Polychrony for Formal Refinement-Checking in a System-Level Design Methodology by Talpin, Jean-Pierre et al.
Polychrony for Formal Refinement-Checking in a
System-Level Design Methodology
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, R.K. Gupta, Fre´de´ric
Doucet
To cite this version:
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, R.K. Gupta, Fre´de´ric Doucet. Poly-
chrony for Formal Refinement-Checking in a System-Level Design Methodology. Third Inter-
national Conference on Application of Concurrency to System Design (ACSD ’03), Jun 2003,
Guimara˜es, Portugal. IEEE Computer Society, pp.9-19, 2003. <hal-00542156>
HAL Id: hal-00542156
https://hal.archives-ouvertes.fr/hal-00542156
Submitted on 1 Dec 2010
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
Polychrony for Formal Renement-Checking in a System-Level
Design Methodology
Jean-Pierre Talpin
1
, Paul Le Guernic
1
, Sandeep Kumar Shukla
2
,
Rajesh Gupta
3
, Frederic Doucet
3
1
Inria/Irisa,
2
Virgina Tech,
3
UC San Diego
Abstract
The productivity gap incurred by the rising complex-
ity of system-on-chip design have necessitated newer
design paradigms to be introduced based on system-
level design languages. A gating factors for widespread
adoption of these new paradigms is a lack of formal
tool support of renement based design. A system
level representation may be rened manually (in ab-
sence of adequate behavioral synthesis algorithms and
tools) to obtain an implementation, but proving that
the lower level representation preserves the correctness
proved at higher level models is still an unsolved prob-
lem. We address the issue of formal renement proofs
between design abstraction levels using the concepts
of polychronous design. Renement of synchronous
high-level designs into globally asynchronous and lo-
cally synchronous architectures is formally supported
in this methodology. The polychronous (i.e. multi-
clocked) model of the Signal design language oers
formal support for the capture of behavioral abstrac-
tions for both very high-level system descriptions (e.g.
SystemC/SpecC) and behavioral-level Ip components
(e.g. Vhdl). Its platform, Polychrony, provides
models and methods for a rapid, renement-based, in-
tegration and a formal conformance-checking of Gals
hardware/software architectures. We demonstrates the
eectiveness of our approach by the experimental, com-
parative, case study of an even-parity checker design in
SpecC. It highlights the benets of the formal models,
methods and tools provided in Polychrony, in rep-
resenting functional, architectural, communication and
implementation abstractions of the design, and the suc-
cessive renements.
1 Introduction
Rising complexities and performances of integrated
circuits and systems, shortening time-to-market de-
mands for electronic equipments, growing installed
bases of intellectual property, requirements for adapt-
ing existing Ips with new services, all stress high-level
design as a prominent research topic and call for the
development of appropriate methodological solutions.
In this aim, system design based on the so-called \syn-
chronous hypothesis" consists of abstracting the non-
functional implementation details of a system away and
let one benet from a focused reasoning on the logics
behind the instants at which the system functionali-
ties should be secured. From this point of view, syn-
chronous design models [13] and languages [5] provide
intuitive models for integrated circuits. This aÆnity
explains the ease of generating synchronous circuits
and verify their functionalities using compilers and re-
lated tools that implement this approach.
In today's multi-Giga-hertz SoC designs, the clock
period is so small that clocking across the chip in a syn-
chronous manner is a challenge. Hence newer SoC de-
signs need to be globally asynchronous and locally syn-
chronous (Gals). The relational model of the Poly-
chrony
1
design platform [13] goes beyond the domain
of purely synchronous circuits to embrace the context
of architectures consisting of synchronous circuits and
desynchronization protocols: Gals architectures. The
unique features of this model are to provide the notion
of polychrony: the capability to describe multi-clocked
(or partially clocked) circuits and systems; and to sup-
port formal design renement, from the early stages of
requirements specication, to the later stages of syn-
thesis and deployment, and by using formal verication
techniques.
In practice, a multi-clocked system description is of-
ten the representation or the abstraction of an asyn-
chronous system or of a Gals architecture. In system-
level design, the asynchronous implementation of a sys-
tem is obtained through the renement of its descrip-
tion toward hardware-software co-design. However,
1
Available from http://www.irisa.fr/espresso/Polychrony .
1
clocks are often left unspecied at the functional level,
and no choice on a master clock is made at the archi-
tectural level. As communication and implementation
layers are reached, however, multiple clocks might be
a way of life. In the polychronous model of compu-
tation (MoC), one can actually design a system with
partially ordered clocks and rene it to obtain master-
clocked components integrated within a multi-clocked
architecture, while preserving the functional properties
of the original high-level design, thanks to the formal
verication methodology provided by the formal theory
(model and theorems) of polychronous signals.
In the present article, we put the principles of poly-
chronous design to work in the context of the emerging
high-level languages such as SystemC/SpecC [11, 19,
20] by studying the renement of a high-level specica-
tion, the even-parity checker (Epc) toward its imple-
mentation Our goal is to derive automatically veriable
conditions on specications under which renement-
based design principles work. In other words, we seek
toward tools and methodologies to allow to take a high-
level SystemC/SpecC specication and to rene it in
a semantic-preserving manner into a Gals implemen-
tation. We focus on a simple case study to illustrate
our methodology and we show how the specication
of the Epc in SpecC can be rened toward a Gals
implementation with the help of Polychrony.
2 An informal introduction to Signal
In Signal, a process P consists of the composition
of simultaneous equations over signals. A signal x 2 X
describes a possibly innite ow of discretely-timed val-
ues v 2 V . An equation x = fy denotes a relation
between a sequence of operands y and a sequence of
results x by a process f 2 F . Synchronous composi-
tion P j Q consists of considering a simultaneous solu-
tion of the equations P and Q at any time. Signal
requires three primitive processes: pre , to reference
the previous value of a signal in time; when , to sample
a signal; and default , to deterministically merge two
signals (and provides, e.g. negation not , equality eq ,
etc).
P ::=x = f y j P j Q j P =x
f 2 F  f pre v j v 2 Vg [ fwhen ; default ; : : :g
The equation x = pre v y initially denes x by v and
then by the previous value of y in time (tags t
1
; t
2
; t
3
denote instants).
y : (t
1
; v
1
) (t
2
; v
2
) (t
3
; v
3
) : : :
pre v y : (t
1
; v) (t
2
; v
1
) (t
3
; v
2
) : : :
The equation x = y when z denes x by y when z is
true.
y : (t
1
; v
1
) (t
2
; v
2
) (t
3
; v
3
) : : :
z : (t
2
; tt) (t
3
; ff) (t
4
; tt) : : :
y when z : (t
2
; v
2
) : : :
The equation x = y default z denes x by y when y is
present and by z otherwise.
y : (t
2
; v
2
) (t
3
; v
3
) : : :
z : (t
1
; v
1
) (t
3
; w
3
) : : :
y default z : (t
1
; v
1
) (t
2
; v
2
) (t
3
; v
3
) : : :
We exemplify the equational/relational design model
of Signal by considering the denition of a counting
process: Count. It accepts an input event reset and de-
livers the integer output val. A local counter, initialized
to 0, stores the previous value of val (equation counter
:= pre 0 val). When the event reset occurs, val is reset
to 0 (i.e. (0 when reset)). Otherwise, counter is in-
cremented (i.e. (counter + 1)). The activity of Count
is governed by the clock of its output val, which diers
from that of its input reset: Count is multi-clocked.
process Count= (? event reset ! integer val)
(j counter:= pre 0 val
j val:= (0 when reset) default (counter + 1)
j) where integer counter; end;
3 A model of polychronous signals
Starting from the model of tagged signals of Lee et
al. [12, 6], we give the tagged model of polychronous
signals [13] for the formal study of protocol properties.
We consider a set of boolean and integer values v 2 V
to represent the operands and results of computations.
A tag t 2 T, denotes an instant. The dense set T
is equipped with a partial order relation  to denote
synchronization and causal relations. The subset T 
T of a given process is chosen to be a semi-lattice (T ;
; 0). A chain C 2 C is a totally ordered subset of T.
t
1
= t
3
n
t
1
<t
2
z }| {
x
tt
x
ff
x
tt
x
0
x
1
x
0
x
1
x
0
x
tt
x
tt
x
tt
o
t
3
67 t
4
Figure 2. A behavior b as a map from names
to partially ordered tags and values
2
[[x := pre v y]]=

