Polychronous Design of Real-Time Applications with Signal
Thierry Gautier, Paul Le Guernic, Jean-Pierre Talpin

To cite this version:
Polychronous Design of Real-Time Applications with SIGNAL

Thierry Gautier, Paul Le Guernic and Jean-Pierre Talpin *

June 30, 2008

Abstract. This paper provides an introduction to the synchronous, multi-clocked, data-flow specification language SIGNAL. The main operators are described and their use is illustrated through a few simple examples. Basic techniques for compiling SIGNAL programs are outlined.

1 Introduction

High-level embedded system design has gained prominence in the face of rising technological complexity, increasing performance requirements and shortening time to market demands for electronic equipments. Today, the installed base of intellectual property (IP) further stresses the requirements for adapting existing components with new services within complex integrated architectures, calling for appropriate mathematical models and methodological approaches to that purpose.

Over the past decade, numerous programming models, languages, tools and frameworks have been proposed to design, simulate and validate heterogeneous systems within abstract and rigorously defined mathematical models. Formal design frameworks provide well-defined mathematical models that yield a rigorous methodological support for the trusted design, automatic validation, and systematic test-case generation of systems.

However, they are usually not amenable to direct engineering use nor seem to satisfy the present industrial demand.

Despite overwhelming advances in embedded systems design, existing techniques and tools merely provide ad-hoc solutions to the challenging issue of the so-called productivity gap. The pressing demand for design tools has sometimes hidden the need to lay mathematical foundations below design languages. Many illustrating examples can be found, e.g. the variety of very different formal semantics found in state-diagram formalisms. Even though these design languages benefit from decades of programming practice, they still give rise to some diverging interpretations of their semantics.

*INRIA Rennes – Bretagne Atlantique, Campus de Beaulieu, 35042 Rennes Cedex, France. {thierry.gautier, paul.leguernic, jean-pierre.talpin}@irisa.fr
The need for higher abstraction-levels and the rise of stronger market constraints now make the need for unambiguous design models more obvious. This challenge requires models and methods to translate a high-level system specification into a distribution of purely sequential programs and to implement semantics-preserving transformations and high-level optimizations such as hierarchization (sequentialization) or desynchronization (protocol synthesis).

In this aim, system design based on the so-called “synchronous hypothesis” has focused the attention of many academic and industrial actors. The synchronous paradigm consists of abstracting the non-functional implementation details of a system and lets one benefit from a focused reasoning on the logics behind the instants at which the system functionalities should be secured.

With this point of view, synchronous design models and languages provide intuitive models for embedded systems [7]. This affinity explains the ease of generating systems and architectures and verify their functionalities using compilers and related tools that implement this approach.

In the relational mathematical model behind the design language Signal, the supportive data-flow notation of the integrated development environment Polychrony, this affinity goes beyond the domain of purely sequential systems and synchronous circuits and embraces the context of complex architectures consisting of synchronous circuits and desynchronization protocols: globally asynchronous and locally synchronous architectures (GALS).

This unique feature is obtained thanks to the fundamental notion of polychrony [31]: the capability to describe systems in which components obey to multiple clock rates. It provides a mathematical foundation to a notion of refinement: the ability to model a system from the early stages of its requirement specifications (relations, properties) to the late stages of its synthesis and deployment (functions, automata).

The notion of polychrony goes beyond the usual scope of a programming language, allowing for specifications and properties to be described. As a result, the Signal design methodology draws a continuum from synchrony to asynchrony, from specification to implementation, from abstraction to refinement, from interface to implementation. Signal gives the opportunity to seamlessly model embedded systems at multiple levels of abstraction while reasoning within a simple and formally defined mathematical model.

The inherent flexibility of the abstract notion of signal handled in Signal invites and favors the design of correct-by-construction systems by means of well-defined model transformations that preserve the intended semantics and stated properties of the architecture under design.

Synchronous languages rely on the synchronous hypothesis, which lets computations and behaviors be divided into a discrete sequence of computation steps which are equivalently called reactions or execution instants. In itself this assumption is rather common in practical embedded system design.

But the synchronous hypothesis adds to this the fact that, inside each instant, the behavioral propagation is well-behaved (causal), so that the status of every signal or variable is established and defined prior to being tested or used. This criterion ensures strong semantic soundness by allowing universally
recognized mathematical models to be used as supporting foundations. In turn, these models give access to a large corpus of efficient optimization, compilation, and formal verification techniques.

In this article, we consider the SIGNAL language, which is based on the polychronous semantic model [31] and its associated toolset POLYCHRONY to design embedded real-time applications.

**Outline.** We present the main operators of the SIGNAL language in Section 2, discussing first the principles of synchronized data-flow. We describe a few simple examples allowing to illustrate constraint programming with SIGNAL and the specific feature of oversampling. Then in Section 3, we present the basic tools for compilation: clock calculus and graph calculus. Sequential code generation is illustrated and notions for partitioning programs toward separate compilation or distributed code generation are introduced. Finally, a technique for temporal analysis of SIGNAL programs is briefly presented. Concluding remarks in Section 4 refer to the POLYCHRONY workbench.

**Historical notes.** First of all, before introducing the language, we draw a few steps of its “history”. The first studies for a new language started in INRIA-Rennes in 1981 in a project for the design of software for signal processing machines (the application domain was later widened). Le Guernic and Benveniste were in charge of the design of the language, with Gautier. The whole project was a cooperation between teams from INRIA-Rennes and INRIA-Rocquencourt, and CNET (French telecommunication organism). The first paper on SIGNAL, viewed as an algebraic description of networks of flows, was published by Le Guernic in 1982 [27]. It was recognized later that several teams in France worked in parallel with similar ideas: this gave rise to the so-called “synchronous school”, around the synchronous languages Esterel, Lustre and SIGNAL, with many contacts and fruitful scientific exchanges. The first complete description of the SIGNAL language (version 1) was provided by Gautier in his PhD [18]. The encoding of clocks using $\mathbb{Z}/3\mathbb{Z}$ was proposed by Le Guernic and Benveniste in 1986 [28]. A full compiler, including clock calculus (with hierarchies of Boolean clocks), was described by Besnard [11]. The clock calculus was later improved by Amagbegnon [1], who defined arborescent canonical forms. The semantics of the language has been described using different models: operational semantics [9], denotational semantics [10], trace semantics [29, 39] (used in the current reference manual for SIGNAL V4 [12]), tagged model [31] (now considered as a reference paper for the polychronous model). Nowak [36] proposed a co-inductive semantics that was used for modeling SIGNAL in the proof assistant Coq. A number of PhD’s have been devoted to different aspects of SIGNAL implementation, many of these works were conducted in the context of cooperative projects including European ones such as Synchron, Syrf, Sacres, SafeAir, etc. To mention only some of them that are in phase with the mainstream of the current SIGNAL version: Chéron [13] proposed optimization methods; Le Goff [26] defined clustering models for SIGNAL programs; Maffeis [33] formalized the required notions for abstraction and sep-
arate compilation; Aubry [3] described distributed implementation (the PhD’s mentioned here are written in French but corresponding articles written in English may be found on the POLYCHRONY site). Many other studies, not detailed here, concerned extensions of SIGNAL, translations to or from SIGNAL, specific applications, etc. We also mention the definition of an affine clock calculus for affine clocks by Smarandache [39] and the polychronous modeling of real-time executive services of the ARINC avionic standard by Gamatié [17]. Belhadj [4], Kountouris [23] and Le Lann [32], also with Wolinski, used SIGNAL for hardware description and synthesis ([23] describes also a method for temporal interpretation of SIGNAL programs). Dutertre [16], Le Borgne [25] and Marchand [34] developed the theory of polynomial dynamical systems on $\mathbb{Z} / 3\mathbb{Z}$, implemented it in the SIGAL tool and applied it for verification and controller synthesis on SIGNAL programs. Le Guernic and others had characterized specific classes of polychronous programs such as endochronous ones. In [6], Benveniste, Caillaud and Le Guernic analyzed the links between synchrony and asynchrony and introduced the property of isochrony in the context of synchronous transition systems. In [31], Le Guernic, Talpin and Le Lann expressed the notion of endo- isochrony in the tagged model of polychrony. A property of weak endochrony was described by Potop-Butucaru, Caillaud and Benveniste [38]. In his PhD, Ouy [37] introduced polyendochrony and showed that it is possible to test it in a polynomial way.

