

# Modular interpretation of heterogeneous modeling diagrams into synchronous equations using static single assignment

Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, Loïc Besnard, Cortier Alexandre

# ► To cite this version:

Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, Loïc Besnard, Cortier Alexandre. Modular interpretation of heterogeneous modeling diagrams into synchronous equations using static single assignment. [Research Report] RR-7036, INRIA. 2009, pp.22. <iria-00417682>

# HAL Id: inria-00417682 https://hal.inria.fr/inria-00417682

Submitted on 16 Sep 2009

**HAL** is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire **HAL**, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.



INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

# Modular interpretation of heterogeneous modeling diagrams into synchronous equations using static single assignment

Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, INRIA Loic Besnard, CNRS, and Alexandre Cortier, CNES-IRIT





# Modular interpretation of heterogeneous modeling diagrams into synchronous equations using static single assignment

Jean-Pierre Talpin, Julien Ouy, Thierry Gautier, INRIA Loic Besnard, CNRS, and Alexandre Cortier, CNES-IRIT

> Thème COM — Systèmes communicants Équipes-Projets Espresso

Rapport de recherche n° 7036 — September 2009 — 19 pages

Abstract: The ANR project SPACIFY develops a domain-specific programming environment, Synoptic, to engineer embedded software for space applications. Synoptic is an Eclipse-based modeling environment which supports all aspects of aerospace software design. As such, it is a domainspecific environment consisting of heterogeneous modeling and programming principles defined in collaboration with the industrial partners and end users of the project : imperative synchronous programs, data-flow diagrams, mode automata, blocks, components, scheduling, mapping and timing. This article focuses on the essence and distinctive features of its behavioral or programming aspects : actions, flows and automata, for which we use the code generation infrastructure of the synchronous modeling environment SME. It introduces an efficient method for transforming a hierarchy of blocks consisting of actions (sequential Esterel-like programs), data-flow diagrams (to connect and time modules) and mode automata (to schedule or mode blocks) into a set of synchronous equations. This transformation minimizes the needed state variables and block synchronizations. It consists of an inductive static-single assignment transformation algorithm across a hierarchy of blocks that produces synchronous equations. The impact of this new transformation technique is twofold. With regards to code generation objectives, it minimizes the needed resynchronization of each block in the system with respects to its parents, potentially gaining substantial performance from way less synchronizations. With regards to verification requirements, it minimizes the number of state variables across a hierarchy of automata and hence maximizes model checking performances.

**Key-words:** Synchronous programming, model-driven engineering, program transformation, static-single assignment

# Interpretation modulaire de modèles hétérogènes utilisant l'assignation unique

**Résumé :** Ce rapport décrit une technique de transformation de programme utilisée dans le cadre du projet ANR Spacify afin de transformer un ensemble de diagrammes hétérogènes, représentant différentes vue d'un système pendant sa conception, en utilisant une représentation intermédiaire SSA (static-signgle assignment). La forme intermédiaire, modulaire et compacte, ainsi obtenue, est alors interprété dans lem odèle de calcul synchrone de l'atelier SME pour obtenir enfin une modélisation formelle supportant une vérification accéléré et un code gnéré efficace

**Mots-clés :** Programmation synchrone, ingénierie de modèles, transformation de programmes, assignation unique

# Contents

| 1 | Introduction         1.1       Motivation         1.2       Outline                             | $\begin{array}{c} 4 \\ 4 \\ 5 \end{array}$  |
|---|-------------------------------------------------------------------------------------------------|---------------------------------------------|
| 2 | Model of computation         2.1       Model of timed traces         2.2       Formal semantics | <b>6</b><br>6<br>7                          |
| 3 | Interpretation and semantics of Synoptic3.1Blocks                                               | <b>8</b><br>9<br>10<br>11<br>13<br>15<br>16 |
| 4 | Experimental Results                                                                            | 16                                          |
| 5 | Related Work                                                                                    | 17                                          |
| 6 | Conclusions                                                                                     | 17                                          |

# 1 Introduction

In the ANR project SPACIFY [10], we develop a domain-specific programming environment, Synoptic, for engineering for space application and control software. Synoptic is an Eclipse-based modeling environment which supports all aspects of aerospace software design. It covers the design of application and control modules using imperative synchronous programs, data-flow diagrams, mode automata, and also the partitioning, timing and mapping of these module onto satellite architectures. As such, Synoptic is a domain-specific environment : its aim is to provide the engineer with a unified modeling environment to cover all heterogeneous programming, analysis and verification tasks, as defined in collaboration with the industrial end users of the project. One typical case study under investigation in the project is a generic satellite positioning software, responsible for automatically moving the satellite into a correct position before initiating interaction with the ground.



Its specification, Fig. 1, consists of the composition of heterogeneous diagrams. Each diagram represents one specific aspect of the software's role: automata, Fig. 1-1, control its modes of operation for specific conditions (e.g. a solar eclipse). Data-flows, Fig. 1, define communication links and/or periodic processing tasks. Timed imperative programs, Fig. 1, specify sequential algorithmic behaviors.

Figure 1: Specification of the positionning software



### 1.1 Motivation

In this article, we are concerned with the heterogeneity of modeling notations of the Synoptic language and propose a method to embed them in a suitable model of computation for the purpose of formal verification and code generation. To model and compile all distinctive programming features of Synoptic : imperative programs, data-flows and automata, we use the code generation infrastructure of the synchronous modeling environment SME [2].

This model transformation or interpretation introduces an efficient method for transforming a hierarchy of blocks consisting of actions (sequential Esterel-like programs), data-flow diagrams (to connect and time modules) and mode automata (to schedule or mode blocks) into a set of synchronous equations. This transformation minimizes the needed state variables and block synchronizations. It consists of an inductive static-single assignment transformation algorithm across a hierarchy of blocks that produces synchronous equations.

#### 1.2 Outline

The impact of this transformation technique is twofold. With regard to code generation objectives, it maximizes the amount of atomic operations that are performed within one cycle of execution, gaining substantial performance from way less synchronizations. With regard to verification requirements, it minimizes the number and updates of state variables across automata and hence provides better model checking performances.

**Example** The principle of our transformation technique can be illustrated by considering a simple (Esterel-like) imperative Synoptic program. When the program receives control, it first initializes x and then increments it if y is true. Otherwise, x is decremented, a skip is issued (to synchronize with the parent block), and x is decremented again. At the end, control is released to the parent (caller) block.

$$\begin{array}{l} x=0;\\ \text{if}\,y\;\;\text{then}\;\{x=x+1\}\\ \;\;\text{else}\;\{x=x-1;\;\text{skip}\,;x=x-1\}\\ \text{end} \end{array}$$

The static single assignment form of this program (Fig. 2, left) assigns a different name  $x_{1...4}$  to each definition of x and uses a so called  $\phi$ -node to merge the values  $x_2$  and  $x_4$  of x flowing from then and else branches of the if. It is interpreted (Fig. 2, right) by a merge (the default keyword) of two flows,  $x_2$  and  $x_4$ , that are sampled (the when keyword) by the corresponding condition of the control-flow. All other data-flow equations match an instruction of the intermediate SSA form and its control-flow point. The signals s and s' record the current and next states of the program (0 and 1) using a delay keyword pre.

Figure 2: A timed sequential program and its data-flow interpretation

 $\begin{array}{ll} x_1 = 0; \\ \text{if } y \\ \text{then } x_2 = x_1 + 1 \\ \text{else } \{ \\ x_3 = x_1 - 1; \\ x = x_3; \\ \text{skip }; \\ x_4 = x - 1 \\ \}; \\ x = \phi(x_2, x_4) \\ \text{end} \end{array} \right| \begin{array}{ll} x_1 = 0 \text{ when } (s = 0) \\ x_2 = x_1 + 1 \text{ when } (s = 0) \text{ when } y \\ x_2 = x_1 + 1 \text{ when } (s = 0) \text{ when not } y \\ x_3 = x_1 - 1 \text{ when } (s = 0) \text{ when not } y \\ x_4 = (x \text{ pre } 0) - 1 \text{ when } (s = 1) \\ x = x_2 \text{ when } (s = 0) \text{ when not } y \\ \text{ default } x_3 \text{ when } (s = 0) \text{ when not } y \\ \text{ default } x_4 \text{ when } (s = 1) \\ s' = 0 \text{ when } (s = 1) \\ \text{ default } 0 \text{ when } (s = 0) \text{ when not } y \\ \text{ default } 0 \text{ when } (s = 0) \text{ when not } y \\ \text{ s = s' pre } 0 \end{array}$ 

In the present paper, we show how to not only translate the core imperative programming features into equation by generalizing the above idea, but also extend it to the mode automata that control the activation of such elementary blocks and to the data-flow diagrams that connect them. This yields, just as in the case of the above simple programs (one variable update instead of three) a significant gain in the number of transitions and of synchronization needed to verify and to execute programs.

