Towards a simple and safe Objective Caml compiling framework for the synchronous language SIGNAL by Yang, Zhibin et al.
Official URL 
DOI : https://doi.org/10.1007/s11704-017-6485-y 
Any correspondence concerning this service should be sent 
to the repository administrator: tech-oatao@listes-diff.inp-toulouse.fr 
This is an author’s version published in: 
http://oatao.univ-toulouse.fr/24993 
Open  Archive  Toulouse  Archive  Ouverte 
OATAO is an open access repository that collects the work of Toulouse 
researchers and makes it freely available over the web where possible 
To cite this version: Yang, Zhibin and Bodeveix, Jean-Paul and 
Filali, Mamoun Towards a simple and safe Objective Caml 
compiling framework for the synchronous language SIGNAL. (2019) 
Frontiers of Computer Science, 13 (4). 715-734. ISSN 2095-2228 
Towards a Simple and Safe Objective Caml Compiling Framework
for the Synchronous Language SIGNAL
Zhibin YANG 1,2,3, Jean-Paul BODEVEIX 3, Mamoun FILALI 3
1 School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics,
Nanjing 211106, China
2 Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing 211106, China
3 IRIT-CNRS, Université de Toulouse, Toulouse 31062, France
Abstract
This paper presents a simple and safe compiler, called
MinSIGNAL, from a subset of the synchronous dataflow lan-
guage SIGNAL to C, as well as its existing enhancements.
The compiler follows a modular architecture, and can be seen
as a sequence of source-to-source transformations applied to
an intermediate representation which is named Synchronous
Clocked Guarded Actions (S-CGA) and translation to se-
quential imperative code. Objective Caml (OCaml) is used
for the implementation of MinSIGNAL. As a modern func-
tional language, OCaml is adapted to symbolic computation
and so, particularly suitable for compiler design and imple-
mentation of formal analysis tools. In particular, the safety of
its type checking allows to skip some verification that would
be mandatory with other languages. Additionally, this work
is a basis for the formal verification of the compilation of
SIGNAL with a theorem prover such as Coq.
Keywords Synchronous Languages, SIGNAL, Syn-
chronous Clocked Guarded Actions (S-CGA), Objective
Caml, Functional Programming
1 Introduction
Safety-critical systems are widely used in the fields of avion-
ics, space systems, and nuclear power plants. Many of them
are also considered as reactive systems [1], because they al-
E-mail: yangzhibin168@163.com, bodeveix@irit. f r, f ilali@irit. f r
ways continuously interact with their environment. The en-
vironment can be some physical devices to be controlled, a
human operator, or other reactive systems. These systems
receive from the environment input events, and compute the
output information, which are finally returned to the environ-
ment. Synchronous programming is an important choice to
design these systems, which relies on the synchronous hy-
pothesis [3]. Firstly, the computation time is abstracted as
zero, that lets system behaviors be divided into a discrete se-
quence of instants. At each instant, the system does input-
computation-output, which takes zero time. Secondly, the
different arrival time of events are abstracted as the rela-
tive order between events. Even if the physical time is ab-
stracted, the inherent functional properties are not changed,
so we can say this method focuses on functional behaviors at
a platform-independent level.
There are several synchronous languages, such as ES-
TEREL [4], LUSTRE [5], SIGNAL [6], and QUARTZ [7],
which can be considered as different implementations of
the synchronous hypothesis. They adopt different program-
ming styles, e.g., ESTEREL and QUARTZ have an imper-
ative style suitable for control dominant applications while
LUSTRE and SIGNAL respectively borrow functional and
relational styles suitable for dataflow-oriented applications.
Moreover, as a main difference from other synchronous lan-
guages, SIGNAL naturally considers a mathematical time
model, in terms of a partial-order relation, to describe multi-
clocked systems without the necessity of a global clock. This
feature permits the description of globally asynchronous lo-
cally synchronous systems (GALS) [8, 9] conveniently.
The compilation process of synchronous languages is not
limited to code generation: some analyses are first applied
to determine if the specification is indeed executable. Let
us mention the LUSTRE and ESTEREL causality analyses,
the LUSTRE clock analyses and the ESTEREL constructive
analysis. The SIGNAL compilation process contains two ma-
jor analyses called clock calculus and data-dependency graph
construction from which code generation directly follows.
Moreover the clock calculus contains several steps, such as
the synchronizations of each process, i.e., the generation of
a set of equational constraints over clocks; the resolution of
a system of clock equations; and the construction of a clock
hierarchy on which the automatic code generation strongly
relies.
In the SIGNAL compiler, the control flow expressed by
abstract clocks serves to derive a control structure in auto-
matic code generation. Thus, the quality of clock calculus
has a strong impact on the correctness and efficiency of im-
plementations. There are several optimizations of the clock
calculus have been proposed to improve the quality of the
code generated by the compiler, e.g., a code executed more
efficiently or a code with smaller footprint. Optimizations
aim at increasing the depth of the clock hierarchy in order to
avoid useless tests in the generated code. They rely on dis-
covering logical implications between boolean expressions, a
conjunction being inserted as a descendent of one of its con-
juncts. Several techniques have been considered: in the SIG-
NAL compiler-Polychrony 1) rewriting techniques tempt to
normalize boolean or arithmetic expressions (with the option
command -crew), [10] uses an SMT solver, [11] and [12] an
interval-based data structure referred to as Interval-Decision
Diagram (IDD).
In this paper, we propose an implementation of the main
concepts of the SIGNAL compilation process which is en-
coded in the OCaml 2) language. In our compiler, called
MinSIGNAL, we have considered existing enhancements
such as [10], [11], and [12]. The compiler follows a mod-
ular architecture, and can be seen as a sequence of source-to-
source transformations applied to an intermediate representa-
tion which is named Synchronous Clocked Guarded Actions
(S-CGA) and translation to sequential imperative code.
(1) Why a new intermediate representation
Guarded commands [13], also called asynchronous
guarded actions by J. Brandt et al. [14], are a well-established
concept for the description of concurrent systems. In the
spirit of the guarded commands, J. Brandt et al. propose
1) http://www.irisa.fr/espresso/Polychrony
2) http://ocaml.org/
synchronous guarded actions [15] as an intermediate repre-
sentation for their QUARTZ compiler. As the name sug-
gests, it follows the synchronous model. Hence, the behavior
(control flow as well as data flow) is basically described by
sets of guarded actions of the form 〈γ ⇒ A〉. The boolean
condition γ is called the guard and A is called the action.
To support the integration of synchronous, polychronous and
asynchronous models (such as CAOS [16] or SHIM [17]),
they propose an extended intermediate representation, that is
clocked guarded actions [14, 18] where one can declare ex-
plicitly a set of clocks. They also show how clocked guarded
actions can be verified by symbolic model checking (SMV)
and simulated by SystemC.
Compared with the existing SIGNAL compiler, we use
clocked guarded actions as the intermediate representation,
to integrate more synchronous languages such as QUARTZ,
AIF3) [14] into our compiler in the future. However, in con-
trast to the SIGNAL language, clocked guarded actions can
evaluate a variable even if its clock does not hold. We men-
tion also that the DC+ [19] intermediate format has been
proposed as an intermediate format for compiling multiclock
synchronous languages (ESTEREL, LUSTRE and SIGNAL).
However, DC+ is introduced as a layer on top of DC which
is a monoclock intermediate language. DC+ is character-
ized by a rich kernel with a monoclock guarded assign-
ment (named at) and the equivalent of SIGNAL when and
default constructs. Thus, we propose a variant of Clocked
Guarded Actions, namely S-CGA, which constrains variable
accesses as done by SIGNAL and where guarded assignments
are multiclocked. Compared to DC+, the SIGNAL when
and default are not part of S-CGA. Actually, they are
compiled. The code generation from SIGNAL programs is
adapted to the S-CGA context. In [20, 21], we have already
defined the abstract syntax and the formal semantics of the
S-CGA language.
(2) Why using OCaml in the tooling implementation
For a safety-critical system, the development process al-
ways follows strict guidelines. The development quality as-
surance applies as much to the final source code, as to the
tools themselves. For instance, in the civil avionics the DO-
178B/C airworthiness certification standard [22, 23] defines
all the constraints ruling the aircraft software development.
Moreover, one of the supplements to DO-178C, the DO-
330 (Software Tool Qualification Considerations) provides a
guidance to qualify tools. This means a tool, for example a
compiler also needs to be qualified. For example, the SCADE
3) Averest Intermediate Format
SUITE 4) 5) KCG automatic code generator has been qualified
as a development tool at DO-178B level A.
The choice of a programming language close and adapted
to the tooling development is very important since a well-
suited language leads to a simpler and safer way to encode the
tooling requirements and consequently, a better and simpler
traceability.
OCaml is a functional, imperative and object-oriented ML
dialect. As a modern functional language, OCaml is adapted
to symbolic computation and so, particularly suitable for
compiler design and implementation of formal analysis tools.
In particular, the safety of its type checking allows to skip
some verification that would be mandatory with other lan-
guages, such as the memory allocation, coherency, initial-
ization checks. The OCaml language has been used in Lu-
cid Synchrone [24] (the Lustre language for reactive sys-
tems implementation), the compiler implementation of Pre-
lude [25] (a synchronous language for critical embedded sys-
tems with multiple real-time constraints), and the Coq proof
assistant [2] implementation. The first release of the SCADE
KCG code generator was implemented in C and was avail-
able in 1999. Since 2005, Esterel Technologies has designed
its new SCADE SUITE 6T M in OCaml, which contains 65k
lines of OCaml code [26]. As well, the abstract interpretation
tool ASTREE [27] is also implemented in OCaml. The expe-
riences of SCADE SUITE and of ASTREE by Airbus show
that tools written in OCaml can be integrated in a critical soft-
ware development process.
In this paper, the Ocaml implementation is a basis for the
formal verification of the compilation of SIGNAL with a the-
orem prover such as Coq. Thus we restrict to the functional
subset except for hash tables. Actually, the hash table can
be replaced by the map structure in OCaml. Moreover, this
work would be reused by ones interested in experimenting
a new strategy for clock calculus and experimenting a new
proof technique for the correctness of clock calculus (in a
long term).
The rest of the paper is organized as follows. Section 2
gives an overview of the SIGNAL language. An analysis of
the SIGNAL compilation process and the existing enhance-
ments are given in Section 3. The MinSIGNAL is presented
in Section 4. Section 5 discusses the related work, and Sec-
tion 6 gives some concluding remarks and future work.
4) A successful commercial version of the synchronous language LUS-
TRE
5) http://www.esterel-technologies.com/products/scade-suite/
2 An Introduction to SIGNAL
In this section, we first introduce the basic concepts of the
SIGNAL language such as signals and abstract clocks, then
we give a sketch of its primitive constructs and a few ex-
tended constructs. Finally, a formal semantics of the prim-
itive constructs is introduced.
2.1 Basic concepts
Signals. As declared in the synchronous hypothesis, the be-
haviors of a reactive system are divided into a discrete se-
quence of instants. At each instant, the system does input-
computation-output, which takes zero time. So, the inputs
and outputs are sequences of values, each value of the se-
quence being present at some instants. Such a sequence is
called a signal. Consequently, at each instant, a signal may
be present or absent (denoted by ⊥). In SIGNAL, signals
must be declared before being used, with an identifer (i.e.,
signal variable or the name of signal) and an associated type
for their values such as integer, real, complex, boolean, event,
string, etc.