b 2 Bj
x;y




tags(b(x)) = tags(b(y)) = C 2 C n ;; b(x)(min(C)) = v
8t 2 C nmin(C); b(x)(t) = b(y)(pred
C
(t))

[f0j
x;y
g
[[x := ywhen z]]=

b 2 Bj
x;y;z




tags(b(x)) = ft 2 tags(b(y)) \ tags(b(z)) j b(z)(t) = ttg
8t 2 tags(b(x)); b(x)(t) = b(y)(t)

[[x := y default z]]=

fb 2 Bj
x;y;z




tags(b(y)) [ tags(b(y)) = tags(b(x)) = C 2 C
8t 2 C; b(x)(t) = if t 2 tags(b(y)) then b(y)(t) else b(z)(t)

Figure 1. Denotation of elementary Signal equations
Denition 1 (events, signals and behaviors) An
event e 2 E = T  V relates a tag and a value. A
signal s 2 S = T * V is a partial function relating
a chain of tags to a set of values. We write tags(s)
for the domain of s. A behavior b 2 B = X * S is a
partial function from signal names x 2 X to signals
s 2 S.
We write vars(b) for the domain of b and tags(b) =
[
x2vars(b)
tags(b(x)) for its tags. Hence, the informal
sentence \x is present at t in b" is formally dened by
t 2 tags(b(x)). We write bj
X
for the projection of a be-
havior b on a set X  X of names (i.e. vars(bj
X
) = X
and 8x 2 X; bj
X
(x) = b(x)) and b
=X
for its comple-
mentary of bj
vars(b)nX
. A process p 2 P = P(B) is a
set of behaviors that have the same domain X (writ-
ten vars(p)). Synchronous composition p jq is dened
by the set of behaviors that extend a behavior b 2 p
by the restriction c
=vars(p)
of a behavior c 2 q if the
projections of b and c on vars(p) \ vars(q) are equal.
p jq =

b [ c




(b; c) 2 p q;
bj
vars(p)\vars(q)
= cj
vars(p)\vars(q)

