## Verified Compilation of Synchronous Dataflow with State Machines

Timothy Bourke Basile Pesin Marc Pouzet

Inria Paris

École normale supérieure, CNRS, PSL University

ESWEEK 2023 - EMSOFT Monday, September 18 11:22am - 11:47am CET

## Block-Diagram Languages for Embedded Systems



- Widely used in safety-critical applications:
   Aerospace, Defense, Rail Transportation, Heavy Equipment, Energy, Nuclear...
- Scade 6: Qualified compiler for Lustre + Control Structures
- Our work: Verified compilation in an Interactive Theorem Prover (Coq)















































## Hierarchical State Machines – Example



## Hierarchical State Machines – Example



## Hierarchical State Machines – Example

```
node feed_pause(pause : bool) returns (ena, step : bool)
var time : int:
                                                    pause F F F ... F F ... F ... F ...
let
                                                    time 0 0 50 ... 750 0 ... 150 ... 350 ... 500 ...
 reset
                                                    step T F F ... T F ... F ... F ... T ...
   time = count_up(50)
                                                     ena | T T T ... T T ... T ... T ...
 every (false fby step);
                                                                 Feeding Holding Feeding
 automaton initially Feeding
                                                                   state Holding do
  state Feeding do
                                                                     step = false:
    ena = true:
    automaton initially Starting
                                                                     automaton initially Waiting
       state Starting do
                                                                      state Waiting do
         step = true -> false
                                                                       ena = true
       unless false -> time >= 750 then Moving
                                                                      unless time >= 500 then Modulating
       state Moving do
                                                                      state Modulating do
         step = true -> false
                                                                       ena = pwm(true)
       unless time >= 500 then Moving
                                                                     end:
    end:
                                                                   unless
  unless pause then Holding
                                                                      not pause and time >= 750 then Feeding
                                                                      not pause continue Feeding
 end
tel
```









```
node feed_pause(pause : bool) returns (ena, step : bool)
var time : int:
let
 reset
   time = count_up(50)
 every (false fby step);
 automaton initially Feeding
                                                                         state Holding do
   state Feeding do
                                                                           step = false:
    ena = true:
    automaton initially Starting
                                                                           automaton initially Waiting
        state Starting do
                                                                            state Waiting do
          step = true -> false
                                                                             ena = true
        unless false -> time >= 750 then Moving
                                                                            unless time >= 500 then Modulating
        state Moving do
                                                                            state Modulating do
          step = true -> false
                                                                             ena = pwm(true)
        unless time >= 500 then Moving
                                                                           end:
    end:
                                                                         unless
  unless pause then Holding
                                                                            not pause and time >= 750 then Feeding
                                                                            not pause continue Feeding
 end
tel
```

```
automaton initially Starting
   state Starting do
     step = true -> false
   unless false -> time >= 750 then Moving
   state Moving do
     step = true -> false
   unless time >= 500 then Moving
end:
```

```
state Starting do
   step = true -> false
unless false -> time >= 750 then Moving

state Moving do
   step = true -> false
unless time >= 500 then Moving
```

