Abstract This paper investigates how state diagrams can be best represented in the polychronous model of computation (MoC) and proposes to use this model for code validation of behavior specifications in architecture analysis & design language (AADL). In this relational MoC, the basic objects are signals, which are related through dataflow equations. Signals are associated with logical clocks, which provide the capability to describe systems in which components obey multiple clock rates. We propose a model of finite-state automata, called polychronous automata, which is based on clock relationships. A specificity of this model is that an automaton is submitted to clock constraints, which allows one to specify a wide range of control-related configurations, being either reactive or restrictive with respect to their control environment. A semantic model is defined for these polychronous automata, which relies on boolean algebra of clocks. Based on a previously defined modeling method for AADL software architectures using the polychronous MoC, the proposed model is used as a formal model for the AADL behavior annex. This is illustrated with a case study involving an adaptive cruise control system.
Introduction
The design of embedded systems, and more specifically critical systems, requires the satisfaction of strong, various, and heterogeneous constraints such as safety, determinism of embedded programs, threaded or distributed implementation, scheduling in a specific or non-specific OS, among others. One way to help designers is to provide them with friendly usable tools supported by strong mathematical semantics. These formal models and methods allow designers to ensure the correctness of components used and/or to define them at each level of the design. The polychronous model of computation [1] is such a formal model. Historically related to the synchronous programming paradigm [2] (Esterel [3] , and Lustre [4] ), the polychronous model of computation implemented in the dataflow language called Signal [5, 6] and its environment Polychrony 1) , stands apart because of its capability to model multi-clocked systems. The synchronous paradigm consists of abstracting the non-functional implementation details of a system and allows one to benefit from a focused reasoning process on the logics behind the instants at which the system functionalities should be secured. The fundamental notion of polychrony is the capability to describe systems in which components obey multiple clock rates. In particular, the Signal language allows the opportunity to seamlessly model embedded systems at multiple levels of abstraction while reasoning within a simple and for- 1) The toolset can be downloaded freely on the official website of Polychrony at Inria mally defined mathematical model. A design approach that may be advocated is to allow for a seamless inter-operation of heterogeneous programming viewpoints within the same host model of computation, which is the polychronous model. A typical case study from Airbus, for instance, was based on the co-modeling of the door management system of the A350 [7] . In this case study, door functionalities were modeled with synchronous Simulink 2) and a system-level model of the hardware was specified in architecture analysis & design language (AADL) [8] . The Polychrony toolbox was then used to interpret the computations and communications specified in both models to synthesize schedulers for sequential and distributed simulation. The experiment was successful, and demonstrated that the polychronous model, through its supportive language Signal, may be used as an effective common semantic model for representing or interfacing heterogeneous models. However, Signal is based on a dataflow oriented notation, thus there is sometimes some separation between an actual specification which may use for instance, state oriented descriptions, and its semantic encoding as systems of equations. This may cause some practical difficulties, in particular when traceability is a requirement, as is the case in most systems.
In this paper, first, we investigate the manner in which state diagrams can be best represented in the polychronous model of computation while maintaining the multi-clock characteristic property of the representation. We propose a model of automata, called polychronous automata, which is based on clock (or event) relationships, and allows one to specify a wide range of control-related configurations, more or less permissive (or, dually, more or less restrictive). A semantic model is defined for these polychronous automata that relies on the boolean algebra of clocks, and permits manipulation of these automata without having to necessarily translate them into dataflow equations. In previous works [9, 10] , with the aim of virtually prototyping embedded architectures, we defined a compositional semantic translation of AADL specifications into the polychronous model. We now refine this modeling by considering a polychronous automata model as a formal model for the AADL behavior annex.
Our work is motivated by practical reasons such as effective combination of heterogeneous programming notations (including dataflow and automata), and formal validation and virtual prototyping of timed software architectures. Our purpose is not to simply propose another extension of an existing programming language. Instead, we focus on the definition of a specific model of automata adapted to the polychronous model of computation, to be adopted as a common semantic model. Such automata have to relate events by expressing and specifying clock relationships (or clock constraints) among these events. For the definition of polychronous automata, the Signal language is used as syntactic support to express clock equations. Simple examples such as alternating events are used in the first sections of this paper, as they are sufficient to illustrate the basics of the model.
In the next section, we first consider some related work, concerning both the introduction of models of automata in synchronous languages, and the use of formal models to represent and validate AADL models. In Section 3, we review the main operators of the Signal language and their semantics. Then in Section 4 we define the boolean control algebra which is used to manipulate clock formulas. In Section 5,  we describe the refinement of polychronous programs as automata. In Section 6, we highlight different forms of polychronous automata described as equations on signals. Relying on these requirements in terms of expressivity, we define our model of automata in Section 7. Then, the principles of the semantic translation of AADL in the polychronous model are presented in Section 8. A concrete AADL case study, including behavior specifications as automata, is detailed in Section 8 to illustrate the formal validation of this modeling framework. Conclusions and future work are discussed in Section 10.
Related work
Automata were introduced several years ago in dataflow synchronous languages and are used every day in production tools such as SCADE [11] . More generally, there have been many attempts to combine heterogeneous programming models. A major problem addressed in Ptolemy is the use of heterogeneous mixtures of models of computation [12] . Socalled modal models in particular are hierarchical models where the top level model comprises a finite-state machine, the states of which are refined into other models, possibly from different domains [13] . In our approach, heterogeneous designs are expressed in terms of common semantics, represented by the polychronous model of computation. In the software system Matlab/Simulink, which is largely accepted in the industry, the Stateflow notation [14] is used to describe modes in event-driven and continuous systems.
Mode-automata [15] were originally proposed to apply the 2) Refer to the MathWorks website advantages of declarative and imperative approaches to synchronous programming and to extend the functional dataflow paradigm of Lustre with the capability to model transition systems. Mode-automata have been combined with stream functions in Lucid Synchrone [16] . Related forms of hierarchical state machines include Statecharts [17] and their variants, including UML state machines [18] , SyncCharts [19] , associated in particular with Esterel and, more recently, SCCharts [20] , based on an improved definition of (sequential) constructivity [21] . DDFCharts [22] , which compose finitestate machines and synchronous dataflow graphs, have multiple clocks; transitions can be driven by different clocks and the instants at which clocks synchronize are considered rendezvous communications.
