Modular interpretation of heterogeneous modeling diagrams into synchronous equations using static single assignment by Talpin, Jean-Pierre et al.
Modular interpretation of heterogeneous modeling
diagrams into synchronous equations using static single
assignment
Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, Lo¨ıc Besnard, Cortier
Alexandre
To cite this version:
Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, Lo¨ıc Besnard, Cortier Alexandre. Modular
interpretation of heterogeneous modeling diagrams into synchronous equations using static
single assignment. [Research Report] RR-7036, INRIA. 2009, pp.22. <inria-00417682>
HAL Id: inria-00417682
https://hal.inria.fr/inria-00417682
Submitted on 16 Sep 2009
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
appor t  

de  r ech er ch e 
IS
SN
02
49
-
63
99
IS
R
N
IN
R
IA
/R
R
-
-
70
36
-
-
FR
+
EN
G
Thème COM
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Modular interpretation of heterogeneous modeling
diagrams into synchronous equations using static
single assignment
Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, INRIA
Loic Besnard, CNRS, and Alexandre Cortier, CNES-IRIT
N° 7036
September 2009
Centre de recherche INRIA Rennes – Bretagne Atlantique
IRISA, Campus universitaire de Beaulieu, 35042 Rennes Cedex
Téléphone : +33 2 99 84 71 00 — Télécopie : +33 2 99 84 71 71
Modular interpretation of heterogeneous modeling diagrams
into synchronous equations using static single assignment
Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, INRIA
Loic Besnard, CNRS, and Alexandre Cortier, CNES-IRIT
The`me COM — Syste`mes communicants
E´quipes-Projets Espresso
Rapport de recherche n° 7036 — September 2009 — 19 pages
Abstract: The ANR project SPACIFY develops a domain-specific programming environment,
Synoptic, to engineer embedded software for space applications. Synoptic is an Eclipse-based mod-
eling environment which supports all aspects of aerospace software design. As such, it is a domain-
specific environment consisting of heterogeneous modeling and programming principles defined in
collaboration with the industrial partners and end users of the project : imperative synchronous pro-
grams, data-flow diagrams, mode automata, blocks, components, scheduling, mapping and timing.
This article focuses on the essence and distinctive features of its behavioral or programming aspects :
actions, flows and automata, for which we use the code generation infrastructure of the synchronous
modeling environment SME. It introduces an efficient method for transforming a hierarchy of blocks
consisting of actions (sequential Esterel-like programs), data-flow diagrams (to connect and time
modules) and mode automata (to schedule or mode blocks) into a set of synchronous equations.
This transformation minimizes the needed state variables and block synchronizations. It consists
of an inductive static-single assignment transformation algorithm across a hierarchy of blocks that
produces synchronous equations. The impact of this new transformation technique is twofold. With
regards to code generation objectives, it minimizes the needed resynchronization of each block in the
system with respects to its parents, potentially gaining substantial performance from way less syn-
chronizations. With regards to verification requirements, it minimizes the number of state variables
across a hierarchy of automata and hence maximizes model checking performances.
Key-words: Synchronous programming, model-driven engineering, program transformation,
static-single assignment
Interpretation modulaire de mode`les he´te´roge`nes utilisant
l’assignation unique
Re´sume´ : Ce rapport de´crit une technique de transformation de programme utilise´e dans le cadre
du projet ANR Spacify afin de transformer un ensemble de diagrammes he´te´roge`nes, repre´sentant
diffe´rentes vue d’un syste`me pendant sa conception, en utilisant une repre´sentation interme´diaire
SSA (static-signgle assignment). La forme intermd´iaire, modulaire et compacte, ainsi obtenue,
est alors interpre´te´ dans lem ode`le de calcul synchrone de l’atelier SME pour obtenir enfin une
mode´lisation formelle supportant une ve´rification acce´le´re´ et un code gn´e´re´ efficace
Mots-cle´s : Programmation synchrone, inge´nierie de mode`les, transformation de programmes,
assignation unique
Model transformations using SSA 3
Contents
1 Introduction 4
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Model of computation 6
2.1 Model of timed traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Formal semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Interpretation and semantics of Synoptic 8
3.1 Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Dataflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4 Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.5 Modularity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.6 Periodic behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4 Experimental Results 16
5 Related Work 17
6 Conclusions 17
RR n° 7036
4 Talpin, et al.
1 Introduction
In the ANR project SPACIFY [10], we develop a domain-specific programming environment, Synop-
tic, for engineering for space application and control software. Synoptic is an Eclipse-based modeling
environment which supports all aspects of aerospace software design. It covers the design of ap-
plication and control modules using imperative synchronous programs, data-flow diagrams, mode
automata, and also the partitioning, timing and mapping of these module onto satellite architec-
tures. As such, Synoptic is a domain-specific environment : its aim is to provide the engineer
with a unified modeling environment to cover all heterogeneous programming, analysis and verifi-
cation tasks, as defined in collaboration with the industrial end users of the project. One typical
case study under investigation in the project is a generic satellite positioning software, responsible
for automatically moving the satellite into a correct position before initiating interaction with the
ground.
Its specification, Fig. 1, consists of the composition of heterogeneous diagrams. Each diagram
represents one specfic aspect of the software’s role: automata, Fig. 1-1, control its modes of oper-
ation for specific conditions (e.g. a solar eclipse). Data-flows, Fig. 1, define communication links
and/or periodic processing tasks. Timed imperative programs, Fig. 1, specify sequential algorithmic
behaviors.
Figure 1: Specification of the positionning software
(a) (b) (c)
(d)
1.1 Motivation
In this article, we are concerned with the heterogeneity of modeling notations of the Synoptic
language and propose a method to embed them in a suitable model of computation for the purpose
of formal verification and code generation. To model and compile all distinctive programming
INRIA
Model transformations using SSA 5
features of Synoptic : imperative programs, data-flows and automata, we use the code generation
infrastructure of the synchronous modeling environment SME [2].
This model transformation or interpretation introduces an efficient method for transforming
a hierarchy of blocks consisting of actions (sequential Esterel-like programs), data-flow diagrams
(to connect and time modules) and mode automata (to schedule or mode blocks) into a set of
synchronous equations. This transformation minimizes the needed state variables and block syn-
chronizations. It consists of an inductive static-single assignment transformation algorithm across
a hierarchy of blocks that produces synchronous equations.
1.2 Outline
The impact of this transformation technique is twofold. With regard to code generation objectives, it
maximizes the amount of atomic operations that are performed within one cycle of execution, gaining
substantial performance from way less synchronizations. With regard to verification requirements,
it minimizes the number and updates of state variables across automata and hence provides better
model checking performances.
Example The principle of our transformation technique can be illustrated by considering a simple
(Esterel-like) imperative Synoptic program. When the program receives control, it first initializes
