Separate Compilation of Polychronous Specifications  by Ouy, Julien et al.
Separate Compilation of Polychronous
Speciﬁcations
Julien Ouy Jean-Pierre Talpin Lo¨ıc Besnard Paul Le Guernic
INRIA - IRISA, Campus de Beaulieu, 35042 Rennes, France
Abstract
As code generation for synchronous programs requires strong safety properties to be satisﬁed, composition-
ality becomes a diﬃcult goal to achieve. Most synchronous languages, such as Esterel, Lustre or Signal
require a given module or compilation unit to be insensitive to latency that communication with its envi-
ronment may incur. In Lustre or Signal, for instance, a compilation unit must satisfy the so-called property
of endochrony. To preserve endochrony in an asynchronous environment, an ad-hoc protocol is synthesized
to interface the module. However, endochrony is not preserved by composition. Consequently, the proto-
col has to be rebuilt every time a new module is added in the environment. We propose a methodology
and code generation scheme which simpliﬁes this concern. It consists of weakening the global objective of
globally preserving endochrony. Instead, we aim at the preservation of a more liberal and compositional
objective, weak endochrony [14], which is compositional and much closer from the expected requirement
of insensitivity to communication latency. As a result, our code generation scheme supports true separate
compilation: a locally compiled synchronous module does not require its synthesized interface with the
environment to be rebuilt once composed with another module.
Keywords: Synchronous programming, mutil-clocked systems, code generation, separate compilation.
1 Introduction
To facilitate embedded system design, synchronous programming languages oﬀer
analysis, transformation and code generation services that guarantee the correct
execution of a program by construction. To achieve this goal, most synchronous
languages, such as Esterel, Lustre or Signal, require a given compilation unit or
module to be insensitive to latency that may possibly be incurred when communi-
cating with the environment.
This requires a safety property to be locally satisﬁed: endochrony. Endochrony
is the property of a module that is able to deterministically deﬁne the pace of its
output from that of its inputs. Endochrony is usually enforced by the synthesis of
appropriate protocols that interface the speciﬁed module for its correct execution
in an asynchronous environment.
Unfortunately, endochrony is not preserved by composition: the composition
of two endochronous modules may not be endochronous. Should an endochronous
Electronic Notes in Theoretical Computer Science 200 (2008) 51–70
1571-0661 © 2008 Elsevier B.V. 
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2008.02.006
Open access under CC BY-NC-ND license.
module be ﬁrst compiled and later be composed to another, then its interface may
possibly need to be recompiled to meet the requirements of its new environment.
To circumvent this, synchronous programming language usually perform dis-
tributed code generation once the system is entirely speciﬁed and globally adheres
to the property of isochrony (the equivalence of the synchronous and asynchronous
composition of the modules).
To gain from the ﬂexibility and ergonomy that separate compilation services
would oﬀer, we propose a simple analysis and code generation technique that ad-
dresses this limitation. Our approach consists in weakening the global safety objec-
tive usually targeted in related frameworks: isochrony. Instead, we consider a more
liberal one of weak isochrony recently proposed in [14].
Starting from this objective, we design a simple code generation scheme, that
merely reuses most of the existing code generation suite of Polychrony [13] and has
the advantage of being compositional: a locally compiled synchronous module does
not need its interface with the environment to be rebuilt once composed to another
synchronous module.
Previous work
To our knowledge, work that relates to the issue addressed in the present article
is essentially concerned with the distribution of synchronous data-ﬂow programs.
The issue of compositionally generating separately compiled code has not, to our
knowledge, been addressed in isolation in the related work, although it implies
results on distributed code generation.
Regarding the Signal language, related work has been introduced by Maﬀeis [4]
and Aubry [1]. The approach proposed in Signal is to partition a synchronous mod-
ule and synthesise suﬃcient inter-partition communications to ensure the preser-
vation of the property that was initially secured for the synchronous module: en-
dochrony.
Endochrony guarantees that the system responds to events incoming from an
asynchronous environment by locally and deterministically choosing which of them
needs to be synchronized at all times. Endochrony ensures the insensitivity of local
computations and communications to global network latency. But, it is unfortu-
nately not compositional.
A diﬀerent approach is proposed by Girault [3] in the context of the Lustre and
Esterel languages. It consists of the replication of the automaton obtained from the
synchronous module and then on the optimized elimination of replicated transitions,
replaced by inter-partition communications. Of course, distributed code generation
is based on the objective of globally preserving the formal property secured locally:
endochrony.
In [14], the so-called property of weak endochrony is proposed. Weak endochrony
is a local property of synchronous programs that supports the compositional con-
struction of globally asynchronous system that are insensitive to latency by adher-
ing to the global objective of weak-isochrony. A weakly endochronous program is a
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7052
deterministic synchronous program in which independent reaction support the dia-
mond property. A weakly isochronous system is composed of non-blocking weakly
endochronous programs: a synchronous transition initiated locally results in a glob-
ally asynchronous execution.
In [16], we proposed an analysis of Signal programs to check the property of weak
endochrony in order to compositionally check the insensitivity of a synchronous
module to latency. However, we observe that checking weak endochrony is far more
costly to be usable for code generation purposes, as it requires the exploration of
the state-space of the synchronous module being analyzed.
Our approach consists in maintaining a less costly yet compositional objective of
weak-isochrony while considering the composition of endochronous modules. This
appears to be a much more cost-eﬀcient approach to code generation. Our con-
tribution consists in an implementation of this methodology that eﬃciently reuses
most of Polychronys compilation tool-chain to propose a simple synthesis scheme
ensuring the aimed compilation objectives.
Outline
The article presents existing and contributed compilation techniques in the manner
of a tutorial and through a series of illustrative examples. It does not address
or prove the related formal aspects. Instead, it merely relies on existing analysis
algorithms (and proofs) implemented in Polychrony.
The article starts, Section 2, as a tutorial on the Signal data-ﬂow speciﬁcation
language and on its analysis of synchronization and scheduling relations. Section 3
continues this tutorial with a presentation of the code generation techniques cur-
rently implemented in Polychrony, the toolset supporting the Signal language. Our
contribution, built upon these techniques, is presented in Section 4.
2 Position of the problem
To position the problem, we start with an informal yet thorough tutorial on the
