A Behavioral Type Inference System for Compositional System-on-Chip Design by Talpin, Jean-Pierre et al.
A Behavioral Type Inference System for Compositional
System-on-Chip Design
Jean-Pierre Talpin, David Berner, Sandeep Shukla, Paul Le Guernic,
Abdoulaye Gamatie´, R.K. Gupta
To cite this version:
Jean-Pierre Talpin, David Berner, Sandeep Shukla, Paul Le Guernic, Abdoulaye Gamatie´, et
al.. A Behavioral Type Inference System for Compositional System-on-Chip Design. Fourth In-
ternational Conference on Application of Concurrency to System Design (ACSD’04), Jun 2004,
Hamilton, Ontario, Canada. pp.47-56, 2004, <10.1109/CSD.2004.1309115>. <hal-00542146>
HAL Id: hal-00542146
https://hal.archives-ouvertes.fr/hal-00542146
Submitted on 1 Dec 2010
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
A behavioral type inference system for compositional system-on-chip design
Jean-Pierre Talpin1 David Berner1 Sandeep Kumar Shukla2
Paul Le Guernic1 Abdoulaye Gamatie´1 Rajesh Gupta3
1INRIA-IRISA 2Virginia Tech 3University of California at San Diego
Abstract
The design productivity gap has been recognized by the
semiconductor industry as one of the major threats to the
continued growth of system-on-chips and embedded sys-
tems. Ad-hoc system-level design methodologies, that lifts
modeling to higher levels of abstraction, and the concept
of intellectual property (IP), that promotes reuse of exist-
ing components, are essential steps to manage design com-
plexity. However, the issue of compositional correctness
arises with these steps. Given components from different
manufacturers, designed with heterogeneous models, at dif-
ferent levels of abstraction, assembling them in a correct-
by-construction manner is a difficult challenge. We address
this challenge by proposing a process algebraic model to
support system design with a formal model of computation
and serve as a behavioral type system to capture the behav-
ior of system components at the interface level. The pro-
posed type system is conceptually minimal and supports a
scalable notion and a flexible degree of abstraction. Our
presentation targets the de facto standard SystemC, yet with
a generic and language-independent method. Applications
of our technique range from the detection of local design
errors to the compositional assembly of modules.
1 Introduction
The design productivity gap has been recognized by the
semiconductor industry as one of the major threats to the
continued growth of complex system-chips and their appli-
cations. System level design methodology that moves from
RTL-based design entry into design methods at higher-level
of abstraction is essential to manage design complexity. A
number of advances in high-level modeling and validation
have been proposed over the past decade in an attempt to
improve the level of abstraction in system design, most of
these enable greater reuse of existing intellectual property
(IP) blocks. Design correctness is an important part of this
move. Given the complexity of system-level designs, it is
important that the composition of system-level IP blocks
be guaranteed correct. However, a posteriori validation of
component compositions is a difficult problem. Techniques
are needed that ensure design correctness as a part of the
design process itself. To address this issue, methodological
precepts have been developed that separately focus on de-
sign reuse and correctness by construction. Both reuse and
elevation of abstraction at design entry critically depend on
guaranteed design correctness.
To improve the state of the art in component composi-
tion from existing IP libraries, we specifically seek to ad-
dress the following issue: given a high level architectural
description (e.g., a ”virtual” architecture) and a library of
implemented components, how can one automate the se-
lection of implementation of virtual components from the
library, and automatically ensure composability of data and
behavior? Our approach is based on a high-level modeling
and specification methodology that ensures compositional
correctness through a type theory capturing behavioral as-
pects of component interfaces. The proposed system builds
upon previous work on scalable design exploration using
refinement/abstraction-based design methodologies [8], im-
plemented in the Polychrony workbench, and on a layered
Component Composition Environment, Balboa [2], which
allows specification of SystemC components with mixed
levels of structural and behavioral details and high degree
of concurrency and timing requirements. Our behavioral
type system consists of a minimalist formalism, called the
iSTS (implicit synchronous transition systems), akin to a
subset of Pnueli’s synchronous transition systems [6]. It is
used as a type system to describe the behavior of system
components and allow for global model transformations to
be performed on the system based on behavioral type in-
formation. In [9], it is equipped with a formal semantics
defined in polychronous model of computation [4] and im-
plemented by the Polychrony workbench (available from
http : //www.irisa.fr/espresso/Polychrony).
2 Rationale
To allow for an easy grasp on the proposed behavioral
type inference technique, we outline the analysis of a Sys-
temC program (Figure 1, left), by depicting the construction
1
(C source) (SSA code) (behavioral type) (static type) (scheduling)
while (idata != 0)
{
ocount = ocount
+ (idata & 1);
idata = idata >> 1;
}
L2:T1 = idata;
T0 = T1 != 0;
if T0 then goto L3;
T2 = ocount;
T3 = T1 & 1;
ocount = T2 + T3;
idata = T1 >> 1;
goto L2;
xL2⇒T1 := idata
T0 := (T1 6= 0)
T0 ⇒x′L3
¬T0⇒T2 := ocount
T3 := T1&1
ocount
′ := T2 + T3
idata
′ := T1 >> 1
x
′
L2
xL2⇒Tˆ1 = ˆidata
Tˆ0 = Tˆ1
T0 ⇒x′L3
¬T0⇒Tˆ2 = ˆocount
Tˆ3 = Tˆ1
ˆocount = Tˆ2 ∧ Tˆ3
ˆidata = T1
x
′
L2
T1←idata
T1→T0
T0→x′L3
T2←ocount
T1→T3
T2→ocount’←T3
T1→idata’
T0→x′L2
Figure 1. From a SystemC program to a behavioral types and its abstraction
of its behavioral type (Figure 1, middle) and the inference
of its static abstraction (Figure 1, right). Then we elaborate
the notion of proof obligations synthesis by giving a brief
outline of the design correctness issues which can be mod-
eled and checked in the framework of our type system.
Static single assignment. Figure 1, left, depicts a sim-
ple C code fragment consisting of an iterative program that
counts the number of bits set to one in the variable idata.
While idata is not equal to zero, it adds its right-most bit to
an output count variable ocount and shifts it right in order
to process the next bit. In the static single-assignment (SSA)
representation of the program (Figure 1, second column) all
variables (idata and ocount) are read and written once per
cycle. Label L2 is the entry point of the SSA block associ-
ated with the while loop. The first instruction loads the input
variable idata into the register T1. The second instruction
stores the result of its comparison with 0 in the register T0.