x and then increments it if y is true. Otherwise, x is decremented, a skip is issued (to synchronize
with the parent block), and x is decremented again. At the end, control is released to the parent
(caller) block.
x = 0;
if y then {x = x+ 1}
else {x = x− 1; skip ;x = x− 1}
end
The static single assignment form of this program (Fig. 2, left) assigns a different name x1...4 to
each definition of x and uses a so called φ-node to merge the values x2 and x4 of x flowing from
then and else branches of the if . It is interpreted (Fig. 2, right) by a merge (the default keyword)
of two flows, x2 and x4, that are sampled (the when keyword) by the corresponding condition of
the control-flow. All other data-flow equations match an instruction of the intermediate SSA form
and its control-flow point. The signals s and s′ record the current and next states of the program
(0 and 1) using a delay keyword pre .
Figure 2: A timed sequential program and its data-flow interpretation
x1 = 0;
if y
thenx2 = x1 + 1
else {
x3 = x1 − 1;
x = x3;
skip ;
x4 = x− 1
};
x = φ(x2, x4)
end
x1 = 0when (s = 0)
x2 = x1 + 1when (s = 0)when y
x3 = x1 − 1when (s = 0)when not y
x4 = (x pre 0)− 1when (s = 1)
x = x2 when (s = 0)when y
defaultx3 when (s = 0)when not y
defaultx4 when (s = 1)
s′ = 0when (s = 1)
default 0when (s = 0)when y
default 1when (s = 0)when not y
s = s′ pre 0
In the present paper, we show how to not only translate the core imperative programming
features into equation by generalizing the above idea, but also extend it to the mode automata that
control the activation of such elementary blocks and to the data-flow diagrams that connect them.
RR n° 7036
6 Talpin, et al.
This yields, just as in the case of the above simple programs (one variable update instead of three) a
significant gain in the number of transitions and of synchronization needed to verify and to execute
programs.
2 Model of computation
The model of computation on which Synoptic relies for program transformation and code generation
purposes is that of the Eclipse-based synchronous modeling environment SME [11]. The core of SME
is based on compiler of the synchronous programming language Signal [6]. In Signal, a process P
consists of the composition of simultaneous equations x = f(y, z) over signals x, y, z.
P,Q ::= x = y f z | P/x | P |Q (process)
A delay equation x = y pre v defines x every time y is present. Initially, x is defined by the value
v, and then, it is defined by the previous value of y. A sampling equation x = y when z defines x
by y when z is true. Finally, a merge equation x = y default z defines x by y when y is present and
by z otherwise. An equation x = y f z can use a boolean or arithmetic operator f to define all of
the nth values of the signal x by the result of the application of f to the nth values of the signals y
and z. The synchronous composition of processes P |Q consists of the simultaneous solution of the
equations in P and in Q. It is commutative and associative. The process P/x restricts the signal x
to the lexical scope of P .
In Signal, the presence of a value along a signal x is an expression noted xˆ. It is true when x is
present. Otherwise, it is absent. Specific processes and operators are defined in Signal to manipulate
clocks explicitly. We only use the simplest one, x sync y, that synchronizes all occurrences of the
signals x and y.
Example We exemplify the model of computation of Signal by considering an equation that
defines a counter. The output signal counter is defined by 0 when the input signal reset is true and,
otherwise, by an increment of its previous value (counter pre 0) which is initially 0.
counter = 0when reset default 1 + counter pre 0
Notice that the clock of the output signal is left deliberately larger than that of the input signal.
One may later refine it with an additional clock equation counter sync reset to generate a count every
time an occurrence of the input signal reset, true or false, is present.
2.1 Model of timed traces
In the timing model of Polychrony [6], symbolic tags t or u denote periods in time during which
execution takes place. Time is defined by a partial order relation ≤ on tags: t ≤ u stipulates that t
occurs before u or at the same time. A chain is a totally ordered set of tags. It corresponds to the
clock of a signal: it samples its values over a series of totally related tags. The domains for events,
signals, behaviors and processes are defined as follows:
- an event is a pair consisting of a tag t ∈ T and a value v ∈ V,
- a signal s ∈ S is a function from a chain of tags C ⊂ T to a set of values v ∈ V,
- a behavior b ∈ B is a function from a finite set of signal names X ⊂ V to signals,
- a process p ∈ P is a set of behaviors that have the same domain.
Example To illustrate these definitions, consider a possible behavior of the signals x and y defined
by the process x = filter(y). The time tags at which the output x is present correspond to the time
tags at which the previous and present value of y differ. Hence, evenly tagged values belong both
to x and y.
y 7→ (t1, true ) (t2, false ) (t3, false ) (t4, true ) (t5, true ) (t6, false )
x 7→ (t2, true ) (t4, true ) (t6, true )
INRIA
Model transformations using SSA 7
Notations We write T (s) for the chain of tags of a signal s and min s and max s for its minimal
and maximal tag. We write V(b) for the domain of a behavior b (a set of signal names). The
restriction of a behavior b to X is noted b|X (i.e. V(b|X) = X). Its complementary b/X satisfies
b = b|X ⊎ b/X (i.e. V(b/X) = V(b) \X). We overload T and V to designate the tags of a behavior b
and the set of signal names of a process p.
Since tags along a signal s form a chain C = T (s), we write Ci for the ith instant in chain C
and have that Ci ≤ Cj iff i ≤ j for all i, j ≥ 0.
Reaction A reaction r is a behavior with (at most) one time tag t. We write T (r) for the tag of
a non empty reaction r. The empty signal is noted ∅. If a reaction r is concatenable to a behavior
b, written b ·? r then the concatenation of r to b is written b · r.
b ·? c⇔ V(b) = V(c) ∧max(T (b)) < min(T (c)) b ·? c⇒ ∀x ∈ V(b), (b · c)(x) = b(x) ⊎ r(x)
Synchronous structure A behavior c is a stretching of a behavior b, written b ≤ c, iff V(b) = V(c)
and there exists a bijection f on tags s.t.
∀t, u, t ≤ f(t) ∧ (t < u⇔ f(t) < f(u))
∀x ∈ V(b), T (c(x)) = f(T (b(x))) ∧ ∀t ∈ T (b(x)), b(x)(t) = c(x)(f(t))
b and c are clock-equivalent, written b ∼ c, iff there exists a behavior d s.t. d ≤ b and d ≤ c. The
synchronous composition p |q of two processes p and q is defined by combining behaviors b ∈ p and
c ∈ q that are identical on the interface between p and q : I = V(p) ∩ V(q).
p |q = {b ∪ c | (b, c) ∈ p× q ∧ b|I = c|I ∧ I = V(p) ∩ V(q)}
Alternatively, the synchronous structure of a process can be interpreted as an equivalence relation
∼ that refines the causal tag structure of individual signals (for all b ∈ B, for all x ∈ V(b), T (b(x))
is a chain of T). If we make the assumption that the only phenomenological structure is this causal
structure, then the synchronous structure of a behavior ∼b can be seen as a way to slice time across
individual signals in a way that preserves causality: for all t, u ∈ T (b), 1. t < u iff t 6∼b u and 2.
t ≤ u iff t ∼ u or t < v and v ∼b u.
2.2 Formal semantics
We examplify the use of the model of computation by considering the kernel operators of Signal.
The meaning [[P ]] of a Signal process P is a set of behaviors that are inductively defined by the
concatenation of reactions (we assume that ØV(P ) ∈ [[P ]] for all P ).
The meaning of the synchronous composition P |Q is the synchronous composition [[P |Q]] =
[[P ]] | [[Q]] of the meaning of P and Q. The meaning of restriction is defined by [[P/x]] = {c | b ∈
[[P ]] ∧ c ≤ (b/x)}.
The semantics of a delay x = y pre v is defined by appending a reaction r of tag t to a behavior
b. It initially defines x by the value v (when b is empty) and then by the previous value of y (i.e.
b(y)(u) where u is the maximal tag of b).
[[x = y pre v]] =

b ∈ B|x,y
∣∣∣∣∣∣
T (b(x)) = T (b(y))
∀t ∈ T (b(x)), b(x)(succC(t))= b(y)(t)
b(x)(min(C)) = v