Scalability is a key concept for engineering systems
and reusing components in a smooth design process. A
formal support for allowing time scalability in design
is given in our model by the so-called stretch-closure
property. The intuition behind this relation is to con-
sider a signal as an elastic with ordered marks on it
(tags). If it is stretched, marks remain in the same
(relative and partial) order but have more space (time)
between each other. The same holds for a set of elas-
tics: a behavior. If elastics are equally stretched, the
partial order between marks is unchanged. Stretching
is a partial-order relation which gives rise to an equiv-
alence relation between behaviors: clock equivalence.
Denition 2 (clock equivalence) Formally, a be-
havior c is a stretching of b, written b  c, i
vars(b) = vars(c) and there exists a bijection f on T
that is strictly monotonic (8tt
0
; t < t
0
, f(t) < f(t
0
)),
increasing (8t; t  f(t)) and satises tags(c(x)) =
f(tags(b(x))) for all x 2 vars(b) and b(x)(t) =
c(x)(f(t)) for all x 2 vars(b) and all t 2 tags(b(x)).
The behaviors b and c are stretch-equivalent, written
b 7 c, i there exists a behavior d s.t. d  b and d  c.
Both relations extend to processes. A process p is
stretch-closed i for all b 2 p, c 7 b ) c 2 p. A non-
empty, stretch-closed process p admits a set of strict
behaviors (a strict behavior is the -minimum of a 7-
equivalence class), written (p)
7
, s.t. (p)
7
 p (for all
b 2 p, there is a unique c 2 (p)
7
s.t. c 7 b).
Distribution To model asynchrony, we consider a
weaker relation which discards synchronization rela-
tions and allows for comparing behaviors w.r.t. the se-
quences of values signals hold. The relaxation relation
allows to individually stretch the signals of a behavior.
Relaxation is a partial-order relation that denes the
ow-equivalence relation.
Denition 3 (ow equivalence) A behavior c is a
relaxation of b, written b v c, i vars(b) = vars(c) and
for all x 2 vars(b), b
jx
 c
jx
. Two behaviors are ow-
equivalent i their signals hold the same values in the
same order. The behaviors b and c are ow-equivalent,
written b  c, i there exists a behavior d s.t. d v b
and d v c.
The -equivalence classes of a process p admit strict
behaviors, written (p)

. We use relaxation to dene
the meaning of asynchronous composition p k q (we
note X = vars(P ), Y = vars(Q) and I = X \ Y ).
p k q =

d




9b 2 p; d
jXnY
7 b
jXnY
; bj
I
v dj
I
9c 2 q; d
jY nX
7 c
jY nX
; cj
I
v dj
I

Denotation of Signal in the model of poly-
chrony The model of polychrony provides a purely
relational denotation of Signal (gure 1), consisting of
the function [[]] that associates a Signal process to the
set of its possible behaviors. Notice that the semantics
of Signal is closed in the structure of polychronous
signals, in that, whenever a process P (network Q)
3
Vhdl
behavioral
description
High-level
SpecC/SystemC
design
Signal captureSignal capture
Polychrony


-


-








6


6
analysis
abstraction
transformation
distribution
code
generation
control
synthesis
verication
simulation
Figure 3. Polychrony for high-level system design
has a behavior b, written b 2 [[P ]], then it admits any
stretching c  b (relaxation c w b) of b, i.e. c 2 [[P ]].
Polychronous design properties The model of
polychronous signals allows to dene formal proper-
ties that are essential for the component-based design
of Gals architectures [13].
Controllability or input-endochrony is a key design
property. A process is input-endochronous i, given
an external (asynchronous) stimulation of its inputs I ,
it reconstructs a unique synchronous behavior (up to
stretch-equivalence). Endochrony denotes the class of
processes that are insensitive to (internal and) external
propagation delays.
Denition 4 (controlability) A process p is en-
dochronous on its input signals I i 8b; c 2 p; (bj
I
)

=
(cj
I
)

) b
7
c.
Flow-equivalence oers the right criterion for check-
ing the renement of a high-level system specica-
tion with distributed communication protocols cor-
rect. For instance, it is considered in [4] for the
renement-based design of the Ltta protocol in Sig-
nal. Flow-invariance is the property that ensures
that the renement of a functional specication p jq
by an asynchronous implementation p k q preserves
ow-equivalence. Formally,
Denition 5 (ow-invariance) p and q are ow-
invariant i, for all b 2 p jq, for all c 2 p k q,
(bj
I
)

= (cj
I
)