The POLYCHRONY workbench, which is now freely distributed from http://www.irisa.fr/espresso/Polychrony, was built progressively during these years and includes a lot of the previously mentioned works. It is regularly updated. In parallel with the POLYCHRONY academic set of tools, an industrial implementation, called SILDEX, was developed by the TNI company, now included in Geensys. This commercial toolset, which is now called RT-BUILDER, is supplied by Geensys (http://www.geensys.com/).

2 The SIGNAL language

SIGNAL [9] is a declarative design language expressed within the polychronous model of computation. In the following, we present the SIGNAL language and its associated concepts.

2.1 Synchronized data-flow

Consider as an example the following program expressed in some conventional data-flow formalism [22]:

\[
\text{if } a > 0 \text{ then } x = a; \quad y = x + a
\]

What is the meaning of this program? In an interpretation where the edges are considered as FIFO queues [2], if $a$ is a sequence with non-positive values, the queue associated with $a$ will grow forever, or (if $a$ is a finite sequence) the queue associated with $x$ will eventually be empty although $a$ is non-empty. It
is not clear that the meaning of this program is the meaning that the author had in mind! Now, suppose that each FIFO queue consists of a single cell [15]. Then as soon as a negative value appears on the input, the execution can no longer go on: there is a deadlock. This is usually represented by the special undefined value ⊥ (stating for “no event”).

It would be somewhat significant if such deadlocks could be statically prevented. For that, it is necessary to be able to statically verify timing properties. Then the ⊥ should be handled when reasoning about time, but it has to be considered with a non standard meaning. In the framework of synchronized data-flow, the ⊥ will correspond to the absence of value at a given logical instant for a given variable (or signal). In particular, it must be possible to insert ⊥’s between two defined values of a signal. Such an insertion corresponds to some resynchronization of the signal. However, the main purpose of synchronized data-flow is that the whole synchronization should be completely handled at compile time, in such a way that the execution phase has nothing to do with ⊥. This will be assumed by a static representation of the timing relations expressed by each operator. Syntactically, the timing will be implicit in the language. SIGNAL describes processes which communicate through (possibly infinite) sequences of (typed) values with implicit timing: the signals. For example, x denotes the infinite sequence \( \{x_t\}_{t \geq 0} \) where \( t \) denotes a logical time index. At any instant, a signal may be present, at which point it holds a value; or absent and denoted by ⊥ in the semantic notation. There is a particular type of signals called event. A signal of this type is always true when it is present (otherwise, it is ⊥). Signals defined with the same time index are said to have the same clock, so that clocks are equivalence classes of simultaneous signals. The clock of a signal x, noted \( \wedge x \) in the language, represents the set of instants at which the signal x is present. A process is a system of equations over signals that specifies relations between values and clocks of the signals. A program is a process.

Consider a given operator which has, for example, two input signals and one output signal. We shall speak of synchronous signals if they are logically related in the following sense: for any \( t \), the \( t^{th} \) token on the first input is evaluated with the \( t^{th} \) token on the second input, to produce the \( t^{th} \) token on the output. This is precisely the notion of simultaneity. However, for two tokens on a given signal, we can say that one is before the other (chronology). Then, for the synchronous approach, an event is a set of instantaneous calculations, or equivalently, of instantaneous communications.

### 2.2 Signal constructs

SIGNAL [30] relies on a handful of primitive constructs, which can be combined using a composition operator. These core constructs are of sufficient expressive power to derive other constructs for comfort and structuring. Here, we give a sketch of the primitive constructs (bold-faced) and a few derived constructs.
(italics) often used. For each of them, the corresponding syntax and definition are mentioned.

**Functions/Relations.** Let \( f \) be a symbol denoting a n-ary function \([f]\) on instantaneous values (e.g., arithmetic or Boolean operation). Then, the **Signal** expression

\[
y := f(x_1, \ldots, x_n)
\]

defines an elementary process such that:

\[
y_t \neq \bot \iff x_1_t \neq \bot \iff \ldots \iff x_n_t \neq \bot, \forall t : y_t = f(x_1_t, \ldots, x_n_t),
\]

where \( x_{i_k} \) denotes the \( k^{th} \) element of the sequence denoted by \( \{x_{i_t}\}_{t \geq 0} \).

**Delay.** This operator defines the signal whose \( t^{th} \) element is just the \( (t-1)^{th} \) element of its input, at any instant but the first one, where it takes an initialization value. Then, the **Signal** expression

\[
y := x \downarrow 1 \text { init } c
\]

defines an elementary process such that:

\[
x_t \neq \bot \iff y_t \neq \bot, \forall t > 0 : y_t = x_{t-1}, y_0 = c.
\]

At the first instant, the signal \( y \) takes the initialization value \( c \). Then, at any instant, \( y \) takes the previous value of \( x \).

