6.1.1 Zelus

• Keywords:
  Numerical simulations, Compilers, Embedded systems, Hybrid systems
• Scientific Description:
  The Zélus implementation has two main parts: a compiler that transforms Zélus programs into OCaml programs and a runtime library that orchestrates compiled programs and numeric solvers. The runtime can use the Sundials numeric solver, or custom implementations of well-known algorithms for numerically approximating continuous dynamics.
• Functional Description:
  Zélus is a new programming language for hybrid system modeling. It is based on a synchronous language but extends it with Ordinary Differential Equations (ODEs) to model continuous-time behaviors. It allows for combining arbitrarily data-flow equations, hierarchical automata and ODEs. The language keeps all the fundamental features of synchronous languages: the compiler statically ensure the absence of deadlocks and critical races, it is able to generate statically scheduled code running in bounded time and space and a type-system is used to distinguish discrete and logical-time signals from continuous-time ones. The ability to combines those features with ODEs made the language usable both for programming discrete controllers and their physical environment.
• URL:
  https://­zelus.­di.­ens.­fr
• Publications:
  hal-03051954v1, hal-02333603v1, hal-02426533v1, inria-00554271v1, hal-01242732v1, hal-00654113v1, hal-00909029v1, hal-01575621v4, hal-01575631v1, hal-00766726v1, hal-00938891v1, hal-00654112v1, hal-01879026v1, hal-01549183v2, hal-00938866v1
• Contact:
  Marc Pouzet
• Participants:
  Marc Pouzet, Timothy Bourke
• Partner:
  ENS Paris

6.1.2 Vélus

• Name:
  Verified Lustre Compiler
• Keywords:
  Synchronous Language, Compilation, Software Verification, Coq, Ocaml
• Functional Description:
  Vélus is a prototype compiler from a subset of Lustre to assembly code. It is written in a mix of Coq and OCaml and incorporates the CompCert verified C compiler. The compiler includes formal specifications of the semantics and type systems of Lustre, as well as the semantics of intermediate languages, and a proof of correctness that relates the high-level dataflow model to the values produced by iterating the generated assembly code.
• Release Contributions:
  Vélus 3.0 introduces syntax and semantics for Lustre (previous versions only treated the normalized form of Lustre). It includes a verified normalization pass that transforms Lustre programs into NLustre programs.
• URL:
  https://­velus.­inria.­fr
• Publications:
  hal-01817949, hal-03287572, hal-01512286, hal-01403830, tel-03068862, hal-02005639, hal-02426573, hal-03370264
• Contact:
  Timothy Bourke
• Participants:
  Timothy Bourke, Basile Pesin, Paul Jeanmaire, Marc Pouzet

6.1.3 presseail

• Name:
  All-in-Lustre Compiler
• Keywords:
  Embedded systems, Compilers, Synchronous Language, Real-time application
• Functional Description:
  The input to the compiler is the rate-synchronous language described in our ECRTS 2023 article. The compiler generates and Integer Linear Programming (ILP) problem that includes data dependency and resource constraints. The problem is solved using an external solver and the resulting schedule is used by the compiler to generate sequential code using a generalization of the modular clock-driven compilation scheme used in modern Lustre/Scade compilers. The compiler implements special features for analyzing and eliminating cyclic data dependencies.
• Release Contributions:
  First version described in the ECRTS 2023 publication.
• Contact:
  Timothy Bourke

6.1.4 SundialsML

• Name:
  Sundials/ML
• Keywords:
  Simulation, Mathematics, Numerical simulations
• Scientific Description:

  Sundials/ML is a comprehensive OCaml interface to the Sundials suite of numerical solvers (CVODE, CVODES, IDA, IDAS, KINSOL). Its structure mostly follows that of the Sundials library, both for ease of reading the existing documentation and for adapting existing source code, but several changes have been made for programming convenience and to increase safety, namely:

  solver sessions are mostly configured via algebraic data types rather than multiple function calls,

  errors are signalled by exceptions not return codes (also from user-supplied callback routines),

  user data is shared between callback routines via closures (partial applications of functions),

  vectors are checked for compatibility (using a combination of static and dynamic checks), and

  explicit free commands are not necessary since OCaml is a garbage-collected language.

