Research in Parkas focuses on the design, semantics, and compilation of
programming languages which allow going from parallel deterministic
specifications to target embedded code executing on sequential or multi-core
architectures.
We are driven by the ideal of a mathematical and executable language used
both to program and simulate a wide variety of systems, including real-time
embedded controllers in interaction with a physical environment (e.g.,
fly-by-wire, engine control), computationally intensive applications (e.g.,
video), and compilers that produce provably correct and efficient code.

The team bases its research on the foundational work of Gilles Kahn on the semantics of deterministic parallelism, the theory and practice of synchronous languages and typed functional languages, synchronous circuits, modern (polyhedral) compilation, and formal models to prove the correctness of low-level code.

To realize our research program, we develop languages (Lucid Synchrone,
ReactiveML, Lucy-n, Zelus), compilers,
contributions to open-source projects (Sundials/ML), and formalizations in Interactive Theorem
Provers of language semantics (Vélus and n-synchrony).
These software projects constitute essential “laboratories”: they
ground our scientific contributions, guide and validate our research
through experimentation, and are an important vehicle for long-standing
collaborations with industry.

We study the definition of languages for reactive and Cyber-Physical Systems in which distributed control software interacts closely with physical devices. We focus on languages that mix discrete-time and continuous-time; in particular, the combination of synchronous programming constructs with differential equations, relaxed models of synchrony for distributed systems communicating via periodic sampling or through buffers, and the embedding of synchronous features in a general purpose ML language.

The synchronous language
Scade
based on synchronous languages principles, is ideal for programming embedded
software and is used routinely in the most critical applications. But
embedded design also involves modeling the control software together with
its environment made of physical devices that are traditionally defined by
differential equations that evolve on a continuous-time basis and
approximated with a numerical solver. Furthermore, compilation usually
produces single-loop code, but implementations increasingly involve multiple
and multi-core processors communicating via buffers and shared-memory.

The major player in embedded design for cyber-physical systems is
undoubtedly
Simulink,
with Modelica a new player.
Models created in these tools are used not only for simulation,
but also for test-case generation, formal verification, and
translation to embedded code.
That said, many foundational and practical aspects are not well-treated by
existing theory (for instance, hybrid automata), and current tools.
In particular, features that mix discrete and continuous time often suffer
from inadequacies and bugs.
This results in a broken development chain: for the most critical
applications, the model of the controller must be reprogrammed into either
sequential or synchronous code, and properties verified on the source model
have to be reverified on the target code.
There is also the question of how much confidence can be placed in the code
used for simulation.

We attack these issues through the development of the Zelus research
prototype, industrial collaborations with the SCADE team at
ANSYS/Esterel-Technologies, and collaboration with Modelica developers at
Dassault-Systèmes and the Modelica association.
Our approach is to develop a conservative extension of a synchronous
language capable of expressing in a single source text a model of the
control software and its physical environment, to simulate the whole using
off-the-shelf numerical solvers, and to generate target embedded code.
Our goal is to increase faithfulness and confidence in both what is actually
executed on platforms and what is simulated.
The goal of building a language on a strong mathematical basis for hybrid
systems is shared with the Ptolemy project at UC Berkeley; our approach is
distinguished by building our language on a synchronous semantics, reusing
and extending classical synchronous compilation techniques.

Adding continuous time to a synchronous language gives a richer programming
model where reactive controllers can be specified in idealized physical
time.
An example is the so called quasi-periodic architecture studied by Caspi,
where independent processors execute periodically and communicate by
sampling.
We have applied Zelus to model a class of quasi-periodic protocols and to
analyze an abstraction proposed for model-checking such systems.

Communication-by-sampling is suitable for control applications where value
timeliness is paramount and lost or duplicate values tolerable, but other
applications—for instance, those involving video streams—seek a
different trade-off through the use of bounded buffers between processes.
We developed the n-synchronous model and the programming language
Lucy-n to treat this issue.

We develop compilation techniques for sequential and multi-core processors, and efficient parallel run-time systems for computationally intensive real-time applications (e.g., video and streaming). We study the generation of parallel code from synchronous programs, compilation techniques based on the polyhedral model, and the exploitation of synchronous Single Static Assignment (SSA) representations in general purpose compilers.