Our approach may be distinguished from others by its capability to model multi-clocked systems and to express clock relationships through the automata. A first attempt was made a few years ago to define polychronous mode automata [23] , but compared to our current proposal, it did not allow manipulation of automata as specific objects that can be used, for instance, to specify the dynamic properties of events. In this spirit, our approach, that is based on constraint specifications relating the occurrence of events, is similar to that taken by Lutin [24] , but with a different purpose. In Lutin, statements describe sequences of non-deterministic atomic reactions expressing constraints on input/output values. The method is used mainly for test sequence specification and generation. In our proposal, constraints relate values and clocks of signals.
Concerning the second contribution of this article, i.e., the use of a formal model (in our case, polychronous automata) to represent and validate AADL behavior specifications, there have been many related works that have contributed to the formal specification, analysis, and verification of AADL models and its annexes. We limit ourselves to mentioning here the works which appear to be closest to our approach. In particular, RAMSES [25] presents the implementation of the AADL behavior annex. The behavior annex supports the specification of automata and sequences of actions to model the behavior of AADL programs and threads. Its implementation (OSATE) proceeds by model refinement and can be plugged in to Eclipse-compliant backend tools for analysis or verification. For instance, the RAMSES tool uses OSATE to generate C code for OSs complying with the ARINC-653 standard.
Synchronous modeling is central in [26] , which presents a formal real-time rewriting logic semantics method for a behavioral subset of the AADL. This semantics rewriting can be directly executed in Real-Time Maude and provides a synchronous AADL simulator (as well as LTL model-checking). It is implemented by the tool AADL2MAUDE using OSATE.
Similarly, Yang et al. [27] define a formal semantics for an implicitly synchronous subset of the AADL, which includes periodic threads and data port communications. Its operational semantics is formalized as a timed transition system. This framework is used to prove semantics preservation through transformations from AADL models to the target verification formalism of a timed abstract state machine (TASM).
With respect to the related works mentioned here, we also annex the core AADL and its behavior annex with formal semantic frameworks to express executable behaviors and temporal properties, but we endeavor to structure and use them together within the framework of a more expressive multi-clocked synchronous model. Polychrony allows us to gain abstraction from the direct specification of executable, synchronous operations in the AADL, yet offers services to automate the synthesis of such locally synchronous, executable specification with global asynchrony, when or wherever needed.
The Signal language
We first introduce the Signal language and its semantics, before formalizing its boolean control algebra, which is the basis for clock calculus. Signal is a declarative language expressed within the polychronous model of computation. The reader is referred to the bibliography of the Signal language for a detailed description (for instance [28] for an overview, or [5, 29] for detailed syntax and semantics).
A Signal process defines a set of (partially) synchronized signals as the composition of equations. A signal x is a finite ((∃n ∈ N)(x = (x t ) t∈N,t n ) or infinite (x = (x t ) t∈N ) sequence of typed values in the data domain D x ; the indices in the sequence represent logical discrete time instants. At each instant t, a signal is either present and holds a value v in D x , is absent and virtually holds an extra value denoted ⊥, or is completed and never holds any actual or virtual value for all instants s such that t s. The set of instants at which a signal x is present is represented by its clockx. Two signals are synchronous if and only if (iff) they have the same clock. Clock constraints result from implicit constraints over signals and explicit constraints over clocks.
The semantics of the full language is deduced from the semantics of a core language and from the Signal definition of the extended features. A Signal process is either an equation
where f is a function, the composition P|Q of two processes P and Q, or the binding P/x of the signal variable x to the process P. In this section, we provide a description of its function using dataflow models. Signal functions. A Signal function is an n-ary (with n > 0) function f that is total, strict, and continuous over domains [30] (w.r.t. prefix order) and that satisfies:
Stepwise extension. Given n > 0 and an n-ary total function f : D 1 ×· · ·×D n → D n+1 , the stepwise extension of f (e.g., =, and, +, etc.) denoted as F, is the synchronous function that satisfies:
The Process. An equation is a pair (x, E) denoted as x := E. An equation x := E associates the variable x with the sequence resulting from the evaluation of the Signal function f denoted by E (defined as a composition of functions). If
is the set of free variables in E, the equation x := E denotes a process on A, i.e., a set of behaviors on A ∪ {x}; a process is closed by stretch-equivalence (owing to the stretching rule).
The parallel composition of equations defines a process by a network of strict continuous functions connected by signal names. Composition of processes is associative, commutative, and idempotent. When it satisfies the Kahn conditions (no cycle, single assignment. . . ), it is a strict continuous function or Kahn Process Network (KPN) [31] , defined by the least upper bound satisfying the equations. It further satisfies the termination and stretching properties (it is closed for the stretching relationship). It may or may not be synchronous. In the semantics of Signal [1] , a process is the set of infinite behaviors accepted by the above "KPN semantics".
A process with feedback or local variables may be not time-deterministic. The semantics of a non-deterministic process can be defined using Plotkin's power-domain construction [32] . The input-free equation x := x $ init 0 is a typical example of a not timely deterministic process: x holds a sequence of constant values 0 separated by an undetermined number of silent transitions, characterized by an occurrence of ⊥.
An example of a non-deterministic process is the equation x ::= E that defines x to be equal to E when E is present, and undefined when E is ⊥ (partial definition). This equation is a shortcut for x := E default x. A signal x can be constructively defined by several equations x ::= E1, . . . , x ::= En in a process, provided that for every pair of equations x ::= Ei, x ::= Ej, when Ei and Ej are both present, they hold the same value. If E1, . . . , En do not recursively refer to x and if they both denote functions, then (x ::= E1|...|x ::= En) is a deterministic process.
Partial definitions are very useful in automata, where the function that computes the value of a signal often depends on the current state. The states being exclusive, the consistency property is satisfied. Partial definitions are also used to define state variables, the elements of which are present as frequently as necessary. When such a state variable is not explicitly defined, it retains its previous value.