**Under-sampling.** This operator has one data input and one Boolean “control” input, but it has a different meaning when one of the inputs holds \( \bot \). In this case, the output is also \( \bot \); at any logical instant where both input signals are defined, the output will be different from \( \bot \) if and only if the control input holds the value \( \text{true} \). Then, the **Signal** expression

\[
y := x \text { when } b
\]

defines an elementary process such that:

\[
y_t = x_t \text{ if } b_t = \text{true}, \text{ else } y_t = \bot.
\]

The derived statement \( y := \text{when } b \text{ is equivalent to } y := b \text{ when } b \). In this case, \( y \) has the type \( \text{event} \) (it is always \( \text{true} \) when present).

**Deterministic merging.** The unique output provided by this operator is defined (i.e., with a value different from \( \bot \)) at any logical instant where at least one of its two inputs is defined (and non-defined otherwise); a priority makes it deterministic. Then, the **Signal** expression

\[
z := x \text { default } y
\]

defines an elementary process such that:

\[
z_t = x_t \text{ if } x_t \neq \bot, \text{ else } z_t = y_t.
\]
**Parallel composition**: Resynchronizations (that is to say, possible insertions of \( \perp \)) have to take place when composing processes with common signals. However, this is only a formal manipulation. If \( P \) and \( Q \) denote two processes, the *composition* of \( P \) and \( Q \) defines a new process, denoted by

\[
| P | \quad | Q | \quad |
\]

where common names refer to common signals. Then, \( P \) and \( Q \) communicate through their common signals.

**Restriction.** This operator allows one to consider as local signals a subset of the signals defined in a given process. If \( x \) is a signal defined in a process \( P \),

\[
P \text{ where } x
\]
defines a new process where communication ways (for composition) are those of \( P \), except \( x \).

Derived operators are defined from the kernel of primitive operators. In particular:

- **Clock extraction**: \( h := \sim x \) specifies the clock \( h \) of \( x \) as a signal of type *event*, and can be defined as: \( h := (x = x) \).
- **Synchronization**: \( x1 \sim= x2 \) specifies that \( x1 \) and \( x2 \) have the same clock, and is defined as: \( | h := (\sim x1 = \sim x2) | \) where \( h \).
- **Clock union**: \( h := x1 \sum x2 \) specifies the clock union of \( x1 \) and \( x2 \), which is also defined as: \( h := \sim x1 \text{ default } \sim x2 \).
- **Clock intersection**: \( h := x1 \sim x2 \) specifies the clock intersection of \( x1 \) and \( x2 \), which is also defined as: \( h := \sim x1 \text{ when } \sim x2 \).
- **Memory**: \( y := x \text{ cell } b \text{ init } y0 \) allows to memorize in \( y \) the latest value carried by \( x \) when \( x \) is present or when \( b \) is *true*. It is defined as:
  \[
  | y := x \text{ default } (y \text{ if } 1 \text{ init } y0) | \quad y \sim x \sim (\text{when } b) | \).

**2.3 A simple example**

The purpose of the following process is to define a signal \( v \) which counts in the reverse order the number of occurrences of the events at which a Boolean signal \( \text{reset} \) holds the value *false*; \( v \) is reinitialized (with a value \( v0 \)) each time \( \text{reset} \) is *true*.

\[
| \text{zv} := v \text{ if } 1 \text{ init } 0 \\
| \text{vreset} := v0 \text{ when } \text{reset} \\
| \text{zvdec} := \text{zv when (not reset)} \\
| \text{vdec} := \text{zvdec} - 1 \\
| v := \text{vreset default vdec} \\
| \text{reach0} := \text{when (zv = 1)} \\
|)
\]

where integer \( \text{zv}, \text{vreset}, \text{zvdec}, \text{vdec} \);
**Comments:** \( v \) is defined with \( v_0 \) each time \( \text{reset} \) is present and has the value \text{true} (operator \text{when}); otherwise (operator \text{default}), it takes the value of \( z_{v_{\text{dec}}-1} \), \( z_{v_{\text{dec}}} \) being defined as the previous value of \( v \) (delay), \( z_v \), when this value is present and moreover, when \( \text{reset} \) is present and has the value \text{false} (operator \text{when}). The Boolean signal \( \text{reach0} \) is defined (with the value \text{true}) when the previous value of \( v \) was equal to 1. Notice that \( v \) is decremented when \( \text{reset} \) has a value \text{false}.

**Model of process:** The above process can be abstracted and declared as a model of process, with its ways of communication, stated explicitly (some intermediate variables have also been removed):

```plaintext
process RCOUNT =
{ integer v0; }
( ? boolean reset;
  ! event reach0;
  integer v; )
(| zv := v $ 1 init 0
 | v := (v0 when reset) default ((zv when (not reset)) - 1)
 | reach0 := when (zv = 1)
 |)
where
  integer zv;
end;
```

It may be referred to as, for example, \( \text{RCOUNT}(10) \) (\( v_0 \) is a formal parameter of the process; “?” stands as a tag for the input signals and “!” for the output ones). Here, there are one input signal, \( \text{reset} \), and two output signals, \( \text{reach0} \) and \( v \).

### 2.4 Constraint programming with SIGNAL

We demonstrate definition of programs by property specification and addition of constraints, that illustrates the style of programming that SIGNAL leads to: programming by composition of systems of equations. We consider the example of a “mailbox”, defined in an incremental way.

In a first step, we define a simple memory, that may be represented by a cell \( M_{\text{In}} \) with one input \( \text{In} \) and one output \( \text{Out} \): each time a new value arrives on the input \( \text{In} \), it replaces the previously memorized one and is itself memorized in \( M_{\text{In}} \); each time a value is required on the output \( \text{Out} \), the current value of \( M_{\text{In}} \) is delivered on this output.

In SIGNAL, this is specified by the following equations:

\[
\begin{align*}
(a) & \quad M_{\text{In}} := \text{In} \text{ default } (M_{\text{In}} \ $ 1 \text{ init } V0) \\
(b) & \quad \text{Out} := M_{\text{In}} \text{ when } \sim \text{Out}
\end{align*}
\]

(1)
(V0 represents a constant value, used as initial value of the memory). Memorization is through the delay operator: memorized signals are the state variables of a SIGNAL program.

The notation ^Out is the syntax that represents the clock of the signal Out, considered as an event-type signal (Boolean which is true when it is present).

Let us comment both equations of (1). To simplify, we name zM_In the signal (M_In $ 1 init V0). The equation

\[ M_In := In \text{ default } zM_In \]

defines the signal M_In as made up from:

- the values of the signal In when In is defined (i.e., at the instants of the clock of In),
- the values of the signal zM_In when In is not present, but zM_In is.

When neither In nor zM_In are present, M_In is also not defined. The instants of the clock of the signal M_In are the union of the instants of In and of those of zM_In. Since at each one of its instants, the signal zM_In has the value that M_In had at the previous instant, equation (a) expresses indeed that M_In is defined by In when a new value arrives on the input In and keeps its previous value at the other instants.