If T0 is false, control is passed to block L3. Otherwise, the
next instruction is executed: the variable ocount is loaded
into T2, the last bit of T1 is loaded into T3, the sum of
T2 and T3 assigned to ocount and the right-shift of T1 as-
signed to idata. The block terminates with an unconditional
branch back to label L2.
Behavioral types. The SSA intermediate representation
of an imperative program represents an otherwise arbitrar-
ily obfuscating C program in a form that can be easily ma-
nipulated by an automatic program analyzer. Let us zoom
on the block L2 in the example of Figure 1. The behav-
ioral type of the block L2, middle, consists of the simul-
taneous composition of logical propositions (middle) that
form a synchronous transition system. Each proposition is
associated with one instruction: it specifies its invariants.
In particular, it tells when the instruction is executed, what
it computes, when it passes control to the next statement,
when it branches to another block.
On line 1 for instance, we associate the instruction
T1 := idata to the proposition xL2 ⇒ T1 := idata. In
this proposition, the variable xL2 is a boolean that is true iff
the block of label L2 is being executed. Hence, the propo-
sition says that, if the label L2 is being executed, then T1 is
equal to idata. Otherwise, another proposition may hold. In
the present case, all propositions are conditioned by xL2 to
mean that they hold when block L2 is being executed.
The extent of a proposition is the duration of a reaction.
A reaction can be an arbitrarily long period of time provided
that it is finite and that every variable or register changes its
value at most once during that period. For instance, con-
sider the instruction if T0 then L3. It is likely that label L3
will, just as L2, perform some operation on the input idata.
Therefore, its execution is delayed until after the current re-
action. We refer to x′
L3
as the next value of the state variable
xL3, to indicate that it will be active during the next reaction.
Hence, the proposition xL2 ⇒ T0 ⇒ x′L3 says that control
will be passed to L3 at the next reaction when control is
presently at L2 and when T0 is true. The instructions that
follow this test are conditioned by the negative ¬T0, this
means: ”in the block L2 and not in its branch to L3”.
Static abstraction. We have seen that every instruction of
an SSA program could be associated with a proposition to
render its control-flow and data-flow behaviors. This rep-
resentation provides a formal and expressive way to model,
analyze, optimize and verify the behavior of ordinary Sys-
temC programs. To ease both optimization and verification
of such programs based on that representation, we abstract it
over its control flow, characterized by boolean relations be-
tween clocks, and its data flow, characterized by scheduling
relations between signals. Let us first define some terminol-
ogy. A clock xˆ is associated with a signal x.
The signal x corresponds to the flow of the successive
values of a variable, sampled by the discrete periods of time
that we call reactions. The clock of xˆ denotes that set of
periods or instants. On Figure 1, right, all operations on
integers reported in the behavioral type are abstracted by
boolean relations between clocks and by scheduling rela-
tions. This is in fact sufficient information to reconstruct
the entire control and data flow graphs of the program. All
information abstracted from this view essentially consists
of computational instructions with which we could decorate
this graph to regenerate the original program.
For instance, the instruction T0 = (T1! = 0) is ab-
stracted by the type xL2 ⇒ Tˆ1 = Tˆ0 . It means: ”when
the block L2 is executed, T0 is present iff T1 is present”.
The scheduling constraint xL2 ⇒ T0 → xL3 additionally
says that ”x′
L3
cannot happen before T0 at L2”. Indeed, one
2
first needs to examine the status of T0 before to branch to
L3. The type associated with the block L2 uses the clocks
denoted by the booleans xL2, T0 and ¬T0. Each clock de-
notes a branch in the control-flow graph of the block L2.
The other clocks, e.g. Tˆ1, denote the presence of data. They
are partially related to the ”label” clocks xL2, T0 and ¬T0.
Typed modules. Section 5 develops the use of the infor-
mation provided by the behavioral type inference system to
perform design correctness checks. The most salient feature
of the behavioral type system is yet the capability to reduce
compositional design correctness verification to the valida-
tion of synthesized proof obligations. It is presented in the
context of the inference system proposed for the SystemC
module system, Section 4.
As an example, consider a class whose virtual fields
are two clocks x and y, and a procedure f . It defines
an interface, named m0, and will be used to type another
class. Next, assume an explicit behavioral type declaration
#TYPE(f, Q) which associates f with a description of its be-
havior: the proposition Q (a denotation of all possible im-
plementations satisfying an expected functionality).
classm0 { virtual sc clockx, y;
virtual void f() {} #TYPE(f, Q) };
template 〈classm1〉 #TYPE(m1, m0)
SC MODULE(m2) {
SC CTOR(m2) {
SC THREAD(m1.f) sensitive ¿ x } };
classm3 { sc clockx, y;
void f() { pgm} #TYPE(f, P ) };
m2〈m3〉m4;
Next, we associate the interface m0 with the class parameter
m1 of a template class m2. The interface m0 now gives a
behavioral type to the method f in the class parameter m1
expected by the module m2. Indeed, the template class m2
uses the class parameter m1, that implements m0, to launch
a thread m1.f sensitive to x. The behavioral type Q, which
gives an assumption on the behavior of m1.f , is required
to provide a guarantee on the behavior of the module m2,
produced by the template class.
Proof obligations. Let m3 be a candidate parameter for
the template class m2. It structurally implements the inter-
face m0, because it provides the clocks x and y and defines
the method f by the program pgm . Using the type inference
technique previously outlined, the program pgm is associ-
ated with a proposition P that describes its behavioral type,
and the class m3 be decorated with the corresponding type
declaration #TYPE(f, P ). Finally, let m4 be the class defined
by the instantiation of the template m2 with the actual pa-
rameter m3. To check the compatibility of the actual param-
eter m3 with the formal parameter m0, we need to establish
the containment of the behaviors denoted by the proposition
P (the behavioral type of the actual parameter) in the deno-
tation of the proposition Q, the type abstraction declared in
m0. This amounts to check that P implies Q. This proof
obligation can either be implemented using model checking
(if P and Q are dynamic interfaces) or using SAT checking,
if Q is a static interface, by calculating the static abstraction
Pˆ of P and by verifying that Pˆ implies Q.
3 A polychronous type system
We now give an informal outline of the type system
that will support and materialize the polychronous model
of computation and type, and sign the behavior of SystemC
programs and classes. The key principles put to work in this
notation are essentially borrowed to Pnueli’s STS [6] and its
syntax to Dijkstra’s guarded command language, we call is-
the iSTS (i for implicit). In the iSTS, a process consists of
simultaneous propositions that manipulate signals. A sig-
nal is an infinite flow of values that is sampled by a discrete
series of instants or reactions. An event corresponds to the
value carried by a signal during a particular reaction.