• Functional Description:
  Sundials/ML is an OCaml interface to the Sundials suite of numerical solvers (CVODE, CVODES, IDA, IDAS, KINSOL, ARKODE).
• Release Contributions:
  Sundials/ML v6.0.0p0 adds support for v5.x and v6.x of the Sundials Suite of numerical solvers. This includes the latest Arkode features, many vectors, and nonlinear solvers.
• URL:
  http://­inria-parkas.­github.­io/­sundialsml/
• Publications:
  hal-01408230v1, hal-01967659v1
• Contact:
  Timothy Bourke
• Participants:
  Jun Inoue, Marc Pouzet, Timothy Bourke

6.1.5 Heptagon

• Keywords:
  Compilers, Synchronous Language, Controller synthesis
• Functional Description:

  Heptagon is an experimental language for the implementation of embedded real-time reactive systems. It is developed inside the Synchronics large-scale initiative, in collaboration with Inria Rhones-Alpes. It is essentially a subset of Lucid Synchrone, without type inference, type polymorphism and higher-order. It is thus a Lustre-like language extended with hierchical automata in a form very close to SCADE 6. The intention for making this new language and compiler is to develop new aggressive optimization techniques for sequential C code and compilation methods for generating parallel code for different platforms. This explains much of the simplifications we have made in order to ease the development of compilation techniques.

  The current version of the compiler includes the following features: - Inclusion of discrete controller synthesis within the compilation: the language is equipped with a behavioral contract mechanisms, where assumptions can be described, as well as an "enforce" property part. The semantics of this latter is that the property should be enforced by controlling the behaviour of the node equipped with the contract. This property will be enforced by an automatically built controller, which will act on free controllable variables given by the programmer. This extension has been named BZR in previous works. - Expression and compilation of array values with modular memory optimization. The language allows the expression and operations on arrays (access, modification, iterators). With the use of location annotations, the programmer can avoid unnecessary array copies.

• URL:
  https://­gitlab.­inria.­fr/­synchrone/­heptagon
• Contact:
  Gwenaël Delaval
• Participants:
  Adrien Guatto, Brice Gelineau, Cédric Pasteur, Eric Rutten, Gwenaël Delaval, Léonard Gerard, Marc Pouzet
• Partners:
  UGA, ENS Paris, Inria, LIG

6.1.6 ZRun

• Name:
  The ZRun Synchronous Language Interpreter
• Functional Description:

  ZRun is an executable semantics of a synchronous data-flow language. It takes the form of a purely functional interpreter and is implemented in OCaml. The input of Zrun is a large subset of the language Zélus, but only its discrete-time (synchronous) subset. The basic primitives are those of Lustre: a unit non-initialized delay (pre), the initialization operator (->), the initialized delay (fby), and streams can be defined by mutually recursive definitions. It also provides richer programming constructs that were introduced in Lucid Synchrone and Scade 6, but are not in Lustre: the by-case definition of streams, the last computed value of a signal, hierarchical automata with parameters, stream functions with static parameters that are either know at compile time or at instanciation time, and two forms of iteratiors on arrays: the "forward" to perform an iteration in time, the "foreach" to perform an iteration on space.

  The objective of this prototype is to give a reference executable semantics that is independent of a compiler. It can be used, e.g., as an oracle for compiler testing, to execute unfinished programs or programs that are semantically correct but are statically rejected by the compiler.

• Release Contributions:

  Branch Master (2000) - v1.x. - first-order language, streams, hierarchical automata, by-case definition of streams, operator last.

  Branch Works (2023): - v2.x - static higher-order, hierarchical automata with parameters, valued signals. - arrays, - "forward" and "foreach" iterations.