In SIGNAL, every signal is characterized by its clock (the set of instants at which it is defined), including signals representing state variables. A signal (X $ 1) always has the same clock as the corresponding signal X. Here, zM_In and M_In have the same clock, which is written: zM_In ^= M_In. Thus, considering clocks, equation (a) states simply that the clock of M_In is at least as frequent as the clock of In, which may be written: M_In ^> In.

Consider now equation (b) of (1). The signal Out is defined by the value of the signal M_In when M_In is defined and the second argument of the when operator (here, the signal ^Out, which represents a clock, has the value true whenever it is defined). Thus the instants of the clock of the signal Out are the intersection of the instants of M_In and the instants at which the condition that forms the second argument of the when is true. Here, the signal Out is defined by the value of the memory at the instants of its own clock (the instants at which some value is required on the output Out). Considering clocks, equation (b) states that the clock of M_In is at least as frequent as the clock of Out: M_In ^> Out.

The process (1) does not fix the clock of the memory M_In. If one wants to specify that this clock must be exactly the union of the instants of In and the instants of Out, it is sufficient to add the following synchronization equation:

\[ M_In ^= In ^+ Out \]

Let us declare and name this small program:

```plaintext
process MEM =
   { type T; T V0; }
```
\begin{verbatim}
( ? T In;
  ! T Out; )
(| M_In := In default (M_In $ 1 init V0)
 | Out := M_In when (~Out)
 | M_In ^= In ^+ Out
 |)
where
  T M_In;
end;
\end{verbatim}

Comments: There are two static parameters for this program: the first one is the generic type, \( T \), of memorized values; the second one is the initial value \( V_0 \).

In a first step, we have defined a program \texttt{MEM} that works asynchronously, according to arrivals and requests of messages, without particular constraints. If \( \bot \) denotes the absence of value at a given instant, we have, for any instant \( t \):

\begin{align*}
\text{In}_t \neq \bot & \Rightarrow M_{\text{In}}_t = \text{In}_t \\
\text{In}_t = \bot & \Rightarrow M_{\text{In}} = M_{\text{In}}_{t-1} \\
\text{Out}_t \neq \bot & \Rightarrow \text{Out}_t = M_{\text{In}}_t
\end{align*}

(2)

Suppose now we want to add a first constraint to the program, that there is no loss of messages: every data that arrives in the memory has to be read. For any instant \( t \):

\[ \text{In}_t \neq \bot \Rightarrow \exists s \geq 0 \text{Out}_{t+s} = \text{In}_t \]  

(3)

For that purpose, we define a Boolean signal, \texttt{accept}, which is \texttt{true} when some value is emitted to the environment (instants of \(^\text{Out}\)) and \texttt{false} when some value is received on the input of the memory (instants of \(^\text{In}\)):

\begin{verbatim}
(| accept := (~Out) default (not ^\text{In}) default z_accept
 | z_accept := accept $ 1 init true
 |)
\end{verbatim}

(4)

(note that (not \(^\text{In}\)) means (false when \(^\text{In}\)). At the instants which are not instants of \texttt{In} nor instants of \texttt{Out}, the Boolean \texttt{accept} keeps its previous value.

The property (3) is easily translated as a constraint on the instants at which \( \text{In}_t \neq \bot \): a new input \texttt{In} can be accepted only when the previous value has been emitted, i.e., when the Boolean \texttt{accept} was \texttt{true} at the previous instant. In SIGNAL, if we rename here WRITE_ACCEPT the previous value of the Boolean accept:

\begin{verbatim}
(| WRITE_ACCEPT := z_accept
 | In ^= In when WRITE_ACCEPT
 |)
\end{verbatim}

(5)

(the clock of the Boolean WRITE_ACCEPT could be fixed, for instance at the clock of all instants at which a new input may be read). If we compose the program
MEM with the equations (4) and (5), we get a new program the behavior of which is the intersection of the behaviors of its components. Thus it is a memory that accepts a new input only when the previous value has been emitted.

Suppose now we accept loss of messages, but we want to avoid their possible duplication on the output: a given message cannot be emitted several times on the output Out. Here, we forget the equations (5), but we keep the definition of the Boolean accept since the problem is the dual of the previous one: a new value can be emitted on Out only from the input of a new value in the memory, i.e., when the previous value of the Boolean accept was the value false. However, keeping the same definition of accept, we must add as possible instants of Out the instants at which there is, at the same time, some input on In (if this is not forbidden: in that case, a value that arrives on In is immediately emitted on Out):

\[
\begin{align*}
\text{READ_ACCEPT} &= \text{not } z_{\text{accept}} \\
\text{DIRECT_READ_ACCEPT} &= (\neg \text{In}) \text{ default } \text{READ_ACCEPT} \\
\text{Out} &= \text{Out when } \text{DIRECT_READ_ACCEPT} \\
\end{align*}
\]

Then, the composition of the program MEM with the equations (4) and (6) specifies a memory that emits at most once the memorized values.

If we want to add both constraints, in other words, to specify a mailbox, for which every received message will be emitted once and only once, then it is sufficient to compose the program MEM with the equations (4), (5) and (6).

2.5 Oversampling in SIGNAL

We describe in this section, again with a small example, a characteristic feature of the SIGNAL language: the ability to specify oversampling, i.e. programs for which outputs may be more frequent than inputs.

We consider a communication protocol for which FDMA accesses (frequency division multiple access) are transformed into TDMA ones (time division multiple access). In addition, we suppose that the number of simultaneous users varies along time. Part of the specification consists in receiving packets containing some variable number \( u \) of information, and re-emitting these information as a sequence of \( u \) successive information. This mechanism of variable rate oversampling can be expressed as follows in SIGNAL (we concentrate here on the mechanism itself, forgetting the content of carried information):

```
process OVERSAMPLE =
  ( ? integer u;
    ! boolean b; )
  (| z := u default v (i)
    | v := (z $ 1 init 1) - 1 (ii)
    | b := v <= 0 (iii)
    | u ^= when b (iv)
  )
```

11
where
    integer z, v;
end;

A trace for this program is given below:

| u  | 3 2 5 ... |
| z  | 3 2 1 2 1 5 ... |
| v  | 0 2 1 0 1 0 ... |
| b  | T F F T F T ... |

Equation (iv) expresses that the clock of the input u is defined by the set of instants at which the Boolean b is true. Thus the input u is read when the Boolean b is true. From equation (iii), the Boolean b is true at the instants at which v is negative or null, and false at the other instants of v (from this equation, b and v are also defined at the same instants, as it is always the case for signals appearing in arithmetic or Boolean functions/relations). From equation (ii), v is defined as the delayed value of z, decremented by 1 (from (ii), v and z have also the same clock). Finally, equation (i) expresses that z is equal to u as a priority, or by default to v when u is absent.

The clock of the output b is more frequent than the clock of the input u.