end

```
automaton initially Starting
                                               state Starting do
                                                                       step = true -> false
                                               unless false -> time >= 750 then Moving
                                               state Moving do
                                                                         step = true -> false
                                               unless time >= 500 then Moving
end
                     Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
                   Extension of Synchronous Data-flow with State Machines
                                                                                                                                                                           Chloth (s) |C_{i\rightarrow j}| (D_i, N_i) \cup (C_{i\rightarrow j}|D_i, N_k)) = 
C^{k}desquite: S_{i\rightarrow k} + (D_{i\rightarrow j}, N_k) \cup (D_{i\rightarrow j}
                                                                                                                                                                                                                                                                                                                                                            \stackrel{-}{S_{1}} \rightarrow y where s = cs'_{1} where s = cs'_{1} and D'_{1} where y = cs'_{2}
                                                                                                                                                                                                                                                                                                                                                       and match s with S_{s-1} and S_{s-1} and S_{s-1} and S_{s-1} are S_{s-1}.
                                                                                                                                                                                                                                                                                                                                                  S_n \rightarrow y exact n^q = sw_n and n^p = sw_n and D_n exactly s
                                                                                                                                                                                                                                                                                                                                                S_n \rightarrow y \text{ easy } \text{ of } m \text{ one, }

y \text{ od } \in L_0 \cap \mathbb{R} \text{ prop } m \text{ od }

\text{ and } \in L_0 \cap \mathbb{R} \text{ prop } m \text{ False } \text{ Fly } \text{ or }

\text{ where } \forall i_{i-1}, m, m, r, m^* \notin FY(m, i) \cup FY(m)

\text{ where } \forall i_{i-1}, m, r, r, m^* \notin FY(m, i) \cup FY(m)
                                                                                                                                                                                                                                                                                                                                                Vacuum to The translation of segumnate
                                                                                                                                                                                                                                                                                                                                                  once with the Sync-Centry or SysteCaldite, simplifies program understanding and analysis.
                                                                                                                                                                                                                                                                                                                                           simplifies program industrianijes and analysis.

3.2. The TDE System
We should free attend the typing spin for the new pro-
yellowing constraints. The cytons since devolat almost the
yellowing constraints. The cytons since the same typin as
production amounted and in Views plan the major typin of
the Cytonic of the transfer constraints are said; glained in generalist
(left might) with a state of constraints are said; glained in the
third might with a state of constraints are said; glained in the
production of the cytonic constraints are said; glained in the
```

```
automaton initially Starting
      state Starting do
          step = true -> false
      unless false -> time >= 750 then Moving
      state Moving do
          step = true -> false
      unless time >= 500 then Moving
end
   Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
   Extension of Synchronous Data-flow with State Machines
                         \begin{array}{l} \operatorname{CSFunh}\left(s\right)\left(C_1 \to \{D_1,N_1\}\right)...\left(C_n \to \{D_n,N_n\}\right) = \\ B_1^{\prime\prime} \text{ and } \ldots \text{ and } B_n^{\prime\prime} \text{ and } \\ \in \operatorname{Se}\left(n,n\right) = s \text{ and} \end{array}
```

```
(pst, pres) = (Starting, false) fby (st, res);
switch pst
| Starting do
 reset
   (st. res) =
     if false \rightarrow time >= 750
     then (Moving, true)
     else (Starting, false)
 every pres
| Moving do ...
end:
switch st
| Starting do
 reset
   step = true -> false
 every res
| Moving do ...
end
```

```
automaton initially Starting
      state Starting do
          step = true -> false
      unless false -> time >= 750 then Moving
      state Moving do
          step = true -> false
      unless time >= 500 then Moving
end
   Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
   Extension of Synchronous Data-flow with State Machines
                         \begin{array}{l} \operatorname{CSFunh}\left(s\right)\left(C_1 \to \{D_1,N_1\}\right)...\left(C_n \to \{D_n,N_n\}\right) = \\ B_1^{\prime\prime} \text{ and } \ldots \text{ and } B_n^{\prime\prime} \text{ and } \\ \leq 1s < n \text{ or } n = \epsilon \text{ and} \end{array}
```

```
(pst, pres) = (Starting, false) fby (st. res):
switch pst
| Starting do
 reset
    (st. res) =
     if false \rightarrow time >= 750
     then (Moving, true)
     else (Starting, false)
 every pres
| Moving do ...
end:
switch st
| Starting do
 reset
   step = true -> false
 every res
| Moving do ...
end
```

```
automaton initially Starting
                                                                           (pst, pres) = (Starting, false) fby (st, res);
     state Starting do
                                                                           switch pst
        step = true -> false
                                                                           | Starting do
     unless false -> time >= 750 then Moving
                                                                              reset
                                                                                 (st. res) =
     state Moving do
                                                                                   if false -> time >= 750
        step = true -> false
                                                                                   then (Moving, true)
     unless time >= 500 then Moving
                                                                                    else (Starting, false)
                                                                              every pres
end
                                                                           | Moving do ...
  Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
                                                                           end:
  Extension of Synchronous Data-flow with State Machines
                                                                           switch st
                                                                           | Starting do
                  \begin{array}{l} \operatorname{CSFunh}\left(s\right)\left(C_1 \to \{D_1,N_1\}\right)...\left(C_n \to \{D_n,N_n\}\right) = \\ B_1^{\prime\prime} \text{ and } \ldots \text{ and } B_n^{\prime\prime} \text{ and } \\ \in \operatorname{Se}\left(n,n\right) = s \text{ and} \end{array}
                                                                              reset
                                                                                 step = true -> false
                                                                             every res
                                                                           | Moving do ...
                                                                           end
```

```
automaton initially Starting
      state Starting do
          step = true -> false
      unless false -> time >= 750 then Moving
      state Moving do
          step = true -> false
      unless time >= 500 then Moving
end
   Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
                                                                                                    end:
   Extension of Synchronous Data-flow with State Machines
                         \begin{array}{l} \operatorname{CSFunh}\left(s\right)\left(C_1 \to \{D_1,N_1\}\right)...\left(C_n \to \{D_n,N_n\}\right) = \\ B_1^{\prime\prime} \text{ and } \ldots \text{ and } B_n^{\prime\prime} \text{ and } \\ \in \operatorname{Se}\left(n,n\right) = s \text{ and} \end{array}
                                                                                                    end
```

```
(pst, pres) = (Starting, false) fby (st, res);
switch pst
| Starting do
 reset
    (st res) =
     if false \rightarrow time >= 750
     then (Moving, true)
     else (Starting, false)
 every pres
| Moving do ...
switch st
| Starting do
 reset
   step = true -> false
 every res
| Moving do ...
```

```
automaton initially Starting
      state Starting do
          step = true -> false
      unless false -> time >= 750 then Moving
      state Moving do
          step = true -> false
      unless time >= 500 then Moving
end
   Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
   Extension of Synchronous Data-flow with State Machines
                         \begin{array}{l} \operatorname{CSFunh}\left(s\right)\left(C_1 \to \{D_1,N_1\}\right)...\left(C_n \to \{D_n,N_n\}\right) = \\ B_1^{\prime\prime} \text{ and } \ldots \text{ and } B_n^{\prime\prime} \text{ and } \\ \in \operatorname{Se}\left(n,n\right) = s \text{ and} \end{array}
```

```
(pst, pres) = (Starting, false) fby (st, res);
switch pst
| Starting do
 reset
    (st. res) =
     if false \rightarrow time >= 750
     then (Moving, true)
     else (Starting, false)
 every pres
| Moving do ...
end:
switch st
| Starting do
 reset
   step = true -> false
 every res
| Moving do ...
end
```

```
automaton initially Starting
      state Starting do
          step = true -> false
      unless false -> time >= 750 then Moving
      state Moving do
          step = true -> false
      unless time >= 500 then Moving
end
   Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
   Extension of Synchronous Data-flow with State Machines
                         \begin{array}{l} \operatorname{CSFunh}\left(s\right)\left(C_1 \to \{D_1,N_1\}\right)...\left(C_n \to \{D_n,N_n\}\right) = \\ B_1^{\prime\prime} \text{ and } \ldots \text{ and } B_n^{\prime\prime} \text{ and } \\ \leq 1s < n \text{ or } n = \epsilon \text{ and} \end{array}
```

```
(pst, pres) = (Starting, false) fby (st. res):
switch pst
| Starting do
 reset
    (st. res) =
     if false \rightarrow time >= 750
     then (Moving, true)
     else (Starting, false)
 every pres
| Moving do ...
end:
switch st
| Starting do
 reset
   step = true -> false
 every res
| Moving do ...
end
```

```
switch st
| Starting do
  reset
    step = true -> false
  every res
| Holding do ...
end
```

```
resS = res when (st=Starting);
resM = res when (st=Moving);
step = merge st (Starting => stepS) (Moving => stepM);
reset
  stepS = true when (st=Starting) -> false when (st=Starting)
every resS;
```

Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative Extension of Synchronous Data-flow with State Machines

Continued to the continue of t

sampling explicited by when

```
switch st
                                                       resS = res when (st=Starting);
   Starting do
                                                       resM = res when (st=Moving);
                                                       step = merge st (Starting => stepS) (Moving => stepM);
    reset
        step = true -> false
                                                       reset
                                                          stepS = true when (st=Starting) -> false when (st=Starting)
    every res
    Holding do ...
                                                       every resS;
 end
Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative
Extension of Synchronous Data-flow with State Machines

    sampling explicited by when

    choice explicited by merge

                                     C^{\text{Automator.}} \begin{array}{c} S_1 \rightarrow (D_1, ex_1, er_1) \left(D_1', ex_1', er_1\right) \cdots \\ S_1 \rightarrow (D_n, ex_n, er_1) \left(D_n', ex_n', e^p_n\right) \end{array}
                                        at the principles S_1 \rightarrow g was t_1 = e e'_1 and r = e v'_1 and U'_1 wise g principles.
                                        Figure 6: The translation of augumngs
```

Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative Extension of Synchronous Data-flow with State Machines



- sampling explicited by when
- choice explicited by merge
- constants are also sampled

Colaço, Pagano, and Pouzet (EMSOFT 2005): A Conservative Extension of Synchronous Data-flow with State Machines