implies b  c for I the input signals
of p jq.
In Signal,Gals architectures are modeled as endo-
isochronously communicating endochronous compo-
nents. We say that two endochronous processes p and
q are endo-isochronous i (pj
I
) j(qj
I
) is endochronous
(with I = vars(p) \ vars(q)). Endo-isochrony im-
plies ow-invariance and is directly amenable to static
verication by the Signal compiler using its clock
resolution and control synthesis engine [1]. Auto-
mated techniques of distribution using protocol syn-
thesis techniques are implemented in the Polychrony
platform [2]: endo-isochronous distribution consists of
a causality-aware exchange (duplication) of boolean
clocks among interacting components.
Notice that the properties of controllability and
ow-invariance introduced in [13], considered in the
present study, imply the previously studied properties
of IO-endochrony and isochrony of [3] (a process is IO-
endochronous i 8b; c 2 p; b  c ) b
7
c and two pro-
cesses are isochronous i their synchronous and asyn-
chronous compositions have the same traces). Whereas
IO-endochrony and isochrony allow non-deterministic
(in the aim of modeling distributed reactive systems),
input-endochrony and ow-invariance imply determin-
ism (embedded systems and SoC architectures are the
target).
Hence, controllability and ow-invariance oers pre-
cise, accurate, behavioral-level renement checking
conditions to characterize protocol synthesis, while IO-
endochrony and isochrony state global, process-level,
relation between synchrony and asynchrony.
Capturing high-level design using polychrony
Although system-level design languages such as Sys-
temC, SpecC or System Verilog have been intro-
duced as a way to raise the level of abstraction and
there by handling design correctness at a higher level,
there is not much research literature that can prove re-
nement between abstraction levels to be correctness
preserving. We propose a program analysis-based rep-
resentation of system-level models at various abstrac-
tion levels in Signal, and then apply the analysis on
these Signal models. This will provide us with a tech-
nique to formally establish correctness of renements
of higher level representation of designs to lower level
implementation.
4
behavior ones(in unsigned int data, out unsigned int ocount,
in event istart, out event idone) f
void main (void) f
unsigned int idata, icount;
while (1) f wait(istart);
idata = data; icount = 0;
while (idata != 0) f icount += data & 1;
idata >>= 1;
g
ocount = icount;
notify(idone); ggg;
behavior even(in unsigned int In, out unsigned int Out,
in event Start, out event Done, . . . ) f
void main(void) f
while (1) f wait(Start);
data = In;
notify(istart);
wait(idone);
Out = ocount & 1;
notify(Done); ggg;
Figure 4. Specification-level design of the Epc in SpecC
In this paper, we do not discuss the compilation of
these system level languages in Signal, because for
compilation, we need to x the semantics of the lan-
guage, which is not properly done yet. However, that is
a part of our on going eort. However, here we assume
a semantics, and manually translate the SpecC code
into Signal code, and apply our methodology.
In the polychronous design paradigm, one can give
a functional-level specication of a system in terms of
relations and partially-ordered clocks. A renement, at
the architecture-level, consists of isolating the master-
clock of components and of integrating them within
multi-clocked architectures, while preserving the func-
tional properties of the original design, thanks to the
formal verication of ow-invariance. The main ben-
et of considering the model of polychronous signals
for high-level C-like design languages lies in the for-
mal semantics backbone/platform it provides, on which
verication and optimization techniques can then be
plugged in.
Our approach to applying the Polychrony model
to high-level Gals architectures modeling in C-like de-
sign languages (gure 3) consists of automatically syn-
thesizing or capturing the behavioral abstraction or
model of a SpecC design as a Signal process. Other
formalisms, such as interface automata or algebra could
be used. What matters is to choose a formalism in
which deciding properties about models (equivalence,
bisimulation, etc) is decidable.
4 A case study: the even parity checker
The polychronous model of the Signal de-
sign language oers formal support for the cap-
ture of behavioral abstractions for both very high-
level system descriptions (e.g. SystemC/SpecC) and
behavioral-level Ip components (e.g. Vhdl). Its plat-
form, Polychrony, provides formal methods for
a rapid, renement-based, integration and a formal
conformance-checking of Gals hardware/software ar-
chitectures. We focus on a case study that illustrates
our methodology by showing how the specication of
the Epc in SpecC can be rened toward a Gals im-
plementation with the help of the tool Polychrony,
showing in what respects and at which critical design
stages formal methods matter for engineering such ar-
chitectures. The Epc consists of three functional units
(gure 5): an IO interface process, an even test process
and a main ones counting process (gray elements are
SpecC-specic).
ones even
IO