Derived operators. The following notations (which are derived operators) are used to manipulate clocks, represented as signals of type event, always true iff present.
• null clockˆ0 (never present)
• signal clockˆx, defined by x = x (present, and true, when x is present)
, defined bŷ b when b (present, and true, when b is present and is true)
• intersection x1ˆ* x2, defined byˆx1 when x2
• union x1ˆ+ x2, defined byˆx1 default x2
• synchronization x1ˆ= x2, defined as (c := (ˆx1 =ˆx2))/c Note that, in the syntax, the hat notation appears just before the symbol or variable and applies to: for instance, "ˆ*" is a syntactic representation of " * " (see below).
A synchronized memory y := x cell c init x0 is defined by the composition of y := x default (y $ init x0) and yˆ= xˆ+ [c] . It defines y with the most recent value of x when x is present or when c is present and true. Finally, the Signal term ll :: P associates the label ll with the process P; a label ll is a signal of type event. Its clock is the tick of the labeled process, P (i.e., the upper bound of all the clocks in P).
Boolean control algebra
We define the syntax and set the axioms of the boolean control algebra taking into account the state variables used to represent states of the automata. • * ,+ designate meet (infimum) and join (supremum), respectively;
• 0, 1 V are the minimum and maximum, respectively.
The set of control boolean formulas F V,S is the smallest set that satisfies:
Parentheses and infix notations can be used in the formulas.
The formula x designates the clock of a variable x, and x designates the clock at which the variable x is true. The formulas satisfy the boolean axioms: (F V,S , * ,+, ¬, 0, 1 V ) in boolean algebra. The following supplementary axioms are also considered.
• difference f− g = f * ¬g;
• partition ∀x ∈ V ∪ S , x = x+ ¬ x and x * ¬ x = 0;
• exclusion ∀s1, s2 ∈ S , s1 * s2 = 0 or s1 = s2;
The clock of an automaton with a non-empty V is defined by x∈V ( x+ ¬ x) = 1 V , and ∀s ∈ S , s = 1 V . Formulas in the boolean control algebra have normal forms e.g., Shannon disjunctive forms (given an arbitrary total order of variables).
Note that, independently of the state variables which are distinguished here, this boolean control algebra is that of the standard polychronous model of computation. The formal tools based on this control algebra, such as the clock calculus (which builds a clock hierarchy), still apply in the exact manner when automata are considered. In both contexts, timing analysis mainly refers to analyzing clock relationships based on clock hierarchy.
Clock hierarchy. The clock hierarchy of a process is a component of its Data Control Graph (DCG). The DCG consists of a multigraph G and a clock system Σ. Refer to [28] for a more complete description. A clock equation is a class of equivalent clock formulas. The clock system Σ is a forest (set of trees) of clock equations; which is why it is called clock hierarchy. The clock hierarchy is defined by a relationshipˆ (dominates) on the quotient set of signals byˆ= (x and y are in the same class iff they are synchronous). Informally, a class C dominates a class D if the clock of D is computed as a function of boolean signals belonging to C and/or to classes recursively dominated by C. A node n of a tree, which is a clock equation, also contains the list of signals signal(n) whose clock shares this class. A tree represents an endochronous process; it has a fastest rated clock and the status (presence/absence) of all signals is a pure flow function (i.e., this status depends neither on communication delays, nor on computing latencies).
The equational nature of the Signal language is a fundamental characteristic that makes it possible to consider the compilation of programs as an endomorphism in Signal programs. We have mentioned a few properties such as allowing the rewrite of programs with rules such as commutativity and associativity of parallel composition. More generally, until the very final steps of code generation (when code generation is an objective), the compilation process may be considered as a sequence of morphisms allowing rewrite of programs into transformed Signal programs. The final steps (C code generation for instance) are simple morphisms of the transformed Signal programs. These transformation steps to sequential, clustered, or distributed code generation, are described in [28] .
Refinement of processes as automata
So far, contrary to other synchronous languages, including dataflow ones such as Lustre (see for instance [33] ), no explicit representation of automata was directly produced in the compilation of Signal programs, either for code generation purposes, or as input to formal verification tools. In this section, we propose a method for deriving an automaton from a polychronous program, which relies heavily on the concept of the clock.
A given Signal program may be seen as an automaton which contains a single state and a single transition, labeled by a clock. This clock is the upper bound of all the clocks of the program (the tick of the program).
The construction of a refined automaton from a Signal program will be based on delayed signals, viewed as state variables (in particular boolean ones). A state of the automaton is a Signal program with some valuation of its state variables. Transitions are labeled by clocks, which represent the events that activate these transitions. The principle of the construction consists in dividing a given state according to the possible values of a state variable (i.e., true and false for boolean state variables to obtain two states, and thus two new Signal programs. Each one of these two states is obtained using a rewritten version of the starting program. Moreover, the absence of value for the state variable (which can be considered as another possible value) is taken into account in the clocks labeling the transitions. The construction of the automaton is a hierarchic process. Figure 1 illustrates the first step of the construction. Initially, the automaton A has one single state, which is the Signal program P, with one transition, labeled by the tick k of P. The construction begins with the valuation of a first state variable, s, in the program P, respectively with true and false, which produces two new programs, P 1 and P 2 . The new programs are obtained by rewriting the previous one, taking into account the considered valuation. This rewriting generally results in simplifications of the programs. The resulting automaton, A 1 , now contains two states, P 1 and P 2 . The calculus of the transitions consists of computing the clocks of the events that cause a change of state. The transition from P 1 to P 2 occurs when the state variable s, which was true, becomes false, thus the corresponding clock is ¬ s. Conversely, the transition from P 2 to P 1 occurs at the clock s. The transition from P 1 to itself is labeled by the clock k, minus the instants at which there is a transition from P 1 to P 2 (the same reasoning applies to P 2 ). Note that the transitions are not instantaneous. When a clock raising a change of state is present at a given instant, the effective change of state of the automaton takes place at the following instant (with respect to the tick). The construction of the automaton is an iterative process, by successive valuation of its state variables, s 1 , s 2 , etc. For instance, the second step would introduce new states P 11 and P 12 from P 1 by discriminating it according to the value of a second variable s 2 . One could, equivalently, introduce two other states from P 2 . Now, at any refinement step n > 1, one could then potentially define 2 n states by iterating the refinement of all sub-processes P n−1 i , of clocks k n−1 i and indices 0 < i 2 n−1 obtained from step n − 1, by partitioning them according to an n th state variable s n and by repeating the same mechanism (see Fig. 2 ).