- sampling explicited by when
- choice explicited by merge
- constants are also sampled
- only reset blocks remain









$$\frac{G(f) = \text{node } f(x_1, \dots, x_n) \text{ returns } (y_1, \dots, y_m) \text{ } blk}{\forall i, H(x_i) \equiv xss_i \qquad \forall j, H(y_j) \equiv yss_j \qquad G, H \vdash blk}{G \vdash f(xss) \Downarrow yss} \text{ sem\_node}$$

$$\frac{G(f) = \text{node } f(x_1, \dots, x_n) \text{ returns } (y_1, \dots, y_m) \text{ } blk}{\forall i, H(x_i) \equiv xss_i \qquad \forall j, H(y_j) \equiv yss_j \qquad G, H \vdash blk}{G \vdash f(xss) \Downarrow yss} \text{ sem\_node}$$

| pause |   |   |   |       |   |       |       |       |  |
|-------|---|---|---|-------|---|-------|-------|-------|--|
| time  |   |   |   |       |   |       |       |       |  |
| step  | Т | F | F | <br>Т | F | <br>F | <br>F | <br>Т |  |

$$\frac{G(f) = \text{node } f(x_1, \dots, x_n) \text{ returns } (y_1, \dots, y_m) \text{ } blk}{\forall i, H(x_i) \equiv xss_i \qquad \forall j, H(y_j) \equiv yss_j \qquad G, H \vdash blk}{G \vdash f(xss) \Downarrow yss} \text{ sem\_node}$$

$$\frac{\forall i, H(xs_i) \equiv vss_i \qquad G, H \vdash es \Downarrow vss}{G, H \vdash xs = es} \text{ sem\_equation}$$

$$\frac{G(f) = \text{node } f(x_1, \dots, x_n) \text{ returns } (y_1, \dots, y_m) \text{ } blk}{\forall i, H(x_i) \equiv xss_i \qquad \forall j, H(y_j) \equiv yss_j \qquad G, H \vdash blk}{G \vdash f(xss) \Downarrow yss} \text{ sem\_node}$$

$$\frac{\forall i, H(xs_i) \equiv vss_i \qquad G, H \vdash es \Downarrow vss}{G, H \vdash xs = es} \text{ sem\_equation}$$

$$\frac{G, H \vdash e \Downarrow [vs]}{\forall i, G, (\text{when}^{C_i} vs H) \vdash blks_i}$$

$$\frac{\forall i, G, (\text{when}^{C_i} vs H) \vdash blks_i}{G, H \vdash \text{switch } e [C_i \text{ do } blks_i]^i \text{ end}} \text{ sem\_switch}$$

$$\frac{G(f) = \text{node } f(x_1, \dots, x_n) \text{ returns } (y_1, \dots, y_m) \text{ } blk}{\forall i, H(x_i) \equiv xss_i \qquad \forall j, H(y_j) \equiv yss_j \qquad G, H \vdash blk}{G \vdash f(xss) \Downarrow yss} \text{ sem\_node}$$

$$\frac{\forall i, H(xs_i) \equiv vss_i \qquad G, H \vdash es \Downarrow vss}{G, H \vdash xs = es} \text{ sem\_equation}$$

$$\frac{G, H \vdash e \Downarrow [vs]}{\forall i, G, (\mathsf{when}^{C_i} \ vs \ H) \vdash blks_i} \frac{\forall i, G, (\mathsf{when}^{C_i} \ vs \ H) \vdash blks_i}{G, H \vdash \mathsf{switch} \ e \ [C_i \ \mathsf{do} \ blks_i]^i \ \mathsf{end}} \ \mathsf{sem\_switch}$$

- when for switch blocks
- mask for reset blocks
- select for state machines

# Compilation correctness – state machines



Lemma (State machines correctness)

if  $G, H \vdash blk$  then  $G, H \vdash |blk|$ 

## Compilation correctness – state machines



Lemma (State machines correctness)

if  $G, H \vdash blk$  then  $G, H \vdash |blk|$ 

#### Works well:

- local transformation and reasoning
- correspondence between select, mask and when

## Compilation correctness – state machines



Lemma (State machines correctness)

if 
$$G, H \vdash blk$$
 then  $G, H \vdash |blk|$ 

#### Works well:

- local transformation and reasoning
- correspondence between select, mask and when

#### Works less well:

- static invariants (typing, clock-typing, . . . )
- fresh identifiers

## Compilation correctness – switch blocks



Lemma (Switch correctness)

if  $G, H_1 \vdash blk$  and  $H_1 \sqsubseteq_{\sigma} H_2$  then  $G, H_2 \vdash \lfloor blk \rfloor_{\sigma, ck}$ 

## Compilation correctness – switch blocks



### Lemma (Switch correctness)

if  $G, H_1 \vdash blk$  and  $H_1 \sqsubseteq_{\sigma} H_2$  then  $G, H_2 \vdash \lfloor blk \rfloor_{\sigma, ck}$ 

#### Works less well:

- reasoning is not local: renaming propagates to sub-blocks
- static invariants, in particular clock-typing

## Compilation correctness – switch blocks



### Lemma (Switch correctness)

if 
$$G, H_1 \vdash blk$$
 and  $H_1 \sqsubseteq_{\sigma} H_2$  then  $G, H_2 \vdash \lfloor blk \rfloor_{\sigma, ck}$ 