Example 1 Three signals named input1, input2, output are
shown as follows.
input1 1 ⊥ 3 ⊥ · · ·
input2 ⊥ 5 7 9 · · ·
output ⊥ ⊥ 10 ⊥ · · ·
Abstract Clock. The set of instants where a signal takes
a value is the abstract clock of the signal. Two signals are
synchronous if they are always present and absent at the same
instants, which means they have the same abstract clock.
In the example given above, the abstract clock of input1,
input2 and output, denoted respectively ̂input1, ̂input2 and
ôutput, are defined by different sets of logical instants.
2.2 SIGNAL constructs
SIGNAL uses several constructs to express the relations be-
tween signals, including relations between values and rela-
tions between abstract clocks. Moreover, SIGNAL can spec-
ify the relations between the abstract clocks of signals in two
ways: implicitly or explicitly.
Primitive Constructs. The primitive constructs can be
classified into two families: monoclock operators (for which
all signals involved have the same abstract clock) and mul-
ticlock operators (for which the signals involved may have
different clocks).
• Monoclock operators, including instantaneous func-
tion and delay. The instantaneous function x :=
f (x1, · · · , xn) applied on a set of inputs x1, · · · , xn will
produce the output x, while the delay operator x :=
x1 $ init c sends the previous value of the input to the
output with an initial value c.
• Multiclock operators, including undersampling and de-
terministic merging. The undersampling operator x :=
x1 when x2 is used to get an input at the true occurrence
of another input, while the deterministic merging oper-
ator x := x1 de f ault x2 is used to select between two
inputs to be sent as the output, with a higher priority to
the first input.
Notice that, these operators specify the relations between
the abstract clocks of the signals in an implicit way.
In the SIGNAL language, the relations between values and
the relations between abstract clocks of the signals, are de-
fined as equations, and a process consists of a set of equa-
tions. Two basic operators apply to processes, the first one
is the composition of different processes, and the other one
is the local declaration in which the scope of a signal is re-
stricted to a process.
Extended Constructs. SIGNAL also provides some oper-
ators to express control-related properties by specifying clock
relations explicitly, such as clock synchronization, set op-
erators on clocks (union, intersection, difference) and clock
comparison.
• Clock synchronization, the equation x1 ˆ= x2 ˆ= · · · ˆ=xn
specifies that signals x1, x2, · · · , xn are synchronous.
• Set operators on clocks, such as the equation x:= x1 ˆ +
x2 defines the clock of x as the union of the clocks of
signals x1 and x2, the equation x:= x1 ˆ * x2 defines the
clock of x as the intersection of the clocks of signals x1
and x2, the equation x:= x1 ˆ - x2 defines the clock of x
as the difference of the clocks of signals x1 and x2.
• Clock comparison, such as the statement x1 ˆ < x2 spec-
ifies a set of inclusion relations between the clocks of
signals x1 and x2, the statement x1 ˆ > x2 specifies a set
of containment relations between the clocks of signals
x1 and x2, the statement x1 ˆ ♯ x2 specifies that the inter-
section of the clocks of signals x1 and x2 is empty.
2.3 A Trace Denotational Semantics
There exist several semantics for SIGNAL, such as deno-
tational semantics based on traces (called trace semantics)
[28–30], denotational semantics based on tags (called tagged
model semantics) [29, 31], operational semantics presented
in a structural style [6, 29], operational semantics defined by
synchronous transition systems (STS) [?]. [33, 34] define a
unified constructive semantic framework to unite QUARTZ
and SIGNAL. This framework allows us to better understand
the relationship between synchrony and polychrony. Here,
we introduce the trace semantics. Moreover, the semantics
of each of the extended constructs being defined in terms of
the primitive constructs, we just consider the primitive con-
structs, that is core-SIGNAL. In [35], we have given a proof
of the semantics equivalence between the trace semantics and
the tagged model semantics of the core-SIGNAL.
In the following paragraphs, we first summarize the se-
mantics domain i.e. the trace model, then the trace semantics.
(1) Trace Model
Let X be a set of signal variables, and let V be the set of
values that can be taken by the variables. The symbol ⊥ (⊥
< V) is introduced to express the absence of valuation of a
variable. Then we denote:
V⊥ = V ∪ {⊥}
Definition 1 (Signal) [29] A signal s is a sequence (si)i∈I
of typed values (of V⊥), where I is the set of natural integers
N or an initial segment of N, including the empty segment.
A signal can be finite. However, we can extend the finite
signal with infinite absences, to get an infinite one.
The definition of traces is given in the following para-
graphs. Notice that, a signal is just a sequence of values
corresponding to a signal variable, while a trace defines the
synchronized sequences of values of a set of signal variables.
Definition 2 (Event) [28] Considering X a non-empty
subset of X, we call event on X any application
e : X → V⊥X
• e(x) = ⊥ indicates that variable x has no value in the
event.
• e(x) = v indicates, for v ∈ Vx, that variable x takes the
value v in the event.
The absent event on X (X → {⊥}), where all the signals are
absent at a logical instant, is denoted ⊥e(X). Moreover, the
set of events on X (X → V⊥
X
) is denoted εX .
A trace is a sequence of events. For any subset X of X, we
consider the following definition of the set τX of traces on
X.
Definition 3 (Traces) τX is the set of traces on X, de-
fined as the set of applications N →εX where N is the set of
natural integers.
Similarly, a trace can be finite. However, we can extend
the finite sequence with infinite absent events, to get an infi-
nite trace.
Definition 4 (Sprocess) Given a SIGNAL process, its
trace semantics, denoted as Sprocess, includes a set of sig-
nal variables defining the domain of the process and a set of
traces.
(2) Trace semantics
Based on the trace model, the trace semantics of SIGNAL
is presented as follows. It defines the set of traces associated
to each primitive construct of SIGNAL.
Trace Semantics 1 The trace semantics of the instanta-
neous function x := f (x1, · · · , xn) is defined as follows:
∀t ∈ N
xt =
{
⊥ i f x1t = . . . = xnt = ⊥
f (x1t, . . . , xnt) i f x1t , ⊥ ∧ . . . ∧ xnt , ⊥
At each instant t, the signals are either all present or all
absent, i.e., they are synchronous, denoted x ˆ = x1 ˆ = · · · ˆ
= xn. xt gets the value of f (x1t, . . . , xnt) when the signals are
all present. The function f includes different mathematical
operations, such as arithmetic operations, boolean operations,
etc.
Trace Semantics 2 The trace semantics of the delay con-
struct x := x1 $ init c is defined as follows:
− (∀t ∈ N) x1t = ⊥ ⇔ xt = ⊥
− {k | x1k , ⊥} , ∅ ⇒ xmin{k|x1k,⊥} = c
− (∀t ∈ N) x1t , ⊥ ∧ {k > t | x1k , ⊥} , ∅
⇒ xmin{k>t|x1k,⊥} = x1t
Here, min(X) denotes the minimum of a non-empty set of
naturals. Similarly to the instantaneous function, the delay
construct also requires signals x and x1 have the same clock,
denoted x ˆ= x1. Given a logical instant t, x takes the most
recent value of x1 except the one at t. Initially, x takes the
value c.
Trace Semantics 3 The trace semantics of the undersam-
pling construct x := x1 when x2 is defined as follows:
∀t ∈ N
xt =
{
x1t i f x2t = true
⊥ otherwise
Here, x and x1 have the same type and x2 is a boolean
signal. The clock of x is the intersection of the clock of x1
and the true occurrences of x2, denoted x=x1 ˆ* [x2], where
[x2] = x̂2 ∧ x2 represents the true occurrences of x2.
Trace Semantics 4 The trace semantics of the determin-
istic merging construct x := x1 de f ault x2 is defined as fol-
lows:
∀t ∈ N
xt =
{
x1t i f x1t , ⊥
x2t otherwise
Here, signals x, x1 and x2 have the same type. The clock
of x is the union of the clocks of x1 and x2, denoted x = x1 ˆ+
x2. Given a logical instant t, xt gets the merge of the values
of x1t and x2t, and the value of x1t has a higher priority.
Finally the semantics of parallel composition is defined as
the intersection of the semantics of the components. We ap-
ply these semantics rules to a SIGNAL process, to get a com-
plete semantics of the process, that is SProcess (Definition
4).
Remark 1. The formal semantics is used in the programs
transformations of the SIGNAL compiler, and it is also the
basis of the validation of the compilation process.
3 An Analysis of the Main Concepts of the
SIGNAL Compilation
In this section, we first present two formalizations, namely
clock algebra and conditional data-dependency graph, which
are used in the SIGNAL compilation process. Then, the main
steps of the compilation are presented. Finally, we introduce
the existing enhancements of the compilation process.
3.1 Formal models for SIGNAL program analysis
A SIGNAL program is a formal specification that is basically
composed of equations describing relations of both values
and clocks of the signals involved. The language allows one
to mathematically reason on the properties of such a spec-
ification. One clock algebra associated to SIGNAL is the
algebraic domain Z/3Z, the set of integers modulo 3 (i.e.,
Z/3Z = {−1, 0, 1}). Here 0 denotes a signal is absent, -1
means the signal is present and its value is false, and 1 means
the signal is present and its value is true. As well, the rea-
soning approach for SIGNAL programs also includes depen-
dency graphs to encode data dependencies.
(1) Clock algebra
In the SIGNAL context, relations over clocks are de-
scribed using the clock algebra. The clock cl of a signal de-
notes a series of instants. The clock xˆ of a signal x denotes the
instants at which the signal x is present. The clock [x] (resp.
[¬x]) denotes the instants at which x is present and holds the
value true (resp. false). A clock expression e is either the
empty clock, noted 0, a signal clock cl, or the conjunction
e1 ∧ e2, the disjunction e1 ∨ e2, the symmetric difference
e1\e2 of two clock expressions e1 and e2.
cl ::= xˆ | [x] | [¬x] (clock)
e ::= 0 | cl | e ∧ e | e ∨ e | e\e (clock expression)
Here, we have [x] ∨ [¬x] = xˆ and [x] ∧ [¬x] = 0.
(2) Conditional data-dependency graph
Intuitively, a data-dependency can be understood as the ne-
cessity that the value of some signal must be known in order
to calculate the value of some other signal. A program is
compiled into a graph that describes the data dependencies in
the following sense: the edge
a →cl b
specifies that the computation of the node b, a signal or a
clock, cannot be scheduled before that of the node a when
the clock cl is present. A clock relation cl = e specifies that
the signal clock cl is present iff the clock expression e is true.
a, b ::= x | xˆ (node)
R ::= cl = e | a →cl b (data dependency)
Remark 2. At the semantics level, we mainly consider
the relations between clocks and the relations between val-
ues. However, at the compiler level, we also need to consider
the data-dependencies, because they determine the execution
sequences in the generated code.
3.2 The main steps of the SIGNAL compilation
After a transformation from the user program (whose state-
ments are expressed with both primitive constructs and ex-
tended constructs) to the normalized program whose state-
ments are all expressed with primitive constructs, the SIG-
NAL compilation process contains two major analyses called
clock calculus and data-dependency graph construction from
which code generation directly follows. Moreover the clock
calculus contains several steps, such as the synchronizations
of each process, i.e., the generation of a set of equational con-
straints over clocks; the resolution of a system of clock equa-
tions; and the construction of a clock hierarchy on which the
automatic code generation strongly relies.