# 2 Model of computation

The model of computation on which Synoptic relies for program transformation and code generation purposes is that of the Eclipse-based synchronous modeling environment SME [11]. The core of SME is based on compiler of the synchronous programming language Signal [6]. In Signal, a process Pconsists of the composition of simultaneous equations x = f(y, z) over signals x, y, z.

$$P, Q ::= x = y f z | P/x | P | Q \qquad (\text{process})$$

A delay equation  $x = y \operatorname{pre} v$  defines x every time y is present. Initially, x is defined by the value v, and then, it is defined by the previous value of y. A sampling equation  $x = y \operatorname{when} z$  defines x by y when z is true. Finally, a merge equation  $x = y \operatorname{default} z$  defines x by y when y is present and by z otherwise. An equation x = y f z can use a boolean or arithmetic operator f to define all of the  $n^{th}$  values of the signal x by the result of the application of f to the  $n^{th}$  values of the signals y and z. The synchronous composition of processes P | Q consists of the simultaneous solution of the equations in P and in Q. It is commutative and associative. The process P/x restricts the signal x to the lexical scope of P.

In Signal, the presence of a value along a signal x is an expression noted  $\hat{x}$ . It is true when x is present. Otherwise, it is absent. Specific processes and operators are defined in Signal to manipulate clocks explicitly. We only use the simplest one,  $x \operatorname{sync} y$ , that synchronizes all occurrences of the signals x and y.

**Example** We exemplify the model of computation of Signal by considering an equation that defines a counter. The output signal **counter** is defined by 0 when the input signal **reset** is true and, otherwise, by an increment of its previous value (**counter pre** 0) which is initially 0.

#### counter = 0 when reset default 1 + counter pre 0

Notice that the clock of the output signal is left deliberately larger than that of the input signal. One may later refine it with an additional clock equation counter sync reset to generate a count every time an occurrence of the input signal reset, true or false, is present.

#### 2.1 Model of timed traces

In the timing model of Polychrony [6], symbolic tags t or u denote periods in time during which execution takes place. Time is defined by a partial order relation  $\leq$  on tags:  $t \leq u$  stipulates that t occurs before u or at the same time. A chain is a totally ordered set of tags. It corresponds to the clock of a signal: it samples its values over a series of totally related tags. The domains for events, signals, behaviors and processes are defined as follows:

- an *event* is a pair consisting of a tag  $t \in \mathbb{T}$  and a value  $v \in \mathbb{V}$ ,
- a signal  $s \in S$  is a function from a chain of tags  $C \subset \mathbb{T}$  to a set of values  $v \in \mathbb{V}$ ,
- a behavior  $b \in \mathcal{B}$  is a function from a finite set of signal names  $X \subset \mathcal{V}$  to signals,
- a process  $p \in \mathcal{P}$  is a set of behaviors that have the same domain.

**Example** To illustrate these definitions, consider a possible behavior of the signals x and y defined by the process x = filter(y). The time tags at which the output x is present correspond to the time tags at which the previous and present value of y differ. Hence, evenly tagged values belong both to x and y.

$$\begin{array}{l} y \mapsto (t_1, \operatorname{true}) \ (t_2, \operatorname{false}) \ (t_3, \operatorname{false}) \ (t_4, \operatorname{true}) \ (t_5, \operatorname{true}) \ (t_6, \operatorname{false}) \\ x \mapsto (t_2, \operatorname{true}) \ (t_4, \operatorname{true}) \ (t_6, \operatorname{true}) \end{array}$$

**Notations** We write  $\mathcal{T}(s)$  for the chain of tags of a signal s and min s and max s for its minimal and maximal tag. We write  $\mathcal{V}(b)$  for the domain of a behavior b (a set of signal names). The restriction of a behavior b to X is noted  $b|_X$  (i.e.  $\mathcal{V}(b|_X) = X$ ). Its complementary  $b_{/X}$  satisfies  $b = b|_X \uplus b_{/X}$  (i.e.  $\mathcal{V}(b_{/X}) = \mathcal{V}(b) \setminus X$ ). We overload  $\mathcal{T}$  and  $\mathcal{V}$  to designate the tags of a behavior b and the set of signal names of a process p.

Since tags along a signal s form a chain  $C = \mathcal{T}(s)$ , we write  $C_i$  for the *i*th instant in chain C and have that  $C_i \leq C_j$  iff  $i \leq j$  for all  $i, j \geq 0$ .

**Reaction** A reaction r is a behavior with (at most) one time tag t. We write  $\mathcal{T}(r)$  for the tag of a non empty reaction r. The empty signal is noted  $\emptyset$ . If a reaction r is concatenable to a behavior b, written  $b \cdot r$  then the concatenation of r to b is written  $b \cdot r$ .

$$b \cdot c \Leftrightarrow \mathcal{V}(b) = \mathcal{V}(c) \wedge \max(\mathcal{T}(b)) < \min(\mathcal{T}(c)) \qquad b \cdot c \Rightarrow \forall x \in \mathcal{V}(b), (b \cdot c)(x) = b(x) \uplus r(x)$$

**Synchronous structure** A behavior c is a *stretching* of a behavior b, written  $b \le c$ , iff  $\mathcal{V}(b) = \mathcal{V}(c)$  and there exists a bijection f on tags s.t.

 $\forall t, u, t \le f(t) \land (t < u \Leftrightarrow f(t) < f(u))$ 

 $\forall x \in \mathcal{V}(b), \mathcal{T}(c(x)) = f(\mathcal{T}(b(x))) \land \forall t \in \mathcal{T}(b(x)), b(x)(t) = c(x)(f(t))$ 

b and c are *clock-equivalent*, written  $b \sim c$ , iff there exists a behavior d s.t.  $d \leq b$  and  $d \leq c$ . The synchronous composition p | q of two processes p and q is defined by combining behaviors  $b \in p$  and  $c \in q$  that are identical on the interface between p and  $q : I = \mathcal{V}(p) \cap \mathcal{V}(q)$ .

$$p \mid q = \{ b \cup c \mid (b, c) \in p \times q \land b \mid_{I} = c \mid_{I} \land I = \mathcal{V}(p) \cap \mathcal{V}(q) \}$$

Alternatively, the synchronous structure of a process can be interpreted as an equivalence relation  $\sim$  that refines the causal tag structure of individual signals (for all  $b \in \mathcal{B}$ , for all  $x \in \mathcal{V}(b)$ ,  $\mathcal{T}(b(x))$  is a chain of  $\mathbb{T}$ ). If we make the assumption that the only phenomenological structure is this causal structure, then the synchronous structure of a behavior  $\sim^b$  can be seen as a way to slice time across individual signals in a way that preserves causality: for all  $t, u \in \mathcal{T}(b)$ , 1. t < u iff  $t \not\sim^b u$  and 2.  $t \leq u$  iff  $t \sim u$  or t < v and  $v \sim^b u$ .

#### 2.2 Formal semantics

We examplify the use of the model of computation by considering the kernel operators of Signal. The meaning  $\llbracket P \rrbracket$  of a Signal process P is a set of behaviors that are inductively defined by the concatenation of reactions (we assume that  $\emptyset_{\mathcal{V}(P)} \in \llbracket P \rrbracket$  for all P).