An example. The system of equations below puts to-
gether the main features of the behavioral type system. It
describes the behavior of a counter modulo 2, noted P
(=def means ”is defined by”), through a set of simultane-
ous propositions, labeled from (1) to (3).
P
def
=
¬s0 (1)
| xˆ ⇒ s′ = ¬s (2)
| s ⇒ yˆ (3)
Proposition (1) is an invariant. It says that the initial value
of the signal s, denoted by s0, is false. This is specified
by the proposition ¬s0 (or s0 = 0). Proposition (2) is a
guarded command. It says that if the signal x is present
during a given reaction then the value of s is toggled. The
left-most part of the sentence, the proposition xˆ, is a con-
dition or a guard. It denotes the clock of x. It is true if the
signal x is present during the current reaction. The right-
most part of the sentence, the proposition s′ = ¬s, is a tran-
sition. The term s′ refers to the next value of the signal s.
The proposition s′ = ¬s says that the next value of s is the
negation of the present value of s. Proposition (3) is another
guarded command. It says that if s is true then y is present.
Notice that, in proposition (3), the guard expects the signal
s to hold the value 1 but that its action does not actually
specify the value of the signal y: it simply requires it to be
present. Proposition (3) is hence an abstraction: a proposi-
tion that partially describes the properties of the system un-
der consideration without implying a particular implemen-
tation. To implement a function or a system, this proposition
needs to be compositionally refined by another one, saying
what value y should hold at all time (i.e. when present). To
3
(component) sys ::= [template 〈classm1〉 #TYPE(m1, m2)] classm {dec} | SC MODULE(m) {dec; SC CTOR(m) {new}} | sys; sys
(declaration) dec ::=m〈m∗〉x | void f() {pgm} | dec; dec (constructor)new ::= SC THREAD(f) sensitive ¿ x∗ |new ; pgm
(program)pgm ::= L:blk | pgm ; pgm (instruction) stm ::=x = f(x∗) |waitx | notify x | if x then L
(block) blk ::= stm; blk | rtn (return) rtn ::= gotoL | return | throw x; catch x from L toL usingL
Figure 2. Abstract syntax for SystemC
this end, one could for instance compose the counter P with
the proposition Q=def
(
y′ = y + 1 |y0 = 0
)
.
Notice that the iteration specified by the proposition Q is
not guarded. This means that it is an invariant that describes
the successive values of the signal y in time but not the par-
ticular time samples at which the signal y should occur. The
composition of Q with P has the effect of synchronizing the
signal y in Q to the clock s in P : to the time samples during
which the signal s holds the value true. This composition
is called a refinement: the system obeys the specification
denoted by the initial proposition P and is constrained to
further satisfy the additional conditions implied by Q.
The notation introduced so far holds necessary and suf-
ficient ingredients to specify the behavior of multi-clocked
synchronous systems. Pnueli’s original STS notation fea-
tures two additional notions essentially geared towards ver-
ification by model-checking: one is choice P ∨Q, the other
explicit absence ⊥. Both can be modeled in the iSTS. An
order of execution can be imposed to a proposition by its re-
finement with a scheduling constraint, noted y → x. Then,
x = y is an abstraction of x = y |y → x where y → x
informally means that ”x cannot happen before y”. In do-
ing so, we refine the time scale, from one in which x and
y happen simultaneously, to a more precise one in which
one observes that x cannot happen before y. In the remain-
der, we adopt the syntax x := y borrowed to Signal for an
assignment of y to x: (x = y |y → x).
Formal syntax of the type system. The formal syntax of
propositions in the behavioral type system is defined by the
inductive grammar P . A propositon or process P manip-
ulates boolean values noted v ∈ {0, 1} and signals noted
x, y, z. A location l refers to the initial value x0, the present
value x and the next value x′ of a signal. A reference r is
either a value v or a signal x.
(reference) r::=x | v (location) l ::= x0 |x |x′
(clock) e, f ::=0 |x = r | e ∧ f | e ∨ f | e \ f | 1
(process) P, Q::=1 | l = r |x → l | e ⇒ P | (P |Q) |P/x
A clock expression e is a proposition on boolean values that,
when true, defines a particular period in time. The clocks 0
and 1 denote events that never/always happen. The clock
x = r denotes the proposition: ”x is present and holds the
value r”. Particular instances are: the clock xˆ=def(x = x),
which stands for ”x is present”; the clock x=def(x = 1) for
”x is true”, and the clock ¬x=def(x = 0) for ”x is false”.
Clocks are propositions combined using the logical com-
binators of conjunction e∧f , to mean that both e and f hold,
disjunction e∨f , to mean that either e or f holds, and sym-
metric difference e \ f , to mean that e holds and not f . A
process P consists of the simultaneous composition of el-
ementary propositions. 1 is the process that does nothing.
The proposition l = r means that ”l holds the value r”. The
proposition x → l means that ”l cannot happen before x”.
The process e ⇒ P is a guarded command. It means: ”if
e is present then P holds”. Processes are combined using
synchronous composition P |Q to denote the simultaneity
of the propositions P and Q. Restricting a signal name x to
the lexical scope of a process P is written P/x.
4 Behavioral types for SystemC modules
We are now equipped with the required mathematical
framework and formal methodology to address the model-
ing of GALS architectures described using SystemC. This
model is described in terms of a type inference system and
extended to the structuring elements of SystemC in terms of
a module system. This framework allows to give a behav-
ioral signature of the component of the system, composi-
tionally check the correct composition of such components
to form architecture, to optimize the described software el-
ements from the imposed hardware elements by, first, de-
taching the formal model from the functional architecture
description and, second, using the model to regenerate an
optimized software matching the requirements of the execu-
tion architecture. As a by-product, the association of types
with SystemC programs provides a formal denotational se-
mantics implied by the interpretation of types in the poly-
chronous model of computation.