[[x = y f z]] =
{
b ∈ B|x,y,z
∣∣∣∣T (b(x)) = T (b(y)) = T (b(z))∀t ∈ T (b(x)), b(x)(t) = f(b(y)(t), b(z)(t))
}
Similarly, the semantics of a sampling x = y when z defines x by y when z is true. Finally,
x = y default z defines x by y when y is present and by z otherwise. We write T true (s){t ∈
T (s) | s(t) = true } for the chain of tags at which a signal s is true.
RR n° 7036
8 Talpin, et al.
[[x = y when z]] =
{
b ∈ B|x,y,z
∣∣∣∣T (b(x)) = T true (b(y)) ∩ T (b(z))∀t ∈ T (b(x)), b(x)(t) = b(y)(t)
}
[[x = y default z]] =

b ∈ B|x,y,z
∣∣∣∣∣∣
T (b(x)) = T (b(y)) ∪ T (b(z))}
∀t ∈ T (b(x)), b(x)(t) =
{
b(y)(t), t ∈ T (b(y))
b(z)(t), t 6∈ T (b(y))


3 Interpretation and semantics of Synoptic
We formalize the semantics Synoptic by isolating the core syntactic categories that characterize its
expressive capability: blocks, dataflows, actions and automata.
Blocks are the main structuring element of Synoptic. A block block xA defines a functional unit
of compilation and of execution that can be called from many contexts and with different modes in
the system under design. A block x encapsulates a functionality A that may consists of subblocks,
automata and dataflows. A block x is implicity associated with two signals x.trigger and x.reset.
The signal x.trigger starts the execution of A. The specification A may then operate at its own
pace until the next x.trigger is signaled. The signal x.reset is delivered to x at at some x.trigger and
forces A to reset its state and variables to initial values.
(blocks) block xA where A,B ::= block xA | dataflow xA | automaton xA | A |B
Dataflows ensure the inter-connection between data (inputs and outputs) and events (e.g. trigger
and reset signals) within a block. A flow can be the connection of an event x to an event y,
written event x → y, data y and z combined by a simple operation f to form the flow x, written
data y f z → x or a delayed connection from y to x to implement feedback, written data y pre v → x.
The signal x is initially defined by x0 = v. Then, at each occurrence n > 0 of the signal y, it takes
its previous value xn = yn−1.
(dataflow) dataflow xA where A,B ::= data y pre v → x | data y f z → x | event x→ y | A |B
The execution of a data-flow is controlled by its parent clock. A data-flow simultaneously executes
each connection it is composed of every time it is triggered by its parent block.
Actions are sequences of operations on variables that are performed during the execution of
automata. An assignment x = y f z defines the new value of the variable x from the current values
of y and z by the function f . The skip statement stores the new values of variables that have been
defined before it, so that they become current past it. The conditional ifx thenA elseB executes A
if the current value of x is true and executes B otherwise. A sequence A;B executes A and then B.
(action) A,B ::= skip | x = y f z | ifx thenA elseB | A;B
Automata schedule the execution of operations and blocks by performing timely guarded tran-
sitions. An automaton receives control from its trigger and reset signals xtrigger and x.reset as
specified by its parent block. When an automaton is first triggered, or when it is reset, its starts
execution from its initial state, specified as initial stateS. On any state S : doA, it performs
the action A. From this state, it may perform an immediate transition to new state T , written
S → on x T , if the value of the current variable x is true. It may also perform a delayed transition
to T , written S ։ on x T , that waits until the next trigger to resume execution (in state T ). If no
transition condition applies, it then waits the next trigger and resumes execution in st ate S. States
and transitions are composed as A |B.
(automaton) automaton xA where A,B ::= stateS : doA | S → on x T | S ։ on x T | A |B
INRIA
Model transformations using SSA 9
The syntax for automata supports additional constructs to facilitate the definition of more complex
policies. The initial (and terminal) state(s) of an automaton are explicitly specified by initial stateS :
doA and terminal stateS : doA while, in the semantics, the initial state is just an initial or reset
value of the state and a terminal state a state without outgoing transition. The actions performed
in a state can be further decomposing into the actions of entering a state stateS on entry doA, the
action repetitively performed in a given state stateS during doA, the action performed when leaving
a state stateS on exit doA, the action performed while leaving a state S ։ on x doA T .
A,B ::= initial stateS : doA | terminal stateS : doA | stateS on entry doA
| stateS during doA | stateS on exit doA | S ։ on x doA T
The timed execution of an automaton combines the behavior of an action or a data-flow. The
execution of a delayed transition or of a stutter is controlled by an occurrence of the parent trigger
signal (as for a data-flow). The execution of an immediate transition is performed without waiting
for a trigger or a reset (as for an action).
3.1 Blocks
A block x receives control from its trigger and reset signals x.trigger and x.trigger. The translation
of a block block xA is the same as that of A but it is parameterized by the pair of trigger and reset
signals.
[[ block xA]] = [[A]]
x.trigger,x.reset
Denotation The corresponding denotation is parameterized by the time tags at which the trigger
and reset events occur. They are defined by the chains Ct (for the trigger) and Cr (for the reset).
Therefore, the operation of A is controlled by C = (Ct, Cr).
[[ block xA]] =

b |c | b ∈ [[A]]C , c ∈ B|x.trigger
x.reset
, Ct = T true (c(x.trigger)) ⊇ T (c(x.reset)) = C
r


