Formal Refinement Checking in a System-level Design Methodology by Talpin, Jean-Pierre et al.
Formal Refinement Checking in a System-level Design
Methodology
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, Fre´de´ric Doucet, R.K.
Gupta
To cite this version:
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, Fre´de´ric Doucet, R.K. Gupta. Formal
Refinement Checking in a System-level Design Methodology. Fundamenta Informaticae, Polskie
Towarzystwo Matematyczne, 2004, 62 (2), pp.243-273. <hal-00541995>
HAL Id: hal-00541995
https://hal.archives-ouvertes.fr/hal-00541995
Submitted on 1 Dec 2010
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
Fundamenta Informaticae XX (2004) 1–32 1
IOS Press
Formal Refinement Checking in a System-level Design Methodology
Jean-Pierre Talpin
INRIA-IRISA
Paul Le Guernic
INRIA-IRISA
Sandeep Kumar Shukla
Virginia Tech
Fre´de´ric Doucet
University of California at San Diego
Rajesh Gupta
University of California at San Diego
Abstract. Rising complexity, increasing performance requirements, and shortening time-to-market
demands necessitate newer design paradigms for embedded system design. Such newer design
methodologies require raising the level of abstraction for design entry, reuse of intellectual property
blocks as virtual components, refinement based design, and formal verification to prove correct-
ness of refinement steps. The problem of combining various components from different designers
and companies, designed at different levels of abstraction, and embodying heterogeneous models of
computation is a difficult challenge for the designer community today. Moreover, one of the gating
factors for widespread adoption of the system-level design paradigm is the lack of formal models,
method and tools to support refinement. In the absence of provably correct and adequate behavioral
synthesis techniques, the refinement of a system-level description towards its implementation is pri-
marily a manual process. Furthermore, proving that the implementation preserves the properties of
the higher system-level design-abstraction is an outstanding problem.
In this paper, we address these issues and define a formal refinement-checking methodology for
system-level design. Our methodology is based on a polychronous model of computation of the
multi-clocked synchronous formalism SIGNAL. This formalism is implemented in the POLYCHRONY
workbench. We demonstrate the effectiveness of our approach by the experimental case study of a
SPECC modeling example. First, we define a technique to systematically model SPECC programs
in the SIGNAL formalism. Second, we define a methodology to compare system-level models of
SPECC programs and to validate behavioral equivalence relations between these models at differ-
ent levels of abstraction. Although we use SPECC modeling examples to illustrate our technique,
our methodology is generic and language-independent and the model that supports it conceptually
minimal by offering a scalable notion and a flexible degree of abstraction.
Address for correspondence: INRIA-IRISA, Campus de Beaulieu, 35042 Rennes, France (Jean-Pierre.Talpin@irisa.fr)
2 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
1. Introduction
Rising complexity and performances, shortening time-to-market demands, stress high-level embedded
system design as a prominent research topic Ad-hoc design methodologies, that lifts modeling to higher
levels of abstraction, the concept of intellectual property, that promotes reuse of existing components,
are essential steps to manage design complexity, gain performance, accelerate design cycle. However,
the issue of compositional correctness arises with these steps. Given components from different man-
ufacturers, designed at different levels of abstraction and with heterogeneous models of computation,
combining them in a correct-by-construction manner is a difficult challenge.
A gating factor for widespread adoption of the system-level design paradigm is a lack of formal mod-
els, method and tools to support refinement. In the absence of adequate behavioral synthesis techniques,
the refinement of a system-level description toward its implementation is primarily a manual process.
Furthermore, proving that the implementation preserves the properties of the higher system-level design
abstraction is an unsolved problem.
In this aim, system design based on the so-called “synchronous hypothesis” [5] consists of abstracting
the non-functional implementation details of a system away and let one benefit from a focused reason-
ing on the logics behind the instants at which the system functionalities should be secured. From this
point of view, synchronous design models and languages provide intuitive models for integrated circuits.
This affinity explains the ease of generating synchronous circuits and verify their functionalities using
compilers and related tools that implement this approach.
In the relational model of the POLYCHRONY workbench [28], this affinity goes beyond the domain
of purely synchronous circuits to embrace the context of globally asynchronous locally synchronous
(GALS) architectures. The unique features of this model are to provide a scalable capability to describe
partially clocked specifications or multi-clocked architectures and to support a formal notion of design
refinement, from the early stages of requirements specification, to the later stages of deployment and
synthesis, using formal verification.
We address the issue of conformance checking in system design by considering the polychronous
model of computation of the POLYCHRONY workbench to define a formal refinement-checking method-
ology. Our approach builds upon previous work on the multi-clocked synchronous paradigm of SIG-
NAL [7] and verification using the related model-checking tool SIGALI [24] (the POLYCHRONY work-
bench). We put the polychronous model of computation [22] to work in the context of emerging high-
level design languages such as SPECC [15] by the study of refinement relations between system design
levels in SPECC (Figure 1).
ones even
wait
notify
ﬀ ﬀ
- -
ﬀ
-
ﬀ
-
⇓
POLYCHRONY model
SPECC
refinement
⇒
conformance
checking
⇒ ⇐
ones even
channel
send
recvﬀ
-
ﬀ
-
ﬀ
-
ﬀ
-
⇓
POLYCHRONY model
Figure 1. Checking conformance of a design refinement
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 3
Outline This paper is organized as follows. We start with an overview of the polychronous model
of computation in Section 2. In Section 3, we provide an informal introduction to the SIGNAL data-
flow notation of the POLYCHRONY workbench. Starting from this presentation, Section 4 develops a
methodology aimed at checking design refinement relations correct within the POLYCHRONY workbench
by introducing a suitable notion of flow-preservation. This model and methodology are put to work in
Section 5 in the context of system design using SPECC. A simple design example of an even-parity
checker (EPC) is used as a vehicle to explain our methodology. We outline a technique to automatically
derive a model of SPECC specifications in the POLYCHRONY workbench and apply our methodology to
checking the refinement of the EPC correct from its specification level design to its RTL-level design.
This exercise demonstrates the capability of POLYCHRONY to support high-level design transformations
operated on SPECC programs with the validation services offered by the POLYCHRONY workbench.
2. A Polychronous Model of Computation
We start with a brief overview of the polychronous model of computation, proposed in [22]. The poly-
chronous model of computation consists of a domain of traces and of semi-lattice structures that render
synchrony and asynchrony using timing equivalence relations: clock equivalence relates traces in the
synchronous structure and flow equivalence relates traces in the asynchronous structure.
Domain of polychrony We consider a partially-ordered set (T ,≤, 0) of tags. A tag t ∈ T denotes a
symbolic period in time. The relation ≤ denotes a partial order. Its minimum is noted 0. We note C ∈ C
a (possibly infinite) chain of tags. Events, signals, behaviors and processes are defined as follows:
Definition 2.1. (polychrony)
- An event e ∈ E = T × V is the pair of a value and a tag.
- A signal s ∈ S = C → V is a function from a chain of tags to a set of values.
- A behavior b ∈ B is a function from names x ∈ X to signals s ∈ S .
- A process p ∈ P is a set of behaviors that have the same domain.
Figure 2 depicts a behavior b over three signals named x, y and z in the domain of polychrony. Two
frames depict timing domains formalized by chains of tags. Signal x and y belong to the same timing
domain: x is a down-sampling of y. Its events are synchronous to odd occurrences of events along y and
share the same tags, e.g. t1. Even tags of y, e.g. t2, are ordered along its chain, e.g. t1 < t2, but absent
from x. Signal z belongs to a different timing domain. Its tags, e.g. t3 are not ordered with respect to the
chain of y, e.g. t1 6≤ t3 and t3 6≤ t1.
x : •t1 • •
y : •t1 •t2 • • •
z : •t3 • • •
Figure 2. A behavior in the polychronous model of computation
4 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
In the remainder, we write tags(s) and tags(b) = ∪x∈vars(b)tags (b(x)) for the tags of a signal
s and of a behavior b, b|X for the projection of a behavior b on X ⊂ X and b/X = b|vars(b)\X for its
complementary, vars(b) and vars(p) for the domains of b and p. We write B|X for the set of all behaviors
defined on the set of variables X .
Synchronous composition is noted p |q and defined by the union of all behaviors b (from p) and c
(from q) which are synchronous: all signals they share, i.e. in I = vars(p) ∩ vars(q), are equal.
p |q = {b ∪ c | (b, c) ∈ p× q, I = vars(p) ∩ vars(q), b|I = c|I }
Figure 3 depicts the synchronous composition, right, of the behaviors b, left, and the behavior c, middle,
of two processes p and q. Notice that the signal y, shared by p and q, must carry the same tags and the
same values in both p and q in order for b ∪ c, right, to belong to p |q.
 x : •
t1 •
y : •t1 •t2 • •
 |
 y : •t1 •t2 • •
z : •t3 • •
 =
 x : •
t1 •
y : •t1 •t2 • •
z : •t3 • •

Figure 3. Synchronous composition of b ∈ p and c ∈ q
Scheduling structure To render constraints between the occurrence of events during a period t, we
refine the domain of polychrony with a scheduling relation. Figure 4 depicts a scheduling relation super-
imposed to the signals x and y of Figure 2. The relation yt1 → xt1 denotes a scheduling constraint: y
should be calculated before x at the period t1.
x : •t1 • •
↑ ↑ ↑
y : •t1 •t2 • • •
Figure 4. Scheduling relations between simultaneous events
The pair xt of a time tag t and of a signal name x renders the date d of the event occurring at the
symbolic period t along the signal x. The tag t represents the period during which multiple events take
place to form a reaction. It corresponds to an equivalence class between dates d, as in the synchronous
structures [27].
Definition 2.2. (scheduling relation)
The scheduling relation→b is a pre-order defined on dates D = X × T for a behavior b which satisfies:
∀b ∈ B,∀x ∈ vars(b),∀t, t′ ∈ tags(b(x)), t < t′ ⇒ xt →b xt′ ∧ xt →b xt′ ⇒ ¬(t′ < t)
When no ambiguity is possible on the identity of b in x →b y, we write it x → y. A scheduling
relation is implicitly transitive (xt →b yt′ →b zt′′ implies xt →b zt′′) and its closure for restriction b/X
is defined by xt →b/X yt′ iff xt →b yt′ and x, y 6∈ X .