(1) Synchronizations of SIGNAL processes
Each primitive construct inherently defines a relation over
the clocks involved. Consequently, a system composed out
of multiple processes describes a system of these relations,
which is, an equation system of clock variables that describe
the synchronizations of the system. Based on the clock alge-
bra presented in section 3.1, for each primitive construct, the
clock synchronizations are given by Table 1. Moreover, the
clock synchronizations can be described equivalently using
SIGNAL extended constructs (e.g., xˆ= x1 ˆ+ x2).
Table 1 Synchronizations of each primitive construct
P
synchronizations o f
P in clock algebra
synchronizations
o f P in S IGNAL
x := f (x1, · · · , xn) xˆ = xˆ1 = · · · = xˆn xˆ= x1 | ... | xˆ= xn
x := x1 $ init c xˆ = xˆ1 xˆ= x1
x := x1 when x2 xˆ = xˆ1 ∧ [x2] xˆ= x1 ˆ∗ when x2
x := x1 de f ault x2 xˆ = xˆ1 ∨ xˆ2 xˆ= x1 ˆ+ x2
(2) Solving the clock equation system
The SIGNAL philosophy strongly emphasizes that clocks
indicate the control of data-flow specifications. Accordingly
the control-flow of the target executable code is synthesized
from relations over clocks, or synchronizations, that is, at any
given instant, before the value of a signal x is computed, a test
must be made on the presence/absence of x, namely the pres-
ence/absence of its clock xˆ. So there is a need for a resolu-
tion method that will allow to efficiently check the presence
of a clock. For that purpose, the clock equation system to
be solved is extracted from the system by applying the rules
of Table 1. The general approach for solving this equation
system is given by triangularization [36]:
The equational system is transformed into an ordered set
of so called directed definitions, that is, a system of equations
of the form h = h1 〈op〉 h2, where h is a newly defined clock,
h1, h2 are previously defined clocks and op ∈ {∧,∨, \} is some
operator on clocks. This representation ensures the absence
of clock-to-clock cycles. Several problems should be solved
to get this representation:
• Multiple definitions: If the equation system contains
more than one equation with clock h on the left side, the
equality of their respective right sides must be proven.
• Clock-to-clock cycles: If the equation system contains
cyclic dependencies, they have to be eliminated.
• Complex relations: If equations are not of the form
h = h1 〈op〉 h2, e.g., given by h1 〈op〉 h2 = k1 〈op〉 k2,
an attempt can be made to prove the equivalence of the
formulas with rewriting techniques.
The SIGNAL compilation process involves solving these
problems, mainly by using a rewriting system plus some
heuristics, in order to achieve triangular form. But since these
problems are complex, the compiler is not complete: If no ap-
propriate rewriting rule can be applied, an input program may
be rejected although the system could be solved. In any case,
if some equalities cannot be proven or if some cycle cannot
be eliminated, an input program is considered temporally in-
correct and rejected.
(3) Hierarchical representation of clock equations
Efficient code generation requires a "good" representation
of the solutions of the clock equations which result from the
previous step. In order to efficiently apply rewriting and keep
track of the triangularity (i.e., triangularization preservation)
of the equation systems, a tree-based representation of the
equations is used, named the clock hierarchy. Moreover,
the paper [9] discusses the link between perfect synchrony
and asynchrony, and shows that the endochrony property of a
clock hierarchy is a sufficient condition to get executable and
deterministic code from a given clock hierarchy.
The synthesis of clock hierarchy in SIGNAL programs re-
lies on an efficient algorithm [36] that has been implemented
in the compiler. We summarize it as follows:
• For a Boolean signal x, the known partition [x] ⊆ xˆ ⊇
[¬x] is represented by a basic partition tree, whose edges
are the set inclusion relations.
• The representation of the whole equation system of syn-
chronizations starts with representing all directed defi-
nitions by a forest of clock trees.
• Then, two clock trees are iteratively fusioned by insert-
ing one tree into another: Let T, T’ be two clock trees
with roots r and h respectively, where h is defined by
the directed equation h = h1 〈op〉 h2, and h1 and h2 are
subtrees of T. Then the fusion of T’ into T is applied
by adding the tree T’ to the immediate children of the
least common ancestor of h1 and h2 in T. This way, the
subtree T’, which is defined by the operands h1 and h2,
is placed directly under the least common ancestor of
these operands. This preserves the structural property
of triangularization and gives credit to clock inclusion
relations which yield more efficient nested if-tests.
Intuitively, the clock of a node is a subset of the clock
of its parent. The algorithm repeatedly tries to rewrite the
equations so that they match the criteria of the fusion step and
then executes the fusion until this cannot be done anymore.
As shown in the report [36], we can do optimizations on
the clock hierarchy to improve the quality of the code gen-
erated by the compiler, e.g., a code executed more efficiently
or a code with smaller footprint. For instance, the resulting
tree-based representation of the equation systems over clocks
can be optimized in the sense that the insertion step during
the fusion chooses a parent with greatest depth.
(4) Code generation
The code generation is based on the transformations pre-
sented in the previous sections. It is strongly guided by the
clock hierarchy resulting from the clock calculus to structure
the target language program, and by the conditional data-
dependency graph not only to locally order elementary op-
erations in sequences, but also to schedule component activa-
tions in a hierarchical target code. This code can be obtained
in different target languages, among which the most used are
C, C++, and Java.
When a SIGNAL program P is proved to be endochronous,
the generation of its associated code is straightforward. Each
node of the clock tree corresponding to P is characterized
by a Boolean expression that expresses a condition (if-then-
else structures). The statements that depend on each node are
computed whenever the associated condition is evaluated to
be true, meaning that the expressed clock is present. On the
other hand, the code generation takes into account the condi-
tional dependency graph that characterizes the order accord-
ing to which statements are to be computed at the same clock
instants.
Furthermore, the code generated especially the nesting of
if-then-else structures can be optimized, if h and k are two
clocks such that h ⊆ k, then for an instant t, the following
clock implication holds:
t < k =⇒ t < h
In others words, if the test t ∈ k fails, there is no need to
test if t ∈ h. Thus, code generation can take advantage of the
clock inclusion relation between clocks.
As an example, the code
i f present(k) then
do − action − k
i f present(h) then
do − action − h
endi f
endi f
is more efficient than the code
i f present(k) then
do − action − k
endi f
i f present(h) then
do − action − h
endi f
3.3 Handling Numerical Expressions
For the under-sampling construct, remember that the clock
of the Boolean expression x is partitioned into [x] and [¬x],
which are referred to as condition-clocks. In the SIGNAL
compiler, if x is defined by a numerical expression such as an
integer comparison, [x] and [¬x] are seen as black boxes by
default. As a consequence the relation in the numerical ex-
pression is unknown and useless comparisons are generated.
Here, we use an example to explain the handling of nu-
merical expressions.
Example 2 A process named Numerical_Expr is given:
process Numerical_Expr =
(? integer a, b, x1;
boolean c1, c2;
! integer x, y, z1, z2, z3,m, s1, s2;
)
(| aˆ= bˆ= x1ˆ= c1ˆ= c2
| x := a $ init 1
| y := b $ init 2
| z1 := x when (a > 0)
| z2 := x when (a <= 0)
| z3 := y when (b > 0)
| m := z1 de f ault z2 de f ault z3
| s1 := x1 when c1
| s2 := x1 when (c1 and c2)
|);
• Default Polychrony compiler
A part of the result of the clock calculus generated by the
compiler in Polychrony (without the option -crew) is shown
as follows. Here, [a > 0], [not (a > 0)], [a <= 0],
[not (a <= 0)], [b > 0], and [not (b > 0)] are consid-
ered as black boxes. So, the compiler treats [a > 0] and
[not (a <= 0)], [not (a > 0)] and [a <= 0], as different
clock equivalence classes. Actually they are in the same clock
equivalence class respectively. It follows that the compiler
cannot analyze some static properties of a program, such as
clock exclusion or clock emptiness, since numerical expres-
sions are not suitably abstracted.
| ( | CLK := when ( a>0)
| CLK_13 := when ( not ( a >0) )
| )
| ( | CLK_14 := CLK ^∗ CLK_z1 | )
| ( | CLK_z1 := CLK_a ^∗ CLK
| CLK_z1 ^= z1
| ( | z1 := x when CLK_z1 | )
| )
| ( | CLK_17 := when ( a<=0)
| CLK_18 := when ( not ( a <=0))
| )
| ( | CLK_19 := CLK_17 ^∗ CLK_z2 | )
| ( | CLK_z2 := CLK_a ^∗ CLK_17
| CLK_z2 ^= z2
| ( | z2 := x when CLK_z2 | )
| )
| ( | CLK_22 := when ( b>0)
| CLK_23 := when ( not ( b>0) )
| )
| ( | CLK_24 := CLK_22 ^∗ CLK_z3 | )
| ( | CLK_z3 := CLK_a ^∗ CLK_22
| CLK_z3 ^= z3
| ( | z3 := y when CLK_z3 | )
| )
A part of the C code generated by Polychrony compiler is
shown as follows. It also appears that the test C_s2 associ-
ated to [c1 and c2] is performed even if [c1] or [c2] tests fail.
It means that the clock inclusion property [c1 and c2] ⇒ [c1]
has not been detected. If [c1 and c2] had been placed as a son
of one of [c1] or [c2] while preserving "arborescent canonical
form", the test of the conjunction would have been performed
only when one of the argument is true. However, as men-
tioned in section 3.2, such optimizations could be performed
by the C compiler itself.
C_z1 = a > 0 ;
C_z2 = a <= 0 ;
C_z3 = b > 0 ;
C_s2 = c1 && c2 ;
C_CLK_52 = C_z1 | | C_z2 ;
C_m = C_CLK_52 | | C_z3 ;
i f ( c1 )
{ s1 = x1 ; w_exp1_s1 ( s1 ) ;
}
i f ( C_z1 )
{ z1 = x ; w_exp1_z1 ( z1 ) ;
}
i f ( C_z2 )
{ z2 = x ; w_exp1_z2 ( z2 ) ;
}
i f ( C_z3 )
{ z3 = y ; w_exp1_z3 ( z3 ) ;
}
i f ( C_s2 )
{ s2 = x1 ; w_exp1_s2 ( s2 ) ;
}
i f (C_m)
{ i f ( C_z1 )
m = z1 ;
e l s e i f ( C_z2 )
m = z2 ;
e l s e
m = z3 ;
w_exp1_m (m) ;
}
• Compilation with the option -crew
Even if the SIGNAL compiler does not fully handle nu-
merical expressions, it is possible to let it do some rewriting
of numerical conditions as Boolean expressions by using the
option -crew. A part of code generated for the Example 2 is
given as follows. With this option, comparisons are rewritten
using only the operators == (for example CLK_81 = 0 == a)
and <= (for example CLK_83 = 0 <= a). Thus, [a > 0] and
[a <= 0] can be rewritten as C_z1 =!CLK_81&&CLK_83
and C_z2 = CLK_81||!CLK_83 respectively. As we can see,
the rewriting of comparisons permits a more precise analysis
on clocks.