We consider distribution and parallelism as two distinct concepts.

We also see a strong relation between the foundations of synchronous languages and the design of compiler intermediate representations for concurrent programs. These representations are essential to the construction of compilers enabling the optimization of parallel programs and the management of massively parallel resources. Polyhedral compilation is one of the most popular research avenues in this area. Indirectly, the design of intermediate representations also triggers exciting research on dedicated runtime systems supporting parallel constructs. We are particularly interested in the implementation of non-blocking dynamic schedulers interacting with decoupled, deterministic communication channels to hide communication latency and optimize local memory usage.

While distribution and parallelism issues arise in all areas of computing, our programming language perspective pushes us to consider four scenarios:

We work on a multitude of research experiments, algorithms and prototypes related to one or more of these scenarios. Our main efforts focused on extending the code generation algorithms for synchronous languages and on the development of more scalable and widely applicable polyhedral compilation methods.

Compilers are complex software and not immune from bugs. We work on validation and proof tools for compilers to relate the semantics of source programs with the corresponding executable code.

The formal validation of a compiler for a synchronous language, or more generally for a language based on synchronous block diagrams, promises to reduce the likelihood of compiler-introduced bugs, the cost of testing, and also to ensure that properties verified on the source model hold of the target code. Such a validation would be complementary to existing industrial qualifications which certify the development process and not the functional correctness of a compiler. The scientific interest is in developing models and techniques that both facilitate the verification and allow for convenient reasoning over the semantics of a language and the behavior of programs written in it.

Most embedded systems evolve in an open, noisy environment that they only perceive through noisy sensors (e.g., accelerometers, cameras, or GPS).
Another level of uncertainty comes from interactions with other autonomous entities (e.g., surrounding cars, or pedestrians crossing the street).
Yet, to date, existing tools for cyber-physical system have had limited support for modeling uncertainty, to simulate the behavior of the systems, or to infer parameters from noisy observations.
The classic approach consists in hand-coding robust stochastic controllers.
But this solution is limited to well-understood and relatively simple tasks like the lane following assist system.
However, no such controller can handle, for example, the difficult to anticipate behavior of a pedestrian crossing the street.
A modern alternative is to rely on deep-learning techniques.
But neural networks are black-box models that are notoriously difficult to understand and verify.
Training them requires huge amounts of curated data and computing resources which can be problematic for corner-case scenarios in embedded control systems.

Over the last few years, Probabilistic Programming Languages (PPL) have been introduced to describe probabilistic models and automatically infer distributions of parameters from observed data. Compared to deep-learning approaches, probabilistic models show great promise: they overtly represent uncertainty, and they enable explainable models that can capture both expert knowledge and observed data.

A probabilistic reactive language provides the facilities of a synchronous language to write control software, with probabilistic constructs to model uncertainties and perform inference-in-the-loop. This approach offers two key advantages for the design of embedded systems with uncertainty: 1) Probabilistic models can be used to simulate an uncertain environment for early stage design and incremental development. 2) The embedded controller itself can rely on probabilistic components which implement skills that are out of reach for classic automatic controllers.

Embedded control software defines the interactions of specialized hardware with the physical world. It normally ticks away unnoticed inside systems like medical devices, trains, aircraft, satellites, and factories. This software is complex and great effort is required to avoid potentially serious errors, especially over many years of maintenance and reuse.

Engineers have long designed such systems using block diagrams and state
machines to represent the underlying mathematical models.
One of the key insights behind synchronous programming languages is that
these models can be executable and serve as the base for simulation,
validation, and automatic code generation.
This approach is sometimes termed Model-Based Development (MBD).
The SCADE language and associated code generator allow the application of
MBD in safety-critical applications.
They incorporate ideas from Lustre, Lucid Synchrone, and other programming languages.

Modern embedded systems are increasingly conceived as rich amalgams of software, hardware, networking, and physical processes. The terms Cyberphysical System (CPS) or Internet-of-Things (IoT) are sometimes used as labels for this point of view.