This would seem to be an expensive construction, at least in the worst case, as the size of the explicit automaton would be an exponential of its number of state variables. Fortunately, however, all Signal programs have a clock hierarchy, defined from the dominance relationship introduced in Section 4, which is used to represent the control flow of the program in a much more efficient manner (and actually optimal, as hierarchies can be normalized and allow a canonical representation). Concretely, most of the 2 n states are in practice inaccessible, because of dominance (of a state value by a clock). It may further be observed that, when constructing the automaton, the order in which state variables are valuated has an influence on the number of states of the automaton. Our choice is to therefore base this order on the clock hierarchy of the Signal program, using a pre-order depth-first traversal. In this manner, more frequent state variables are evaluated before less frequent ones. Note also that when some state variable is evaluated, the corresponding program is rewritten, using in particular constant propagation. This generally results in many simplifications, as a number of clocks may become null, thus eliminating their corresponding variables.
Automaton description in Signal equations
Of particular interest from the previous example is that in the polychronous framework, the behavior of an automaton may be either reactive, with respect to its environment or context, or restrictive, constrained by clock relationships. In the case of a reactive automaton, events from the environment are free to occur at their own rate. The automaton registers the occurrences of these events and causes its state to evolve according to these occurrences. In the case of a restrictive automaton, the automaton enforces constraints on the events that can occur. Events that are not explicitly allowed in some state are forbidden; this has an effect on the environment, which is in some way controlled by the automaton. This can be illustrated by an automaton alternating two events, a and b. In Fig. 3 , events a and b are constrained to alternate by the clock relationship a * b = 0, which imposes that they cannot occur simultaneously (the intersection of clocks a and b is never present). It should further be assumed that b cannot occur in S 1 and a cannot occur in S 2 . Note that the occurrences of a and b are always controlled (or constrained), and the control is state dependent. A reactive behavior, as in Lustre or Esterel, is different. Events a and b are free to occur at any time. An Esterel or a Lustre program does not "control" the delivery of its input signals. A reactive automaton will observe and record the alternating occurrences of a and b, see Fig. 4 , but it will not enforce them. In Signal, the observer will be implemented using a pair of equations that monitor alternation using a state variable change and stuttering using another variable wait. A resettable Esterel program such as the famous ABRO is an object which lies between constrained and reactive behaviors; it emits an output o immediately after receiving both inputs a and b and is reset when r occurs. So, signal o is controlled, while others are not. The automaton for ABRO is represented in Fig. 5 , where transitions are labeled by Signal clock expressions. In the ABRO program, the inputs a, b, and r are never controlled, and the output o is obviously controlled. However, in Signal, it is worth noting that controlled variables are not limited to output signals.
Explicit structure of polychronous automata
Although it is always possible to represent automata by systems of equations, equations are clearly not always the most natural way to represent them. Moreover, in a model-driven engineering context, it is better suited to explicitly represent user-specified and automatically generated automata to preserve high-level semantic properties as well as the traceability of model transformations. We have hence chosen lightweight syntactic extensions to the Signal language to introduce explicit representations of automata.
We add a new syntactic category of process, called automaton. In such an automaton process, labeled processes represent states, and generic processes such as
Transition are used to represent the automaton features. Standard equations can be used in these automaton processes to specify constraints or to define computations. Then the question arises as to whether these automata should be only a syntactic structure (in such a manner that they would be systematically translated as ordinary equations on signals when compiled), or whether they should be reflected in the polychronous formal model itself. This latter choice has the advantage of allowing formal manipulation of automata (which may or may not be, translated as equations). For instance, it may be the case that a given behavior is best abstracted as an interface automaton than as a system of clock equations, which would require making explicit some hidden boolean variables. It is therefore desirable to define a model of "polychronous automata" that allows a smooth integration within the polychronous model.
A basic statement for the definition of our automata is that state change takes time. This assumption is also made in [15, 16] , and in SCADE 6. Consequently, there is a single state at each logical instant and there is no immediate transition. Such automata should be used to schedule steps, not the actions in a step. This drives toward simplicity and is also suitable for high-level mode modeling in an application. In the polychronous framework, transitions will be labeled by clock (or event) expressions named triggers and a state is implicitly exited on the upper bound of its trigger(s). An automaton is clocked, that is, it is controllable by an external clock (its control clock). There are several possible interpretations of a given automaton; in a permissive view, all non-forbidden events are allowed in states, while in a restrictive one, all non-allowed events are forbidden in states. By default, we adopt the permissive view.
Notations for polychronous automata
To illustrate, let us write a syntactic representation of the automaton in Fig. 6 . This simple automaton has two external events, a and b, and its control clock is, implicitly, the upper bound, aˆ+ b of the clocks of its inputs. The two states, S1 and S2, are designated by labels associated here with empty processes. The statement Never (aˆ* b) represents the constraint of the automaton. This constraint, which must always be respected, can be expressed by a clock formula that is constrained to be null, here, aˆ* bˆ= 0 is expressed as Never (aˆ* b). Such constraints can always be expressed as a conjunction of Never formulas (which can also be specified as a single Never statement with several parameters) or of explicit synchronizations such as Synchro (x, y) (with Synchro (x, y) defined as Never (xˆ-y, yˆ-x)). In this small automaton with two states and two explicit transitions, the initial state is S1. We will demonstrate below that there are also implicit transitions.