Formal syntax of SystemC core. We start with the def-
inition of the core of the SystemC syntax relevant to the
present study. A system consists of the composition of
classes and modules sys , Figure 2. A class declaration
classm {dec} associates a class name m with a sequence
of fields dec. It is optionally parameterized by a class with
template 〈classm1〉. To enforce a strong typing policy, we
annotate the class parameter m1 with #TYPE(m1, m2) to de-
note the type of m1 with the virtual class m2. A module
SC MODULE(m) is a class that defines an architecture com-
ponent. Its constructor SC CTOR(m) {new ; pgm} allocates
threads (e.g. SC THREAD(f)) and executes an initialization
4
while true { wait (epc.lock);
idata = epc.data;
ocount = 0;
while (idata != 0) {
ocount = ocount + (idata & 1);
idata = idata >> 1; }
epc.count = ocount;
notify (epc.lock); }
L1:wait (epc.lock);
idata = epc.data;
ocount = 0;
goto L2;
L3:epc.count = ocount;
notify (epc.lock);
goto L1;
L2:T1 = idata;
T0 = T1 == 0;
if T0 then goto L3;
T2 = ocount;
T3 = T1 & 1;
ocount = T2 + T3;
idata = T1 >> 1;
goto L2;
xL2⇒T1 := idata
T0 := (T1 6= 0)
T0 ⇒x′L3
¬T0⇒T2 := ocount
T3 := T1&1
ocount
′ := T2 + T3
idata
′ := T1 >> 1
x
′
L2
Figure 3. Translation of the SystemC thread of the EPC into SSA form
program pgm . While declared sequentially in the program
text, modules define threads whose execution is concurrent.
Declarations dec associate locations x with native classes
or template class instances m〈m∗〉 and procedures with a
name f and a definition pgm . For instance, int x defines an
integer variable x while sc signal〈bool〉 x defines a boolean
signal x. We assume x to denote the name of a variable or
signal and to be possibly prefixed as m :: x by the name of
the class it belongs to. We assume the relation ≤ to denote
C++ sub-typing (e.g., bool ≤ num, int ≤ num).
The formal grammar of SystemC programs, Figure 2,
is represented in static single-assignment intermediate form
akin to that of the Tree-SSA package of the GCC project [5].
SSA provides a language-independent, locally optimized
intermediate representation (Tree-SSA currently accepts C,
C++, Fortran 95, and Java inputs) in which language-
specific syntactic sugar is absent. SSA transforms a given
programming unit (a function, a method or a thread)
into a structure in which all variables are read and writ-
ten once and all native operations are represented by 3-
address instructions x = f(y, z). A program pgm con-
sists of a sequence of labeled blocks L:blk . Each block
consists of a label L and of a sequence of statements
stm terminated by a return statement rtn. In the re-
mainder, a block always starts with a label and finishes
with a return statement: stm1; L:stm2 is rewritten as
stm1; gotoL; L:stm2. A wait is always placed at the
beginning of a block: stm1; wait v; stm2 is rewritten as
stm1; gotoL; L:wait v; stm2. Block instructions consist of
native method invocations x = f(x∗), lock monitoring and
branches if x thenL. Blocks are returned from by either a
gotoL, a return or an exception throw x. The declaration
catchx from L1 toL2 using L3 that matches an exception x
raised at block L1 activates the exception handler L3 and
continues at block L2.
Example 1 To outline the construction of the intermediate
representation of a SystemC program, let us reconsider the
example of Section 2 and detail the method that counts the
number of bits set to 1 in a bit-array epc.data (Figure 3).
The method consists of three blocks. The block labeled L1
waits for the lock epc.lock before initializing the local state
variable idata to the value of the input signal epc.data and
ocount to 0. Label L2 corresponds to a loop that shifts idata
right to add its right-most bit to ocount until termination
(condition T0). In the block L3, ocount is sent to the signal
epc.count and epc.lock is unlocked before going back to L1.
Behavioral type inference. The type inference function
I[[pgm ]], Figure 4, is defined by induction on the formal
syntax of pgm . To define it, we assume that the finite set Lf
of program labels L defined in a given method f respects
the order of appearance in the text: L1 < L2 means that
L1 occurs before L2. To each block of label L ∈ Lf , the
function I[[pgm ]] associates an input clock xL, an immediate
clock ximmL and an output clock xexitL .
The clock xL is true iff L has been activated in the pre-
vious transition (by posting the event x′L). The clock ximmL
is set to true to activate the block L immediately. The clock
xexitL is set to true when the execution of block L terminates.
The default activation condition of a block of label L is the
clock xL ∨ximmL (equation (1) of Figure 4). The block L is
executed iff the proposition xL ∨ ximmL holds, meaning that
the program counter is at L. Otherwise, it is set to 0.
For a return instruction or a block, the type inference
function returns a type P . For a block instruction stm, the
type inference function I[[stm]]e1L = 〈P 〉
e2 takes three ar-
guments: an instruction stm, the label L of the block it be-
longs to, and an input clock e1. It returns the type P of
the instruction and its output clock e2. The output clock of
stm corresponds to the input clock of the instruction that
immediately follows it in the sequence of the block.
Example 2 Let us zoom on the block L2 of the ones counter
(Figure 3). On the first line, for instance, we associate the
instruction T1 = idata of block label L2 to the proposition
xL2 ⇒ T1 = idata. In this proposition, the new variable
xL2 is a boolean that is true iff the label L2 is being exe-
cuted. So, the proposition says that, if the label L2 is be-
ing executed, then T1 is always equal to idata. If not, then
another proposition may hold. In our case, all subsequent
propositions are conditioned by xL2 meaning that they hold
when L2 is being executed. Next, consider the instruction
if T0 then L3. It is likely that label L3 will, just as L2, per-
form some operation on the input idata. Therefore, we delay
its execution until after the current reaction and refer to x′
L3
as the next value of the state variable xL3, to indicate that it
5
(1) I[[L:blk ; pgm]] =I[[blk ]]
xL∨x
imm
L
L |I[[pgm ]]
(2) I[[stm ; blk ]]eL=let 〈P 〉
e1 = I[[stm]]eL in P |I[[blk ]]
e1
L
(3) I[[if x then L1]]eL=〈GL(L1, e ∧ x)〉
e∧¬x
(4) I[[x = f(y∗)]]eL=〈E(f)(xy
∗e)〉e
(5) I[[notify x]]eL=〈e ⇒ (x
′ = ¬x)〉e
(5) I[[notify x]]eL=〈e ⇒ (x
′ = ¬x)〉e
(6) I[[wait x]]eL=〈e ∧ (x 6= x
′) ⇒ yˆ |e \ yˆ ⇒ x′L〉
yˆ
(7) I[[gotoL1]]eL=(e ⇒ x
exit
L |GL(L1, e))
(8) I[[return]]eL=(e ⇒ (x
exit
L |x
exit
f ))
(9) I[[throw x]]eL=(e ⇒ (x
exit
L | xˆ))
where GL(L1, e) = if SL(L1) then e ⇒ ximmL1 else 〈e ⇒ x
′
L1
〉 and E(f)(xyze) = e ⇒ (yˆ ∧ zˆ ⇒ (xˆ |y → x |z → x))
I[[catch x from L toL1 using L2]]eL = GL(L2, xˆ ∧ x
exit
L ) |GL2(L1, x
exit
L2
)
Figure 4. Type inference
will be active during the next reaction. Hence, the proposi-
tion xL2 ⇒ T0 ⇒ x′L3 says that control passes to L3 at the
next reaction when control is presently at L2 and when T0
is true. The instructions that follow this test are conditioned
by the negative ¬T0, this means: ”in the block L2 and not
in its branch to L3”.