The meaning of the synchronous composition P | Q is the synchronous composition  $\llbracket P | Q \rrbracket = \llbracket P \rrbracket | \llbracket Q \rrbracket$  of the meaning of P and Q. The meaning of restriction is defined by  $\llbracket P/x \rrbracket = \{c | b \in \llbracket P \rrbracket \land c \leq (b_{/x})\}.$ 

The semantics of a delay  $x = y \operatorname{pre} v$  is defined by appending a reaction r of tag t to a behavior b. It initially defines x by the value v (when b is empty) and then by the previous value of y (i.e. b(y)(u) where u is the maximal tag of b).

$$\begin{split} \llbracket x = y \operatorname{pre} v \rrbracket &= \left\{ b \in \mathcal{B}|_{x,y} \quad \begin{vmatrix} \mathcal{T}(b(x)) = \mathcal{T}(b(y)) \\ \forall t \in \mathcal{T}(b(x)), \ b(x)(\operatorname{succ}_{C}(t)) = b(y)(t) \\ b(x)(\min(C)) = v \end{vmatrix} \right\} \\ \llbracket x = y f z \rrbracket &= \left\{ b \in \mathcal{B}|_{x,y,z} \mid \begin{matrix} \mathcal{T}(b(x)) = \mathcal{T}(b(y)) = \mathcal{T}(b(z)) \\ \forall t \in \mathcal{T}(b(x)), \ b(x)(t) = f(b(y)(t), b(z)(t)) \end{matrix} \right\} \end{split}$$

Similarly, the semantics of a sampling x = y when z defines x by y when z is true. Finally,  $x = y \operatorname{default} z$  defines x by y when y is present and by z otherwise. We write  $\mathcal{T}_{\mathsf{true}}(s) \{t \in \mathcal{T}(s) | s(t) = \mathsf{true}\}$  for the chain of tags at which a signal s is true.

$$\llbracket x = y \text{ when } z \rrbracket = \left\{ b \in \mathcal{B}|_{x,y,z} \middle| \begin{array}{l} \mathcal{T}(b(x)) = \mathcal{T}_{\mathsf{true}}(b(y)) \cap \mathcal{T}(b(z)) \\ \forall t \in \mathcal{T}(b(x)), \ b(x)(t) = b(y)(t) \end{array} \right\}$$
$$\llbracket x = y \text{ default } z \rrbracket = \left\{ b \in \mathcal{B}|_{x,y,z} \middle| \begin{array}{l} \mathcal{T}(b(x)) = \mathcal{T}(b(y)) \cup \mathcal{T}(b(z)) \\ \forall t \in \mathcal{T}(b(x)), \ b(x)(t) = \begin{cases} b(y)(t), \ t \in \mathcal{T}(b(y)) \\ b(z)(t), \ t \notin \mathcal{T}(b(y)) \end{cases} \right\}$$

## **3** Interpretation and semantics of Synoptic

We formalize the semantics Synoptic by isolating the core syntactic categories that characterize its expressive capability: blocks, dataflows, actions and automata.

**Blocks** are the main structuring element of Synoptic. A block block xA defines a functional unit of compilation and of execution that can be called from many contexts and with different modes in the system under design. A block x encapsulates a functionality A that may consists of subblocks, automata and dataflows. A block x is implicitly associated with two signals x.trigger and x.reset. The signal x.trigger starts the execution of A. The specification A may then operate at its own pace until the next x.trigger is signaled. The signal x.reset is delivered to x at at some x.trigger and forces A to reset its state and variables to initial values.

$$(blocks)$$
 block  $xA$  where  $A, B ::=$  block  $xA \mid$  dataflow  $xA \mid$  automaton  $xA \mid A \mid B$ 

**Dataflows** ensure the inter-connection between data (inputs and outputs) and events (e.g. trigger and reset signals) within a block. A flow can be the connection of an event x to an event y, written event  $x \to y$ , data y and z combined by a simple operation f to form the flow x, written data  $y f z \to x$  or a delayed connection from y to x to implement feedback, written data  $y \operatorname{pre} v \to x$ . The signal x is initially defined by  $x_0 = v$ . Then, at each occurrence n > 0 of the signal y, it takes its previous value  $x_n = y_{n-1}$ .

(dataflow) dataflow  $x A where A, B ::= data y \operatorname{pre} v \to x \mid data y f z \to x \mid event x \to y \mid A \mid B$ 

The execution of a data-flow is controlled by its parent clock. A data-flow simultaneously executes each connection it is composed of every time it is triggered by its parent block.

Actions are sequences of operations on variables that are performed during the execution of automata. An assignment x = y f z defines the new value of the variable x from the current values of y and z by the function f. The skip statement stores the new values of variables that have been defined before it, so that they become current past it. The conditional if x then A else B executes A if the current value of x is true and executes B otherwise. A sequence A; B executes A and then B.

$$(action)$$
  $A, B ::= skip | x = y f z | if x then A else B | A; B$ 

Automata schedule the execution of operations and blocks by performing timely guarded transitions. An automaton receives control from its trigger and reset signals *xtrigger* and *x.reset* as specified by its parent block. When an automaton is first triggered, or when it is reset, its starts execution from its initial state, specified as initial state S. On any state S : do A, it performs the action A. From this state, it may perform an immediate transition to new state T, written  $S \rightarrow {}^{\text{on } x} T$ , if the value of the current variable x is true. It may also perform a delayed transition to T, written  $S \rightarrow {}^{\text{on } x} T$ , that waits until the next trigger to resume execution (in state T). If no transition condition applies, it then waits the next trigger and resumes execution in st ate S. States and transitions are composed as  $A \mid B$ .

(automaton) automaton x A where A, B ::= state S : do A |  $S \rightarrow {}^{\mathsf{on } x} T | S \rightarrow {}^{\mathsf{on } x} T | A | B$ 

9

The syntax for automata supports additional constructs to facilitate the definition of more complex policies. The initial (and terminal) state(s) of an automaton are explicitly specified by initial state S: do A and terminal state S: do A while, in the semantics, the initial state is just an initial or reset value of the state and a terminal state a state without outgoing transition. The actions performed in a state can be further decomposing into the actions of entering a state state S on entry do A, the action repetitively performed in a given state state S during do A, the action performed when leaving a state state S on exit do A, the action performed while leaving a state  $S \rightarrow On x \text{ do } A T$ .

 $\begin{array}{ll} A,B::= \text{ initial state }S: \text{ do }A \mid \text{ terminal state }S: \text{ do }A \mid \text{ state }S \text{ on entry do }A \\ \mid \text{ state }S \text{ during do }A \mid \text{ state }S \text{ on exit do }A \mid S \twoheadrightarrow \overset{\texttt{on }x \text{ do }A}{T} \end{array}$ 

The timed execution of an automaton combines the behavior of an action or a data-flow. The execution of a delayed transition or of a stutter is controlled by an occurrence of the parent trigger signal (as for a data-flow). The execution of an immediate transition is performed without waiting for a trigger or a reset (as for an action).

### 3.1 Blocks

A block x receives control from its trigger and reset signals x.trigger and x.trigger. The translation of a block block x A is the same as that of A but it is parameterized by the pair of trigger and reset signals.

$$\llbracket \mathsf{block} \ x A \rrbracket = \llbracket A \rrbracket^{x.\mathsf{trigger}, x.\mathsf{reset}}$$

**Denotation** The corresponding denotation is parameterized by the time tags at which the trigger and reset events occur. They are defined by the chains  $C^t$  (for the trigger) and  $C^r$  (for the reset). Therefore, the operation of A is controlled by  $C = (C^t, C^r)$ .

$$\llbracket \mathsf{block} \ x A \rrbracket = \left\{ b \, | \, c \, | \, b \in \llbracket A \rrbracket^C, \, c \in \mathcal{B}|_{\substack{x. \mathsf{trigger} \\ x. \mathsf{reset}}}, \, C^t = \mathcal{T}_{\mathsf{true}} \left( c(x. \mathsf{trigger}) \right) \supseteq \mathcal{T}(c(x. \mathsf{reset})) = C^r \right\}$$

In addition to the above, an enable signal x enable can be used to initiate the delayed execution of a block. Therefore, assuming  $C^t = \mathcal{T}_{true}(c(x.trigger))$  and  $C^e = \mathcal{T}_{true}(c(x.enable))$ , we should have that,  $\forall t \in C^t \exists u \in C^e, t \leq u$ .