In terms of modeling languages, the main challenges are to specify both
discrete and continuous processes in a single hybrid language, give
meaning to their compositions, simulate their interactions, analyze the
behavior of the overall system, and extract code either for target control
software or more efficient, possibly online, simulation.
Languages like Simulink and Modelica are already used in the design and
analysis of embedded systems; it is more important than ever to understand
their underlying principles and to propose new constructs and analyses.

Ingkarat Rak-amnouykit, Ana Milanova, Guillaume Baudart, Martin Hirzel and Julian Dolby received a ACM SIGSOFT Distinguished Papers for "The Raise of Machine Learning Hyperparameter Constraints in Python Code" 14 at the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA) in July 2022.

Heptagon is an experimental language for the implementation of embedded real-time reactive systems. It is developed inside the Synchronics large-scale initiative, in collaboration with Inria Rhones-Alpes. It is essentially a subset of Lucid Synchrone, without type inference, type polymorphism and higher-order. It is thus a Lustre-like language extended with hierchical automata in a form very close to SCADE 6. The intention for making this new language and compiler is to develop new aggressive optimization techniques for sequential C code and compilation methods for generating parallel code for different platforms. This explains much of the simplifications we have made in order to ease the development of compilation techniques.

The current version of the compiler includes the following features: - Inclusion of discrete controller synthesis within the compilation: the language is equipped with a behavioral contract mechanisms, where assumptions can be described, as well as an "enforce" property part. The semantics of this latter is that the property should be enforced by controlling the behaviour of the node equipped with the contract. This property will be enforced by an automatically built controller, which will act on free controllable variables given by the programmer. This extension has been named BZR in previous works. - Expression and compilation of array values with modular memory optimization. The language allows the expression and operations on arrays (access, modification, iterators). With the use of location annotations, the programmer can avoid unnecessary array copies.

Sundials/ML is a comprehensive OCaml interface to the Sundials suite of numerical solvers (CVODE, CVODES, IDA, IDAS, KINSOL). Its structure mostly follows that of the Sundials library, both for ease of reading the existing documentation and for adapting existing source code, but several changes have been made for programming convenience and to increase safety, namely:

solver sessions are mostly configured via algebraic data types rather than multiple function calls,

errors are signalled by exceptions not return codes (also from user-supplied callback routines),

user data is shared between callback routines via closures (partial applications of functions),

vectors are checked for compatibility (using a combination of static and dynamic checks), and

explicit free commands are not necessary since OCaml is a garbage-collected language.

Vélus is a compiler for a subset of
Lustre and Scade that is specified in the Coq 21
Interactive Theorem Prover (ITP). It integrates the CompCert C compiler
19, 18 to define the semantics of
machine operations (integer addition, floating-point multiplication,
etcetera) and to generate assembly code for different architectures. The
research challenges are to

Work continued this year on this long-running project in two main directions: adding state machines, and developing constructive denotational models to facilitate interactive verification.

This year, in the context of causality labels. This technique permits, for example, to have different
dependency relations in different branches of the switch construct.
We completed a proof of determinism for the extended
semantic model. This required the introduction of a novel intermediate model
to simplify reasoning about variable dependencies and clock correctness.

We developed a small example to demonstrate these ideas, implemented a web interface to showcase the compiler, and submitted two articles on our new results.

To date we have focused on proving the correctness of compilation passes.
This involves specifying semantic models to define the input/output relation
associated with a program, implementing compilation functions to transform
the syntax of a program, and proving that the relation is unchanged by the
functions. In addition to specifying compiler correctness, semantic models
can also serve as a base for verifying individual programs. The challenge is
to present and manipulate such detailed specifications in interactive
proofs. The potential advantage is to be able to reason on abstract models
and to obtain, via the compiler correctness theorem, proofs that apply to
generated code. Making this idea work requires solving several scientific
and technical challenges. It is the subject of

This year we continued developing a Kahn-style semantics in Coq using C. Paulin-Mohring's library 20. The model now includes most features from the dataflow core of Lustre, notably including node instances with subsampling. We have also treated the node reset construction in a limited setting (single input-single output nodes). Work continues to extend the model to account for multiple equations, rather than just a single equation with multiple expressions. We have formally shown that this new constructive model satisfies the relational semantic predicates used in the compiler correctness proof. These results required developing invariants and tools to reason about dependencies and fixpoints. One of the main challenges in developing a constructive model is to represent and reason explicitly about errors due to incorrect types, incorrect clocks, or partial operations from the underlying Clight language. We made good progress on definitions and proofs that treat these issues and work continues. We tried to eliminate the base clock argument in our semantic rules by working in a Present/Absent/Ready model where the new Ready tag indicates that a stream can be “pulled”. Unfortunately, this does not work due to an underlying causality issue. This work was presented at TYPES 2022.