Figure 4 defines the behavioral type inference system.
Rules (1−2) are concerned with the iterative decomposition
of a program pgm into blocks blk and with the decomposi-
tion of a block into stm and rtn instructions. In rule (2),
the input clock e of the block stm; blk is passed to stm.
The output clock e1 of stm becomes the input clock of blk .
The input and output clocks of an instruction may differ.
This is the case, rule (3), for an if x then L1 instruction in a
block L. Let e be the input clock of the instruction. When
x is false then control is passed to the rest of the block, at
the output clock e∧¬x. Otherwise, control is passed to the
block L1, at the clock e ∧ x.
There are two ways of passing control from L to L1
at a given clock e. They are defined by the function
GL(L1, e): either immediately, by activating the immedi-
ate clock ximmL1 , i.e., e ⇒ x
imm
L1
; or by a delayed transition
to L1 at e, i.e., e ⇒ x′L1 . This choice is decided by the aux-
iliary function SL(L1). It checks whether the block L1 can
be executed immediately after the block L. By definition,
SL(L1) holds iff L1 > L (L1 is after L in the control flow)
and defs(L1) ∩ defs(L) = ∅ (the set of variables defined in
L and L1 are disjoint).
Example 3 In Example 1, defs(L1) = defs(L2) =
{ocount, idata} and defs(L3) = {count, lock}. Hence, go-
ing from L1 to L2 requires a delayed transition because both
L1 and L2 define ocount and idata. Conversely, going from
L2 to L3 can be done immediately since L3 does not define
ocount or idata.
Rule (4) is concerned with the typing of native and ex-
ternal method invocations x = f(y∗). The generic type of
f is taken from an environment E(f). It is given the name
of the result x, of the actual parameters y∗ and of the input
clock e to obtain the type of x = f(y∗). On the right, the
generic type of 3-address instructions x = f(y, z) at clock
e is given by E(f)(xyze). The wait-notify protocol (rules
(5 − 6)) is modeled using a boolean flip-flop variable x.
The notify method, rule (5), defines the next value of the
lock x by the negation of its current value at the input clock
e. The wait method, rule (6), activates its output clock yˆ
iff the value of the lock x has changed at the input clock e:
e∧ (x 6= x′) ⇒ yˆ. Otherwise, at the clock e \ yˆ, the control
is passed to L by a delayed transition e \ yˆ ⇒ x′L.
Example 4 Consider the wait-notify protocol at the blocks
labeled L1 and L3 in the ones counter. The type of the wait
instruction defines the output clock yˆ if L1 receives con-
trol at the clock xL1, and if the value of lock has changed
(proposition lock 6= lock′). If so, at the clock yˆ, ocount and
idata are initialized and the control is passed to the block
L2 by GL1(L2, yˆ). Otherwise, at the clock xL1 \ yˆ, a delayed
transition to L1 is scheduled: xL1 \ yˆ ⇒ x′L1.
code type
L1: wait (epc.lock);
.
.
.
goto L2;
.
.
.
L3: epc.count = ocount;
notify (epc.lock);
goto L1;
xL1 ∧ (lock 6= lock
′)⇒yˆ
xL1 \ yˆ⇒x
′
L1
.
.
.
yˆ⇒x′L2
.
.
.ˆocount ∧ xL3⇒ ˆcount
xL3⇒lock
′ = ¬lock
xL3⇒x
′
L1
All return instructions, rules (7 − 9), define the output
clock xexitL of the current block L by their input clock e.
This is the right place to do that: e defines the very condition
upon which the block actually reaches its return statement.
A gotoL1 instruction, rule (7), passes control to block L1
unconditionally at the input clock e by GL(L1, e). A return
instruction, rule (8), sets the exit clock xf to true at clock
e to inform the caller that f is terminated. A throw x state-
ment in block L, rule (9), triggers the exception signal x at
the input clock e by e ⇒ xˆ. The matching catch statement,
of the form catchx from L toL1 using L2 passes the control
to the handler L2 and then to the block L1 upon termination
of the handler. This requires, first, to activate L2 from L
when x is present, i.e., GL(L2, xˆ ∧ xexitL ), and then to pass
the control to L1 upon termination of the handler.
6
Completion of the state logic. The encoding of Figure 4
requires all entry clocks xL, ximmL and xf to be simultane-
ously present when the f is being executed. Each signal xL
holds the value 1 iff the block L is active during a transition
currently being executed. Otherwise, xL is set to 0. This de-
fault setting of the entry clocks requires a completion of the
next-state logic by considering, for all L ∈ Lf , the propo-
sition eL ⇒ x′L implied by the inferred type P = I[[pgm ]]
and define the default rule by xf \ eL ⇒ ¬x′L. Comple-
tion is identical for the immediate and exit clocks ximmL and
xexitL of the block L. We write xf \ eL ⇒ ¬x′L where
eL=
def
∨
(e |P |= e ⇒ x′L ).
Extension to method calls. The type inference scheme
defined for wait, notify and operations, rules (4 − 6) can
be extended to handle externally defined method calls in a
modular and compositional way, as depicted next. Consider
a method f with formal parameters x1..m (whose data-types
are not displayed) and a result of type m, rule (a). Let y be
an exception raised by the definition pgm of f and escap-
ing from it. The type of f consists of a lambda abstrac-
tion whose arguments are the inputs x1..m, the entry clock
xf , the exit clock xexitf , the return value yf and the excep-
tion y. It is used to parameterize the proposition P , which
corresponds to pgm , with respect to these arguments. The
lambda abstraction is instantiated in place of a method in-
vocation L : x0 = f(x1..m), rule (b), which needs to be
placed at the beginning of a block (assuming that this block
can take several transitions before termination). To model
the method call, one just needs to activate the entry clock
xf of the method at the input clock e.