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 5
Synchronous structure Building upon the domain of polychrony, we define the semi-lattice structure
which relationally denotes synchronous behaviors. The intuition behind this relation is depicted figure 5.
It is to consider a signal as an elastic with ordered marks on it (tags). If the elastic is stretched, marks
remain in the same relative and partial order but have more space (time) between each other. The same
holds for a set of elastics: a behavior. If elastics are equally stretched, the order between marks is
unchanged. In the figure 5, the time scale of x and y change but the partial timing and scheduling relations
are preserved. Stretching is a partial-order relation which defines clock equivalence (definition 2.3).
x : •t1 • •
↑ ↑ ↑
y : •t1 •t2 • • •
≤
x : •t3 • •
↑ ↑ ↑
y : •t3 •t4 • • •
Figure 5. Relating synchronous behaviors by stretching.
Definition 2.3. (clock equivalence)
A behavior c is a stretching of b, written b ≤ c, iff vars(b) = vars(c) and there exists a bijection on tags
f which satisfies
∀t, t′ ∈ tags(b), t ≤ f(t) ∧ (t < t′ ⇔ f(t) < f(t′))
∀x, y ∈ vars(b),∀t ∈ tags(b(x)),∀t′ ∈ tags(b(y)), tx →b t′y ⇔ f(t)x →c f(t′)y
∀x ∈ vars(b), tags(c(x)) = f(tags(b(x))) ∧ ∀t ∈ tags(b(x)), b(x)(t) = c(x)(f(t))
b and c are clock-equivalent, written b ∼ c, iff there exists a behavior d s.t. d ≤ b and d ≤ c.
Asynchronous structure The asynchronous structure of polychrony is modeled by weakening the
clock-equivalence relation to allow for comparing behaviors w.r.t. the sequences of values signals hold
regardless of the time at which they hold these values. The relaxation relation allows to individually
stretch the signals of a behavior in a way preserving scheduling constraints. Relaxation is a partial-order
relation which defines flow-equivalence (definition 2.4). Two behaviors are flow-equivalent iff their
signals hold the same values in the same order.
Definition 2.4. (flow equivalence)
A behavior c is a relaxation of b, written b v c, iff vars(b) = vars(c) and, for all x ∈ vars(b), b|{x} ≤
c|{x}. b and c are flow-equivalent, written b ≈ c, iff there exists a behavior d s.t. d v b and d v c.
Figure 6 depicts two asynchronously equivalent behaviors related by relaxation. The first event along
x has been shifted (and its scheduling constraint with an initially synchronous event along y lost) as the
effect of delaying its transmission using e.g. a FIFO buffer.
x : •t1 • •
↑ ↑ ↑
y : •t1 •t2 • • •
v
x : •t3 • •
y : •t4 •t5 • • •
Figure 6. Relating asynchronous behaviors by relaxation.
6 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
Asynchronous composition is noted p ‖ q and defined by considering the partial-order structure
induced by the relaxation relation. The parallel composition of p and q consists of behaviors d that are
relaxations of behaviors b and c from p and q along shared signals I = vars(p) ∩ vars(q) and that are
stretching of b and c along the independent signals of p and q.
p ‖ q = {d ∈ B|vars(p)∪vars(q) | ∃(b, c) ∈ p× q, d/I ≥ b/I ∧ d/I ≥ c/I ∧ b|I v d|I ∧ d|I w c|I}
Figure 7 depicts the asynchronous composition, right, of the behavior b ∈ p, left, and of the behavior
c ∈ q, middle. Notice that the signal x and y are alternated in p, left, and synchronous in q, middle.
Asynchronous composition allows for these signals to be independently stretched in both p and q in
order to find a common flow in the asynchronously composed process, right. x : •
t1 •t3
y : •t2 •t4
 ‖
 x : •
t1 •t2
y : •t1 •t2
z : • • •
 =
 x : • •y : • •
z : • • •

Figure 7. Asynchronous composition of b ∈ p and c ∈ q
3. A Polychronous Design Language
In the POLYCHRONY workbench, the polychronous model of computation is implemented by the multi-
clocked synchronous data-flow notation SIGNAL [7]. It will serve as the specification formalism used
for the case study of the present article.
Core syntax and semantics In SIGNAL, a process P consists of the composition of simultaneous
equations x := f(y, z) over signals x, y, z. A signal x ∈ X is a possibly infinite flow values v ∈ V
sampled at a discrete clock noted ^x.
P,Q ::= x := y f z | P/x | P |Q (SIGNAL process)
In the polychronous model of computation, Section 2, the denotation of a clock ^x is the domain of the
signal associated to x: a chain of tags. We note [[P ]] for the denotation of a process P . The synchronous
composition of processes P |Q consists of the simultaneous solution of the equations in P and in Q. The
process P/x restricts the signal x to the lexical scope of P .
[[P |Q]] = [[P ]] | [[Q]] and [[P/x]] = [[P ]]/x = {c ≤ b/{x} | b ∈ [[P ]]}
An equation x := y f z denotes a relation between the input signals y and z and an output signal x by a
combinator f . An equation is usually a ternary and infixed relation noted x := y f z but it can in general
be an m+ n-ary relation noted (x1, . . . xm) := f(y1, . . . yn).
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 7
Native combinators SIGNAL requires four primitive combinators to perform delay x := y$1 init v,
sampling x := y when z, merge x = y default z and specify scheduling constraints x → y when ^z,
Figure 8. The equation x := y$1 init v initially defines the signal x by the value v and then by the
previous value of the signal y. The signal y and its delayed copy x := y$1 init v are synchronous: they
share the same set of tags t1, t2, . . . . Initially, at t1, the signal x takes the declared value v and then, at
tag tn, the value of y at tag tn−1.
[[x→ y when ^z]]={b ∈ B|x,y,z | ∀t ∈ tags(b(x)) ∩ tags(b(y)) ∩ tags(b(z)), xt → yt}
[[x := y$1 init v]]=
{
b ∈ B|x,y
∣∣∣∣∣tags(b(x)) = tags(b(y)) = C ∈ C, b(x)(min(C)) = v∀t ∈ C \min(C), b(x)(t) = b(y)(predC(t))
}
[[x := y when z]]=
{
b ∈ B|x,y,z
∣∣∣∣∣tags(b(x)) = {t ∈ tags(b(y)) ∩ tags(b(z)) | b(z)(t) = true }∀t ∈ tags(b(x)), b(x)(t) = b(y)(t) ∧ yt → xt ∧ zt → xt
}
[[x := y default z]]=
b ∈ B|x,y,z
∣∣∣∣∣∣∣
tags(b(y)) ∪ tags(b(z)) = tags(b(x)) ∈ C
∀t ∈ tags(b(y)), b(x)(t) = b(y)(t) ∧ yt → xt
∀t ∈ tags(b(x))\tags(b(y)), b(x)(t) = b(z)(t) ∧ zt → xt

Figure 8. Semantics of polychronous operators
The equation x → y when ^z forces x to occur before y when z is present. In the equation y →
x when ^z, for instance, there is no scheduling relation required from x to y unless both x, y, z are
present, e.g. at tag t.
y •t1,v1 •t2,v2 •t3,v3 . . .
(x := y$1 init v) x •t1,v •t2,v1 •t3,v2 . . .
y • • •t . . .
↓
(y → x when ^z) x • •t . . .
z • •t . . .
The equation x := y default z defines x by y when y is present and by z otherwise. If y is absent and
z present with v1 at t1 then x holds (t1, v1). If y is present (at t2 or t3) then x holds its value whether z
is present (at t2) or not (at t3). The equation x := y when z defines x by y when z is true (and both y and
z are present); x is present with the value v2 at t2 only if y is present with v2 at t2 and if z is present at
t2 with the value true. When this is the case, one needs to schedule the calculation of y and z before x,
as depicted by yt2 → xt2 ← zt2 .
y • •t2,v2 . . .
↓
(x := y when z) x •t2,v2 . . .
↑
z • •t1,0 •t2,1 . . .
y •t2,v2 •t3,v3 . . .
↓ ↓
(x := y default z) x •t1,v1 •t2,v2 •t3,v3 . . .
↑
z •t1,v1 • . . .
Syntax and semantics of clocks In SIGNAL, the presence of a value along a signal x is the proposition
noted ^x that is true when x is present and that is absent otherwise. The syntax of clock expressions e and
8 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
clock relations E is a particular subset of SIGNAL that is defined by the induction grammar of Figure 9.
The clock expression ^x can be defined by the boolean operation x = x (i.e. y := ^x=defy := (x = x)).
Referring to the polychronous model of computation, it represents the set of tags at which the signal
holds a value. Clock expression naturally represent control, the clock whenx represents the time tags
at which the boolean signal x is present and true (i.e. y := whenx=defy := true whenx). The clock
when notx represents the time tags at which the boolean signal x is present and false. We write 0 for the
empty clock (the empty set of tags). A clock constraint E is a SIGNAL process. The constraint e^= e′
synchronizes the clocks e and e′. It corresponds to the process (x := (e = e′))/x. Composition E |E′
corresponds to the union of constraints and restriction E/x to the existential quantification of E by x.
e ::= ^x | whenx | when notx | e ^+ e′ | e ^- e′ | e ^* e′ | 0 (clock expression)
E ::= () | e^= e′ | e^<e′ | x→ y when e | E |E′ | E/x (clock constraint)
Figure 9. Clock and scheduling constraints
Scheduling constraints are transitive and distributive w.r.t. clocks: x → y when e |y → z when e′
implies x→ z when e ^* e′ and x→ y when e |x→ y when e′ implies x→ y when e ^+ e′. Each process
P corresponds to a clock constraint E satisfying [[P ]] ⊆ [[E]] by the inference system P : E of Figure 10
(we write x→ y for x→ y when ^x).
x := y$1 init v : ^x^= ^y
x := y when z : ^x^= ^ywhen z |y → x when z
x := y default z : ^x^= ^y ^+ ^z |y → x |z → x when (^z ^- ^y)
P : E Q : E′
P |Q : E |E′
P : E
P/x : E/x
Figure 10. Inference system
Hierarchization The clock and scheduling constraintsE of a process P hold the necessary information
to decide the property of endochrony [22]. The process accepts flow-equivalent inputs x and y (left).