**Example** The execution of a block is driven by the trigger t of its parent block. The block resynchronizes with that trigger every time, itself or one of its sub-block, performs an explicitly delayed transition, e.g.  $S \to T$  for an automaton, or makes an explicit reference to time (e.g. skip for an action). Otherwise, the elapse of time shall not be sensed from within the block, whose operations (e.g., on  $c_i$ ), should be perceived as belonging to the same period as within  $[t_i, t_{i+1}]$ . To implement this feature, we make use of an encoding of actions and automata using static single assignment. As a result, and from within a block, every immediate sequence of actions A; B or transitions  $A \to B$  only defines the value of the block's variable once, while defining several intermediate ones in the flow of its execution.

### 3.2 Dataflow

Data-flows are structurally similar to Signal programs and equally combined using synchronous composition. The interpretation  $[\![A]\!]^{rt} = \langle P \rangle$  of a data-flow is parameterized by the reset and trigger signals of the parent block and returns a process  $P^1$ . A delayed flow data  $y \operatorname{pre} v \to x$  initially defines x by the value v. It is reset to that value every time the reset signal r occurs. Otherwise, it takes the previous value of y in time. A functional flow data  $y f z \to x$  defines x by the product of (y, z) by f. An event flow event  $y \to x$  connects y to define x. The operator ?(y) converts an event y to a boolean data. The operator  $^{(y)}$  converts the boolean data y to an event. We write  $\operatorname{in}(A)$  and  $\operatorname{out}(A)$  for the input and output signals of a dataflow A.

$$\begin{bmatrix} \operatorname{dataflow} f A \end{bmatrix}^{n} = \langle \llbracket A \rrbracket^{n} \mid \left( \prod_{x \in \operatorname{in}(A)} x \operatorname{sync} t \right) \rangle$$
  

$$\begin{bmatrix} \operatorname{data} y \operatorname{pre} v \to x \rrbracket^{n} = \langle x = (v \operatorname{when} r) \operatorname{default} (y \operatorname{pre} v) \mid (x \operatorname{sync} y) \rangle$$
  

$$\begin{bmatrix} \operatorname{data} y f z \to x \rrbracket^{n} = \langle x = y f z \rangle$$
  

$$\begin{bmatrix} \operatorname{event} y \to x \rrbracket^{n} = \langle x = \operatorname{when} y \rangle$$
  

$$\begin{bmatrix} \operatorname{data} ?(y) \to x \rrbracket^{n} = \langle x = \operatorname{true} \operatorname{when} y \operatorname{default} \operatorname{false} \mid x \operatorname{sync} t \rangle$$
  

$$\begin{bmatrix} \operatorname{event} \hat{}(y) \to x \rrbracket^{n} = \langle x = \operatorname{when} y \rangle$$
  

$$\begin{bmatrix} A \mid B \rrbracket^{n} = \langle \llbracket A \rrbracket^{n} \mid \llbracket B \rrbracket^{n} \rangle$$

By default, the convention of Synoptic is to synchronize the input signals of a data-flow to the parent trigger. It is however, possible to define alternative policies. One is to down-sample the input signals at the pace of the trigger. Another is to adapt or resample them at that trigger. Alternatively, adaptors could better be installed around the input and output signals of a block in order to resample them with respect to the specified frequency of the block.

$$[\![\mathsf{sample data} \ y \to x]\!]^{tt} = \langle x = y \text{ when } t \rangle \qquad [\![\mathsf{adapt data} \ y \to x]\!]^{tt} = \langle x = y \text{ cell } t \rangle$$

**Denotation** A data-flow dataflow f A is defined by the meaning of A controlled by the parent timing C. A delayed flow data  $y f z \to x$  assigns v to the signal x upon reset  $t \in C^r$  and the previous value of y otherwise, at time  $\operatorname{pred}_{C^x}(t)$ . An operation data  $y f z \to x$  assigns the product of the values u and v of y and z by the operation f to the signal x. An event event  $x \to y$  triggers x every time y occurs. Composition  $A \mid B$  merges all timely compatible traces of A and B under the same context.

$$\begin{bmatrix} \mathsf{dataflow} \ f \ A \end{bmatrix}^C = \{ b \in \llbracket A \rrbracket^C \mid \forall x \in \mathrm{in}(A) \ C^t = \mathcal{T}(b(x)) \}$$

$$\begin{bmatrix} \mathsf{data} \ y \ \mathsf{pre} \ v \to x \rrbracket^C = \left\{ b \in \mathcal{B}|_{x,y} \quad \begin{vmatrix} C^x = \mathcal{T}(b(x)) = \mathcal{T}(b(y)) \supseteq C^v = C^r \cup \{\mathrm{min}(\mathcal{T}(b(x)))\} \\ \forall t \in C^x, b(x)(t) = if \ t \in C^v \ then \ v \ else \ b(y)(\mathrm{pred}_{C^x}(t)) \\ \end{bmatrix} \right\}$$

$$\begin{bmatrix} \mathsf{data} \ y \ f \ z \to x \rrbracket^C = \{ b \in \mathcal{B}|_{x,y,z} \ | \forall t \in \mathcal{T}(b(x)) = \mathcal{T}(b(y)) = \mathcal{T}(b(z)), \ b(x)(t) = f(b(y)(t), b(z)(t)) \\ \end{bmatrix}$$

$$\begin{bmatrix} \mathsf{event} \ y \to x \rrbracket^C = \{ b \in \mathcal{B}|_{x,y} \quad | \mathcal{T}(b(x)) = \mathcal{T}(b(y)) \} \\ \\ \llbracket A \ \| B \rrbracket^C = \llbracket A \rrbracket^C \mid \llbracket B \rrbracket^C \end{bmatrix}$$

<sup>&</sup>lt;sup>1</sup>The input term A and the output term P are marked by [A] and  $\langle P \rangle$  for convenience

### 3.3 Actions

The execution of an action A starts at an occurrence of its parent trigger and shall end before the next occurrence of that event. During the execution of an action, one may also wait and synchronize with this event by issuing a skip statement.

A skip statement has no behavior but to signal the end of an instant: all the newly computed values of signals are flushed in memory and execution is resumed upon the next parent trigger. A statement x! sends the signal x to its environment. Execution may continue within the same symbolic instant unless a second emission is performed: one shall issue a skip statement before that. An operation x = y f z takes the current value of y and z to define the new value of x by the product with f. A conditional if x then A else B executes A or B depending on the current value of x.

As a result, only one new value of a variable x should at most be defined within an instant delimited by the start and the end or skip statement. Therefore, the interpretation of an action consists of its decomposition in static single assignment form. To this end, we use an environment E to associate each variable with its definition, an expression, and a guard, that locates it (in time).

An action holds an internal state s that stores an integer n denoting the current portion of the actions that is being executed. State 0 represents the start of the program and each n > 0 labels a skip statement that materializes a synchronized sequence of actions.

The interpretation  $[A]^{s,m,g,E} = \langle P \rangle_{n,h,F}$  of an action A takes as parameters the state variable s, the state m of the current section, the guard g that leads to it, and the environment E. It returns a process P, the state n and guard h past it, and an updated environment F. We write  $use_E^g(x)$  for the expression that returns the definition of the variable x at the guard g and  $def_E^g(x)$  for storing the final values of all variables x defined in E at the guard g.

$$\operatorname{use}_E^g(x) = if \, x \in \mathcal{V}(E) \, then \, \langle E(x) \rangle \, else \, \langle (x \operatorname{pre} 0) \operatorname{when} g \rangle \qquad \operatorname{def}_g(E) = \prod_{x \in \mathcal{V}(E)} \, (x = \operatorname{use}_E^g(x))$$

Execution is started with s = 0 upon receipt of a trigger t. It is also resumed from a skip statement at s = n with a trigger t. Hence the signal t is synchronized to the state s of the action. The signal r is used to inform the parent block (an automaton) that the execution of the action has finished (it is back to its initial state 0). An end statement resets s to 0, stores all variables x defined in E with an equation  $x = use_E^g(x)$  and finally stops (its returned guard is false).