(a) I[[m f(x1..m) raises y{ pgm }]] =
λx1..mxf x
exit
f y.
(
I[[pgm ]] |xf ⇒ xminLf
)
/Lf
(b) I[[L : x0 = f(x1..m)]]eL =
e ⇒ (E(f)(x1..mexy) |e \ (yˆ ∨ xˆ) ⇒ x′L)
e∧xˆ
(c) I[[return x]]eL = (e ⇒ (x
exit
L |x
exit
f := x))
The output signal x is used to carry the value of the result.
Its clock determines when the method has reached the cor-
responding return statement (rule (c)). When the method
terminates, the exit clock of the method call is defined by
e∧ xˆ. Otherwise, if the exception y is raised, a correspond-
ing catch statement handles it. If f has not finished at the
end of the transition (at the clock e \ (yˆ ∨ xˆ)), a delayed
transition to L is performed e \ (yˆ ∨ xˆ) ⇒ x′L in order to
resume its execution at the next transition.
A behavioral module system. We define a module sys-
tem starting from the behavioral type system of Section 4.
The type T of a module m consists of an environment E ,
that associates fields f and x with types, of a type P that
denotes the behavior of its constructor, and of a proof obli-
gation C. The type T1 → T2 denotes a template class that
produces a module of type T2 given a parameter of type T1.
A proof obligation is a conjunction of propositions of the
form P ⇒ Q. A proof obligation P ⇒ Q is incurred by the
instantiation of a template class, whose formal parameter
has type P and by an actual class parameter, of type Q.
(type) T ::= 〈E , P, C〉 | T → T
(context) E ::= [] | E [x : m] | E [f : P ] | E [m : T ]
(obligation) C ::= 1 |P ⇒ Q | C ∧ C
The type inference function for modules, I[[sys ]]E , Fig-
ure 5, assumes a type environment E that associates names
with types. We write E(x) for the type of the location x
and E(m.x) = F(m)(x) for the path m to x iff E(m) =
〈F , P, C〉.
Type inference for declarations. Rule (a) sequentially
processes the declarations dec in a module. Class field dec-
larations contribute to building the type T of a module: rule
(b) associates the location x with the type name m in the
class-field [x : m], rule (c) associates the procedure f with
the class-field [f : P ]. The type τ denotes a program that
does nothing. It is neutral by composition. In rule (d),
the initialization of a thread SC THREAD(f) sensitive ¿ x
in the constructor is associated with the behavior E(f) of
the method f it forks and with the type xˆf ⇐ xˆ, meaning
that x triggers f .
Type inference for modules. Rule (e) processes a se-
quence of module declarations sys1; sys2. We write
〈E1, P1, C1〉 unionmulti 〈E2, P2, C2〉 = 〈E1E2, P1 |P2, C1 ∧ C2〉 to
merge the types of sys1 and sys2. Whereas processing is
sequential, the composition of the behavioral type P1 |P2
is synchronous. Rule (f) first obtains the type T1 =
〈E1, P1, C1〉 of its class fields. Then, in the environment E
extended with that of the class fields E1, the body new ; pgm
of the constructor is processed to obtain its type T2. The
type of the module becomes m · (T1 unionmulti T2). The notation
m · 〈E , P, C〉 = 〈[m : E ], P, C〉 (resp. m · (T1 → T2) =
T1 → (m · T2)) defines the type of the class m from the
type 〈E , P, C〉 of its class fields.
Rule (g) determines the type of a template class m2
whose formal parameter is a class m1 that implements the
virtual class m. The virtual class m provides the type,
and hence the expected behavior, of the formal parame-
ter name m1. It is obtained from the environment E by
m · T = E(m). The body of the template (i.e. the field
declarations dec of the class m2) is type-checked with the
environment E extended with the association of m1 to the
type of the class fields E1 declared in m. This yields the
type m2 ·T2 of the class. The type of the template is defined
by associating m2 with the type (m1 · T1) → T2 (and hence
m1 with the type T1). Rule (h) performs the instantiation
m2〈m〉x of a template class m2 with an actual parameter
m to define the class name x. The type (m1 · T1) → T2
7
(a) I[[dec1; dec2}]]E = let 〈E1, P1, C1〉 = I[[dec1]]E in 〈E1, P1, C1〉 unionmulti I[[dec2]]EE1 (b) I[[m x]]E = 〈[x : m], τ, 1〉
(d) I[[SC THREAD(f) sensitive ¿ x]]E = 〈[], E(f) |(xˆf ⇐ xˆ), 1〉 (c) I[[void f() {pgm}]]E = 〈[f : I[[pgm ]]E ], τ, 1〉
(e) I[[sys1; sys2]]E=let 〈E1, P1, C1〉 = I[[sys1]]E in 〈E1, P1, C1〉 unionmulti I[[sys2]]EE1
(f) I
[
SC MODULE(m) {
dec; SC CTOR(m) {new ; pgm}}
]
E
=let 〈E1, P1, C1〉 = I[[dec]]E and T2 = I[[new ; pgm ]]EE1
in m · (〈E1, P1, C1〉 unionmulti T2)
(g) I
[
template 〈class m1〉
#TYPE(m1, m) class m2 {dec}
]
E
=let m · T = E(m) and 〈E1, , 〉 = m1 · T andT2 = I[[dec]]EE1
in 〈[m2 : (m1 · T1) → T2], τ, 1〉
(h) I[[m2〈m〉x]]E=let (m1 · T1) → T2 = E(m2) andm · T = E(m)
in x · (T2[m2.m/m1]) unionmulti 〈[], τ, (R(T1[m2.m/m1], T [m2.m/m]))〉)
Figure 5. Type inference for declarations and modules
of the template class m2 and the type m · T of the actual
parameter m are obtained from the supplied environment
E . Type matching between T and T1 requires the resolution
of a sub-typing between T1[m2.m/m1] and T2[m2.m/m].
The term T1[m2.m/m1] stands for the substitution of the
name m1 by the concatenation m2.m in T1. The resolution
of the type matching constraints reduces to the synthesis of
the proof obligation C by the algorithm R. If C is satisfied,
then the type of the location x is T2[m2.m/m1].