Inputs are processed by p in clock equivalent ways (middle) so as to produce the same outputs in the
same order at clock-equivalent rates (right).
x :• • •
↘ ↓ ↘
y : •••• •
input
buffer
• • •
↓ ↓ ↓
• • • • •
endochronous
process p
• • • : z
x :• • •
↘ ↘ ↘
y : •• • • •
input
buffer
• • •
↓ ↓ ↓
• • • • •
endochronous
process p
• • • : z
Figure 11. Endochrony: from flow-equivalent inputs to clock-equivalent outputs
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 9
A process is said endochronous iff, given a set I ⊂ vars(p) of external input signals, it has the
capability to reconstruct a unique synchronous behavior (up to clock-equivalence). Formally, p is en-
dochronous iff there exists I ⊂ vars(p) such that ∀b, c ∈ p, (b|I)≈(c|I) ⇒ b ∼ c. The behavior of an
endochronous process p is depicted in Figure 11.
Clock constraints determine the order ¹ in which events are processed endochronously, defini-
tion 3.1. Rule 1 defines equivalence classes for signals of equivalent clocks. Rule 2 constructs elementary
partial orders relations: the clock whenx is smaller than ^x. Rule 3 defines the insertion of a partial or-
der of maximum e3 under a clock e º e3. The insertion algorithm, specified in [3], yields a canonical
representation of the corresponding partial order by observing that there exists a unique minimum clock
e′ below e such that 3 holds. We write E ⇒ E′ iff E′ is a proposition that is deductible from E in the
semi-lattice of clocks.
E is hierarchical iff its clock relation ¹ has a minimum, written min¹E ∈ vars(E), so that ∀x ∈
vars(E),∃y ∈ vars(E), y ¹ x. H is acyclic iff E ⇒ x → x when e implies E ⇒ e^=0 (for all
x ∈ vars(E)). In [22], we show that ifP : E and ifE is acyclic and hierarchical, thenP is endochronous.
Definition 3.1. The partial order ¹ of E is the largest relation satisfying
1. if E ⇒ ^x^= ^y then x ¹ y (and y ¹ x).
2. if E ⇒ ^x^= when y or E ⇒ ^x^= when not y then y ¹ x.
3. if y ¹ x º w and H ⇒ ^z = ^yf^w for any f ∈ { ^+ , ^* , ^- } then x ¹ z.
x and y are equivalent, written x≺Ây, iff x ¹ y and y ¹ x.
Example The implications of definition 3.1 can be outlined by considering a simple SIGNAL program,
Figure 12, left. Process buffer implements two functionalities. One is the process current. It defines
a cell in which values are stored at the input clock ^i and loaded at the output clock ^o. cell is a
predefined SIGNAL operation defined by:
x := y cell z init v def= (m := x$1 init v |x := y defaultm |^x^= ^y ^+ ^z) /m
The other functionality is the process alternate which desynchronizes the signals i and o by synchro-
nizing them to the true and false values of an alternating boolean signal b.
Clock inference (Figure 12, middle) applies the clock inference system of Figure 10 to the process
buffer to determine three synchronization classes. We observe that b, c b, zb, zo are synchronous
and define the master clock synchronization class of buffer. There are two other synchronization
classes, c i and c o, that corresponds to the true and false values of the boolean flip-flop variable b,
respectively. Recalling Definition 3.1, we write:
b≺Âc b≺Âzb≺Âzo and b ¹ c i≺Âi and b ¹ c o≺Âo
This defines three nodes in the control-flow graph of the generated code, Figure 12, right. At the main
clock c b, b and c o are calculated from zb. At the sub-clock b, the input signal i is read. At the
sub-clock c o the output signal o is written. Finally, zb is determined. Notice that the sequence of
instructions follows the scheduling constraints determined during clock inference.
10 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
process buffer = (? i ! o)
(| alternate (i, o)
| o := current (i)
|) where
process alternate = (? i, o ! )
(| zb := b$1 init true
| b := not zb
| o ^= when not b
| i ^= when b
|) / b, zb;
process current = (? i ! o)
(| zo := i cell ^o init false
| o := zo when ^o
|) / zo;
(| c_b ^= b
| b ^= zb
| zb ^= zo
| c_i := when b
| c_i ^= i
| c_o := when not b
| c_o ^= o
| i -> zo when ^i
| zb -> b
| zo -> o when ^o
|) / zb, zo, c_b,
c_o, c_i, b;
buffer_iterate () {
b = !zb;
c_o = !b;
if (b) {
if (!r_buffer_i(&i))
return FALSE;
}
if (c_o) {
o = i;
w_buffer_o(o);
}
zb = b;
return TRUE;
}
Figure 12. Specification, clock analysis and code generation
Some more concrete syntax In addition to the core syntax of SIGNAL presented so far, we make
extensive use of process declarations and partial equations for the purpose of modeling our case study. In
SIGNAL, a partial equation x ::= y f z when e is the partial definition of the variable x by the operation
y f z at the clock denoted by the expression e. The default equation x ::= defaultvalue v defines
the value of the variable x when it is present but no corresponding partial equation x ::= y f z when e
applies (because e is absent). Let x be a variable defined using n partial equations and a default value v:
x ::= x1 when e1 | . . . |x ::= xn when en |x ::= defaultvalue v
Once parsed, the SIGNAL compiler processes this definition by first checking the clock expressions
e1, . . . en mutually exclusive and then handling the definition as the equivalent equation:
x := (x1 when e1) default . . . default (xn when en) default v
In SIGNAL, the declaration of a processP of name f , input signals x1, . . . xm, output signals xm+1, . . . xn
is noted
process f = (?x1, . . . xm !xm+1, . . . xn) (|P |);
Once declared, process f may be called (ym+1, . . . yn) := f(y1, . . . ym) with its actual parameters
y1, . . . yn and behave as P with x1,...n substituted by y1,...n. A variant declaration is that of a foreign
function f , accessible, e.g. from a separately compiled C library. Its call can be wrapped into SIGNAL
by declaring its interface and by declaring an abstraction E of its behavior (consists of scheduling and
clock constraints).
process f = (?x1, . . . xm !x) spec (|E |) pragmas C CODE”&x = f(&x1, . . .&xm)” end pragmas;
4. A Refinement Checking Methodology
The definition of the polychronous model of computation [22] accurately renders the synchronous hy-
pothesis implemented in the multi-clocked data-flow notation SIGNAL and relates it to architectures
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 11
using communication with unbounded delay. In an embedded architecture, however, the flow of a signal
usually slides from another as the result of finite delays incurred by resource-bounded protocols, e.g.
fifo buffers. In this section, we seek towards a formulation of the formal properties implied by this
practice to check correctness of a concrete design refinement methodology.
Finite relaxation We start from the model of a one-place fifo buffer in SIGNAL, Figure 13, which
we will use to draw the spectrum of possible timing relations considered, modelled and checked in the
context of the present case study. The processing of process fifo is decomposed into two functionalities.
One is the process access which defines the necessary timing constraints on the input signal i and output
signal o via the delayed value of the boolean signal b: fifo can accepts an input at the next time sample
iff b is true.
process access = (? i, o ! )
(| a := ^o default (not ^i) default b
| b := a$1 init false
| i ^= when b
| o ^= when not b
|) / a, b
process current = (? i ! o)
(| o:= (i cell ^o init false) when ^o
|)
process fifo = (? i ! o)
(| access(i, o) | o := current (i)
|)
Figure 13. A one-place first-in first-out buffer in SIGNAL
The other functionality of fifo is the process current of Figure 12. Figure 14 depicts the relation
of the signals x and y and the cell m defined by the equation y := fifo(x).
y := fifo(x)
d(x) : • • •
↓ ↓ ↓
d(m) : • • •→•
↓ ↘ ↓
d(y) = c(x) : • • •
Figure 14. Relation between events through a one-place FIFO buffer
Definition 4.1 formalizes this relation and accounts for the behavior of fifo by implying a series
of (reflexive-anti-symmetric) relations vN (for N > 0) which yields the (series of) reflexive-symmetric
flow relations ≈N to identify processes of same flows up to a flow-preserving first-in-first-out buffer
of size N . In Definition 4.1, we write predC(t) (resp. succC(t)) for the immediate predecessor (resp.
successor) of the tag t in the chain C.
Definition 4.1. (finite relaxation)
The behavior c is a 1-relaxation of x in b, written b vx1 c iff vars(b) = vars(c) and there exists d/m ≥ b
such that d/x = c/x and a chain C = tags(d(m)) = tags(d(x)) ∪ tags(c(x)) such that:
∀t ∈ C, t ∈ tags(d(x)) ⇒ d(m)(t) = d(x)(t)
t 6∈ tags(d(x)) ⇒ d(m)(t) = d(m)(predC(t))
t ∈ tags(c(x)) ⇒ c(x)(t) = d(m)(t)
and satisfying ∀t ∈ tags(c(x))∃t′ ∈ {t, succC(t)}, c(x)(t′) = d(x)(t). We write b v1 c iff b vx1 c for
all x ∈ vars(b), and, for all n > 0, b vn+1 c iff there exists d such that b v1 d vn c.
12 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
Desynchronization Now, recall the process buffer of Figure 12. It essentially differs from process
fifo by the policy implemented by process alternate. Process alternate synchronizes i and o to
the true and false values of an alternating signal b.
This guarantees the independence or exclusion between the clocks of i and o. Each tag t′i of an event
along o can only happen strictly between the tags ti and ti+1 of two consecutive events along i, i.e.
ti < t
′
i < ti+1, and vice-versa.
process alternate = (? i, o ! )
(| b := not (b$1 init true)
| i ^= when b
| o ^= when not b
|) / b
process buffer = (? i ! o)
(| alternate (i, o)
| o := current (i)
|)
i: • •
b: • • • •
o: • •
Figure 15. A desynchronization buffer in SIGNAL
Definition 4.2. (desynchronization)
The behavior c is a desynchronization of b, written b @ c iff vars(b) = vars(c) and there exists d ≥ b
such that, for all x ∈ vars(b), d(x) = (ti, vi)i≥0, c(x) = (t′i, vi)i≥0 and, for all i ≥ 0, ti < t′i < ti+1.