First, we define some vocabulary and notations. For a tran-sition T = Transition (S1, S2, h), S1 is the source of T, S2 is the target of T, h is the trigger of T, denoted trigger(T), and a trigger in S1; h is a clock expression that may represent, for instance, a conjunction of events (e.g., aˆ* b represents the conjunction of events a and b). The transition T is enabled at k iff (kˆ* h) is not null and the current state is S1. A step is defined as being an implicit not-exiting reflexive (e.g. stuttering) transition. A step S1
h -S1 is enabled at k iff (kˆ* h) is not null, the current state is S1 and there is no enabled transition. All steps that are not explicitly forbidden are allowed. In the example of Fig. 6 , S1
bˆ-a -S1 and S2 aˆ-b -S2 are steps (they appear as dotted transitions). Steps allow for "stuttering" when there is no enabled transition. For a state S, exiting on (one of the) enabled transitions is mandatory. A formal model of constrained automata, consistent with the polychronous framework, is proposed in the next section.
Formal definition
For an automaton A of signal variables V A and states S A , we denote by F A,S the set of normal form formulas in the boolean control algebra Φ(V A , S A ) (cf. Section 4). • S A is the non-empty finite set of states;
• s 0 is the initial state;
• R A ⊂ S A × S A is the transition relationship;
• V A is the (possibly empty) finite set of signal variables;
• T A : (R A ) → F A,S is the function that assigns a formula to a transition;
• C A is the constraint of A and is a formula in F A,S that is (constrained to be) null (thus a formula f in F A,S is null
Remarks. A transition in T A carries a boolean control formula that represents its trigger. Polychronous automata are subject to clock constraints C A which are expressed by a formula in the boolean control algebra. If C A is 0, then the automaton is constraint-free; if C A is 1 V A (i.e., the supremum of the algebra is constrained to be null), and all formulas are null. The notation 1 A is used to denote the supremum 1 V A .
An automaton with an empty set of transitions is O V = ({s}, s, ∅, V, ∅, 1 V ) , which blocks all occurrences of all variables of V. An automaton with an empty set of variables is I = I ∅ = ({s}, s, ∅, ∅, ∅, 0); it is equal to O ∅ = ({s}, s, ∅, ∅, ∅, 1 ∅ ) .
Example. The automaton in Fig. 6 is defined by A = (S A , s 0 , R A , V A , T A , C A ) with
(a, b are events, and thus ¬ a, ¬ b should be null).
A labeled transition is denoted by "h :
Properties
Now the notions introduced previously can be formalized:
which represents the supremum of the clocks of its variables.
• In h : s 1 R A s 2 , h is the trigger of (s 1 , s 2 ), and it is a trigger in s 1 .
• The trigger of a state s, trigger A (s), is the upper bound of the triggers of (s, * ), where (s, * ) represents all the transitions outgoing from s.
Then it is possible to define the stuttering clock of a state as the clock difference between the control clock of the automaton and the trigger of the state (plus the null clock of the state, C A (s) = s * C A ); the stuttering clock of a state s is τ(s) = 1 A− (C A (s)+ trigger A (s)). Hence the definition of implicit transitions is: when the stuttering clock τ(s) of a state s is not null, there is a silent implicit transition τ(s) : sR A s named a step. The standard properties of automata can be easily extended to polychronous automata:
• A state t is n-reachable in A iff s 0 and t are not null and either
• n = 0 and t = s 0 ,
• n > 0 and t is (n − 1)-reachable in A,
and (∃s (n − 1)-reachable in A) (∃h)(h * s not null)(h : sR A t).
• A state t is reachable in A iff it is |S A |-reachable in A.
• A state s is deterministic if the triggers of its transitions are mutually exclusive: formally, s is deterministic iff (∀((s, s 1 ), (s,
• An automaton is deterministic iff all its reachable states are deterministic.
• An automaton is total (or reactive) iff all its states are total (we observe that if C A is not 0 then A is not reactive).
Polychronous automata algebra
As in synchronous composition, the composition (or synchronous product) of polychronous automata corresponds to the conjunction of the behaviors specified by each automaton.
Definition 3 Let
T B , C B ) be two polychronous automata, then their composition is defined by AB = A|B = (S AB , (s 0 , t 0 ), R AB , V AB , T AB , C AB ), where:
Note that the constraint of the composed automaton (its null formula C AB ) is defined by the clock union of the constraints of the operand automata.
Theorem 1 The composition of polychronous constrained automata has the following properties:
• if A is deterministic, it is idempotent: A|A = A;
• it is commutative;
• it has a neutral element I = ({s}, s, ∅, ∅, ∅, 0);
• it is associative.
Idempotence for deterministic automata can be proved using induction on the n-reachability of states. Associativity can be proved by induction On the n-prefix automata (the states of an n-prefix automaton of an automaton A are the n-reachable states of A). Associativity corresponds to context independence and commutativity to order independence.
Discussion
The added value provided by the formal model of the polychronous automata is to allow for a smooth integration of automata into the polychronous model of computation of the Signal dataflow language. They need not necessarily be translated by systems of equations on signals, although such a translation is, of course, possible. Note that using such a translation, the semantics of polychronous automata reduces to the semantics of standard polychronous programs. Comparable translations have been studied in previous work, such as [16] for example (it is not our purpose here to describe another similar translation). We have defined a parallel composition (synchronous composition) of polychronous automata. A classical extension of finite automata is also that of hierarchical automata, in which states may be non-atomic. Here, this can be handled quite simply in the context of the Signal language. It is not detailed in this article because it does not present new challenges with respect to previous studies.
Just as labels are syntactically associated with states, labels can also be associated with transitions, and these labels can be used as clocks. The label of a transition is an event signal (a clock), which is true (present) when this transition is triggered. Actions associated with an automaton can be expressed as polychronous equations (in our case, in Signal), that are composed with the constraints of the automaton. They may use specific events associated with the automaton, such as labels of transitions, but also other typical events such as entering or exiting a given state, etc. For example, let t1 and t2 be labels associated with two transitions in a given automaton, then the equation o := t1ˆ+ t2 expresses the action of emitting an event o as soon as one of these transitions is triggered.