3 Compiling SIGNAL programs

Among relevant questions when compiling SIGNAL programs, there are the following ones:

- Is the program deadlock free?
- Has it an effective execution?
- If so, what scheduling may be statically calculated (for a multiprocessor implementation)?

To be able to answer these questions, two basic tools are used before execution on a given architecture. The first one is the modeling of the synchronization relations in $F_3$ by polynomials with coefficients in the finite field $\mathbb{Z}/3\mathbb{Z}$ of integers modulo 3. The second one is the directed graph of data dependencies. These basic tools are used for all compiling services: program transformations, optimizations, abstraction, code generation, temporal profiling, etc.

3.1 The synchronization space

First, let us consider SIGNAL processes restricted to the single domain of Boolean values. The equation

$$x_3 := x_1 \text{ when } x_2$$

expresses the following assertions:
• if \( x_1 \) is defined, and \( x_2 \) is defined and \( true \), then \( x_3 \) is defined and \( x_3 = x_1 \),
• if \( x_1 \) is not defined, or \( x_2 \) is not defined, or \( x_2 \) is defined and \( false \), then \( x_3 \) is not defined.

It appears that useful information are (if \( x \) is a signal):
• \( x \) is defined and \( false \),
• \( x \) is defined and \( true \),
• \( x \) is not defined.

They can be respectively encoded in the finite field \( \mathbb{Z}/3\mathbb{Z} \) of integers modulo 3 as the following values: \(-1, 1 \) and \( 0 \). Then, if \( v \) is the encoding value associated with the signal \( x \), the presence of the signal \( x \) may be clearly represented by \( v^2 \). This representation of an indeterminate value of \( x \) (\( true \) or \( false \)) leads to an immediate generalization to non-Boolean values: their presence is encoded as 1 and their absence as 0. In this way, \( v^2 \) may be considered as the proper clock of the signal \( x \).

This principle is used to represent synchronization relations expressed through SIGNAL programs. In the following, each signal and its encoding value are denoted by the same variable. The coding of the elementary operators is deduced from their definition. This coding is introduced below:

• The equations
  \[ y^2 = x_1^2 = \ldots = x_n^2 \]
  denoting the equality of the respective clocks of signals \( y, \ x_1, \ldots, x_n \) are associated with \( y := f(x_1, \ldots, x_n) \) (all the synchronous processes are encoded in this way, however, “dynamical systems” in \( F_3 \) must be used to encode Boolean delays—this is not detailed here [8]).

• Boolean relations may be completely encoded in \( F_3 \). For instance, \( x_2 = -x_1 \) corresponds to \( x_2 := \text{not} \ x_1 \):
  if \( x_1 = true \), then \( x_1 = 1 \) and \( -(x_1) = -1 \), which is associated with \( false \).

• The equation
  \[ x_3 = x_1(-x_2 - x_2^2) \]
  is associated with \( x_3 := x_1 \ \text{when} \ x_2 \ (x_1, x_2, x_3 \ \text{Boolean signals}); \) it may be interpreted as follows: \( x_3 \) holds the same value as \( x_1 \) (\( x_3 = x_1 \)) when \( x_2 \) is \( true \) (when \( -x_2 - x_2^2 = 1 \)).

The equation
  \[ x_3^2 = x_1^2(-x_2 - x_2^2) \]
  is associated with \( x_3 := x_1 \ \text{when} \ x_2 \) when \( x_1, x_3 \) are non-Boolean signals.
• The equation

\[ x_3 = x_1 + (1 - x_1^2)x_2 \]

is associated with \( x_3 := x_1 \text{ default } x_2 \) (\( x_1, x_2, x_3 \) Boolean signals): it is interpreted as follows: \( x_3 \) has a value when \( x_1 \) is defined, i.e., when \( x_1^2 = 1 \) (then \( x_3 \) holds the same value as \( x_1 \): \( x_3 = x_1^2 x_1 = x_1 \)), or when \( x_2 \) is defined but not \( x_1 \), i.e., when \( (1 - x_1^2)x_2^2 = 1 \) (then \( x_3 \) holds the same value as \( x_2 \): \( x_3 = (1 - x_1^2)x_2^2 x_2 = (1 - x_1^2)x_2 \)).

The equation

\[ x_3^2 = x_1^2 + (1 - x_1^2)x_2^2 \]

is associated with \( x_3 := x_1 \text{ default } x_2 \) when \( x_1, x_2, x_3 \) are non-Boolean signals.

Then the composition of \textsc{signal} processes collects the clock expressions of every composing process.

### 3.2 The clock calculus

The algebraic coding of the synchronization relations has a double function. First, it is the way to detect synchronization constraints. Consider for example the following program (which is that of section 2.1):

\[
(| c := a > 0 | x := a \text{ when } c | y := x + a |)
\]

The meaning of this program is “add \( a \) to \((a \text{ when } a > 0)\)” ; remember that it must be “rejected” if \( a \) can take any value since the clocks are then inconsistent. More exactly, this program constrains the possible values of \( a \). Its algebraic encoding is

\[
\begin{align*}
c^2 &= a^2 \\
x^2 &= a^2(-c - c^2) \\
y^2 &= x^2 = a^2
\end{align*}
\]

which results in \( c^2 = a^2 = y^2 = x^2 = a^2(-c - c^2) \) and by substitution \( c^2 = c^2(-c - c^2) \) and then \( c = 1 \) or \( c = 0 \).

But \( c \) is the result of the evaluation of the non-Boolean signal \( a \). However the coding in \( \mathcal{F}_3 \) does not allow reasoning about non-Boolean values, therefore the actual value (\textit{true} or \textit{false}) of \( c \) cannot be predicted.

The other function of this coding is to organize the control of the program. An order relation may be defined on the set of clocks: a clock \( h^2 \) is said to be greater than a clock \( k^2 \), which is denoted by \( h^2 \geq k^2 \), if the set of instants of \( k \) is included in the set of instants of \( h \) (\( k \) is an undersampling of \( h \)). The set of clocks with this relation is a lattice. The purpose of the clock calculus is to synthesize the upper bound of the lattice, which is called the \textit{master clock}, and
to define each clock by some computation expression, i.e., an undersampling of the master clock according to values of Boolean signals. However, for a given SIGNAL process, the master clock may not be the clock of a signal of the process. In this case, several maxima (local master clocks) will be found.

For a program to be “correct”, the partial order induced by the inclusion of instants, restricted to the undersamplings by a free Boolean condition (input Boolean signal or Boolean expression on non-Boolean signals), must be a tree, the root of which is the more frequent clock. Then such a program, also referred to as endochronous\(^1\), can be run in an autonomous way (master mode). Otherwise, there are several local master clocks, and the process needs extra information from its environment to be run in a deterministic way. So, an endochronous program is deterministic \([31]\).