-

-
data
ocount
In
Out
istart

idone
-
start

done
-
Figure 5. Functional architecture of the Epc
Specication-level design in SpecC The behavior
ones in SpecC (gure 4) determines the parity of an
input data received along data. Upon receipt of the
start notication, it repeatedly shifts the data until it is
0ed. The output count icount is sent along ocount and
done notied. The behavior even performs the mirror
notications and outputs the nal parity check along
the Out.
Synchronization mechanisms between threads can
easily be modeled in Signal. Suppose we have N ele-
mentary threads (i.e. critical sections) communicating
via locks. Let us identify each of them by a symbolic
datum. A notication consists of setting a lock to true
upon request of the notier. A waiting process checks
whether the lock has been notied at the previous in-
5
process ones = (? integer data; event tick
! integer Out; boolean istart, idone)
(j c ::= waitfistartg(tick)
j idata := (data default rshift (pre InitData idata)) when c
j icount := ((pre 0 icount) + xand(idata, 1)) when c
j ocount := icount when idata=0 when c
default pre 0 ocount when tick
j notifyfidoneg(when c when idata=0)
j) where integer idata, icount; event c ;
process even = (? integer In, ocount; event tick ! boolean Out,
data; boolean start, istart, done, idone)
(j c1 ::= waitfstartg(tick)
j data := In when c1 default pre InitData data when tick
j notifyfistartg(when c1)
j c2 ::= waitfidoneg(tick)
j Out := xand (ocount when c2, 1)=1
j notifyfdoneg(when c2)
j) where event c1, c2 end;
Figure 6. Corresponding model of the specification-layer in Signal
stant and is available at its own request. If so, the
event acquired is present and the lock becomes false.
The model of wait/notify makes use of partial equa-
tions. In Signal, a partial equation x ::= f(y)when c
partially denes x by f(y) at the clock c. Composed
to x ::= f(z)when d, it is equivalent to the equation
x := f(y)when c default f(z) when d i the exclusion of
the clocks c and d, denoted by the constraint c^# d,
can be checked satisable by the clock resolution en-
gine of the compiler (meaning that the assignment to
x is deterministic). We note x := ffcg(y) for a call
to a Signal process of module f that takes the static
parameters c.
process notify=fboolean lockg( ? event request ! )
(j lock ::= true when request j);
process wait =fboolean lockg( ? event request ! event ack)
(j ack ::= when request when pre false lock
j lock ::= false when ack j);
A systematic translation of a specication-level be-
havior in Signal (for instance that of the thread
ones, gure 6) consists, rst, of decomposing the syn-
tactic structure of the SpecC program into an interme-
diate representation that renders the imperative struc-
ture of the original program together with its most
characteristic features (use of locks, interrupts, etc).
In this structure, each thread consists of a sequence of
blocks (critical sections) delimited by wait and notify
synchronization statements.
A related work, reported in [16], consists of a Poly-
chrony plugin which translates multi-threaded real-
time Java programs in Signal. In this tool, the Jvm
real-time runtime system is modeled using the Ar-
inc library of Signal [9]. This library gives a generic
model of real-time operating systems Apis in Signal.
The translator allows for entirely modeling the behav-
ior of a multi-threaded real-time Java component and
to reuse and recongure its package of real-time thread
classes according to a given target architecture.
Within such blocks, basic control structures are then
encoded. A method call or a basic operation, e.g.
x = y + 1 with y declared as int y = n, is encoded by
an equation, e.g. either x = pre n y+1when c (when y
references a value computed during the previous tran-
sition in this block) or x = y+1when c (if it has already
been computed in the same transition), conditioned by
an activation clock c. A conditional statement, e.g.
if x thenP elseQ, is encoded by constraining the clock
of P by x and that of Q by notx. While loops are
encoded by over-sampling. Interrupts are rendered by
events. An interrupt conditions the activation clock of
subsequent equations in the control ow graph; if it es-
capes the scope of the method in which it is raised, it
becomes an output signal of the process that encodes
the method in order to propagate in the context of use
of that method.
In the specication-layer of the behavior ones, there
is only one critical section, delimited by a wait and a
notify. It is encoded much like the polychronous spec-
ication of the previous section, with the noticeable
addition of the wait-notify protocol and the simulation
scheduling tick. The process is activated when it ob-
tains the lock on istart. Then, at its own rate (now
conditioned by the clock c), it determines the count.
When it is nished, it sends the notication.
A polychronous model of the EPC By contrast,
the polychronous design-layer of Signal could start at
a much higher design abstraction-level, without making
any implicit (simulation) architecture choices. By con-
trast, at the SpecC specication-level, the system is
already distributed into a set of behaviors (i.e. threads)
which interact via shared variables and wait and notify
synchronization mechanisms.
At the polychronous design layer of the Epc in Sig-
nal, we put these implementation details o until later
renement stages and focus on its most characteristic
threads, ones and even (gure 7). The process ones con-
sists of an iterative computation of the parity, imple-
mented using over-sampling: a local signal idata, reset
upon receipt of an inputdata, is iteratively scanned to
count the number of bits set to 1 (signal icount). When
6
constant integer InitData = -32768;
process ones= (? integer data ! integer ocount ) % boolean istart, idone %
(j idata := data default rshift (pre InitData idata) % istart ^= data %
j icount := (pre 0 icount) + xand (idata, 1) % idone ^= ocount %
j ocount := icount when idata=0
j) where integer idata, icount end;
process even= (? integer In, ocount ! boolean Out, data ) % boolean start, istart, done, idone %
(j data := In % istart ^= In ^= start %
j Out := (xand (ocount, 1) = 1) % ocount ^= done ^= idone %
j);
function rshift= ( ? i1 ! i2 ) spec (j i1 ^= i2 j) pragmas C CODE "&i2 = &i1 >> 1"end pragmas;
function xand= ( ? i1, i2 ! i3 ) spec (j i1 ^= i2 ^= i3 j)pragmas C CODE "&i3=&i1 & &i2" end pragmas;
Figure 7. Polychronous model of the Epc-core
nished (i.e. when idata is 0), icount is returned along
the output signal ocount. Auxiliary notication signals
of the original SpecC specication of the Epc, (e.g.
start, done), appear behind comments as they are not
necessary at this level of specication. Notice that the
process ones is endochronous. The consumer process
even simply reads the count sent along the ocount sig-
nal and checks whether it is even. The functions rshift
and xand are available from an external C library. They
are embedded in Signal using interface specications.
Validation of the polychrony-to-specication
design renement Checking that the specication-
level design of the Epc is a correct renement of the
polychronous Signal specication amounts to check-
ing that these two designs are ow-invariant to the in-
troduction of the wait-notify protocol (gure 8, a box
stands for a register).
ones even

-

-
data
ocount
istart
idone
+
ones even
wait
notify
 
- -

-

-
data
ocount
istart
idone
Figure 8. Refinement of the polychronous
model by the specification model
The validation of this design renement amounts to
proving that, for all behaviors b and c of the poly-
chronous and specication layers of the Epc, noted
P
ones
and S
ones
, ow equivalence of the input signal
In, i.e. bj
In
 cj
In
implies ow equivalence of the signal
Out, i.e. bj
Out
 cj
Out
.
(1) : 8b 2 [[P
ones
]]; 8c 2 [[S
ones
]]; bj
In
 cj
In
) bj
Out
 cj
Out
However, the polychronous model of the Epc only dif-
fers from the specication layer by the introduction
of a wait-notify protocol, which implements a generic
synchronization scheme P of the polychronous model.
The matching pattern S of the protocol in the speci-
cation layer consists of the insertion of delays in the
transmission of data due to the wait-notify toggle.
P  (data^ = start j idata := data j start^ = In j data := In)
S 