syntax, analysis and code generation techniques for Signal implemented in the Poly-
chrony toolset.
Introduction to Signal
A Signal process, noted p, consists of the synchronous composition, noted p |q, of
equations on signals, noted x = y f z. A signal x is an inﬁnite ﬂow of values that is
discretely sampled according to the pace of a symbolic clock, noted xˆ. Therefore,
an equation partially relates in an abstract timing model, represented by clock rela-
tions, and a process, that deﬁnes the simultaneous solution of a system of equations
in that timing domain.
p ::= x = y f z | p |q | p/x
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 53
The process p/x restricts the lexical scope of the signal x to the process p. Signal
deﬁnes the following primitive equations:
• A functional equation x = y f z deﬁnes an arithmetic or boolean relation f be-
tween its operands y, z and the result x.
• A delay equation x = y pre v initially deﬁnes the signal x by the value v and then
by the value of the signal y from the previous execution of the equation. In a
delay equation, the signals x and y are assumed to be synchronous, i.e. either
simultaneously present or simultaneously absent at all times.
• A sampling x = y when z deﬁnes x by y when z is true and both y and z are
present. In a sampling equation, the output signal x is present iﬀ both input
signals y and z are present and z holds the value true.
• A merge x = y default z deﬁnes x by y when y is present and by z otherwise. In
a merge equation, the output signal is present iﬀ either of the input signals y or
z is present.
A formal semantics of Signal in the polychronous model of computation is pro-
vided in [11] and quoted in appendix.
Clock and scheduling relations
The data-ﬂow synchronous formalism Signal supports a representation of the
control-ﬂow and data-ﬂow graphs of multi-clocked speciﬁcations for the purpose
of analysis and transformation. In this structure, a clock c denotes a set of instants
and deﬁnes a discrete sample of time. It is used as the condition upon which (or
the time at which) a data-ﬂow relation is executed.
The clock xˆ of a signal x denotes the instants at which the signal x is present.
The clocks [x] (resp. [¬x]) denotes the instants at which the signal x is present and
holds the value true (resp. false).
c ::= xˆ | [x] | [¬x]
A clock expression e is either the empty clock, noted 0 to mean the empty set of
instants, a signal clock c, or the conjunction e1 ∧ e2, the disjunction e1 ∨ e2, the
complement e1 \ e2 of two clock expressions e1 and e2.
e ::= 0 | c | e1 ∧ e2 | e1 ∨ e2 | e1 \ e2
Signals and clocks are nodes, noted a or b, in a labeled directed graph. Such a
graph, noted g or h, describes synchronization and scheduling relations between
nodes.
a, b ::= x | xˆ (node)
A clock relation c = e speciﬁes that the clock c is present iﬀ the clock expression e
is true. A scheduling relation a →c b speciﬁes that the calculation of the node b, a
signal or a clock, cannot be scheduled before that of a when the clock c is present.
Since a graph g is the abstraction of a Signal process p, it is subject to the same
composition g |h and scoping g/x rules as processes.
g, h ::= c = e | a →c b | (g |h) | g/x
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7054
Any Signal process p corresponds to a system of implicit clock and scheduling re-
lations g that denotes its timing and scheduling structure. It forms the interface
of that process in the code generator process. All the analysis and transformation
of the process p are based on g. We write p : g to mean that p has graph g. The
inference system p : g is deﬁned by structural induction on p. In a delay equation
x = y pre v, the input and output signals are synchronous, written xˆ = yˆ, and do
not have any scheduling relation.
x = y pre v : (xˆ = yˆ)
In a sampling equation x = y when z, the clock of the output signal x is deﬁned by
that of the input signal yˆ at the sampling condition [z]. The input y is scheduled
before the output when both yˆ and [z] hold, written y →xˆ x.
x = y when z : (xˆ = yˆ ∧ [z] |y →xˆ x)
In a merge equation x = y default z the output signal x is present if either of the
input signals y, z are. The input signal y is scheduled before x when it is present,
written y →yˆ x, and otherwise z is, written z →zˆ\yˆ x.
x = y default z : (xˆ = yˆ ∨ zˆ |y →yˆ x |z →zˆ\yˆ x)
A functional equation x = y f z synchronizes and serializes its inputs and output
signal.
x = y f z : (yˆ = zˆ | xˆ = yˆ |y →xˆ x |z →xˆ x)
The rule for composition p |q is deﬁned by induction on the deductions p : g and
q : h made on the sub-terms of the expressions, it reads: ”if p : g and q : h then
p |q : g |h”. Same with the rule for restriction p/x.
p : g q : h
p |q : g |h
p : g
p/x : g/x
In the remainder, we write g |= h to mean that the clock and scheduling relations
of g (a model) satisﬁes the clock and scheduling relations h (a property). For any
process p of graph g and any boolean signal x in p, the assertions g |= xˆ = [x]∨ [¬x]
and g |= [x] ∧ [¬x] = 0 always hold.
3 Current practice illustrated
To illustrate the sequential code generation scheme implemented in Polychrony,
we consider the speciﬁcation and analysis of a one-place buﬀer. Process buﬀer
implements two functionalities: alternate and current.
x = buﬀer(y)
def
= (x = current(y) |alternate(x, y))
Process alternate synchronizes the signals x and y to the true and false values of an
alternating boolean signal t.
alternate(x, y)
def
= (s = t pre true |t = not s | xˆ = [t] | yˆ = [¬t]) /st
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 55
Process current stores the values of an input signal y and sends them along the
output signal x upon request.
x = current(y)
def
= (r = y default (r pre false ) |x = r when xˆ | rˆ = xˆ ∨ yˆ) /r
Synchronization analysis
The inference system p : g infers the clock relations that denote the synchronization
constraints implied by process buﬀer. There are four of them:
rˆ = sˆ tˆ = xˆ ∨ yˆ xˆ = [t] yˆ = [¬t]
From these equations, we observe that process buﬀer has three clock equivalence
classes. The clocks sˆ, tˆ, rˆ are synchronous and deﬁne the master clock synchroniza-
tion class of buﬀer. Two other synchronization classes, xˆ and yˆ, correspond to the
true and false values of the boolean signal t.
rˆ = sˆ = tˆ xˆ = [t] yˆ = [¬t]
Hierarchization
Hierarchization is the ﬁrst source-to-source transformation step performed by the
Signal compiler. It consists of syntactically restructuring a program in a way that
reﬂects the ordering of its clock equivalence classes. This hierarchy or ordering
deﬁnes a control-ﬂow tree structure that will later become that of the transition
function in the generated code.
The structure of a hierarchy is denoted by a partial order relation . It is deﬁned
by inductive application of the following rules :
(1) for all boolean signals x of g, deﬁne xˆ  [x] and xˆ  [¬x]. This means that, if
we know that x is present, then we can determine whether x is true or false.
(2) if b = c is deductible from g then deﬁne b  c and c  b, written b ∼ c. This
means that if b and c are synchronous, and if either of the clocks b or c is known
to be present, then the presence of the other can be determined.
(3) if g |= b1 = c1 f c2, f ∈ {∧,∨, \}, b2  c1, b2  c2 and b2 is minimal
1 then
b2  b1. This means that if b1 is deﬁned by c1 f c2 in g and if both clocks c1
and c2 can be determined once their common upper bound b2 is known, then
b1 can also be determined when b2 is known.
For example, the hierarchy of the buﬀer is build in three steps by application of
rules 1 to 3.
(i) From rule 1, one infers that tˆ is above two branches [t] and [¬t] as [t]  tˆ  [¬t].
tˆ