External collaborators:
Michel Angot,
Vincent Bregeon,
and
Matthieu Boitrel,
(Airbus).

It is sometimes desirable to compile a single synchronous language program into multiple tasks for execution by a real-time operating system. We have been investigating this question from three different perspectives.

In this approach, the top-level node of a Lustre program is
distinguished from inner nodes. It may contain special annotations
to specify the triggering and other details of node instances from
which separate “tasks” are to be generated. Special operators are
introduced to describe the buffering between top-level
instances. Notably, different forms of the when and
current operators are provided. Some of the operators are
under-specified and a constraint solver is used to determine their
exact meaning, that is, whether the signal is delayed by zero, one,
or more cycles of the receiving clock, which depends on the
scheduling of the source and destination nodes. Scheduling is
formalized as a constraint solving problem based on latency
constraints between some pairs of input/outputs that are specified
by the designer.

This year we continued work on our prototype compiler, notably adding support for constraints on node sequencing and features for scheduling across two computation units. We developed an XML-RPC interface to the NEOS online ILP solvers to facilitate testing. We added features for finding conflicts between constraints and spent a lot of time debugging our compiler. We developed a new, far simpler encoding for end-to-end latency constraints and evaluated its efficacy. We formalized and refined the main code generation predicates and algorithms. We reimplemented the small ROSACE case study as a complement to our work on the full-scale industrial example. We wrote and submitted articles on our work.

This work is funded by a direct industrial contract with Airbus.

This year we made major updates to the Sundials/ML OCaml interface to support support v6.x of the Sundials Suite of numerical solvers. This required adding support for the new logging and profiling frameworks, continuing to adapt to changes in the ARKode solver, supporting new nvector and solver features, and adding new example programs. We fixed compilation and many bugs under OCaml 5.x. We also discovered and reported a problem in the new OCaml 5.x runtime. We presented our work at the OCaml Users in Paris (OUPS) meeting.

This library is being used in the Miking, OWL (OCaml Scientific Computing), and Zelus projects.

Zelus is our laboratory to experiment our research on programming languages for hybrid systems. It is devoted to the design and implementation of systems that may mix discrete-time/continuous-time signals and systems between those signals. It is first a synchronous language reminiscent of Lustre and Lucid Synchrone with the ability to define functions that manipulate continuous-time signals defined by Ordinary Differential Equations (ODEs) and zero-crossing events. The language is functional in the sense that a system is a function from signals to signals (not a relation). It provides some features from ML languages like higher-order and parametric polymorphism as well as dedicated static analyses.

The language, its compiler and examples (release 2.1) are on GitHub. It is also available as an OPAM package. All the installation machinery has been greatly simplified.

The implementation of Zelus is now relatively mature. The language has been used in a collection of advances projects; the most important of the recent years being the design and implementation of ProbZelus on top of Zelus. This experiment called for several internal deep changes in the Zelus language.

One of the biggest troubles we faced when implementing Zelus was the
lack of a tool to automatically test the compiler and to prototype
language extensions before finding how to incorporate in the language
and how to compile them. This is what motivated first our work on an
executable semantics. The tool zrun works now quite well
and, based on it, we have started a new implementation so that every
pass of the compiler can be automatically tested.

External collaborator:
Francois Bidet (Ecole Polytechnique).

Hybrid systems modeling languages and tools are used to write an executable model with mixed signals — discrete-time and continuous-time —, e.g., a model for the software and its physical environment. Given a numerical solver for differential equations, concrete simulation of a model computes an approximation of all the signals up to a given time horizon. While routinely used, concrete simulation raises an intrinsic difficulty when debugging a model: even a small change, e.g., adding a continuous-time block that only observe a signal, may change the simulation results of what is observed.