#### Works well:

- correspondence between switch and when/merge: implicit to explicit sampling
- less cases to handle

#### Works less well:

- reasoning is not local: renaming propagates to sub-blocks
- static invariants, in particular clock-typing

# The Vélus Compiler



```
resS = res when (st=Starting);
reset
  stepS = (true when (st=Starting)) fby (false when (st=Starting))
every resS;
ena = true;
step = merge st (Starting => stepS) (Moving => stepM);
                                       Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                       2008): Clock-directed modular code generation
                                       for synchronous data-flow languages
```

NLustre

Stc

Obc

Clight

```
resS = res when (st=Starting):
             reset
               stepS = (true when (st=Starting)) fby (false when (st=Starting))
             every resS;
             ena = true:
              step = merge st (Starting => stepS) (Moving => stepM);
                                                                                              NLustre
switch(st) { case Starting: resS = res; }
                                                   Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                                   2008): Clock-directed modular code generation
switch(st) {
                                                   for synchronous data-flow languages
  case Starting:
                                                                                               Stc
                                               • Each controlled expression/reset produces
    if(resS) st.stepS = true;
                                                  a switch instruction
ena = true:
                                                                                               Obc
switch(st) {
  case Starting:
    step = st.stepS;
                                                                                              Clight
    break;
  case Moving: ...
switch(st) { case Starting: st.stepS = false; }
```

```
resS = res when (st=Starting);
             reset
               stepS = (true when (st=Starting)) fby (false when (st=Starting))
             every resS;
             ena = true:
             step = merge st (Starting => stepS) (Moving => stepM);
                                                                                             NLustre
switch(st) { case Starting: resS = res; }
                                                   Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                                   2008): Clock-directed modular code generation
switch(st) {
                                                   for synchronous data-flow languages
  case Starting:
                                                                                               Stc
                                               • Each controlled expression/reset produces
    if(resS) st.stepS = true;
                                                  a switch instruction
ena = true:
                                                                                               Ohc
switch(st) {
  case Starting:
    step = st.stepS;
                                                                                              Clight
    break;
  case Moving: ...
switch(st) { case Starting: st.stepS = false; }
```

```
resS = res when (st=Starting);
             reset
               stepS = (true when (st=Starting)) fby (false when (st=Starting))
             every resS;
             ena = true;
             step = merge st (Starting => stepS) (Moving => stepM);
                                                                                              NLustre
switch(st) { case Starting: resS = res; }
                                                   Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                                   2008): Clock-directed modular code generation
switch(st) {
                                                   for synchronous data-flow languages
  case Starting:
                                                                                               Stc
                                               • Each controlled expression/reset produces
    if(resS) st.stepS = true;
                                                  a switch instruction
ena = true;
                                                                                               Obc
switch(st) {
  case Starting:
    step = st.stepS;
                                                                                              Clight
    break;
  case Moving: ...
switch(st) { case Starting: st.stepS = false; }
```

```
resS = res when (st=Starting);
             reset
               stepS = (true when (st=Starting)) fby (false when (st=Starting))
             every resS;
             ena = true:
             step = merge st (Starting => stepS) (Moving => stepM);
                                                                                             NLustre
switch(st) { case Starting: resS = res; }
                                                   Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                                   2008): Clock-directed modular code generation
switch(st) {
                                                   for synchronous data-flow languages
  case Starting:
                                                                                               Stc
                                               • Each controlled expression/reset produces
    if(resS) st.stepS = true;
                                                  a switch instruction
ena = true:
                                                                                               Obc
switch(st) {
  case Starting:
    step = st.stepS;
                                                                                              Clight
    break;
  case Moving: ...
switch(st) { case Starting: st.stepS = false; }
```

```
resS = res when (st=Starting);
             reset
               stepS = (true when (st=Starting)) fby (false when (st=Starting))
             every resS;
             ena = true:
             step = merge st (Starting => stepS) (Moving => stepM);
                                                                                              NLustre
switch(st) {
                                                   Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                                   2008): Clock-directed modular code generation
  case Starting:
                                                   for synchronous data-flow languages
   resS = res:
                                                                                                Stc
                                                • Each controlled expression/reset produces
    if(resS) st.stepS = true;
                                                  a switch instruction
ena = true:
                                                                                                Obc
switch(st) {
  case Starting:
    step = st.stepS;
                                                                                               Clight
    st.stepS = false;
    break:
  case Moving: ...
```

```
resS = res when (st=Starting);
             reset
               stepS = (true when (st=Starting)) fby (false when (st=Starting))
             every resS:
             ena = true:
             step = merge st (Starting => stepS) (Moving => stepM);
                                                                                               NLustre
switch(st) {
                                                   Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                                   2008): Clock-directed modular code generation
  case Starting:
                                                   for synchronous data-flow languages
   resS = res:
                                                                                                Stc
                                                • Each controlled expression/reset produces
    if(resS) st.stepS = true;
                                                  a switch instruction
ena = true:
                                                                                                Ohc
switch(st) {
  case Starting:
    step = st.stepS;
                                                                                               Clight
    st.stepS = false;
    break;
  case Moving: ...
```

```
resS = res when (st=Starting);
             reset
                stepS = (true when (st=Starting)) fby (false when (st=Starting))
              every resS:
              ena = true:
              step = merge st (Starting => stepS) (Moving => stepM);
                                                                                                NLustre
ena = true:
                                                    Biernacki, Colaco, Hamon, and Pouzet (LCTES
                                                   2008): Clock-directed modular code generation
switch(st) {
                                                    for synchronous data-flow languages
  case Starting:
                                                                                                  Stc
                                                • Each controlled expression/reset produces
    resS = res:
                                                   a switch instruction
    if(resS) st.stepS = true;
    step = st.stepS;

    Quality of fusion depends on the

                                                                                                 Obc
                                                   scheduling
    st.stepS = false:
    break:
  case Moving: ...
                                                                                                 Clight
```

```
resS = res when (st=Starting);
              reset
                stepS = (true when (st=Starting)) fby (false when (st=Starting))
              every resS:
              ena = true:
              step = merge st (Starting => stepS) (Moving => stepM);
                                                                                                 NLustre
ena = true:
                                                     Biernacki, Colaco, Hamon, and Pouzet (LCTES

    2008): Clock-directed modular code generation.

switch(st) {
                                                     for synchronous data-flow languages
  case Starting:
                                                                                                   Stc
                                                 • Each controlled expression/reset produces
    resS = res:
                                                    a switch instruction
    if(resS) st.stepS = true;
    step = st.stepS;

    Quality of fusion depends on the

                                                                                                  Obc
                                                    scheduling
    st.stepS = false:
    break:
                                                 Extensions of Stc: reset on state
  case Moving: ...
                                                    variables, multiple reset conditions
                                                                                                  Clight
```