 


[t] [¬t]
1 i.e. for any b such that b  c1 and b  c2, b2  b
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7056
(ii) From rule 2, three equivalence classes rˆ ∼ sˆ ∼ tˆ, xˆ ∼ [t] and yˆ ∼ [¬t] are
constructed.
rˆ ∼ sˆ ∼ tˆ
[t] ∼ xˆ [¬t] ∼ yˆ
(iii) From rule 3, tˆ is placed just above the least upper-bound of xˆ and yˆ, that is to
say sˆ.
rˆ ∼ sˆ ∼ tˆ

 

[t] ∼ xˆ [¬t] ∼ yˆ
Next, one has to deﬁne a proper scheduling of all computations to be performed
within each clock equivalence class (e.g. to schedule s before t) and across them
(e.g. to schedule x or y before r). This task is devoted to scheduling analysis,
presented next.
Disjunctive form
Before that, Polychrony attempts to eliminate all clocks that are expressed using
symmetric diﬀerence from the graph g of a process. This transformation consists
in rewriting clock expressions of the form e1 \ e2 present in the synchronization and
scheduling relations of g in a way that does no longer denote the absence of an event
e2, but that is instead computable from the presence or the value of signals.
In the case of process current, for instance, consider the alternative input
r pre false in the ﬁrst equation:
r = y default (r pre false )
Its clock is rˆ \ yˆ, meaning that the previous value of r is assigned to r only if y
is absent. To determine that y is absent, one needs to relate this absence to the
presence or the value of another signal.
In the present case, there is an explicit clock relation in the alternate process:
yˆ = [¬t]. It says that y is absent iﬀ t is present and true. Therefore, one can test
the value of t instead of the presence or absence of y in order to deterministically
assign either y or r pre false to r
y →[¬t] r [t] ← r pre false
In [2], it is shown that the symmetric diﬀerence c \ d between two clocks c and d
has a disjunctive form only if c and d have a common minimum b in the hierarchy
 of the process, i.e.,
c  b  d
We say that a graph g is in disjunctive form iﬀ it has no clock expression deﬁned
by symmetric diﬀerence. The implicit reference to absence incurred by symmet-
ric diﬀerence can be deﬁned as c \ d=defc ∧ d and can be isolated using logical
decomposition rules :
• conjunction c ∧ d
def
= c ∨ d and disjunction c ∨ d
def
= c ∧ d.
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 57
• positive [x]
def
= xˆ ∨ [¬x] and negative [¬x]
def
= xˆ ∨ [x] signal occurrences.
The reference to the absence of a signal x, noted xˆ, is eliminated if (and only if)
one of the possible elimination rules applies:
• The zero rule: xˆ∧ xˆ
def
= 0, because a signal is either present or absent, exclusively.
• The ”one” rule: c ∧ (xˆ ∨ xˆ)
def
= c, because the presence or the absence of a signal
is subsumed by any clock c.
• The synchrony rule: if d ∼ xˆ then xˆ
def
= d, to mean that if xˆ cannot be eliminated
but xˆ is synchronous to the clock d, then d can possibly be eliminated possibly
instead.
In the case of process current in the example of the buﬀer one has that
yˆ ∼ [¬t] xˆ ∼ [t] rˆ ∼ tˆ
Hence xˆ  tˆ  yˆ and therefore rˆ \ yˆ can be interpreted as [t].
Scheduling analysis
Given the skeleton control-ﬂow tree produced using the hierarchization algorithm
and clock equations in disjunctive form, the compilation of a Signal program re-
duces to ﬁnding a proper way to schedule computations within and across clock
equivalence classes. The inference system of the previous section deﬁnes the precise
scheduling between the input and output signals of process buﬀer. Notice that t is
needed to compute the clocks xˆ and yˆ.
s →sˆ t y →yˆ r r →xˆ x
As seen in the previous section, however, the calculation of clocks in disjunctive form
induces additional scheduling constraints, and, therefore, one has to take them into
account at this stage. This is done by reﬁning the graph g with a reinforced one, h,
satisfying h |= g, and by ordered application of the following rules:
(i) h |= xˆ →xˆ x for all x ∈ vars(p). This means that the calculation of x cannot
take place before its clock xˆ is known.
(ii) if g |= xˆ = [y] or g |= xˆ = [¬y] then h |= y →yˆ xˆ. This means that, if the clock
of x is deﬁned by a sample of y, then it cannot be computed before the value
of y is known.
(iii) if g |= xˆ = yˆ f zˆ with f ∈ {∨,∧} then h |= yˆ →yˆ xˆ | zˆ →zˆ xˆ. This means that, if
the clock of x is deﬁned by an operation on two clocks y and z, then it cannot
be computed before these two clocks are known.
Reinforcing the graph of the buﬀer yields a reﬁnement of its inferred graph with a
structure implied by the calculation of clocks (we just ommitted clocks on arrows
to lighten the depiction). Notice that t is now scheduled before the clocks xˆ and yˆ.
tˆ  t 