The relation between Definitions 4.1 and 4.2 and the implementation of fifo and buffer of Fig-
ure 13 and 15are brought together by the following proposition. The proof of property (1) consists of
formulating the four requirements of definition 4.1 by observers written in SIGNAL and of checking them
against the model of fifo. Property (2) is proved by observing that all tags of i and o satisfy ti < t′i by
induction on i and that ti and t′i form two disjoint sub-chains of the domain of b.
Proposition 4.1.
(1) ∀b ∈ [[x := fifo(y)]], [z 7→ b(y)] vz1 [z 7→ b(x)]
(2) ∀b ∈ [[x := buffer(y)]], [z 7→ b(y)] @z [z 7→ b(x)]
Formal properties The series of relations (≈n)n≥0 defines a spectrum between synchrony and asyn-
chrony that can be modeled using the SIGNAL formalism. It is hence tempting to interpret the asyn-
chronous partial-order v as the (inaccessible) limit or union ∪N≥0 vN of this series.
Lemma 4.1.
- b ∼ b′ implies b ≈1 b′,
- b ≈n b′ implies b ≈ b′, for all n > 0
- b ≈m b′ ≈n b′′ implies b ≈m+n b′′, for all m and n
Instead, we focus on the largest equivalence relation that can be modeled using SIGNAL. It consists
of behaviors equal up to a timing deformation performed by a finite FIFO protocol.
Definition 4.3. (finite flow-equivalence)
b and c are finitely flow-equivalent, written b ≈∗ c, iff there exists n > 0 and d s.t. d vn b and d vn c.
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 13
We say that a process P is finitely flow-preserving iff given finitely flow-equivalent inputs, it can
only produce behaviors that are finitely flow equivalent. Example of finitely flow-preserving processes
are endochronous processes. An endochronous process which receives finitely flow equivalent inputs
produces clock-equivalent outputs.
Definition 4.4. (finite flow-preservation)
p is finitely flow-preserving with I ⊂ vars(p) iff ∀b, c ∈ p, (b|I)≈(c|I)⇒ b ≈∗ c.
A refinement-based design methodology based on the property of finite flow-preservation consists of
characterizing sufficient invariants for a given model transformation to preserve flows.
Definition 4.5. (finite flow-invariance)
The refinement of p by q is finitely flow-invariant, written p ¿∗ q, iff I ⊂ vars(p) = vars(q) and
∀(b, c) ∈ p× q, (b|I)≈(c|I)⇒ b ≈∗ c.
The property of finite flow-invariance is a very general methodological criterion. It is reflexive (p¿∗
p) and transitive (p ¿∗ q ¿∗ r ⇒ p ¿∗ r) for all flow-preserving processes (p, q, r). For instance, it
can be applied to the characterization of correctness criteria for model transformations such as protocol
insertion or desynchronization.
Verification methodology Property 4.1 provides all necessary elements to define an observer giving
sufficient conditions for finite flow-preservation to hold and be provable by model checking. To this end,
we consider the template SIGNAL process observer of Figure 16. It is parameterized by the notation
{P, Q} over two processes named P and Q which we want to check finitely flow-equivalent.
process observer = {P, Q} (? i ! o)
(| o := fifo (P (buffer (i))) = fifo (Q (buffer (i))) |);
Figure 16. Observer function for the property of finite flow-equivalence
The observer receives an input signal i. This input signal is used to generate two desynchronized
signals (i.e. satisfying the hypothesis b|i ≈ c|i) by using the process buffer. The flows b|i and c|i are
injected to P and Q and the outputs collected by using fifo to avoid the synchronization of the out-
puts performed by the comparison =. If the output of the observer is always true then the equality
is an invariant. For the sake of simplicity, process observer is displayed Figure 16 for two processes
P and Q that have only one input and one output signal and with a fifo buffer of length 1. Extend-
ing the observer to accept processes with m inputs, n outputs and a buffer of lenght k is obtained
by structural induction starting from fifo and buffer. Theorem 4.1 formalizes the implication of
processobserver for refinement checking by considering flow-preserving processes P and Q of same
cardinality i.e. vars(P ) = vars(Q) and in(P ) = in(Q).
Theorem 4.1. (refinement checking)
Let P and Q be finitely flow-preserving processes of same cardinality m = |in(P )| = |in(Q)|. If, for all
b ∈ [[x := observer{P, Q}(y1, . . . ym)]] and, for all t ∈ tags(b(x)), b(x)(t) = true , then P ¿∗ Q.
14 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
Let p = [[P ]] and q = [[Q]] be two flow-preserving processes and let I = in(p) = in(q) be the input
signals. By definition of process observer, Figure 16, and by Property 4.1, we have:
(1) : ∀b ∈ B|I , ∀(c, d) ∈ p× q, b @I c|I ∧ b @I d|I ⇒ c ≈1 d
By hypothesis, p and q are both finitely flow-preserving. By definition 4.4, this requires that c|I ≈ d|I
implies c ≈∗ d for all (c, d) ∈ p2 as well as all (c, d) ∈ q2. Applied to (1), this hypothesis means that
c|I ≈ d|I also implies c ≈1 d for all (c, d) ∈ p × q. By lemma 4.1, this yields the result expected in
Theorem 4.1, as c ≈1 d implies c ≈∗ d.
5. Formal Methods for Refinement-Based Besign in SPECC
The model and method presented in Sections 2 and 4 are applied to checking refinements between design
abstraction-levels correct. Section 5.2 proposes a technique to automatically represent SPECC programs
in the POLYCHRONY workbench. Section 5.3 applies the methodology of Section 4 to formally establish
the correctness of design refinements (Figure 17). We consider a simple SPECC programming example
as case study to illustrate our methodology. It demonstrate the usability of the POLYCHRONY workbench
to provide the needed model, method and tool to automatically derive conditions on specifications, veri-
fiable by static checking or model checking, and under which the refinement of a high-level specification
by its lower-level implementation can be formally checked, in a manner that is independent of a particular
formalism (we consider SPECC in [36], JAVA in [35], SYSTEMC in [37]).
ones even
wait
notify
ﬀ ﬀ
- -
ﬀ
-
ﬀ
-
⇓
POLYCHRONY model
SPECC
refinement
⇒
conformance
checking
⇒ ⇐
ones even
channel
send
recvﬀ
-
ﬀ
-
ﬀ
-
ﬀ
-
⇓
POLYCHRONY model
Figure 17. Checking conformance of a design refinement
Larger case studies applied to concrete examples (e.g. a finite input response filter and an ARM bus)
are currently under way to demonstrate the capability of our technique to provide modular verification
and an environmnent for co-simulation. In particular, modular verification is envisaged by considering
the verification of a property in a system by checking it against the model of the very components that
affects it while considering a static abstraction (in terms of clock and scheduling constraints) of all
other components in the system under validation. Cosimulation is being investigated by considering the
controller synthesis techniques provided in the POLYCHRONY workbench and with the aim of applying
them to the generation of optimized and control-sensitive simulators for large SYSTEMC designs.
5.1. Refinement-Based Design in SPECC
The SPECC system-level design methodology is depicted in Figure 18. It is based on the concept of
refinement: an initial system model is gradually refined through transformations performed at several
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 15
levels of abstraction: specification, architecture, communication, and implementation. System design
starts with a set of requirements and constraints, both in terms of functionality and quality, possibly
captured in different models of computation.
The specification level describes the system functionality in a unified way as a starting point for
system synthesis. At the architecture level, the system functionality is partitioned and partitions are
assigned to different components. In the process, the computational parts of the system are ordered
based on execution times and a scheduling of computation on each component. At the communication
level, components are refined into bus-functional representations, which accurately describe the timing
of events on the wires of the busses. Finally, at the implementation level, the components are defined in
terms of their register-transfer or instruction-set architecture.
Figure 18. SPECC design methodology [15]
5.2. Modeling SPECC Behaviors in SIGNAL
The formal grammar of SPECC programs under consideration, Table 19, is represented in static single-
assignment intermediate form akin to that of the Tree-SSA package of the GCC project [34]. SSA
provides a language-independent, locally optimized intermediate representation (Tree-SSA currently ac-
cepts C, C++, Fortran 95, and Java inputs) in which language-specific syntactic sugar is absent. SSA
transforms a given programming unit (a function, a method or a thread) into a structure in which all
variables are read and written once and all native operations are represented by 3-address instructions.
16 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
An intermediate representation A program pgm consists of a sequence of labeled blocks L:blk . Each
block consists of a label L and of a sequence of statements stm terminated by a return statement rtn . In
the remainder, a block always starts with a label and finishes with a return statement: stm1;L:stm2 is
rewritten as stm1; gotoL;L:stm2. A wait is always placed at the beginning of a block: stm1; wait v;
stm2 is rewritten as stm1; gotoL; L:wait v; stm2. Block instructions consist of native method invo-
cations x = f(y∗), lock monitoring and branches ifx gotoL. Blocks are returned from by either
a gotoL, a return or an exception throwx. The declaration catchx fromL1 toL2 usingL3 that
matches an exception x raised at block L1 activates the exception handler L3 and continues at block L2.