Proof obligation synthesis. The resolution R(T1, T2) of
sub-typing constraints is defined by induction on the struc-
ture of the pair (T1, T2). It reduces to the proof of a con-
junction of propositions of the form P1 ⇒ P2. If P2 is
stateless (i.e. it defines no state transitions) then the problem
reduces to checking satisfaction of the boolean proposition
Pˆ1 ⇒ P2 (where Pˆ1 stands for the stateless abstraction of
P1, e.g., the right-most columns of figure 6). If P2 is state-
full then the problem reduces to verifying that P1 ⇒ P2 is
an invariant of P , the type of the program, by using model-
checking techniques. Both problems can be expressed and
decided in the Polychrony workbench by encoding behav-
ioral types in Signal.
R(E1 → T1, E2 → T2)⇔R(E2, E1) ∧ R(T1, T2)
R(E1[x : t1], E2[x : t2])⇔R(E1, E2) ∧ (t2 ≤ t1)
R(E1[f : P1], E2[f : P2])⇔R(E1, E2) ∧ (P2 ⇒ P1)
R(E1[m : T1], E2[m : T2])⇔R(E1, E2) ∧ R(T1, T2)
R(〈E1, P1, C1〉, 〈E2, P2, C2〉)⇔R(E1, E2) ∧R(P1, P2)
∧R(C1, C2)
5 Applications
We have introduced a type system allowing to model the
control and data flow graphs of a given imperative program
in SSA intermediate form and demonstrated that the expres-
sive capability of the type system’s semantics matched that
of de-facto standard design languages (e.g. SystemC) and as
well as that of related multi-clock synchronous formalisms
(e.g. Signal). As such, applications of the proposed type
system encompass optimization and verification issues en-
countered in related system design methodologies, yet with
the following features that merit a highlight.
Scalability. Just as the theory of interfaces automata [1],
types allow for a scalable level of abstraction to be auto-
matically obtained starting from the type inferred from a
SystemC module using a simple formalism. Behavioral
types share with interface automata the capability to define
static interfaces (boolean relations) and dynamic interfaces
(a transition system). Behavioral types allows to relate a
given proposition P to a more abstract one, Q, in several
ways: a transition e ⇒ x′ = y can be abstracted by a clock
relation between e, xˆ and yˆ; a bound signal x in P/x can be
abstracted by any proposition Q not referencing it and con-
taining P . These examples are instances of a more generic
abstraction pattern. In general, checking a user-specified
abstraction Q consistent with the type P inferred from a
given program amounts to the satisfaction of the contain-
ment relation [[P ]] ⊆ [[Q]] (i.e. the denotation of P is con-
tained in the denotation of Q). If P is a stateless interface,
this amounts to the satisfaction of boolean equations. Sim-
ilarly, checking that a statefull interface Q is an abstraction
of a process P amounts to verifying that Q simulates P by
model-checking.
Modularity. The main advantage of formulating a behav-
ioral type system for SystemC is the formal foundation
it offers to investigate modular and compositional design
methodologies using separate compilation techniques. For
instance, suppose that the declared type P of a SystemC
class template provides sufficient information about its for-
mal parameter for its body to be checked controllable and
compiled. One may then provide it with an actual class pa-
rameter, of type Q, satisfying Q ⇒ P , without having the
burden of fully instantiating the template code and recom-
pile its code for that given instance.
Design checking. The proposed type system allows to
easily formulate properties pertaining on common design
errors the analysis of which has been the subject of nu-
merous related works. Most of these approaches consist
8
x1:= when xL1 when (lock 6= lock
′)
x′
L1
::= when notx1 defaultxL1
idata::= data whenx1
ocount::= 0 whenx1
x′
L2
::= when x1
T1:= idata$1 whenxL2
T0:= (T1 = 0) whenxL2
xL3::= whenT0
x2:= when not xL3 defaultxL2
T2:= ocount$1 whenx2
T3:= T1whenx2
ocount::= T2 + T3whenx2
idata::= (T1 À 1) whenx2
x′
L2
::= whenx2
count::= ocountwhen xL3
lock::= not lock whenxL3
x′
L1
::= whenxL3
xfˆ=xL1ˆ = xL2ˆ = xL3
xL1 :=x
′
L1
$1 init true
xL2 :=x
′
L2
$1 init false
x′
L1
:=true when (not x1 defaultxL1 defaultxL3) default false
x′
L2
:=true when (x1 defaultx2) default false
xL3:=true whenT0default false
Figure 6. Model of the EPC in Signal
of proposing an ad-hoc type system for analyzing a specific
pattern of design errors: race conditions, deadlocks, threads
termination; and in a given programming language: Java,
C, SystemC. By contrast, our behavioral type system pro-
vides a unified framework to perform both static verification
via satisfaction checking or dynamic verification via model
checking of behavioral properties of embedded systems de-
scribed using imperative programming languages. The in-
ference technique itself is language independent and the se-
mantical peculiarities of language-specific runtime features
and libraries can be modeled in the polychronous model of
computation and its supportive type system.
Termination. One common design error found in embed-
ded system design is the unexpected termination of a thread
due to, e.g., an uncaught exception. The termination of the
infinite loop of a thread f can be expressed by the property
xexitf = 1. Unexpected termination can hence be avoided
by model-checking the property that the opposite is an in-
variant of f : P |= xexitf = 0.
Deadlocks. Another common design error is a wait state-
ment that does not match a notification and yields the thread
to block. Let xL1...n be the clocks of the blocks L1...n in
which a lock x is notified. Waiting for x at a given label L
eventually terminates if P |= xL ∧ ¬(∧ni=1xLi) = 0.
Race conditions. Similarly, concurrent write accesses to
a variable x shared by parallel threads can be checked exclu-
sive by considering the input clocks e1,..n of all write state-
ments x = f(y, z) by verifying that P |= (ei∧(∨j 6=iej)) =
0, ∀i = 1, ..n.
Example 5 For instance, consider checking exclusion be-
tween the transitions of the ones counter. The type P of
the counter implies the equations x′
L2
= (yˆ1 ∨ yˆ2) and
x′
L1
= xL3. Verifying exclusion between them amounts to
proving that (yˆ1 ∨ yˆ2) ∧ xL3 = 0 is an invariant of P . By
construction of P , we have: yˆ1 = xL1 ∧ (lock 6= lock′),
yˆ2 = xL2 \ T0 and xL3 = T0. The property follows by
observing that Tˆ0 = xL2.
Design exploration. Just as the multi-clocked syn-
chronous formalism Signal it is based upon, our type system
allows for the refinement-based design methodologies con-
sidered in [8] to be easily implemented. Checking the cor-
rectness of the refinement of an initial SystemC module, of
type P , by its upgraded version, of type Q, amounts to ver-
ifying that the final type Q satisfies the assumptions made
by the initial specification. In the spirit of the refinement-
checking methodology proposed in [8], this can be imple-
mented by checking the refinement Q to be finitely flow
preserving with respect to the initial design P . In general,
Q may differ from P by the insertion of a protocol between
two components of P , by the adaptation of the services pro-
vided by P with a new functionality implemented in Q.