A further remark can be made on permissive versus restrictive interpretation (recall that permissive is the default). The transformation of a given automaton from a permissive interpretation to a restrictive one is obtained as follows by disabling its steps. Given a (permissive) automaton A, the highlevel operation "strong A" consists of adding the following constraint for every state s in A: (1 A− trigger A (s)) * s = 0. For an event h and a clock S, let us write (in a more readable manner) "h in S" the clock hˆ* [S]. Consider as example the A automaton represented in Fig.  6 . Defining "automaton alternate = strong A" adds to A the constraints (aˆ+b)ˆ-a) in S1ˆ= O and (aˆ+b)ˆ-b) in S2ˆ= O. Applying constraint reduction, we obtain the automaton represented in Fig. 7 . Fig. 7 "alternate" automaton
Polychronous AADL modeling
In previous sections, we have introduced a model of polychronous automata in the polychronous model of computation. This polychronous MoC has been used previously as a semantic model for systems described in the core AADL standard. The core AADL is extended with annexes, such as the behavior annex, which allows more precise specification of architectural behaviors. The translation from AADL specifications into the polychronous model should take into account these behavior specifications, which are based on descriptions of automata. In this section, we first introduce briefly AADL, then we describe the principles of a compositional semantic translation of AADL specifications into the polychronous model, and we discuss a global view of the AADL with respect to the Signal toolchain.
A short introduction to AADL
AADL is a society of automotive engineers (SAE) standard, dedicated to modeling embedded real-time system architectures. It describes the structure of systems as an assembly of software components allocated on execution platform components along with timing constraints.
Architecture. Three families of components are provided in AADL:
• software application components, which include process, thread, thread group, subprogram, and data components;
• execution platform components, which include processor, virtual processor, memory, device, bus, and virtual bus components;
• composite components, which describe systems containing execution platform, application software, or (Fig. 8) . A thread is activated to perform the computation at start time, and has to be finished before a deadline. A complete event is sent at the end of the execution. The received inputs are frozen at a specified point (Input_Time), by default the dispatch time, which means that the content of the port does not change during the execution of a dispatch, even though the sender may send new values. For example, the values 2 and 3 ( Fig. 8) arriving after the first Input_Time will not be processed until the next Input_Time. As a result, the performed computation is not affected by a new input arrival until an explicit request for input is issued. Similarly, the output is made available to other components at a specified point of Output_Time, by default at the complete (resp., deadline) time if the associated port connection is an immediate (resp., delayed) communication.
Fig. 8 Execution time model for an AADL thread
Behavior. The behavior annex provides an extension to the AADL core standard so that complementary behavior specifications can be attached to AADL components. The behavior is described with a state transition system equipped with guards and actions.
AADL modeling
The compositional transformation from AADL to Signal is based on considering the AADL time model in the polychronous model.
AADL time model in Polychrony
The key idea for modeling the computing latency and communication delay in Signal is to preserve the ideal view of instantaneous computations and communications while delegating computing latency and communication delays to specific "memory" processes that introduce delays, and provide well-suited synchronizations to timed signals. 
Input freezing. Let f (x) represent the result of the behavior f of a given in port on its input signal x (e.g., f can be a FIFO to represent queued events or can be an event data port). A port y = f (x) gives the available output y from the currently received input x:
The freezing of x at t, denoted here by x t, is a function that takes an input x, a frozen time event t, and produces a new signal z at time t:
Thread activation. We use th(z 1 , z 2 , . . . ) to represent the original computation of a thread th with frozen inputs z 1 , z 2 , . . . An activation condition start is introduced so that the thread th is activated to perform computation at start. This is denoted as th (z 1 , z 2 , . . . , start), where the inputs z 1 , z 2 , . . . are memorized at start:
Output sending. Similar to in ports, let g(y) represent the behavior of an out port. The sending function, denoted here as y t, is such that the generated output of g(y) is held and sent out at time t:
Compositional transformation
The translation from AADL to Signal is recursive. A package, which represents the root of an AADL specification, is transformed into a Signal module, the root of a Signal program, allowing it to describe an application in modular fashion. The rest of the transformation proceeds modularly by an inductive translation of the AADL concepts of a given model or source text. Each AADL component implementation is translated into a Signal process composed of the following elements:
• An interface consisting of input/output signals translated from the features (ports) provided by the component type,
• Additional control signals that may be added depending on the component category (Dispatch and Deadline for a thread),
• A body, itself composed of subcomponents, subprogram call sequences, connections, component properties, and a transition system specifying the functional behavior.
Threads. Let us sketch the principles of the translation of threads, which are the main executable and schedulable components. The six types of threads (periodic, aperiodic, sporadic, timed, hybrid, and background) are discriminated by the dispatch; a dispatch request is periodic, or is triggered by an event (or event data) arriving, etc. The different threads are implemented in the same manner, but the "dispatch" signal is generated differently. An AADL thread component is implemented as a Signal process (Fig. 9) : it is composed of processes that represent its behavior, property, ports, and subcomponents. Dispatch, Complete, and Error are pre-declared ports in AADL. They are represented as input/output signals ( Dispatch, Complete, and Error). According to the AADL semantics, the signals Resume and Deadline are added as inputs, which are generated by the scheduler.
Start is represented as the first Resume after a Dispatch signal. It is computed in the xx_Thread_property subprocess. The event signals ( x1_Frozen_time_event, The translation (as polychronous automata) of the transition system that provides the functional behavior of the thread will be illustrated in the case study described in Section 9.
Complete toolchain
A global view of the toolchain for modeling, timing analysis, and verification of the AADL models in the polychronous MoC is given in Fig. 10 .
The AADL model, which conforms to the AADL metamodel, is captured as AADL textual code in the OSATE toolkit 3) . The timing properties provide detailed timing specifications related to the AADL model. A model transformation toolchain, ASME2SSME, performs analyses on the ASME models (AADL Syntax Model under Eclipse) and generates Signal models in the Signal Syntax Model under Eclipse (SSME). The SSME models can be transformed to Signal textual code within Polychrony. An AADL2SIGNAL library provides common Signal processes, reducing significantly the transformation cost. The timing properties represented as Signal clocks are calculated and analyzed in the compilation of Signal programs. Then, executable code can be generated for simulation. Associated tools, such as Sigali [34] and SynDEx [35] , can be used for further verification and validation. The global architecture, in the context of Polychrony, is presented in Fig. 11. 