In addition to the above, an enable signal x. enable can be used to initiate the delayed execution
of a block. Therefore, assuming Ct = T true (c(x.trigger)) and C
e = T true (c(x. enable )), we should
have that, ∀t ∈ Ct∃u ∈ Ce, t ≤ u.
Example The execution of a block is driven by the trigger t of its parent block. The block
resynchronizes with that trigger every time, itself or one of its sub-block, performs an explicitly
delayed transition, e.g. S ։ T for an automaton, or makes an explicit reference to time (e.g. skip for
an action). Otherwise, the elapse of time shall not be sensed from within the block, whose operations
(e.g., on ci), should be perceived as belonging to the same period as within [ti, ti+1[. To implement
this feature, we make use of an encoding of actions and automata using static single assignment. As
a result, and from within a block, every immediate sequence of actions A;B or transitions A → B
only defines the value of the block’s variable once, while defining several intermediate ones in the
flow of its execution.
(main) ti ti+1 . . .
↓ ↓
(block)
bi︷ ︸︸ ︷
ui . .
↓ ci︷ ︸︸ ︷
· · · · · ·
ui+1 . . .
(sub−block)
RR n° 7036
10 Talpin, et al.
3.2 Dataflow
Data-flows are structurally similar to Signal programs and equally combined using synchronous
composition. The interpretation [[A]]
rt
= 〈P 〉 of a data-flow is parameterized by the reset and
trigger signals of the parent block and returns a process P 1. A delayed flow data y pre v → x
initially defines x by the value v. It is reset to that value every time the reset signal r occurs.
Otherwise, it takes the previous value of y in time. A functional flow data y f z → x defines x by
the product of (y, z) by f . An event flow event y → x connects y to define x. The operator ?(y)
converts an event y to a boolean data. The operator (ˆy) converts the boolean data y to an event.
We write in(A) and out(A) for the input and output signals of a dataflow A.
[[ dataflow f A]]
rt
= 〈[[A]]rt |
(∏
x∈in(A) x sync t
)
〉
[[ data y pre v → x]]rt = 〈x = (vwhen r) default (y pre v) | (x sync y)〉
[[ data y f z → x]]rt = 〈x = y f z〉
[[ event y → x]]rt = 〈x = when y〉
[[ data ?(y)→ x]]rt = 〈x = true when y default false |x sync t〉
[[ event (ˆy)→ x]]rt = 〈x = when y〉
[[A |B]]rt = 〈[[A]]rt | [[B]]rt〉
By default, the convention of Synoptic is to synchronize the input signals of a data-flow to the
parent trigger. It is however, possible to define alternative policies. One is to down-sample the
input signals at the pace of the trigger. Another is to adapt or resample them at that trigger.
Alternatively, adaptors could better be installed around the input and output signals of a block in
order to resample them with respect to the specified frequency of the block.
[[sample data y → x]]rt = 〈x = y when t〉 [[adapt data y → x]]rt = 〈x = y cell t〉
Denotation A data-flow dataflow f A is defined by the meaning of A controlled by the parent
timing C. A delayed flow data y f z → x assigns v to the signal x upon reset t ∈ Cr and the
previous value of y otherwise, at time predCx(t). An operation data y f z → x assigns the product
of the values u and v of y and z by the operation f to the signal x. An event event x→ y triggers
x every time y occurs. Composition A |B merges all timely compatible traces of A and B under the
same context.
[[ dataflow f A]]
C
= {b ∈ [[A]]C | ∀x ∈ in(A)Ct = T (b(x))}
[[ data y pre v → x]]C =
{
b ∈ B|x,y
∣∣∣∣Cx = T (b(x)) = T (b(y)) ⊇ Cv = Cr ∪ {min(T (b(x)))}∀t ∈ Cx, b(x)(t) = if t ∈ Cv then v else b(y)(predCx(t))
}
[[ data y f z → x]]C =
{
b ∈ B|x,y,z
∣∣∀t ∈ T (b(x)) = T (b(y)) = T (b(z)), b(x)(t) = f(b(y)(t), b(z)(t))}
[[ event y → x]]C = {b ∈ B|x,y |T (b(x)) = T (b(y))}
[[A |B]]C = [[A]]C | [[B]]C
1The input term A and the output term P are marked by [[A]] and 〈P 〉 for convenience
INRIA
Model transformations using SSA 11
3.3 Actions
The execution of an action A starts at an occurrence of its parent trigger and shall end before the
next occurrence of that event. During the execution of an action, one may also wait and synchronize
with this event by issuing a skip statement.
A skip statement has no behavior but to signal the end of an instant: all the newly computed
values of signals are flushed in memory and execution is resumed upon the next parent trigger.
A statement x! sends the signal x to its environment. Execution may continue within the same
symbolic instant unless a second emission is performed: one shall issue a skip statement before that.
An operation x = y f z takes the current value of y and z to define the new value of x by the product
with f . A conditional ifx thenA elseB executes A or B depending on the current value of x.
As a result, only one new value of a variable x should at most be defined within an instant
delimited by the start and the end or skip statement. Therefore, the interpretation of an action
consists of its decomposition in static single assignment form. To this end, we use an environment
E to associate each variable with its definition, an expression, and a guard, that locates it (in time).
An action holds an internal state s that stores an integer n denoting the current portion of the
actions that is being executed. State 0 represents the start of the program and each n > 0 labels a
skip statement that materializes a synchronized sequence of actions.
The interpretation [[A]]s,m,g,E = 〈P 〉n,h,F of an action A takes as parameters the state variable
s, the state m of the current section, the guard g that leads to it, and the environment E. It returns
a process P , the state n and guard h past it, and an updated environment F . We write usegE(x) for
the expression that returns the definition of the variable x at the guard g and defgE(x) for storing
the final values of all variables x defined in E at the guard g.
usegE(x) = if x ∈ V(E) then 〈E(x)〉 else 〈(x pre 0)when g〉 defg(E) =
∏
x∈V(E)
(x = usegE(x))
Execution is started with s = 0 upon receipt of a trigger t. It is also resumed from a skip statement
at s = n with a trigger t. Hence the signal t is synchronized to the state s of the action. The signal
r is used to inform the parent block (an automaton) that the execution of the action has finished
(it is back to its initial state 0). An end statement resets s to 0, stores all variables x defined in E
with an equation x = usegE(x) and finally stops (its returned guard is false ).
A skip statement advances s to the next label n + 1 when it receives control upon the guard
e and flushes the variables defined so far. It returns a new guard (s pre 0) = n + 1 to resume the
actions past it. An action x! emits x when its guard e is true. A sequence A;B evaluates A to the
process P and passes its state nA, guard gA, environment EA to B. It returns P |Q with the state,
guard and environment of B.
[[ doA]]
rt
= 〈(P |s sync t |r = (s = 0)) /s〉 and 〈P 〉n,h,F = [[A; end ]]
s,0,((s pre 0)=0),∅
[[ end ]]
s,n,g,E
= 〈s = 0when g |defg(E)〉0, false ,∅
[[ skip ]]s,n,g,E = 〈s = n+ 1when g |defg(E)〉n+1,((s pre 0)=n+1),∅
[[x!]]s,n,g,E = 〈x = true when g〉n,g,E
[[x = y f z]]s,n,g,E = 〈x = e〉n,g,Ex⊎{x 7→e} where e = 〈f(use
g
E(y), use
g
E(z))when g〉
[[A;B]]s,n,g,E = 〈P |Q〉nB ,gB ,EB where 〈P 〉nA ,gA,EA = [[A]]
s,n,g,Eand 〈Q〉nB ,gB ,EB = [[B]]
s,nA,gA,EA
Similarly, a conditional evaluates A with the guard gwhenx to P and B with g when notx to Q.
It returns P |Q but with the guard gA default gB. All variables x ∈ X , defined in both EA and EB ,
RR n° 7036
12 Talpin, et al.
are merged in the environment F .
[[ if x then A else B]]
s,n,g,E
= 〈P |Q〉nB ,(gA default gB),(EA⊲⊳EB)
where 〈P 〉nA ,gA,EA = [[A]]
s,n,(gwhen usegE(x)),E
and 〈Q〉nB ,gB ,EB = [[B]]
s,nA,(g when notuse
g
E
(x)),E
We write E ⊲⊳ F to merge the definitions in the environments E and F .
∀x ∈ V(E) ∪ V(F ), (E ⊲⊳ F )(x) =


