Translation Validation for Transformations on Abstract Clocks in Synchronous Languages
Van Chan Ngo, Jean-Pierre Talpin, Thierry Gautier, Paul Le Guernic

To cite this version: Van Chan Ngo, Jean-Pierre Talpin, Thierry Gautier, Paul Le Guernic. Translation Validation for Transformations on Abstract Clocks in Synchronous Languages. [Research Report] RR-8064, INRIA. 2012. <hal-00730926v5>
HAL Id: hal-00730926
https://hal.inria.fr/hal-00730926v5
Submitted on 30 Jan 2013
ISSN 0249-6399    ISRN INRIA/RR--8064--FR+ENG
RESEARCH REPORT N° 8064
September 2012
Project-Team ESPRESSO

Formal Verification of Transformations on Abstract Clocks in Synchronous Compilers
Van Chan Ngo, Jean-Pierre Talpin, Thierry Gautier, Paul Le Guernic

RESEARCH CENTRE RENNES – BRETAGNE ATLANTIQUE
Campus universitaire de Beaulieu
35042 Rennes Cedex

Research Report n° 8064, September 2012, 23 pages
Abstract: Translation validation was introduced in the 90's by Pnueli et al. as a technique to formally verify the correctness of code generated from the synchronous data-flow language Signal. Rather than certifying the code generator (by writing it entirely in a theorem prover) or exhaustively qualifying it (by producing the 27 documents required by DO-178C), translation validation provides a scalable approach to assess the functional correctness of generated code. By revisiting the translation validation approach, which in the 90's suffered from the limitations of the theorem proving and model checking techniques available at the time, we aim at developing a scalable and flexible approach that can be applied to an existing 500k-line implementation of the Signal compiler, and that handles large-scale, possibly automatically generated Signal programs using efficient SAT/SMT-solving libraries.
We implement translation validation in a step-by-step style, proving each transformation of the compiler from the initial step up to the final step of actual C code generation. In this work, we focus on proving the preservation of timing properties during the compilation process. We define a correct transformation relation between two formal representations of the source and transformed programs, called clock models, and we use an SMT (Satisfiability Modulo Theories) solver to check the existence of this relation.
Key-words: Formal Verification, Translation Validation, Certified Compiler, SMT Solver, Multi-clocked Synchronous Programs, Embedded Systems
1 Introduction
Adhering to the synchronous paradigm, synchronous data-flow languages such as Esterel, Lustre,
Signal [2, 14, 12] have been introduced and successfully used to design and implement embedded
and critical real-time systems. Each synchronous data-flow language is generally associated with
a compiler which transforms, compiles synchronous programs and usually generates code in some
general-purpose programming language. Safety-critical, high-assurance systems specified using
such languages are verified by the use of formal methods (e.g. model checking, program proof,
and static analysis). The verification is usually applied to the source code of a synchronous
program. The designer always expects that all the formally verified properties of the considered
system can be carried out to the transformed program and the automatically generated code.
However, before code can be generated, the compilation of high-level, synchronous, specification
is a complex process that involves many analysis and program transformation stages. Some
transformations may introduce additional information or constraints, to refine the meaning of
the original specification and/or remove, specialize the behavior of the source specification, such
as optimization, static scheduling. Thus, and even if compliant with a “five-nines" (99.999%)
reliability, large-scale use of compilers for large specifications may improbably yet not uncertainly
yield bugs. Therefore, it is naturally required that the compiler must be formally checked as well
to ensure that the source program semantics is preserved.
The means to circumvent compiler bugs are to entirely rewrite the code generator (in our case, e.g., the 500k lines of C code of the Signal compiler) using a theorem proving tool such as Coq [9], to qualify its compliance to the DO-178C documents for a particular execution platform, or to formally verify the conformance of its output to its input for each run of the code generator. The first two solutions yield a situation where the code generator can hardly, or not at all, be further optimized and updated, whereas the last one provides an ideal separation between the tool under verification and its checker.
To this end, translation validation was introduced in the 90's by Pnueli et al. [22, 23] as a technique to formally verify the correctness of code generated from the language Signal using model checking. Rather than certifying the code generator (by writing it entirely in a theorem prover) or exhaustively qualifying it (by producing the 27 documents required by DO-178C), translation validation provides a scalable approach to assess the functional correctness of generated code. First, we do not modify or instrument the compiler; we treat it as a "black box", so our validator is not affected by updates or modifications of the compiler. Our approach is to apply formal methods to the compiler transformations themselves in order to automatically generate formal evidence that the semantics of the source program is preserved during program transformation and compilation, as required by the applicable qualification standard (DO-178C). Second, it is important that the validator scales to large programs: we represent the desired program semantics with a scalable abstraction and use efficient SMT libraries [5, 18] to achieve the expected goals, traceability and formal evidence. In this paper, we focus on proving the preservation of timing properties during the compilation process. We define a correct transformation relation between two formal representations of the source and transformed programs, called clock models, and we use an SMT (Satisfiability Modulo Theories) solver to check the existence of this relation. A clock model is represented as a first-order logic formula over boolean variables. This boolean formula deterministically characterizes the presence/absence status of all discrete data-flows (input, output and local variables of the program) manipulated by the specification. Following the structure of the compilation, we apply translation validation to the abstract clock calculation phase and implement it in a step-by-step style, proving each transformation of this phase separately so as to provide an explicit proof of the preservation of timing properties. Another significant contribution of our work is that this preservation of timing properties is then used to verify the equivalence between data-flows and the corresponding variables of the program and of its generated code. The verification of equivalences is done with a normalizing value-graph [25]; because timing properties have already been shown to be preserved, the resulting value-graph contains only the computations of data-flows and no timing information, so it can be evaluated more efficiently and faster.
The remainder of this paper is organized as follows. Section 3 introduces our translation validation approach by example. Section 4 presents the translation of a synchronous program into its clock model. In Section 5, we define correct transformation on abstract clocks, which formally establishes conformance between the original specification and the one reverse-engineered from its compiled program; it also addresses the application of the verification process to the Signal compiler and its implementation, integrated in the Polychrony toolset [21]. Section 6 presents related work, concludes, and outlines future directions.
2 Preliminaries
In this section, we recall some basic elements of propositional and first-order logic: their semantics, and the validity and satisfiability checking problems [11, 15].
2.1 Propositional logic
The expressions of propositional logic are called propositional formulas; a propositional formula is a string whose evaluation is either true or false. Propositional formulas are expressed in a propositional language built over a countable set P whose elements are called boolean variables and are denoted by p, q, r.
Definition (formula.) Propositional formulas are defined inductively as follows:
• every boolean variable is a formula, called an atom;
• ⊤ and ⊥ are formulas;
• if A is a formula, then ¬A is a formula;
• if A1, A2 are formulas, then A1 ⋈ A2 is a formula, where ⋈ ∈ {∧, ∨, →, ↔}.
The symbols ¬, ∧, ∨, →, ↔ used to build formulas are called connectives. Formulas of the forms A1 ∨ A2 and A1 ∧ A2 are respectively called a disjunction and a conjunction.
The semantics of propositional logic is based on the following assumptions: (i) the meaning of atomic propositions depends on their interpretation, (ii) the meaning of more complex propositions depends on the meaning of their components, as shown in Table 1.
Definition (boolean value, interpretation, truth.) A boolean value (or truth value) is either 1 or 0. An interpretation (or truth assignment) for a set of boolean variables P is a mapping from P to the set of boolean values {1, 0}.
Interpretations are extended to arbitrary propositional formulas inductively as follows:
• I(⊤) = 1 and I(⊥) = 0.
• I(A1 ∧ ... ∧ An) = 1 iff I(Ai) = 1 for all i.
• I(A1 ∨ ... ∨ An) = 1 iff I(Ai) = 1 for some i.
• I(¬A) = 1 iff I(A) = 0.
• I(A → B) = 1 iff I(A) = 0 or I(B) = 1.
• I(A ↔ B) = 1 iff I(A) = I(B).
Given an interpretation I, we say that a formula A is true (respectively false) in I if I(A) = 1 (respectively I(A) = 0), denoted I ⊨ A (respectively I ⊭ A).
The following definition introduces the satisfiability, validity, and equivalence of formulas.
Definition (model, satisfiability, validity, equivalence.) An interpretation I satisfies a formula A if A is true in I; I is then called a model of A. A formula A is satisfiable (valid) if it is true in some (every) interpretation. A valid formula is called a tautology. Two formulas A and B are equivalent (A ≡ B) if every model of A is a model of B, and vice versa.
The above definition generalizes to sets of formulas as follows. An interpretation I is a model of a set of formulas S if it satisfies every formula in S, denoted I ⊨ S. A set of formulas is satisfiable if it has some model. We now consider some main lemmas which are useful for the problems of checking equivalence, validity, and satisfiability.
   ∧ | 1 0      ∨ | 1 0      ¬ |        → | 1 0      ↔ | 1 0
   --+-----     --+-----     --+---     --+-----     --+-----
   1 | 1 0      1 | 1 1      1 | 0      1 | 1 0      1 | 1 0
   0 | 0 0      0 | 1 0      0 | 1      0 | 1 1      0 | 0 1
Table 1: Operators semantics (row: value of the first operand, column: value of the second operand)
Lemma 2.1 (i) A formula A is valid iff ¬A is unsatisfiable. (ii) A formula A is satisfiable iff ¬A is not valid. (iii) A formula A is valid iff A is equivalent to ⊤. (iv) Formulas A and B are equivalent iff the formula A ↔ B is valid.
Proof The proofs of properties (i), (ii), (iii) and (iv) use the same method, so we only prove property (iv).
(⇒) Assume that A ↔ B is valid. For any interpretation I we have I ⊨ (A ↔ B), and by the truth table of ↔, I ⊨ A iff I ⊨ B; hence A and B are equivalent.
(⇐) Assume that A and B are equivalent and let I be any interpretation. If I ⊨ A, then by equivalence I ⊨ B, thus I ⊨ A ↔ B. Similarly, if I ⊭ A, then by equivalence I ⊭ B, and hence I ⊨ A ↔ B. Therefore A ↔ B is valid.
The following lemma reduces satisfiability checking for a set of formulas to satisfiability checking for a single formula.
Lemma 2.2 Let S = {A1, ..., An} be a finite set of formulas. Then S is satisfiable iff the formula A1 ∧ ... ∧ An is satisfiable.
Proof The proof proceeds as for Lemma 2.1, using the interpretation of A1 ∧ ... ∧ An and the truth table of ∧; we omit the details.
Evaluating a formula in an interpretation can be formalized as the following decision problem:
Definition (formula evaluation.) Formula evaluation is a decision problem whose instance is a pair (A, I), where A is a formula and I is an interpretation. The answer is "yes" if I ⊨ A.
Formulas can be evaluated in an interpretation directly from the above definition. Alternatively, one can first evaluate the sub-formulas and then use the truth tables to evaluate the formula.
Example We consider the formula A = (p → q) ∧ (p ∧ q → r) → (p → r) and the interpretation I = {p ↦ 1, q ↦ 0, r ↦ 1}. The decision problem, solved by evaluating the sub-formulas, is described in Table 2. Evaluation in a given interpretation is straightforward; the hard problem is the converse one, deciding whether some interpretation I with I ⊨ A exists at all. Verification engines that decide the satisfiability of propositional formulas (and hence, by Lemma 2.1, their validity) are called SAT solvers.
2.2 First-order logic
As in propositional logic, expressions in first-order logic are sequences of symbols, divided into two categories: logical symbols and non-logical symbols, or parameters. Logical symbols consist of parentheses "(" and ")", the propositional connectives (¬, ∨, ∧, →, ↔), variables, and the quantifiers (∀, ∃). Parameters consist of the equality symbol (=), predicate symbols (e.g. x > y), constant symbols (e.g. 0, π) and function symbols (e.g. x + y ∗ z). Each predicate and function symbol has an associated arity, a natural number indicating how many arguments it takes. Equality can be considered as a special predicate symbol of arity 2, and a constant symbol as a function symbol of arity 0. We denote by P the set of predicate symbols, by F the set of function symbols and by C the set of constant symbols; Σ = P ∪ F ∪ C is called a signature.

     sub-formula                            value
  1  (p → q) ∧ (p ∧ q → r) → (p → r)        1
  2  (p → r)                                 1
  3  (p → q) ∧ (p ∧ q → r)                   0
  4  (p ∧ q → r)                             1
  5  (p → q)                                 0
  6  p ∧ q                                   0
  7  p                                       1
  8  q                                       0
  9  r                                       1
Table 2: Evaluation of formula A in I using truth tables (sub-formulas are evaluated bottom-up, from rows 7-9 to row 1)
As in propositional logic, the expressions of first-order logic are called formulas: sequences of symbols (logical and parameter symbols) whose evaluation is either true or false. First-order formulas are expressed in a first-order language, which must first specify its parameters. We first consider the terms of a first-order language, made up of logical and parameter symbols as follows:
Definition (terms.) Terms are defined as follows.
• Any variable is a term.
• If c ∈ C, then c is a term.
• If t1, ..., tn are terms and f ∈ F has arity n > 0, then f(t1, ..., tn) is a term.
• Nothing else is a term.
In Backus-Naur form: t ::= x | c | f(t, ..., t), where x is a variable. Given the definition of terms, we can now define the formulas of a first-order language.
Definition (formulas.) Given the set of terms, first-order formulas are defined inductively as follows:
• If P ∈ P has arity n ≥ 1 and t1, ..., tn are terms, then P(t1, ..., tn) is a formula (an atomic formula).
• If φ is a formula, then ¬φ is a formula.
• If φ and ψ are formulas, then so are (φ ∨ ψ), (φ ∧ ψ), (φ → ψ) and (φ ↔ ψ).
• If φ is a formula and x is a variable, then (∀x.φ) and (∃x.φ) are formulas.
• Nothing else is a formula.
In Backus-Naur form:
φ ::= P(t1, ..., tn) | (¬φ) | (φ ∨ φ) | (φ ∧ φ) | (φ → φ) | (φ ↔ φ) | (∀x.φ) | (∃x.φ)
Equivalently, the set of well-formed formulas is the set generated inductively from the atomic formulas by the operations E¬, E→ and E∀, where E¬(φ) = (¬φ), E→(φ, ψ) = (φ → ψ) and E∀(φ) = ∀vi.φ, i = 1, 2, ... (the remaining connectives and ∃ are definable from these). Given a well-formed formula φ, a variable x is said to be free in φ according to the following rules:
• If φ is an atomic formula, then x is free in φ iff x occurs in φ.
• x is free in (¬φ) iff x is free in φ.
• x is free in (φ → ψ) iff x is free in φ or in ψ.
• x is free in ∀vi.φ iff x is free in φ and x ≠ vi.
If ∀vi appears in φ, then vi is said to be bound in φ. A formula without free variables is called a sentence.
In first-order logic, we use a model (also called a structure) to determine the truth of a formula. Given a signature Σ, a model M of the pair (F, P) consists of the following data:
• a non-empty set A, the universe of concrete values;
• for each constant c ∈ Σ, a concrete element c^M of A;
• for each function symbol f ∈ F of arity n > 0, a concrete function f^M : A^n → A; and
• for each P ∈ P of arity n > 0, a subset P^M ⊆ A^n.
Note that f and f^M, and likewise P and P^M, are entirely different objects: the symbols f and P are just symbols, whereas f^M and P^M denote a concrete function and a concrete relation in the model M, respectively.
Example Let F = {i} and P = {T, F} [15], where i is a constant, and T and F are predicate symbols of arities two and one, respectively. A model M provides a set of concrete values A, which may be thought of as the states of an automaton; the interpretations i^M, T^M and F^M are then an initial state, a transition relation and a set of final states, respectively. For instance, let A = {a, b, c}, i^M = a, T^M = {(a, a), (a, b), (a, c), (b, c), (c, c)} and F^M = {b, c}, where (a, b) ∈ T^M means that there is a transition from state a to state b. This model can be used to check the first-order formula ∃y.T(i, y), which says that there is a transition from the initial state to some state. It is true in our model since there are transitions from the initial state a to the states a, b and c.
It remains to assign values to the variables in our model. Given a model M, a variable assignment is a mapping that assigns to each variable x a value of M. We are now able to give a semantics to first-order formulas:
Definition (satisfaction.) Given a model M for a signature Σ and a variable assignment l, we define the satisfaction relation, denoted M ⊨_l φ, for each formula φ over Σ by structural induction on φ. If M ⊨_l φ holds, we say that φ evaluates to true in the model M with respect to the environment l.
The structural induction on φ is as follows:
• P: if φ is of the form P(t1, ..., tn), we interpret the terms t1, ..., tn in the set A by replacing every variable with its value according to l and every function symbol f by f^M; let a1, ..., an be the resulting concrete values of A. Then M ⊨_l P(t1, ..., tn) holds iff (a1, ..., an) ∈ P^M.
• ∀x: M ⊨_l ∀x.φ holds iff M ⊨_{l[x↦a]} φ holds for all a ∈ A.
• ∃x: M ⊨_l ∃x.φ holds iff M ⊨_{l[x↦a]} φ holds for some a ∈ A.
• ¬: M ⊨_l ¬φ holds iff M ⊨_l φ does not hold.
• ∨: M ⊨_l φ1 ∨ φ2 holds iff M ⊨_l φ1 or M ⊨_l φ2 holds.
• ∧: M ⊨_l φ1 ∧ φ2 holds iff M ⊨_l φ1 and M ⊨_l φ2 hold.
• →: M ⊨_l φ1 → φ2 holds iff M ⊨_l φ2 holds whenever M ⊨_l φ1 holds.
We write M ⊭ φ when M ⊨ φ does not hold. Checking M ⊨ φ for a given finite model M is a matter of applying the rules above. Verification engines that instead decide whether a first-order formula is satisfiable with respect to a background theory (e.g. linear arithmetic, bit-vectors, arrays), i.e. whether some model M and assignment l with M ⊨_l φ exist, are called Satisfiability Modulo Theories (SMT) solvers. The primary goal of an SMT solver is to reason natively at a higher level of abstraction than propositional logic, while retaining the speed and automation of boolean engines.
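As an added illustration of the satisfaction relation above (this is example code written for this edition, not part of the report), the Python below evaluates first-order formulas over a finite model by the structural induction of the definition, and computes free variables by the rules of the previous page. The model is the automaton of the example (universe {a, b, c}, i^M = a, T^M, F^M); the tuple-based term and formula syntax, the treatment of = as a built-in binary predicate, and the additional formulas checked (totality of T, reachability of a final state in one step, existence of a state whose only successor is itself) are assumptions of this example, not taken from the report.

```python
"""M |=_l phi over a finite first-order model, by structural induction (Section 2.2).

Terms:    ('var', x) | ('const', c) | ('fun', f, t1, ..., tn)
Formulas: ('pred', P, t1, ..., tn) | ('eq', t1, t2) | ('not', phi) | ('and', phi, psi) | ('or', phi, psi)
          | ('imp', phi, psi) | ('iff', phi, psi) | ('forall', x, phi) | ('exists', x, phi)
"""
from dataclasses import dataclass, field


@dataclass
class Model:
    """A structure M: a finite universe A plus the interpretations c^M, f^M and P^M."""
    universe: frozenset
    consts: dict = field(default_factory=dict)   # c -> element of A
    funs: dict = field(default_factory=dict)     # f -> Python callable A^n -> A
    preds: dict = field(default_factory=dict)    # P -> set of n-tuples over A


def eval_term(term, model, env):
    """Interpret a term in A under the variable assignment env (the 'l' of the definition)."""
    kind = term[0]
    if kind == 'var':
        return env[term[1]]
    if kind == 'const':
        return model.consts[term[1]]
    if kind == 'fun':
        return model.funs[term[1]](*(eval_term(t, model, env) for t in term[2:]))
    raise ValueError(f'unknown term kind {kind!r}')


def satisfies(model, env, phi):
    """M |=_env phi, one case per rule of the satisfaction definition."""
    op = phi[0]
    if op == 'pred':
        values = tuple(eval_term(t, model, env) for t in phi[2:])
        return values in model.preds[phi[1]]
    if op == 'eq':  # equality as the special binary predicate {(a, a) | a in A}
        return eval_term(phi[1], model, env) == eval_term(phi[2], model, env)
    if op == 'not':
        return not satisfies(model, env, phi[1])
    if op == 'and':
        return satisfies(model, env, phi[1]) and satisfies(model, env, phi[2])
    if op == 'or':
        return satisfies(model, env, phi[1]) or satisfies(model, env, phi[2])
    if op == 'imp':
        return (not satisfies(model, env, phi[1])) or satisfies(model, env, phi[2])
    if op == 'iff':
        return satisfies(model, env, phi[1]) == satisfies(model, env, phi[2])
    if op in ('forall', 'exists'):
        x, body = phi[1], phi[2]
        results = (satisfies(model, {**env, x: a}, body) for a in model.universe)  # env[x -> a]
        return all(results) if op == 'forall' else any(results)
    raise ValueError(f'unknown connective {op!r}')


def term_vars(term):
    if term[0] == 'var':
        return {term[1]}
    if term[0] == 'const':
        return set()
    return set().union(*(term_vars(t) for t in term[2:]))


def free_vars(phi):
    """Free variables of phi, following the inductive rules of Section 2.2 (quantifiers bind)."""
    op = phi[0]
    if op in ('pred', 'eq'):
        terms = phi[2:] if op == 'pred' else phi[1:]
        return set().union(*(term_vars(t) for t in terms))
    if op == 'not':
        return free_vars(phi[1])
    if op in ('and', 'or', 'imp', 'iff'):
        return free_vars(phi[1]) | free_vars(phi[2])
    return free_vars(phi[2]) - {phi[1]}  # ('forall' | 'exists', x, body): x is bound


def is_sentence(phi):
    return not free_vars(phi)


# The automaton model of the example: constructed data, as in the report's text.
AUTOMATON = Model(
    universe=frozenset({'a', 'b', 'c'}),
    consts={'i': 'a'},
    preds={'T': {('a', 'a'), ('a', 'b'), ('a', 'c'), ('b', 'c'), ('c', 'c')},
           'F': {('b',), ('c',)}},
)
I, X, Y = ('const', 'i'), ('var', 'x'), ('var', 'y')
REACHES_SOMETHING = ('exists', 'y', ('pred', 'T', I, Y))                               # the report's formula
IS_TOTAL = ('forall', 'x', ('exists', 'y', ('pred', 'T', X, Y)))                        # every state has a successor
FINAL_IN_ONE_STEP = ('exists', 'x', ('and', ('pred', 'F', X), ('pred', 'T', I, X)))      # witness: b
ALL_SUCCS_FINAL = ('forall', 'x', ('imp', ('pred', 'T', I, X), ('pred', 'F', X)))        # false: T(a, a), a not final
SELF_LOOP_ONLY = ('exists', 'x', ('forall', 'y', ('imp', ('pred', 'T', X, Y), ('eq', X, Y))))  # witness: c


def check(phi, model=AUTOMATON, env=None):
    """Decide M |= phi for a sentence (or M |=_env phi when env assigns the free variables)."""
    return satisfies(model, env or {}, phi)


if __name__ == '__main__':
    for name in ('REACHES_SOMETHING', 'IS_TOTAL', 'FINAL_IN_ONE_STEP', 'ALL_SUCCS_FINAL', 'SELF_LOOP_ONLY'):
        print(f'{name:18s} sentence={is_sentence(globals()[name])} holds={check(globals()[name])}')
```

Quantifiers are decided by enumerating the finite universe, which is exactly what the ∀x and ∃x rules prescribe; over an infinite universe (integers, reals) this is no longer possible, which is where decision procedures for specific theories, i.e. SMT solvers, take over.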
3 Verification by Example
3.1 Overview of Signal
In the Signal language [17, 12], the reactions of a reactive system and the events of its environment along time are represented by flows of data, called signals. A signal is a sequence of values of the same type along an infinite sequence of instants. The set of instants (or time tags) at which a signal is present is the abstract clock of the signal. The constructs of the language use an equational style to specify the relations and dependencies between the data and the clocks of signals. Systems of equations on signals are built by composition, which constructs a process. A whole program is a process which runs forever, taking parameters and input signals and computing the output signals that react to the environment.
The language is based on seven kinds of equations: those that construct primitive processes, i.e. that specify computations over signals, and a composition operation used to build more elaborate processes in the form of systems of equations. We present each equation along with its semantic meaning and the implicit relationships between the clocks of its input and output signals.
• Equation on data: the equation y := f(x1, ..., xn), where f is an n-ary relation over numerical or boolean data types, defines a process whose output y(t), for every instant t ∈ ŷ, is y(t) = f(x1(t), ..., xn(t)). The clock constraint between input and output signals is ŷ = x̂1 = ... = x̂n.
• Delay: the equation y := x$1 init a defines a process whose output is y(ti) = a if ti is the initial instant, and y(ti) = x(ti−1) at every other instant. The clock constraint is ŷ = x̂.
• Merge: the equation y := x default z defines a process whose output at instant t is y(t) = x(t) when t ∈ x̂, and y(t) = z(t) when t ∉ x̂ ∧ t ∈ ŷ. The clock constraint is ŷ = x̂ ∪ ẑ.
• Sampling: the equation y := x when b defines a process whose output y(t) has value x(t) when the signal x is present and the boolean signal b is present with the value true. The clock constraint is ŷ = x̂ ∩ [b], where [b] = {t ∈ b̂ | b(t) = true}.
• Composition: P ≜ P1 | P2, where P1 and P2 are processes; P consists of the union of their systems of equations. The composition operator is commutative and associative.
• Restriction: P ≜ P1 where x, where P1 is a process and x a signal. It makes x a local declaration of P1 and induces the same constraints as P1.
• Equations on clocks: the language allows clock constraints to be defined explicitly by equations. The clock of a signal x is represented by a special signal ^x of type event, which carries only the single value true; thus equations on clocks over signals are equations over the corresponding event signals. They are: (i) the synchronization relation x ^= y ≜ (x̂ = ŷ); (ii) the clock union x ^+ y ≜ (^x default ^y); (iii) the clock intersection x ^* y ≜ (^x when ^y); (iv) the clock difference x ^- y ≜ when ((not ^y) default ^x).
3.2 Illustrative Example
We begin by showing how our verification process works for an illustrative example. Consider
the following synchronous program DEC written in Signal language:
process DEC=
(? integer FB;
! integer N)
(| N := FB default (ZN -1)
| ZN := N$1 init 1
| FB ^= when (ZN <=1)
|)
where integer ZN init 1
end;
Figure 1: DEC in Signal
In program DEC, there are an input signal FB, an output signal N, and a local signal ZN, all declared as integer signals. When it receives a new positive value FB, the program computes the output N as the sequence of values FB, FB-1, ..., 2, 1. When the output value is 1, it accepts the next input. The output N is equal to FB if its previous value (referred to as ZN, through the delay operator $) is less than or equal to 1; otherwise it is decremented by 1. The input FB is accepted (i.e. it is present) only when ZN becomes less than or equal to 1, as defined by the equation FB ^= when (ZN<=1), which defines the clock of FB. We use the symbol ⊥ to denote that a signal holds no value, i.e. is absent. At a given instant, if a signal is present we represent the value of its clock by 1, otherwise by 0. A possible computation of this program and the corresponding clocks of its variables are:

  instant     t0    t1    t2    t3    ...
  FB          ⊥     2     ⊥     3
  N           ⊥     2     1     3
  ZN          1     1     2     1

  clk(FB)     0     1     0     1     ...
  clk(N)      0     1     1     1
  clk(ZN)     1     1     1     1
The output program DEC_BASIC_TRA.SIG, obtained by compiling program DEC in the first phase of the Signal compiler (in which the clocks are made explicit), is given by:
...
CLK_N := CLK_N ^+ CLK_FB
| CLK_N ^= N ^= ZN
| CLK_FB := when (ZN <=1)
| CLK_FB ^= FB
...
The clocks of the variables of the transformed program, for the same computation as above, are given below (we skip the clocks of local intermediate variables):

  instant     t0    t1    t2    t3    ...
  clk(FB)     0     1     0     1
  clk(N)      0     1     1     1
  clk(ZN)     1     1     1     1

We observe that the transformed program is a correct transformation of the source program if every possible clock behavior of the variables of the transformed program is also a clock behavior of the variables of the source program.
In the next sections, we formalize this process and propose a method to automate it. First, we compute formal models, called clock models, which represent the clock information of the source program and of its compiled program. Then we check that every possible clock behavior in the clock model of the transformed program is also a clock behavior in the clock model of the source program.
4 Signal to Clock Model
In synchronous languages, logical time is completely determined by the reactions of the system to the occurrences of observed events. The system is supposed to react fast enough to produce the corresponding output events upon the occurrence of an input event, before the next input event arrives. Each reaction denotes a single logical instant in the synchronous model, at which the relations between observed events and the data dependencies are expressed [1]. Synchronous data-flow languages represent data as infinite sequences of values called data-flows, and each data-flow is paired with an abstract clock that defines the presence or absence of data in the data-flow. Thus, the principle of our encoding scheme is that, at a given instant, an abstract clock can be represented as a variable whose value is true (the corresponding data-flow is present) or false (the corresponding data-flow is absent).
Consider a program P, and denote by X_P = {x1, x2, ..., xn} the set of all its data-flow variables. For each data-flow xi of numerical, boolean or event type, we encode its clock with a boolean variable x̂i. Because of the equational structure of programs, we represent the relations between abstract clocks, described implicitly or explicitly, as first-order logic formulas over boolean variables, and the composition of equations as the conjunction of the corresponding formulas. We assume that all considered programs are written with the primitive operators, meaning that derived operators are replaced by their corresponding primitive ones, and that there are no nested operators such as z := x default (y when b): nested operators are broken up by introducing fresh variables. These formulas use the usual logic operators and numerical comparison functions [15]. For boolean expressions defined by numerical comparison functions over numerical expressions, to ensure that the resulting formulas are boolean, we only encode the fact that the clocks of the boolean and numerical expressions are synchronized and do not encode the values of the expressions. For each equation eqi of program P, we denote by Φ_eqi its abstract clock semantics; the abstract clock semantics of P is then represented by a first-order logic formula, called its clock model, denoted

    Φ_P = ⋀_{i=1}^{n} Φ_eqi                                    (1)

where n denotes the number of equations composed in P.
We use the method above to compute the clock model of a Signal program. That is, for each signal x, we use a boolean variable x̂ to encode its abstract clock. We only need to define the translation of the primitive equations into formulas encoding the abstract clocks, and the implicit or explicit clock relations of the signals involved in the equations. The composition of equations is simply translated as the conjunction of the corresponding first-order logic formulas. The delay operator $ (e.g. x$1) requires memorizing the past value of the signal, which is done by introducing a new variable m.x, where m.x stores the previous value of signal x and m.x′ stores the current value of signal x. Table 3 shows the translation of the primitive equations of the language, where ↔ denotes the equivalence relation. For instance, the primitive equation y := x1 and x2 is represented by the first-order logic formula ŷ ↔ x̂1 ↔ x̂2 ∧ y ↔ (x1 ∧ x2).
Signal allows clock constraints to be defined explicitly by equations; in this context, the signal clock is represented by a special signal of type event and our abstraction encodes the clock by using a boolean variable. By applying the above translation scheme, the following translations are obtained for equations on clocks:
• x ^= y ↦ x̂ ↔ ŷ (synchronization)
• z := x ^+ y ↦ ẑ ↔ (x̂ ∨ ŷ) (union)
• z := x ^* y ↦ ẑ ↔ (x̂ ∧ ŷ) (intersection)
• z := x ^- y ↦ ẑ ↔ (x̂ ∧ ¬ŷ) (difference)
Boolean signals:
y := not x            ŷ ↔ x̂ ∧ y ↔ ¬x
y := x and z          ŷ ↔ x̂ ↔ ẑ ∧ y ↔ (x ∧ z)
y := x or z           ŷ ↔ x̂ ↔ ẑ ∧ y ↔ (x ∨ z)
y := x default z      ŷ ↔ (x̂ ∨ ẑ) ∧ y ↔ (x̂ ∧ x ∨ ¬x̂ ∧ ẑ ∧ z)
y := x when b         ŷ ↔ (x̂ ∧ b̂ ∧ b) ∧ y ↔ (x̂ ∧ x ∧ b̂ ∧ b)
y := x$1 init a       ŷ ↔ x̂ ∧ y ↔ (x̂ ∧ m.x) ∧ m.x0 ↔ a ∧ m.x′ ↔ (x̂ ∧ x ∨ ¬x̂ ∧ m.x)
Non-boolean signals:
y := f(x1, ..., xn)   ŷ ↔ x̂1 ↔ ... ↔ x̂n
y := x default z      ŷ ↔ (x̂ ∨ ẑ)
y := x when b         ŷ ↔ (x̂ ∧ b̂ ∧ b)
y := x$1 init a       ŷ ↔ x̂
Composition and restriction:
P1 | P2               ΦP1 ∧ ΦP2
P where x             ∃x. ΦP
Table 3: Translation of the primitive equations
For example, for the Signal program DEC shown in Figure 1, following the encoding scheme above, we obtain the clock model ΦDEC of DEC as:
N := FB default (ZN − 1) ↦ N̂ ↔ (F̂B ∨ ẐN)
ZN := N$1 init 1 ↦ ẐN ↔ N̂
FB ^= when (ZN <= 1) ↦ F̂B ↔ (ẐN1 ∧ ZN1)
ZN1 := ZN <= 1 ↦ ẐN ↔ ẐN1
ΦDEC = (N̂ ↔ (F̂B ∨ ẐN)) ∧ (ẐN ↔ N̂) ∧ (F̂B ↔ (ẐN1 ∧ ZN1)) ∧ (ẐN ↔ ẐN1)
Process P : Semantics [[P]]c
y := R(x1, ..., xn) : {Tc ∈ T^c_{y,x1,...,xn} | ∀t ∈ N, ∀i, Tc(t)(xi) = Tc(t)(y)}
y := x default z : {Tc ∈ T^c_{x,y,z} | ∀t ∈ N, (Tc(t)(y) = Tc(t)(x) = 1) ∨ (Tc(t)(x) = 0 ∧ Tc(t)(y) = Tc(t)(z) = 1) ∨ (Tc(t)(y) = Tc(t)(x) = Tc(t)(z) = 0)}
y := x when b : {Tc ∈ T^c_{x,y,b} | ∀t ∈ N, (Tc(t)(x) = 1 ∧ Tc(t)(b) = 1 ∧ Tc(t)(y) = 1) ∨ (Tc(t)(x) = 0 ∧ Tc(t)(y) = 0) ∨ (Tc(t)(x) = 1 ∧ Tc(t)(b) = 0 ∧ Tc(t)(y) = 0)}
y := x$1 init a : {Tc ∈ T^c_{x,y} | ∀t ∈ N, Tc(t)(x) = Tc(t)(y)}
x ^= y : {Tc ∈ T^c_{x,y} | ∀t ∈ N, Tc(t)(x) = Tc(t)(y)}
z := x ^+ y : {Tc ∈ T^c_{x,y,z} | ∀t ∈ N, (Tc(t)(x) = 1 ∧ Tc(t)(z) = 1) ∨ (Tc(t)(x) = 0 ∧ Tc(t)(y) = 1 ∧ Tc(t)(z) = 1) ∨ (Tc(t)(x) = 0 ∧ Tc(t)(y) = 0 ∧ Tc(t)(z) = 0)}
z := x ^* y : {Tc ∈ T^c_{x,y,z} | ∀t ∈ N, (Tc(t)(x) = 1 ∧ Tc(t)(y) = 1 ∧ Tc(t)(z) = 1) ∨ (Tc(t)(x) = 0 ∧ Tc(t)(z) = 0) ∨ (Tc(t)(y) = 0 ∧ Tc(t)(z) = 0)}
z := x ^- y : {Tc ∈ T^c_{x,y,z} | ∀t ∈ N, (Tc(t)(x) = 1 ∧ Tc(t)(y) = 0 ∧ Tc(t)(z) = 1) ∨ (Tc(t)(x) = 0 ∧ Tc(t)(z) = 0) ∨ (Tc(t)(x) = 1 ∧ Tc(t)(y) = 1 ∧ Tc(t)(z) = 0)}
Table 4: Clock semantics of the primitive equations
5 Translation Validation for Clock Transformations
5.1 Soundness of The Clock Model
Let X = {x1, ..., xn} be a finite set of typed data-flow variables of a program P. We build on the basic elements of trace semantics [13, 16] to define the clock semantics of a synchronous program.
Definition (clock events). Given a non-empty set X, the set of clock events on X, denoted by E^c_X, is the set of all interpretations I for X. An interpretation is a mapping from X to the set of boolean values {0, 1}: I(x) = 1 if data-flow x holds a value, and I(x) = 0 if it holds no value. For example, for the set of data-flow variables X = {x1, x2}, the possible clock events are E^c_X = {(x1 ↦ 0, x2 ↦ 0), (x1 ↦ 0, x2 ↦ 1), (x1 ↦ 1, x2 ↦ 0), (x1 ↦ 1, x2 ↦ 1)}.
Definition (clock traces). Given a non-empty set X, the set of clock traces on X, denoted by T^c_X, is the set of functions Tc from the set N of natural numbers to E^c_X. The natural numbers represent the instants t = 0, 1, 2, ...; a trace Tc is a chain of clock events along the instants. We denote the interpreted value (0 or 1) of a variable x at instant t by Tc(t)(x). In the example above, Tc : (0, (x1 ↦ 0, x2 ↦ 0)), (1, (x1 ↦ 1, x2 ↦ 0)), ... is one of the possible clock traces on X, and Tc(0)(x1) = Tc(0)(x2) = 0.
The clock semantics of a program P is then a set of constrained clock traces, denoted by [[P]]c. Table 4 shows the clock semantics of each Signal primitive equation [13].
To show the soundness of our translation, we follow a reasoning similar to that of [13]. Let X = {x1, ..., xn} be a finite set of typed data-flow variables of a synchronous program P and ΦP its clock model over the corresponding set of clocks X̂ = {x̂1, ..., x̂n}. An interpretation Î over X̂ at a particular instant is called a clock configuration if and only if Î |= ΦP. Given a clock configuration Î, the set of clock events of Î is computed as Ssat(Î) = {I ∈ E^c_X | ∀i, I(xi) = Î(x̂i)}. Then the set of all clock events of the clock model ΦP is
Ssat(ΦP) = ⋃_{Î |= ΦP} Ssat(Î).
With the set of clock events Ssat(ΦP), the concretization of ΦP is the set of clock traces:
Γ(ΦP) = {Tc ∈ T^c_X | ∀t, Tc(t) ∈ Ssat(ΦP)} (2)
Definition. Given the clock model ΦP, we say that a property ϕ defined over the set of clocks X̂ is satisfied by ΦP if for any interpretation Î, Î |= ϕ whenever Î |= ΦP; this is denoted by ΦP |= ϕ.
Our translation scheme above is sound in terms of preserving the clock behaviors of the abstracted program: if a clock model satisfies a property defined over the clocks, then the corresponding program also satisfies this property, as stated by the following proposition.
Proposition 5.1 Let P and ΦP be a program and its clock model, respectively, and let ϕ be a property defined over the clocks. If ΦP |= ϕ then [[P]]c ⊆ Γ(ϕ).
Proof The proof of Proposition 5.1 uses Lemma 5.2. Given a clock trace Tc ∈ [[P]]c, Lemma 5.2 gives Tc ∈ Γ(ΦP), which means that ∀t, Tc(t) ∈ Ssat(ΦP). Since ΦP |= ϕ, every interpretation Î satisfying ΦP also satisfies ϕ. Thus any clock event I ∈ Ssat(ΦP) is also in Ssat(ϕ), meaning that ∀t, Tc(t) ∈ Ssat(ϕ). Therefore, Tc ∈ Γ(ϕ).
Lemma 5.2 For every program P, [[P]]c ⊆ Γ(ΦP).
Proof We prove it by induction on the structure of program P; that is, for each primitive operator of the language we show that the clock semantics is a subset of the corresponding concretization.
• Equation on data: P = y := f(x1, ..., xn). First, consider y as a numerical signal; following the translation scheme, we have the clock model ΦP = ŷ ↔ x̂1 ↔ ... ↔ x̂n. If an interpretation Î is a model of ΦP then:
– either ŷ = 0 and ∀i, x̂i = 0;
– or ŷ = 1 and ∀i, x̂i = 1.
Ssat(ΦP) is the set of all interpretations of the form above. Let Tc ∈ [[P]]c be a clock trace and t ∈ N be any instant; then either ∀i, Tc(t)(y) = Tc(t)(xi) = 0 or ∀i, Tc(t)(y) = Tc(t)(xi) = 1, thus Tc ∈ Γ(ΦP). When y is a boolean signal, the proof is similar.
• Delay, sampling, and merging operators: the proof proceeds in the same manner.
• Composition: P = P1 | P2. We have [[P]]c ⊆ [[P1]]c ⊆ Γ(ΦP1) by the induction hypothesis. In the same way, we also have [[P]]c ⊆ Γ(ΦP2). Then [[P]]c ⊆ Γ(ΦP1) ∩ Γ(ΦP2). Since Γ(ΦP1) ∩ Γ(ΦP2) ⊆ Γ(ΦP1 ∧ ΦP2), we have [[P]]c ⊆ Γ(ΦP1 ∧ ΦP2) = Γ(ΦP).
• Restriction: P = P1 where x. By definition of the clock semantics we have [[P]]c ⊆ [[P1]]c and Γ(ΦP1) ⊆ Γ(∃x.ΦP1). Since [[P1]]c ⊆ Γ(ΦP1) by the induction hypothesis, the result follows.
5.2 Definition of Correct Transformation: Refinement
We adopt the translation validation approach [22, 23] to verify formally that the abstract clock semantics is preserved by every transformation of the compiler. To do so, we propose a formal definition of correct transformation on clock models. Consider two clock models ΦP1 and ΦP2, which we refer to respectively as the clock models of a source program and of its transformed program produced by the compiler. We assume that they have the same set of variables. We say that P1 and P2 have the same clock semantics if they have the same set of clock traces:
∀Tc. (Tc ∈ Γ(ΦP1) ↔ Tc ∈ Γ(ΦP2)) (3)
Requirement (3) is in general too strong to be practical for synchronous data-flow languages. The source language might be non-deterministic, and compilers are allowed to select one of the possible behaviors of the source program. Additionally, compilers perform transformations and optimizations that remove or eliminate some redundant behaviors of the source program (e.g. eliminating subexpressions or trivial clock constraints). To address these issues, we relax the requirement above as follows:
∀Tc. (Tc ∈ Γ(ΦP2) → Tc ∈ Γ(ΦP1)) (4)
Requirement (4) says that all clock traces of ΦP2 are clock traces of ΦP1 as well, or Γ(ΦP2) ⊆ Γ(ΦP1). We say that ΦP2 is a correct transformation on abstract clocks of ΦP1, or that P2 refines P1 w.r.t. the clock semantics. We write P2 ⊑clock P1 to denote the fact that P2 refines P1.
With an unverified synchronous data-flow compiler, each compilation task is followed by our refinement verification process to provide a formal guarantee as strong as that provided by a formally verified compiler. Indeed, consider the following process:
Cp′(P1) = if Cp(P1) is
    Error → Error
    | OK(P2) → if P2 ⊑clock P1 then OK(P2) else Error
where Cp(P1) is the compilation task from the source program P1 to either compiled code (written Cp(P1) = OK(P2)) or compilation errors (written Cp(P1) = Error).
5.3 Proving Refinement
We now discuss an approach to checking the existence of a refinement between two clock models, based on the following theorem.
Theorem 5.3 Given a source program P1 and its transformed program P2, P2 is a correct transformation of P1 on abstract clocks, i.e. P2 ⊑clock P1, if every interpretation Î that is a clock configuration of ΦP2 is also a clock configuration of ΦP1:
∀Î. (Î |= ΦP2 → Î |= ΦP1) → P2 ⊑clock P1 (5)
Proof To prove Theorem 5.3, we show that if ∀Î. (Î |= ΦP2 → Î |= ΦP1) then Γ(ΦP2) ⊆ Γ(ΦP1). Given Tc ∈ Γ(ΦP2), we have ∀t, Tc(t) ∈ Ssat(ΦP2). Since ∀Î. (Î |= ΦP2 → Î |= ΦP1), we have Ssat(ΦP2) ⊆ Ssat(ΦP1), meaning that Tc(t) ∈ Ssat(ΦP1) for every t. Therefore, Tc ∈ Γ(ΦP1).
The existence of the refinement in (5) can be checked with an SMT-solver such as [10]. An SMT-solver decides the satisfiability of arbitrary logic formulas over linear real and integer arithmetic, scalar types, other user-defined data structures, and uninterpreted functions. When the checked formulas belong to a decidable theory, the solver gives one of two answers: sat when the formula has a model (there exists an interpretation that satisfies it), or unsat otherwise. In our case, we ask the solver whether the formula ¬(ΦP2 → ΦP1) is unsatisfiable. Since this formula is over boolean variables, the solving is decidable and very efficient [5].
We show that ¬(ΦP2 → ΦP1) is unsatisfiable if and only if ∀Î. (Î |= ΦP2 → Î |= ΦP1), or equivalently that (ΦP2 → ΦP1) is valid if and only if ∀Î. ((Î |= ΦP2) → (Î |= ΦP1)). For one direction, take any interpretation Î such that Î |= ΦP2; since (ΦP2 → ΦP1) is valid, Î |= ΦP1 as well, so for every interpretation Î, if Î |= ΦP2 then Î |= ΦP1. The converse direction follows from the definition of validity.
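As an added illustration (not the paper's or Polychrony's code), the following Python encodes the DEC clock model of Section 4 with the Table 3 rules and runs the refinement check of Theorem 5.3 on two constructed transformed programs, one correct and one that drops a clock constraint; it decides the validity of (ΦP2 → ΦP1) by enumerating interpretations instead of calling Yices, and also emits the SMT-LIB query that a solver would receive.

```python
"""Clock-model encoding (Table 3) and the refinement check of Theorem 5.3,
worked on the DEC program.  Added illustration, not the Polychrony code:
formulas are tuple ASTs, validity of (Phi_P2 -> Phi_P1) is decided here by
enumerating all boolean interpretations, and to_smtlib builds the solver query."""
from itertools import product
# Formula AST: ('var', n) | ('not', f) | (op, f, g), op in and / or / iff / imp
def var(n): return ('var', n)
def hat(x): return var(x + '^')   # x^ is the boolean variable for the clock of x
def conj(*fs): return fs[0] if len(fs) == 1 else ('and', conj(*fs[:-1]), fs[-1])
def disj(f, g): return ('or', f, g)
def iff(f, g): return ('iff', f, g)
def imp(f, g): return ('imp', f, g)

# Table 3 rows used by DEC: signals are non-boolean so only clocks are encoded,
# except the boolean ZN1 whose value drives the sampling of FB.
def eq_default(y, x, z):    # y := x default z  ->  y^ <-> (x^ v z^)
    return iff(hat(y), disj(hat(x), hat(z)))
def eq_delay(y, x):         # y := x$1 init a   ->  y^ <-> x^
    return iff(hat(y), hat(x))
def eq_sync(x, y):          # x ^= y            ->  x^ <-> y^
    return iff(hat(x), hat(y))
def eq_sync_when(x, b):     # x ^= when b       ->  x^ <-> (b^ ^ b)
    return iff(hat(x), conj(hat(b), var(b)))
def eq_compare(y, x):       # y := x <= c       ->  y^ <-> x^ (value not encoded)
    return iff(hat(y), hat(x))
def clock_model(equations): # composition P1 | P2 is conjunction, formula (1)
    return conj(*equations)

def evaluate(f, I):
    """Truth value of f under interpretation I (dict name -> bool)."""
    if f[0] == 'var': return I[f[1]]
    if f[0] == 'not': return not evaluate(f[1], I)
    a, b = evaluate(f[1], I), evaluate(f[2], I)
    return {'and': a and b, 'or': a or b, 'iff': a == b, 'imp': not a or b}[f[0]]

def variables(f, acc=None):
    acc = set() if acc is None else acc
    if f[0] == 'var': acc.add(f[1])
    else:
        for sub in f[1:]: variables(sub, acc)
    return acc

def refinement_counterexample(phi_p2, phi_p1):
    """Theorem 5.3: P2 refines P1 iff every I^ |= Phi_P2 also satisfies Phi_P1.
    Returns None when (Phi_P2 -> Phi_P1) is valid, otherwise a falsifying I^
    (the model a solver would report for not(Phi_P2 -> Phi_P1))."""
    names = sorted(variables(phi_p1) | variables(phi_p2))
    for bits in product((False, True), repeat=len(names)):
        I = dict(zip(names, bits))
        if not evaluate(imp(phi_p2, phi_p1), I):
            return I
    return None

def to_smtlib(phi_p2, phi_p1):
    """SMT-LIB script for the check of Section 5.3; 'unsat' means correct."""
    op = {'not': 'not', 'and': 'and', 'or': 'or', 'iff': '=', 'imp': '=>'}
    def term(f):
        if f[0] == 'var': return f[1]
        return '(%s %s)' % (op[f[0]], ' '.join(term(s) for s in f[1:]))
    decls = ['(declare-const %s Bool)' % n
             for n in sorted(variables(phi_p1) | variables(phi_p2))]
    query = '(assert (not (=> %s %s)))' % (term(phi_p2), term(phi_p1))
    return '\n'.join(decls + [query, '(check-sat)'])

# DEC (Figure 1) encoded as in Section 4.  The transformed programs are
# constructed here, not actual compiler output: DEC_TRA replaces the clock
# constraint of the default by the explicit relation N ^= ZN that the clock
# calculation can derive; DEC_BAD wrongly drops the sampling constraint on FB.
DEC = [eq_default('N', 'FB', 'ZN'),   # N := FB default (ZN - 1)
       eq_delay('ZN', 'N'),           # ZN := N$1 init 1
       eq_sync_when('FB', 'ZN1'),     # FB ^= when (ZN <= 1)
       eq_compare('ZN1', 'ZN')]       # ZN1 := ZN <= 1
DEC_TRA = [eq_sync('N', 'ZN')] + DEC[1:]
DEC_BAD = DEC[:2] + DEC[3:]
PHI_DEC, PHI_TRA, PHI_BAD = (clock_model(p) for p in (DEC, DEC_TRA, DEC_BAD))
```

refinement_counterexample(PHI_TRA, PHI_DEC) returns None (DEC_TRA ⊑clock DEC), while refinement_counterexample(PHI_BAD, PHI_DEC) returns a clock configuration in which FB is present although ZN1 is not true, exactly the behaviour the dropped constraint was forbidding.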
5.4 Implementation
In this section, we describe the main components of the implementation, which is integrated in the existing Polychrony toolset [21] to prove the correctness of the Signal compiler on abstract clocks. The compiler [4] consists of a sequence of code transformations. Some transformations are optimizations that rewrite the code to eliminate subexpressions and inefficient expressions. The compilation process may be seen as a sequence of morphisms rewriting Signal programs to Signal programs, and the final steps (C or Java code generation) are simple morphisms over the ultimately transformed program. For convenience, the transformations of the compiler are divided into three phases as depicted in Figure 2.
Figure 2: An overview of our integration within the Polychrony toolset (figure not reproduced). Pipeline: *.SIG → *_TRA.SIG → *_BOOL_TRA.SIG (clock calculation, boolean abstraction) → *_SEQ_TRA.SIG (scheduling) → C/C++, Java (code generation). A clock model is computed for each of *.SIG, *_TRA.SIG and *_BOOL_TRA.SIG, and the Yices solver checks the refinement between consecutive clock models.
The optimized final program *_SEQ_TRA.SIG is translated directly to executable code. We are interested in the first stage of the compiler: clock calculation and boolean abstraction. The intermediate forms in the transformations of the compiler may be expressed in the Signal language itself. To prove the correctness of the compiler transformations on abstract clocks, our implementation takes the input program P.SIG and its transformed program P_TRA.SIG. It first computes the clock models based on the above translation scheme. The clock models of the input and transformed programs are combined as the formula (ΦP_TRA.SIG → ΦP.SIG). Then it checks that |= (ΦP_TRA.SIG → ΦP.SIG), or equivalently that M ⊭ ¬(ΦP_TRA.SIG → ΦP.SIG) for every interpretation M. The result of this check is used to assess the correctness of the compiler's transformations. If the result says that the checked formula is not valid (or that its negation is satisfiable), then the compiler emits a compilation error. Otherwise, the compiler continues its work. The same procedure is applied to the other steps of the compiler. Finally, our verification process asserts that P_BOOL_TRA.SIG ⊑clock P_TRA.SIG ⊑clock P.SIG along the transformations of the compiler.
Here, we delegate the checking of the above formula against the clock models to an SMT-solver. Our implementation uses the SMT-LIB common format [7] to encode the clock models as input of the SMT-solver. For our implementation, we consider the Yices [10] solver, which was one of the two best solvers at the last SMTCOMP competition [24].
6 Related Work and Conclusion
The notion of translation validation was introduced in [22, 23] by A. Pnueli et al. to verify the code generator of Signal. In that work, the authors define a language of symbolic models to represent both the source and target programs, called Synchronous Transition Systems (STS). An STS is a set of logic formulas which describe the functional and temporal constraints of the whole program and its generated C code. They then use BDD [6] representations to implement the symbolic STS models, and their proof method uses a SAT-solver to reason on the signal constraints. The drawback of this approach is that it does not capture the clock semantics explicitly, and in some cases the code generator eliminates the use of a local register variable in the generated code, so that the mapping cannot be established. Additionally, for a large program the formula is very large and includes numerical expressions, which makes it inefficient. Moreover, the whole calculation of a synchronous program or of the generated code is considered as one atomic transition in the STS; thus it does not capture the scheduling semantics and data dependencies of the programs, and does not explicitly prove the preservation of abstract clocks in the compiler transformations. Another related work is the static analysis of Signal programs for efficient code generation [13]. In a similar way, the authors formalize the abstract clocks and clock relations as first-order logic formulas with the help of an interval abstraction technique, in order to make the generated code more efficient by detecting and removing dead-code segments (e.g., segments of code computing a data-flow which is always absent). Their approach is to determine the existence of empty clocks, the mutual exclusion of two or more clocks, or clock inclusion by reasoning on the formal model using an SMT-solver. There have been other works which adopt the translation validation approach for the verification of transformations and optimizations. In [8, 19], the programs before and after the transformations and optimizations of a C compiler are represented in a common intermediate form, and the preservation of semantics is then checked by using symbolic execution and the proof assistant Coq [9]. With the same purpose, in the work of [20], we encode the source programs and the transformations as Polynomial Dynamical Systems and prove that the transformations preserve the abstract clocks and clock relations of the source programs. Since it relies on simulation as in model checking techniques, this approach suffers from the growth of the state space when it deals with large programs. On the contrary, in our present work, the abstract clocks and clock relations are described as a logic formula over boolean variables. Thanks to the efficiency of SMT-solvers in processing formulas over boolean variables, our approach can deal with large programs whose huge numbers of variables cause the state-space explosion problem in model checking techniques.
The present paper provides a proof of correctness of the multi-clocked synchronous programming language compiler for clock semantics preservation and applies this approach to the compiler of the synchronous data-flow language Signal. We have presented a technique based on SMT-solving to prove the preservation of timing properties during compilation. Namely, we have shown that the implicit clock relations describing the discrete timing model of a data-flow specification are preserved in its implementation, which deterministically characterizes the presence/absence status of all its input/output signals.
The desired behavior of a given source program and of the transformed one are represented as clock models. A refinement relation between the source and transformed programs is used to express the preservation, which is checked by using an SMT-solver. All compilation stages are followed by a similar refinement verification process.
We have implemented and integrated our translation validation process within the Polychrony toolset, using the Yices solver to prove the correctness of the full compilation phases of the compiler. As future work, we would like to use the proof of abstract clock semantics preservation given in this work to verify the equivalence between the data-flows and the corresponding variables of the program and its generated code. The verification of equivalence will be done by using a normalizing value-graph [25] which contains only the computations of data-flows and no timing information. This graph can therefore be evaluated more efficiently.
References
[1] A. Benveniste, P. Caspi, S.A. Edwards, N. Halbwachs, P. Le Guernic, and R. De Simone: The synchronous languages 12 years later. Proceedings of the IEEE 91(1), pp. 64-83, 2003.
[2] G. Berry: The foundations of Esterel. In Proof, Language and Interaction: Essays in Honour of Robin Milner, MIT Press, 2000.
[3] F. Besson, T. Jensen, and J-P. Talpin: Polyhedral analysis for synchronous languages. In Proceedings of the 6th International Symposium on Static Analysis, LNCS 1694, pp. 51-68, Sep 1999.
[4] L. Besnard, T. Gautier, P. Le Guernic, and J-P. Talpin: Compilation of polychronous data flow equations. In Synthesis of Embedded Software, Springer, 2010.
[5] A. Biere, M. Heule, H. van Maaren, and T. Walsh: Handbook of Satisfiability. Volume 185 of Frontiers in Artificial Intelligence and Applications, IOS Press, Amsterdam, The Netherlands. ISBN 978-1-5860-3929-5, 2009.
[6] R. Bryant: Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, Aug 1986.
[7] C. Barrett, S. Ranise, A. Stump, and C. Tinelli: The Satisfiability Modulo Theories Library (SMT-LIB). http://www.SMT-LIB.org, 2008.
[8] Inria, France: The CompCert Project. http://compcert.inria.fr.
[9] Inria, France: The Coq Proof Assistant. http://coq.inria.fr.
[10] B. Dutertre, and L. de Moura: Yices sat-solver. http://yices.csl.ri.com, 2009.
[11] J.H. Gallier: Logic for Computer Science. John Wiley, 1987.
[12] A. Gamatié: Designing Embedded Systems with the Signal Programming Language: Synchronous, Reactive Specification. Springer, New York. ISBN 978-1-4419-0940-4, 2009.
[13] A. Gamatié, and L. Gonnord: Static Analysis of Synchronous Programs in Signal for Efficient Design of Multi-Clocked Embedded Systems. In ACM SIGPLAN/SIGBED Conference on Languages, Compilers, Tools and Theory for Embedded Systems (LCTES'2011), Chicago, IL, USA, April 2011.
[14] N. Halbwachs: A synchronous language at work: the story of Lustre. In 3rd ACM-IEEE International Conference on Formal Methods and Models for Codesign (MEMOCODE'05), Jul 2005.
[15] M. Huth, and M. Ryan: Logic in Computer Science: Modelling and Reasoning about Systems. Cambridge University Press. ISBN 978-0-5215-4310-1, 2004.
[16] P. Le Guernic, and T. Gautier: Advanced Topics in Data-Flow Computing, chapter Data-flow to von Neumann: the Signal approach. Prentice-Hall, pp. 413-438, 1991.
[17] P. Le Guernic, J-P. Talpin, and J-C. Le Lann: Polychrony for system design. Journal of Circuits, Systems and Computers, 12(3):261-304, Apr 2003.
[18] L. de Moura, and N. Bjorner: Satisfiability Modulo Theories: An appetizer. In Brazilian Symposium on Formal Methods (SBMF'2009), Gramado, Brazil, Aug 2009.
[19] G.C. Necula: Translation Validation for an Optimizing Compiler. In Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation (PLDI'00), pp. 83-94, May 2000.
[20] V.C. Ngo, J-P. Talpin, T. Gautier, P. Le Guernic, and L. Besnard: Formal Verification of Compiler Transformations on Polychronous Equations. In Proceedings of IFM'12, LNCS 7321, pp. 113-127, 2012.
[21] Inria/Espresso: Polychrony Toolset. http://www.irisa.fr/espresso/Polychrony.
[22] A. Pnueli, M. Siegel, and E. Singerman: Translation validation. In B. Steffen, editor, 4th Intl. Conf. TACAS'98, LNCS 1384, pp. 151-166, 1998.
[23] A. Pnueli, O. Shtrichman, and M. Siegel: Translation validation: From Signal to C. In Correct System Design: Recent Insights and Advances, LNCS 1710, pp. 231-255, 2000.
[24] A. Stump, and M. Deters: http://www.smtcomp.org/2009, 2009.
[25] J-B. Tristan, P. Govereau, and G. Morrisett: Evaluating value-graph translation validation for LLVM. In ACM SIGPLAN Conference on Programming Language Design and Implementation, California, June 2011.
Publisher
Inria
Domaine de Voluceau - Rocquencourt
BP 105 - 78153 Le Chesnay Cedex
inria.fr
ISSN 0249-6399