c ::= waitfstartg(clock)
j idata := data when c

j

notifyfstartg(clock)
j data := In default pre InitData data when clock

Hence, proving equation (1) reduces to showing that
the renement of the polychronous synchronization
scheme P by the wait-notify synchronization protocol
S preserves ow-equivalence, as specied by equation
(2). Indeed, notice that (2) implies (1).
(2) : 8b 2 [[P ]]; 8c 2 [[S]]; bj
In
 cj
In
) bj
idata
 cj
idata
In a similar manner as for loosely time-triggered archi-
tectures, studied in [4], this property is amenable to
symbolic model checking using the tool Sigali [15].
Verication is implemented by specifying the corre-
sponding property in Signal (gure 10), simulating
the input In and idata using, e.g. booleans (providing
the corresponding implementations of the parameters
xand, rshift and InitData) and by calculating that its
output (the invariant) never becomes false. A buer
is used to avoid altering synchronizing signals between
the models P and S. Flow-invariance modulo buer
implies ow-invariance.
Architecture-layer design renement The en-
coding of the even-parity checker demonstrates the
7
channel ChMP() f
unsigned int data; event eReady, eAck;
bool ready = false, ack = false;
void send (unsigned int In) f
data = In;
ready = true;
notify (eReady);
while (!ack) wait (eAck);
ready = false;
notify (eReady);
while (ack) wait (eAck); g
unsigned int recv () f
unsigned int rdata;
while (!ready) wait (eReady);
rdata = data;
ack = true;
notify (eAck);
while (ready) wait (eReady);
ack = false;
notify (eAck);
return rdata; g;
send recv
In
-
ready
-
eReady
-
data
-
ack

eAck

:ready
-
eReady
-
:ack

eAck

rdata-
Figure 9. Implementation of an architecture-level channel in SpecC
process observer = (? boolean i ! boolean invariant)
(j invariant := buer(P(buer(i))) = buer(S(buer(i)))
j) where process buer = ( ? boolean i ! boolean o)
(j o := Current (i) j Alternate (i, o) j)
process Current = (? boolean i ! boolean o)
(j o := (i cell ^o init false) when ^o j)
process Alternate = (? boolean i, o !)
(j i ^= when op
j o ^= when not op
j op := not (pre true op)
j) where boolean op;
end;
clock   
i 1 0 1
start   
o 1 0 1
)
clock      
i 1 0 1
start tt ff tt ff tt ff
o 1 0 1
Figure 10. Refinement-checking observer
capability of Signal to give a polychronous model
of components for specication-level SpecC designs.
This level of abstraction (polychrony) allows for a bet-
ter decoupling of the specication of the system un-
der design from early architecture mapping choices. It
additionally allows for an optimized recombination of
behaviors. For instance, the Signal compiler could
merge the behaviors IO and even using its clock resolu-
tion engine. In comparison, the typical SpecC design-
ow starts with the capture of Ip-blocks represented as
c functions and then does an automatic partitioning
according to an appropriate cost function. After par-
titioning, 2-way handshake protocols (or appropriate
hw-sw protocols) are inserted between the functional
units.
Consider the architecture layer of the Epc (gure 9).
We now have two behaviors, ones and even that com-
municate asynchronously via the ChMP channel. Mod-
eling the architecture-layer renement of the Epc in
Signal consists of modeling the double handshake pro-
tocol implemented by the methods send and recv of the
ChMP channel, which obey the message sequence de-
picted on the right. The model of send and recv in
Signal (gure 11) is obtained in the very same way
as for the behaviors even and ones of the specication
level, except that the ready and ack ags correspond
to state variables (declared at the same lexical level as
send in the ChMP module). By installing the channel
process between producer and consumer, we obtain a
desynchronization of the transmission between the In
and Out processes (in addition to a desynchronization
of locks, obtained in the specication-layer).
process send = (? integer In; event clock ! )
(j c1 := when (event In) when clock
j data ::= In when c1
j ready := true when c1
default false when c2 when not(pre false ack)
default pre false ready when clock
j notifyfeReadyg(c1)
j c2 ::= waitfeAckg(when pre false ack when clock)
j notifyfeReadyg(when c2 when not(pre false ack))
j c3 ::= waitfeAckg(when not(pre false ack) when clock)
j) where event c1, c2, c3 end;
process recv = (? event clock ! integer rdata)
(j c1 ::= waitfeReadyg(when not(pre true ready) when clock)
j rdata ::= pre InitData data when c1 when pre true ready
j ack := true when c1 when pre true ready
default false when c2 when (not pre true ready)
default pre false ack when clock
j notifyfeAckg(when c1 when pre true ready)
j c2 ::= waitfeReadyg(when pre true ready when clock)
j notifyfeAckg(when c2 when (not pre true ready))
j) where event c1, c2 end;
Figure 11. Model of the architecture-level
channels in Signal
Validation of the specication-to-architecture
renement Showing that the renement of the Epc
8
from the specication level S
ones
to the architecture
level A
ones
(gure 12) is correct amounts to checking
ow-invariance between the two designs.
ones even
wait
notify
 