CLK_81 = 0 == a ;
CLK_83 = 0 <= a ;
C_z1 = ! CLK_81 && CLK_83 ;
C_z2 = CLK_81 | | ! CLK_83 ;
C_z3 = (0 <= b ) && ! ( 0 == b ) ;
C_s2 = c1 && c2 ;
• Enhancement with a combined numerical-Boolean ab-
straction
Paul Feautrier et al [10] propose a combined numerical-
Boolean abstraction to deal with these problems. In the new
abstraction, every signal in a program is associated with a pair
of the form (clock, value), where clock is a Boolean function
and value is a Boolean or numeric function. They also use a
SMT solver to reason on the new abstraction, and get more
precise clock analysis because they treat the numerical ex-
pression as white boxes.
4 Inside the MinSIGNAL Compiler
In this section, we present the OCaml code of the compila-
tion process of MinSIGNAL. First, the modular architecture
of MinSIGNAL is given in a global view. Second, the com-
pilation progress is presented step by step.
4.1 A Modular Architecture
As shown in Figure 1, the MinSIGNAL compiler has a mod-
ular architecture, and can be seen as a sequence of source-to-
source transformations applied to the intermediate represen-
tation S-CGA and then translation to sequential imperative
code. Specifically, the compilation process is mainly struc-
tured as five modules. At each module, there are several sub-
modules.
• Module 1: Normalization of the user program. Beyond
the usual lexical analysis, parsing and type checking, the
compiler will transform the user program (using the sub-
set of SIGNAL) whose statements are expressed with
both primitive constructs and extended constructs to the
normalized program whose statements are all expressed
with primitive constructs.
• Module 2: Synchronizations of SIGNAL processes. As
a difference with the existing SIGNAL compiler, we
construct S-CGA from the normalized program. S-CGA
contains control flow (the relations between clocks) as
well as data flow (the relations between values).
• Module 3: Solving the clock equation system. If the sys-
tem of clock equations contains more than one equation
with the same clock, the execution of the generated code
will check the same control condition several times, and
it is inefficient. This is why we need to resolve it. We
can use BDD or SMT technology to check the equiva-
lence of two clock equations, and put the corresponding
clock variables into the same equivalence class. We also
check the endochrony property at this step, namely there
is just one master clock.
• Module 4: Hierarchical representation of clock equa-
tions. The code generation is based on both the clock
hierarchy and the data dependencies. However, there
may be clock-to-data cycles. To reduce these cycles, we
first sort all the guarded actions. It will be easier to con-
struct a clock hierarchy based on deterministic sorting,
and we consider the sorting as a depth first search (DFS)
order.
• Module 5: Code generation and optimization. The basic
idea of code generation is the same as in the SIGNAL
compiler. Furthermore, we do some optimizations at the
code level. Given two equations such as y = x when x1
and z = x when (x1 and x2), there is a clock-inclusion
relation: [x1 ∧ x2] → [x1], i.e., the clock of [x1 ∧ x2] is
a subset of the clock of [x1]. Consequently, we can do
the code optimization illustrated as follows. If control
condition x1 holds, we do not need to check x1 again in
x1&&x2. We just need to check if x2 holds or not.
Figure 1 A modular architecture for the formalization of the SIGNAL compilation process
i f (x1){
do actions
...
i f (x1&&x2){
do actions
...}
}
⇛
i f (x1){
do actions
...
i f (x2){
do actions
...}
}
As mentioned before, the safety of the type checking of
OCaml allows to skip some verification that would be manda-
tory with other languages. Moreover, the OCaml code is
compact which allows less verification efforts. MinSIGNAL
consists in about 3000 lines of OCaml code (Table 2).
Table 2 The OCaml code size of MinSIGNAL
Module name OCaml code
Normalization of the user program 750 lines
Intermediate representation S-CGA 350 lines
Solving the clock equation system 750 lines
Hierarchical representation of clock equations 550 lines
Code generation and optimization 500 lines
4.2 Normalization of the user program
As shown in section 2.2, the definition of the extended con-
structs is derived from a combination of the primitive con-
structs to provide the user with suitable macros. So, beyond
the usual lexical analysis, parsing and type checking, the
compiler will transform the user program whose statements
are expressed with both primitive constructs and extended
constructs to the normalized program whose statements are
all expressed with primitive constructs.
(1) Lexical analysis, parsing and type checking
The lexical analysis and parsing of MinSIGNAL are im-
plemented with standard tools, OCamlLex and OCamlYacc.
As usual, they translate a string of characters to a sequence
of tokens and then to an abstract syntax tree, which is neces-
sary for any complex program manipulation. We don’t give
the details of the lexical analysis, parsing and type checking,
because of the space limitations.
Here, we give a simplified abstract syntax which is defined
in OCaml. ty represents the data types of SIGNAL such as in-
teger, real, complex, boolean, etc. A SIGNAL specification
spec is a set of processes. A process proc is a set of equations
(eqn list) for signals specifying relations between values, on
the one hand, and clocks, on the other hand, of the signals
involved. Moreover, a process also includes its name, input
signals, output signals and local declarations. An equation
can denote the relations between values or the relations be-
tween clocks, Ident represents the identifier of a signal, CInt,
CReal, CBool, CString, and CChar represents constants de-
fined in the equations, Func, Delay, When, and Default de-
note the primitive constructs, set operators on clocks such as
ˆ +, ˆ * and ˆ - are also represented in Func, while clock com-
parison operators such as ˆ <, ˆ >, ˆ ♯ and ˆ= are represented
in Constraint.
type t y = TBasic of s t r i n g
type exp =
| I d e n t of s t r i n g
| CI n t of i n t
| CReal of f l o a t
| CBool of bo o l
| C S t r i n g of s t r i n g
| CChar of c h a r
| Func of s t r i n g ∗ exp l i s t
| Delay of exp ∗ exp
| When of exp ∗ exp
| D e f a u l t of exp ∗ exp
type eqn =
| Ass of s t r i n g ∗ exp
| C o n s t r a i n t of s t r i n g ∗ exp ∗ exp
type d e c l = t y ∗ s t r i n g
type p roc = Proc of s t r i n g ∗ ( d e c l l i s t )
∗ ( d e c l l i s t ) ∗ ( eqn l i s t ) ∗ ( d e c l l i s t )
type s pe c = p roc l i s t
(2) Transformation of the user syntax to the kernel syn-
tax
We first give the kernel syntax (corresponding to the core-
SIGNAL) which is defined in OCaml. The abstract syntax
of core-SIGNAL, of clock equation (in section 4.4), and of
reduced normal form (i.e., equivalence class in section 4.5)
have a common style, thus we use a type kind with three val-
ues Ksignal, Clock, and Class. In the user syntax, the expres-
sion can be iterated, while in the kernel syntax, the expression
has been flattened.
type k t y= KTBasic of s t r i n g
type c o n s t =
| SCInt of i n t
| SCReal of f l o a t
| SCBool of boo l
| S C St r i n g of s t r i n g
| SCChar of c h a r
type k ind=
| K s i g n a l
| Clock
| C l a s s of Q u o t i e n t . t
type v a r = s t r i n g ∗ k ind
type sexp =
| SVar of v a r
| SConst of c o n s t
| SFunc of s t r i n g ∗ v a r l i s t
type kexpSig =
| KDelay of s t r i n g ∗ sexp
| KWhen of s t r i n g ∗ s t r i n g
| KDefau l t of s t r i n g ∗ s t r i n g
type keqn =
| KAss of v a r ∗ sexp
| KAssSig of s t r i n g ∗ kexpSig
type k d e c l = k t y ∗ s t r i n g
type kproc = KProc of s t r i n g ∗ ( k d e c l l i s t )
∗ ( k d e c l l i s t ) ∗ ( keqn l i s t )
type kspec = kproc l i s t
Several rules are applied to the transformation from the
extended constructs to the primitive constructs.
Transformation 1. We have one basic rule: the equation
clk := xˆ can be expressed using primitive constructs as fol-
lows.
Clock extraction Corresponding primitive constructs
clk := xˆ clk := (x = x)
Transformation 2. The set operations on abstract clocks
such as clock intersection, union, and difference, can be ex-
pressed by the following constructs, and then can be ex-
pressed using primitive constructs.
Set operations on clocks Corresponding constructs
x := x1 ˆ * x2 x := xˆ1 when xˆ2
x := x1 ˆ + x2 x := xˆ1 de f ault xˆ2
x := x1 ˆ - x2 x :=
when ((not xˆ2)
de f ault xˆ1)
Notice that x := when ((not xˆ2) de f ault xˆ1) can be
rewritten as x := ((not xˆ2) de f ault xˆ1) when ((not xˆ2)
de f ault xˆ1)
Transformation 3. The comparison operations of abstract
clocks can be expressed using set operations on clocks, and
then can be expressed using primitive constructs. Here, 0ˆ
specifies the empty clock.
Clock comparison operations Set operations on clocks
x1 ˆ < x2 x1 ˆ = x1 ˆ * x2
x1 ˆ > x2 x1 ˆ = x1 ˆ + x2
x1 ˆ ♯ x2 0ˆ ˆ = x1 ˆ * x2
x1 ˆ = x2 clk := xˆ1 = xˆ2 where clk
Dealing with constant signals. In addition, we’d like
to see the clock equation system defined in clock algebra di-
rectly. There is a little problem about the presence of constant
signals. For example, given a process with two equations of
signals,
y = 2 when b
y′ = 2 when b′
we have the clock relations as follows,
yˆ = 2ˆ ∧ [b]
yˆ′ = 2ˆ ∧ [b′]
However, the clock 2ˆ in yˆ = 2ˆ ∧ [b] and in yˆ′ = 2ˆ ∧ [b′]
may be not the same. Namely, the presence of constant sig-
nals depend on their usage context. To avoid conflicts, we use
a new signal variable (defined in the local declaration) to re-
place the constant signal, and the new signal variable will be
defined using a delay construct, for example x1 = x1 $ init 2
and x2 = x2 $ init 2. Then, the process will be transformed
as,
y = x1 when b,
y′ = x2 when b
′
x1 = x1 $ init 2
x2 = x2 $ init 2
Finally, we get the clock relations as follows,
yˆ = xˆ1 ∧ [b]
yˆ′ = xˆ2 ∧ [b′]
Notice that, we compute the data-type of each new signal
variable by type inference.
Based on the kernel syntax and previous transformation
rules, the user program will be transformed into the normal-
ized program and then will be flattened.
