This paper describes the language Lustre, which is a dataflow synchronous language, designed for programming reactive systems --- such as automatic control and monitoring systems --- as well as for describing hardware. The dataflow aspect of Lustre makes it very close to usual description tools in these domains (block-diagrams, networks of operators, dynamical samples-systems, etc: : : ), and its synchronous interpretation makes it well suited for handling time in programs. Moreover, this synchronous interpretation allows it to be compiled into an efficient sequential program. Finally, the Lustre formalism is very similar to temporal logics. This allows the language to be used for both writing programs and expressing program properties, which results in an original program verification methodology. 1 Introduction Reactive systems Reactive systems have been defined as computing systems which continuously interact with a given physical environment, when this environment is unable to sy...

Fran (Functional Reactive Animation) is a collection of data types and functions for composing richly interactive, multimedia animations. The key ideas in Fran are its notions of behaviors and events. Behaviors are time-varying, reactive values, while events are sets of arbitrarily complex conditions, carrying possibly rich information. Most traditional values can be treated as behaviors, and when images are thus treated, they become animations. Although these notions are captured as data types rather than a programming language, we provide them with a denotational semantics, including a proper treatment of real time, to guide reasoning and implementation. A method to e#ectively and efficiently perform event detection using interval analysis is also described, which relies on the partial information structure on the domain of event times. Fran has been implemented in Hugs, yielding surprisingly good performance for an interpreter-based system. Several examples are given, including the ability to describe physical phenomena involving gravity, springs, velocity, acceleration, etc. using ordinary di#erential equations.

We present anoverview and synthesis of existing results about process algebras for the speci cation and analysis of timed systems. The motivation is double: present anoverview of some relevant and representative approaches and suggest a unifying framework for them. time, we propose a general model for them: transition systems whose labels are either elements ofavocabulary of actions or elements of a time domain. Many properties of this model are studied concerning their impact on description capabilities and on realisability issues. An overview of the language features of the process algebras considered is presented, by focusing on constructs used to express time constraints. The presentation is organised as an exercise of building a timed process algebra from a standard process algebra for untimed systems. The overview is completed by a discussion about description capabilities according to semantic and pragmatic criteria. 1

We present the notion of translation validation as a new approach to the verification of translators (compilers, code generators). Rather than proving in advance that the compiler always produces a target code which correctly implements the source code (compiler verification), each individual translation (i.e. a run of the compiler) is followed by a validation phase which verifies that the target code produced on this run correctly implements the submitted source program. Several ingredients are necessary to set up the -- fully automatic -- translation validation process, among which are: 1. A common semantic framework for the representation of the source code and the generated target code. 2. A formalization of the notion of "correct implementation" as a refinement relation. 3. A syntactic simulation-based proof method which allows to automatically verify that one model of the semantic framework, representing the produced target code, correctly implements another model which repres...

. Real-time systems operate in "real," continuous time and state changes may occur at any real-numbered time point. Yet many verification methods are based on the assumption that states are observed at integer time points only. What can we conclude if a real-time system has been shown "correct" for integral observations? Integer time verification techniques suffice if the problem of whether all real-numbered behaviors of a system satisfy a property can be reduced to the question of whether the integral observations satisfy a (possibly modified) property. We show that this reduction is possible for a large and important class of systems and properties: the class of systems includes all systems that can be modeled as timed transition systems; the class of properties includes time-bounded invariance and time-bounded response. 1 Introduction Over the past few years, we have seen a proliferation of formal methodologies for software and hardware design that emphasize the treatm...

: The state/transition paradigm has been used extensively for the description of event-driven, parallel systems. However, the lack for hierarchic structure in such descriptions usually prevents us from using this paradigm in a real programming language. We propose the Argos language for reactive systems. The basic components of a program are input/output-labeled transition systems verifying reactivity (a property similar to input-enabling in IOautomata) . The composition operations (parallel composition and refinement, providing hierarchy) are based upon the synchronous broadcast mechanism of Esterel. We define the language formally in an algebraic framework, and give an operational semantics. The main result is the compositionality of the semantics; we prove that the bisimulation of models induces an equivalence which is a congruence for the operators we propose. An interesting point is the way we introduce hierarchy in a compositional way. 1 1 Introduction The problem ...

We present the Argos graphical synchronous language for the description of reactive systems, and the Argonaute environment associated with it. Systems like communication protocols, real time process controllers or man/machine interfaces contain a reactive kernel. Its behaviour can be described in a convenient manner by an automaton , for formal validation purposes. But, in general, complex systems cannot be described directly as automata. The Statecharts [4,5] and Argos [7,8] are automata-based languages. The high level constructs of the language deal with states and transitions directly. A consequence of this choice is the graphical syntax, since the best representation of small automata is graphical. A consequence of this graphical syntax is the need for graphical constructs: the constructs of the language must allow the decomposition of a system into small parts that can be represented directly by automata, and they must be given a readable graphical syntax. 1 Introduction The term ...

A vast amount of work has been done in recent years on the design, analysis, implementation and verification of special purpose parallel computing systems. This paper presents a survey of various aspects of this work. A long, but by no means complete, bibliography is given. 1. Introduction Turing [365] demonstrated that, in principle, a single general purpose sequential machine could be designed which would be capable of efficiently performing any computation which could be performed by a special purpose sequential machine. The importance of this universality result for subsequent practical developments in computing cannot be overstated. It showed that, for a given computational problem, the additional efficiency advantages which could be gained by designing a special purpose sequential machine for that problem would not be great. Around 1944, von Neumann produced a proposal [66, 389] for a general purpose storedprogram sequential computer which captured the fundamental principles of...

We propose a method for the implementation and analysis of real-time systems, based on the compilation of specifications into extended automata. Such a method has been already adopted for the so called "synchronous" real-time programming languages.

We investigate the benefits of using a synchronous data-flow language for programming critical real-time systems. These benefits concern ergonomy --- since the dataflow approach meets traditional description tools used in this domain ---, and ability to support formal design and verification methods. We show, on a simple example, how the language Lustre and its associated verification tool Lesar, can be used to design a program, to specify its critical properties, and to verify these properties. As the language Lustre and its use have been already published in several papers (e.g., [11, 18]), we put particular emphasis on program verification. A preliminary version of this paper has been published in [28]. 1 Introduction It is useless to repeat why real-time programs are among those in which errors can have the most dramatic consequences. Thus, these programs constitute a domain where there is a special need of rigorous design methods. We advocate a "language approach" to this problem...