E(x), x ∈ V(E) \ V(F )
F (x), x ∈ V(F ) \ V(E)
E(x) defaultF (x), x ∈ V(E) ∩ V(F )
Notes An action cannot be reset from the parent clock because it is not synchronized to it. A
sequence of emissions x!;x! yield only one event along the signal x because they occur at the same
(logical) time, as opposed to x!; skip ;x! which sends the second one during the next trigger.
Denotation Given its state b, the execution ck = [[A]]b of an action A returns a new state c and
a status k whose value is 1 if a skip occurred and 0 otherwise. We write b↓x = b(x)(min T (b)) and
b↑x = b(x)(max T (b)) for the first and last value of x in b.
A sequence first evaluates A to ck and then evaluates B with store b · c to dl. If k is true,
then a skip has occurred in A, meaning that c and d belong to different instants. In this case, the
concatenation of b and c is returned.
If k is false, then the execution that ended in A continues in B at the same instant. Hence,
variables defined in the last reaction of c must be merged to variables defined in the first reaction
of d. To this end, we write (b ⊲⊳ c)(x) = b(x) ⊎ c(x) for all x ∈ V(b) if t = max(T (b)) = min(T (c)).
[[ doA]]b = b · cwhere ck = [[A]]b
[[ skip ]]b = ∅1
[[x!]]b = {(x, t, 1)}0
[[x = y f z]]b = {((x, t, f(b↑y, b↑z))}0
[[ ifx thenA elseB]]b = if b↑x then 〈A〉b else 〈B〉b
[[A;B]]b = if k then (c · d)l else (c ⊲⊳ d)l where ck = [[A]]b and dl = [[B]]b·c
Example Consider the simple sequential program of the introduction. Its static single assignment
form is depicted in Fig. 3.
x = 0;
if y then {x = x+ 1}
else {x = x− 1; skip ;x = x− 1}
end
As in GCC, it uses a φ-node, line 9 to merge the possible values x2 and x4 of x flowing from each
branch of the if . Our interpretation implements this φ by a default equation that merges these two
values with the third, x3, that is stored into x just before the skip line
6. The interpretation of all
assignment instructions in the program follows the same pattern2. Line 2, for instance, the value of
2In the actual translation, temporarly names x1,...5 are substituted by the expression that defines them. We kept
them in the figure for a matter of clarity.
INRIA
Model transformations using SSA 13
x is x1, which flows from line
1. Its assignment to the new definition of x, namely x2, is conditioned
by the guard y on the path from line 1 to 2. It is conditioned by the current state of the program,
which needs to be 0, from line 1 to 6 and 9 (state 1 flows from line 7 to 9, overlapping on the φ-node).
Hence the equation x2 = x1 + 1when (s=0)when y.
Figure 3: Tracing the interpretation of a timed sequential program
0 x1 = 0;
1 if y
2 thenx2 = x1 + 1
3 else {
4 x3 = x1 − 1;
5 x = x3;
6 skip ;
7 x4 = x− 1
8 };
9 x = φ(x2, x4)
end
x1=0when (s=0)
1
x2=x1 + 1when (s=0)when y
2
x3=x1 − 1when (s=0)when not y4
x4=(x pre 0)− 1when (s=1)
7
x= x2 when (s=0)when y
9
defaultx3 when (s=0)when not y
4
defaultx4 when (s=1)
9
s′= 0when (s=1)8
default 0when (s=0)when y1
default 1when (s=0)when not y6
s=s′ pre 0
3.4 Automata
An automaton describes a hierarchic structure consisting of actions execute upon entry in a state
by immediate and delayed transitions. An immediate transition occurs during the period of time
allocated to a trigger. Hence, it does not synchronize to it. Conversely, a delayed transition occurs
upon synchronization with the next occurrence of the parent trigger event.
As a result, an automaton is partitioned in regions. Each region corresponds to the amount of
calculation that can be performed within the period of a trigger, starting from a given initial state.
Notations We write→A and։A for the immediate and delayed transition relations of an automa-
ton A. We write pred→A(S) and succ→A(S) (resp. pred։A(S) and succ։A(S)) for the predecessor
and successor states of the immediate (resp. delayed) transitions →A (resp. ։A) from a state S in
an automaton A.
predR(S) = {T | (T, x, S) ∈ R} succR(S) = {T | (S, x, T ) ∈ R}
We write ~S for the region of a state S. It is defined by an equivalence relation.
∀S, T ∈ S(A) ((S, x, T ) ∈ →A)⇔ ~S = ~T
For any state S of A, written S ∈ S(A), it is required that the restriction of →A to the region ~S
is acyclic. Notice that, still, a delayed transition may take place between two states of the same
region.
Interpretation An automaton A is interpreted by a process [[ automatonxA]]
rt
parameterized by
its parent trigger and reset signals. The interpretation of A defines a local state s. It is synchronized
to the parent trigger t. It is set to 0, the initial state, upon receipt of a reset signal r and, otherwise,
takes the previous value of s′, that denotes the next state. The interpretation of all states is
performed concurrently.
We give all states Si of an automaton A a unique integer label i = ⌈Si⌉ and designate with ⌈A⌉
its number of states. S0 is the initial state and, for each state of index i, we call Ai its action i and
RR n° 7036
14 Talpin, et al.
xij the guard of an immediate or delayed transition from Si to Sj .
[[ automatonxA]]
rt
= 〈