The comparison operations of abstract clocks are trans-
formed into the set operations on clocks. Its OCaml code
is given as follows.
l e t rec e l i m _ c t r s _ i n _ e q n s eqns =
L i s t . c o n c a t ( L i s t . map (
f u n c t i o n
| Ass ( s , e ) as eq −> [ eq ]
| C o n s t r a i n t ( s , e1 , e2 ) −>
begin match s with
| "^<"−>
[ C o n s t r a i n t ( " ^= " , e1 , Func ( " ^∗ " , [ e1 ; e2 ] ) ) ]
| "^>"−>
[ C o n s t r a i n t ( " ^= " , e1 , Func ( " ^+ " , [ e1 ; e2 ] ) ) ]
| " ^# "−>
[ C o n s t r a i n t ( " ^= " , Func ( " ^ " , [ CIn t ( 0 ) ] ) ,
Func ( " ^∗ " , [ e1 ; e2 ] ) ) ]
| " ^= "−>
l e t c1=new_var "C" ( TBasic " e v e n t " )
and c2=new_var "C" ( TBasic " e v e n t " )
and c3=new_var "C" ( TBasic " e v e n t " )
in
i f i s I d e n t o r C o n s t ( e2 ) then
[ Ass ( c1 , Func ( "==" , [ e1 ; e1 ] ) ) ;
Ass ( c2 , Func ( "==" , [ e2 ; e2 ] ) ) ;
Ass ( c3 , Func ( "==" , [ I d e n t c1 ; I d e n t c2 ] ) ) ]
e l s e
l e t c4=new_var "C" ( TBasic " e v e n t " ) in
[ Ass ( c1 , Func ( "=" , [ e1 ; e1 ] ) ) ;
Ass ( c2 , e2 ) ;
Ass ( c3 , Func ( "=" , [ I d e n t c2 ; I d e n t c2 ] ) ) ;
Ass ( c4 , Func ( "=" , [ I d e n t c1 ; I d e n t c3 ] ) ) ]
| _−> f a i l w i t h ( "NYI : unknown c o n s t r a i n t " )
end
) eqns )
For the set operations on abstract clocks, they are
firstly transformed into corresponding constructs, which
are implemented by the constructors Func("ˆ+",[e1;e2]),
Func("ˆ*",[e1;e2]) and Func("ˆ-",[e1;e2]) in the recursive
function flatten. Then, all the clocks such as xˆ will be
expressed using primitive constructs, that is the construc-
tor Func("ˆ",[e]). Finally, all the primitive constructs trans-
formed will be flattened.
l e t rec f l a t t e n = f u n c t i o n
| Func ( " ^+ " , [ e1 ; e2 ] ) −>
f l a t t e n ( D e f a u l t ( Func ( " ^ " , [ e1 ] ) , Func ( " ^ " , [ e2 ] ) ) )
| Func ( " ^∗ " , [ e1 ; e2 ] ) −>
f l a t t e n ( When ( Func ( " ^ " , [ e1 ] ) , Func ( " ^ " , [ e2 ] ) ) )
| Func ( "^−" , [ e1 ; e2 ] ) −>
l e t e3 = D e f a u l t ( Func ( " n o t " , [ Func ( " ^ " , [ e2 ] ) ] ) ,
Func ( " ^ " , [ e1 ] ) ) in
f l a t t e n ( When ( e3 , e3 ) )
| Func ( " ^ " , [ e ] ) −>
l e t v1=new_var "CL" ( TBasic " e v e n t " ) in
l e t e1= f l a t t e n e in
add_eqn ( Ass ( v1 , Func ( " := " , [ e1 ; e1 ] ) ) ) ;
I d e n t v1
| Func ( f , l ) as e −>
l e t v1=new_var "F" ( TBasic ( g e t _ t y p e e ) ) in
add_eqn ( Ass ( v1 , Func ( f , L i s t . map f l a t t e n l ) ) ) ;
I d e n t v1
| Delay ( e1 , e2 ) as e −>
l e t v2=new_var "D" ( TBasic ( g e t _ t y p e e ) ) in
add_eqn ( Ass ( v2 , Delay ( f l a t t e n e1 , e2 ) ) ) ;
I d e n t v2
| D e f a u l t ( e1 , e2 ) as e −>
l e t v3=new_var "M" ( TBasic ( g e t _ t y p e e ) ) in
add_eqn ( Ass ( v3 , D e f a u l t ( f l a t t e n e1 , f l a t t e n e2 ) ) ) ;
I d e n t v3
| When ( e1 , e2 ) as e −>
l e t v4=new_var "W" ( TBasic ( g e t _ t y p e e ) ) in
add_eqn ( Ass ( v4 , When ( f l a t t e n e1 , f l a t t e n e2 ) ) ) ;
I d e n t v4
| I d e n t _ as e −> e
| e (∗ t h i s i s c o n s t a n t ∗ )−>
l e t k=new_var "K" ( TBasic ( g e t _ t y p e e ) ) in
add_eqn ( Ass ( k , Delay ( I d e n t k , e ) ) ) ;
I d e n t k
4.3 S-CGA Intermediate representation
In papers such as [18], clocked guarded actions have been de-
fined as a common representation for synchronous (via syn-
chronous guarded actions), polychronous and asynchronous
(via asynchronous guarded actions) models. It has a multi-
clocked feature. However, in contrast to the SIGNAL lan-
guage, clocked guarded actions can evaluate a variable even
if its clock does not hold [18] [20]. In this case the read
value is the most recently written value, while in SIGNAL
read and writes can be simultaneous provided the causality
is respected. As a consequence, we have introduced an inter-
mediate representation S-CGA [20, 21], which is a variant of
clocked guarded actions. In one hand, S-CGA expresses the
relations between signals, including the relations between ab-
stract clocks and the relations between values, which are con-
sistent with the SIGNAL program. In the other hand, as an
intermediate representation, S-CGA permits us to integrate
more synchronous languages such as QUARTZ, AIF into our
compiler in the future.
(1) The definition of S-CGA
S-CGA has the same structure as clocked guarded actions,
but has different semantics.
Definition 6 (S-CGA) An S-CGA system is represented
by a set of guarded actions of the form 〈γ ⇒ A〉 defined over
a set of variables X. The Boolean condition γ is called the
guard and A is called the action. Guarded actions can be of
the following forms:
(1) γ ⇒ x = τ (immediate)
(2) γ ⇒ next(x) = τ (delayed)
(3) γ ⇒ assume(σ) (assumption)
where
• the guard γ is a Boolean condition over the variables of
X, and their respective clocks. For a variable x ∈ X, we
denote:
– its clock xˆ,
– its initial clock init(xˆ) as the clock which ticks the
first time (if any) where xˆ ticks.
• τ is an expression over X,
• σ is a Boolean expression over the variables of X and
their clocks.
An immediate assignment x = τ writes the value of τ im-
mediately to the variable x. The form (1) implicitly imposes
that if γ is defined6) and its value is true, then x is present and
τ is defined.
A delayed assignment next(x) = τ evaluates τ in the given
instant but changes the value of the variable x at next time
clock xˆ ticks.
The form (3) defines a constraint. It determines a Boolean
condition which has to hold when γ is defined and true. All
the execution traces must satisfy this constraint. Otherwise,
they are ignored.
Guarded actions are composed by using the parallel oper-
ator ‖.
A SIGNAL process includes its name, input signals, out-
put signals, local declarations, and equations which denote
the relations between clocks or the relations between values.
In the OCaml code, we consider also inputs and outputs as
guarded actions in S-CGA. The immediate guarded action is
split into init(xˆ) ⇒ x = τ and γ ⇒ x = τ where init(xˆ) is not
6) An expression is said to be defined if all the variables it contains are
present.
in the guard γ. The assumption guard action is also defined in
the type action. We use another hash table ddes to deal with
the delay guarded action.
The corresponding OCaml code is given as follows.
(∗ immedia te , a s sumpt ion , ∗ )
(∗ i n p u t , and o u t p u t guarded a c t i o n s ∗ )
type a c t i o n=
Dass of sexp ∗ v a r ∗ sexp
| I n p u t of v a r ∗ s t r i n g
| Outpu t of s t r i n g
l e t a c t i o n 2 s t r = f u n c t i o n
| Dass ( se1 , sv2 , se2 ) −>
s e x p 2 s t r se1 ^ "=>" ^ v a r 2 s t r sv2
^ "=" ^ ( s e x p 2 s t r se2 )
| I n p u t ( sv , s ) −>
v a r 2 s t r sv ^ "=>" ^ " Read " ^ s
| Outpu t s −>
" Wr i t e " ^ s
(∗ i n i t p a r t o f immed ia t e guarded a c t i o n s ∗ )
l e t d ces=H a s h t b l . c r e a t e 1000
l e t h a s h 2 s t r 1 t l s = H a s h t b l . f o l d ( fun k v r −>
r ^ " \ n " ^ " i n i t ( " ^ s e x p 2 s t r k ^ " ) "
^ "=>" ^ k e q n 2 s t r v ) t l s " "
(∗ d e l a y guarded a c t i o n s ∗ )
l e t ddes=H a s h t b l . c r e a t e 1000
l e t rec v 2 s t r = f u n c t i o n
| KAss ( ( sv , k ) , e ) −>
" n e x t ( " ^ sv ^ " ) " ^ "=" ^ ( s e x p 2 s t r e )
| _ −> f a i l w i t h " v 2 s t r "
l e t h a s h 2 s t r 2 t l s =H a s h t b l . f o l d ( fun k v r −>
r ^ " \ n " ^ s e x p 2 s t r k^ "=>" ^ v 2 s t r v ) t l s " "
(2) From normalized program to S-CGA
Clock synchronization constraints are given in Table 3.
Except for the under-sampling construct, we also enhance
the clock synchronization of the deterministic-merging con-
struct. The construct x := x1 de f ault x2 will be split as two
assignments: x = x1 corresponding to the clock x̂1 and x = x2
corresponding to the clock ̂de f ___x2 = x̂2\x̂1. Namely, a
new clock variable ̂de f ___x2 is added. This enhancement
will be useful in the construction of the clock hierarchy to
avoid clock-to-data cycles (section 4.5).
Table 3 Extended synchronizations of each primitive construct
P
synchronizations o f P
in extended clock abstraction
x := f (x1, · · · , xn) xˆ = x̂1 = · · · = x̂n
x := x1 $ init c xˆ = x̂1
x := x1 when x2
xˆ = x̂1 ∧ ̂t___x2
̂t___x2 = x̂2 ∧ x2
x := x1 de f ault x2
xˆ = x̂1 ∨ x̂2
̂de f ___x2 = x̂2\x̂1
S-CGA expresses the relations between signals, including
the relations between clocks and the relations between val-
ues, which are consistent with the SIGNAL program. Thus,
in the OCaml code, the normalized program is transformed
into S-CGA by using two functions: trans_eqns_clkeqv and
attachEquation.
The function trans_eqns_clkeqv is used to construct the
clock equations from S-CGA. KAss((s, k),ex) considers the
three cases in the instantaneous function x := f (x1, · · · , xn).
The constructor KAssSig(s,es) deals with the primitive con-
structs delay, undersampling and deterministic merging.
