We investigate the benefits of using a synchronous data-flow language for programming critical real-time systems. These benefits concern ergonomy --- since the dataflow approach meets traditional description tools used in this domain ---, and ability to support formal design and verification methods. We show, on a simple example, how the language Lustre and its associated verification tool Lesar, can be used to design a program, to specify its critical properties, and to verify these properties. As the language Lustre and its use have been already published in several papers (e.g., [11, 18]), we put particular emphasis on program verification. A preliminary version of this paper has been published in [28]. 1 Introduction It is useless to repeat why real-time programs are among those in which errors can have the most dramatic consequences. Thus, these programs constitute a domain where there is a special need of rigorous design methods. We advocate a "language approach" to this problem...

. Hybrid systems are modeled as phase transition systems with sampling semantics. By identifying a set of important events it is ensured that all significant state changes are observed, thus correcting previous drawbacks of the sampling computations semantics. A proof rule for verifying properties of hybrid systems is presented and illustrated on several examples. Keywords: Temporal logic, real-time, specification, verification, hybrid systems, statecharts, proof rules, phase transition system, sampling semantics, important events. 1 Introduction Hybrid systems are reactive systems that intermix discrete and continuous components. Typical examples are digital controllers that interact with continuously changing physical environments. A formal model for hybrid systems was proposed in [MMP92], based on the notion of phase transition systems (PTS). Two types of semantics were considered in [MMP92]. The first semantics, to which we refer here as the super dense semantics, is based on hyb...

Synchronous programming (Berry (1989)) is a powerful approach to programming reactive systems. Following the idea that "processes are relations extended over time" (Abramsky (1993)), we propose a simple but powerful model for timed, determinate computation, extending the closure-operator model for untimed concurrent constraint programming (CCP). In (Saraswat et al. 1994a) we had proposed a model for this called tcc--- here we extend the model of tcc to express strong time-outs: if an event A does not happen through time t, cause event B to happen at time t. Such constructs arise naturally in practice (e.g. in modeling transistors) and are supported in synchronous programming languages. The fundamental conceptual difficulty posed by these operations is that they are nonmonotonic. We provide a compositional semantics to the non-monotonic version of concurrent constraint programming (Default cc) obtained by changing the underlying logic from intuitionistic logic to Reiter's default logic...

Process preemption deals with controlling the life and death of concurrent processes. Well-defined preemption mechanisms are essential in control-dominated reactive and real-time programming, and accurate handling of preemption requires a time-dependent model. We first informally discuss what preemption is about and argue for the need of preemption primitives that are fully orthogonal with sequencing and concurrency ones. Then, we formally present the preemption operators of the Esterel zero-delay process calculus, which is a theoretical version of the Esterel synchronous programming language. 1 Introduction In concurrent systems, one deals with concurrent processes that coordinate with each other. Coordination can result from information exchange, using for example messages circulating on channels with possibly some implied synchronization. It can also result from process preemption, which is a more implicit control mechanism that consists in denying the right to work to a pro...

We present a new programming paradigm called Communicating Reactive Processes or CRP that unifies the capabilities of asynchronous and synchronous concurrent programming languages. Asynchronous languages such as CSP, Occam, or Ada are well-suited for distributed algorithms; their processes are loosely coupled and communication takes time. The Esterel synchronous language is dedicated to reactive systems; its processes are tightly coupled and deterministic, communication being realized by instantaneous broadcasting. Complex applications such as process or robot control require to couple both forms of concurrency, which is the object of CRP. A CRP program consists of independent locally reactive Esterel nodes that communicate with each other by CSP rendezvous. CRP faithfully extends both Esterel and CSP and adds new possibilities such as precise local watchdogs on rendezvous. We present the design of CRP, its semantics, a translation into classical process calculi for program verificatio...

Verifying temporal specifications of reactive and concurrent systems commonly relies on generating auxiliary assertions and strengthening given properties of the system. Two dual approaches find solutions to these problems: the bottom-up method performs an abstract forward propagation of the system, generating auxiliary assertions; the top-down method performs an abstract backward propagation to strengthen given properties. Exact application of these methods is complete but is usually infeasible for large-scale verification. An approximate analysis can often supply enough information to complete the verification. The paper overviews some of the exact and approximate analysis methods to generate and strengthen assertions for the verification of invariance properties. By formulating and analyzing a generic safety verification rule, we extend these methods to the verification of general temporal safety properties.

... This paper describes an extension of the C programming language called RC (for `Reactive C') to program reactive systems. The language RC is described, then some programming examples are given to illustrate the reactive approach. The main RC notions come directly from the Esterel synchronous programming language. Finally, the Esterel and RC languages are compared.

. In the field of reactive system programming, dataflow synchronous languages like Lustre [BCH + 85,CHPP87] or Signal [GBBG85] offer a syntax similar to block-diagrams, and can be efficiently compiled into C code, for instance. Designing a system that clearly exhibits several "independent" running modes is not difficult since the mode structure can be encoded explicitly with the available dataflow constructs. However the mode structure is no longer readable in the resulting program; modifying it is error prone, and it cannot be used to improve the quality of the generated code. We propose to introduce a special construct devoted to the expression of a mode structure in a reactive system. We call it mode-automaton, for it is basically an automaton whose states are labeled by dataflow programs. We also propose a set of operations that allow the composition of several mode-automata (parallel and hierarchic compositions taken from Argos [Mar92]), and we study the properties...

Abstract SML is a language for describing complex finite-state hardware controllers. It provides many of the standard control structures found in modern programming languages. The state tables produced by the SML compiler can be used as input to a temporal logic model checker that can automatically determine whether a specification in the logic CTL is satisfied. We describe extensions to SML for the design of modular controllers. These extensions allow a compositional approach to model checking which can substantially reduce its complexity. To demonstrate our methods, we discuss the specification and verification of a simple CPU controller. 0

This paper explores Lhc expressive power of Lhc tcc paradigm. The origin of Lhc work in Lhc inLcgraLion of synchronous and consLrainL programming is described. The basic conceptual and maLhcmaLical framework developed in Lhc spirk of Lhc model-based approach characLcrisLic of LhcorcLical compuLcr science is reviewed. Wc show LhaL a range of consLrucLs for expressing LimcouLs, prccmpLion and oLhcr complicaLcd paLLcrns of Lcmporal acLivky arc expressible in the basic model and language-framework. Indeed, we present a single construct on processes, definable in the language, that can simulate the effect of other preemption constructs