A skip statement advances s to the next label n + 1 when it receives control upon the guard e and flushes the variables defined so far. It returns a new guard  $(s \operatorname{pre} 0) = n + 1$  to resume the actions past it. An action x! emits x when its guard e is true. A sequence A; B evaluates A to the process P and passes its state  $n_A$ , guard  $g_A$ , environment  $E_A$  to B. It returns P | Q with the state, guard and environment of B.

$$\begin{bmatrix} \operatorname{do} A \end{bmatrix}^{n} = \langle (P \mid s \operatorname{sync} t \mid r = (s = 0)) / s \rangle \quad and \langle P \rangle_{n,h,F} = \llbracket A; \operatorname{end} \rrbracket^{s,0,((s \operatorname{pre} 0)=0),\emptyset} \\ \\ \llbracket \operatorname{end} \rrbracket^{s,n,g,E} = \langle s = 0 \operatorname{when} g \mid \operatorname{def}_g(E) \rangle_{0,\operatorname{false},\emptyset} \\ \\ \llbracket \operatorname{skip} \rrbracket^{s,n,g,E} = \langle s = n+1 \operatorname{when} g \mid \operatorname{def}_g(E) \rangle_{n+1,((s \operatorname{pre} 0)=n+1),\emptyset} \\ \\ \llbracket x! \rrbracket^{s,n,g,E} = \langle x = \operatorname{true} \operatorname{when} g \rangle_{n,g,E} \\ \\ \llbracket x = y f z \rrbracket^{s,n,g,E} = \langle x = e \rangle_{n,g,E_x \uplus \{x \mapsto e\}} \operatorname{where} e = \langle f(\operatorname{use}_E^g(y), \operatorname{use}_E^g(z)) \operatorname{when} g \rangle \\ \\ \\ \llbracket A; B \rrbracket^{s,n,g,E} = \langle P \mid Q \rangle_{n_B,g_B,E_B} \quad where \langle P \rangle_{n_A,g_A,E_A} = \llbracket A \rrbracket^{s,n,g,E} \operatorname{and} \langle Q \rangle_{n_B,g_B,E_B} = \llbracket B \rrbracket^{s,n,g,E_A} \\ \end{aligned}$$

Similarly, a conditional evaluates A with the guard g when x to P and B with g when not x to Q. It returns P | Q but with the guard  $g_A$  default  $g_B$ . All variables  $x \in X$ , defined in both  $E_A$  and  $E_B$ , are merged in the environment F.

**∏**if

$$\begin{bmatrix} \text{if } x \text{ then } A \text{ else } B \end{bmatrix}^{s,n,g,E} = \langle P | Q \rangle_{n_B,(g_A \text{ default } g_B),(E_A \bowtie E_B)}$$

$$where \ \langle P \rangle_{n_A,g_A,E_A} = \llbracket A \rrbracket^{s,n,(g \text{ when } \text{use}_E^g(x)),E}$$

$$and \ \langle Q \rangle_{n_B,g_B,E_B} = \llbracket B \rrbracket^{s,n_A,(g \text{ when } \text{not } \text{use}_E^g(x)),E}$$

We write  $E \bowtie F$  to merge the definitions in the environments E and F.

$$\forall x \in \mathcal{V}(E) \cup \mathcal{V}(F), \ (E \bowtie F)(x) = \begin{cases} E(x), & x \in \mathcal{V}(E) \setminus \mathcal{V}(F) \\ F(x), & x \in \mathcal{V}(F) \setminus \mathcal{V}(E) \\ E(x) \text{ default } F(x), & x \in \mathcal{V}(E) \cap \mathcal{V}(F) \end{cases}$$

**Notes** An action cannot be reset from the parent clock because it is not synchronized to it. A sequence of emissions x!; x! yield only one event along the signal x because they occur at the same (logical) time, as opposed to x!; skip; x! which sends the second one during the next trigger.

**Denotation** Given its state b, the execution  $c_k = \llbracket A \rrbracket_b$  of an action A returns a new state c and a status k whose value is 1 if a skip occurred and 0 otherwise. We write  $b_{\downarrow x} = b(x)(\min \mathcal{T}(b))$  and  $b_{\uparrow x} = b(x)(\max \mathcal{T}(b))$  for the first and last value of x in b.

A sequence first evaluates A to  $c_k$  and then evaluates B with store  $b \cdot c$  to  $d_l$ . If k is true, then a skip has occurred in A, meaning that c and d belong to different instants. In this case, the concatenation of b and c is returned.

If k is false, then the execution that ended in A continues in B at the same instant. Hence, variables defined in the last reaction of c must be merged to variables defined in the first reaction of d. To this end, we write  $(b \bowtie c)(x) = b(x) \uplus c(x)$  for all  $x \in \mathcal{V}(b)$  if  $t = \max(\mathcal{T}(b)) = \min(\mathcal{T}(c))$ .

$$\begin{bmatrix} \operatorname{do} A \end{bmatrix}_b = b \cdot c \text{ where } c_k = \llbracket A \rrbracket_b$$
$$\llbracket \operatorname{skip} \rrbracket_b = \emptyset_1$$
$$\llbracket x! \rrbracket_b = \{(x, t, 1)\}_0$$
$$\llbracket x = y f z \rrbracket_b = \{((x, t, f(b_{\uparrow y}, b_{\uparrow z})))\}_0$$
$$x \text{ then } A \text{ else } B \rrbracket_b = if b_{\uparrow x} then \langle A \rangle_b else \langle B \rangle_b$$

$$\llbracket A; B \rrbracket_b = if \ k \ then \ (c \cdot d)_l \ else \ (c \bowtie d)_l \ where \ c_k = \llbracket A \rrbracket_b \ and \ d_l = \llbracket B \rrbracket_{b \cdot c}$$

**Example** Consider the simple sequential program of the introduction. Its static single assignment form is depicted in Fig. 3.

$$\begin{array}{l} x=0;\\ \text{if }y \;\; \text{then}\; \{x=x+1\}\\ \;\; \text{else}\; \{x=x-1;\; \text{skip}\; ; x=x-1\}\\ \text{end} \end{array}$$

As in GCC, it uses a  $\phi$ -node, line <sup>9</sup> to merge the possible values  $x_2$  and  $x_4$  of x flowing from each branch of the if. Our interpretation implements this  $\phi$  by a default equation that merges these two values with the third,  $x_3$ , that is stored into x just before the skip line <sup>6</sup>. The interpretation of all assignment instructions in the program follows the same pattern<sup>2</sup>. Line <sup>2</sup>, for instance, the value of

<sup>&</sup>lt;sup>2</sup>In the actual translation, temporarly names  $x_{1,...5}$  are substituted by the expression that defines them. We kept them in the figure for a matter of clarity.

x is  $x_1$ , which flows from line <sup>1</sup>. Its assignment to the new definition of x, namely  $x_2$ , is conditioned by the guard y on the path from line <sup>1</sup> to <sup>2</sup>. It is conditioned by the current state of the program, which needs to be 0, from line <sup>1</sup> to <sup>6</sup> and <sup>9</sup> (state 1 flows from line <sup>7</sup> to <sup>9</sup>, overlapping on the  $\phi$ -node). Hence the equation  $x_2 = x_1 + 1$  when (s=0) when y.

Figure 3: Tracing the interpretation of a timed sequential program

#### 3.4 Automata

An automaton describes a hierarchic structure consisting of actions execute upon entry in a state by immediate and delayed transitions. An immediate transition occurs during the period of time allocated to a trigger. Hence, it does not synchronize to it. Conversely, a delayed transition occurs upon synchronization with the next occurrence of the parent trigger event.

As a result, an automaton is partitioned in regions. Each region corresponds to the amount of calculation that can be performed within the period of a trigger, starting from a given initial state.