Case study: an adaptive cruise control system
In this section, we present the AADL modeling of an adaptive cruise control (ACC) system, a highly safety-critical system embedded in modern cars, and we show how polychronous automata allow verification of properties in such a heterogeneous system.
Adaptive cruise control systems
Adaptive Cruise Control systems are embedded systems in cars. They receive information from different sensors and can act on the speed of the vehicle, notably in the case of the risk of a collision. As such, ACC systems are safety-critical systems, requiring careful design and verification.
An Adaptive Cruise Control system is an optional cruise control system for road vehicles that automatically adjusts the vehicle speed to maintain a safe distance from vehicles ahead. [. . . ] Control is imposed based on sensor information from onboard sensors [36] . ACC systems pursue two main goals: to automatically follow a preset speed (as do classic cruise control systems), improving comfort of the driver, reducing fatigue, and preventing subconscious violation of speed limits, and adapt the vehicle's speed to maintain a safe distance from a vehicle ahead to prevent collisions.
For this, an ACC system receives information from different sensors: speedometer, lidar/radar to detect vehicles or obstacles ahead, and wheel sensors to adjust the position of the lidar/radar. It also receives information from the driver through buttons used to set the preferred speed and to activate/deactivate the system. Depending on the situation (presence of an obstacle or not, activation of the cruise control or not), it computes the acceleration/deceleration for the vehicle to reach the needed speed, the preferred speed of the driver if there is no obstacle and the cruise control is on, or the speed of the vehicle ahead if one is detected. Finally, it acts on the vehicle through its brakes and throttle.
ACC systems are thus highly safety-critical systems which must satisfy multiple requirements linked to multiple perspectives:
• from the timing and scheduling perspective, all threads must meet their deadlines and the overall task of reacting to the presence or absence of an obstacle must meet a maximum reaction time;
• from the logical perspective, the system must be free of deadlocks and race conditions;
• from the security perspective, critical software components (processes or systems) must be protected from less critical components, and thus are executed on dedicated processors;
• from the consumption perspective, the system must draw minimal power from the car battery, thus processors must run on the minimal possible frequency;
• from the cost perspective, the overall cost of the system should be minimal, which means minimizing hardware component size and complexity.
All these requirements interact in many ways, and thus cannot be checked on only a subset of the system. Minimizing hardware components size and processor frequency to reduce costs and power consumption of the vehicle will affect execution time and scheduling of the different tasks (e.g., a less powerful processor will take more time to execute a task and smaller or slower buses will slow data communication). Similarly, changing a processor with another to reduce costs may lead to impossible bindings between processes and processors (e.g., some embedded processors may be unable to execute complex operations).
To collectively analyze these requirements and to ensure that choices made to satisfy one requirement do not break another (i.e., the set of requirements is compatible), the full system must be analyzed.
The AADL model of the ACC system can be transformed into a Signal program, where behavior is described through polychronous automata and properties are used as constraints over the system. It is then possible to use the Polychrony framework to analyze and simulate the system. The Polychrony framework targets the two first perspectives presented above: time and scheduling, and logical perspectives. Requirements depending on other perspectives should be addressed using complementary analyzes.
AADL modeling of the adaptive cruise control system
In the following, we present the modeling of a simplified ACC system using AADL. AADL provides a combination of visual and textual modeling: we use the visual representation for the overview of the system and details about connections, communications, and behavior automata, and we use the textual representation for details about requirements and properties such as types, numbered or enumerated properties, and about behavior actions.
9.2.1 Architecture of the adaptive cruise control system Figure 12 presents an overview of the system, consisting of:
• devices, such as sensors (speedometer, radar, wheel sensor), console with buttons and display, throttle, and brakes;
• buses allowing subsystems to communicate with each other and with devices;
• controller and console subsystems. Each of the two subsystems consists itself of hardware components, such as processors, memories, and buses; and software components consisting of processes containing threads. Figure 13 presents the controller subsystem and its components: one processor, one memory, one bus connecting the processor and the memory, and one controller process. The controller process itself contains four threads, one for each sensor, and the ComputeActionThread, which is responsible for sending speed up, slow down, or complete stop signals to the throttle and brakes of the vehicle.
Behavior of the adaptive cruise control system
In AADL, system behavior is specified through the so-called behavior annexes attached to components. Behavior annexes specify the behavior of AADL components (threads and subprograms) through state transition systems with guards and actions, which can be expressed as polychronous automata. Figure 14 shows the state transition system describing the behavior of the ComputeActionThread thread, which is responsible for processing the correct behavior the system should adopt (slow down, speed up, or keep the speed constant) depending on the situation.
For readability, guards and actions have been omitted. In The state transition system starts in the Waiting state, waiting for its thread to be dispatched, and to pass to Started state. The Waiting state is a complete one, that is, a state in which a thread pauses its execution when entering, waiting for a new dispatch.
After entering the Started state, depending on the inputs, the state transition system can pass into the Detected state (the system detected an obstacle) or the Console state (the system did not detect an obstacle and the cruise control is on), or go back to the Waiting state (the system did not detect an obstacle and the cruise control is off).
In the Detected state, the system must decide the status of the situation: if the obstacle is in an unsafe range, the system goes into the Emergency state and its next transition will send a signal to the brakes to stop the vehicle; if the obstacle is outside this range, the system enters the NoEmergency state and then determines whether it should slow down to adapt its speed to the obstacle speed, speed up, or keep the speed constant (each transition sending the corresponding signal to the throttle after the computation of the needed acceleration/deceleration). The same occurs in the Console state depending on the current speed of the vehicle and the speed preset by the driver. After saving useful values (e.g., current speed, current obstacle speed, and obstacle distance in the SaveValues state, the state transition system returns to the Waiting state, waiting for the next dispatch of its thread.
Properties of the adaptive cruise control system
Requirements, such as thread deadline, sensor period, memory and bus size, processor frequency, and scheduling policies, are modeled using AADL properties.
Timing and scheduling requirements on a thread can be expressed through AADL properties such as dispatch protocol (Dispatch_Protocol), period in case of a periodic dispatch (Period), execution deadline (Deadline), and worst-case execution time (Compute_Execution_Time). For example, Listing 2 presents these properties attached to the ComputeActionThread thread. Logical requirements, such as the absence of deadlocks and race conditions, are not explicitly expressed through properties, but are automatically checked by the Polychrony framework.