t sync s |s = (0when r) default (s′ pre 0) |

 ∏
Si∈S(A)
[[Si]]
s



 /ss′〉
The concurrent interpretation [[Si]]
s
of all states 0 ≤ i < ⌈A⌉ is implemented by a series of recursive
equations that define the meaning of each state Si depending on the result obtained for its pre-
decessors Sj in the same region. Since regions are acyclic, this system of equations has therefore
a unique solution. The interpretation of state Si starts with that of its actions Ai. An action Ai
defines a local state si synchronized to the parent state s = i of the automaton. The automaton
stutters with s′ = s if the evaluation of the action is not finished: it is in a local state si 6= 0.
Interpreting the actions Ai requires the definition of a guard gi and of an environment Ei. The
guard gi defines when Ai starts. It requires the local state to be 0 or the state Si to receive control
from a predecessor Sj in the same region (with the guard xji). The environment Ei is constructed
by merging these Fj returned by its immediate predecessors Sj . Once these parameters are defined,
the interpretation of Ai returns a process Pi together with an exit guard hi and an environment Fi
holding the value of all variables it defines.
Upon evaluation of Ai, delayed transition from Si are checked. This is done by the definition
of a process Qi which, first, checks if the guard xij of a delayed transition from Si evaluates to
true with Fi. If so, variables defined in Fi are stored with defhi(Fi) and the state of the parent
automaton becomes s′ = j at the guard hi.
∀i < ⌈A⌉ [[Si]]
s
= 〈(Pi |Qi |si sync (s = i) |s
′ = swhen (si 6= 0)) /si〉
where 〈Pi〉n,hi,Fi = [[Ai]]
si,0,gi,Ei
and Ei = ⊲⊳Sj∈pred→A (Si)
Fj
and gi = true when ((si pre 0) = 0) default
(∨
(Sj ,xji,Si)∈→A
(useE(xji))
)
and Qi =
∏
(Si,xij,Sj)∈։A
(
defhi when (useFi (xij))(Fi) |s
′ = j whenhi when (useFi(xij))
)
We write
∏
i≤n Pi for a finite product of processes P1 | . . . Pn,
∑
i≤nAi for a finite sequence of actions
A1; . . . An,
∨
i≤n ei for a finite merge e1 default . . . en and
∧
i≤n ei for a finite sampling e1 when . . . en.
Denotation An automaton x receives control from its trigger at the clock Ct and is reset at the
clock Cr. Its meaning is hence parameterized by C = (Ct, Cr). The meaning of its specifications
〈A〉sb is parameterized by the finite trace b, that represents the store, by the variable s, that represents
the current state of the automaton.
At the ith step of execution, given that it is in state j ((bi)↑s = j) the automaton produces a
finite behavior bi+1 = 〈Sj〉sb . This behavior must match the timeline of the trigger: T (bi) ⊆ C
t. It
must to the initial state 0 is a reset occurs: ∀t ∈ Cr, bi(s)(t) = 0.
[[ automaton xA]]
C
=

(◦i≥0bi) /s
∣∣∣∣∣∣∣∣
b0 = {(x, t0, 0) |x ∈ V(A) ∪ {s}}
∀i ≥ 0, bi+1 ∈ [[Sj ]]
s
bi
j = if min(T (bi+1)) ∈ Cr then 0 else (bi)↑s
T (bi+1) ⊆ Ct


When an automaton is in the state Si, its action Ai is evaluated to c ∈ 〈Ai〉b given the store b.
Then, immediate or delayed transitions departing from Si are evaluated to return the final state d
of the automaton.
[[Si]]
s
b =


[[Sj ]]
s
c, (Si, xij , Sj) ∈ →A ∧ c↑xij
c ⊎ {(s, t, j)}, (Si, xij , Sj) ∈։A ∧ c↑xij
c ⊎ {(s, t, i)}, otherwise
where c/s = [[ doAi]]b
and t = max T c
INRIA
Model transformations using SSA 15
Simplifications A generalized weak (or synchronized) transition from a state S to a state T
translates into one leaving SC (the exit substate of S) and entering TS (the entry substate of T
from S). In this translation, an automaton implicitly stutters the ”during” action of its current
state if no transition is applicable.
 S : during doA
on exit doB