![Figure 1: Clock hierarchy of an endochronous program.](image)

Figure 1 illustrates the clock hierarchy of an endochronous program. It is described by a unique tree where the root node represents the master clock (\(Ck\)). We can notice that from this global tree, one can derive several “endochronous” sub-trees (for example \(T_i\)).

Clock expressions can be rewritten as Boolean expressions of a SIGNAL program. The operator “\(+\)” represents the sum of clocks (upper bound) and the operator “\(*\)” represents the product (lower bound). Then, any clock expression may be recursively reduced to a sum of monomials, where each monomial is a product of undersamplings (otherwise, the clock is a root).

\(^1\)A more formal characterization of endochrony can be found in [31].
3.3 An example

Consider again the process RCOUNT of section 2.3 (in the version written with intermediate signals). The clock calculus finds the following clocks:

\[
\begin{align*}
\text{reset}^2 \\
\text{vreset}^2 &= -\text{reset} - \text{reset}^2 \\
v^2 &= \text{zv} = \alpha^2 = (-\text{reset} - \text{reset}^2) + (\text{reset} - \text{reset}^2)v^2 \\
v_{\text{dec}}^2 &= \text{zv}_{\text{dec}}^2 = v^2(\text{reset} - \text{reset}^2) \\
\text{reach0}^2 &= -\alpha - v^2
\end{align*}
\]

where \(\alpha\) is the coding of \(zv = 1\).

The clock calculus does not synthesize a master clock for this process. In fact, it is not endochronous (and it is non-deterministic): when \(\text{reset}\) is \(false\), then \(\text{zv}_{\text{dec}}\) is defined if \(zv\) is defined, i.e., if \(v\) is defined; but \(v\) is defined (when \(\text{reset}\) is \(false\)) if \(\text{v}_{\text{dec}}\) is defined, i.e., if \(\text{zv}_{\text{dec}}\) is defined, and then, when \(\text{reset}\) is \(false\), an occurrence of \(v\) may occur, but does not necessarily occur.

The hierarchy of clocks is represented by the following SIGNAL process, which defines several trees (the roots of which are \(\text{clk}\_\text{reset}\), \(\text{clk}\_\text{v}_{\text{dec}}\) and \(\text{clk}\_v\)):

\[
\begin{align*}
| & (\ | & \text{clk}\_\text{reset} ^= \text{reset} \\
| & \ & \ | & \text{clk}\_\text{vreset} := \text{when} \ \text{reset} \\
| & \ & \ & \ | & \text{clk}\_\text{vreset} ^= \text{vreset} \\
| & \ & \ & \ & \ | & \text{clk}\_1\_2 := \text{when} \ (\text{not} \ \text{reset}) \\
| & \ & \ & \ & \ | & |) \\
| & \ & \ & \ & \ | & (\ | & \text{clk}\_\text{v}_{\text{dec}} := \text{clk}\_1\_2 ^* \text{ck}\_v \\
| & \ & \ & \ & \ & \ | & \text{clk}\_\text{v}_{\text{dec}} ^= \text{v}_{\text{dec}} ^= \text{zv}_{\text{dec}} \\
| & \ & \ & \ & \ & |) \\
| & \ & \ & \ & \ & (\ | & \text{ck}\_v := \text{ck}\_\text{vreset} ^* \text{ck}\_\text{v}_{\text{dec}} \\
| & \ & \ & \ & \ & \ | & \text{ck}\_v ^= \text{v} ^= \text{zv} \\
| & \ & \ & \ & \ & \ | & (\ | & \text{reach0} := \text{when} \ (\text{zv}=1) \\
| & \ & \ & \ & \ & | |) \\
| & \ & \ & \ & \ & |) \\
| & \ & \ & \ & \ |)
\end{align*}
\]

The hierarchy is represented by the composition embeddings; the \(\text{clk}_i\)'s represent the names of the clocks considered as signals (the suffixes \(i\) are given by the compiler), or they keep their own name if they are event-type signals (like \(\text{reach0}\)).

Now, we consider the following process, where RCOUNT is used in some context:

\[
\begin{align*}
\text{process USE\_RCOUNT} = \\
\{ \text{integer v0;} \} \\
(\ ? \ \text{boolean h};
\end{align*}
\]
! event reach0;
  integer v; )
(| h ^= v
 | reset := (~reach0 when (~h)) default (not (~h))
 | (reach0, v) := RCOUNT {v0} (reset)
 |)
where
  boolean reset;
end;

An external Boolean clock \( h \) defines the instants at which \( v \) has a value. The reset signal is also synchronous with \( h \) and it has the value \textit{true} exactly when reach0 is present. There is a master clock \((h^2 = v^2 = \text{reset}^2)\) and a tree may be built by the compiler. Therefore, the program becomes endochronous.

### 3.4 The graph of conditional dependencies

The second tool necessary to implement a Signal program on a given architecture is the graph of dependencies. Then, according to criteria to be developed, it will be possible to define subgraphs that may be distributed on different processors. However, a classical data-flow graph would not really represent the dependencies of a Signal program. Since the language handles signals the clocks of which may be different, the dependencies are not constant in time. For that reason, the graph has to express \textit{conditional} dependencies, where the conditions are nothing but the clocks at which dependencies are effective. Moreover, in addition to dependencies between signals, the following relation has to be considered: for any signal \( x \), the values of \( x \) cannot be known before its clock; in other words, \( x \) depends on \( x^2 \). This relation will be implicit below.

The \textit{Graph of Conditional Dependencies} (GCD) calculated by the Signal compiler for a given program is a labeled directed graph where:

- the vertices are the signals, plus clock variables,
- the edges represent dependence relations,
- the labels are polynomials on \( F_3 \) which represent the clocks at which the relations are valid.

The following describes the dependencies associated with elementary processes. The notation \( c^2 : x_1 \rightarrow x_2 \) means that \( x_2 \) depends on \( x_1 \) (or more exactly, \( x_1 \) cannot depend on \( x_2 \)) when \( c^2 = 1 \). It has to be noticed that the processes which involve only Boolean signals do not generate data dependencies.
Then, we consider only processes defining non-Boolean signals:

\[ y := f(x_1, \ldots, x_n) \]
\[ y^2 : x_1 \rightarrow y, \ldots, y^2 : x_n \rightarrow y \]
\[ y := x \text{ when } b \]
\[ y^2 : x \rightarrow y, \ y^2 : b \rightarrow y^2 \]
\[ z := x \text{ default } y \]
\[ x^2 : x \rightarrow z, \ y^2 - x^2 y^2 : y \rightarrow z \]

Notice that the delay does not produce data dependencies (nevertheless, remember that any signal is preceded by its clock).