Here, all the primitive constructs have been flattened.
l e t t r a n s _ e q n s _ c l k e q eqs =
un iq ( L i s t . c o n c a t ( L i s t . map (
f u n c t i o n
| KAss ( ( s , k ) , ex ) −>
begin match ex with
SVar ( s1 , K s i g n a l ) −>
[ Dass ( SVar ( " t r u e " , K s i g n a l ) ,
( s , Clock ) , SVar ( s1 , Clock ) ) ]
| SFunc ( f , [ ( s1 , k ) ] ) −>
[ Dass ( SVar ( " t r u e " , K s i g n a l ) ,
( s , Clock ) , SVar ( s1 , Clock ) ) ]
| SFunc ( f , [ ( s1 , k1 ) ; ( s2 , k2 ) ] ) −>
[ Dass ( SVar ( " t r u e " , K s i g n a l ) ,
( s , Clock ) , SVar ( s1 , Clock ) ) ;
Dass ( SVar ( " t r u e " , K s i g n a l ) ,
( s , Clock ) , SVar ( s2 , Clock ) ) ]
| _ −> [ ] (∗ i n c as e o f c o n s t a n t ∗ )
end
| KAssSig ( s , e s ) −>
begin match es with
KDelay ( s1 , e ) −>
[ Dass ( SVar ( " t r u e " , K s i g n a l ) ,
( s , Clock ) , SVar ( s1 , Clock ) ) ]
|KWhen( s1 , s2 ) −>
[ Dass ( SVar ( " t r u e " , K s i g n a l ) ,
( " t _ __ " ^ s2 , Clock ) ,
SFunc ( " and " , [ ( s2 , Clock ) ; ( s2 , K s i g n a l ) ] ) ) ;
Dass ( SVar ( " t r u e " , K s i g n a l ) , ( s , Clock ) ,
SFunc ( " and " , [ ( s1 , Clock ) ;
( " t _ __ " ^ s2 , Clock ) ] ) ) ]
| KDefau l t ( s1 , s2 ) −>
[ Dass ( SVar ( " t r u e " , K s i g n a l ) , ( s , Clock ) ,
SFunc ( " o r " , [ ( s1 , Clock ) ; ( s2 , Clock ) ] ) ) ;
Dass ( SVar ( " t r u e " , K s i g n a l ) ,
( " de f___ " ^ s2 , Clock ) ,
SFunc ( " d i f f " , [ ( s2 , Clock ) ; ( s1 , Clock ) ] ) ) ]
end
) eqs ) )
Moreover, the function attachEquation is used to construct
the relation between values from S-CGA.
l e t a t t a c h E q u a t i o n eqns=
L i s t . i t e r (
f u n c t i o n
| KAssSig ( s , e s ) −>
begin match es with
| KDelay ( s1 , se1 ) −>
H a s h t b l . add dc es ( SVar ( s , Clock ) )
( KAss ( ( s , K s i g n a l ) , se1 ) ) ;
(∗ i n i t ( ^ y )=>y=d ∗ )
H a s h t b l . add ddes ( SVar ( s , Clock ) )
( KAss ( ( s , K s i g n a l ) , SVar ( s1 , K s i g n a l ) ) )
(∗ ^ y=>n e x t ( y )= x ∗ )
| KDefau l t ( se1 , se2 ) −>
H a s h t b l . add c l s e q ( SVar ( se1 , Clock ) )
( KAss ( ( s , K s i g n a l ) , SVar ( se1 , K s i g n a l ) ) ) ;
H a s h t b l . add c l s e q ( SVar ( " de f___ " ^ se2 , Clock ) )
( KAss ( ( s , K s i g n a l ) , SVar ( se2 , K s i g n a l ) ) )
|KWhen ( se1 , se2 ) −>
H a s h t b l . add c l s e q ( SVar ( s , Clock ) )
( KAss ( ( s , K s i g n a l ) , SVar ( se1 , K s i g n a l ) ) )
end
| KAss ( ( s , k ) , ex ) as e −>
H a s h t b l . add c l s e q ( SVar ( s , Clock ) ) e ;
) eqns ;
c l s e q
4.4 Solving the clock equation system
We first introduce the resolution algorithm, then we present
how to compute clock equivalence classes to avoid multiple
definitions of a clock, and finally get a reduced clock equa-
tion system (namely reduced normal form) based on the clock
equivalence classes.
(1) Transformation to normal form
The clock equation system extracted from the S-CGA pro-
gram will be solved as a system of equations of the form
h = h1 〈op〉 h2 (which is also called normal form), to effi-
ciently check the presence of a clock. That’s why, for ex-
ample, if the equation system contains more than one equa-
tion with the same clock on the left side, the execution of the
generated code will check the same control condition several
times, which is inefficient. As shown in section 3.2, there
are also other problems that need to be dealt with, such as
clock-to-clock cycles and complex relations.
Given two sets NFS and UNFS, NFS is a set of normalized
clock equations, and UNFS is a set of unnormalized ones for
example complex relations. In NFS, each clock equation is
uniquely defined to avoid multiple definitions, and the clock
variable in the left-hand side (LHS) cannot be in the right-
hand side (RHS) to avoid clock-to-clock cycles.
Algorithm 1: Resolution of the clock equation system.
• Step 1: given any equation eq of the clock equation sys-
tem, replace the clock variables in both sides of eq with
the corresponding definition which has been defined in
NFS (if it has been defined), and we get the new equa-
tion eq’.
• Step 2: if the LHS of eq’ is a clock expression and its
RHS is a clock variable, then we reverse eq’.
• Step 3: if the LHS of eq’ is a clock variable, and it exists
in the RHS, then Step 5, else Step 6.
• Step 4: if both LHS and RHS of eq’ are clock expres-
sions, namely a complex relation, then Step 5.
• Step 5: put eq’ into UNFS, then Step 8.
• Step 6: put eq’ into NFS, then Step 7.
• Step 7: for each equation ceq in UNFS, replace the clock
variables of both sides of ceq with eq’, and we get a
new equation ceq’, if the LHS and the RHS of ceq’ are
equivalent, then we eliminate it from UNFS, else we add
it into UNFS.
• Step 8: repeating Step 1 - Step 7 until there is no equa-
tion in the clock equations system.
• Step 9: if UNFS is empty, then return NFS, else return a
refuse information.
The corresponding OCaml expression is given as follows.
Here, we have two lists UNFS and NFS. When we add a new
equation to the list NFS, we need to replace other equations
in NFS using the new one.
l e t c l e q s 2 n f a c t i o n l i s t =
l e t c l e q s l i s t = a c t i o n 2 c l e q s l i s t a c t i o n l i s t in
l e t n f e q n l i s t= s e q n 2 n f e q n l i s t c l e q s l i s t in
l e t ( unfs , n f s )=
L i s t . f o l d _ r i g h t (
fun ( NFAss ( c l , c l e x p ) ) ( unfs , n f s )−>
l e t l= n f s r e p l a c e n f s ( c l k 2 e x p c l )
and r= n f s r e p l a c e n f s c l e x p in
i f b a s i c l then
i f o c c u r s l r then
( a d d _ u n f s l r unfs , n f s )
e l s e
( a p p l y ( NFAss ( e x p 2 c l k l , r ) ) unfs ,
a d d _ n f s l r n f s )
e l s e i f b a s i c r then
i f o c c u r s r l then
( a d d _ u n f s r l unfs , n f s )
e l s e
( a p p l y ( NFAss ( e x p 2 c l k r , l ) ) unfs ,
a d d _ n f s r l n f s )
e l s e
( a d d _ u n f s l r unfs , n f s )
) n f e q n l i s t ( [ ] , [ ] )
in
i f u n f s = [ ] then
n f s
e l s e
f a i l w i t h ( " c l e q s 2 n f  c a n n o t  s o l v e  t h e  sys tem " )
In the SIGNAL compiler, the clock analysis mainly relies
on a Boolean abstraction of programs, internally represented
as BDDs or SMTs for an efficient reasoning. In the Step 7,
we reuse BDD technology to check the equivalence between
LHS and RHS of a complex relation in UNFS.
(2) Computing clock equivalence class
As mentioned above, each clock equation is uniquely de-
fined in NFS to avoid multiple definitions. Here all the clock
equations are considered as boolean equations, so we reuse
the BDD technology to check the equivalence of boolean
equations, and put the corresponding clock variables into the
same equivalence class.
The OCaml expression is given as follows. Every boolean
equation has a unique BDD representation (exp2bdd), which
corresponds to an equivalence class. Moreover, we use a hash
table (esmap) to save the corresponding relations between
equivalence class and the clock variables it contains.
l e t rec e q _ c l a s s _ e x p=
f u n c t i o n
| NFVar ( sv , k1 ) as e −>
l e t i d=Clockeq2nf . e x p 2 q u o t i e n t e in
H a s h t b l . r e p l a c e esmap ( e x p 2 c l k e ) i d
| NFFunc ( f , [ ce ] ) −> e q _ c l a s s _ e x p ce
| NFFunc ( f , [ ce1 ; ce2 ] ) −>
e q _ c l a s s _ e x p ce1 ; e q _ c l a s s _ e x p ce2
| _ −> f a i l w i t h " e q _ c l a s s _ e x p "
l e t c p t _ e q _ c l a s s c l e q s l i s t = L i s t . i t e r (
f u n c t i o n
NFAss ( c l , c l e x p ) −> l e t i d =
Clockeq2nf . e x p 2 q u o t i e n t c l e x p in
H a s h t b l . r e p l a c e esmap c l i d ;
e q _ c l a s s _ e x p c l e x p ;
)
(3) Getting reduced normal form
To further efficiently check the presence of a clock, we use
the identity of the equivalence class to replace the clock vari-
ables in the normal form, and we just preserve one equation
for one identity. This form is called reduced normal form.
Here, we give the abstract syntax of the reduced normal form
in OCaml.
type c l a s s i d=
C l a s s i d of UseBDD .BDD. t
type c l a s s e x p r=
C C l a s s i d of UseBDD .BDD. t
| N o t c l of c l a s s e x p r
| Andcl of c l a s s e x p r ∗ c l a s s e x p r
| O rc l of c l a s s e x p r ∗ c l a s s e x p r
| D i f f c l of c l a s s e x p r ∗ c l a s s e x p r
type c l a s s e q s = ( c l a s s i d , c l a s s e x p r ) H a s h t b l . t
4.5 Hierarchical representation of clock equations
Before the construction of clock hierarchy, we add two steps,
i.e., associating actions to the clock equivalence class and de-
terministic sorting.
(1) Associating actions to the clock equivalence class
The construction of clock hierarchy is based on the re-
duced normal form, that is each node of the clock hierarchy is
an identity of a clock equivalence class. As well, we associate
the actions, such as inputs, outputs and value assignments, to
each clock equivalence class.
Compared with other constructs, the delay construct is a
dynamic operator since the properties induced on the signals
refer to different values of time indexes, so we can’t asso-
ciate its actions statically to the clock equivalence class (it
will be dealt with in the step of code generation). As shown
in section 4.3, the construct x := x1 de f ault x2 will be split
as two assignments: x = x1 and x = x2. The construct
x := x1 when x2 is translated into a unique assignment x = x1
in the equivalence class of xˆ.