**Notations** We write  $\rightarrow_A$  and  $\rightarrow_A$  for the immediate and delayed transition relations of an automaton A. We write  $\operatorname{pred}_{\rightarrow_A}(S)$  and  $\operatorname{succ}_{\rightarrow_A}(S)$  (resp.  $\operatorname{pred}_{\rightarrow_A}(S)$  and  $\operatorname{succ}_{\rightarrow_A}(S)$ ) for the predecessor and successor states of the immediate (resp. delayed) transitions  $\rightarrow_A$  (resp.  $\rightarrow_A$ ) from a state S in an automaton A.

$$\operatorname{pred}_{R}(S) = \{T \mid (T, x, S) \in R\}$$
  $\operatorname{succ}_{R}(S) = \{T \mid (S, x, T) \in R\}$ 

We write  $\vec{S}$  for the region of a state S. It is defined by an equivalence relation.

$$\forall S, T \in \mathcal{S}(A) \ ((S, x, T) \in \rightarrow_A) \Leftrightarrow \vec{S} = \vec{T}$$

For any state S of A, written  $S \in \mathcal{S}(A)$ , it is required that the restriction of  $\rightarrow_A$  to the region  $\vec{S}$  is acyclic. Notice that, still, a delayed transition may take place between two states of the same region.

**Interpretation** An automaton A is interpreted by a process  $[[automaton x A]]^{rt}$  parameterized by its parent trigger and reset signals. The interpretation of A defines a local state s. It is synchronized to the parent trigger t. It is set to 0, the initial state, upon receipt of a reset signal r and, otherwise, takes the previous value of s', that denotes the next state. The interpretation of all states is performed concurrently.

We give all states  $S_i$  of an automaton A a unique integer label  $i = \lceil S_i \rceil$  and designate with  $\lceil A \rceil$  its number of states.  $S_0$  is the initial state and, for each state of index i, we call  $A_i$  its action i and

 $x_{ij}$  the guard of an immediate or delayed transition from  $S_i$  to  $S_j$ .

$$[\![\operatorname{automaton} x A]\!]^{rt} = \langle \left( t \operatorname{sync} s \, | \, s = (0 \operatorname{when} r) \operatorname{default} (s' \operatorname{pre} 0) \, | \, \left( \prod_{S_i \in \mathcal{S}(A)} [\![S_i]\!]^s \right) \right) \, / ss' \rangle$$

The concurrent interpretation  $[S_i]^s$  of all states  $0 \le i < \lceil A \rceil$  is implemented by a series of recursive equations that define the meaning of each state  $S_i$  depending on the result obtained for its predecessors  $S_j$  in the same region. Since regions are acyclic, this system of equations has therefore a unique solution. The interpretation of state  $S_i$  starts with that of its actions  $A_i$ . An action  $A_i$  defines a local state  $s_i$  synchronized to the parent state s = i of the automaton. The automaton stutters with s' = s if the evaluation of the action is not finished: it is in a local state  $s_i \neq 0$ .

Interpreting the actions  $A_i$  requires the definition of a guard  $g_i$  and of an environment  $E_i$ . The guard  $g_i$  defines when  $A_i$  starts. It requires the local state to be 0 or the state  $S_i$  to receive control from a predecessor  $S_j$  in the same region (with the guard  $x_{ji}$ ). The environment  $E_i$  is constructed by merging these  $F_j$  returned by its immediate predecessors  $S_j$ . Once these parameters are defined, the interpretation of  $A_i$  returns a process  $P_i$  together with an exit guard  $h_i$  and an environment  $F_i$  holding the value of all variables it defines.

Upon evaluation of  $A_i$ , delayed transition from  $S_i$  are checked. This is done by the definition of a process  $Q_i$  which, first, checks if the guard  $x_{ij}$  of a delayed transition from  $S_i$  evaluates to true with  $F_i$ . If so, variables defined in  $F_i$  are stored with  $def_{h_i}(F_i)$  and the state of the parent automaton becomes s' = j at the guard  $h_i$ .

$$\begin{split} \forall i < \lceil A \rceil & [\![S_i]\!]^s = \left\langle \left(P_i \mid Q_i \mid s_i \operatorname{sync} \left(s = i\right) \mid s' = s \operatorname{when} \left(s_i \neq 0\right)\right) / s_i \right\rangle \\ where \ \left\langle P_i \right\rangle_{n,h_i,F_i} &= [\![A_i]\!]^{s_i,0,g_i,E_i} \\ and & E_i = \Join_{S_j \in \operatorname{pred}_{\rightarrow_A}(S_i)} F_j \\ and & g_i = \operatorname{true} \operatorname{when} \left( \left(s_i \operatorname{pre} 0\right) = 0 \right) \operatorname{default} \left( \bigvee_{(S_j, x_{ji}, S_i) \in \rightarrow_A} \left( \operatorname{use}_E(x_{ji}) \right) \right) \\ and & Q_i = \prod_{(S_i, x_{ij}, S_j) \in \twoheadrightarrow_A} \left( \operatorname{def}_{h_i \operatorname{when} \left( \operatorname{use}_{F_i}(x_{ij}) \right) (F_i) \mid s' = j \operatorname{when} h_i \operatorname{when} \left( \operatorname{use}_{F_i}(x_{ij}) \right) \right) \end{split}$$

We write  $\prod_{i \leq n} P_i$  for a finite product of processes  $\mathcal{P}_1 \mid \ldots P_n$ ,  $\sum_{i \leq n} A_i$  for a finite sequence of actions  $A_1; \ldots A_n, \bigvee_{i \leq n} e_i$  for a finite merge  $e_1$  default  $\ldots e_n$  and  $\bigwedge_{i \leq n} e_i$  for a finite sampling  $e_1$  when  $\ldots e_n$ .

**Denotation** An automaton x receives control from its trigger at the clock  $C^t$  and is reset at the clock  $C^r$ . Its meaning is hence parameterized by  $C = (C^t, C^r)$ . The meaning of its specifications  $\langle A \rangle_b^s$  is parameterized by the finite trace b, that represents the store, by the variable s, that represents the current state of the automaton.

At the *i*th step of execution, given that it is in state j  $((b_i)_{\uparrow s} = j)$  the automaton produces a finite behavior  $b_{i+1} = \langle S_j \rangle_b^s$ . This behavior must match the timeline of the trigger:  $\mathcal{T}(b_i) \subseteq C^t$ . It must to the initial state 0 is a reset occurs:  $\forall t \in C^r$ ,  $b_i(s)(t) = 0$ .

$$\left[ \left[ \operatorname{automaton} x A \right] \right]^{C} = \left\{ \left( \circ_{i \ge 0} b_i \right) / s \middle| \begin{array}{l} b_0 = \{ (x, t_0, 0) \, | \, x \in \mathcal{V}(A) \cup \{s\} \} \\ \forall i \ge 0, \quad b_{i+1} \in \left[ S_j \right] \right]_{b_i}^s \\ j = if \, \min(\mathcal{T}(b_{i+1})) \in C^r \, then \, 0 \, else \, (b_i)_{\uparrow s} \\ \mathcal{T}(b_{i+1}) \subseteq C^t \end{array} \right\}$$

When an automaton is in the state  $S_i$ , its action  $A_i$  is evaluated to  $c \in \langle A_i \rangle_b$  given the store b. Then, immediate or delayed transitions departing from  $S_i$  are evaluated to return the final state d of the automaton.

$$\llbracket S_i \rrbracket_b^s = \begin{cases} \llbracket S_j \rrbracket_c^s, & (S_i, x_{ij}, S_j) \in \to_A \land c_{\uparrow x_{ij}} \\ c \uplus \{(s, t, j)\}, & (S_i, x_{ij}, S_j) \in \twoheadrightarrow_A \land c_{\uparrow x_{ij}} \\ c \uplus \{(s, t, i)\}, & otherwise \end{cases} \quad where \quad c/s = \llbracket \operatorname{do} A_i \rrbracket_b$$

**Simplifications** A generalized weak (or synchronized) transition from a state S to a state T translates into one leaving  $S_C$  (the exit substate of S) and entering  $T_S$  (the entry substate of T from S). In this translation, an automaton implicitly stutters the "during" action of its current state if no transition is applicable.

$$\begin{pmatrix} S: \\ \text{during do } A \\ \text{on exit do } B \end{pmatrix} \xrightarrow{\to} \text{on } g \text{ do } C \begin{pmatrix} T: \text{ on entry do } D \\ \end{pmatrix}$$
$$S: \text{ do } A \xrightarrow{\text{on } g} S_T: \text{ do } B \xrightarrow{\to} T_S: \text{ do } C; D \xrightarrow{\to} T$$

**Notes** An oversampling automaton cannot be reset until it performs a transition synchronized to its trigger (a weak transition). A terminal state S: terminal state A is a state S: do A from which no transition exists. It can only be reset to the initial state.