• URL:
  https://­github.­com/­marcpouzet/­zrun
• Contact:
  Marc Pouzet

Denotational semantics for program verification:   

To date we have focused on proving the correctness of compilation passes. This involves specifying semantic models to define the input/output relation associated with a program, implementing compilation functions to transform the syntax of a program, and proving that the relation is unchanged by the functions. In addition to specifying compiler correctness, semantic models can also serve as a base for verifying individual programs. The challenge is to present and manipulate such detailed specifications in interactive proofs. The potential advantage is to be able to reason on abstract models and to obtain, via the compiler correctness theorem, proofs that apply to generated code. Making this idea work requires solving several scientific and technical challenges. It is the subject of Paul Jeanmaire 's thesis.

This year we completed the first phase of work to develop a Kahn-style semantics in Coq using C. Paulin-Mohring's library 31. The model treats the dataflow core of Lustre with resettable node instances as presented in our EMSOFT 2021 article 22 with the generalization to enumerated types. We show that, under specific conditions, the denotational model satisfies the relational predicates used in the compiler correctness proof. This allows us to strengthen the overall compiler correctness theorem. Rather than state “If a semantics exists for a program, then it is preserved by the generated code”, we show that “Under specific conditions, a semantics exists and it is preserved by the generated code”. The “specific conditions” are, as usual, that the source program satisfies typing and clock typing rules, but also, that it is not subject to run-time errors. Run-time errors cannot be ignored in our context of end-to-end proof. The CompCert definitions for several arithmetic and logical operators are partial, for example, integer division by zero is not defined. Such partiality simply propogates to the the Vélus relational model, but the denotational model is a total function and operator failures must thus be modeled explicitly. We expressed the absence of run-time errors as a predicate over the dynamic behavior of a program. We implemented a simple static analysis, that nevertheless suffices for many practical programs, and showed that it is a sufficient condition for the absence of run-time errors. The next version of the Vélus compiler will now print warning messages if the source program uses features not treated in the denotational model or if the simple static analysis cannot guarantee the absence of errors. In this case, it becomes the user's responsability to show that run-time errors cannot occur. We proved that the relational definition of resettable node instances, used in the compiler correctness proof, corresponds with two previously proposed functional definitions 26, 25. Clock typing constraints are necessary on a source program to maintain the possibility of a Kahn-style semantics. However, they can be relaxed within the compiler as successive passes rewrite the program into a normalized form, since the intermediate programs are assigned a synchronous semantics that defines the behaviour cycle-by-cycle. An article on these results has been submitted. Paul Jeanmaire defended his thesis on this topic in December 2024 15.

The PhD work of Paul Jeanmaire specifies when the semantic predicates of Vélus admit at least one solution. By building on a determinancy theorem within CompCert, we strengthened the Vélus correctness theorem to show that the generated code only has one behavior — the one that corresponds to the dataflow source semantics.

Scheduling and code generation for periodic streams:   

In this approach, the top-level node of a Lustre program is distinguished from inner nodes. It may contain special annotations to specify the triggering and other details of node instances from which separate “tasks” are to be generated. Special operators are introduced to describe the buffering between top-level instances. Notably, different forms of the when and current operators are provided. Some of the operators are under-specified and a constraint solver is used to determine their exact meaning, that is, whether the signal is delayed by zero, one, or more cycles of the receiving clock, which depends on the scheduling of the source and destination nodes. Scheduling is formalized as a constraint solving problem based on latency constraints between some pairs of input/outputs that are specified by the designer.