 xˆ  x r rˆ
sˆ  s

yˆ  y

J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7058
Code can be generated starting from this reﬁned structure only if the graph is
acyclic. To check whether it is or not, we compute its transitive closure:
(i) if g |= a →c b then g |= a c b. This just tells that the construction of the
transitive closure relation starts from the scheduling graph→ of the process.
(ii) if g |= a c b and g |= ad b then g |= a c∨d b. If b is scheduled after a at
clock c and at clock d then so it is at clock c ∨ d
(iii) if g |= a c b and g |= b d z then g |= ac∧d z. If b is scheduled after a at
clock c and z after b at clock d then z is necessarily scheduled after a at clock
c ∧ d
The complete graph g of a process p is acyclic iﬀ g |= a e a implies g |= e = 0
for all nodes a of g. The graph of our example is. Using this structure, together
with the control-ﬂow graph skeleton denoted by the hierarchy , Polychrony can
generate sequential or distributed code.
Sequential code generation
To sequentially schedule the graph g, we need to further reﬁne it in order to remove
internal concurrency without aﬀecting the composability of the graph with its en-
vironment. This is done by observing the following rule: a graph h reinforces g iﬀ,
for any graph f , if f |g is acyclic then f |g |h is acyclic.
Starting from a sequential schedule and a hierarchy of process buﬀer, Polychrony
generates simulation code split in several ﬁles.
int main() {
bool code;
buffer_OpenIO();
code = buffer_initialize();
while (code) code = buffer_iterate();
buffer_CloseIO();
}
The main C ﬁle consists of opening the input-output streams of the program, of
initializing the value of delayed signals and iteratively executing a transition function
until no values are present along the input streams (return code 0). Simulation is
ﬁnalized by closing the IO streams.
The most interesting part is the transition function. It translates the structure
of the hierarchy and of the serialized scheduling graph in C code. It also makes a few
optimizations along the way. For instance, r has disappeared from the generated
code. Since the value stored in y from one iteration to another is the same as that
of r, it is used in place of it for that purpose.
In the C code, the three clock equivalence classes of the hierarchy correspond
to three blocks: line 2 (class sˆ ∼ tˆ), lines 3− 5 (class [t] ∼ yˆ) and lines 6− 9 (class
[¬t] ∼ xˆ). The sequence of instructions between these blocks follows the sequence
t → y → x of the scheduling graph. Line 10 is the ﬁnalization of the transition
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 59
function. It stores the value that s will hold next time.
01. bool buffer_iterate () {
02. t = !s;
03. if t {
04. if !r_buffer_y (&y) return FALSE;
05. }
06. if !t {
07. x = y;
08. w_buffer_x (x);
09. }
10. s = t;
11. return TRUE;
12. }
Also notice that the return code is true, line 11, when the transition function
ﬁnalizes, but false if it fails to get the signal y from its input stream, line 4. This is
ﬁne for simulation code, as we expect the simulation to end when the input stream
sample reaches the end. Embedded code does, of course, operate diﬀerently. It
either waits for y or suspends execution of the transition function until it arrives.
A deﬁnition of endochrony
The buﬀer process satisﬁes the property of endochrony. Literally, this means that
the buﬀer is locally timed. In the transition function of the buﬀer, this is easy to
notice by observing that, at all times, the function synchronizes on either receiving
y from its environment or sending x to its environment. Hence, the activity of the
transition function is locally paced by the instants at which the signals x and y are
present.
However, remember that the structure of control in the transition function is
constructed using the hierarchy of process buﬀer. In the case of an internally timed
process, this structure has the particular shape of a tree.
if t {
if !r_buffer_y (&y) return FALSE;
} else {
x = y;
w_buffer_x (x);
}
At any time, one can always start reading the state s of the buﬀer, and calculate
t. Then, if t is true, one emits x and, otherwise, one receives y. The presence of
any signal in process buﬀer is determined from the value of a signal higher in the
hierarchy or, at last, from its root.
rˆ ∼ sˆ ∼ tˆ