։ on g doC

 T : on entry doD


S : doA→ on g ST : doB ։ TS : doC;D → T
Notes An oversampling automaton cannot be reset until it performs a transition synchronized to
its trigger (a weak transition). A terminal state S : terminal stateA is a state S : doA from which
no transition exists. It can only be reset to the initial state.
Example Reconsider our previous sequential program
x = 0; if y thenx = x+ 1 else {x = x− 1; skip ;x = x− 1} end
that is now represented by an automaton. The aim of our interpretation of automata is to merge, use
and store the environments of variables defined in all the states S1...5 in order to provide its regions
with an equivalent meaning as if it was defined by a sequential program. One can actually check
that the translation of the automaton (right) is almost identical the that of the original program.
S0 : dox = 0 |S0 → on y S1
|S0 →
on not y S2
S1 : dox = x+ 1 |S1 → S5
S2 : dox = x− 1 |S2 ։ S4
S4 : dox = x− 1 |S4 → S5
S5 : end
∣∣∣∣∣∣∣∣∣∣∣∣
s = s′ pre 0
| x = 0− 1when (s = 0)when not y
| s′ = 1when (s = 0)when not y
| x = 0 + 1when (s = 0)when y
default (x pre 0)− 1when (s = 1)
| s′ = 0when (s = 0)when y default (s = 1)
3.5 Modularity
The above technique easily and compositionally generalizes to the modular programming framework
under consideration in our project. It may indeed be suitable to have the capability of defining
mode automata that operate blocks defined or compiled separately, and to allow block to possibly
use shared variables.
In the present framework, this is done by associating each block with a def/use profile to register
the association between the uses and definitions of global variables (e.g. x) with local variables (e.g.
x0,...4). As an example, consider the following procedure f to increment the global integer variable
x.
void f(){x = x+ 1}
Our analysis locally records the definition and use of x with two integer variables x0 and x1. This
forms the profile of f . Associating f with it amounts to declaring the association of x0 with the use
of x and of x1 with the definition of x, as follows (or differently).
void f(int x0 #use x, int ∗ x1 #def x){∗x1 = x0 + 1}
Next, had our mode automaton been defined by calling two external functions f() and g() to
respectively increment and decrement x (Fig. 4, left), we would then just had to rewrite it in
SSA form as follows (Fig. 4, right). The final x can itself be defined as a parameter to the hence
SSA-encoded automaton, making the whole technique modular, compositional, hierarchical.
RR n° 7036
16 Talpin, et al.
Figure 4: Modular interpretation of a mode automaton into data-flow equations
S0 : dox = 0
| S0 →
on y S1
| S0 → on not y S2
S1 : do f()
| S1 → S5
S2 : do g()
| S2 ։ S4
S4 : do g()
| S4 → S5
S5 : end
S0 : dox1 = 0
| S0 →
on y S1
| S0 → on not y S2
S1 : do f(x1,&x2)
| S1 → S5
S2 : do g(x1,&x3)
| S2 ։ S4
S4 : do g(x3,&x4)
| S4 → S5
S5 : x = φ(x2, x4); end
3.6 Periodic behaviors
A periodic structure can be defined by the refinement of a causal and synchronous structure. A
signal s samples a signal r with period π and phase φ, written s = π.r+ φ iff (C,D) = T (r, s) and,
for all i ≥ 0, Cπ.i+φ = Di.
For any signal s, we can interpret the periodic structure of the chain T (s) = (tn)n≥0 by a
morphism Π to the series of intervals ([π × n, π × n+ φ[)n≥0.
A morphism Π is consistent with the synchronous structure ∼b of a behavior b iff, for all t, u ∈
T (b), 1. t < u iff maxΠ(t) < minΠ(u) and 2. t ∼b u iff minΠ(t) < maxΠ(u) or minΠ(u) <
maxΠ(t).
[[ block B P 〈F 〉]] = [[ block B P ]]C , Ct ∈ [[F ]]
[[ event x→ y 〈F 〉]] = [[ event x→ y]]C , Ct ∈ [[F ]]
[[frequencynhz]] = {C | ∀i ≥ 0, i/n ≤ Π(Ci) < (i+ 1)/n}
[[mhzwith burstn every p hz]] =
{
C
∣∣∣∣∀i ≥ 0, j = i div n, k = (imodn)j/p+ k/m ≤ Π(Ci) < j/p+ (i+ 1modn)/m
}
4 Experimental Results
Case studies previously presented in [1] in the frame of the FOTOVP project [9] gave experimental
evidences on the performance of our interpretation technique compared to more classical encoding
techniques based on automata. Performance improve both for code generation (minimization of
synchronization points) and for verification (minimization of intermediate states). The examples
in [1] consist of concurrent imperative programs counting bits in parallel.
Fig. 6, in Appendix, depicts the intermediate generated code for the main AOCS module of
Fig. 1. It comprises an interpretation of the automaton itself as well as its data-flow connections
with the safe (SAFE) and nominal (NM) modes. The first six equations define the state transitions
of the automaton. Then, a case statement defines how the block corresponding to each mode is
called by the definition of its data-flow connections and timing constraints (tick, trigger, reset). The
last fourteen equation define the connection that are within the lexical scope of the automaton.
There are only two state variables (_AOCS_aut_A_1_previousState and _AOCS_aut_A_1_zNextState) as
well as two explicitly shared variables (_LO_CMD and _LO_ERR_ATT). The process that interprets the
AOCS automaton is compiled modularly and linked with its sub-modules DataFlowModel_SAFE_dtf
and DataFlowModel_NM_dtf.
INRIA
Model transformations using SSA 17
Figure 5: States and transitions for the SSA interpretation of parallel counters
program vars states reachable transitions
2-bits parallel counters
(property true) 24 224 36 116 0.15 s
2-bits parallel counters
with variant (prop. false) 25 225 107 359 0.27 s
8-bits parallel counters
(property true) 36 236 1.296 3.896 66 s
8-bits parallel counters
with variant (prop. false) 37 237 328.715 1.117.223 124 s
5 Related Work
One common mis-conception about SSA is that since multiple assignments to the same variable
are translated into assignments to multiple intermediate variables, the explosion of the number of
variables introduces a huge overhead. As our encoding demonstrates,this is indeed not a problem as
all of these intermediate variables are encoded into temporary signals and can even be substituted
by the expression that defines them. They can also be dealt efficiently by model-checkers as they
require no additional BDD node. Our experiments have shown that the number of state variables
does not explode by SSA transformation but are rather reduced to the number of explicit time
boundaries (a skip ) in the source program.
Our approach and tools are based on previous studies and experimental results on the translation
of imperative programs into synchronous equations using SSA transformation [7]. In related works,
SSA-based modeling is primarily used for the purpose of efficiently compiling imperative programs
with GCC [3] or LLVM [5], with emphasis on aggressive optimizations [4] generated code safety,
runtime optimization and for symbolic verification [8].
Our technique uses the underlying model of computation of SME platform, dedicated to offer-
ing such capabilities (efficient code-generation and accelerated verification) for timed synchronous
specifications such as in the high-level, domain-specific, programming environment Synoptic. One
big advantage of our approach is that it creates a minimal number of transitions in the generated
code: the portion of code between two explicit synchronizations is indeed encoded as a single reac-
tion. By contrast, a naive approach would consists of translating each instruction with an explicit
control-point and generate a huge automaton. Its encoding would then introduce state variables
with a large number of possible values. Our SSA-based translation avoids this overhead.
6 Conclusions