The OCaml expression is given as follows.
l e t c l s e q=H a s h t b l . c r e a t e 1000
l e t ddes=H a s h t b l . c r e a t e 1000
l e t dce s=H a s h t b l . c r e a t e 1000
l e t a t t a c h E q u a t i o n eqns=
L i s t . i t e r (
f u n c t i o n
| SAssSig ( s , e s ) −>
begin match es with
| SDelay ( s1 , se1 ) −>
H a s h t b l . add ddes ( SAssSig ( s , e s ) )
( SAssSig ( s , e s ) )
| S D e f a u l t ( se1 , se2 ) −>
l e t i d 1=H a s h t b l . f i n d ( C p t _ e q c l a s s . esmap )
( Hat ( se1 ) ) in
l e t i d 2=H a s h t b l . f i n d ( C p t _ e q c l a s s . esmap )
( Hat ( " de f___ " ^ se2 ) ) in
H a s h t b l . add c l s e q i d 1 ( SAss ( s , S I d e n t ( se1 ) ) ) ;
H a s h t b l . add c l s e q i d 2 ( SAss ( s , S I d e n t ( se2 ) ) ) ;
H a s h t b l . add dces ( SAss ( s , S I d e n t ( se1 ) ) )
( SAss ( s , S I d e n t ( se1 ) ) ) ;
H a s h t b l . add dces ( SAss ( s , S I d e n t ( se2 ) ) )
( SAss ( s , S I d e n t ( se2 ) ) )
| SWhen ( se1 , se2 ) −>
l e t i d 1=H a s h t b l . f i n d ( C p t _ e q c l a s s . esmap )
( Hat ( s ) ) in
H a s h t b l . add c l s e q i d 1 ( SAss ( s , S I d e n t ( se1 ) ) ) ;
H a s h t b l . add dc es ( SAss ( s , S I d e n t ( se1 ) ) )
( SAss ( s , S I d e n t ( se1 ) ) )
end
| SAss ( s , ex ) as e −>
l e t i d 1=H a s h t b l . f i n d ( C p t _ e q c l a s s . esmap )
( Hat ( s ) ) in
H a s h t b l . add c l s e q i d 1 e ;
H a s h t b l . add dc es e e
) eqns ;
c l s e q
l e t p l _ a t t a c h e q p l=L i s t . map (
f u n c t i o n
SProc ( n , i s , os , eqns , ws ) −>
i n p u t := ! i n p u t @ i s ;
o u t p u t := ! output@os ;
l e t c l s= a t t a c h E q u a t i o n eqns in
c l s
) p l
(2) Deterministic sorting
The code generation is based on both the clock hierarchy
and the conditional data dependencies. However, there may
be clock-to-data cycles when we combine the two intermedi-
ate representations. To cut the cycles, we first sort the clock
relations defined by the reduced normal form and the data
dependencies represented by the actions (such as inputs, out-
puts, and value assignments) which have been associated to
the clock equivalence classes, then we can get a total order
for the clock hierarchy because of the endochrony property.
The OCaml expression is given as follows. We use three
values -1, 0, 1 to express the order between two equations for
example eq1 and eq2, if eq1 is executed before eq2, then it
returns -1, if eq1 is executed after eq2, then it returns 1, else it
returns 0. The sorting principle is defined as, for example, if
the LHS of eq1 exists in the RHS of eq2, then eq1 is executed
after eq2, if the LHS of eq2 exists in the RHS of eq1, then eq1
is executed before eq2.
type s a c t i o n=
| Dass of s t r i n g ∗ sexp
| Cass of c l a s s i d ∗ c l a s s e x p r
| I n p u t of s t r i n g
| Outpu t of s t r i n g
l e t act_comp a c t 1 a c t 2=
i f a c t 1=a c t 2 then 0
e l s e
match ( ac t1 , a c t 2 ) with
| ( Dass ( s1 , e1 ) , Dass ( s2 , e2 ) ) −>
i f v a r _ i n _ s e x p s1 e2 then −1
e l s e i f v a r _ i n _ s e x p s2 e1 then 1
e l s e compare a c t 1 a c t 2
| ( Dass ( s1 , e1 ) , Cass ( C l a s s i d c l2 , c l e 2 ) ) −>
i f v a r _ i n _ c l a s s e x p r s1 c l e 2 then −1
e l s e i f s e x p _ i n _ c l a s s i d c l 2 e1 then 1
e l s e compare a c t 1 a c t 2
| ( Cass ( c l1 , c l e 1 ) , Cass ( c l2 , c l e 2 ) ) −>
i f c l a s s i d _ i n _ c l a s s e x p r c l 1 c l e 2 then −1
e l s e i f c l a s s i d _ i n _ c l a s s e x p r c l 2 c l e 1 then 1
e l s e compare a c t 1 a c t 2
| ( Cass ( C l a s s i d c l1 , c l e 1 ) , Dass ( s2 , e2 ) ) −>
i f s e x p _ i n _ c l a s s i d c l 1 e2 then −1
e l s e i f v a r _ i n _ c l a s s e x p r s2 c l e 1 then 1
e l s e compare a c t 1 a c t 2
| ( I n p u t s1 , I n p u t s2 ) −> compare s1 s2
| ( I n p u t s1 , _ ) −> −1
| ( _ , I n p u t s2 ) −> 1
| ( Outpu t s1 , Outpu t s2 ) −> compare s1 s2
| ( Outpu t s1 , _ ) −> 1
| ( _ , Outpu t s2 ) −> −1
(3) Construction of a clock hierarchy
It will be easier to construct a clock hierarchy based on
the deterministic sorting. Here we consider the sorting as a
depth first search (DFS) order. However, the resulting tree-
based representation of the equation systems over clocks can
be optimized in the sense that the insertion step during the
fusion chooses a parent with greatest depth, i.e., insertion as
deep as possible.
As shown in Fig.2, according to the algorithm [36] that
has been implemented in the compiler, C5 will be inserted
at the right side of C4, C2, C4 and C5 have the same parent
node C. If there exists clock inclusion C5 ⇒ C4, we can
insert C5 as a son node of C4 and at the right side of C42.
As shown in section 4.3, we have considered the condition-
clocks ([x], [¬x]) as white boxes, so here we can get more
precise clock inclusion relations. Moreover, when we insert
C5, all the actions which are executed before C5 have been
inserted into the hierarchy, so there is a limit branch of which
we can just insert the new node into the right side. To insert as
deep as possible, we can check the clock inclusion relations
between C5 and all the nodes which are executed after this
limit branch.
Figure 2 Optimization of the clock hierarchy
We give the basic algorithm as follows.
Algorithm 2: Construction of a clock hierarchy.
• Step 1: get an element from the sorted list.
• Step 2: if the current element is an equation from re-
duced normal form, namely it is the relation between
clock equivalence classes, we find its limit branch on
the hierarchy, and find a good insertion place based on
clock inclusions, then create a new node for the equiva-
lence class of the LHS of the equation.
• Step 3: if the current element is an action such as an
input, an output, or a value assignment, we find the cor-
responding equivalence class which has been inserted in
the hierarchy, and insert this action to the action list of
the corresponding equivalence class (here we don’t need
to sort the action list, because they have been sorted in
the sorting list).
• Step 4: Repeating Step 1- Step 3, until there is no ele-
ment in the sorting list.
4.6 Code generation and optimization
Here, the basic idea of code generation (Fig.3) is as in the
SIGNAL compiler: it is strongly guided by the clock hierar-
chy resulting from the clock calculus to structure the target
language program, and by the data dependencies not only to
locally order elementary operations in sequences, but also to
schedule component activations in a hierarchical target code.
However, all the actions have been added in the clock hierar-
chy, so the code generation become simpler. Moreover, the
generated code can be more optimized because of previous
enhancements. Furthermore, we can also do some optimiza-
tions based on clock inclusions at the generated code level.
Figure 3 Sequential code generation from SIGNAL programs
5 Related Work
We discuss in this section some related studies about two as-
pects: enhancements of the SIGNAL compilation process and
validation of the SIGNAL compilation process.
5.1 Enhancements of the SIGNAL compilation process
In the SIGNAL compiler, the control flow expressed by ab-
stract clocks serves to derive a control structure in automatic
code generation. Thus, the quality of clock calculus has a
strong impact on the correctness and efficiency of implemen-
tations. There is some research about the enhancement of the
clock calculus of synchronous languages.
In [10], the authors denote that there is a limitation of
the clock calculus of the SIGNAL compiler, that is the SIG-
NAL compiler does not fully handle numerical expressions.
This has a strong impact on the analysis precision and on
the quality of generated code. Thus, the authors propose a
new clock abstraction, that is combined numerical-Boolean
abstraction, to eliminate this problem. In the new abstrac-
tion, every signal in a program is associated with a pair of the
form (clock, value), where clock is a Boolean function and
value is a Boolean or numeric function. They also use a SMT
(Satisfiability Modulo Theory) solver to reason on the new
abstraction.
With the same purpose, in [11] and [12], an interval-based
data structure referred to as Interval-Decision Diagram (IDD)
is considered for the analysis of numerical properties in SIG-
NAL programs.
In [37], the authors address the static analysis and code
generation for applications defined in MRICDF (Multi-Rate
Instantaneous Channel Connected Data Flow), which is a
visual actor-oriented polychronous formalism, strongly in-
spired by SIGNAL. The static analysis in MRICDF also relies
on a Boolean encoding of specifications, thus ignoring non-
Boolean properties. Moreover, a SMT-based implementation
of this static analysis is proposed as an efficient alternative to
the initial implementation using a prime implicant generator.
5.2 Validation of the SIGNAL compilation process
For a safety-critical system, it is naturally required that
the compiler must be formally verified as well to ensure
that the source program semantics is preserved. There are
many approaches to gain assurance that the transformation or
the translation of a specification or a program is semantic-
preserving. This can be done by directly building a theorem-
prover-verified compiler [38,39], by using translation valida-
tion [32, 40], proof-carrying code [41], semantics-anchoring
method [42, 43], etc.
A. Pnueli et al. propose the approach of translation vali-
dation to verify the code generator of SIGNAL [32]. In that
work, the authors define a language of symbolic models to
represent both the source and target programs, called Syn-
chronous Transition Systems (STS). A STS is a set of logic
formulas which describe the functional and temporal con-
straints of the whole program and its generated code. Then
they use BDD (Binary Decision Diagrams) representations to
implement the symbolic STS models, and their proof method
uses a SAT-solver to reason on the signal constraints. The
drawback of this approach is that it does not capture explic-
itly the clock semantics and in some cases, the code generator
eliminates the use of a local register variable in the generated
code and then, the mapping cannot be established. Addition-
ally, for a large program, the formula is very large, including
numerical expressions that make some inefficiency. More-
over, the whole calculation of a synchronous program or the
generated code is considered as one atomic transition in STS,
thus it does not capture the data dependencies between sig-
nals and does not explicitly prove the preservation of abstract
clocks in the compiler transformations.
In [44], the authors adopt translation validation to for-
mally verify that the clock semantics and data dependence are
preserved during the compilation of the SIGNAL compiler.
They represent the clock semantics, the data dependence of
a program and its transformed counterpart as first-order for-
mulas which are called Clock Models and Synchronous De-
pendence Graphs (SDGs) respectively. Then they introduce
clock refinement and dependence refinement relations which
express the preservations of clock semantics and dependence,
as a relation on clock models and SDGs respectively. Finally,
a SMT-solver is used for checking the existence of the correct
transformation relations.
In the work of [45], the authors encode the source SIG-
NAL programs and their transformations with Polynomial
Dynamical Systems (PDSs), and prove that the transforma-
tions preserve the abstract clocks and clock relations of the
source programs. By using simulation based on model check-
ing techniques, this approach suffers from the increasing of
the state-space when it deals with large programs.
These existing research mainly use the method of trans-
lation validation. However, translation validation treats the
compiler as a "black box", namely it checks the input and out-
put of each program transformation to validate the semantics
preservation. So it yields that one need to redo the validation
when the source program is changed.
In this paper, the OCaml implementation is a basis for the
formal verification of the compilation of SIGNAL with a the-
orem prover. This work would be reused by ones interested
in experimenting a new strategy for clock calculus and exper-
imenting a new proof technique for the correctness of clock
calculus. Actually, in [21], we have started the proof of se-
mantics preservation of the front-end of our compiler, which
is mechanized in the theorem prover Coq.