- -

-

-
data
ocount
istart
idone
+
ones even
ChMP
send
recv
wait
notify

-

-

-

-
data
ocount
istart
idone
Figure 12. Refinement of the specification by
an architecture layer
It is amenable to symbolic model checking in Sigali
using the criterion (3) that, in a similar manner as
(1), states the ow-equivalence of the specication and
architecture models S
ones
and A
ones
.
(3) : 8b 2 [[S
ones
]]; 8c 2 [[A
ones
]]; bj
In
 cj
In
) bj
Out
 cj
Out
In the same manner as for the polychrony-to-
specication renement, proving (3) reduces to show-
ing that the desynchronization protocol introduced by
the channel module ChMP preserves ow equivalence
between the original specication layer and the nal
architecture layer. This amounts to showing that the
specication model S is ow-equivalent to the process
A in the architecture model.
S(data := (Inwhen c default pre InitDatadata)when clock)
A(data := recv(clock) j send(In; clock))
Showing that A is ow-equivalent to S is amenable
to symbolic model checking by specifying the property
(4) in Signal (simulating the input In and output data
using booleans). The tool Sigali allows to prove that
the corresponding invariant never becomes false. No-
tice again that (4) implies (3).
(4) : 8b 2 [[S]]; 8c 2 [[A]]; bj
In
 cj
In
) bj
data
 cj
data
Communication-layer design renement The
communication layer of the Epc (gure 13) consists
of a data-type renement of the ChMP channel and of
the implementation of the ChMP as a bus. It consists
of the decomposition of the methods send and receive
into sub-processes, allowing for the isolation of the bus
read and write methods.
channel cBus() implements iBus f
unsigned bit[31:0] data; cSignal ready, ack;
void write(unsigned bit[31:0] wdata) f
ready.assign(1);
data = wdata;
ack.waitval(1);
ready.assign(0);
ack.waitval(0); g
unsigned bit[31:0] read() f
unsigned bit[31:0] rdata;
ready.waitval(1);
rdata = data;
ack.assign(1);
ready.waitval(0);
ack.assign(0);
return data; g
Figure 13. Communication-level bus in SpecC
Showing this renement correct (gure 14) reduces
to proving that the model of the channel's ChMPmeth-
ods send and recv are ow-equivalent to the methods
read and write of the bus model. The control struc-
ture of the bus model in Signal is identical to that
of the channel, except for the implementation of the
input/output integer signals as bit-vectors.
ones even
ChMP
send
recv
wait
notify

-

-

-

-
data
ocount
istart
idone
+
ones even
cBus
write
read
wait
notify

-

-

-

-
data
ocount
istart
idone
Figure 14. Refinement of an architecture-level
channel by a communication-level bus
Rtl-layer design renement The Rtl layer of the
Epc (gure 15) consists of the introduction of a mas-
ter clock clk and of a reset signal rst together with the
conversion of the Epc communication-layer specica-
tion into nite-state machine code. This translation
closely corresponds the Signal's encoding of the Epc
into blocks (critical sections).
In Signal, this renement (gure 16) corresponds
to an implementation-clock accurate, endochronous,
9
behavior ones(in event clk, in unsignedbit[0:0] rst, in unsigned bit[31:0] inport, out unsignedbit[31:0] outport,. . . ) f
void main(void) f
unsigned bit[31:0] data, ocount;
enum state fS0, S1, S2, S3g state = S0;
while (1) f
wait(clk);
if (rst == 1b) state = S0;
switch (state) f
case S0: done = 0b;
ack istart = 0b;
if (start == 1b) state=S1 else state=S0;
break;
case S1: ack istart = 1b;
data = inport;
.
.
.
ocount = 0;
state = S2;
break;
case S2: ocount = ocount + data & 1;
data = data >> 1;
if (data == 0) state=S3 else state=S2;
break;
case S3: outport=ocount;
done = 1b;
if (ack idone == 1b) state=S0 else state=S3;
break; gggg;
Figure 15. Rtl-level implementation of the Epc-core in SpecC
model of the Epc. The Rtl model can be regarded as
a temporal renement of the Signal model, in which
the master clock is stretched in such a way as to al-
low for a single sentence of the SpecC design to be
simulated at a time.
Toward an integration platform In the aim of au-
tomating the above process within a versatile compo-
nent integration platform, the use of Polychrony as a
renement-checking tool provides the required support
by using controller synthesis techniques [14]. Whereas
model-checking consists of proving a property correct
w.r.t. the specication of a system, control synthesis
consists of using this property as a control objective
and to automatically generate a coercive process that
wraps the initial specication so as to guarantee that
the objective is an invariant. To this end, we aim at us-
ing Polychrony as a semantic platform for the Sys-
temC design tool Balboa [17, 8], by using Signal as
an internal representation of behavioral type descrip-
tions for SystemC components, allowing for a correct
by construction component-based design of high-level,
system-on-chip SystemC designs, and the systematic
synthesis of interface protocols between components.
5 Related works
The (multi-clocked) notion of ow-equivalence
relates to the (single-clocked) notion of latency-
equivalence of Carloni et al. [6]. Two signals are
latency-equivalent i they present the same values in
the same order. Flow-invariance casts the property of
ow-equivalence to the general context of design rene-
ment checking, whereas Carloni et al. concentrate with
latency-equivalence on the correct-by-construction as-
sembly of existing IPs with pre-dened elementary pro-
tocol bricks.
Synchronous programming being a computational
model which is popular in hardware design, and
desynchronization being a technique to convert that
computational model into a more general, globally
asynchronous and locally synchronous computational
model, suitable for system-on-chip design, one may
naturally consider investigating further the links be-
tween these two models understood as Ptolemy do-
mains [18] and study the renement-based design of
GALS architectures starting from polychronous speci-
cations captured from heterogeneous elementary com-
ponents.
6 Conclusion
We have put a polychronous design model to work
for the renement of a high-level even-parity checker in
SpecC from the early stages of its functional specica-
tion to the late stages of its hardware/software Gals
implementation. We have demonstrated the eective-
ness of this approach by showing in what respects and
at which critical design renement stages formal veri-
cation and validation support was needed, highlighting
the benets of using the tool Polychrony in that de-
sign chain. The novelty of integrating Polychrony
in a high-level design tool-chain lies in the formal sup-
port oered by the former to automate critical and
complex design verication and validation stages yield-
ing a correct-by-construction system design and rene-
ment in the latter. Polychronous design allows for
an early requirements capture and fora compositional
and formally-checked transformational renements, au-
tomating the most diÆcult design steps toward imple-
mentation using eÆcient clock resolution and synthesis
10
ones even
cBus
write
read
wait
notify