 

[t] ∼ xˆ [¬t] ∼ yˆ
Formally, whatever the exact time samples t1 and t2 at which it receives an input
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7060
signal y, or the time samples u1 and u2 at which it sends an output signal x, the
buﬀer always behaves according to the same timing relations: ti occurs strictly
before ui and s is always used at ti and ui.
. . . . . . . . . . .
y t1 t2 t
′
1 t
′
2
s t1 u1 t2 u2 t
′
1 u
′
1 t
′
2 u
′
2
x u1 u2 u
′
1 u
′
2
The timing relations between the signals x and y of the buﬀer are independent
from latency incurred by communications with its environment: this is the formal
deﬁnition of endochrony given in [11].
Current limitations illustrated
Both sequential, concurrent and distributed code generation schemes in Polychrony
rely on the property of endochrony to generate the code. This observation also
holds for code generation in related synchronous languages, Lustre and Esterel,
without much salient diﬀerence. However, it is well-known that endochrony is not
preserved by composition. To illustrate that, consider the following pair of processes,
a producer and a consumer. The producer increments its output u when its input
a is true and increments its output x otherwise.
(u, x) = producer(a)
def
=
(
uˆ = [a] |u = 1 + (u pre 0)
| xˆ = [¬a] |x = 1 + (x pre 0)
)
aˆ

 		
		
[a] ∼ uˆ [¬a] ∼ xˆ
The consumer adds the value of x to the count v when b is true and 1 otherwise.
Hierarchies are depicted on the right.
y = consumer(b, x)
def
=
⎛
⎜⎝ vˆ = bˆ| xˆ = when b
| v = (v pre 0) + (x default 1)
⎞
⎟⎠ bˆ ∼ vˆ





 

[b] ∼ xˆ [¬b]
The signal x default 1 is implicitly created. It has the same clock as b, its value is
that of x at the clock [b] and 1 at the clock [¬b]. Notice that the producer and
the consumer are endochronous (their hierarchies are trees). Now, consider the
composition of producer and consumer in the main process below.
(u, v) = main(a, b)
def
=
(
(u, x) = producer(a)
| v = consumer(b, x)
)
Polychrony produces a hierarchy in which two synchronized boolean signals Ca and
Cb are added on top of the hierarchies of the producer and the consumer. This
allows to (artiﬁcially) form an endochronous simulation process that relies on the
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 61
environment to determine when to read a and/or b.
Ca ∼ Cb




[Ca] ∼ aˆ

 

[Cb] ∼ bˆ ∼ vˆ




[a] ∼ uˆ [¬a] ∼ xˆ ∼ [b] [¬b]
This structure yields the generation of code that diﬀers from what we have seen
so far in that the transition function now expects the clocks Ca and Cb to be
synchronously delivered by the environment, instead of being computed internally.
In the C code, the functions r main C a, r main C b, r main a and r main b
read the input signals Ca, Cb, a, b and the functions w main u and w main v write
the outputs u and v.
The compiler places the clocks [¬a], xˆ and [b] in the same equivalence class.
However, one easily notices that the equation [¬a] = [b], incurred by the composition
of the producer and the consumer, is non-trivial. At present, it is bailed out as a
so-called “clock constraint” by Polychrony.
To handle this clock constraint, Polychrony can either generate a proof obliga-
tion, which will have to be checked by the user, or generate defensive code to raise
an exception if the clock constraint is violated during execution. In the generated
code below, if !a != b, an exception is reported by the simulation loop.
bool main_iterate() {
if (!r_main_C_a(&C_a)) return FALSE;
if (!r_main_C_b(&C_b)) return FALSE;
if (C_b) {
if (!r_main_b(&b)) return FALSE;
}
if (C_a) {
if (!r_main_a(&a)) return FALSE;
C_ = !a;
if (a) {
u = 1 + u;
w_main_u(u);
}
if (C_) {
x = 1 + x;
}
}
C__63 = (C_a ? C_ : FALSE);
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7062
if ((C_) != b)
polychrony_exception
( "Exception for: (C_, b) " );
if (C_b) {
if (C__63) XZX_36 = x; else XZX_36 = 1;
v = v + XZX_36;
w_main_v(v);
}
C_ = FALSE;
return TRUE;
}
The functionality of Polychrony to detect and report such a constraint is central
in the code generation scheme that will be presented next. Let us have a second
look at the present situation:
- the producer and the consumer are endochronous
- the signal x is deﬁned in one process, the producer
- its clock xˆ is used in both processes
In the composition of the consumer and the producer, one can hence deﬁne x by
a shared variable and use its clock constraint to deﬁne when it can deterministically
be deﬁned and/or used by either the processes.
4 Our contribution illustrated
Our contribution builds upon this simple idea, that is suitable for the simulation of
otherwise deterministic speciﬁcations, and uses the facility of Polychrony to report
clock constraints (such as [b] = [¬a]) and to export independent clocks (such as Ca
and Cb) to build a scheduler that satisﬁes the expected safety properties.
In this aim, and ﬁrst of all, we would like to avoid increasing the interface of
the program (with Ca or Cb) in order to have an eﬃcient (sequential or concurrent)
execution scheme. In the present code generation scheme of Polychrony, Ca and Cb
are added to rebuild an endochronous simulation loop.
In the present case, however, the composition of the producer and the consumer
is weakly endochronous: the very interleaving of a and b during execution is not
relevant to the correct propagation of input and output values. The transitions
involving only a or only b may be executed in any order. However, transitions
involving both a and b need to be synchronized. This is precisely where the clock
constraint [b] = [¬a] comes into play.
A deﬁnition of weak endochrony
A weakly endochronous system is a deterministic process in which independent
actions, such as sending or receiving values through distinct signals, both
- can be triggered from the clock and value of higher signals, and,
- can be timely performed in any order (the state is unaﬀected)
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 63
For instance, the composition of the producer and of the consumer is weakly
endochronous. The presence of all signals in this composition is locally determined
from the value or presence of signals in either the producer or the consumer (it
is deterministic) and the very order of execution: producer ﬁrst, consumer ﬁrst,
or both, does not matter (they satisfy the diamond property). This is the very
deﬁnition of weak endochrony in [14].
◦
¬bvˆ