This year we continued working on the possibility of eliminating inter-period instantaneous cycles by adding constraints to the ILP scheduling problem. This problem is related to the detection of feedback arc sets for which there are two well-known encodings. Unfortunately, they can both induce a very large number of additional variables and constraints in the ILP encoding. This is not surprising since the base problem is NP-hard. We thus worked on mitigating heuristics. On the positive side, it turns out that our existing data-dependency and end-to-end latency constraints are readily generalized to allow for “variable concomitance” which may sometimes be useful for breaking instantanous cycles. In particular, we can require that the end-to-end latency along a cycle of data dependencies be strictly greater than zero. The ILP solver is then free to break dependencies by either scheduling the components in different phases or choosing concomitance values to prevent cycles during microscheduling. We presented these results at the workshop on Time-Centric Reactive Software as part of ESWEEK 2024 in Raleigh, NC, USA 13.

We also continued working on integration with the LoPHt compiler developed by Dumitru Potop Butucaru. In this approach, our compiler assigns tasks to phases and LoPHt parallelizes the tasks within a phase by allocating them to cores and adding additional synchronization instructions. We tested the combined toolchain on case studies provided by Airbus.

In parallel, we started experimenting with an alternative approach where the ILP constraints also encode the allocation of tasks to cores. In our approach, inter-core communications within a single cycle are forbidden, and additional synchronization instructions are thus not needed. Results to date have been mixed. For small examples where no equations execute at the base rate, the approach works well. For large examples, the solution process still takes an unreasonable amount of time. We tried reducing the problem size using graph partitioning techniques, but the size reduction is limited and feasible solutions are often eliminated unless many partitions are used, somewhat defeating the purpose of this approach. We are currently working on alternative encodings that we hope will reduce the solution time. New ideas are still required to handle applications containing equations that execute at the base rate.

Together with our collaborators at Airbus and support from the transfer (Estelle Gaspard), legal (Manon Coger), and financial (Odette Dabire) services of Inria Paris, we contributed to a project proposal on mixing control algorithms and matrix manipulations within a dataflow synchronous language.

This work is funded by direct industrial contracts with Airbus.

Distribution of the language

The language, its compiler and examples (release 2.1) are on GitHub. It is also available as an OPAM package. All the installation machinery has been greatly simplified.

The implementation of Zelus is now relatively mature. The language has been used in a collection of advances projects; the most important of the recent years being the design and implementation of ProbZelus on top of Zelus. This experiment called for several internal deep changes in the Zelus language.

One of the biggest troubles we faced when implementing Zélus was the lack of a tool to automatically test the compiler and to prototype language extensions before finding how to incorporate in the language and how to compile them. This is what motivated first our work on an executable semantics. The tool Zrun works well now. It is detailled in the Section below. Based on it, we have started a new implementation of Zélus with the objective that every pass of the compiler can be tested, using Zrun as an oracle.

In 2024, we have started a new implementation of Zélus and its compiler (see the current development at the Zélus repository. The main new features are the following:

• The input langage now include new programming constructs: functions parameterized by (integer) sizes that are ultimately known at compile-time. Size expressions can appear in the type of arrays (e.g., iterators) and to define recursive functions on sizes (e.g., FFT, recursive search by dichotomy). Two important new constructs have been added : the forward loop construct which iterate a stream function on an array (cf. PhD of Baptiste Pauget) and the foreach loop constructs which corresponds to running several stream functions in parallel (e.g., also called "multi-instanciation).
• The type system and compilation has been extended to deal with those new constructs. Through the techniques are classical and well understood (essentially, a simple variant of HM(X)), it have demanded quite an important work.
• The compiler is now paired with ZRun which is used as an oracle for (black-box, random) testing of the compiler.

We simplified and reorganised several parts of the compiler; e.g., a new implementation of the typing phrase, a new way of implementing the sequence of source-to-source transformations for generating sequential code; new static analyses; and the pairing with ZRun for testing the compiler. We also wanted that the compiler organisation to be easier for other to use it for their research and experiment with new ideas.

One promising extension is driven by Prof. Jean-Baptiste Jeannin (Univ. Michigan, Ann Arbor), who is spending a sabbatical year at Parkas (June 2024-June 2025). With his students, he develops MarVeLus, an extension of Zélus with refinement types. We collaborate on the extension of Zélus to integrate a new typing pass for formally verifying safety properties as types and expressed by synchronous observers.