Example Reconsider our previous sequential program

$$x = 0$$
; if y then  $x = x + 1$  else  $\{x = x - 1; \text{ skip}; x = x - 1\}$  end

that is now represented by an automaton. The aim of our interpretation of automata is to merge, use and store the environments of variables defined in all the states  $S_{1...5}$  in order to provide its regions with an equivalent meaning as if it was defined by a sequential program. One can actually check that the translation of the automaton (right) is almost identical the that of the original program.

#### 3.5 Modularity

The above technique easily and compositionally generalizes to the modular programming framework under consideration in our project. It may indeed be suitable to have the capability of defining mode automata that operate blocks defined or compiled separately, and to allow block to possibly use shared variables.

In the present framework, this is done by associating each block with a def/use profile to register the association between the uses and definitions of global variables (e.g. x) with local variables (e.g.  $x_{0,...4}$ ). As an example, consider the following procedure f to increment the global integer variable x.

void 
$$f()\{x = x + 1\}$$

Our analysis locally records the definition and use of x with two integer variables  $x_0$  and  $x_1$ . This forms the profile of f. Associating f with it amounts to declaring the association of  $x_0$  with the use of x and of  $x_1$  with the definition of x, as follows (or differently).

void 
$$f(int x_0 \# use x, int * x_1 \# def x) \{ *x_1 = x_0 + 1 \}$$

Next, had our mode automaton been defined by calling two external functions f() and g() to respectively increment and decrement x (Fig. 4, left), we would then just had to rewrite it in SSA form as follows (Fig. 4, right). The final x can itself be defined as a parameter to the hence SSA-encoded automaton, making the whole technique modular, compositional, hierarchical.

Figure 4: Modular interpretation of a mode automaton into data-flow equations

### 3.6 Periodic behaviors

A periodic structure can be defined by the refinement of a causal and synchronous structure. A signal s samples a signal r with period  $\pi$  and phase  $\phi$ , written  $s = \pi r + \phi$  iff  $(C, D) = \mathcal{T}(r, s)$  and, for all  $i \ge 0$ ,  $C_{\pi,i+\phi} = D_i$ .

For any signal s, we can interpret the periodic structure of the chain  $\mathcal{T}(s) = (t_n)_{n\geq 0}$  by a morphism  $\Pi$  to the series of intervals  $([\pi \times n, \pi \times n + \phi])_{n\geq 0}$ .

A morphism  $\Pi$  is consistent with the synchronous structure  $\sim^{b}$  of a behavior b iff, for all  $t, u \in \mathcal{T}(b)$ , 1. t < u iff  $\max \Pi(t) < \min \Pi(u)$  and 2.  $t \sim^{b} u$  iff  $\min \Pi(t) < \max \Pi(u)$  or  $\min \Pi(u) < \max \Pi(t)$ .

$$\begin{split} \left[ \begin{array}{l} \operatorname{block} B P\left\langle F \right\rangle \right] &= \left[ \begin{array}{l} \operatorname{block} B P \right]^C, \, C^t \in \left[ \left[ F \right] \right] \\ \left[ \begin{array}{l} \operatorname{event} x \to y \left\langle F \right\rangle \right] &= \left[ \begin{array}{l} \operatorname{event} x \to y \right]^C, \, C^t \in \left[ \left[ F \right] \right] \\ \left[ \operatorname{frequency} n hz \right] &= \left\{ C \, | \, \forall i \geq 0, \, i/n \leq \Pi(C_i) < (i+1)/n \right\} \\ \left[ \left[ m \, hz \text{ with burst} \, n \, \operatorname{every} p \, hz \right] &= \left\{ C \, \left| \begin{array}{l} \forall i \geq 0, \, j = i \, div \, n, \, k = (i \, mod \, n) \\ j/p + k/m \leq \Pi(C_i) < j/p + (i+1 \, mod \, n)/m \end{array} \right\} \end{split} \right\} \end{split}$$

## 4 Experimental Results

Case studies previously presented in [1] in the frame of the FOTOVP project [9] gave experimental evidences on the performance of our interpretation technique compared to more classical encoding techniques based on automata. Performance improve both for code generation (minimization of synchronization points) and for verification (minimization of intermediate states). The examples in [1] consist of concurrent imperative programs counting bits in parallel.

Fig. 6, in Appendix, depicts the intermediate generated code for the main AOCS module of Fig. 1. It comprises an interpretation of the automaton itself as well as its data-flow connections with the safe (SAFE) and nominal (NM) modes. The first six equations define the state transitions of the automaton. Then, a case statement defines how the block corresponding to each mode is called by the definition of its data-flow connections and timing constraints (tick, trigger, reset). The last fourteen equation define the connection that are within the lexical scope of the automaton. There are only two state variables (\_AOCS\_aut\_A\_1\_previousState and \_AOCS\_aut\_A\_1\_zNextState) as well as two explicitly shared variables (\_LO\_CMD and \_LO\_ERR\_ATT). The process that interprets the AOCS automaton is compiled modularly and linked with its sub-modules DataFlowModel\_SAFE\_dtf and DataFlowModel\_NM\_dtf.

| program                    | vars | states   | reachable | transitions |                     |
|----------------------------|------|----------|-----------|-------------|---------------------|
| 2-bits parallel counters   |      | 04       |           |             |                     |
| (property true)            | 24   | $2^{24}$ | 36        | 116         | $0.15  { m s}$      |
| 2-bits parallel counters   |      |          |           |             |                     |
| with variant (prop. false) | 25   | $2^{25}$ | 107       | 359         | $0.27 \mathrm{\ s}$ |
| 8-bits parallel counters   |      |          |           |             |                     |
| (property true)            | 36   | $2^{36}$ | 1.296     | 3.896       | 66 s                |
| 8-bits parallel counters   |      |          |           |             |                     |
| with variant (prop. false) | 37   | $2^{37}$ | 328.715   | 1.117.223   | $124~{\rm s}$       |

Figure 5: States and transitions for the SSA interpretation of parallel counters

# 5 Related Work

One common mis-conception about SSA is that since multiple assignments to the same variable are translated into assignments to multiple intermediate variables, the explosion of the number of variables introduces a huge overhead. As our encoding demonstrates, this is indeed not a problem as all of these intermediate variables are encoded into temporary signals and can even be substituted by the expression that defines them. They can also be dealt efficiently by model-checkers as they require no additional BDD node. Our experiments have shown that the number of *state* variables does not explode by SSA transformation but are rather reduced to the number of explicit time boundaries (a skip) in the source program.

Our approach and tools are based on previous studies and experimental results on the translation of imperative programs into synchronous equations using SSA transformation [7]. In related works, SSA-based modeling is primarily used for the purpose of efficiently compiling imperative programs with GCC [3] or LLVM [5], with emphasis on aggressive optimizations [4] generated code safety, runtime optimization and for symbolic verification [8].

Our technique uses the underlying model of computation of SME platform, dedicated to offering such capabilities (efficient code-generation and accelerated verification) for timed synchronous specifications such as in the high-level, domain-specific, programming environment Synoptic. One big advantage of our approach is that it creates a minimal number of transitions in the generated code: the portion of code between two explicit synchronizations is indeed encoded as a single reaction. By contrast, a naive approach would consists of translating each instruction with an explicit control-point and generate a huge automaton. Its encoding would then introduce state variables with a large number of possible values. Our SSA-based translation avoids this overhead.