◦
auˆ

¬bvˆ




auˆ¬bvˆ  ◦
◦
auˆ

Building a controller
Using the information provided by Polychrony, namely, the exportation of non-
hierarchized clocks Ca and Cb, the report of a clock constraint on shared signals
such as [b] = [¬a], we can easily build a process for controlling the execution of the
composition of the producer and the consumer so as to keep it within a suitable
safety objective.
To allow for a correct resynchronization on the values of x, the controller needs
to obey the requirement expressed by the clock constraint [¬a] = [b] while imposing
no additional synchronization constraint (on a or b).
Nicely, this controller can be expressed and synthesized in Signal. It uses the
clock constraint of the shared variable (xˆ = when not a = when b) to synchronize
instants that need to be.
The controller accepts the input signals a and b and feeds the producer and the
consumer with copies c and d until one of the constraints is met, [when not a] or
[when b]. As soon as this occurs, it stops reading input from the signal (a or b),
suspending the corresponding process, until the other meets the constraint.
(c, d) = controller(a, b)
def
=
⎛
⎜⎜⎜⎜⎜⎜⎝
c = scheduler(a, ra, r)
| d = scheduler(b, rb, r)
|ra = not a default (ra pre false )
| rb = b default (rb pre false )
| r = ra and rb
⎞
⎟⎟⎟⎟⎟⎟⎠
/rarbr
The controller contains two schedulers that are responsible for suspending and re-
suming the input signals a and b (hence the producer and the consumer) in order
to correctly schedule the operations in the sequential implementation of the rendez-
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7064
vous.
y = scheduler(x, rx, r)
def
=
⎛
⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝
xˆ = true when cx
|rx = not a default r
′
x
|r′x = rx pre false
|cx = ( true when (r pre false ))
default ( false when r′x)
default true
| cy = (cx and not rx) or r
| y = (x cell cy)when cy
⎞
⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠
/cxcy
Last, we need to patch the main program with the controller to correctly feed
the producer and the consumer with the values of a and b that satisfy the clock
constraint.
(u, v) = main(a, b)
def
=
⎛
⎜⎝ (u, x) = producer(c)| v = consumer(d, x)
| (c, d) = controller(a, b)
⎞
⎟⎠ /cdx
Notice that each of the producer and the consumer is able to independently react
when either [¬a] or [b] holds, as no synchronization needs to take place in those
cases.
Sequential code generation scheme
The controller is build upon the clocks exported and the constraints reported by
Polychrony. This provides suﬃcient information to generate the necessary code to
control the execution of the composition of endochronous processes.
In the controlled main program, variables preﬁxed with pre_ register the values
of signal (of corresponding suﬃx) until the next cycle. The generated r variables
translate the synchronization obligation implied by the reported clock constraint as
r = ra && rb. Functions named {r|w}_main_x read and write the signal x.
As opposed to the generated code presented Section 3, the present program does
not need its master clocks to be synchronized: C a and C b are local variables, not
input signals. As a result, the interface of the composition of the producer and the
consumer is the union of interfaces.
We observe that, since the producer and the consumer are endochronous, and
since their composition is such that all clocks which can be computed (all have
a disjunctive form), the main program is weakly isochronous in the sense of [14]:
any synchronous reaction, initiated from one side, yields a globally isochronous
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 65
execution. This yields to a generic methodological principle, presented next.
bool main_iterate() {
/* c = scheduler (a, ra, r) */
if (pre_r) C_a = TRUE;
else if (pre_ra) C_a = FALSE;
else C_a = TRUE;
if (C_a) {
if (!r_main_a(&a)) return FALSE;
}
if (C_a) ra = !a;
else ra = pre_ra;
/* d = scheduler (b, rb, r) */
if (pre_r) C_b = TRUE;
else if (pre_rb) C_b = FALSE;
else C_b = TRUE;
if (C_b) {
if (!r_main_b(&b)) return FALSE;
}
if (C_b) rb = b;
else rb = pre_rb;
/* main */
r = ra && rb;
C_c = (C_a && !ra) || r;
C_d = (C_b && !rb) || r;
/* (x,u) = producer (c) */
C_1 = FALSE;
if (C_c) {
C_1 = !a;
if (a) {
u = 1 + u;
w_main_u(u);
}
if (C_1) x = 1 + x;
}
/* y = consumer (d,x) */
C_2 = (C_c ? C_1 : FALSE);
if (C_d) {
if (C_2) X_1 = x;
else X_1 = 1;
v = v + X_1;
w_main_v(v);
}
/* finalisation */
pre_ra = ra;
pre_rb = rb;
pre_r = r;
return TRUE;
}
Contributed methodology
This simple observation translates into a global objective of preserving weak
isochrony. It is deﬁned by the following design methodology :
(1) if a process p is endochronous then p is weakly endochronous
(2) if p and q are weakly-endochronous and if p |q is both cycle-free and has clocks
in disjunctive form, then p |q is weakly endochronous (and weakly isochronous
as well).
Condition 1 allows us to deﬁne our methodology starting from the existing code
generation tool-chain of Polychrony. It also implies that the same approach could
be adapted to Lustre.