Along the way, one may abstract from the type Q the signals
and state variables introduced during the refinement in or-
der to accelerate verification. In most cases, such upgrades
may be checked incrementally, by statically checking the
containment relation between the stateless abstractions of
P and Q.
Implementation in the Polychrony workbench. The
Polychrony workbench supports the synchronous multi-
clocked data-flow programming language Signal in which
the translation of the behavioral type system into Signal is
easily defined.
Example 6 As an example, embedding the ones counter
into Signal, Figure 6, consists of emulating control by par-
tial equations and of wrapping computations using typed
pragmas statements. This embedding allows to operate
global architectural transformations on the initial program,
such as hierarchization or distributed protocol synthesis,
using the Polychrony platform or perform both static (SAT-
checking) or dynamic (model-checking) verification of its
design properties, whose spectrum is outlined next. The
completion of the state-logic is implemented by the aggre-
gation of partial state equations. Notice that L1 and L2 are
always activated by a delayed transition, whereas L3 is al-
ways immediate when T0 holds.
Thanks to the polychronous model of computation, the
SystemC scheduler, used to interleave the execution of
9
threads, does not have to be specified. Indeed, SystemC
scheduling amounts to determining a fixed-point to incon-
sistently propagated signal values using the notion of δ-
cycle, until a fixed-point is reached. Fixed-point of δ-cycles
relate to instants in the synchronous semantics using the no-
tion of Kantor metrics of Lee et al. [3]. By contrast, the
polychronous model of computation relies on the notion of
synchrony to denote this fixed-point directly. Its implemen-
tation makes use of type-based scheduling information to
determine a static scheduling of elementary instructions.
6 Related works and conclusions
The capture of the behavior of a system through a type
theoretical framework relates our technique to the work of
Rajamani et al. [7], and many others, on abstracting high-
level and concurrent specifications, e.g. the pi-calculus, by
using a formalism, e.g. Milner’s CCS, in which, primarily,
checking type equivalence, e.g. bisimulation, is decidable.
Our contribution contrasts from related studies by the ca-
pability to capture scalable abstractions of the type-checked
system. In our type system, scalability ranges from the ca-
pability to express the exact meaning of the program, in or-
der to make structural transformations and optimizations on
it, down to properties expressed by boolean equations be-
tween clocks, allowing for a rapid static-checking of design
correctness properties (as demonstrated in the examples of
Section 5, especially Example 5). Our system allows for
a wide spectrum of design abstraction and refinement pat-
terns to be applied on a model, e.g. abstraction of states by
clocks, abstraction of existentially quantified clocks, hierar-
chic abstraction, in the aim of choosing a better degree of
abstraction for faster verification.
We share the aim of a scalable and correct-by-
construction exploration of abstraction-refinement of sys-
tem behaviors with the work of Henzinger et al. on interface
automata [1]. Our approach primarily differs from inter-
face automata in the data-structure used in the Polychrony
workbench: clock equations, boolean propositions and state
variable transitions express the multi-clocked synchronous
behavior of a system. Compared to an automata-based ap-
proach, our declarative approach allows to hierarchically
explore abstraction capabilities and to cover design explo-
ration with the methodological notion of refinement along
the whole design cycle of the system, ranging from the early
requirements specification to the latest sequential and dis-
tributed code-generation [8, 4].
The main novelty in our approach is the use of a multi-
clocked synchronous formalism to support the construc-
tion of a scalable behavioral type inference system for the
de facto standard system-design language SystemC, and
the materialization of a companion refinement-based design
methodology imposed through the strong typing policy of a
module system, that reduces compositional design correct-
ness verification to the validation of synthesized proof obli-
gations. The proposed type system allows to capture the
behavior of an entire system-level design and to re-factor
it, allowing to modularly express a wide spectrum of static
and dynamic behavioral properties, and to automatically or
manually scale the desired degree of abstraction of these
properties for efficient verification. The type system is pre-
sented using a generic and language-independent intermedi-
ate representation. It operates transformations implemented
in the platform Polychrony, to perform refinement-based
design exploration and directly yields to verification tools
using SAT checking and model checking allowing for an
efficient verification of expected design properties and an
early discovery of design errors.
References
[1] DE ALFARO, L., HENZINGER, T. A. “Interface theo-
ries for component-based design”. International Work-
shop on Embedded Software. Lecture Notes in Com-
puter Science v. 2211. Springer-Verlag, 2001.
[2] F. DOUCET, S. SHUKLA, AND R. GUPTA. “Typing
abstractions and management in a component frame-
work”. Asia and South Pacific Design Automation Con-
ference, January 2003.
[3] LEE, E. A., SANGIOVANNI-VINCENTELLI, A. “A
framework for comparing models of computation”. In
IEEE transactions on computer-aided design, v. 17, n.
12. IEEE Press, December 1998.
[4] LE GUERNIC, P., TALPIN, J.-P., LE LANN, J.-C.
Polychrony for system design. In Journal of Circuits,
Systems and Computers. Special Issue on Application-
Specific Hardware Design. World Scientific, 2002.
[5] NOVILLO, D. “Tree SSA, a new optimization infras-
tructure for GCC”. GCC developers summit, 2003.
[6] PNUELI, A., SHANKAR, N., SINGERMAN, E. Fair
synchronous transition systems and their liveness
proofs. International School and Symposium on Formal
Techniques in Real-time and Fault-tolerant Systems.
Lecture Notes in Computer Science v. 1468. Springer
Verlag, 1998.
[7] S. K. RAJAMANI AND J. REHOF. “A behavioral mod-
ule system for the pi-calculus”. Static Analysis Sym-
posium. Lecture Notes in Computer Science. Springer
Verlag, July 2001.
[8] J.-P. TALPIN, P. LE GUERNIC, S. K. SHUKLA,
R. GUPTA, AND F. DOUCET. “Polychrony for formal
refinement-checking in a system-level design method-
ology”. Application of Concurrency to System Design.
IEEE Press, June 2003.
[9] J.-P. TALPIN, BERNER, D., SHUKLA, S. K., LE
GUERNIC, P., GAMATIE´, A., GUPTA, R. “Behavioral
type inference for compositional system design”. Tech-
nical report n. 5141. INRIA, March 2004.
10