Refinement and verification of system requirements using the polychronous model of computation
The AADL model of the ACC system can be transformed into a Signal program, where behavior is described through polychronous automata and properties are used as constraints over the system. It is possible to use the Polychrony framework to analyze the system owing to this transformation. For synchronous data flow (SDF) applications [37] , scheduling properties can be computed during the transformation.
Transformation of the behavior annex to Signal
An overview of the compositional transformation from AADL to Signal is presented in Section 8. We will now focus on the translation of a state transition system described through an AADL behavior annex to a polychronous automaton described in Signal. The rules formally describing the semantics of the behavior annex and its translation in transition systems represented as polychronous automata are detailed in [38] . Here, we simply provide the intuition of this translation as Signal automata through our case study. Such an automaton is described using the Signal syntactic extensions presented in Section 7. Once the AADL model of a system is transformed into a Signal program, one can analyze the program using the Polychrony framework to check if the logical requirements over the entire system are met. Note that timing and scheduling requirements are checked during the transformation itself.
Verification of timing and scheduling requirements
Polychrony provides a schedulability analysis for periodic programs obtained from AADL models. In particular, it can detect non-schedulable systems owing to the timing properties (mainly the period and the WCET-Worst Case Execution Time). Moreover, with some extra information (port rates), periods can be left undefined; they will be computed by calling a standalone plugin named ADFG (this plugin is based on the work of Bouakaz [39, 40] ).
The schedulability test is triggered during the translation of an AADL processor device into Signal, provided that all threads of the unique process bound to this processor are periodic and as a minimum have a defined
Compute_Execution_Time. The test consists of the following two steps: 1) Polychrony checks that all threads have a defined period and tries to compute it if this is not the case (in our case study, all periods are defined so this step is skipped). The periods can be computed if all threads define connections between them (such that they form a connected graph) and have Input_Rate and Output_Rate properties set on their connection ports. The computation is performed by ADFG, which ensures that the deduced periods imply a schedulable system.
2) A simple utilization factor test is performed on the current processor (which is useful especially if the periods are user-provided). If the utilization factor is less than one, each thread period is converted into an affine clock relationship between the fastest clock and each thread control signal (Dispatch, Resume, Deadline, and Initialize) with corresponding phases. Otherwise, the AADL to Signal transformation continues on the other AADL elements without generating the current processor's scheduling equations.
Note that this method of defining the periodic thread control signals implies that the generated Signal code does not take into account possible thread preemptions; it is oriented toward functional simulation only.
The current implementation has some limitations: e.g., all temporal properties (periods, etc.) must be expressed in the same time unit, and the scheduled threads must exist in the same unique process of a processor. Future work will be dedicated to release these limitations and to use an exact scheduling test in Step 2, instead of the utilization factor (which is only a necessary condition) for Earliest Deadline First (EDF) and Deadline Monotonic (DM) scheduling algorithms. Besides, Step 1 is based on ADFG, which can compute the best periods, deadlines, and communication buffer sizes given a cyclo-static dataflow graph to maximize the throughput. This is more than what is currently used, so a possible improvement would be to reuse all the ADFG results to refine more AADL properties related to scheduling.
Verification of logical requirements
Polychrony also allows detection of deadlocks in the AADL model of a given system. After the transformation of the AADL model to a Signal program (following the compositional transformation presented in Section 8), the Polychrony framework calculates the Graph of Conditional Dependencies of the Signal program and computes the product clock of each cycle in this graph (a cycle representing a potential deadlock) [41] . The Graph of Conditional Dependencies is a labeled, directed graph where:
• vertices are the signals and clock variables;
• edges indicate data dependencies among signals and clock variables;
• labels represent the conditions for which the dependencies are valid.
In this graph, cycles represent possible deadlocks, e.g., cyclical data dependencies between signals and/or clock variables. However, because dependencies are conditioned, Polychrony only needs to consider instants where all dependencies are valid. To do so, it computes the product of the labels of each edge in the cycle. If this product is null, there is no instant where all the dependencies are valid at the same time, and thus there is no possible deadlock.
If the product clock of every cycle in the Graph of Conditional Dependencies of the Signal program is null, then the program (and the AADL model from which it has been obtained) is deadlock-free.
In the case study, a race condition due to an error in the state transition system of the ComputeActionThread was detected by the clock calculus of Polychrony.
In addition, model checking-based formal verification can be performed in the Polychrony framework using the associated Sigali tool [34] . Properties such as invariance, reachability, and attractivity can be checked by Sigali. Algorithms for computing state predicates are also available in the tool.
Conclusion
We have presented a model of finite-state automata, called polychronous automata, that integrates smoothly with dataflow equations in the polychronous model of computation. Automata define transition systems to express explicit reactions together with properties, in the form of boolean formulas over logical time, to constrain their behavior.
The implementation of such automata amounts to composing explicit transition systems with a controller synthesized from the specified constraints.
Polychronous automata have been integrated in the opensource version of the Polychrony framework through lightweight syntactic extensions of the Signal language. They may be used to specify behaviors (and constraints) and to abstract behaviors, as the result of a formal calculus.
This formal model of automata supports the recommendations adopted by the SAE committee on the AADL to implement a timed and synchronous behavioral annex for the standard [42] . The model of polychronous automata has been provided as a semantic model for our proposal as an extension of the AADL behavior annex.
An experimental implementation of the semantic features of this "timing annex" enriches the already existing transformation of AADL models to Signal programs to consider the behaviors of AADL models. This transformation will be integrated in the POP environment for Eclipse 4) . The implementation has been tested with an adaptive cruise control case study, developed with Toyota ITC. Adaptive Cruise Control systems are highly safety-critical embedded vehicle systems which must satisfy multiple interdependent requirements. Polychronous automata allow us to define a complete semantic model for AADL specifications of such systems. We provide tools to this semantic model for verifying and analyzing properties (such as deadlock freedom and schedulability) over an entire system. 