(program) pgm ::= L:blk | pgm; pgm
(instruction) stm ::= x = f(y∗) (invoke)
| waitx (lock)
| notifyx (unlock)
| ifx gotoL (test)
(block) blk ::= stm; blk | rtn
(return) rtn ::= gotoL (goto)
| return (return)
| throwx; (throw)
catchx fromL toL usingL (catch)
Figure 19. SSA intermediate representation for SPECC programs
We depict the structure of the SSA for a typical SPECC program by considering the core of the EPC,
Figure 20. The behavior ones counts the number of bits set to 1 in a bit-array data. It consists of three
blocks. The block labeled L1 waits for the lock istart before initializing the local state variable idata
to the value of the input signal data and icount to 0. Label L2 corresponds to a loop that shifts idata
right and adds its right-most bit to icount until termination (condition T2). Finally, in the block L3,
icount is sent to the signal ocount and idone is unlocked before going back to L1.
while true {
wait (istart);
idata = data;
icount = 0;
while (idata != 0) {
icount += (idata & 1);
idata >>= 1; }
ocount = icount;
notify (idone); }
L1: wait (istart);
idata = data;
icount = 0;
goto L2;
L3: ocount = icount;
notify (idone);
goto L1;
L2: T1 = idata;
T2 = T1 == 0;
if T2 goto L3;
T3 = icount;
T4 = T1 & 1;
icount = T3 + T4;
idata = T1 >> 1;
goto L2;
Figure 20. From SPECC to static single assignment
Translation algorithm The function I[[pgm]], Table 22, implements the translation from SSA to SIG-
NAL. It was first developed for the JIMPLE intermediate representation of JAVA [35], then redesigned
and adapted to the wider spectrum of programming languages admitting the SSA intermediate represen-
tation [34] and its used exemplified for SYSTEMC in [37].
To each block of label L ∈ Lf , the function I[[pgm]] associates an input clock xL and an output clock
xexitL . The clock xL is true iff L has been activated in the previous transition. The boolean signal xexitL
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 17
is true iff execution of block L is terminates. The default activation condition of a block is hence xL$1
(equation (1) of Table 22).
For a return instruction or for a block, function I returns a type P . For a block instruction stm ,
function I[[stm]]e1L = 〈P 〉e2 takes three arguments: an instruction stm , the label L of the block it belongs
to, and an input clock e1. It returns the type P of the instruction and its output clock e2. The output clock
of stm corresponds to the input clock of the instruction that immediately follows it in the execution
sequence of the block.
For instance, consider block L2 of behavior ones, Figure 21. The instruction T1 = idata, left, is
associated with the partial equation T1 ::= idata$1 when L2$1, right. It means that, if the label L2 is
being executed, then T1 is equal to idata$1. Next, consider instruction if T2 goto L3. It corresponds
to the partial equation L3 ::= true when T2. It means that control is passed to L3 when T2 is true.
Instructions that follow are conditioned by the negative not T2 to means: ”in the block L2 and not in its
branch going to L3”.
L2: T1 = idata;
T2 = T1 == 0;
if T2 goto L3;
T3 = icount;
...
T1 ::= idata$1 when L2$1
| T2 ::= T1 = 0 when L2$1
| L3 ::= true when T2
| T3 ::= icount$1 when not T2
...
Figure 21. From SSA to SIGNAL
Rules (1− 2) are concerned with the iterative decomposition of a program pgm into blocks blk and
with the decomposition of a block into stm and rtn instructions. In rule (2), the input clock e of the
block stm; blk is passed to stm . The output clock e1 of stm becomes the input clock of blk .
(1) I[[L:blk ; pgm]] =I[[blk ]]xL$1L |I[[pgm]]
(2) I[[stm; blk ]]eL=let 〈P 〉e1 = I[[stm]]eL inP |I[[blk ]]e1L
(3) I[[x = f(y1...n)]]eL=〈E(f)(x1...ne)〉e
(4) I[[ifx gotoL1]]eL=〈y := x when e |xL1 ::= true when y〉 not y〉
(5) I[[notifyx]]eL=〈x ::= not x$1 when e〉e
(6) I[[waitx]]eL=〈 y := (x = x$1) when e |xL ::= true when y
|z := true when y default false 〉z$1
(7) I[[gotoL1]]eL=xexitL ::= true when e |xL1 ::= true when e
(8) I[[return]]eL=xexitL ::= true when e |xexitf ::= true when e
(9) I[[throwx]]eL=xexitL ::= true when e |x ::= true when e
(10) I[[catchx fromL toL1 usingL2]]eL= xL2 ::= true when ^x whenxexitL
|xL1 ::= true whenxexitL2
Figure 22. Modeling of SSA expressions into SIGNAL
Rule (3) is concerned with the translation of native and external method invocations x = f(y1...n).
18 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
The generic type of f is taken from an environment E(f). It is given the name of the result x, of the
actual parameters y1...n and of the input clock e to obtain the type of x = f(y1...n).
For instance, Figure 23 depicts the translation of native operations in block L2 of behavior ones. The
assignment of icount to the local variable T3 is translated by the partial equation T3 ::= icount$1
when not T2 which assigns the previous value of icount to the temporary T3 at the clock not T2 (i.e.
when T1 is not 0, Figure 21).
T3 = icount;
T4 = T1 & 1;
icount = T3 + T4;
idata = T1 >> 1;
T3 ::= icount$1 when not T2
| T4 ::= T1 & 1 when not T2
| icount ::= T3 + T4 when not T2
| idata ::= T1 >> 1 when not T2
Figure 23. Translating bative operations in SIGNAL
The input and output clocks of an instruction may differ. This is the case, rule (4), for an ifx gotoL1
instruction in a block L. Let e be the input clock of the instruction and define the fresh signal name y by
the equation y := x when e. When y is false, then control is passed to the rest of the block: the output
clock is not y. Otherwise, the control is passed to the block L1 at the clock y. The wait-notify protocol,
rules (5− 6), is modeled using a boolean flip-flop variable x. Method notify, rule (5), defines the next
value of the lock x by the negation of its current value at the input clock e. The wait method, rule (6),
activates its output clock y iff the value of the lock x has changed at the input clock e. Otherwise, control
goes back to L.
For example, consider the wait-notify protocol at the blocks labeled L1 and L3 in the ones counter.
The wait instruction receives control at the clock xL1. If the value of istart changes (i.e. when not T0)
then icount and idata are initialized and the control is passed to the block L2. Otherwise, at the clock
when T0, a transition back to L1 is scheduled.
L1: wait (istart);
...
L3: ocount = icount;
notify (idone);
goto L1;
T1 ::= istart = istart$1 when L1$1
| L1 ::= true when T1
| L1b ::= true when not T1
...
| ocount ::= icount$1 when L3$1
| idone ::= not idone$1 when L3$1
| L1 ::= true when L3$1
Figure 24. Model of wait-notify in the EPC
All return instructions, rules (7 − 9), define the output clock xexitL of the current block L by their
input clock e. This is the right place to do that: e defines the very condition upon which the block
actually reaches its return statement. A gotoL1 instruction, rule (7), passes control to block L1 uncon-
ditionally at the input clock e. A return instruction, rule (8), sets the exit clock xf to true at clock
e to inform the caller that f is terminated. A throwx statement in block L, rule (9), triggers the ex-
ception signal x at the input clock e by x ::= true when e. The matching catch statement, of the
form catchx fromL toL1 usingL2 passes the control to the handler L2 and then to the block L1 upon
termination of the handler. This requires, first, to activate L2 from L when x is present and then to pass
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 19
control to L1 upon termination of the handler.
Completion Table 22 requires all entry clocks xL and xf to be simultaneously present when the f
is being executed. Each signal xL holds the value true iff the block L is active during a transition
currently being executed. Otherwise, xL is set to false by L ::= defaultvalue false. The same
holds for local variables T with the default equation T ::= defaultvalue T$1. The SIGNAL compiler
guarantees the completion of the next-state logic by aggregating partial equations.
L1 := true when (T1 default L3$1) default false
| L2 := true when (L1b$1 default not T3) default false
| L3 := true when T3 default false
| L1 ^= L2 ^= L3
Figure 25. Completion of the next-state-logic for the EPC
The translation technique proposed in [35, 37] is modular (block-wise), conceptually simple (one
equation perinstruction) and language-independent (SSA is the input formalism). The host formalism,
SIGNAL, supports a scalable notion and a flexible degree of abstraction. Notice that the structure of the
original program is represented by program labels L which play an essential role during modeling as they
represent clocks, i.e. the data-structure used by the POLYCHRONY workbench to represent the control
flow of programs. This information is propagated during modeling, verification and transformation. As a
result, traceability is easily provided by this information to relate an error to its original block, in addition
to the name of all variables it implies.
5.3. A Case Study: the Even-Parity Checker
We focus on a simple SPECC programming example: an even-parity checker (EPC, figure 26), to il-
lustrate our refinement-based methodology. We shows how the specification of the EPC can be refined
toward a GALS implementation with the help of the tool POLYCHRONY, showing in what respects and at
which critical design stages formal methods matter for engineering its architecture. This example demon-
strates the capabilities of the polychronous model of computation of SIGNAL to provide formal modeling
and verification support for the capture of behavioral abstractions of high-level system descriptions.
ones even IO
ﬀ
-
ﬀ
-
data
ocount
In
Out
istartﬀ
idone-
startﬀ
done-
Figure 26. Functional architecture of an even-parity checker (EPC).
The even-parity checker (EPC), Figure 26, consists of three functionalities: an interface thread IO, a
master test thread even and a slave counting thread ones (gray elements are SPECC-specific). Numbers
20 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
are sent from IO to even via the input port In. Then, IO notifies start to even which forwards In to
ones via the data port. Upon notification istart, ones counts the number of bits set to one in data
and returns it to even via the ocount port. Upon notification idone, even forwards the result to IO via
port Out and notifies done.
5.3.1. Specification-Level Design in SPECC
In SPECC, the design level of specification defines the functionalities and behavior of a system composed
of hardware and software by means of parallel threads (called behaviors) of computations exchanging
data via ports and synchronized by wait and notify events. Behavior ones, Figure 27, first waits the event
istart before to load data from the input port data into the variable idata. Then, it iteratively scans
idata to count the number of bits set to one in it. This is done by shifting the bits in idata right and by
comparing the right-most one to 1. When the data is processed (it equals 0 and there is no more bit to
shift and count) the internal count icount is returned to the ocount port and the event idone is notified.