#### Performances

|               | Vélus | Hept+CompCert |         | Hept+gcc          | Hept+gcci          |  |
|---------------|-------|---------------|---------|-------------------|--------------------|--|
| stepper_motor | 930   | 1185          | (+27%)  | <b>610</b> (-34%) | 535 (-42%)         |  |
| chrono        | 505   | 970           | (+92%)  | 570 (+12%)        | 570 (+12%)         |  |
| cruisecontrol | 1405  | 1745          | (+24%)  | 960 (-31%)        | 895 (-36%)         |  |
| heater        | 2415  | 3125          | (+29%)  | 730 (-69%)        | <b>515</b> (-78 %) |  |
| buttons       | 1015  | 1430          | (+40 %) | 625 (-38%)        | 625 (-38%)         |  |
| stopwatch     | 1305  | 1970          | (+50%)  | 1290 (-1%)        | 1290 (-1%)         |  |

WCET estimated by OTAWA 2  $\begin{bmatrix} Ballabriga, Cassé, Rochange, and Sainrat (LNCS 2010): \\ OTAWA: An Open Toolbox for Adaptive WCET Analysis \end{bmatrix}$  for an armv7

Vélus generally better than Heptagon, but worse than Heptagon+GCC

### Performances

|               | Vélus | Hept+ | CompCert | Hept+gcc          | Hept+gcci         |  |
|---------------|-------|-------|----------|-------------------|-------------------|--|
| stepper_motor | 930   | 1185  | (+27%)   | <b>610</b> (-34%) | 535 (-42%)        |  |
| chrono        | 505   | 970   | (+92%)   | 570 (+12%)        | 570 (+12%)        |  |
| cruisecontrol | 1405  | 1745  | (+24%)   | 960 (-31%)        | 895 (-36%)        |  |
| heater        | 2415  | 3125  | (+29%)   | 730 (-69%)        | <b>515</b> (-78%) |  |
| buttons       | 1015  | 1430  | (+40 %)  | 625 (-38%)        | 625 (-38%)        |  |
| stopwatch     | 1305  | 1970  | (+50 %)  | 1290 (-1%)        | 1290 (-1%)        |  |

WCET estimated by OTAWA 2  $\begin{bmatrix} Ballabriga, Cassé, Rochange, and Sainrat (LNCS 2010): \\ OTAWA: An Open Toolbox for Adaptive WCET Analysis \end{bmatrix}$  for an armv7

- Vélus generally better than Heptagon, but worse than Heptagon+GCC
- Inlining of CompCert not fine tuned to small functions generated by Vélus