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7066
Condition 2 on the composition of p and q translates the condition that is im-
posed to a pair of weakly endochronous processes in [14] for their composition to be
isochronous: the condition is, exactly, that any synchronous reaction initiated by p
or q should yield an execution of p |q.
A necessary condition is that the graph of p |q must be acyclic and a suﬃcient
condition is that the p |q should not incur a reaction to the absence of a signal i.e.
that all clocks in the graph of p |q should have a disjunctive form.
In our example, we observe that, should the main process be composed with an
additional endochronous process (or weakly endochronous network), then we would
only need to build an additional controller between those two, based on the same
principle as previously mentionned: to capture the clocks exported by Polychrony
and to implement rendez-vous between toplevel clock constraints (here: bˆ = [c]) in
the hierarchy.
(u,w) = main2(a, b, c)
def
=
⎛
⎜⎝ (u, v) = main(a, d)| w = consumer(e, v)
| (d, e) = controller2(b, c)
⎞
⎟⎠ /de
Concurrent code generation scheme
The generation of code for concurrent execution diﬀers from sequential code gen-
eration by the construction of clusters that match the physical partition of signals
on the target execution architecture. In the present case, these clusters are the
composed endochronous processes, the producer and the consumer.
Our compilation technique for sequential code generation can easily be adapted
for concurrent execution. It allows to deﬁne an interface or controller that performs
minimum arbitration with its environment. As a result, producer and consumer are
compiled separately and the global safety guarantee of weak isochrony is relied on
assess the safety of the concurrent composition.
In the example, we have separately compiled the producer and consumer to
ready them for concurrent execution. They use the local read/write functions of
the producer and the consumer: {r|w}_{consumer|producer}_x). The clock con-
straint [¬a] = b is again used to synchronize the threads with a barrier: a mutex
zone RDV is created to protect the shared variable x.
pthread_barrier_t *begin_RDV, *end_RDV ;
pthread_barrier_init(begin_RDV, 2);
pthread_barrier_init(end_RDV, 2);
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 67
bool consumer() {
if (!r_consumer_b(&b)) return FALSE;
if (b) {
pthread_barrier_wait(begin_RDV);
X_1 = x;
pthread_barrier_wait(end_RDV);
} else X_1 = 1;
v = v + X_1;
w_consumer_v(v);
return TRUE;
}
bool producer() {
if (!r_producer_a(&a)) return FALSE;
if (a) {
u = 1 + u;
w_producer_u(u);
}
if (!a) {
pthread_barrier_wait(begin_RDV);
x = 1 + x;
pthread_barrier_wait(end_RDV);
}
return TRUE;
}
The generated code is otherwise unchanged. We obtain a concurrent code gener-
ation scheme that modularly and compositionally supports separate compilation. It
eﬃciently uses existing report functionalities of the present implementation of Poly-
chrony to eﬀectively support the synthesis of a controller that is able to assemble
endochronous processes so as to maintain a global objective of weak isochrony.
5 Conclusions
We have introduced a sequential and concurrent code generation technique built
upon existing functionalities of the Polychrony compiler to provide a modular and
compositional way of assembling endochronous processes while maintaining a global
safety objective of insensitivity to latency.
Our code generation scheme supports true separate compilation: a locally com-
piled synchronous module does not require its interface to the global environment
be rebuilt once composed to another module since a compositional property of weak
isochrony needs only be checked and locally translated into an equivalent controller
or interface.
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7068
References
[1] P. Aubry. Mises en oeuvre distribue´es de programmes synchrones. The`se de l’Universite´ de Rennes,
October 1997.
[2] L. Besnard. Compilation de Signal: horloges, de´pendances, environnements. The`se de l’Universite´ de
Rennes, September 1992.
[3] A. Girault and X. Nicollin. Clock-driven automatic distribution of Lustre programs. International
Conference on Embedded Software. Lectures notes in computer science, volume 2855. Springer Verlag,
October 2003.
[4] O. Maﬀe¨ıs. Ordonnancements de graphes de ﬂots synchrones ; application a` la mise en oeuvre de SIGNAL.
The`se de l’Universit? de Rennes, January 1993.
[5] A. Benveniste, B. Caillaud, and P. Le Guernic. Compositionality in dataﬂow synchronous languages:
Speciﬁcation and distributed code generation. Information and Computation, v. 163. Academic Press
2000.
[6] A. Benveniste, P. Caspi, S. Edwards, N. Halbwachs, P. Le Guernic, and R. de Simone. The Synchronous
Languages Twelve Years Later. Proceedings of the IEEE, 2003.
[7] A. Benveniste, P. Caspi, H. Marchand, J.-P. Talpin, and S. Tripakis. A protocol for loosely time-triggered
architectures. In Embedded Software Conference. Springer, 2003.
[8] C. Carloni, K. McMillan, and A. Sangiovanni-Vincentelli. The theory of latency-insensitive design. IEEE