In 2022, we have worked on the following problem: how to express and
implement transparent observers for a hybrid system modeling language so that
the simulation with and without them give the same result and
with no supplementary approximation at the frontier. We have defined an executable formal semantics of the concrete simulation loop first; and extended to the general case of a model that
contains several, possibly nested, observers, each being
approximated with its own numerical solver.

We have pursued our work on the definition of an executable semantics for a synchronous language. The result is an interpreter (named zrun) implemented in purely functional style, in OCaml. A paper have been submitted for publication.

The software development is part of the working branch of Zelus (). During year 2022, we have started the implementation of new version of Zelus that uses zrun so that very compilation step is automatically tested.

External collaborators:
Jean-Louis Colaco (ANSYS, Toulouse).

We have pursed our work on the design and compilation of programming languages for safety-critical embedded
software that combines complex control code and intensive computations
using arrays. This year, we have focused on the compilation and more precisely the sequential code generation for
programs that manipulate data-structures (mainly arrays) expressed in
a purely functional synchronous language. The considered target for
code generation is a sequential program, e.g., C, where all the memory
must be known statically. Although extensively studied, the use of
arrays is still challenging when coupled with safety critical
real-time software constraints. This is because the functional
programming style (with operations like map, fold,
concat, etc.), that is recommended for verification, does not
mix well with the static memory management imposed by targeted
applications.

Here are two concrete examples that makes compilation challenging.

Taking care of memory has two main properties: (i) it reduces memory footprint and (ii) it avoids needless copies, that have a negative impact on the WCET, a central parameter for real-time application.

Instead of considering optimization passes to remove useless copies (such the built-in-place optimization of Sisal [1] and previous works done at PARKAS 5 we have designed a language that allows precise memory specification through compiler verified memory location hints, while remaining fully declarative. This builds on two key ideas:

For example, array transformations such as reversal, transposition or concatenation do not need any copy. Rather than generating fresh arrays (that would need to be removed by a fragile optimization step), these operations only express changes on indexes to access them.

These ideas have been experimented in a prototype. It allows to generate sequential code with a precise control of memory while keeping a straightforward compilation process, with few transformations and no optimizations.

[1]: Gaudiot, J.-L., Bohm, W., Najjar, W., DeBoni, T., Feo, J., and Miller, P. The Sisal model of functional programming and its implementation. In Proceedings of IEEE International Symposium on Parallel Algorithms Architecture Synthesis (1997), IEEE, pp. 112–123.

[2] Gérard, L., Guatto, A., Pasteur, C., and Pouzet, M. A Modular Memory Optimization for Synchronous Data-Flow Languages. Application to Arrays in a Lustre Compiler. In Languages, Compilers and Tools for Embedded Systems (LCTES’12) (Beijing, June 12-13 2012), ACM. Best paper award.

External collaborators:
Louis Mandel (IBM), Erik Atkinson, Michael Carbin and Charles Yuan (MIT), Waïss Azizian, Marc Lelarge, Reyyan Tekin (Inria).

Synchronous languages were introduced to design and implement real-time embedded systems with a (justified) enphasis on determinacy. Yet, they interact with a physical environment that is only partially known and are implemented on architectures subject to failures and noise (e.g., channels, variable communication delays or computation time). Dealing with uncertainties is useful for online monitoring, learning, statistical testing or to build simplified models for faster simulation. Actual synchronous and languages provide limited support for modeling the non-deterministic behaviors that are omnipresent in embedded systems. ProbZelus is a probabilistic extension of the synchronous language Zelus for the design of reactive probabilistic models in interaction with an environment.

This year we continued this project along three main directions: 1) automatic parallelization of sequential Monte Carlo methods, 2) a novel semi-symbolic streaming inference method, and 3) embedding ProbZelus ideas in Julia.

(with L. Mandel and R. Tekin). Compared to classic synchronous programming where a program is a stream processor mapping a stream of inputs to a stream of outputs, a ProbZelus models computes a stream of distributions from a stream of inputs. Unfortunately, this inference problem is in general intractable. Monte Carlo inference techniques thus rely on many independent executions to compute accurate approximations. These methods are expensive but can be parallelized. We used JAX to parallelize ProbZelus reactive inference engine.