Collaboration with Airbus

Participants: Timothy Bourke, Marc Pouzet.

Our work on multi-clock Lustre programs is funded by contracts with Airbus.

9.1.1 Visits of international scientists

• Jean-Baptiste Jeannin, Assistant Professor, University of Michigan — Ann Arbor, is on sabbatical in the team from 9/2024 until 8/2025.

10.1.1 Scientific events: organisation

10.1.2 Scientific events: selection

10.1.3 Journal

10.1.4 Invited talks

• Timothy Bourke gave a keynote talk at FDL 2024, Forum on Specification and Design Languages.

10.1.5 Research administration

• Timothy Bourke reviewed project proposals for the ANR.

10.2.1 Teaching

• Marc Pouzet is Director of Studies for the CS department, at ENS.
• Licence : Timothy Bourke : “Operating Systems” (L3), Lectures and TDs, ENS, France.
• Master : Marc Pouzet & Timothy Bourke , with presentations by Jean-Baptiste Jeannin, “Models and Languages for Programming Reactive Systems” (M1), Lectures and TDs, ENS, France.
• Master: Marc Pouzet & Timothy Bourke : “Synchronous Systems” (M2), Lectures and TDs, MPRI, France
• Master: Marc Pouzet : “Synchronous Reactive Languages” (M2), Lectures, Master CPS (Cyber-physical Systems, led by Sergio Mover (École Polytechnique).
• Master: Marc Pouzet "The Elements of Computing Systems". Cycle pluridisciplinaire d'études supérieures (CPES), L2.
• Master: Timothy Bourke : “A Programmer’s introduction to Computer Architectures and Operating Systems" (M1), École Polytechnique, France
• Master: Timothy Bourke presented two lectures and TPs on Synchronous Languages in Carlos Agon's course on concurrent models at Sorbonne Université.
• Bachelor: Timothy Bourke : “A Programmer’s introduction to Computer Architectures and Operating Systems" (L2), École Polytechnique, France
• Summer School: Timothy Bourke presented a course at the École Jeunes Chercheuses et Jeunes Chercheurs en Programmation, l'école du GDR GPL.

10.2.2 Supervision

• Marc Pouzet and Timothy Bourke supervised the PhD thesis of Gregoire Bussone .
• Timothy Bourke and Marc Pouzet supervised the PhD thesis of Paul Jeanmaire .
• Timothy Bourke supervised the L3 internship of Tita Philine Rosemeyer .
• Timothy Bourke and Marc Pouzet supervised the masters internship of Hector Denis-Blanchardon .
• Timothy Bourke and Marc Pouzet supervised the internship project of Remy Citerin .

10.2.3 Juries

• Timothy Bourke was an examiner for the “viva” of George Kaye at the University of Birmingham.

10.3.1 Others science outreach relevant activities

• Timothy Bourke gave “Chiche” presentations at Livry Gargan, Rocquencourt, and Saint-Denis.

International journals

• 13 articleT.Timothy Bourke and M.Marc Pouzet. Lustre, Fast First and Fresh.IEEE Embedded Systems Letters2024, 1-1HALDOIback to text

Invited conferences

• 14 inproceedingsG.Guillaume Baudart and C.Christine Tasson. Programmation réactive probabiliste.35es Journées Francophones des Langages Applicatifs (JFLA 2024)Saint-Jacut-de-la-Mer, FranceJanuary 2024HAL

Doctoral dissertations and habilitation theses

• 15 thesisP.Paul Jeanmaire. A denotational semantics for a verified synchronous compiler.Université PSL (Paris Sciences & Lettres)December 2024HALback to text

Reports & preprints

• 16 miscG.Guillaume Baudart, L.Louis Mandel and C.Christine Tasson. Density-Based Semantics for Reactive Probabilistic Programming.March 2024HAL