### Performances

|               | Vélus | Hept+CompCert |         | Hept+gcc           | Hept+gcci         |  |
|---------------|-------|---------------|---------|--------------------|-------------------|--|
| stepper_motor | 930   | 1185          | (+27%)  | <b>610</b> (-34 %) | 535 (-42%)        |  |
| chrono        | 505   | 970           | (+92%)  | 570 (+12%)         | 570 (+12%)        |  |
| cruisecontrol | 1405  | 1745          | (+24%)  | 960 (-31%)         | 895 (-36%)        |  |
| heater        | 2415  | 3125          | (+29%)  | 730 (-69%)         | <b>515</b> (-78%) |  |
| buttons       | 1015  | 1430          | (+40 %) | 625 (-38%)         | 625 (-38%)        |  |
| stopwatch     | 1305  | 1970          | (+50 %) | 1290 (-1%)         | 1290 (-1%)        |  |

WCET estimated by OTAWA 2  $\begin{bmatrix} Ballabriga, Cassé, Rochange, and Sainrat (LNCS 2010): \\ OTAWA: An Open Toolbox for Adaptive WCET Analysis \end{bmatrix}$  for an armv7

- Vélus generally better than Heptagon, but worse than Heptagon+GCC
- Inlining of CompCert not fine tuned to small functions generated by Vélus
- Some possible improvements
  - Better compilation of last to reduce useless updates (done in unpublished version)
  - Memory optimization: state variables in mutually exclusive states can be be reused

#### Conclusion

#### Our contributions:

- a Coq-based semantics for the control blocks of Scade 6
  - switch blocks
  - reset blocks
  - state machines
- a verified implementation of an efficient compilation scheme for these blocks

#### Conclusion

#### Our contributions:

- a Coq-based semantics for the control blocks of Scade 6
  - switch blocks
  - reset blocks
  - state machines
- a verified implementation of an efficient compilation scheme for these blocks

https://velus.inria.fr/emsoft2023

### Semantics – switch blocks

when 
$$(\langle \cdot \rangle \cdot xs) (\langle \cdot \rangle \cdot cs) \equiv \langle \cdot \rangle \cdot \text{when}^C xs cs$$
  
when  $(\langle \cdot v \rangle \cdot xs) (\langle \cdot C \rangle \cdot cs) \equiv \langle \cdot v \rangle \cdot \text{when}^C xs cs$   
when  $(\langle \cdot v \rangle \cdot xs) (\langle \cdot C' \rangle \cdot cs) \equiv \langle \cdot \rangle \cdot \text{when}^C xs cs$ 

$$(when^C H cs)(x) \equiv when^C (H(x)) cs$$

$$\frac{G, H, bs \vdash e \Downarrow [cs] \quad \forall i, \ G, \text{when}^{C_i} (H, bs) \ cs \vdash blks_i}{G, H, bs \vdash \text{switch } e \left[C_i \text{ do } blks_i\right]^i \text{ end}}$$

### Semantics – reset blocks

$$\mathsf{mask}_{k'}^k (\mathtt{F} \cdot rs) \, (\mathit{sv} \cdot \mathit{xs}) \equiv (\mathsf{if} \, \mathit{k'} = \mathit{k} \, \mathsf{then} \, \mathit{sv} \, \mathsf{else} \, \circlearrowleft) \cdot \mathsf{mask}_{k'}^k \, \mathit{rs} \, \mathit{xs} \\ \mathsf{mask}_{k'}^k \, (\mathtt{T} \cdot \mathit{rs}) \, (\mathit{sv} \cdot \mathit{xs}) \equiv (\mathsf{if} \, \mathit{k'} + 1 = \mathit{k} \, \mathsf{then} \, \mathit{sv} \, \mathsf{else} \, \circlearrowleft) \cdot \mathsf{mask}_{k'+1}^k \, \mathit{rs} \, \mathit{xs}$$

$$G, H, bs \vdash es \Downarrow xss$$
 $G, H, bs \vdash e \Downarrow [ys]$  bools-of  $ys \equiv rs$ 
 $\forall k, G \vdash f(\mathsf{mask}^k rs xss) \Downarrow (\mathsf{mask}^k rs yss)$ 
 $G, H, bs \vdash (\mathtt{reset} f \mathtt{every} e)(es) \Downarrow yss$ 

$$\frac{G, H, bs \vdash e \Downarrow [ys] \quad \text{bools-of } ys \equiv rs}{\forall k, \ G, \text{mask}^k \ rs \ (H, bs) \vdash blks}$$
$$G, H, bs \vdash \text{reset } blks \text{ every } e$$