The behavior even passes values from port In to port data, notifies istart, waits idone, and returns
either 0 (if ocount is odd) or 1 (it is even) along the port Out before to notify Done.
behavior ones (in unsigned int data,
in event istart,
out unsigned int ocount,
out event idone) {
void main (void) {
unsigned int idata;
unsigned int icount;
while (true) {
wait(istart);
idata = data;
icount = 0;
while (idata != 0) {
icount += idata & 1;
idata >> 1; }
ocount = icount;
notify(idone);
}}}
behavior even (in unsigned int In,
in unsigned int ocount,
in event start,
in event idone,
out unsigned int Out,
out unsigned int data,
out event istart,
out event done) {
void main(void) {
while (true) {
wait(start);
data = In;
notify(istart);
wait(idone);
Out = ocount & 1;
notify(done);
}}}
Figure 27. Specification-level design of the EPC in SPECC.
5.3.2. Model of the Specification-Level Design in SIGNAL
Figure 28 gives a model of behavior ones in SIGNAL. It displays partial equations obtained from the
translation algorithm of Figure 22. An endochronous SIGNAL program which implements the specifica-
tion model of the EPC is given Appendix A. It is obtained from Figure 28 by completion of the next-state
logics and by the synchronization of local variables.
In state L1, behavior ones waits for istart. It receives it at clock when not T0 and initializes
idata to data, icount to 0 and steps to state L2. While in state L2 (at clock when not T2) it adds
the right-most bit of idata to icount, shifts idata right and goes back to L2. If idata is zero (at
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 21
clock when T2), ones steps to L3, passes the value of icount to ocount, notifies idone and goes to
L1. Process even depicts a similar decomposition of the SPECC behavior in SSA form.
process ones = ()
(| T1 ::= istart = istart$1 when L1$1
| L1 ::= true when T1
| L2 ::= true when not T1
| idata ::= data$1 when L2$1
| icount ::= 0 when L2$1
| L3 ::= true when L2$1
| T2 ::= idata$1 when L3$1
| T3 ::= T2 = 0 when L3$1
| L4 ::= true when T3
| T4 ::= icount$1 when not T3
| T5 ::= T2 & 1 when not T3
| icount ::= T4 + T5 when not T3
| idata ::= T2 >> 1 when not T3
| L3 ::= true when not T3
| ocount ::= icount$1 when L4$1
| idone ::= not idone$1 when L4$1
| L1 ::= true when L4$1
|) / L1, L2, L3, L4, T1, T2,
T3, T4, T5, idata, icount;
process even = ()
(| T1 ::= start = start$1 when L1$1
| L1 ::= true when T1
| L2 ::= true when not T1
| data ::= In$1 when L2$1
| istart ::= not istart$1 when L2$1
| L3 ::= true when L2$1
| T2 ::= idone = idone$1 when L3$1
| L3 ::= true when T2
| L4 ::= true when not T2
| Out ::= ocount$1 & 1 when L4$1
| done ::= not done$1 when L4$1
| L1 ::= true when L4$1
|) / L1, L2, L3, L4, T1, T2;
Figure 28. Specification-level design of the EPC in SIGNAL.
5.3.3. Architecture-Level Design Refinement
The translation of the even-parity checker of Section 31 demonstrates the capability of SIGNAL to model
components for specification-level SPECC designs. The typical SPECC design-flow starts with the cap-
ture of IP-blocks represented as C functions and automatic partitioning according to an appropriate cost
function. After partitioning, double handshake protocols (message sequence below), or other appropriate
HW-SW protocols (request-acknowledge) are inserted between the functional units.
send recvIn - ready -
eReady-
data -
ackﬀ
eAckﬀ
¬ready-
eReady-
¬ackﬀ
eAckﬀ rdata-
channel ChMP() {
bool ready = false, ack = false;
event eReady, eAck;
unsigned int data;
void send (unsigned int in) {
data = in;
ready = true;
notify (eReady);
while (!ack) wait (eAck);
ready = false;
notify (eReady);
while (ack) wait (eAck);
}
unsigned int recv () {
unsigned int rtn;
while (!ready)
wait (eReady);
rtn = data;
ack = true;
notify (eAck);
while (ready)
wait (eReady);
ack = false;
notify (eAck);
return rtn;
}};
Figure 29. Implementation of a channel with double hand-shake in SPECC.
22 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
At specification-level, data exchange between the behaviors ones and even is performed by shared
variables and arbitrated by a wait-notify protocol. At architecture-level, this protocol is refined by a
double handshake protocol defined by the methods send and recv of the module ChMP, figure 29. The
channel encapsulates the wait and notify operations performed in the specification model together with
locally shared variables ack and ready.
5.3.4. Model of the Architecture Refinement in SIGNAL
The SIGNAL model of the send method, Figure 30, of the recv method, of the architecture-layer re-
finement of the EPC, are obtained in the very same way as for the behaviors even and ones of the
specification level. The send method of the ChMP module assigns the current value of the input In to
the shared variable data, sets the shared ready flag to true and waits for the notification eAck from the
recv process until the shared flag ack becomes true. The same transaction is repeated to wait until the
transmission of its return data to ready a new transaction.
Process send receives two parameters L1 and L7 in addition to its input data In. The boolean signal
L1 is true when send receives control from its caller. The boolean signal L7 is true when send returns
control to its caller. Appendix B gives the complete listing of the send and recv functionalities of
the channel ChMP which were checked endochronous using the POLYCHRONY workbench to qualify for
validation using our refinement checking methodology.
process send = (? In, L1 ! L7)
(| L2 ::= true when L1$1
| data ::= In$1 when L1$1
| ready ::= true when L1$1
| eReady ::= not eReady$1 when L1$1
| T2 := ack$1 when L2$1
| L3 ::= true when not T2
| L4 ::= true when T2
| T1 := eAck = eAck$1 when L3$1
| L2 ::= true when not T1
| L3 ::= true when T1
| ready ::= false when L4$1
| eReady ::= not eReady$1 when L4$1
| L5 ::= true when L4$1
| T4 := ack$1 when L5$1
| L6 ::= true when T4
| L7 ::= true when not T4
| T3 := eAck = eAck$1 when L6$1
| L5 ::= true when not T3
| L6 ::= true when T3
|) / L2, L3, L4, L5, L6,
T1, T2, T3, T4;
Figure 30. Model of the architecture-level channel (send method) in SIGNAL.
5.3.5. Validation of the Specification-to-Architecture Refinement
The installation of a channel between the processes even and ones incurs an additional desynchroniza-
tion of the transmission between the In and Out signals. Showing that the refinement of the EPC from
the specification level, process epc1, to the architecture level, process epc2, is correct requires checking
that the refinement is finitely flow-invariant: epc1¿∗ epc2.
The verification of this property amounts to proving that, for all behaviors b and c of epc1 and epc2,
flow equivalence of the input signal In, i.e. b|In ≈ c|In implies flow equivalence of the output signal
Out, i.e. b|Out ≈ c|Out.
(1) : ∀b ∈ [[epc1]], ∀c ∈ [[epc2]], b|In ≈ c|In ⇒ b|Out ≈ c|Out
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 23
Preliminary observations are in order to facilitate the proof of equation (1). The architecture model of the
EPC only differs from the specification model by the introduction of a channel in place of a wait-notify
protocol to synchronize concurrent accesses to shared variables. By contrast, the architecture model
epc2 uses the double handshake protocol of the send and recv functionality of the module ChMP.
Figure 31 isolates the pattern specif that characterizes the wait-notify protocol in the specification
model. The variables of the EPC models specif and archi are interfaced to signals In and Out for the
purpose of verification. The producer and consumer processes prod1 and cons1 are defined by infinite
loops that wrap the patterns of interest.
process specif = (? boolean In
! boolean Out)
(| Out := cons1() | prod1(In) |)
where boolean istart init false,
data init false;
process prod1 = (? In !)
(| data := In default data$1
| istart := not istart$1 when ^In
default istart$1 |);
process cons1 = (? ! Out)
(| T1 := istart = istart$1 when L1$1
| L1 := true when (T1 default L2$1)
default false
| L2 := true when not T1 default false
| Out := data$1 when L2$1
| L1 ^= L2 ^= istart ^= data
|) where boolean L1 init true, L2, T1;
end;
Figure 31. Isolation of the synchronization protocol in the specification model
Figure 32 isolates the matching communication pattern of the architecture model wrapped in the
process archi. In Figure 31, the presence of an input In triggers a wait-notify protocol that synchronizes
the transmission of data from even to ones. In Figure 32, this synchronization is embedded in the call
to the send and recv methods. Control to and from send and recv is provided by the labels L2 and L3.
The additional label L1 closes the infinite loop.
process archi = (? boolean In ! boolean Out)
(| Out := cons2() | prod2(In) |)
where process cons2 = (? ! Out)
(| L2 := L1$1 init true
| Out := data$1 when L3$1
| L1 := true when L3$1
default false
| L1 ^= L2 ^= L3 ^= data
| (L3, data) := recv(L2)
|) where boolean L1, L2, L3, data; end;
process prod2 = (? In !)
(| data := In when L1$1 default data$1
| T1 := true when ^In when L1$1
| L1 := true when (not T1 default L3$1)
default false
| L2 := true when T1 default false
| L3 := send(data$1, L2)
| L1 ^= L2 ^= L3 ^= data
|) where boolean T1, L1 init true,
L2, L3, data; end;
Figure 32. Isolation of the synchronization protocol in the architecture model
Proving equation (1) reduces to showing that the desynchronization protocol introduced by module
ChMP preserves the flow of the original wait-notify protocol of the specification model. This proof is
done by checking that, given desynchronized input flows b|In and c|In, the specification and architecture
models spec and arch provide equivalent flows along the output idata
(2) : ∀b ∈ [[specif]], ∀c ∈ [[archi]], b|In ≈ c|In ⇒ b|Out ≈ c|Out
To formulate equation (2) in the model checker SIGALI, we consider a formulation of the protocol
that manipulates boolean data In and Out. This approximation still implies the expected property (2),
24 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
since neither In nor Out interfere with control in specif and archi. We obtain the formulation of
the appropriate observer function (see appendix C). It is be checked invariant by SIGALI and yields the
expected proof of conformance, by application of Theorem 4.1.