We gave a thorough description of a technique that embeds heterogeneous programming and mod-
eling concepts by interpreting them into an expressive, synchronous data-flow and multi-clocked
model of computation. The development of this technique is based on the use of a static single
assignment decomposition technique that is applied across the boundaries of the source diagrams
yet in a well-typed and modular manner. It demonstrates a striking affinity between SSA and
synchronous data-flow models of computation.
As a result, we obtain an efficient method for transforming a hierarchy of blocks consisting of
actions (sequential Esterel-like programs), data-flow diagrams (to connect and time modules) and
mode automata (to schedule or mode blocks) into a set of synchronous equations.
The impact of this new transformation technique is twofolds. With regards to code generation
objectives, it minimizes needed resynchronizations between blocks in the system, potentially gaining
substantial performances from way less communication. With regards to verification requirements,
it minimizes the number of state variables across hierarchic automata and hence maximizes model
checking capabilities.
RR n° 7036
18 Talpin, et al.
References
[1] Besnard, L., Gautier, T, Moy, M., Talpin, J.-P., Johnson, K., Maraninchi, F. ”Automatic
translation of C/C++ parallel code into synchronous formalism using an SSA intermediate
form”. Automated Verification of Critical Systems. EASST, 2009.
[2] Brunette, C., Talpin, J.-P., Gamatie´, A., Gautier, T. ”A metamodel for the design of poly-
chronous systems”Journal of Logic and Algebraic Programming, Special Issue on Applying
Concurrency Research to Industry. Elsevier, 2008.
[3] R. Cytron, J. Ferrante, B. Rosen, M. Wegman, and K. Zadeck. ”Efficiently Computing Static
Single Assignment Form and the Control Dependence Graph”. ACM Transactions on Program-
ming Languages and Systems, 13(4): 451-490. ACM Press, October 1991.
[4] B. Hardekopf and C. Lin. ”Semi-sparse flow-sensitive pointer analysis”. Symposium on Principles
of programming languages. ACM Press, 2009.
[5] C. Lattner and V. Adve. ”LLVM: A Compilation Framework for Lifelong Program Analysis and
Transformation”. International Symposium on Code Generation and Optimization. ACM Press,
2004.
[6] Le Guernic, P., Talpin, J.-P., Le Lann, J.-C. ”Polychrony for system design”. Journal for Cir-
cuits, Systems and Computers. Special Issue on Application Specific Hardware Design. World
Scientific, August 2003.
[7] Talpin, J.-P., Berner, D., Shukla, S., Le Guernic, P., Gamatie´, A., Gupta, R. ”Behavioral type
inference for compositional system design”. Chapter in Formal Methods and Models for System
Design. Kluwer Academic Publishers, 2004.
[8] A. Zaks and R. Joshi. ”Verifying multi-threaded C Programs with SPIN”. International SPIN
Workshop on Model Checking of Software. Springer, 2008.
[9] ANR project FotoVP http://www-verimag.imag.fr/SYNCHRONE/fotovp.
[10] ANR project Spacify http://spacify.gforge.enseeiht.fr.
[11] Polychrony and SME http://www.irisa.fr/espresso/polychrony.
INRIA
Model transformations using SSA 19
Figure 6: Intermediate code for the main AOCS automaton
process Automaton_AOCS_aut =
( ? _POS_Data; _ATT_Data; _TO_NM; event _tick , _trigger , _reset; ! _CMD; _ERR_ATT; )
(| subprocesses4 ::
(| _WT_2_SAFE_TO_NM_P_0 := true when _TO_NM
when (_AOCS_aut_A_1_currentState =# _SAFE)
| _WT_3_NM_TO_SAFE_P_0 := true when _ERR_ATT
when (_AOCS_aut_A_1_currentState =#_NM )
| _AOCS_aut_A_1_currentState := _AOCS_aut_A_1_zNextState
| _AOCS_aut_A_1_nextState := (#_NM when _WT_2_SAFE_TO_NM_P_0 )
default (#_SAFE when _WT_3_NM_TO_SAFE_P_0 )
default _AOCS_aut_A_1_currentState
| _AOCS_aut_A_1_previousState := _AOCS_aut_A_1_currentState$ init #_SAFE
| _AOCS_aut_A_1_zNextState := _AOCS_aut_A_1_nextState$ init #_SAFE
| case _AOCS_aut_A_1_currentState in
{# _SAFE}:
(| subprocesses5 :: (| subprocesses6 ::
(| _POS_Data1 := _SAFE_POS_Data
| _ATT_Data1 := _SAFE_ATT_Data
| _TO_NM2 := _SAFE_TO_NM
| _tick2 := _SAFE_tick
| _trigger2 := _SAFE_trigger
| _reset2 := _SAFE_reset
| _DataFlowModel_SAFE_dtf :: (_CMD1 ,_ERR_ATT2 ) :=
DataFlowModel_SAFE_dtf {}
(_POS_Data1 ,_ATT_Data1 ,_TO_NM2 ,_tick2 ,_trigger2, _reset2)
| _SAFE_POS_Data := _POS_Data
| _SAFE_ATT_Data := _ATT_Data
| _SAFE_TO_NM := _TO_NM
| _SAFE_tick := _tick
| _SAFE_trigger := _clock_10_Hz
| _SAFE_reset := _reset
| _SAFE_CMD := _CMD1
| _SAFE_ERR_ATT := _ERR_ATT2
| _LO_CMD2 := _SAFE_CMD
| _LO_ERR_ATT2 := _SAFE_ERR_ATT
|)
where _SAFE_POS_Data ; _SAFE_ATT_Data ; _SAFE_TO_NM ;
_SAFE_CMD ; _SAFE_ERR_ATT ; _CMD1; _ERR_ATT2;
event _SAFE_tick , _SAFE_trigger , _SAFE_reset , _tick2 , _trigger2 , _reset2;
label _DataFlowModel_SAFE_dtf , _POS_Data1 , _ATT_Data1 , _TO_NM2;
end
|) where label subprocesses6 ;
end
|)
{#_NM }:
(| subprocesses7 :: (| subprocesses8 ::
(| _POS_Data2 := _NM_POS_Data
| _ATT_Data2 := _NM_ATT_Data
| _TO_NM3 := _NM_TO_NM
| _tick3 := _NM_tick
| _trigger3 := _NM_trigger
| _reset3 := _NM_reset
| _DataFlowModel_NM_dtf :: (_CMD2 ,_ERR_ATT3) :=
DataFlowModel_NM_dtf {}
(_POS_Data2 ,_ATT_Data2 ,_TO_NM3 ,_tick3 ,_trigger3 ,_reset3)
| _NM_POS_Data := _POS_Data
| _NM_ATT_Data := _ATT_Data
| _NM_TO_NM := _TO_NM
| _NM_tick := _tick
| _NM_trigger := _clock_20_Hz
| _NM_reset := _reset
| _NM_CMD := _CMD2
| _NM_ERR_ATT := _ERR_ATT3
| _LO_CMD1 := _NM_CMD
| _LO_ERR_ATT1 := _NM_ERR_ATT
|) where _NM_POS_Data ; _NM_ATT_Data ; _NM_TO_NM ; _NM_CMD;
_NM_ERR_ATT ; _CMD2; _ERR_ATT3;
event _NM_tick, _NM_trigger , _NM_reset , _tick3 ,
_trigger3 , _reset3;
label _DataFlowModel_NM_dtf , _POS_Data2 ,
_ATT_Data2 , _TO_NM3;
end
|) where label subprocesses8 ;
end
|)
|) where type _AOCS_aut_A_1_type = enum (_SAFE , _NM );
event _WT_2_SAFE_TO_NM_P_0 , _WT_3_NM_TO_SAFE_P_0 ;
_AOCS_aut_A_1_type _AOCS_aut_A_1_currentState ,
_AOCS_aut_A_1_nextState , _AOCS_aut_A_1_previousState ,
_AOCS_aut_A_1_zNextState ;
label subprocesses5 , subprocesses7 ;
end
| (| _LO_CMD ::= _LO_CMD2
| _LO_CMD ::= _LO_CMD1
| _LO_ERR_ATT ::= _LO_ERR_ATT2
| _LO_ERR_ATT ::= _LO_ERR_ATT1
| _clock_10_Hz := _tick count 10
| _XMI_Id_3 := (^ _LO_ERR_ATT1 ) default (^ _LO_ERR_ATT2 )
| _XMI_Id_4 := (^ _LO_CMD1) default (^ _LO_CMD2)
| _clock_20_Hz := _tick count 5
| _XMI_Id_4 ^= _LO_CMD
| _XMI_Id_3 ^= _LO_ERR_ATT
| _CMD := _LO_CMD
| _ERR_ATT := _LO_ERR_ATT
|)
|) where shared _LO_CMD , event _LO_ERR_ATT ;
_clock_10_Hz ; _clock_20_Hz ; _XMI_Id_3 ; _XMI_Id_4 ; _LO_CMD1; _LO_CMD2;
event _LO_ERR_ATT1 , _LO_ERR_ATT2 ;
label subprocesses4 ;
end;
RR n° 7036
Centre de recherche INRIA Rennes – Bretagne Atlantique
IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)
Centre de recherche INRIA Bordeaux – Sud Ouest : Domaine Universitaire - 351, cours de la Libération - 33405 Talence Cedex
Centre de recherche INRIA Grenoble – Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier
Centre de recherche INRIA Lille – Nord Europe : Parc Scientifique de la Haute Borne - 40, avenue Halley - 59650 Villeneuve d’Ascq
Centre de recherche INRIA Nancy – Grand Est : LORIA, Technopôle de Nancy-Brabois - Campus scientifique
615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex
Centre de recherche INRIA Paris – Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex
Centre de recherche INRIA Saclay – Île-de-France : Parc Orsay Université - ZAC des Vignes : 4, rue Jacques Monod - 91893 Orsay Cedex
Centre de recherche INRIA Sophia Antipolis – Méditerranée : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex
Éditeur
INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)
http://www.inria.fr
ISSN 0249-6399