6 Conclusion and Future Work
This paper presents a simple and safe compiler, called
MinSIGNAL, from a subset of the synchronous dataflow
language SIGNAL to C, as well as its existing enhance-
ments. For the community of statically typed functional
languages, usual arguments on quality, safety and efficiency
about code written in OCaml are well known and accepted for
a long time. Thus, OCaml is used for the implementation of
MinSIGNAL. An analysis of the SIGNAL compilation pro-
cess and the existing enhancements are first given. Then, the
compiler MinSIGNAL is presented step by step in details.
This work is a basis for the formal verification of the compi-
lation of SIGNAL with a theorem prover such as Coq.
In [21], we have started the proof of semantics preserva-
tion of the front-end of our compiler, which is mechanized in
the theorem prover Coq. Moreover, we have given the back-
end of the compiler, including sequential code generation and
multi-threaded code generation with time-predictable proper-
ties. With the rising importance of multi-core processors in
safety-critical embedded systems or cyber-physical systems
(CPS), there is a growing need for model-driven generation
of multi-threaded code and thus mapping on multi-core. We
are currently working on the proof of semantics preservation
of the back-end of our compiler.
Acknowledgements This work is supported in part by the National Nat-
ural Science Foundation of China under Grant 61502231, the National De-
fense Basic Scientific Research Project under Grant JCKY2016203B011, the
Natural Science Foundation of Jiangsu Province under Grant BK20150753,
the Project of the State Key Laboratory of Software Development Environ-
ment of China under Grants SKLSDE-2015KF-04, the Avionics Science
Foundation of China under Grant 2015ZC52027, China Postdoctoral Science
Foundation, and the Open Project of Shanghai Key Laboratory of Trustwor-
thy Computing under Grant 07dz22304201502, and the RTRA STAE Foun-
dation in France (http://www.fondation-stae.net/).
References
1. Harel D, Pnueli A. On the development of reactive systems. Logics and
Models of Concurrent Systems,1989, F(13):477-498.
2. Castéran P, Bertot Y. Interactive theorem proving and program devel-
opment: Coq’Art: The Calculus of inductive constructions. 2004.
3. Potop-Butucaru D, De Simone R, Talpin J P. The synchronous hypoth-
esis and synchronous languages. The Embedded Systems Handbook,
2005, 1-21.
4. Boussinot F, De Simone R. The Esterel language. Proceedings of the
IEEE, 1991, 79(9): 1293-1304.
5. Halbwachs N, Caspi P, Raymond P, Pilaud D. The synchronous data-
flow programming language Lustre. Proceedings of the IEEE, 1991,
79(9):1305-1320.
6. Benveniste A, Le Guernic P, Jacquemot C. Synchronous programming
with events and relations: the Signal language and its semantics. Sci-
ence of Computer Programming, 1991, 16(2):103-149.
7. Schneider K. The synchronous programming language QUARTZ. In-
ternal report, Department of Computer Science, University of Kaiser-
slautern, Germany, 2010.
8. Teehan P, Greenstreet M, Lemieux G. A Survey and Taxonomy of
GALS Design Styles. IEEE Design and Test of Computers, 2007,
24(5):418-428.
9. Benveniste A, Caillaud B, Le Guernic P. From synchrony to asyn-
chrony. In: Proceedings of International Conference on Concurrency
Theory. 1999, 162-177.
10. Feautrier P, Gamatié A, Gonnord L. Enhancing the Compilation of
Synchronous Dataflow Programs with a Combined Numerical-Boolean
Abstraction. Technical Report 2nd Version, July 2013.
11. Gamatié A, Gautier T, Le Guernic P. Towards Static Analysis of SIG-
NAL Programs using Interval Techniques. In: Proceedings of Syn-
chronous Languages, Applications, and Programming. 2006.
12. Gamatié A, Gautier T, Besnard L. An Interval-Based Solution for Static
Analysis in the SIGNAL Language. In: Proceedings of Engineering of
Computer Based Systems. 2008, 182-190.
13. Dijkstra E W. Guarded Commands, Nondeterminacy and For-
mal Derivation of Programs. Communications of The ACM, 1975,
18(8):453-457.
14. Brandt J, Gemunde M, Shukla S K, Talpin J P. Integrating system de-
scriptions by clocked guarded actions. In: Proceedings of Forum on
Specification and Design Languages. 2011, 1-8.
15. Brandt J, Schneider K. Separate translation of synchronous programs
to guarded actions. Internal Report 382/11, Department of Computer
Science, University of Kaiserslautern, 2011.
16. Brandt J, Schneider K, Shukla S K. Translating concurrent action ori-
ented specifications to synchronous guarded actions. In: Proceedings
of the ACM SIGPLAN/SIGBED 2010 conference on Languages, com-
pilers, and tools for embedded systems. 2010, 47-56.
17. Edwards S A, Tardieu O. SHIM: a deterministic model for heteroge-
neous embedded systems. IEEE Transactions on Very Large Scale In-
tegration Systems, 2006, 14(8):854-867.
18. Brandt J, Gemunde M, Schneider K, Shukla A K, Talpin J P. Rep-
resentation of synchronous, asynchronous, and polychronous compo-
nents by clocked guarded actions. Design Automation for Embedded
Systems, 2014, 18:63-97.
19. Esprit project: Safety Critical Embedded Systems SACRES. The
declarative code DC+, version 1.4. Technical report, IRISA, novem-
ber 1997.
20. Yang Z B, Bodeveix J P, Filali M, Hu K, Ma D F. A verified transfor-
mation: from polychronous programs to a variant of clocked guarded
actions. In: Proceedings of the 17th International Workshop on Soft-
ware and Compilers for Embedded Systems. ACM, 2014,128-137.
21. Yang Z B, Bodeveix J P, Filali M, Hu K, Zhao Y W, Ma D F. Towards
a verified compiler prototype for the synchronous language SIGNAL.
Frontiers of Computer Science, 2016, 10(1): 37-53.
22. RTCA/DO-178B Software Considerations in Airborne Systems and
Equipment Certification. 1992.
23. RTCA/DO-178C Software Considerations in Airborne Systems and
Equipment Certification.2011.
24. Pouzet M. Lucid Synchrone, version 3. Tutorial and reference manual.
Université Paris-Sud, LRI.2016.
25. Forget J. A synchronous language for critical embedded systems with
multiple real-time constraints. Ph.D. dissertation, 2009.
26. Pagano B, Andrieu O, Moniot T, Canou B, Chailloux E, Wang P,
Manoury P, Colaço J L. Using Objective Caml to Develop Safety-
Critical Embedded Tools in a Certification Framework. In: Proceed-
ings of the 14th ACM SIGPLAN international conference on Func-
tional programming, 2009, 215-220.
27. Cousot P, Cousot R, Feret J, Mauborgne L, Miné A, Monniaux D, Rival
X. The ASTRÉE analyzer. In: Proceedings of the 14th European Sym-
posium on Programming, volume 3444 of Lecture Notes in Computer
Science. 2005: 21-30.
28. Besnard L, Gautier T, Le Guernic P. SIGNAL V4 Reference Manual,
2010.
29. Gamatié A. Designing embedded systems with the Signal program-
ming language: synchronous, reactive specification. Springer Science
and Business Media, 2009.
30. Le Guernic P, Gautier T. Data-Flow to von Neumann: the Signal ap-
proach. Advanced Topics in Data-Flow Computing, 1991, 413-438.
31. Le Guernic P, Talpin J P, Le Lann J C. Polychrony for system design.
Journal of Circuits, Systems, and Computers, 2003, 12(03): 261-303.
32. Pnueli A, Siegel M, Singerman E. Translation validation. In: Proceed-
ings of International Conference on Tools and Algorithms for the Con-
struction and Analysis of Systems. Springer Berlin Heidelberg, 1998,
151-166.
33. Talpin J P, Brandt J, Gemunde M, Schneider K, Shukla S K. Construc-
tive polychronous systems. In: Proceedings of International Sympo-
sium on Logical Foundations of Computer Science. Springer Berlin
Heidelberg, 2013, 335-349.
34. Brandt J, Gemunde M, Schneider K, Shukla S K, Talpin J P. Embed-
ding polychrony into synchrony. IEEE Transactions on Software Engi-
neering, 2013, 39(7): 917-929.
35. Yang Z B, Bodeveix J P, Filali M. A comparative study of two formal
semantics of the SIGNAL language. Frontiers of Computer Science,
2013, 7(5): 673-693.
36. Amagbegnon T, Besnard L, Le Guernic P. Arborescent canonical form
of boolean expressions. Irisa, 1994.
37. Jose B A, Gamatié A, Ouy J, Shukla S K. SMT based false causal
loop detection during code synthesis from polychronous specifications.
In: Proceedings of 9th IEEE/ACM International Conference on Formal
Methods and Models for Codesign (MEMOCODE), 2011, 109-118.
38. Leroy X. Mechanized semantics for compiler verification. In: Proceed-
ings of International Conference on Certified Programs and Proofs.
2012, 4-6.
39. Leroy X. Formal verification of a realistic compiler. Communications
of the ACM, 2009, 52(7): 107-115.
40. Necula G C. Translation validation for an optimizing compiler. ACM
SIGPLAN notices. ACM, 2000, 35(5): 83-94.
41. Necula G C. Proof-carrying code. In: Proceedings of the 24th ACM
SIGPLAN-SIGACT symposium on Principles of programming lan-
guages. 1997, 106-119.
42. Chen K, Sztipanovits J, Abdelwalhed S, Jackson E. Semantic anchor-
ing with model transformations. In: Proceedings of European Con-
ference on Model Driven Architecture-Foundations and Applications.
2005, 115-129.
43. Narayanan A, Karsai G. Using semantic anchoring to verify behavior
preservation in graph transformations. Electronic Communications of
the EASST, 2006, 4.
44. Talpin J P, Gautier T, Le Guernic P, Besnard L. Formal verification of
synchronous data-flow program transformations toward certified com-
pilers. Frontiers of Computer Science, 2013, 7(5): 598-616.
45. Talpin J P, Gautier T, Le Guernic P, Besnard L. Formal verification of
compiler transformations on polychronous equations. In: Proceedings
of International Conference on Integrated Formal Methods. 2012, 113-
127.
Dr. Zhibin YANG is an associate pro-fessor at Nanjing University 
of Aero-nautics and Astronautics, China. He received his PhD 
degree in Computer Science from Beihang University, Bei-jing, 
China in February 2012. From April 2012 to December 2014, he 
was a Postdoc in IRIT of University of
Toulouse, France. His research interests include safety-critical real-
time system, formal verification, AADL, and synchronous lan-
guages.
Dr. Jean-Paul BODEVEIX received a PhD of Computer 
Science from the University of Paris-Sud 11 in 1989. He has been 
assistant professor at University
 of Toulouse III since 1989 and is now Professor of computer 
science since 2003. His main research inter-ests concern formal 
specifications, automated and
assisted verification of protocols as well as of proof en-vironments. 
He has participated in European and national projects related to 
these domains. His current activities are linked to real time 
modeling and verification either via model checking techniques or at 
the semantics level.
Dr. Mamoun FILALI is a full time researcher at CNRS (Centre 
National de la Recherche Scientifique). His main research interests 
concern the certified development of embedded systems. He is 
concerned by formal methods, model checking and theorem 
proving. During the last years, he has been mainly involved 
in the french nationwide TOPCASED project where he was 
concerned by the verification topic. He has also participated to the 
proposal of the AADL behavioral annex which has been been 
adopted as part of the AADL SAE standard.