# 6 Conclusions

We gave a thorough description of a technique that embeds heterogeneous programming and modeling concepts by interpreting them into an expressive, synchronous data-flow and multi-clocked model of computation. The development of this technique is based on the use of a static single assignment decomposition technique that is applied across the boundaries of the source diagrams yet in a well-typed and modular manner. It demonstrates a striking affinity between SSA and synchronous data-flow models of computation.

As a result, we obtain an efficient method for transforming a hierarchy of blocks consisting of actions (sequential Esterel-like programs), data-flow diagrams (to connect and time modules) and mode automata (to schedule or mode blocks) into a set of synchronous equations.

The impact of this new transformation technique is twofolds. With regards to code generation objectives, it minimizes needed resynchronizations between blocks in the system, potentially gaining substantial performances from way less communication. With regards to verification requirements, it minimizes the number of state variables across hierarchic automata and hence maximizes model checking capabilities.

# References

- Besnard, L., Gautier, T, Moy, M., Talpin, J.-P., Johnson, K., Maraninchi, F. "Automatic translation of C/C++ parallel code into synchronous formalism using an SSA intermediate form". Automated Verification of Critical Systems. EASST, 2009.
- [2] Brunette, C., Talpin, J.-P., Gamatié, A., Gautier, T. "A metamodel for the design of polychronous systems" Journal of Logic and Algebraic Programming, Special Issue on Applying Concurrency Research to Industry. Elsevier, 2008.
- [3] R. Cytron, J. Ferrante, B. Rosen, M. Wegman, and K. Zadeck. "Efficiently Computing Static Single Assignment Form and the Control Dependence Graph". ACM Transactions on Programming Languages and Systems, 13(4): 451-490. ACM Press, October 1991.
- [4] B. Hardekopf and C. Lin. "Semi-sparse flow-sensitive pointer analysis". Symposium on Principles of programming languages. ACM Press, 2009.
- [5] C. Lattner and V. Adve. "LLVM: A Compilation Framework for Lifelong Program Analysis and Transformation". International Symposium on Code Generation and Optimization. ACM Press, 2004.
- [6] Le Guernic, P., Talpin, J.-P., Le Lann, J.-C. "Polychrony for system design". Journal for Circuits, Systems and Computers. Special Issue on Application Specific Hardware Design. World Scientific, August 2003.
- [7] Talpin, J.-P., Berner, D., Shukla, S., Le Guernic, P., Gamatié, A., Gupta, R. "Behavioral type inference for compositional system design". Chapter in Formal Methods and Models for System Design. Kluwer Academic Publishers, 2004.
- [8] A. Zaks and R. Joshi. "Verifying multi-threaded C Programs with SPIN". International SPIN Workshop on Model Checking of Software. Springer, 2008.
- [9] ANR project FotoVP http://www-verimag.imag.fr/SYNCHRONE/fotovp.
- [10] ANR project Spacify http://spacify.gforge.enseeiht.fr.
- [11] Polychrony and SME http://www.irisa.fr/espresso/polychrony.

Figure 6: Intermediate code for the main AOCS automaton

```
process Automaton_AOCS_aut =
  ( ? _POS_Data; _ATT_Data; _TO_NM; event _tick, _trigger, _reset; ! _CMD; _ERR_ATT; )
  (| subprocesses4 ::
             ? _POS_Data; _ATT_Data; _TO_NM; event _tick, _trigger, _reset; ! _URU; _EF
| subprocesse4 ::
(| _WT_2_SAFE_TO_NM_P_0 := true when _TO_NM
when (_AOCS_aut_A_1_currentState =#_SAFE)
| _WT_3_NM_TO_SAFE_P_0 := true when _ERR_ATT
when (_AOCS_aut_A_1_currentState =#_NM)
| _AOCS_aut_A_1_currentState := _AOCS_aut_A_1_ZNextState
| _AOCS_aut_A_1_nextState := (#_NM when _WT_2_SAFE_TO_NM_P_0)
default (#_SAFE when _WT_3_NM_TO_SAFE_P_0)
default _AOCS_aut_A_1_currentState
| _AOCS_aut_A_1_previousState := _AOCS_aut_A_1_currentState$ init #_SAFE
| _AOCS_aut_A_1_zNextState := _AOCS_aut_A_1_nextState$ init #_SAFE
| _aAOCS_aut_A_1_currentState in
               _AOCS_aut_A_1_currentState in
                                             .
ere _SAFE_POS_Data; _SAFE_ATT_Data; _SAFE_TO_NM;
_SAFE_CND; _SAFE_ERR_ATT; _CND1; _ERR_ATT2;
event _SAFF_tick, _SAFE_trigger, _SAFE_reset, _tick2, _trigger2, _reset2;
label _DataFlowModel_SAFE_dtf, _POS_Data1, _ATT_Data1, _TO_NM2;
                                       where
                                       end
                               where label subprocesses6;
                                         end
                              *_MM;
subprocesses7 :: (| subprocesses8 ::
(| _POS_Data2 := _NM_POS_Data
| _ATT_Data2 := _NM_TI_Data
| _ATT_Data2 := _NM_TI_Data
| _TO_NM3 := _NM_TI_Data
| _To_Sata2 := _NM_trigger
| _reset3 := _NM_trigger
| _reset3 := _NM_trigger
| _reset3 := _NM_trigger
| _DataFlowModel_NM_dtf {: (_CMD2,_ERR_ATT3) :=
DataFlowModel_NM_dtf {: (_CMD2,_ERR_ATT3) := _reset
| _NM_TO_NM := _rD_NM_N
| _NM_trigger := _reset
| _NM_CMD := _CMD2
| _NM_ERR_ATT := _ERR_ATT3
| _LO_CMD1 := _NM_CMD
| _LO_ERR_ATT1 := _MM_ERR_ATT
|) where _NM_FOS_Data; _NM_ATT_Data; _NM_TO_NM; _NM_CMD;
_NM_ERR_ATT; _CMD2; _ERR_ATT3;
event _NM_tick, _IM_trigger, _NM_reset, _tick3,
_trigger3, _reset3;
| abel_DataFlowModel_NM_dtf, _POS_Data2,
_ATT_Data2, _TO_NM3;
end
|) where label subprocesses8;
end
                        L)
                        {#_NM}:
(| subp
                                             end
                          D
              |)
|)
vhere type _AOCS_aut_A_1_type = enum (_SAFE, _NM);
event _WT_2_SAFE_TO_NM_P_0, _WT_3_NM_TO_SAFE_P_0;
_AOCS_aut_A_1_type _AOCS_aut_A_1_currentState,
_AOCS_aut_A_1_nextState, _AOCS_aut_A_1_previousState,
_AOCS_aut_A_1_zNextState;
                                 label subprocesses5, subprocesses7;
     ))
))
vhere shared _L0_CMD, event _L0_ERR_ATT;
_clock_10_Hz; _clock_20_Hz; _XMI_Id_3; _XMI_Id_4; _L0_CMD1; _L0_CMD2;
event _L0_ERR_ATT1, _L0_ERR_ATT2;
label subprocesses4;
                   end ·
```



#### Centre de recherche INRIA Rennes – Bretagne Atlantique IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)

Centre de recherche INRIA Bordeaux – Sud Ouest : Domaine Universitaire - 351, cours de la Libération - 33405 Talence Cedex Centre de recherche INRIA Grenoble – Rhône-Alpes : 655, avenue de l'Europe - 38334 Montbonnot Saint-Ismier Centre de recherche INRIA Lille – Nord Europe : Parc Scientifique de la Haute Borne - 40, avenue Halley - 59650 Villeneuve d'Ascq Centre de recherche INRIA Nancy – Grand Est : LORIA, Technopôle de Nancy-Brabois - Campus scientifique 615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex Centre de recherche INRIA Paris – Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex Centre de recherche INRIA Saclay – Île-de-France : Parc Orsay Université - ZAC des Vignes : 4, rue Jacques Monod - 91893 Orsay Cedex Centre de recherche INRIA Sophia Antipolis – Méditerranée : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex

> Éditeur INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France) http://www.inria.fr ISSN 0249-6399