Transactions on Computer-Aided Design of Integrated Circuits and Systems, v. 20(9). IEEE Press, 2001.
[9] P. Caspi, A. Girault, D. Pilaud. Distributing Reactive Systems. International Conference on Parallel
and Distributed Computing Systems. ISCA, 1994.
[10] P. Caspi, C. Mazuet, and N. Reynaud. About the design of distributed control systems: the quasi
synchronous approach. In International Conference on Computer Safety, Reliability and Security.
Springer, 2003.
[11] P. Le Guernic, J.-P. Talpin, and J.-C. Le Lann. Polychrony for system design. Journal of Circuits,
Systems and Computers. World Scientiﬁc, 2003.
[12] N. Lynch and E. Stark. A proof of the Kahn principle for input/output automata. Information and
Computation, v. 82(1). Academic Press, 1989.
[13] Polychrony is available from http://www.irisa.fr/espresso/Polychrony .
[14] D. Potop-Butucaru and B. Caillaud and A. Benveniste. Concurrency in Synchronous Systems. In Formal
Methods in System Design, v. 28(2). Springer, March 2006.
[15] Schneider, K., Brandt, J., Vecchie´, E. Eﬃcient code generation from synchronous programs. In Methods
and Models for Codesign. IEEE Press, 2006.
[16] J.-P. Talpin, D. Potop-Butucaru, J. Ouy, B. Caillaud. From multi-clocked synchronous speciﬁcations
to latency-insensitive systems. In Embedded Software Conference. ACM, 2005.
A Polychronous model of computation
We describe the semantics of Signal in the polychronous model of computation
(see [11] for more detail). In this model, symbolic tags t or u denote periods in time
during which execution takes place. Time is deﬁned by a partial order relation ≤
on tags: t ≤ u stipulates that t occurs before u. A chain is a totally ordered set of
tags. It corresponds to the clock of a signal: it samples its values over a series of
totally related tags. The domains for events, signals, behaviors and processes are
deﬁned as follows:
- an event is a pair consisting of a tag t ∈ T and a value v ∈ V,
- a signal is a function from a chain of tags to a set of values,
- a behavior b is a function from a set of signal names to signals,
- a process p is a set of behaviors that have the same domain.
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–70 69
We write T (s) for the chain of tags of a signal s and min s and max s for its
minimal and maximal tag. We write V(b) for the domain of a behavior b (a set of
signal names). The restriction of a behavior b to X is noted b|X (i.e. s.t. V(b|X) =
X). Its complementary b/X (i.e. s.t. V(b/X) = V(b) \X) satisﬁes b = b|X unionmulti b/X . We
overload the use of T and V to talk about the tags of a behavior b and the set of
signal names of a process p.
The synchronization of a behavior b with a behavior c is noted b ≤ c and is deﬁned
as the eﬀect of “stretching” its timing structure. A behavior c is a stretching of a
behavior b, written b ≤ c, iﬀ V(b) = V(c) and there exists a bijection f on tags s.t.
∀tu ∈ T (b), t ≤ f(t) ∧ (t < u ⇔ f(t) < f(u))
∀x ∈ V(b),T (c(x)) = f(T (b(x))) ∧ ∀t ∈ T (b(x)), b(x)(t) = c(x)(f(t))
b and c are clock-equivalent, written b ∼ c, iﬀ there exists a behavior d s.t. d ≤ b
and d ≤ c. The synchronous composition p |q of two processes p and q is deﬁned
by combining behaviors b ∈ p and c ∈ q that are identical on I = V(p) ∩ V(q), the
interface between p and q.
p |q = {b ∪ c | (b, c) ∈ p× q ∧ b|I = c|I ∧ I = V(p) ∩ V(q)}
The semantics [[P ]] of a Signal process P is a set of behaviors that are inductively
deﬁned by the concatenation of reactions. A reaction r is a behavior with (at
most) one time tag t. We write T (r) for the tag of a non empty reaction r. An
empty reaction of the signals X is noted ∅|X . The empty signal is noted ∅. A
reaction r is concatenable to a behavior b iﬀ V(b) = V(r), and, for all x ∈ V(b),
max(b(x)) < T (r(x)). If so, concatenating r to b is deﬁned by
∀x ∈ V(b),∀u ∈ T (b) ∪ T (r),
(b · r)(x)(u) = if u ∈ T (r(x)) then r(x)(u) else b(x)(u)
Initially, we assume that ∅|V(p) ∈ [[P ]]. The semantics of a delay x = y pre v is deﬁned
by appending a reaction r, of tag t, to a behavior b of x = y prew, for any value
w (the previous-previous value of y). In the reaction r, y is present (i.e. r(y) = ∅)
iﬀ x is present and its value of is v (i.e. r(x)(t) = v). The previous value of y in
behavior b, at tag u, is v.
[[x = y pre v]] =
{
b · r
∣∣∣∣∣∀w ∈ V, b ∈ [[x = y prew]], t = T (r), u = max(T (b(y))),(r(x)(t) = v ∧ r(y) = ∅) ∧ (b(y)(u) = v ∨ b = ∅xy)
}
Similarly, the semantics of a sampling x = y when z deﬁnes x by y when z is true.
[[x = y when z]] =
{
b · r
∣∣∣∣∣b ∈ [[x = y when z]], t = T (r), (r(z)(t) = true ∧ r(x)= r(y)) ∨ ((r(z)(t) = true ∨ r(z) = ∅) ∧ r(x) = ∅)
}
Finally, x = y default z deﬁnes x by y when y is present and by z otherwise.
[[x = y default z]] =
{
b · r
∣∣∣∣∣b ∈ [[x = y default z]], r(x) =
∣∣∣∣∣r(y), r(y) = ∅r(z), r(y) = ∅
}
The meaning of the synchronous composition P |Q is the synchronous composition
[[P |Q]] = [[P ]] | [[Q]] of the meaning of P and Q. The meaning of restriction is deﬁned
by [[P/x]] = {c | b ∈ [[P ]] ∧ c ≤ (b/x)}.
J. Ouy et al. / Electronic Notes in Theoretical Computer Science 200 (2008) 51–7070