The graph, together with the clock hierarchy, represents all the necessary control-flow and data-flow information. It is used to detect incorrect dependencies. Such a bad dependency will appear as a circuit in the graph. However, since dependencies are labeled by clocks, some circuits may not occur at any time. An effective circuit is such that the product of the labels of its arcs is not null. This may be compared with the cycle sum test of [40], to detect deadlock on the dependence graph of a data-flow program.

All the above properties checked by the SIGNAL compiler during the clock calculus are mainly static. Properties such as reachability or liveness, which are dynamic, cannot be addressed with the compiler. For that, the SIGALI tool, which implements a symbolic model checking technique, can be used [35]. Basically, a SIGNAL program denotes an automaton in which states are described by the so-called “state variables” that are defined by the delay operator. At each logical instant, the current state of a program is given by the current values of its state variables. The technique adopted in SIGALI consists in manipulating the system of equations resulting from the modeling of SIGNAL programs in \( \mathcal{F}_3 \) instead of the sets of its states. This avoids the enumeration of the state space, which can potentially explode. So, each set of states is uniquely characterized by a predicate and operations on sets can be equivalently performed on the associated predicates. A few experiments showed that the symbolic model-checking technique adopted by SIGALI enables to check properties on automata with several millions of states within a reasonable delay. More details on SIGALI can be found in [35].

### 3.5 Sequential code generation

Automatic sequential code generation for endochronous SIGNAL programs is based on the clock hierarchy obtained from the clock calculus and on the graph of conditional dependencies.

To illustrate code generation, we consider the following alternative specification of a one-place buffer in SIGNAL. It uses two sub-processes, one is the process alternate which desynchronizes the signals \( i \) and \( o \) by synchronizing them to the true and false values of an alternating Boolean signal \( b \). The other one is the process current. It defines a cell in which values are stored at the input clock \( ^i \) and loaded at the output clock \( ^o \).
process buffer = (? i; ! o;)
  (| alternate (i, o)
   | o := current (i)
   |)
where
  process alternate = (? i, o; ! )
    (| zb := b$1 init true
     | b := not zb
     | o ^= when (not b)
     | i ^= when b
     |)
where boolean b, zb;
end;

process current = (? i; ! o;)
  (| zo := i cell ^o init false
   | o := zo when ^o
   |)
where zo;
end;
end;

The clock calculus determines three synchronization classes. We observe that
clk\_b, b, zb, zo are synchronous and define the master clock synchronization
class of buffer; clk\_i and clk\_o are sub-clocks of clk\_b, that correspond to
the true and false values of the Boolean flip-flop variable b, respectively. We
represent also the dependencies (scheduling relations) calculated by the compiler
(this may be written in the Signal syntax):

(| clk\_b ^= b ^= zb ^= zo
  | (| clk\_i := when b
     | clk\_i ^= i
     | clk\_o := when (not b)
     | clk\_o ^= o
     | (| {zo -> o} when clk\_o |)
     |)
  | (| zb -> b
     | {i -> zo} when clk\_i
     |)
  |)

The compiler uses the hierarchization algorithm to find a sequential execution
path starting from a system of clock relations. At the main clock clk\_b, b and clk\_o are calculated from zb. At the sub-clock clk\_i, the input signal
i is read. At the sub-clock clk\_o the output signal o is written. Finally, zb
is calculated. Notice that the sequence of instructions follows the scheduling
relations determined during clock inference.
buffer_iterate () {
    b = !zb;
    c_o = !b;
    if (b) {
        if (!r_buffer_i(&i)) return FALSE;
    };
    if (c_o) {
        o = i;
        w_buffer_o(o);
    };
    zb = b;
    return TRUE;
}

Such a piece of code is executed within an infinite loop, representing the infinite sequence of reactions of the specified system. Each iteration step corresponds to an instant of the master clock of the system.

### 3.6 Partitioning programs

The notions presented below are used for partitioning SIGNAL programs into clusters, so as to get abstractions for separate compilation, and from which it is possible to generate code, either with static scheduling of the clusters, or multi-threaded code with dynamic scheduling. It is also the base for generating distributed code. Further technical details on this topic can be found in [19, 5]. In the following, an application is represented by a SIGNAL program $P = P_1 | P_2 | ... | P_n$, where each sub-program $P_i$ can be itself recursively composed of other sub-programs (i.e., $P_i = P_{i1} | P_{i2} | ... | P_{im}$). The following hypothesis are assumed:

1. considered programs $P$ are endochronous (see Section 3.2), hence deterministic;
2. they do not contain any definition leading to cycles;
3. there is a set of processors $q = \{q_1, q_2, ..., q_m\}$; and
4. a function $\text{locate} : \{P_i\} \rightarrow P(q)$, which associates with each subpart of an application $P = P_1 | P_2 | ... | P_n$ a non-empty set of processors (the allocation can be done either manually or automatically).

**First transformation.** Let us consider a SIGNAL program $P = P_1 | P_2$, as illustrated in Fig. 2. Each sub-program $P_i$ (represented by a circle) is itself composed of four sub-programs $P_{i1}$, $P_{i2}$, $P_{i3}$ and $P_{i4}$. The program $P$ is distributed on two processors $q_1$ and $q_2$ as follows:

$$
\forall i \in \{1, 2\} \quad \forall k \in \{1, 2\}, \quad \text{locate}(P_{ik}) = \{q_1\}, \quad \text{and} \\
\forall i \in \{1, 2\} \quad \forall k \in \{3, 4\}, \quad \text{locate}(P_{ik}) = \{q_2\}
$$
Hence, $P$ can be rewritten into $P = Q_1 \parallel Q_2$, where $Q_1 = P_{11} \parallel P_{12} \parallel P_{21} \parallel P_{22}$ and $Q_2 = P_{13} \parallel P_{14} \parallel P_{23} \parallel P_{24}$:

$$
P = P_1 \parallel P_2
= (P_{11} \parallel P_{12} \parallel P_{13} \parallel P_{14}) \parallel (P_{21} \parallel P_{22} \parallel P_{23} \parallel P_{24})
= (P_{11} \parallel P_{12}) \parallel (P_{13} \parallel P_{14}) \parallel (P_{21} \parallel P_{22}) \parallel (P_{23} \parallel P_{24})
= (P_{11} \parallel P_{12}) \parallel (P_{21} \parallel P_{22}) \parallel (P_{13} \parallel P_{14}) \parallel (P_{23} \parallel P_{24}) \quad (	ext{commutativity of } \parallel)
= (P_{11} \parallel P_{12} \parallel P_{21} \parallel P_{22}) \parallel (P_{13} \parallel P_{14} \parallel P_{23} \parallel P_{24})
= Q_1 \parallel Q_2
$$

The sub-programs $Q_1$ and $Q_2$ resulting from the partitioning of $P$ are called $s$-tasks [19]. This transformation yields a new form of the program $P$ that reflects a multi-processor architecture. It also preserves the semantics of the transformed program (since it simply consists of program rewriting).