(3) : cqfd := observer {specif, archi} (In)
5.3.6. Refinement of the Architecture Model Toward Implementation
The communication layer of the EPC, Figure 33, consists of a refinement of the data structures manipu-
lated in the ChMP channel and of modeling (in SPECC) the behavior of the actual bus of the architecture
in place of the channel abstraction ChMP. The model of the bus consists of the decomposition of the
methods send and receive into sub-processes that implement the bus read and write methods.
Showing this refinement correct reduces to proving that the model of the channel’s ChMP methods
send and recv are flow-equivalent to the methods read and write of the bus model. The control
structure of the bus model in SIGNAL is identical to that of the channel, except for the implementation
of the input/output integer signals as bit-vectors.
channel cBus() implements iBus {
unsigned bit[31:0] data; cSignal ready, ack;
void write (unsigned bit[31:0] wdata) {
ready.assign(1);
data = wdata;
ack.waitval(1);
ready.assign(0);
ack.waitval(0);
}
unsigned bit[31:0] read () {
unsigned bit[31:0] rdata;
ready.waitval(1);
rdata = data;
ack.assign(1);
ready.waitval(0);
ack.assign(0);
return data;
}}
Figure 33. Communication-level model of a bus in SPECC.
behavior ones(in,event,clk, ...) {
void main(void) {
unsigned bit[31:0] idata, icount;
enum state {S0, S1, S2, S3} state = S0;
while (1) {
wait(clk);
if (rst == 1b) state = S0;
switch (state) {
case S0: done = 0b;
ack_istart = 0b;
if (start == 1b) state=S1
else state=S0;
break;
case S1: ack_istart = 1b;
idata = inport;
icount = 0;
state = S2;
break;
case S2: icount = icount + idata & 1;
idata = idata >> 1;
if (idata == 0) state=S3
else state=S2;
break;
case S3: outport=icount;
done = 1b;
if (ack_idone == 1b) state=S0
else state=S3;
break;
Figure 34. RTL-level implementation of the EPC-core in SPECC.
Compared to the communication model of Figure 33, the RTL or implementation model of the EPC
in SPECC, Figure 34, consists of a cycle-accurate implementation of the EPC that is materialized the
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 25
introduction of a master clock clk and of a reset signal rst together with the conversion of the EPC
communication-layer specification into finite-state machine code. The structure of the ones thread itself
is close to the original one in SSA intermediate form. Each transition from a value of the state variable
is guarded by an explicit synchronization to the simulation clock clk.
5.4. Conclusive Remarks
By considering a simple SPECC programming example, featuring all salient aspects of the language,
we demonstrated the capability of the POLYCHRONY workbench to model the functionalities and the
architecture of a system and to provide the necessary services to express model transformations and
check them correct. The methodology of finite-flow invariance we employ is directly derived from
previous work pertaining on the design of globally asynchronous locally synchronous architectures. The
present case study departs from the very spectrum of GALS design by showing that imperative programs
in the style of communicating sequential processes are equally covered. In other words, flow equivalence
does not define the spectrum of architectures that are covered by our methodological principles but the
very criterion for checking design refinements correct.
Naturally, other criteria can be designed and other properties checked. The POLYCHRONY work-
bench provides scalable abstraction of SPECC design for verification. Previous results and case studies
span from the use theorem-proving [19, 25, 20] to prove properties on concrete models, model check-
ing [6, 36] to prove properties on models abstracted by finite-state machines, static checking [26, 37] to
prove properties over state-less boolean model abstractions. POLYCHRONY further provides means to
optimally reuse, adapt, transform pre-defined system components and modules: hierarchization (com-
bines several threads into one), distributed protocol synthesis (split synchronous threads into a network
of communicating threads). Its current limitations are the absence of support for reasoning on dynamic
resources management (memory or threads) and the lake of connexions to other models of computation
(untimed, real-timed, continuous).
6. Related Works
Synchronous programming being a computational model which is popular in hardware design, and
desynchronization being a technique to convert that computational model into a more general, globally
asynchronous and locally synchronous computational model, suitable for system-on-chip design, one
may naturally consider investigating further the links between these two models understood as Ptolemy
domains [9] and study the refinement-based design of GALS architectures starting from polychronous
specifications captured from heterogeneous elementary components.
Models of computation The aim of capturing both synchrony and asynchrony in a unifying model of
computation is shared by several approaches: the interaction categories of Abramsky et al. in [1], the
communicating sequential processes of Hoare [17] and Kahn networks [18] (communicating data-flow
functions) that is one of the models supported by Ptolemy [21] and the methodology of latency insensitive
protocols of Carloni et al. [10] and its extension to real-time [4]. All related models can be categorized
as stratified, in the sense that they dissociate the semantics structure representing synchronous islands
(the predefined pearls or IPs) from the one representing asynchrony. For instance, the heterogeneous
26 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
model of [4] is layered into a model of tag-less asynchrony and of tagged synchrony (where tags model
stuttering equivalence in a way akin to clock equivalence yet without scheduling). The polychronous
model of computation does not feature such a decoupling between its synchronous and asynchronous
structures.
Refinement-checking Most of the existing formal frameworks to refinement-checking, such as B [2],
Unity [11], CSP [17, 29], are essentially specification-based, in that modeling, transformation and ver-
ification are entirely envisaged within the framework of a formal notation and its companion methods
and tools. By contrast, our data-flow oriented approach to refinement-checking is novel and allows us
to combine a programatic approach (of SPECC) with the scalable modeling and verification techniques
of the polychronous model of computation: theorem-proving [19, 25, 20], model checking [6, 36], static
checking [26, 37]. Being combined to a language-independent translation technique enabling the cap-
ture of high-level system descriptions in general purpose languages such as C orJAVA, our workbench
departs from specification-oriented approaches, by combining software model-checking capabilities with
aggressive optimization services present in this workbench for the purpose of accelerated simulation and
synthesis.
7. Conclusions
Until now, the refinement of a system-level description toward its implementation, in SPECC or SYS-
TEMC was primarily envisaged as a manual process and proving conformance from the system-level ab-
straction to the implementation an unsolved issue. To solve it, we proposed a formal refinement-checking
methodology for system-level design formalized within the polychronous model of computation of the
multi-clocked synchronous formalism SIGNAL. We demonstrated the effectiveness of our approach by
the experimental case study of a SPECC programming example, showing the benefits of our approach to
give an accurate model of successive design abstractions of the system: functional, architecture, com-
munication. We introduced, proved and applied a refinement-checking criterion allowing for comparing
and validating behavioral equivalence relations between these successive refinements. Our methodology
relies on an automated modeling technique that is conceptually minimal and supports a scalable notion
and a flexible degree of abstraction. Our presentation targets SPECC yet with a generic and language-
independent method. Applications of our technique range from the detection of local design errors to the
compositional design refinement and conformance checking.
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 27
References
[1] ABRAMSKY, S., GAY, S. J., NAGARAJAN, R. Interaction categories and the foundations of typed concurrent
programming. In Deductive Program Design: Proceedings of the 1994 Marktoberdorf International Summer
School. NATO ASI Series F, Springer-Verlag, 1996.
[2] ABRIAL, J.-R. The B Book - Assigning Programs to Meanings. Cambridge University Press, August 1996.
[3] AMAGBEGNON, T. P., BESNARD, L., LE GUERNIC, P. “Implementation of the data-flow synchronous
language SIGNAL”. In Conference on Programming Language Design and Implementation. ACM Press,
1995.
[4] BENVENISTE, A., CASPI, P., CARLONI, L. P., SANGIOVANNI-VINCENTELLI, A. L. “Heterogeneous Re-
active Systems Modeling and Correct-by-Construction Deployment”. In Embedded Software Conference.
Springer Verlag, October 2003.
[5] BENVENISTE, A., CASPI, P., EDWARDS, S., HALBWACHS, N., LE GUERNIC, P., DE SIMONE, R. “The
synchronous languages twelve years later”. In Proceedings of the IEEE, special issue on embedded systems.
IEEE Press, January 2003.
[6] BENVENISTE, A., CASPI, P., LE GUERNIC, P., MARCHAND, H., TALPIN, J.-P., TRIPAKIS, S. “A protocol
for loosely time-triggered architectures”. In Embedded Software Conference. Springer Verlag, October 2002.
[7] BENVENISTE, A., LE GUERNIC, P., JACQUEMOT, C. “Synchronous programming with events and relations:
the SIGNAL language and its semantics”. In Science of Computer Programming, v. 16. Elsevier, 1991.
[8] BERRY, G., GONTHIER, G. “The ESTEREL synchronous programming language: design, semantics, imple-
mentation”. In Science of Computer Programming, v. 19, 1992.
[9] BUCK, J., HA, S., LEE, A., AND MESSERSCHMITT, D. Ptolemy: A Framework for Simulating and Proto-
typing Heterogeneous Systems. In International Journal of Computer Simulation, special issue on ”Simula-
tion Software Development”, v. 4. Ablex, April 1994.
[10] CARLONI, L. P., MCMILLAN, K. L., SANGIOVANNI-VINCENTELLI, A. L. “Latency-Insensitive Proto-
cols”. In International Conference on Computer-Aided Verification. Lecture notes in computer science v.
1633. Springer Verlag, July 1999.
[11] CHANDY K. M., MISRA, J. Parallel Program Design: A Foundation. Addison Wesley, 1999.
[12] DE MICHELI, G., ERNST, E., AND WOLF, W. ”Readings in Hardware/Software Co-Design”. Morgan Kauf-
mann, 2001.
[13] F. DOUCET, F., OTSUKA,, M., SHUKLA, S., GUPTA, R. An environment for dynamic component compo-
sition for efficient co-design. In Design Automation and Test in Europe. IEEE Press, 2002.
[14] GAMATIE´, A., GAUTIER, T. ”Synchronous modeling of avionics applications using the SIGNAL language”.
In Real-time embedded technology and applications symposium. IEEE Press, 2002.
[15] GAJSKI, D., ZHU, J., DO¨MER, R., GERSTLAUER, A., ZHAO, S. SPECC: Specification Language and
Methodology. Kluwer Academic Publishers, March 2000.
[16] GROETKER, T., LIAO, S., MARTIN, G., SWAN, S. System Design with SYSTEMC. Kluwer Academic
Publishers, May 2002.