JAX is a recent library to compile Python code which can then be executed on massively parallel architectures such as GPUs or TPUs. We implemented a new reactive inference engine implemented in JAX and the new associated JAX backend for ProbZelus. We then showed on existing examples that our new parallel implementation outperforms the original sequential implementation for a high number of particles.

The main article JAX-Based Parallel Inference for Reactive Probabilistic Programming was presented at the
ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES 2022) 13.
A preliminary version of this work in French was also presented at the Journées Francophones des Langages Applicatifs (JFLA 2022) 15.

(with Erik Atkinson, Michael Carbin, L. Mandel, and Charles Yuan).

Efficient inference is often possible in a streaming context using Rao-Blackwellized particle filters (RBPFs), which exactly solve inference problems when possible and fall back on sampling approximations when necessary. While RBPFs can be implemented by hand to provide efficient inference, the goal of streaming probabilistic programming is to automatically generate such efficient inference implementations given input probabilistic programs.

We proposed semi-symbolic inference, a technique for executing probabilistic programs using a runtime inference system that automatically implements Rao-Blackwellized particle filtering. To perform exact and approximate inference together, the semi-symbolic inference system manipulates symbolic distributions to perform exact inference when possible and falls back on approximate sampling when necessary. This approach enables the system to implement the same RBPF a developer would write by hand. To ensure this, we identify closed families of distributions ś such as linear-Gaussian and finite discrete models on which the inference system guarantees exact inference. We have implemented the runtime inference system in the ProbZelus streaming probabilistic programming language. Despite an average 1.6x slowdown compared to the state of the art on existing benchmarks, our evaluation shows that speedups of 3x-87x are obtainable on a new set of challenging benchmarks we have designed to exploit closed families.

The main article Semi-symbolic Inference for Efficient Streaming Probabilistic Programming was presented at the Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2022) and published in the Proceedings of the ACM on Programming Languages (PACMPL) 12.

(with Marc Lelarge and Waïss Azizian). OnlineSampling.jl is an embedded reactive probabilistic language in Julia. Inspired by ProbZelus we designed a domain specific language for describing reactive probabilistic models using Julia macros. Following ProbZelus ideas, the inference method is a Rao-Blackwellised particle filter, a semi-symbolic algorithm which tries to analytically compute closed-form solutions, and falls back to a particle filter when symbolic computations fail. For Gaussian random variables with linear relations, we use belief propagation instead of delayed sampling if the factor graph is a tree. We can thus compute exact solutions for a broader class of models.

This project is an opensource Julia package available on GitHub and was presented at JuliaCon 2022.

External collaborators:
Ingkarat Rak-amnoukit, Ana Milanova (RPI), Martin Hirzel, Julian Dolby (IBM).

Machine-learning operators often have correctness constraints that cut across multiple hyperparameters and/or data. Violating these constraints causes the operator to raise runtime exceptions. We designed an interprocedural weakest-precondition analysis for Python to extract hyperparameter constraints. The analysis is mostly static, but to make it tractable for typical Python idioms in machine-learning libraries, it selectively switches to the concrete domain for some cases. We evaluated the analysis on 181 operators from existing ML libraries.

Building on last year preliminary results, we continued this work and the main article The Raise of Machine Learning Hyperparameter Constraints in Python Code was presented at the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2022) 14 where it received an ACM SIGSOFT Distinguished Paper Award.

Our work on multi-clock Lustre programs is funded by a contract with Airbus.

The ANR JCJC project “FidelR” led by T. Bourke began in 2020 and continues for four years.

Using Modelica at scale to model and simulate very large Cyber-Physical Systems. Principal industrial partner: Dassault-Systèmes. INRIA contacts are Benoit Caillaud (HYCOMES, Rennes) and Marc Pouzet (PARKAS, Paris).

Develop a software and hardware platform for tomorrow's intelligent systems. PARKAS collaborates with the industrial participants ANSYS/Esterel Technologies, Kalray, and Safran Electronics & Defense. Inria contacts are Marc Pouzet (PARKAS, Paris) and Fabrice Rastello (CORSE, Grenoble).

This project treats the modelling and analysis of Cyber-Physical Systems at large scale. The PARKAS team contributes their expertise in programming language design for reactive and hybrid systems to this multi-team effort.