![Figure 2: Decomposition of a Signal process into two s-tasks $Q_1$ and $Q_2$.](image)

The above transformation remains valid even if $\text{locate}(P_{ik})$ is not a singleton. In that case, $P_{ik}$ is split into new sub-programs which are considered at the same level as $P_{jl}$’s where $\text{locate}(P_{jl})$ is a singleton. For instance, let us consider the program $P$, it can be rewritten as:

$$
P = P_{11,13} \parallel P_{12} \parallel P_{14} \parallel P_{21} \parallel P_{22} \parallel P_{23} \parallel P_{24}
$$

where $\text{locate}(P_{11,13}) = \{q_1, q_2\}$. Then it follows that

$$
P = P_{11} \parallel P_{13} \parallel P_{12} \parallel P_{14} \parallel P_{21} \parallel P_{22} \parallel P_{23} \parallel P_{24} \quad (P_{11,13} \text{ is split})
= P_{11} \parallel P_{12} \parallel P_{13} \parallel P_{14} \parallel P_{21} \parallel P_{22} \parallel P_{23} \parallel P_{24} \quad (\text{commutativity of } \parallel)
= P_1 \parallel P_2
$$

**Second transformation.** We want to refine the level of granularity resulting from the above transformation. For that, let us consider descriptions at processor level (in other words, $s$-tasks). We are now interested in how to decompose $s$-tasks into fine grain entities. An $s$-task can be seen as a set of nodes (e.g. $P_{11}$, $P_{12}$, $P_{21}$ and $P_{22}$ in $Q_1$). In order to have an optimized
execution at the s-task level, nodes are gathered in such a way that they can be executed atomically. By atomic execution, we mean that nodes execution completes without interruption. So, we distinguish two possible ways to define such subsets of nodes, also referred to as clusters: either they are composed of a single SIGNAL primitive construct, or they contain more than one primitive construct. The former yields a finer granularity than the latter. However, from the execution point of view, the latter is more efficient since more actions can be achieved at a same time (i.e. atomically).

The definition of atomic nodes uses the following criterion: all the expressions present in such a node depend on the same set of inputs. This relies on a sensitivity analysis of programs. We say that a causality path exists between a node $N_1$ (resp. an input $i$) and a node $N_2$ if there is at least one situation where the execution of $N_2$ depends on the execution of $N_1$ (resp. on the occurrence of $i$). In that case, all the possible intermediate nodes are also executed.

**Definition 3.1** Two nodes $N_1$ and $N_2$ are sensitively equivalent iff for each input $i$: there is a causality path from $i$ to $N_1$ ⇔ there is a causality path from $i$ to $N_2$.

![Figure 3: Decomposition of an s-task into two clusters $L_1$ and $L_2$.](image)

Sensitively equivalent nodes belong to the same cluster. Inputs always precede outputs within a cluster. Also, if a transformed program is endochronous, the resulting clusters are also endochronous. As a matter of fact, the clock hierarchy associated with each cluster is an endochronous sub-tree of the global clock tree characterizing the program. Hence, this ensures a deterministic execution of each cluster. **Figure 3** shows a decomposition of the s-task $Q_1$ into two clusters $L_1$ and $L_2$. The input of the sub-program $P_{11}$ (bold-faced arrow) is originally an input of $P$. The other arrows represent communications between s-tasks (these message exchanges are local to $P$). We can notice that after this second transformation, the semantic equivalence of the initial program and the resulting one is strictly preserved.

The two transformations presented above describe a partitioning of SIGNAL programs following a multi-task multi-processor architecture.
3.7 Temporal analysis of Signal programs

A technique has been defined in order to address timing issues of Signal programs on different implementation platforms [24]. Basically, it consists of formal transformations of a program into another Signal program that corresponds to a so-called temporal interpretation of the initial one. The new program serves as an observer of the initial program. An observer of a program \( P \) is an abstraction \( O(P) \) of \( P \) in which we only specify the properties we want to check. The term “abstraction” means here that \( O(P) \) does not constrain the original behavior of \( P \) when the two programs are composed. As shown in Figure 4, the observer receives from the observed program the signals required for analysis and indicates whether or not the considered properties have been satisfied (this can be expressed, e.g., through Boolean output signals like in Lustre programs [21]). The use of observers for verification is very practical because they can be easily described in the same formalism as the observed program. Thus, there is no need to combine different formalisms as in other analysis techniques such as some model-checking techniques, which associate temporal logics with automata [14].

![Figure 4: Composition of a program P together with its observer O(P).](image)

The Polychrony environment associated with the Signal language provides functionalities including those mentioned in the above sections.

4 Conclusions

The Polychrony workbench is an integrated development environment and technology demonstrator consisting of a compiler (set of services for, e.g., program transformations, optimizations, formal verification, abstraction, separate compilation, mapping, code generation, simulation, temporal profiling, etc.), a visual editor and a model checker. It provides a unified model-driven environment to perform embedded system design exploration by using top-down and bottom-up design methodologies formally supported by design model transformations from specification to implementation and from synchrony to asynchrony.

Polychrony supports the synchronous, multi-clocked, data-flow specification language Signal. It is being extended by plugins to capture SystemC modules or real-time Java classes within the workbench. It allows to
perform validation and verification tasks, e.g., with the integrated Sigali model checker, or with the Coq theorem prover. It is freely distributed from http://www.irisa.fr/espresso/Polychrony. Based on the SIGNAL language, it provides a formal framework:

1. to validate a design at different levels,
2. to refine descriptions in a top-down approach,
3. to abstract properties needed for black-box composition,
4. to assemble predefined components (bottom-up with COTS).

Many documents, reference publications and examples are also available on the Polychrony site.

Polychrony offers services for modeling application programs and architectures starting from high-level and heterogeneous input notations and formalisms. These models are imported in Polychrony using the data-flow notation Signal. Polychrony operates these models by performing global transformations and optimizations on them (hierarchization of control, desynchronization protocol synthesis, separate compilation, clustering, abstraction) in order to deploy them on mission specific target architectures. C, C++, multi-threaded and real-time Java and SynDex [20] code generators are provided.

In order to bring the synchronous multi-clock technology in the context of model-driven environments, a metamodel of Signal has been defined and an Eclipse plugin for Polychrony is being integrated in the open-source platforms TopCased from Airbus (http://www.topcased.org/) and OpenEmbeDD (http://www.openembeddd.org/).

The Geensys company supplies a commercial implementation of Polychrony, called RT-Builder, used for industrial scale projects by Snecma/Hispano-Suiza and Airbus Industries (see http://www.geensys.com/).

References