[17] HOARE, C. Communicating sequential processes. Prentice Hall, 1985.
[18] KAHN, G. The semantics of a simple language for parallel programming. In IFIP Congress. North Holland,
1974.
[19] KERBOEUF, M., NOWAK, D., TALPIN, J.-P. “The steam-boiler problem in SIGNAL-COQ”. International
Conference on Theorem Proving in Higher-Order Logics (TPHOLS). Springer Verlag Lectures Notes in Com-
puter Science, Aout 2000.
[20] KERBOEUF, M., NOWAK, D., TALPIN, J.-P. “Formal proof of a polychronous protocol for loosely time-
triggered architectures”. International conference on formal engineering methods. Springer Verlag Lectures
Notes in Computer Science, Novembre 2003.
[21] LEE, E., SANGIOVANNI-VINCENTELLI, A. “A framework for comparing models of computation”. In IEEE
transactions on computer-aided design, v. 17, n. 12. IEEE Press, December 1998.
28 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
[22] LE GUERNIC, P., TALPIN, J.-P., LE LANN, J.-L. Polychrony for system design. In Journal of Circuits,
Systems and Computers. Special Issue on Application Specific Hardware Design. World Scientific, 2002.
[23] MARCHAND, H., BOURNAI, P., LE BORGNE, M., LE GUERNIC, P. Synthesis of Discrete-Event Controllers
based on the Signal Environment. In Discrete Event Dynamic System: Theory and Applications, v. 10(4), pp.
325–346, 2000.
[24] H. MARCHAND, E. RUTTEN, M. LE BORGNE, M. SAMAAN. Formal Verification of SIGNAL programs:
Application to a Power Transformer Station Controller. Science of Computer Programming, v. 41(1), pp.
85–104, 2001.
[25] NOWAK, D., BEAUVAIS, J.-R., TALPIN, J.-P. “Co-inductive axiomatization of a synchronous language”. In
International Conference on Theorem Proving in Higher-Order Logics. Springer Verlag, October 1998.
[26] NOWAK, D., TALPIN, J.-P., GAUTIER, T., LE GUERNIC, P. “An ML-like module system for the
synchronous language Signal”. Proceedings of European Conference on Parallel Processing (EuroPAR).
Springer Verlag Lectures Notes in Computer Science, Aout 1997.
[27] NOWAK, D., TALPIN, J.-P., LE GUERNIC, P. “Synchronous structures”. In International Conference on
Concurrency Theory. Springer Verlag, August 1999.
[28] The Polychrony workbench, available from http://www.irisa.fr/espresso/Polychrony.
[29] ROSCOE, A. W.. The Theory and Practice of Concurrency. Prentice-Hall, 1997.
[30] The SPECC website, http://www.ics.uci.edu/~specc.
[31] The SYSTEMC website, http://www.systemc.org.
[32] The SYSTEM VERILOG website, http://www.systemverilog.org.
[33] The Gnu Compiler Collection (GCC). http://http://gcc.gnu.org, 2004.
[34] The GCC Tree-SSA Branch. http://gcc.gnu.org/projects/tree-ssa, 2004.
[35] TALPIN, J.-P., GAMATIE´, A., LE DEZ, B., BERNER, D., LE GUERNIC, P. Hard real-time implementa-
tion of embedded software in JAVA. In Interntional workshop on scientific engineering of distributed JAVA
applications. Lectures Notes in Computer Science, Springer Verlag, November 2003.
[36] TALPIN, J.-P., LE GUERNIC, P., SHUKLA, S., GUPTA, R., DOUCET, F. “Polychrony for formal refinement-
checking in a system-level design methodology”. Application of Concurrency to System Design. IEEE Press,
June 2003.
[37] TALPIN, J.-P., BERNER, D., SHUKLA, S. K., LE GUERNIC, P., GUPTA, R. “A behavioral type inference
system for compositional system design”. Application of Concurrency to System Design. IEEE Press, 2004.
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 29
A. Listing of the Specification Model of the EPC
process epc = (? boolean start; integer In ! boolean done; integer Out)
(| (idone, ocount) := ones (istart, data)
| (done, Out) := even(start, In)
|) where integer ocount init 0, data init 0;
boolean istart init false, idone init false;
process ones = (? boolean istart; integer data ! boolean idone; integer ocount)
(| T1 := istart = istart$1 when L1$1
| T2 := idata$1 when L3$1 default T2$1
| T3 := T2 = 0 when L3$1
| T4 := icount$1 when not T3 default T4$1
| T5 := X2(T2, 1) when not T3 default T5$1
| L1 := true when (T1 default L4$1) default false
| L2 := true when not T1 default false
| L3 := true when (L2$1 default not T3) default false
| L4 := true when T3 default false
| idata := data$1 when L2$1 default X1(T2, 1) when not T3 default idata$1
| icount := 0 when L2$1 default T4 + T5 when not T3 default icount$1
| ocount := icount$1 when L4$1 default ocount$1
| idone := not idone$1 when L4$1 default idone$1
| idata ^= icount ^= ocount ^= idone ^= istart ^= data
^= L1 ^= L2 ^= L3 ^= L4 ^= T2 ^= T4 ^= T5
|) where boolean L1 init true, L2 init false, L3 init false, L4 init false, T1, T3;
integer idata init 0, icount init 0, T2, T4, T5; end;
process even = (? boolean start; integer In ! boolean done; integer Out)
(| T1 := start = start$1 when L1$1
| T2 := idone = idone$1 when L3$1
| L1 := true when (T1 default L4$1) default false
| L2 := true when not T1 default false
| L3 := true when (L2$1 default T2) default false
| L4 := true when not T2 default false
| data := In$1 when L2$1 default data$1
| istart := not istart$1 when L2$1 default istart$1
| Out := X2(ocount$1, 1) when L4$1 default Out$1
| done := not done$1 when L4$1 default done$1
| data ^= istart ^= Out ^= done ^= L1 ^= L2 ^= L3 ^= L4
|) where boolean L1 init true, L2 init false, L3 init false, L4 init false, T1, T2; end;
function X1 = (? i1, i2 ! i3)
spec (| i1^=i2^=i3 | i1 --> i2 | i2 --> i3 |)
pragmas C_CODE "&i3 = &i1 >> &i2" end pragmas;
function X2 = (? i1, i2 ! i3)
spec (| i1^=i2^=i3 | i1 --> i2 | i2 --> i3 |)
pragmas C_CODE "&i3 = &i1 & &i2" end pragmas;
end;
30 J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking
B. Listing of the Channel Model
module ChMP =
boolean ready init false, ack init false, eReady init false, eAck init false;
integer data init 0;
process send = (? In, L1 ! L7)
(| T1 := eAck = eAck$1 when L3$1
| T2 := ack$1 when L2$1
| T3 := eAck = eAck$1 when L6$1
| T4 := ack$1 when L5$1
| L2 := true when (L1$1 default not T1) default false
| L3 := true when (not T2 default T1) default false
| L4 := true when T2 default false
| L5 := true when (L4$1 default not T3) default false
| L6 := true when (T4 default T3) default false
| L7 := true when not T4 default false
| data := In$1 when L1$1 default data$1
| ready := true when L1$1 default false when L4$1 default ready$1
| eReady := not eReady$1 when (L1$1 default L4$1) default eReady$1
| L1 ^= L2 ^= L3 ^= L4 ^= L5 ^= L6 ^= L7
| L1 ^= ready ^= ack ^= eReady ^= eAck ^= data ^= In
|) where boolean L2, L3, L4, L5, L6, T1, T2, T3, T4; end;
process recv = (? L1 ! rtn, L7)
(| T1 := eReady = eReady$1 when L3$1
| T2 := not ready$1 when L2$1
| T3 := eReady = eReady$1 when L6$1
| T4 := not ready$1 when L5$1
| L2 := true when (L1$1 default not T1) default false
| L3 := true when (T2 default T1) default false
| L4 := true when not T2 default false
| L5 := true when (L4$1 default not T3) default false
| L6 := true when (T4 default T3) default false
| L7 := true when not T4 default false
| rtn := (data$1 when L4$1) default rtn$1
| ack := (true when L4$1) default (false when L7$1) default ack$1
| eAck := (not eAck$1 when (L4$1 default L7$1)) default eAck$1
| L1 ^= L2 ^= L3 ^= L4 ^= L5 ^= L6 ^= L7
| L1 ^= rtn ^= ack ^= eAck
|) where boolean L2, L3, L4, L5, L6, T1, T2, T3, T4; end;
end;
J.-P. Talpin, P. Le Guernic, S. K. Shukla, F. Doucet, R. Gupta / Polychrony for Formal Refinement Checking 31
C. Listing of the Observer Function
process observer = (? boolean In ! boolean cqfd)
(| cqfd := fifo (specif (buffer (In))) = fifo (archi (buffer (In)))
|) where
use ChMP;
use Fifo;
process specif = (? boolean In ! boolean Out)
(| Out := cons1() | prod1(In) |)
where boolean istart init false, data init false;
process cons1 = (? ! Out)
(| T1 := istart = istart$1 when L1$1
| L1 := true when (T1 default L2$1) default false
| L2 := true when not T1 default false
| Out := data$1 when L2$1
| L1 ^= L2 ^= istart ^= data
|) where boolean L1 init true, L2, T1; end;
process prod1 = (? In !)
(| data := In default data$1
| istart := not istart$1 when ^In default istart$1
|);
end;
process archi = (? boolean In ! boolean Out)
(| Out := cons2() | prod2(In) |)
where process cons2 = (? ! Out)
(| L2 := L1$1 init true
| Out := data$1 when L3$1
| L1 := true when L3$1 default false
| L1 ^= L2 ^= L3 ^= data
| (L3, data) := recv(L2)
|) where boolean L1 init true, L2, L3, data; end;
process prod2 = (? In !)
(| data := In when L1$1 default data$1
| T1 := true when ^In when L1$1
| L1 := true when (not T1 default L3$1) default false
| L2 := true when T1 default false
| L3 := send(data$1, L2)
| L1 ^= L2 ^= L3 ^= data
|) where boolean T1, L1 init true, L2, L3, data; end;
end;
end;