### Semantics – Hierarchical State Machines

```
H, bs \vdash ck \Downarrow bs' G, H, bs' \vdash autinits \Downarrow sts_0
fby sts_0 sts_1 \equiv sts \forall i, \forall k, G, (select_0^{C_i,k} sts(H, bs)), C_i \vdash_w autscope_i \Downarrow (select_0^{C_i,k} sts sts_1)
                    G, H, bs \vdash \text{automaton initially } autinits^{ck} [\text{state } C_i \text{ } autscope_i]^i \text{ end}
                                                  \forall x, x \in \text{dom}(H') \iff x \in locs
                           \forall x \, e, \, (\text{last } x = e) \in locs \implies G, H + H', bs \vdash_{\Gamma} \text{last } x = e
                              G. H + H'. bs \vdash blks G. H + H'. bs, C_i \vdash_{TR} trans \Downarrow sts
                                      G, H, bs, C_i \vdash_{w} var locs do blks until trans <math>\Downarrow sts
                                  H, bs \vdash ck \Downarrow bs' fby (const bs'(C, F)) sts_1 \equiv sts
                     \forall i, \forall k, G, (\text{select}_0^{C_i, k} \text{ sts } (H, bs)), C_i \vdash_{\mathbb{T}_R} trans_i \Downarrow (\text{select}_0^{C_i, k} \text{ sts } \text{ sts}_1)
                                           \forall i, \forall k, G, (\text{select}_{0}^{C_{i},k} sts_{1}(H, bs)) \vdash blks_{i}
               G, H, bs \vdash \text{automaton initially } C^{ck} [\text{state } C_i \text{ do } blks_i \text{ unless } trans_i]^i \text{ end}
```

#### Semantics – Transitions

$$G, H, bs \vdash e \Downarrow [ys]$$
bools-of  $ys \equiv bs'$   $G, H, bs \vdash_{\mathsf{T}} autinits \Downarrow sts$ 

$$\underbrace{sts' \equiv \mathsf{first-of}_{\mathsf{F}}^{C} bs' sts}_{G, H, bs \vdash_{\mathsf{T}} C \ \mathsf{if} \ e; \ autinits \ \Downarrow sts'}$$

$$\frac{sts \equiv \text{const } bs (C, F)}{G, H, bs \vdash_{I} \text{otherwise } C \Downarrow sts}$$

first-of<sub>r</sub><sup>C</sup> (T · bs) (st · sts) 
$$\equiv$$
 < C, r> · first-of<sub>r</sub><sup>C</sup> bs sts  
first-of<sub>r</sub><sup>C</sup> (F · bs) (st · sts)  $\equiv$  st · first-of<sub>r</sub><sup>C</sup> bs sts

$$\frac{sts \equiv const \ bs \ (C_i, F)}{G, H, bs, C_i \vdash_{TR} \epsilon \Downarrow sts}$$

$$G, H, bs \vdash e \Downarrow [ys]$$
 bools-of  $ys \equiv bs'$ 
 $G, H, bs, C_i \vdash_{TR} trans \Downarrow sts$ 
 $sts' \equiv \text{first-of}_F^C bs' sts$ 

$$G, H, bs, C_i \vdash_{TR} \text{if e continue } C \text{ trans } \Downarrow sts'$$

$$G, H, bs \vdash e \Downarrow [ys]$$
 bools-of  $ys \equiv bs'$ 
 $G, H, bs, C_i \vdash_{TR} trans \Downarrow sts$ 

$$sts' \equiv \text{first-of}_T^C bs' sts$$

$$G, H, bs, C_i \vdash_{TR} \text{if } e \text{ then } C \text{ } trans \Downarrow sts'$$

### Semantics – local blocks and last variables

$$\frac{H(\texttt{last}\,x) \equiv vs}{G, H, bs \vdash \texttt{last}\,x \Downarrow [vs]}$$

$$\frac{\forall x \ e, \ (\texttt{last} \ x = e) \in locs}{\forall x \ e, \ (\texttt{last} \ x = e) \in locs} \implies G, H + H', bs \vdash_{\mathbb{L}} \texttt{last} \ x = e}{G, H + H', bs \vdash_{\mathbb{L}} \texttt{locs}}$$

$$\frac{G, H, bs \vdash e \Downarrow [vs_0] \quad H(x) \equiv vs_1 \quad H(\texttt{last}\,x) \equiv \mathsf{fby}\,vs_0\,vs_1}{G, H, bs \vdash_{\!\!\!\!\!\!\perp} \mathtt{last}\,x = e}$$

$$(H_1 + H_2)(x) = \begin{cases} H_2(x) & \text{if } x \in H_2 \\ H_1(x) & \text{otherwise.} \end{cases}$$