-

-

-

-
data
ocount
istart
idone
)
m
S
0



-
m
S
1
-
m
S
3
?
 


m
S
2
6
 


m
S
0



-
m
S
1
-


-
m
S
3
?
 


m
S
2
6
 


cBus
write
read
wait
notify

-

-

-

-
data
ocount
istart
idone
Figure 16. Refinement of the communication-level design by an Rtl-level design
techniques, implemented in the Signal compiler.
References
[1] Amagbegnon, T. P., Besnard, L., Le Guer-
nic, P. \Implementation of the data-ow syn-
chronous language Signal". In Conference on
Programming Language Design and Implementa-
tion. ACM Press, 1995.
[2] Aubry, P. \Mises en oeuvre distribues de pro-
grammes synchrones" These de l'Universite de
Rennes 1. October 1997.
[3] Benveniste, A., Caillaud B., and Le Guer-
nic, P. \Compositionality in dataow syn-
chronous languages: specication and distributed
code generation". In Information and Computa-
tion, v. 163, pp. 125-171. Academic Press, 2000.
[4] Benveniste, A., Caspi, P., Le Guernic, P.,
Marchand, H., Talpin, J.-P., Tripakis, S. \A
protocol for loosely time-triggered architectures".
In Embedded Software Conference. Springer Ver-
lag, October 2002.
[5] Berry, G., Gonthier, G. \The Esterel syn-
chronous programming language: design, seman-
tics, implementation". In Science of Computer
Programming, v. 19, 1992.
[6] Carloni, L. P., McMillan, K. L.,
Sangiovanni-Vincentelli, A. L. \Latency-
Insensitive Protocols". In Proceedings of the 11th.
International Conference on Computer-Aided
Verication. Lecture notes in computer science v.
1633. Springer Verlag, July 1999.
[7] G. De Micheli, E. Ernst, and W. Wolf
"Readings in Hardware/Software Co-Design".
Morgan Kaufmann, 2001.
[8] F. Doucet, M. Otsuka, R. Gupta and S.
Shukla "EÆcient System Level Co-Design En-
vironment using Split Level Programming". Tech-
nical Report 01-34. UC Irvine, June 2001.
[9] Gamati

e, A., Gautier, T.Modeling of modular
avionics architectures using the synchronous lan-
guage. In proceedings of the 14th. Euromicro Con-
ference on Real-Time Systems, work-in-progress
session. Ieee Press, 2002.
[10] P. Garg, S. Shukla, R. Gupta "EÆcient Us-
age of Concurrency Models in an Object Ori-
ented Co-Design Framework". In Design Automa-
tion and Test in Europe. Ieee Press, 2001.
[11] D. Gajski, F. Vahid, S. Narayan, and J.
Gong. "Specication and Design of Embedded
Systems". Prentice Hall, 1994.
[12] Lee, E. A., Sangiovanni-Vincentelli, A. \A
framework for comparing models of computation".
In Ieee transactions on computer-aided design, v.
17, n. 12. Ieee Press, December 1998.
[13] Le Guernic, P., Talpin, J.-P., Le Lann, J.-L.
Polychrony for system design. In Journal of Cir-
cuits, Systems and Computers. Special Issue on
Application Specic Hardware Design. World Sci-
entic, 2002.
[14] Marchand, H., Bournai, P., Le Borgne, M.,
Le Guernic, P. Synthesis of Discrete-Event Con-
trollers based on the Signal Environment. In Dis-
crete Event Dynamic System: Theory and Appli-
cations, v. 10(4), pp. 325{346, 2000.
[15] H. Marchand, E. Rutten, M. Le Borgne,
M. Samaan. Formal Verication of Signal pro-
grams: Application to a Power Transformer Sta-
tion Controller. Science of Computer Program-
ming, v. 41(1), pp. 85{104, 2001.
[16] Talpin, J.-P., Le Dez, B., Gamati, A., Le
Guernic, P., Berner, D. Component-based
engineering of real-time JAVA applications on a
polychronous design platform. In Submitted for
publication. Available as Inria research report n.
4744, February 2003.
[17] F. Doucet, M. Otsuka, S. Shukla, and R.
Gupta. An environment for dynamic component
composition for eÆcient co-design. In Design Au-
tomation and Test in Europe. Ieee Press, 2002.
[18] E. A. Lee. Overview of the Ptolemy project.
Technical Memorandum M01/11. UC Berkeley,
2001.
[19] SpecC. http://www.specc.org, 2003.
[20] SystemC. http://www.systemc.org, 2003.
11
