Compositional design of isochronous systems by Talpin, Jean-Pierre et al.
Compositional design of isochronous systems
Jean-Pierre Talpin, Julien Ouy, Loïc Besnard, Paul Le Guernic
To cite this version:
Jean-Pierre Talpin, Julien Ouy, Loïc Besnard, Paul Le Guernic. Compositional design of isochronous systems. [Research Report] RR-6227, INRIA. 2007, pp.24. <inria-00156499v5>
HAL Id: inria-00156499
https://hal.inria.fr/inria-00156499v5
Submitted on 23 Nov 2007
Thème COM
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Compositional design of isochronous systems
Jean-Pierre Talpin — Julien Ouy — Loïc Besnard — Paul Le Guernic
N° 6227 — version 2
initial version June 2007 — revised version November 2007

Unité de recherche INRIA Rennes
IRISA, Campus universitaire de Beaulieu, 35042 Rennes Cedex (France)
Téléphone : +33 2 99 84 71 00 — Télécopie : +33 2 99 84 71 71
Thème COM — Systèmes communicants
Projets Espresso
Rapport de recherche n° 6227 — version 2 — initial version June 2007 — revised version November 2007 — 30 pages
Abstract: The synchronous modeling paradigm provides strong execution correctness guarantees to embedded system design while making minimal environmental assumptions. In most related frameworks, global execution correctness is achieved by ensuring endochrony: the insensitivity of (logical) time in the system from (real) time in the environment. Interestingly, endochrony can be statically checked, making it fast to ensure design correctness. Unfortunately, endochrony is not preserved by composition, making it difficult to exploit with component-based design concepts in mind. Compositionality can be achieved by weakening the objective of endochrony but at the cost of an exhaustive state-space exploration. These observations raise a tradeoff between performance and precision. Our aim is to balance this tradeoff by proposing a formal design methodology that adheres to a weakened global design objective, namely, the non-blocking composition of weakly endochronous processes, while preserving local endochrony objectives. This yields an ad-hoc yet cost-efficient approach to compositional synchronous modeling.
Key-words: formal methods, embedded systems, program analysis, synchronous paradigm
Compositional implementation of isochronous systems (French abstract, translated)
Abstract: The synchronous paradigm implements formal methods that make it possible to guarantee the correctness of a program while making few assumptions about its (execution) environment. This correctness is ensured by the property of endochrony: the insensitivity of logical time, in the program, to real time, in the environment. Endochrony can be verified by static analysis; it therefore gives easy and fast assurance that a program is correct. Unfortunately, it is not stable under composition, which complicates its use in the modular design of programs. Compositionality can nevertheless be obtained by weakening the property of endochrony, but at the price of a more costly implementation, since it requires exploring the state space of the program. This confronts us with a dilemma between performance and precision, between simplicity and compositionality. Our objective is to go beyond this trade-off by proposing a design methodology founded on the global objective of composing non-blocking modules and on the local objective of ensuring the endochrony (of each module). The property obtained is compositional and the cost of its verification is low.
Keywords: formal methods, embedded systems, program analysis, synchronous paradigm
1 Introduction
The synchronous paradigm to embedded system design provides strong execution correctness guarantees while requiring minimal assumptions on the execution environment. In most synchronous formalisms, this is achieved by locally verifying that computation (in the system) is insensitive to communication delays (from the environment), i.e., that the system is endochronous ("time is defined from inside").
Example Process filter emits y every time the value of its input x changes. The output tags t2 and t4 are timely related to the input tags t1..t4: process filter is endochronous.
x : (t1, 1) (t2, 0) (t3, 0) (t4, 1) → y = filter(x) → y : (t2, 1) (t4, 1)
In the data-flow formalism Signal, for instance, design is driven by the safety objective of
endochrony: endochrony guarantees a synchronization of computations and communications that
is independent of possible network latency. Unfortunately, endochrony is not a compositional
property: it is not preserved by synchronous composition.
Example The synchronous composition of filter with an endochronous merge equation (meaning "d equals if c then y else z") is no longer endochronous: the timing of the output d is not related to one of the inputs, c or y.
c : (t0, 0) (t2, 1) (t4, 1) (t7, 0)
y : (t2, 1) (t4, 1)
z : (t0, 1) (t7, 0)
→ d = merge(c, y, z) → d : (t0, 1) (t2, 1) (t4, 1) (t7, 0)
In [18], it is shown that compositionality can be achieved by weakening the objective of endochrony: a weakly endochronous system is a deterministic system that can perform independent communications in any order as long as this does not alter its state (i.e. it satisfies the diamond property). It is further shown that the non-blocking composition of weakly endochronous processes is isochronous.
Example The untimed asynchronous composition of processes filter and merge is isochronous: synchronous and asynchronous compositions yield the same flow of values.
x : 1 0 0 1
c : 0 1 1 0
z : 1 0 1 0
→ y = filter(x) ‖ d = merge(c, y, z) → d : 1 1 1 0
However, checking that a system is weakly endochronous requires an exhaustive exploration of its state-space to guarantee that its behavior is independent from the order of inbound communications. This raises a tradeoff between performance (incurred by state-space exploration) and flexibility (gained from compositionality). We aim at balancing this trade-off by proposing a formal design methodology that weakens the global design objective (non-blocking composition) and preserves design objectives secured locally (by accepting endochronous components).
Our approach consists in globally maintaining a compositional design objective (non-blocking composition) while preserving properties secured locally (endochrony). This yields a less general yet cost-efficient approach to compositional modeling that is able to encompass most of the practical engineering situations. It is particularly aimed at efficiently reusing most of the existing program analysis and compilation algorithms of Signal. To support the present design methodology, we have designed a simple controller synthesis and code generation scheme [16].
Plan
The article starts in Section 2 with an introduction to Signal and its polychronous model of computation. Section 3 defines the necessary analysis framework and Section 4 presents our contributed formal properties and methodology. It is applied to the exposition of a concurrent code generation scheme in Section 5. We review related work in Section 6 and conclude.
2 An introduction to Polychrony
In Signal, a process (written P or Q) consists of the synchronous composition (noted P | Q) of equations on signals (written x = y f z). A signal x represents an infinite flow of values. It is sampled according to the discrete pace of its clock, noted x̂. An equation x = y f z defines the output signal x by the relation of its input signals y and z through the operator f. A process defines the simultaneous solution of the equations it is composed of.
P,Q ::= x = y f z | P |Q | P/x (process)
As a result, an equation partially relates signals in an abstract timing model, represented by clock
relations, and a process defines the simultaneous solution of the equations in that timing model.
Signal defines the following kinds of primitive equations:
• A functional equation x = y f z defines an arithmetic or boolean relation f between its
operands y, z and the result x.
• A delay equation x = y pre v initially defines the signal x by the value v and then by the
value of the signal y from the previous execution of the equation. In a delay equation,
the signals x and y are assumed to be synchronous, i.e. either simultaneously present or
simultaneously absent at all times.
• A sampling x = y when z defines x by y when z is true and both y and z are present. In a
sampling equation, the output signal x is present iff both input signals y and z are present
and z holds the value true.
• A merge x = y default z defines x by y when y is present and by z otherwise. In a merge
equation, the output signal is present iff either of the input signals y or z is present.
The process P/x restricts the lexical scope of the signal x to the process P . In the remainder,
we write V(P ) for the set of free signal names x of P (they occur in an equation of P and their
scope is not restricted). A free signal is an output iff it occurs on the left hand-side of an equation.
Otherwise, it is an input signal.
Example We define the process filter depicted in Section 1 (with the names of its input and output swapped with respect to the traces of Section 1). It receives a boolean input signal y and produces an output signal x every time the value of the input changes. The local signal z holds the previous value of the input y at all times. When y first arrives, z is initialized to true. If y and z differ then the output x is true, otherwise it is absent.
x = filter(y) def= (x = true when (y ≠ z) | z = y pre true) / z
2.1 Model of computation
The formal semantics of Signal is defined in the polychronous model of computation [9]. The polychronous MoC is a refinement of Lee's tagged signal model [14]. In this model, symbolic tags t or u denote periods in time during which execution takes place. Time is defined by a partial order relation ≤ on tags (t ≤ u means that t occurs before u). A chain is a totally ordered set of tags and defines the clock of a signal: it samples its values over a series of totally related tags.
Events, signals, behaviors and processes are defined as follows:
- an event is the pair of a tag t ∈ T and a value v ∈ V
- a signal is a function from a chain of tags to values
- a behavior b is a function from names to signals
- a process p is a set of behaviors of same domain
- a reaction r is a behavior with one time tag t
Example The meaning of process filter is denoted by a set of behaviors on the signals x and y. On line one, below, we choose a behavior for the input signal y of the equation. Line two defines the meaning of the local signal z by the previous value of y. Notice that it is synchronous to y (it has the same set of tags). On line three, the output signal x is defined at the time tags ti at which y and z hold different values, as expected in the previous example.
y ↦ (t1, 1) (t2, 0) (t3, 0) (t4, 1) (t5, 1) (t6, 0)
z ↦ (t1, 1) (t2, 1) (t3, 0) (t4, 0) (t5, 1) (t6, 1)
x ↦ (t2, 1) (t4, 1) (t6, 1)
Notations We introduce the notations that are necessary to the formal exposition of the polychronous model of computation. We write T(s) for the chain of tags of a signal s and min s and max s for its minimal and maximal tag. We write V(b) for the domain of a behavior b (a set of signal names). The restriction of a behavior b to X is noted b|X (i.e. V(b|X) = X). Its complement b/X satisfies b = b|X ⊎ b/X (i.e. V(b/X) = V(b) \ X). We overload the use of T and V to talk about the tags of a behavior b and the set of signal names of a process p.
Synchrony and asynchrony Informally, two behaviors b and c are clock-equivalent, written b ∼ c, iff they are equal up to an isomorphism on tags. For instance,
(y ↦ (t1, 1) (t2, 0) (t3, 0), x ↦ (t2, 1)) ∼ (y ↦ (u1, 1) (u3, 0) (u5, 0), x ↦ (u3, 1))
The synchronization of a behavior b with a behavior c is noted b ≤ c and is defined as the effect of "stretching" its timing structure. A behavior c is a stretching of a behavior b, written b ≤ c, iff V(b) = V(c) and there exists a bijection f on tags s.t.
∀t, u, t ≤ f(t) ∧ (t < u ⇔ f(t) < f(u))
∀x ∈ V(b), T(c(x)) = f(T(b(x))) ∧ ∀t ∈ T(b(x)), b(x)(t) = c(x)(f(t))
b and c are clock-equivalent, written b ∼ c, iff there exists a behavior d s.t. d ≤ b and d ≤ c. The synchronous composition p | q of two processes p and q is defined by combining behaviors b ∈ p and c ∈ q that are identical on I = V(p) ∩ V(q), the interface between p and q.
p | q = {b ∪ c | (b, c) ∈ p × q ∧ b|I = c|I ∧ I = V(p) ∩ V(q)}
Asynchrony Similarly, two behaviors b and c are flow-equivalent, written b ≈ c, iff they have the same domain and all signals carry the same values in the same order. For instance,
(y ↦ (t1, 1) (t2, 0) (t3, 0), x ↦ (t2, 1)) ≈ (y ↦ (u1, 1) (u2, 0) (u3, 0), x ↦ (u1, 1))
Desynchronization is defined as the effect of "relaxing" the timing structure of a behavior: a behavior c is a relaxation of b, written b ⊑ c, iff V(b) = V(c) and, for all x ∈ V(b), b|x ≤ c|x. Two behaviors b and c are flow-equivalent, written b ≈ c, iff there exists a behavior d s.t. b ⊒ d ⊑ c. The asynchronous composition p ‖ q of two processes p and q is defined by the set of behaviors d that are flow-equivalent to behaviors b ∈ p and c ∈ q along the interface I = V(p) ∩ V(q).
p ‖ q = {d | (b, c) ∈ p × q ∧ b/I ∪ c/I ≤ d/I ∧ b|I ⊑ d|I ⊒ c|I ∧ I = V(p) ∩ V(q)}
Concatenation The semantics [[P]] of a Signal process P, presented next, is defined by a set of behaviors that are inductively constructed by the concatenation of reactions. A reaction r is a behavior with (at most) one time tag t. We write T(r) for the tag of a non-empty reaction r. An empty reaction of the signals X is noted Ø|X. The empty signal is noted ∅. A reaction r is concatenable to a behavior b iff V(b) = V(r) and, for all x ∈ V(b), max(b(x)) < T(r(x)). If so, concatenating r to b is defined by
∀x ∈ V(b), ∀u ∈ T(b) ∪ T(r), (b · r)(x)(u) = if u ∈ T(r(x)) then r(x)(u) else b(x)(u)
Example Two reactions of signal-wise related time tags can be concatenated, written r · s, to form a behavior. For instance,
(y ↦ (t1, 1), x ↦ ∅) · (y ↦ (t2, 0), x ↦ (t2, 1)) = (y ↦ (t1, 1) (t2, 0), x ↦ (t2, 1))
2.2 Semantics of Signal
The semantics [[P]] of a Signal process P is a set of behaviors that are inductively defined by the concatenation of reactions.
Initially, we assume that Ø|V(P) ∈ [[P]]. The semantics of a delay x = y pre v is defined by appending a reaction r of tag t to a behavior b. It initially defines x by the value v (when b is empty) and then by the previous value of y (i.e. b(y)(u) where u is the maximal tag of b).
[[x = y pre v]] = { b · r | b ∈ [[x = y pre v]], u = max(T(b(y))), t = T(r),
    r(x) = t ↦ b(y)(u)   if r(y) ≠ ∅ ∧ b ≠ Ø|xy
           t ↦ v         if r(y) ≠ ∅ ∧ b = Ø|xy
           ∅             if r(y) = ∅ }
Similarly, the semantics of a sampling x = y when z defines x by y when z is true.
[[x = y when z]] = { b · r | b ∈ [[x = y when z]], t = T(r),
    r(x) = r(y)   if r(z)(t) = true
           ∅      if r(z)(t) = false
           ∅      if r(z) = ∅ }
Finally, x = y default z defines x by y when y is present and by z otherwise.
[[x = y default z]] = { b · r | b ∈ [[x = y default z]],
    r(x) = r(y)   if r(y) ≠ ∅
           r(z)   if r(y) = ∅ }
The meaning of the synchronous composition P | Q is the synchronous composition [[P | Q]] = [[P]] | [[Q]] of the meanings of P and Q. The meaning of restriction is defined by [[P/x]] = {c | b ∈ [[P]] ∧ c ≤ (b/x)}.
Example The meaning of the equation x = true when (y ≠ (y pre true)) consists of a set of behaviors with two signals x and y. On line one, below, we choose a behavior for the input signal y of the equation. On line two, we define the signal for the expression y pre true by application of the function [[ ]]. Notice that y and y pre true are synchronous (they have the same set of tags). On line three, the output signal x is defined at the time tags ti when y and y pre true hold different values, as expected in the previous example.
y ↦ (t1, true) (t2, false) (t3, false) (t4, true) (t5, true) (t6, false)
y pre true ↦ (t1, true) (t2, true) (t3, false) (t4, false) (t5, true) (t6, true)
x ↦ (t2, true) (t4, true) (t6, true)
Formal properties The formal properties considered in the remainder pertain to the insensitivity of the timing relations of a process p (its local clock relations) to external communication delays. The property of endochrony, Definition 1, guarantees that the synchronization performed by a process p is independent from latency in the network. Formally, let I be a set of input signals of p: whenever the process p admits two input behaviors b|I and c|I that are flow-equivalent (their timing relations have been altered by the network), then p always reconstructs the same timing relations in b and c (up to clock-equivalence).
Definition 1 A process p is endochronous iff there exists I ⊂ V(p) s.t., for all b, c ∈ p, b|I ≈ c|I implies b ∼ c.
Example To check that the filter is endochronous, consider two of its possible traces b and c with flow-equivalent input signals b(y) = (t1, 1)(t2, 0)(t3, 0)(t4, 1) and c(y) = (u1, 1)(u2, 0)(u3, 0)(u4, 1) (they share no tags, but carry the same flow of values). The filter necessarily constructs the output signals b(x) = (t2, 1)(t4, 1) and c(x) = (u2, 1)(u4, 1). One notices that b and c are equivalent by a bijection (ti ↦ ui)0<i<5 on tags: they are clock-equivalent. Hence, the filter is endochronous. This is no longer the case if it is composed with process merge.
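Worked example (added here; this is not code from the report or from Polychrony). The tagged-signal model of Section 2, the processes filter and merge, and the checks of Definition 1 (endochrony, on the two traces above) and Definition 3 (isochrony, on the traces of the introduction) written in Python. Assumptions not on the page: tags are integers standing for t1, t2, ...; booleans are True/False where the introduction writes 1/0; the helper names (filter_proc, merge_proc, endochronous_on, ...) are ours; the untimed merge is read as consuming one y value per true c and one z value per false c; and checking Definition 1 on a finite set of traces can only refute endochrony, not prove it for all behaviors.

```python
"""Tagged-signal semantics of Section 2 (added example, not the paper's code).

A signal is a list of (tag, value) events in tag order and a behaviour is a
dict from signal names to signals.  Tags are integers standing for the
symbolic tags t1, t2, ... of the paper; booleans are Python True/False.
"""


def pre(y, init):
    """x = y pre init: synchronous with y, carries y's previous value, init first."""
    return [(t, init if i == 0 else y[i - 1][1]) for i, (t, _) in enumerate(y)]


def when(y, z):
    """x = y when z: y's event is kept iff z is present and true at the same tag."""
    zt = dict(z)
    return [(t, v) for t, v in y if zt.get(t) is True]


def default(y, z):
    """x = y default z: y's event when y is present, otherwise z's."""
    out = dict(z)
    out.update(y)
    return sorted(out.items())


def filter_proc(y):
    """x = (x = true when (y /= z) | z = y pre true) / z, as defined in Section 2."""
    z = pre(y, True)
    neq = [(t, yv != zv) for (t, yv), (_, zv) in zip(y, z)]
    return when([(t, True) for t, _ in y], neq)


def merge_proc(c, y, z):
    """d = (y when c) default (z when not c): 'd equals if c then y else z'."""
    not_c = [(t, not v) for t, v in c]
    return default(when(y, c), when(z, not_c))


def clock_equivalent(b, c):
    """b ~ c: equal up to an order-preserving bijection on tags (Section 2.1)."""
    def renumber(beh):
        rank = {t: i for i, t in enumerate(sorted({t for s in beh.values() for t, _ in s}))}
        return {n: [(rank[t], v) for t, v in s] for n, s in beh.items()}
    return b.keys() == c.keys() and renumber(b) == renumber(c)


def flow_equivalent(b, c):
    """b ~~ c: same domain and every signal carries the same values in the same order."""
    return b.keys() == c.keys() and all(
        [v for _, v in b[n]] == [v for _, v in c[n]] for n in b)


def endochronous_on(proc, inputs, traces):
    """Definition 1 on a finite set of input traces: flow-equivalent inputs must
    yield clock-equivalent behaviours.  proc maps an input behaviour to the full one."""
    behs = [proc(tr) for tr in traces]
    for b in behs:
        for c in behs:
            same_flow = flow_equivalent({n: b[n] for n in inputs}, {n: c[n] for n in inputs})
            if same_flow and not clock_equivalent(b, c):
                return False
    return True


def filter_behaviour(inp):
    return dict(inp, x=filter_proc(inp["y"]))


# The two flow-equivalent inputs of the example: t1..t4 = 1..4 and u1..u4 = 10..40.
Y_T = [(1, True), (2, False), (3, False), (4, True)]
Y_U = [(10, True), (20, False), (30, False), (40, True)]


def check_filter_endochrony():
    return endochronous_on(filter_behaviour, ["y"], [{"y": Y_T}, {"y": Y_U}])


# Traces of the introduction for the merge: c : (t0,0)(t2,1)(t4,1)(t7,0), z : (t0,1)(t7,0).
C_T = [(0, False), (2, True), (4, True), (7, False)]
Z_T = [(0, True), (7, False)]


def synchronous_flow():
    """Synchronous composition: filter's output feeds merge on shared tags; values only."""
    return [v for _, v in merge_proc(C_T, filter_proc(Y_T), Z_T)]


def asynchronous_flow(ys, cs, zs):
    """Untimed composition (tags forgotten): filter emits on each change of value,
    merge consumes one filter value per true c and one z value per false c."""
    prev, xs = True, []
    for v in ys:
        if v != prev:
            xs.append(True)
        prev = v
    zs, ds = list(zs), []
    for cv in cs:
        ds.append(xs.pop(0) if cv else zs.pop(0))
    return ds


if __name__ == "__main__":
    print(filter_proc(Y_T), check_filter_endochrony())
    print(synchronous_flow(), asynchronous_flow(
        [v for _, v in Y_T], [v for _, v in C_T], [v for _, v in Z_T]))
```

The isochrony check compares the value flow of d produced with the tags kept (synchronous composition) against the flow produced with tags forgotten (asynchronous composition); both give 1 1 1 0 on the introduction's traces, which is what Definition 3 asks for.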
The weaker definition of endochrony, presented next, requires a definition of the union, written r ⊔ s, of two reactions r and s. We say that two reactions r and s are independent iff they have disjoint domains. Two independent reactions of the same time tag t can be merged, as r ⊔ s.
∀x ∈ V(r) ∪ V(s), (r ⊔ s)(x) = if r(x) ≠ ∅ then r(x) else s(x)
For instance,
(y ↦ (t2, 0)) ⊔ (x ↦ (t2, 1)) = (y ↦ (t2, 0), x ↦ (t2, 1))
Definition 2, below, defines the compositional property of weak endochrony in the polychronous model of computation. Informally, process p is weakly endochronous iff it is deterministic and can perform independent reactions r and s in any order. Note that, by Definition 1, endochrony implies weak endochrony (e.g. filter is weakly endochronous).
Definition 2 A process p is weakly endochronous iff
1. p is deterministic: ∃I ⊂ V(p), ∀b, c ∈ p, b|I = c|I ⇒ b = c
2. for all independent reactions r and s, p satisfies:
(a) if b · r · s ∈ p then b · s ∈ p
(b) if b · r ∈ p and b · s ∈ p then b · (r ⊔ s) ∈ p
(c) if b · (r ⊔ s), b · (r ⊔ t) ∈ p then b · r · s, b · r · t ∈ p
Example For instance, the synchronous composition of processes filter and merge is weakly endochronous: it is deterministic and all combinations of reactions consisting of the signals x, y, z and c belong to its possible behaviors.
Definition 3 p and q are isochronous iff p | q ≈ p ‖ q
A process p is non-blocking iff, in any reachable state (characterized by a behavior b), it has
a path to a stuttering state (characterized by a reaction r). Notice that the composition of filter
and merge is non-blocking.
Definition 4 p is non-blocking iff ∀b ∈ p, ∃r, b · r ∈ p
In [18], it is proved that weakly endochronous processes p and q are isochronous if they are
non-blocking (a locally synchronous reaction of p or q yields a globally asynchronous execution
p ‖ q).
3 Formal analysis
For the purpose of program analysis and program transformation, the control-flow tree and the
data-flow graph of multi-clocked Signal specifications are constructed. These data structures
manipulate clocks and signal names.
3.1 Clock and scheduling relations
A clock c denotes a series of instants (a chain of time tags). The clock x̂ of a signal x denotes the instants at which the signal x is present. The clock [x] (resp. [¬x]) denotes the instants at which x is present and holds the value true (resp. false).
c ::= x̂ | [x] | [¬x] (clock)
A clock expression e is either the empty clock, noted 0, a signal clock c, or the conjunction e1 ∧ e2, the disjunction e1 ∨ e2 or the symmetric difference e1 \ e2 of e1 and e2.
e ::= 0 | c | e1 ∧ e2 | e1 ∨ e2 | e1 \ e2 (clock expression)
Signals and clocks are related by synchronization and scheduling relations, noted R. A scheduling relation a →c b specifies that the calculation of the node b, a signal or a clock, cannot be scheduled before that of the node a when the clock c is present.
a, b ::= x | x̂ (node)
A clock relation c = e specifies that the signal clock c is present iff the clock expression e is true. Just as ordinary processes P, relations R are subject to composition R | S and to restriction R/x.
R, S ::= c = e | a →c b | (R | S) | R/x (timing relation)
3.2 Clock inference system
The inference system P : R associates a process P with its implicit timing relations R. Deduction starts from the assignment of clock relations to primitive equations and is defined by induction on the structure of P: the deductions for the composition P | Q and for P/x are induced by the deductions P : R and Q : S for P and Q.
P : R ∧ Q : S ⇒ P | Q : R | S        P : R ⇒ P/x : R/x
In a delay equation x = y pre v, the input and output signals are synchronous, written x̂ = ŷ, and do not have any scheduling relation.
x = y pre v : (x̂ = ŷ)
In a sampling equation x = y when z, the clock of the output signal x is defined by that of ŷ sampled by [z]. The input y is scheduled before the output when both ŷ and [z] are present, written y →x̂ x.
x = y when z : (x̂ = ŷ ∧ [z] | y →x̂ x)
In a merge equation x = y default z the output signal x is present if either of the input signals y or z is present. The first input signal y is scheduled before x when it is present, written y →ŷ x. Otherwise z is scheduled before x, written z →ẑ\ŷ x.
x = y default z : (x̂ = ŷ ∨ ẑ | y →ŷ x | z →ẑ\ŷ x)
A functional equation x = y f z synchronizes and serializes its input and output signals.
x = y f z : (x̂ = ŷ = ẑ | y →x̂ x | z →x̂ x)
We write R |= S to mean that R satisfies S in the Boolean algebra in which timing relations are expressed: composition R | S stands for conjunction and restriction R/x for existential quantification (some examples are given below). For every boolean signal x in V(R), we assume that R |= x̂ = [x] ∨ [¬x] and R |= [x] ∧ [¬x] = 0.
Example To outline the use of clock and scheduling relation analysis in Signal, we consider the specification and analysis of a one-place buffer. Process buffer implements two functionalities: flip and current.
x = buffer(y) def= (x = current(y) | flip(x, y))
The process flip synchronizes the signals x and y to the true and false values of an alternating boolean signal t.
flip(x, y) def= (s = t pre true | t = not s | x̂ = [t] | ŷ = [¬t]) / st
The process current stores the value of an input signal y and loads it into the output signal x upon request.
x = current(y) def= (r = y default (r pre false) | x = r when x̂ | r̂ = x̂ ∨ ŷ) / r
The inference system P : R infers the clock relations that denote the synchronization constraints implied by process buffer. There are four of them:
ŝ = t̂      r̂ = x̂ ∨ ŷ      x̂ = [t]      ŷ = [¬t]
From these equations, we observe that process buffer has three clock equivalence classes. The clocks ŝ, t̂, r̂ are synchronous and define the master clock synchronization class of buffer. Two other synchronization classes, x̂ = [t] and ŷ = [¬t], are samples of the signal t.
r̂ = ŝ = t̂      x̂ = [t]      ŷ = [¬t]
Together with scheduling analysis, the inference system yields the timing relation Rbuffer of the process under analysis.
Rbuffer def= (x̂ = [t] | ŷ = [¬t] | r̂ = x̂ ∨ ŷ | s →ŝ t | y →ŷ r | r →x̂ x) / rst
From Rbuffer, we can deduce r̂ = t̂. Since t is a boolean signal, t̂ = [t] ∨ [¬t] (a signal is always either true or false when present). By definition of Rbuffer, x̂ = [t] and ŷ = [¬t] (x and y are sampled from t). Hence r̂ = x̂ ∨ ŷ = [t] ∨ [¬t] = t̂, i.e. Rbuffer |= (r̂ = t̂).
3.3 Clock hierarchy
The internal data-structures manipulated by the Signal compiler for program analysis and code generation consist of a clock hierarchy and of a scheduling graph. The clock hierarchy represents the control-flow of a process by a partial order relation. The scheduling graph defines a fine-grained scheduling of otherwise synchronous signals.
The structure of a clock hierarchy is denoted by a partial order relation ≼ (b ≼ c reads: the presence of c can be determined once b is known, c is placed under b). It is defined by inductive application of the following rules:
(1) for all boolean signals x of R, define x̂ ≼ [x] and x̂ ≼ [¬x]. This means that, if we know that x is present, then we can determine whether x is true or false.
(2) if b = c is deducible from R then define b ≼ c and c ≼ b, written b ∼ c. This means that if b and c are synchronous, and if either of the clocks b or c is known to be present, then the presence of the other can be determined.
(3) if R |= b1 = c1 f c2, f ∈ {∧, ∨, \}, b2 ≼ c1, b2 ≼ c2 and b2 is maximal (in the sense that b ≼ b2 for any b such that b ≼ c1 and b ≼ c2) then b2 ≼ b1. This means that if b1 is defined by c1 f c2 in g and if both clocks c1 and c2 can be determined once their nearest common bound b2 is known, then b1 can also be determined when b2 is known.
Definition 5 The hierarchy of a process P : R is the transitive closure of the maximal relation ≼ defined by the following axioms and rules:
1. for all boolean signals x, x̂ ≼ [x] and x̂ ≼ [¬x]
2. if R |= b = c then b ≼ c and c ≼ b, written b ∼ c
3. if R |= b1 = c1 f c2, f ∈ {∧, ∨, \}, b2 ≼ c1, b2 ≼ c2 and b2 is maximal then b2 ≼ b1.
We refer to c∼ as the clock equivalence class of c in the hierarchy ≼.
A well-formed hierarchy has no relation b ≼ c that contradicts Definition 5. For instance, the hierarchy of the process x = y and z | z = y when y is ill-formed, since ŷ ∼ [y]. A process with an ill-formed hierarchy may block.
Definition 6 A hierarchy ≼ is ill-formed iff either [x] ≼ x̂ or [¬x] ≼ x̂, for some x, or b1 ≼ b2 for some b1 = c1 f c2 such that b2 ≼ c1, b2 ≼ c2 and b2 ≼ b1.
Example The hierarchy of the buffer is constructed by application of the first and second rules of Definition 5. Rule 2 defines three clock equivalence classes {r̂, ŝ, t̂}, {x̂, [t]} and {ŷ, [¬t]}.
r̂ ∼ ŝ ∼ t̂      [t] ∼ x̂      [¬t] ∼ ŷ
Rule 1 places the first class above the two others and yields the following structure (the upper class dominates the two classes drawn below it):
        r̂ ∼ ŝ ∼ t̂
       /          \
  [t] ∼ x̂      [¬t] ∼ ŷ
Next, one has to define a proper scheduling of all computations to be performed within each clock equivalence class (e.g. to schedule s before t) and across them (e.g. to schedule x or y before r). This task is devoted to scheduling analysis, presented next.
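Worked example (added here; not Polychrony's code nor code from the report). The clock inference of Section 3.2 and rules 1 and 2 of Definition 5 run on process buffer, in Python, reproducing the three classes and the two-level structure above, and detecting the ill-formed hierarchy of x = y and z | z = y when y. Assumptions not on the page: clocks are encoded as strings ('^x' for x̂, '[x]' and '[~x]' for [x] and [¬x]); the sub-expression r pre false is given the name r0; besides the two boolean axioms of Section 3.2, the normaliser uses the two sub-clock facts x̂ ∧ [x] = [x] and x̂ ∨ [x] = x̂ that follow from rule 1; rule 3 of Definition 5 is not needed for the buffer and is not implemented; only the first clause of Definition 6 is checked.

```python
"""Clock inference (Section 3.2) and clock hierarchy (Section 3.3) on the buffer.
Added example, not Polychrony's implementation.  Clocks are strings: '^x' is
the clock of signal x, '[x]' / '[~x]' the instants where boolean x is true /
false.  A clock expression is a clock or a tuple ('and' | 'or', e1, e2)."""


def infer(equations):
    """Clock relations (clock, expression) of primitive equations, Section 3.2."""
    rels = []
    for kind, x, *args in equations:
        if kind == "pre":                        # x = y pre v     : ^x = ^y
            rels.append(("^" + x, "^" + args[0]))
        elif kind == "fun":                      # x = f(y, ..)    : ^x = ^y = ..
            rels += [("^" + x, "^" + y) for y in args]
        elif kind == "when":                     # x = y when e    : ^x = ^y and e
            rels.append(("^" + x, ("and", "^" + args[0], args[1])))
        elif kind == "default":                  # x = y default z : ^x = ^y or ^z
            rels.append(("^" + x, ("or", "^" + args[0], "^" + args[1])))
        elif kind == "clock":                    # explicit relation c = e
            rels.append((x, args[0]))
    return rels


def kind_of(clock):
    """('clock', x) for ^x, ('pos', x) for [x], ('neg', x) for [~x]."""
    if clock[0] == "^":
        return ("clock", clock[1:])
    return ("neg", clock[2:-1]) if clock[1] == "~" else ("pos", clock[1:-1])


class Classes:
    """Union-find over clocks: rule 2 of Definition 5 (b = c gives b ~ c)."""
    def __init__(self):
        self.rep = {}

    def find(self, c):
        self.rep.setdefault(c, c)
        while self.rep[c] != c:
            c = self.rep[c]
        return c

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.rep[ra] = rb
        return True

    def members(self, c):
        r = self.find(c)
        return {k for k in list(self.rep) if self.find(k) == r}


def normalize(e, cl):
    """Rewrite e over class representatives with the axioms ^x = [x] or [~x] and
    [x] and [~x] = 0 (Section 3.2) and the sub-clock facts ^x and [x] = [x],
    ^x or [x] = ^x (from rule 1).  Returns a clock ('0' = empty) or a residual tuple."""
    if isinstance(e, str):
        return cl.find(e)
    op, a, b = e
    a, b = normalize(a, cl), normalize(b, cl)
    if not (isinstance(a, str) and isinstance(b, str)):
        return (op, a, b)
    if a == b:
        return a
    ka = {kind_of(k) for k in cl.members(a)}
    kb = {kind_of(k) for k in cl.members(b)}
    for x in {n for _, n in ka}:
        clk, pos, neg = ("clock", x), ("pos", x), ("neg", x)
        a_sample, b_sample = ka & {pos, neg}, kb & {pos, neg}
        opposite = (pos in ka and neg in kb) or (neg in ka and pos in kb)
        if op == "or":
            if opposite:
                return cl.find("^" + x)          # [x] or [~x] = ^x
            if clk in ka and b_sample:
                return a                         # ^x or [x] = ^x
            if clk in kb and a_sample:
                return b
        else:
            if clk in ka and b_sample:
                return b                         # ^x and [x] = [x]
            if clk in kb and a_sample:
                return a
            if opposite:
                return "0"                       # [x] and [~x] = 0
    return (op, a, b)


def hierarchy(equations):
    """Clock equivalence classes (rule 2, to a fixpoint) and the 'above' map of
    rule 1: the class of ^x is placed above the classes of [x] and [~x]."""
    cl, rels = Classes(), infer(equations)
    changed = True
    while changed:
        changed = False
        for c, e in rels:
            n = normalize(e, cl)
            if isinstance(n, str) and n != "0":
                changed |= cl.union(c, n)
    above = {}
    for k in list(cl.rep):
        if k[0] == "[":
            above[cl.find(k)] = cl.find("^" + kind_of(k)[1])
    return cl, above


def well_formed(cl):
    """First clause of Definition 6: no sample [x] or [~x] may collapse into ^x."""
    return all(cl.find(k) != cl.find("^" + kind_of(k)[1])
               for k in list(cl.rep) if k[0] == "[")


# Process buffer of Section 3.2; 'r0' names the sub-expression r pre false.
BUFFER = [("pre", "s", "t"), ("fun", "t", "s"),                  # flip
          ("clock", "^x", "[t]"), ("clock", "^y", "[~t]"),
          ("pre", "r0", "r"), ("default", "r", "y", "r0"),      # current
          ("when", "x", "r", "^x"), ("clock", "^r", ("or", "^x", "^y"))]
ILL_FORMED = [("fun", "x", "y", "z"), ("when", "z", "y", "[y]")]  # x = y and z | z = y when y

if __name__ == "__main__":
    cl, above = hierarchy(BUFFER)
    print({cl.find(c): sorted(cl.members(c)) for c in ("^t", "^x", "^y")}, above, well_formed(cl))
    print(well_formed(hierarchy(ILL_FORMED)[0]))
```

The fixpoint matters: r̂ = x̂ ∨ ŷ only collapses to r̂ ∼ t̂ once x̂ ∼ [t] and ŷ ∼ [¬t] are known, and x̂ = r̂ ∧ x̂ only resolves after r̂ ∼ t̂, which is exactly the deduction written out at the end of Section 3.2.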
3.4 Disjunctive form
But, before that, Polychrony attempts to eliminate all clocks that are expressed using symmetric difference from the graph g of a process. This transformation consists in rewriting clock expressions of the form e1 \ e2 present in the synchronization and scheduling relations of g in a way that no longer denotes the absence of an event e2, but that is instead computable from the presence or the value of signals.
Example In the case of process current, for instance, consider the alternative input r pre false in the first equation:
r = y default (r pre false)
Its clock is r̂ \ ŷ, meaning that the previous value of r is assigned to r only if y is absent. To determine that y is absent, one needs to relate this absence to the presence or the value of another signal.
In the present case, there is an explicit clock relation in the alternate process: ŷ = [¬t]. It says that y is absent iff t is present and true. Therefore, one can test the value of t instead of the presence or absence of y in order to deterministically assign either y or r pre false to r:
y →[¬t] r      (r pre false) →[t] r
In [?], it is shown that the symmetric difference c \ d between two clocks c and d has a disjunctive form only if c and d have a common minimum b in the hierarchy ≼ of the process, i.e.,
c ≽ b ≼ d
We say that the timing relation R is in disjunctive form iff it has no clock expression defined by symmetric difference. The implicit reference to absence incurred by symmetric difference can be made explicit as c \ d def= c ∧ ¬d, where ¬e denotes the complement of the clock e, and can be isolated using logical decomposition rules:
• conjunction ¬(c ∧ d) def= ¬c ∨ ¬d and disjunction ¬(c ∨ d) def= ¬c ∧ ¬d;
• positive ¬[x] def= ¬x̂ ∨ [¬x] and negative ¬[¬x] def= ¬x̂ ∨ [x] signal occurrences.
The reference to the absence of a signal x, noted ¬x̂, is eliminated if (and only if) one of the possible elimination rules applies:
• The zero rule: x̂ ∧ ¬x̂ def= 0, because a signal is either present or absent, exclusively.
• The one rule: c ∧ (x̂ ∨ ¬x̂) def= c, because the presence or the absence of a signal is subsumed by any clock c.
• The synchrony rule: if d ∼ x̂ then ¬x̂ def= ¬d, to mean that if ¬x̂ cannot be eliminated but x̂ is synchronous to the clock d, then ¬d may possibly be eliminated instead.
Example In the case of process current in the example of the buffer one has that
ŷ ∼ [¬t]      x̂ ∼ [t]      r̂ ∼ t̂
Hence x̂ ≽ t̂ ≼ ŷ and therefore r̂ \ ŷ can be interpreted as [t]: r̂ \ ŷ = t̂ ∧ ¬[¬t] = t̂ ∧ (¬t̂ ∨ [t]) = (t̂ ∧ ¬t̂) ∨ (t̂ ∧ [t]) = 0 ∨ [t] = [t].
Timing relations are in disjunctive form iff they have no clock defined by a symmetric difference relation. For instance, suppose that d ∼ [x] and that c ≽ b ≼ d. Then the expression c \ d can be eliminated because it can be expressed as c ∧ [¬x].
Definition 7 A process P of timing R and hierarchy ≼ is well-clocked iff ≼ is well-formed and R is disjunctive.
3.5 Scheduling graph
Given the control-flow backbone produced using the hierarchization algorithm and clock equa-
tions in disjunctive form, the compilation of a Signal specification reduces to finding a proper
way to schedule computations within and across clock equivalence classes. The inference sys-
tem of the previous section defines the precise scheduling between the input and output signals
of process buffer. Notice that t is needed to compute the clocks xˆ and yˆ.
s→sˆ t y →yˆ r r →xˆ x
As seen in the previous section, however, the calculation of clocks in disjunctive form induces
additional scheduling constraints, and, therefore, one has to take them into account at this stage.
This is done by refining the R with a reinforced one, S, satisfying S |= R, and by ordered
application of the following rules:
1. S |= xˆ →xˆ x for all x ∈ V(P ). This means that the calculation of x cannot take place
before its clock xˆ is known.
2. if R |= xˆ = [y] or R |= xˆ = [¬y] then S |= y →yˆ xˆ. This means that, if the clock of x is
defined by a sample of y, then it cannot be computed before the value of y is known.
3. if R |= xˆ = yˆ f zˆ with f ∈ {∨,∧} then S |= yˆ →yˆ xˆ | zˆ →zˆ xˆ. This means that, if the
clock of x is defined by an operation on two clocks y and z, then it cannot be computed
before these two clocks are known.
Reinforcing the scheduling graph of the buffer yields a refinement of its inferred graph with a structure implied by the calculation of clocks (clocks on arrows are omitted to lighten the depiction). Notice that t is now scheduled before the clocks xˆ and yˆ.
(reinforced scheduling graph of the buffer: tˆ → t, sˆ → s → t, t → xˆ → x, t → yˆ → y, rˆ → r → x and y → r)
Code can be generated starting from this refined structure only if the graph is acyclic. To check whether it is or not, we compute its transitive closure:
1. if R |= a →c b then R |= a c b. This just states that the construction of the transitive closure relation starts from the scheduling graph → of the process.
2. if R |= a c b and R |= a d b then R |= a c∨d b. If b is scheduled after a at clock c and at clock d, then it is scheduled after a at clock c ∨ d.
3. if R |= a c b and R |= b d z then R |= a c∧d z. If b is scheduled after a at clock c and z after b at clock d, then z is necessarily scheduled after a at clock c ∧ d.
The complete graph R of a process P is acyclic iff R |= ae a implies R |= e = 0 for all nodes a of R. The graph of our example is acyclic.
Definition 8 A process P of timing relations R is acyclic iff the transitive closure  of its scheduling relations R satisfies, for all nodes a, if ae a then R |= e = 0.
3.6 Sequential code generation
Together with the control-flow graph implied by the timing relations of a process, the scheduling
graph is used by Polychrony to generate sequential or distributed code. To sequentially schedule
this graph, Polychrony further refines it in order to remove internal concurrency without affecting
its composability with the environment. This is done by observing the following rule.
Definition 9 The scheduling graph of S reinforces R iff, for any graph T such that R | T is acyclic, R | S | T is acyclic as well.
Starting from a sequential schedule and a hierarchy of process buffer, Polychrony generates
simulation code split in several files.
int main() {
  bool code;
  buffer_OpenIO();
  code = buffer_initialize();
  while (code) code = buffer_iterate();
  buffer_CloseIO();
}
The main C file consists of opening the input-output streams of the program, of initializing the
value of delayed signals and iteratively executing a transition function until no values are present
along the input streams (return code 0). Simulation is finalized by closing the IO streams.
The most interesting part is the transition function. It translates the structure of the hierarchy
and of the serialized scheduling graph in C code. It also makes a few optimizations along the
way. For instance, r has disappeared from the generated code. Since the value stored in y from
one iteration to another is the same as that of r, it is used in place of it for that purpose.
In the C code, the three clock equivalence classes of the hierarchy correspond to three blocks: line 2 (class sˆ ∼ tˆ), lines 3 to 5 (class [t] ∼ yˆ) and lines 6 to 9 (class [¬t] ∼ xˆ). The sequence of instructions between these blocks follows the sequence t → y → x of the scheduling graph. Line 10 is the finalization of the transition function: it stores the value that s will hold at the next iteration.
01. bool buffer_iterate () {
02.   t = !s;
03.   if (t) {
04.     if (!r_buffer_y(&y)) return FALSE;
05.   }
06.   if (!t) {
07.     x = y;
08.     w_buffer_x(x);
09.   }
10.   s = t;
11.   return TRUE;
12. }
Also notice that the return code is true, line 11, when the transition function finalizes, but
false if it fails to get the signal y from its input stream, line 4. This is fine for simulation code, as
we expect the simulation to end when the input stream sample reaches the end. Embedded code
does, of course, operate differently. It either waits for y or suspends execution of the transition
function until it arrives.
3.7 Endochrony revisited
The above code generation scheme yields a way to analyze, transform and execute endochronous specifications. The buffer process, for instance, satisfies this property. Literally, it means that the buffer is locally timed. In the transition function of the buffer, this is easy to notice by observing that, at all times, the function synchronizes on either receiving y from its environment or sending x to its environment. Hence, the activity of the transition function is locally paced by the instants at which the signals x and y are present.
However, remember that the structure of control in the transition function is constructed using
the hierarchy of process buffer. In the case of an internally timed process, this structure has the
particular shape of a tree.
if (t) {
  if (!r_buffer_y(&y)) return FALSE;
} else {
  x = y;
  w_buffer_x(x);
}
At any time, one can always start reading the state s of the buffer, and calculate t. Then, if t is true, one emits x and, otherwise, one receives y. The presence of any signal in process buffer is determined from the value of a signal higher in the hierarchy or, ultimately, from its root.
(hierarchy of the buffer: root rˆ ∼ sˆ ∼ tˆ with children [t] ∼ xˆ and [¬t] ∼ yˆ)
Formally, whatever the exact time samples t1 and t2 at which it receives an input signal y, or the
time samples u1 and u2 at which it sends an output signal x, the buffer always behaves according
to the same timing relations: ti occurs strictly before ui and s is always used at ti and ui.
(timing diagram: y is received at t1, t2, t′1, t′2; s is used at t1, u1, t2, u2, t′1, u′1, t′2, u′2; x is sent at u1, u2, u′1, u′2)
The timing relations between the signals x and y of the buffer are independent from latency
incurred by communications with its environment: this is the formal definition of endochrony
given in [9].
4 Compositional design criterion
We shall revisit the above schema in light of the compositional design methodology to be pre-
sented. We start by formulating a decision procedure that uses the clock hierarchy and the
scheduling graph of a Signal process to compositionally check the property of isochrony.
Compilability We start by considering the class of Signal processes P that are reactive and
deterministic.
Definition 10 A process P is compilable iff it is acyclic and its relations R are well-clocked.
Property 1 A compilable process P is reactive and deterministic.
Proof An immediate consequence of Property 5, in [20], where a well-clocked and acyclic
process is proved to be deterministic.
Roots of a hierarchy Next, we consider the structure of a compilable Signal specification. It is
possibly paced by several, independent, input signals. It necessarily corresponds to a hierarchy
 that has several roots. To represent them, we refer to ◦ as the minimal clock equivalence
classes of , and to c as the tree of root c in the hierarchy .
◦= {c∼ | c ∈ min } c= {(c, d)}∪ d | c  d
When the hierarchy of a process has a unique root, it is endochronous: the presence of any clock is determined by the presence and values of clocks above it in the hierarchy.
Definition 11 A process p is hierarchic iff its hierarchy has a unique root.
Property 2 A compilable and hierarchic process p is endochronous.
Proof A detailed proof appears in [20].
Example The hierarchies of process filter (Section 1), left, and of the buffer, right, are both
hierarchic: they are endochronous. Let e = ([y] ∧ [¬z]) ∨ ([¬y] ∧ [z]) and f = ([¬y] ∧ [¬z]) ∨
([y] ∧ [z]),
(hierarchies: left, the filter with root yˆ ∼ zˆ and children xˆ ∼ e and f; right, the buffer with root rˆ ∼ sˆ ∼ tˆ and children xˆ ∼ [t] and yˆ ∼ [¬t])
By contrast, a process with several roots necessarily defines concurrent threads of execution. Indeed, and by definition of a hierarchy, its roots cannot be expressed or calculated (or, a fortiori, synchronized or sampled) one with the others. Hence, they naturally define the source of concurrency for the verification of weak endochrony.
4.1 Model checking weak endochrony
Checking that a compilable process p is weakly endochronous reduces to proving that the roots
of a process hierarchy satisfy property (2a) of definition 2 by using bounded model checking.
Property (2a) can be formulated as an invariant in Signal and submitted to its model checker
Sigali [10].
(1) i = StateIndependent(x, y) def=
    ( [cxt+1] = xˆ | cxt = cxt+1 pre false | [cyt+1] = yˆ | cyt = cyt+1 pre false
    | i = (not cxt or cyt) or (cxt+1 or not cyt+1) or (cxt and cyt)
    ) / cxt, cxt+1, cyt, cyt+1
The invariant returned by StateIndependent (x, y) is defined for all pairs of root clock equiva-
lence classes. It says that, if x is present and y absent at time t (i.e. cxt∧¬cyt) and if y is present
and x absent at time t + 1 (i.e. ¬cxt+1 ∧ cyt+1) then x and y can both be present at time t (i.e.
cxt ∧ cyt), written (¬cxt ∨ cyt) ∨ (cxt+1 ∨ ¬cyt+1) ∨ (cxt ∧ cyt).
Properties (2b-2c) can similarly be checked with the properties OrderIndependent and FlowIndependent.
Property OrderIndependent is defined by (cxt ∧ ¬cyt) ∧ (cyt ∧ ¬cxt) ⇒ (cxt ∧ cyt). It means
that x and y are independently available at all times.
(2) i = OrderIndependent(x, y) def=
    ( [cxt] = xˆ | [cyt] = yˆ | i = (not cxt or cyt) or (cxt or not cyt) or (cxt and cyt)
    ) / cxt, cyt
Property FlowIndependent is defined for any signal z ∈ V(p) by czt ∧ ((cxt ∧ ¬cyt) ∧ (cyt ∧ ¬cxt)) ⇒ czt ∧ ((cxt+1 ∧ ¬cyt+1) ∨ (cyt+1 ∧ ¬cxt+1)).
(3) i = FlowIndependent(x, y, z) def=
    ( [cxt+1] = xˆ | [cyt+1] = yˆ | [czt+1] = zˆ
    | cxt = cxt+1 pre false | cyt = cyt+1 pre false | czt = czt+1 pre false
    | i = (not czt or ((not cxt or cyt) or (cxt+1 or not cyt+1)))
         or (czt and ((cxt+1 and not cyt+1) or (not cxt+1 and cyt+1)))
    ) / cxt, cxt+1, cyt, cyt+1, czt, czt+1
When the clock hierarchy of a compilable process P consists of multiple roots, we can use
the above properties to verify that it is weakly endochronous.
Property 3 A compilable process P whose roots satisfy criteria (1-3) is weakly endochronous.
Proof We observe that the formulation of properties (1 − 3) directly translates Definition 2 in terms of timed Boolean equations. Since they are expressed in Signal, one can model-check them against the specification of the process P under consideration to verify that it is weakly endochronous.
4.2 Static checking isochrony
Unfortunately, model-checking is unaffordable for purposes such as program transformation or
code generation. In the aim of generating sequential or concurrent code starting from weakly
endochronous specifications, we would like to define a simple and cost-efficient criterion to
allow for a large and easily identifiable class of weakly endochronous programs to be statically
checked and compiled. To this end, we define the following formal design methodology.
Definition 12 If P is compilable and hierarchic then it is weakly hierarchic. If P and Q are weakly hierarchic and P |Q is well-clocked and acyclic, then P |Q is weakly hierarchic.
By induction on its structure, a process P is weakly hierarchic iff it is compilable and its hierarchy has roots r1..n such that, for all 1 ≤ i < n, Xi = V(ri), Pi = P |Xi is weakly hierarchic and the pair (∏_{j=1..i} Pj, Pi+1) is well-clocked and acyclic.
Theorem 1
1. A weakly hierarchic process P is weakly endochronous.
2. If P,Q are weakly hierarchic and P |Q is well-clocked and acyclic then P and Q are
isochronous.
Proof
1. By definition, a weakly hierarchic process P consists in the composition of a series of
processes Pi that are individually compilable and hierarchic, hence endochronous. Since
endochrony implies weak endochrony, and since weak endochrony is preserved by com-
position, the composition P of the Pis is weakly endochronous.
2. Consider the hierarchy of any pair of endochronous processes Pi and Pj in P |Q that
share a common signal x of clock xˆ. The processes Pi and Pj have roots ri and rj and
synchronize on xˆ at a sub-clock ci, computed using ri (since Pi is hierarchic) and at a
clock cj , computed using rj (since Pj is hierarchic).
(hierarchies of Pi and Pj: roots ri and rj, whose subtrees both reach the shared class {ci, xˆ, cj})
Since Pi |Pj is well-clocked, the clocks ci, cj and hence xˆ have a disjunctive form. Hence,
it cannot be the case that xˆ is defined by the symmetric difference of a clock under ri and
another (e.g. under rj). Therefore, any reaction initiated in Pi to produce xˆ can locally
and deterministically decide to wait for a rendez-vous with a reaction of Pj consuming xˆ.
Since Pi and Pj are well-formed, then it cannot be the case that xˆ = 0, which would mean
that the rendez-vous would never happen. Finally, since Pi |Pj is acyclic, the rendez-vous
of ci and cj cannot deadlock. This holds for any pair of endochronous processes Pi and Pj
in P |Q, hence P |Q is non-blocking.
3. These conditions precisely correspond to the weak isochrony criterion of [18], namely,
that non-blocking composition (2) of weakly endochronous processes (1) is isochronous.
Consequently, the composition of P and Q is isochronous.
A compositional design methodology Our static criterion for checking that the composition of endochronous processes is isochronous defines a cost-effective methodology for the integration of components in the aim of architecture exploration or simulation. Interestingly, this formal
methodology meets most of the engineering practice and industrial usage of Signal: the real-time
simulation of embedded architectures (e.g. integrated modular avionics) starting from hetero-
geneous functional blocks (endochronous data-flow functions) and architecture service models
(e.g. [11]).
Example of a loosely time-triggered architecture We consider a simple yet realistic case study built upon the examples we previously presented. We wish to design a simulation model for a loosely time-triggered architecture (LTTA). The LTTA is composed of three devices, a writer, a bus, and a reader. Each device is paced by its own clock.
At the nth clock tick (time tw(n)), the writer generates the value xw(n) and an alternating
flag bw(n). At any time tw(n), the writer’s output buffer (yw, bw) contains the last value that was
written into it. At tb(n), the bus fetches (yw, bw) to store in the input buffer of the reader, denoted
by (yb, bb). At tr(n), the reader loads the input buffer (yb, bb) into the variables yr(n) and br(n).
Then, in a similar manner as for an alternating bit protocol, the reader extracts yr(n) iff br(n) has
changed.
(figure: the writer, bus and reader, each paced by its own clock tw, tb, tr, connected through the buffers (yw, bw), (yb, bb) and (yr, br); below, a timeline of the writer, bus and reader ticks with the values xw written and xr read)
A simulation model of the LTTA To model an LTT architecture in Signal, we consider two
data-processing functions that communicate by writing and reading values on an LTT bus. In
Signal, we model an interface of these functions that exposes their (limited) control. The writer
accepts an input xw and defines the boolean flag bw that is carried along with it over the bus.
(yw, bw) = writer(xw, cw) def= ( xˆw = bˆw = [cw] | yw = xw | bw = not (bw pre true) )
The reader loads its inputs yr and br from the bus and filters xr upon a switch of br.
xr = reader(yr, br, cr) def= ( xr = yr when filter(br) | yˆr = [cr] )
The bus buffers and forwards the inputs yw and bw to the reader. The clock cb is not used since
the buffers have local clocks.
(yr, br) = bus(yw, bw, cb) def= ( (yr, br) = buffer(buffer(yw, bw)) )
The process ltta is defined by its three components reader, bus and writer.
xr = ltta(xw, cw, cb, cr) def= ( xr = reader(bus(writer(xw, cw), cb), cr) )
We observe that the hierarchy of the LTTA is composed of four trees. Each tree corresponds to an
endochronous and separately compiled process, connected to the other at four rendez-vous points
(depicted by equivalence relations∼). The LTTA itself is not endochronous, but it is isochronous
because its four components are endochronous and their composition is well-clocked and acyclic.
(hierarchy of the LTTA: four trees rooted at cˆw, rˆw ∼ sˆw ∼ tˆw, rˆr ∼ sˆr ∼ tˆr and cˆr; their leaves meet at the rendez-vous classes bˆw xˆw [cw] ∼ xˆbw [tw], [¬tw] yˆbw ∼ [tr] xˆbr, [¬tr] yˆbr ∼ yˆr bˆr [cr], with [fr] xˆr below cˆr)
5 A compositional code generation scheme
The above design methodology invites us to revisit the code generation process of Polychrony in the aim of implementing a separate compilation technique which accommodates the concurrent composition of endochronous processes by synthesizing rendez-vous protocols to compositionally interface processes. As we observe, it defines a new way to regard design using a synchronous multi-clocked model of computation by the component-based integration of endochronous functionalities, hence favoring modular exploration of the design space. We start this exposition by a careful analysis of the current features and limitations of Polychrony's code generator.
5.1 Current scheme
The sequential, concurrent and distributed code generation schemes in Polychrony all rely on the property of endochrony to generate the code. This observation also holds for code generation in related synchronous languages, Lustre and Esterel, without much salient difference. However, it is well known that endochrony is not preserved by composition. To illustrate that, consider the following pair of processes, a producer and a consumer. The producer increments its output u when its input a is true and increments its output x otherwise.
(u, x) = producer(a) def=
    ( uˆ = [a] | u = 1 + (u pre 0)
    | xˆ = [¬a] | x = 1 + (x pre 0) )
(hierarchy of the producer: root aˆ with children [a] ∼ uˆ and [¬a] ∼ xˆ)
The consumer adds the value of x to the count v when b is true and 1 otherwise. Hierarchies are
depicted on the right.
y = consumer(b, x) def=
    ( vˆ = bˆ | xˆ = when b
    | v = (v pre 0) + (x default 1) )
(hierarchy of the consumer: root bˆ ∼ vˆ with children [b] ∼ xˆ and [¬b])
The signal x default 1 is implicitly created. It has the same clock as b, its value is that of x at the
clock [b] and 1 at the clock [¬b]. Notice that the producer and the consumer are endochronous
(their hierarchies are trees). Now, consider the composition of producer and consumer in the
main process below.
(u, v) = main(a, b) def= ( (u, x) = producer(a) | v = consumer(b, x) )
Polychrony produces a hierarchy in which two synchronized boolean signals Ca and Cb are added on top of the hierarchies of the producer and the consumer. This makes it possible to (artificially) form an endochronous simulation process that relies on the environment to determine when to read a and/or b.
(hierarchy: root Ca ∼ Cb; below it, [Ca] ∼ aˆ with children [a] ∼ uˆ and [¬a] ∼ xˆ ∼ [b], and [Cb] ∼ bˆ ∼ vˆ with children [b] (merged with [¬a] ∼ xˆ) and [¬b])
This structure yields the generation of code that differs from what we have seen so far in that
the transition function now expects the clocks Ca and Cb to be synchronously delivered by the
environment, instead of being computed internally.
bool main_iterate() {
  if (!r_main_C_a(&C_a)) return FALSE;
  if (!r_main_C_b(&C_b)) return FALSE;
  if (C_b) {
    if (!r_main_b(&b)) return FALSE;
  }
  if (C_a) {
    if (!r_main_a(&a)) return FALSE;
    C_ = !a;
    if (a) {
      u = 1 + u;
      w_main_u(u);
    }
    if (C_) {
      x = 1 + x;
    }
  }
  C__63 = (C_a ? C_ : FALSE);
  if ((C_) != b)
    polychrony_exception("Exception for (C_, b)");
  if (C_b) {
    if (C__63) XZX_36 = x;
    else XZX_36 = 1;
    v = v + XZX_36;
    w_main_v(v);
  }
  C_ = FALSE;
  return TRUE;
}
In the C code, the functions r_main_C_a, r_main_C_b, r_main_a and r_main_b read the input signals Ca, Cb, a, b and the functions w_main_u and w_main_v write the outputs u and v.
The compiler places the clocks [¬a], xˆ and [b] in the same equivalence class. However, one easily notices that the equation [¬a] = [b], incurred by the composition of the producer and the consumer, is non-trivial. At present, it is reported as a so-called “clock constraint” by Polychrony.
To handle this clock constraint, Polychrony can either generate a proof obligation, which will have to be checked by the user, or generate defensive code to raise an exception if the clock constraint is violated during execution. In the generated code below, if (!a) != b, an exception is reported by the simulation loop.
The functionality of Polychrony to detect and report such a constraint is central in the code
generation scheme that will be presented next. Let us have a second look at the present situation:
- the producer and the consumer are endochronous
- the signal x is defined in one process, the producer
- its clock xˆ is used in both processes
In the composition of the consumer and the producer, one can hence define x by a shared variable and use its clock constraint to define when it can deterministically be defined and/or used by either of the processes.
5.2 Contributed code generation scheme
Our contribution builds upon this simple idea, that is suitable for the simulation of otherwise
deterministic specifications, and uses the facility of Polychrony to report clock constraints (such
as [b] = [¬a]) and to export independent clocks (such as Ca and Cb) to build a scheduler that
satisfies the expected safety properties.
In this aim, and first of all, we would like to avoid increasing the interface of the program
(with Ca or Cb) in order to have an efficient (sequential or concurrent) execution scheme. In the
present code generation scheme of Polychrony, Ca and Cb are added to rebuild an endochronous
simulation loop.
In the present case, however, the composition of the producer and the consumer is weakly
endochronous: the very interleaving of a and b during execution is not relevant to the correct
propagation of input and output values. The transitions involving only a or only b may be exe-
cuted in any order. However, transitions involving both a and b need to be synchronized. This is
precisely where the clock constraint [b] = [¬a] comes into play.
Building a controller
Using the information provided by Polychrony, namely, the export of the non-hierarchized clocks Ca and Cb and the report of a clock constraint on shared signals such as [b] = [¬a], we can easily build a process for controlling the execution of the composition of the producer and the consumer so as to keep it within a suitable safety objective.
To allow for a correct resynchronization on the values of x, the controller needs to obey the
requirement expressed by the clock constraint [¬a] = [b] while imposing no additional synchro-
nization constraint (on a or b).
Nicely, this controller can be expressed and synthesized in Signal. It uses the clock constraint
of the shared variable (xˆ = when not a = when b) to synchronize instants that need to be.
The controller accepts the input signals a and b and feeds the producer and the consumer
with copies c and d until one of the constraints is met, [when not a] or [when b]. As soon as
this occurs, it stops reading input from the signal (a or b), suspending the corresponding process,
until the other meets the constraint.
(c, d) = controller(a, b) def=
    ( c = scheduler(a, ra, r)
    | d = scheduler(b, rb, r)
    | ra = not a default (ra pre false)
    | rb = b default (rb pre false)
    | r = ra and rb
    ) / ra, rb, r
The controller contains two schedulers that are responsible for suspending and resuming the
input signals a and b (hence the producer and the consumer) in order to correctly schedule the
operations in the sequential implementation of the rendez-vous.
y = scheduler(x, rx, r) def=
    ( xˆ = true when cx
    | rx = not a default r′x
    | r′x = rx pre false
    | cx = (true when (r pre false)) default (false when r′x) default true
    | cy = (cx and not rx) or r
    | y = (x cell cy) when cy
    ) / cx, cy
Last, we need to patch the main program with the controller to correctly feed the producer and
the consumer with the values of a and b that satisfy the clock constraint.
(u, v) = main(a, b) def=
    ( (u, x) = producer(c) | v = consumer(d, x) | (c, d) = controller(a, b) ) / c, d, x
Notice that each of the producer and the consumer is able to independently react when either
[¬a] or [b] holds, as no synchronization needs to take place in those cases.
Sequential code generation scheme
The controller is built upon the clocks exported and the constraints reported by Polychrony. This provides sufficient information to generate the necessary code to control the execution of the composition of endochronous processes.
In the controlled main program, variables prefixed with pre_ register the values of the signal with the corresponding suffix until the next cycle. The generated r variables translate the synchronization obligation implied by the reported clock constraint as r = ra && rb. Functions named {r|w}_main_x read and write the signal x.
As opposed to the generated code presented in Section ??, the present program does not need its master clocks to be synchronized: C_a and C_b are local variables, not input signals. As a result, the interface of the composition of the producer and the consumer is the union of their interfaces.
We observe that, since the producer and the consumer are endochronous, and since their composition is such that all clocks can be computed (they all have a disjunctive form), the main program is weakly isochronous in the sense of [17]: any synchronous reaction, initiated from one side, yields a globally isochronous execution. This leads to a generic methodological principle, presented next.
bool main_iterate() {
  /* c = scheduler (a, ra, r) */
  if (pre_r) C_a = TRUE;
  else if (pre_ra) C_a = FALSE;
  else C_a = TRUE;
  if (C_a) {
    if (!r_main_a(&a)) return FALSE;
  }
  if (C_a) ra = !a;
  else ra = pre_ra;
  /* d = scheduler (b, rb, r) */
  if (pre_r) C_b = TRUE;
  else if (pre_rb) C_b = FALSE;
  else C_b = TRUE;
  if (C_b) {
    if (!r_main_b(&b)) return FALSE;
  }
  if (C_b) rb = b;
  else rb = pre_rb;
  /* main */
  r = ra && rb;
  C_c = (C_a && !ra) || r;
  C_d = (C_b && !rb) || r;
  /* (x,u) = producer (c) */
  C_1 = FALSE;
  if (C_c) {
    C_1 = !a;
    if (a) {
      u = 1 + u;
      w_main_u(u);
    }
    if (C_1) x = 1 + x;
  }
  /* y = consumer (d,x) */
  C_2 = (C_c ? C_1 : FALSE);
  if (C_d) {
    if (C_2) X_1 = x;
    else X_1 = 1;
    v = v + X_1;
    w_main_v(v);
  }
  /* finalisation */
  pre_ra = ra;
  pre_rb = rb;
  pre_r = r;
  return TRUE;
}
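To see the controller at work, here is an added Python transcription of the controlled main program (my own example, not code from the paper or from Polychrony), run on constructed input streams for a and b; it also checks the same streams against the synchronous simulation loop of Section 5.1, to show where the defensive exception on [¬a] = [b] would fire. The list-based streams, the run_controlled and uncontrolled_violation helpers and the log format are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ControlledMain:
    """State of main = producer(c) | consumer(d, x) | controller(a, b),
    following the structure of the generated sequential code."""
    a_in: List[bool]           # input stream of a, consumed as the scheduler allows
    b_in: List[bool]           # input stream of b
    u: int = 0                 # u pre 0
    v: int = 0                 # v pre 0
    x: int = 0                 # x pre 0 (the shared variable)
    a: bool = False            # last value read on a
    b: bool = False            # last value read on b
    pre_ra: bool = False       # ra pre false
    pre_rb: bool = False       # rb pre false
    pre_r: bool = False        # r pre false
    u_out: List[int] = field(default_factory=list)
    v_out: List[int] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def iterate(self) -> bool:
        # c = scheduler(a, ra, r): a is read unless it is suspended (ra held
        # from a previous reaction) and the rendez-vous r has not happened yet.
        c_a = True if self.pre_r else not self.pre_ra
        if c_a:
            if not self.a_in:
                return False          # end of the input stream of a
            self.a = self.a_in.pop(0)
        ra = (not self.a) if c_a else self.pre_ra
        # d = scheduler(b, rb, r), symmetric for b
        c_b = True if self.pre_r else not self.pre_rb
        if c_b:
            if not self.b_in:
                return False
            self.b = self.b_in.pop(0)
        rb = self.b if c_b else self.pre_rb
        # r = ra and rb: both sides have reached the constraint [not a] = [b]
        r = ra and rb
        c_c = (c_a and not ra) or r   # the producer may react (copy c present)
        c_d = (c_b and not rb) or r   # the consumer may react (copy d present)
        # (u, x) = producer(c)
        c_1 = False                   # clock [not a] of x in this reaction
        if c_c:
            c_1 = not self.a
            if self.a:
                self.u += 1
                self.u_out.append(self.u)
            if c_1:
                self.x += 1
        # v = consumer(d, x): "x default 1" is x only when x was just produced
        if c_d:
            x_1 = self.x if (c_c and c_1) else 1
            self.v += x_1
            self.v_out.append(self.v)
        self.log.append(f"read_a={c_a} read_b={c_b} producer={c_c} consumer={c_d} r={r}")
        # finalisation: delayed signals for the next reaction
        self.pre_ra, self.pre_rb, self.pre_r = ra, rb, r
        return True


def run_controlled(a_in: List[bool], b_in: List[bool]) -> Tuple[List[int], List[int], List[str]]:
    """Run the controlled main program until one input stream is exhausted."""
    m = ControlledMain(list(a_in), list(b_in))
    while m.iterate():
        pass
    return m.u_out, m.v_out, m.log


def uncontrolled_violation(a_in: List[bool], b_in: List[bool]) -> Optional[int]:
    """The Section 5.1 simulation loop reads a and b at every reaction. Return
    the first reaction (1-based) at which the clock constraint [not a] = [b]
    fails, i.e. where the generated defensive code raises its exception."""
    for n, (a, b) in enumerate(zip(a_in, b_in), start=1):
        if (not a) != b:
            return n
    return None


# Constructed streams: the producer sees a = true, false, true, false while the
# consumer sees b = false, false, true, true, so the second reaction already
# breaks [not a] = [b] when both are read synchronously.
A_STREAM = [True, False, True, False]
B_STREAM = [False, False, True, True]
```

On these streams the controller suspends the producer after its second read of a (ra holds) until the consumer reads b = true, then lets both react together, so every x produced is consumed exactly once.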
Compositionality
In our example, we observe that, should the main process be composed with an additional endochronous process (or weakly endochronous network), then we would only need to build an additional controller between those two, based on the same principle as previously mentioned: to capture the clocks exported by Polychrony and to implement rendez-vous between toplevel clock constraints (here: bˆ = [c]) in the hierarchy.
(u, w) = main2(a, b, c) def= ( (u, v) = main(a, d) | w = consumer(e, v) | (d, e) = controller2(b, c) ) / d, e
Concurrent code generation scheme
The generation of code for concurrent execution differs from sequential code generation by the
construction of clusters that match the physical partition of signals on the target execution ar-
chitecture. In the present case, these clusters are the composed endochronous processes, the
producer and the consumer.
Our compilation technique for sequential code generation can easily be adapted to concurrent execution. It allows one to define an interface or controller that performs minimum arbitration with its environment. As a result, the producer and the consumer are compiled separately and the global safety guarantee of weak isochrony is relied on to assess the safety of the concurrent composition.
pthread_barrier_t *begin_RDV = malloc(sizeof *begin_RDV);
pthread_barrier_t *end_RDV = malloc(sizeof *end_RDV);
/* two parties, the producer and the consumer, take part in each rendez-vous */
pthread_barrier_init(begin_RDV, NULL, 2);
pthread_barrier_init(end_RDV, NULL, 2);
In the example, we have separately compiled the producer and the consumer to ready them for concurrent execution. They use the local read/write functions of the producer and the consumer, {r|w}_{consumer|producer}_x. The clock constraint [¬a] = [b] is again used to synchronize the threads with a barrier: a mutex zone RDV protects the shared variable x.
bool consumer() {
  if (!r_consumer_b(&b))
    return FALSE;
  if (b) {
    pthread_barrier_wait(begin_RDV);
    X_1 = x;
    pthread_barrier_wait(end_RDV);
  } else X_1 = 1;
  v = v + X_1;
  w_consumer_v(v);
  return TRUE;
}
bool producer() {
  if (!r_producer_a(&a))
    return FALSE;
  if (a) {
    u = 1 + u;
    w_producer_u(u);
  }
  if (!a) {
    pthread_barrier_wait(begin_RDV);
    x = 1 + x;
    pthread_barrier_wait(end_RDV);
  }
  return TRUE;
}
The generated code is otherwise unchanged. We obtain a concurrent code generation scheme
that modularly and compositionally supports separate compilation. It efficiently uses existing
report functionalities of the present implementation of Polychrony to effectively support the syn-
thesis of a controller that is able to assemble endochronous processes so as to maintain a global
objective of weak isochrony.
6 Related Work
In synchronous design formalisms, the design of an embedded architecture is achieved by constructing an endochronous model of the architecture and then by automatically synthesizing ad-hoc synchronization protocols between the elements of this model that will be physically distributed. This technique is called desynchronization and a thorough survey on it is proposed
in [12]. In the case of Signal, automated distribution is proposed by Aubry [1]. It consists
in partitioning endochronous specifications and synthesizing inter-partition protocols to ensure
preservation of endochrony.
In [13], Girault et al. propose a different approach for the synchronous languages Lustre and Esterel. It consists in replicating the generated code of an endochronous specification and in replacing duplicated instructions by inter-partition communications. As it uses notions of bisimulation to safely eliminate blocks, it leads to the construction of a distributed program that consists of endochronously connected programs. But again, distributed code generation is also driven by the global preservation of endochrony.
In [18], the so-called property of weak endochrony is proposed. Weak endochrony supports the compositional construction of globally asynchronous systems by adhering to a global objective of weak isochrony. In [19], we propose an analysis of Signal programs to check this property. However, we observe that it is far more costly than necessary, at least for code generation purposes, as it requires an exhaustive state-space exploration. In [8], Dasgupta et al. also propose a technique to synthesize delay-insensitive protocols for synchronous circuits described with Petri nets.
In the model of latency-insensitive protocols [5], components are denoted by the notion of
pearl (“intellectual property under a shell”). A pearl is required to satisfy an invariant of patience
(which, in turn, implies endochrony [20]) and a latency-insensitive protocol wraps the pearl with
a generic client-side controller: a so-called relay station.
The relay station ensures the functional correctness of the pearl by guaranteeing the preser-
vation of signal flows (i.e. isochrony). It implements this function by suspending the pearl’s
incoming traffic as soon as it is reported to exceed its consumption capability. A technique pro-
posed by Casu et al. in [7] refines this protocol to prevent unnecessary traffic suspension by
controlling traffic through pre-determined periodic schedules.
The latency-insensitive protocol is a compositional approach, and can be seen as a “black-box” approach, in that no knowledge of the pearl (but its capability to be patient) is required. Just as desynchronization, Casu's variant [7] is a “grey-box” approach, where knowledge of the pearl is needed to synthesize an ad-hoc controller and, at the same time, ensure functional correctness.
7 Conclusions
The clock analysis at the core of our approach shares similarities with both approaches (desyn-
chronization and latency insensitivity). It avoids the need for any explicit suspension mechanism
thanks to the determination of precise timing relations.
This yields a cost-effective methodology for the compositional design of globally asyn-
chronous architectures starting from synchronous modules. This methodology balances a trade-
off between cost (of verification) and compositionality (of design). It maintains a compositional
global design objective of isochrony while preserving properties secured locally (endochrony) by
checking that composition is non-blocking. This yields an efficient approach to the compositional modeling of embedded architectures which, in addition, meets actual industrial usage.
The commercial implementation of Signal, Sildex, commercialized by TNI, is widely used for the real-time simulation of embedded architectures starting from heterogeneous, possibly foreign, functional blocks (merely endochronous, data-flow functions) and architecture service models (e.g. the ARINC 653 real-time operating system [11]). As an example, TNI has developed a real-time, hardware-in-the-loop simulator of all onboard electronic equipment for a car manufacturer.
Our technique efficiently reuses most of the existing compilation tool-suites available for Signal in order to implement our proposal, which justifies presenting it in sufficient detail in the present article. We are currently upgrading the Polychrony toolset, which supports the Signal specification formalism, with a simple controller-synthesis and code-generation scheme supporting the present methodology.
References
[1] Pascal Aubry. Mises en oeuvre distribuées de programmes synchrones. Thèse de l'Université de Rennes, 1997.
[2] Loïc Besnard. Compilation de Signal: horloges, dépendances, environnements. Thèse de l'Université de Rennes, 1992.
[3] Albert Benveniste, Benoît Caillaud, and Paul Le Guernic. Compositionality in dataflow synchronous languages: Specification and distributed code generation. Information and Computation, v. 163. Academic Press, 2000.
[4] Albert Benveniste, Paul Caspi, Stephen Edwards, Nicolas Halbwachs, Paul Le Guernic, and Robert de Simone. The Synchronous Languages Twelve Years Later. Proceedings of the IEEE, 2003.
[5] Luca Carloni, Ken McMillan, and Alberto Sangiovanni-Vincentelli. The theory of latency-insensitive design. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, v. 20(9). IEEE, 2001.
[6] Paul Caspi, Alain Girault, and Daniel Pilaud. Distributing Reactive Systems. International Conference on Parallel and Distributed Computing Systems. ISCA, 1994.
[7] Mario Casu and Luca Macchiarulo. A new approach to latency insensitive design. Design Automation Conference. ACM, 2004.
[8] Sohini Dasgupta, Dumitru Potop-Butucaru, Benoît Caillaud, and Alex Yakovlev. Moving from Weakly Endochronous Systems to Delay-Insensitive Circuits. Formal Methods for GALS Design, Electronic Notes in Theoretical Computer Science. Elsevier, 2006.
[9] Paul Le Guernic, Jean-Pierre Talpin, and Jean-Christophe Le Lann. Polychrony for system design. Journal of Circuits, Systems and Computers. World Scientific, 2003.
[10] Hervé Marchand, Eric Rutten, Michel Le Borgne, and M. Samaan. Formal Verification of programs specified with Signal: application to a power transformer station controller. Science of Computer Programming, v. 41(1). Elsevier, 2001.
[11] Abdoulaye Gamatié and Thierry Gautier. Synchronous Modeling of Avionics Applications using the SIGNAL Language. Real-Time and Embedded Technology and Applications Symposium. IEEE, 2003.
[12] Alain Girault. A survey of automatic distribution methods for synchronous programs. In International Workshop on Synchronous Languages, Applications and Programs. Electronic Notes in Theoretical Computer Science. Elsevier, 2005.
[13] Alain Girault, Xavier Nicollin, and Marc Pouzet. Automatic rate desynchronization of embedded reactive programs. ACM Transactions on Embedded Computing Systems, 5(3). ACM, 2006.
[14] Edward Lee and Alberto Sangiovanni-Vincentelli. A framework for comparing models of computation. IEEE Transactions on Computer-Aided Design, v. 17(12). IEEE Press, December 1998.
[15] Olivier Maffeïs. Ordonnancements de graphes de flots synchrones ; application à la mise en oeuvre de SIGNAL. Thèse de l'Université de Rennes, 1993.
[16] Julien Ouy, Jean-Pierre Talpin, Loïc Besnard, and Paul Le Guernic. Separate compilation of polychronous specifications. Formal Methods for Globally Asynchronous Locally Synchronous Design. Electronic Notes in Theoretical Computer Science. Elsevier, 2007.
[17] Dumitru Potop-Butucaru and Benoît Caillaud. Correct-by-construction asynchronous implementation of modular synchronous specifications. In Application of Concurrency to System Design. IEEE, 2005.
[18] Dumitru Potop-Butucaru, Benoît Caillaud, and Albert Benveniste. Concurrency in synchronous systems. In Formal Methods in System Design. Kluwer, 2006.
[19] Jean-Pierre Talpin, Dumitru Potop-Butucaru, Julien Ouy, and Benoît Caillaud. From multi-clocked synchronous specifications to latency-insensitive systems. In Embedded Software Conference. ACM, 2005.
[20] Jean-Pierre Talpin and Paul Le Guernic. An algebraic theory for behavioral modeling and protocol synthesis in system design. Formal Methods in System Design, Special Issue on formal methods for GALS design. Springer, 2006.
[21] Jean-Pierre Talpin, Julien Ouy, Loïc Besnard, and Paul Le Guernic. Compositional design of isochronous systems. In Design, Automation and Test in Europe (DATE'08). IEEE, February 2008.
Appendix
The appendix recalls the semantics of synchronization and scheduling relations in the polychronous model of computation, presented in [9]. It is complementary material for information to reviewers. A scheduling structure can be added to the polychronous model of computation outlined in the present article to define a denotational semantics of scheduling relations $x \to_c y$.
Scheduling structure. To render scheduling relations between events occurring at the same time tag $t$, we equip the domain of polychrony with a scheduling relation, noted $t_x \to_b t'_y$, defined on a domain of dates $\mathcal{D} = \mathcal{T} \times \mathcal{X}$, to mean that the event along the signal named $y$ at $t'$ may not happen before $x$ at $t$. When no ambiguity is possible on the identity of $b$ in a scheduling constraint, we write it $t_x \to t_y$. We constrain scheduling $\to$ to contain causality, so that $t < t'$ implies $t_x \to_b t'_x$, and $t_x \to_b t'_x$ implies $\neg(t' < t)$.
The definitions for the partial order structure of synchrony and asynchrony in the polychronous model of computation extend point-wise to account for scheduling relations. We say that a behavior $c$ is a stretching of $b$, written $b \leq c$, iff $\mathcal{V}(b) = \mathcal{V}(c)$ and there exists a bijection $f$ on $\mathcal{T}$ which satisfies
$$\forall t, t' \in \mathcal{T}(b),\quad t \leq f(t) \wedge (t < t' \Leftrightarrow f(t) < f(t'))$$
$$\forall x, y \in \mathcal{V}(b),\ \forall t \in \mathcal{T}(b(x)),\ \forall t' \in \mathcal{T}(b(y)),\quad t_x \to_b t'_y \Leftrightarrow f(t)_x \to_c f(t')_y$$
$$\forall x \in \mathcal{V}(b),\quad \mathcal{T}(c(x)) = f(\mathcal{T}(b(x))) \wedge \forall t \in \mathcal{T}(b(x)),\ b(x)(t) = c(x)(f(t))$$
Meaning of clocks. The meaning $[\![e]\!]_b$ of a clock $e$ is defined with respect to a given behavior $b$ and consists of the set of tags satisfied by the proposition $e$ in the behavior $b$. The meaning of the clock $x = v$ (resp. $x = y$) in $b$ is the set of tags $t \in \mathcal{T}(b(x))$ (resp. $t \in \mathcal{T}(b(x)) \cap \mathcal{T}(b(y))$) such that $b(x)(t) = v$ (resp. $b(x)(t) = b(y)(t)$). In particular, $[\![\hat{x}]\!]_b = \mathcal{T}(b(x))$ and $[\![[x]]\!]_b = [\![x = \mathit{true}]\!]_b$. The meaning of a conjunction $e \wedge f$ (resp. disjunction $e \vee f$ and difference $e \setminus f$) is the intersection (resp. union and difference) of the meanings of $e$ and $f$. Clock $0$ has no tags.
$$[\![1]\!]_b = \mathcal{T}(b) \qquad [\![0]\!]_b = \emptyset$$
$$[\![x = v]\!]_b = \{t \in \mathcal{T}(b(x)) \mid b(x)(t) = v\}$$
$$[\![x = y]\!]_b = \{t \in \mathcal{T}(b(x)) \cap \mathcal{T}(b(y)) \mid b(x)(t) = b(y)(t)\}$$
$$[\![e \wedge f]\!]_b = [\![e]\!]_b \cap [\![f]\!]_b$$
$$[\![e \vee f]\!]_b = [\![e]\!]_b \cup [\![f]\!]_b$$
$$[\![e \setminus f]\!]_b = [\![e]\!]_b \setminus [\![f]\!]_b$$
Meaning of scheduling relations. A scheduling specification $y \to x$ at clock $e$ denotes the behaviors $b$ on $\mathcal{V}(e) \cup \{x, y\}$ which, for all tags $t \in [\![e]\!]_b$, require $x$ to precede $y$: if $t$ is in $b(x)$ then it is necessarily in $b(y)$ and satisfies $t_y \to_b t_x$.
$$[\![y \to_c x]\!] = \{b \mid \mathcal{V}(b) = \mathcal{V}(c) \cup \{x, y\} \wedge \forall t \in [\![c]\!]_b,\ t \in \mathcal{T}(b(x)) \Rightarrow t \in \mathcal{T}(b(y)) \wedge t_y \to_b t_x\}$$
In [9], we finally show that, whenever a process $P$ has graph $R$, then $[\![P]\!] \subseteq [\![R]\!]$.
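As an added worked example (not part of the report, nor of the Polychrony toolset), the clock semantics and the membership test for a scheduling specification $y \to_c x$ defined above, written as a small Python checker. The encoding of behaviors as tag-to-value maps, of scheduling edges as pairs of dates, and of clock expressions as a tiny AST, as well as the sample behavior, are all constructed here.

```python
# Added example: denotational meaning of clocks [[e]]_b and the test
# "b is in [[y ->_c x]]", following the appendix definitions.
# A behavior b maps each signal name to a dict {tag: value}, so T(b(x)) is
# the key set of b[x]. Scheduling edges t_x ->_b t'_y are stored as pairs
# ((t, x), (t', y)) over the domain of dates D = T x X. Sample data is constructed.
from dataclasses import dataclass

Behavior = dict  # signal name -> {tag: value}

@dataclass(frozen=True)
class Clock:
    op: str   # "1", "0", "eq_v", "eq_y", "hat", "bool", "and", "or", "diff"
    args: tuple = ()

def tags(b: Behavior) -> set:
    """T(b): every tag carried by some signal of the behavior."""
    return set().union(*(set(ts) for ts in b.values()))

def meaning(e: Clock, b: Behavior) -> set:
    """[[e]]_b: the set of tags at which the clock proposition e holds in b."""
    if e.op == "1":
        return tags(b)
    if e.op == "0":
        return set()
    if e.op == "eq_v":                     # [[x = v]]_b
        x, v = e.args
        return {t for t, val in b[x].items() if val == v}
    if e.op == "eq_y":                     # [[x = y]]_b
        x, y = e.args
        return {t for t in set(b[x]) & set(b[y]) if b[x][t] == b[y][t]}
    if e.op == "hat":                      # [[^x]]_b = T(b(x))
        return set(b[e.args[0]])
    if e.op == "bool":                     # [[[x]]]_b = [[x = true]]_b
        return meaning(Clock("eq_v", (e.args[0], True)), b)
    l, r = meaning(e.args[0], b), meaning(e.args[1], b)
    return {"and": l & r, "or": l | r, "diff": l - r}[e.op]

def satisfies_scheduling(b: Behavior, sched: set, y: str, x: str, c: Clock) -> bool:
    """b in [[y ->_c x]]: at every tag t of c where x is present, y must be
    present as well and the edge t_y ->_b t_x must hold in b's scheduling."""
    return all(t in b[y] and ((t, y), (t, x)) in sched
               for t in meaning(c, b) if t in b[x])

# Constructed sample behavior on signals x, y, z over tags 1..4, and its edges.
B = {"x": {1: 5, 2: 7, 4: 9},
     "y": {1: 5, 2: 3, 3: 0, 4: 9},
     "z": {1: True, 2: False, 4: True}}
S = {((1, "y"), (1, "x")), ((4, "y"), (4, "x")), ((2, "x"), (2, "y"))}

if __name__ == "__main__":
    print(meaning(Clock("eq_y", ("x", "y")), B))                           # {1, 4}
    print(satisfies_scheduling(B, S, "y", "x", Clock("bool", ("z",))))    # True
    print(satisfies_scheduling(B, S, "y", "x", Clock("hat", ("x",))))     # False
```

At tag 2 the edge runs from x to y, so the specification y → x holds at the clock [z] (tags 1 and 4 only) but fails at the clock ^x, which includes tag 2.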
Éditeur
INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)
http://www.inria.fr
ISSN 0249-6399
