var y rs r rs exp e es r reset f es xs var x xs Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys var x xs Modular reset eqn x (restart f every y )( e ) r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs ⊢ ⊢ eqn x = f ( e ) ⊢ 7/22
var y rs r rs exp e es r reset f es xs var x xs Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys Modular reset eqn x (restart f every y )( e ) r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ 7/22
Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys var y rs r rs exp e es r reset f es xs var x xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset eqn x = (restart f every y )( e ) ⊢ 7/22
Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys var y rs r rs r reset f es xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset exp e ⇓ es var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22
Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys r rs r reset f es xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs ⊢ exp e ⇓ es var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22
Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys r reset f es xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22
Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es r ⊢ reset f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22
Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es r ⊢ reset f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ r ⊢ reset f ( xs ) ⇓ ys 7/22
FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es r ⊢ reset f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ Use of an universally quantifjed relation as a constraint: node f (mask k r xs ) ⇓ mask k ∀ k , ⊢ r ys r ⊢ reset f ( xs ) ⇓ ys 7/22
• validated parsing ( menhir --coq ) • elaboration to get clock and type information • i-translation to Stc code • scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments Implemented in Coq and (some) OCaml optimization initialization Obc generation Clight compilation CompCert Assembly printing 8/22
• elaboration to get clock and type information • i-translation to Stc code • scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc generation Clight compilation CompCert Assembly printing 8/22
• i-translation to Stc code • scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information generation Clight compilation CompCert Assembly printing 8/22
• scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation Clight compilation CompCert Assembly printing 8/22
• s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [BL09] [JPL12] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight compilation CompCert Assembly printing 8/22
• fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation CompCert Assembly printing 8/22
• initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert Assembly printing 8/22
• Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert • initialization of variable arguments Assembly printing 8/22
• Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert • initialization of variable arguments Assembly • Generation of Clight code printing 8/22
[Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert • initialization of variable arguments Assembly • Generation of Clight code printing • Rely on CompCert for compilation 8/22
SYNTACTIC GRANULARITY reset: schedulable separate construct SEMANTIC GRANULARITY transient states WHY STC? Two issues: 9/22
SEMANTIC GRANULARITY transient states WHY STC? Two issues: SYNTACTIC GRANULARITY reset: schedulable separate construct 9/22
WHY STC? Two issues: SYNTACTIC GRANULARITY reset: schedulable separate construct SEMANTIC GRANULARITY transient states 9/22
Problem with fusion optimization: x, ax = (restart ins every r)(x0, u); y, ay = (restart ins every r)(y0, v); Schedule node applications and resets separately FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) 10/22
Schedule node applications and resets separately FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) Problem with fusion optimization: if ck_r { x, ax = (restart ins every r)(x0, u); if r { ins(i).reset() } y, ay = (restart ins every r)(y0, v); }; x, ax := ins(i).step(x0, u); if ck_r { if r { ins(j).reset() } }; y, ay := ins(j).step(y0, v) 10/22
Schedule node applications and resets separately FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) Problem with fusion optimization: if ck_r { x, ax = (restart ins every r)(x0, u); if r { y, ay = (restart ins every r)(y0, v); ins(i).reset(); ins(j).reset() } }; x, ax := ins(i).step(x0, u); y, ay := ins(j).step(y0, v) 10/22
FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) Problem with fusion optimization: if ck_r { x, ax = (restart ins every r)(x0, u); if r { y, ay = (restart ins every r)(y0, v); ins(i).reset(); ins(j).reset() } }; x, ax := ins(i).step(x0, u); y, ay := ins(j).step(y0, v) → Schedule node applications and resets separately 10/22
SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22
SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22
SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22
SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22
• The “easy” proof can be done • The “hard” one failed SECOND ISSUE: PROOF OF CORRECTNESS What about the reset? • Similar semantics in the memory model 11/22
• The “hard” one failed SECOND ISSUE: PROOF OF CORRECTNESS What about the reset? • Similar semantics in the memory model • The “easy” proof can be done 11/22
SECOND ISSUE: PROOF OF CORRECTNESS What about the reset? • Similar semantics in the memory model • The “easy” proof can be done • The “hard” one failed 11/22
• Reset as a separate construct • Explicit state, as in the memory model of NLustre • Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre 12/22
• Explicit state, as in the memory model of NLustre • Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct 12/22
• Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct • Explicit state, as in the memory model of NLustre 12/22
scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct • Explicit state, as in the memory model of NLustre • Transient states 12/22
STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct • Explicit state, as in the memory model of NLustre • Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 12/22
NLUSTRE STC scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 13/22
NLUSTRE STC system euler { init i = true, px = 0.; node euler(x0, u: double) returns (x: double); transition (x0, u: double) var i: bool, px: double; returns (x: double) let { i = true fby false; next i = false; x = if i then x0 else px; x = if i then x0 else px; px = 0.0 fby (x + 0.1 * u); next px = x + 0.1 * u; tel } } 13/22
NLUSTRE STC system euler { init i = true, px = 0.; node euler(x0, u: double) returns (x: double); transition (x0, u: double) var i: bool, px: double; returns (x: double) let { i = true fby false; next i = false; x = if i then x0 else px; x = if i then x0 else px; px = 0.0 fby (x + 0.1 * u); next px = x + 0.1 * u; tel } } 13/22
NLUSTRE STC system euler { init i = true, px = 0.; node euler(x0, u: double) returns (x: double); transition (x0, u: double) var i: bool, px: double; returns (x: double) let { i = true fby false; next i = false; x = if i then x0 else px; x = if i then x0 else px; px = 0.0 fby (x + 0.1 * u); next px = x + 0.1 * u; tel } } 13/22
NLUSTRE STC system ins { init k = 0, px = 0.; node ins(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var k: int, px: double, transition (gps, xv: double) xe: double whenot alarm; returns (x: double, alarm: bool) let var xe: double whenot alarm; k = 0 fby k + 1; { alarm = (k ≥ 50); next k = k + 1; xe = euler(gps whenot alarm, alarm = (k ≥ 50); xv whenot alarm); xe = euler<xe,0>(gps whenot alarm, x = merge alarm (px when alarm) xe; xv whenot alarm); px = 0. fby x; x = merge alarm (px when alarm) xe; tel next px = x; } } 13/22
NLUSTRE STC system ins { init k = 0, px = 0.; node ins(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var k: int, px: double, transition (gps, xv: double) xe: double whenot alarm; returns (x: double, alarm: bool) let var xe: double whenot alarm; k = 0 fby k + 1; { alarm = (k ≥ 50); next k = k + 1; xe = euler(gps whenot alarm, alarm = (k ≥ 50); xv whenot alarm); xe = euler<xe,0>(gps whenot alarm, x = merge alarm (px when alarm) xe; xv whenot alarm); px = 0. fby x; x = merge alarm (px when alarm) xe; tel next px = x; } } 13/22
NLUSTRE STC system driver { sub x: ins, y: ins; node driver(x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; let { x, ax = (restart ins every r)(x0, u); x, ax = ins<x,1>(x0, u); y, ay = (restart ins every r)(y0, v); reset ins<x> every (. on r); tel y, ay = ins<y,1>(y0, v); reset ins<y> every (. on r); } } 13/22
NLUSTRE STC system driver { sub x: ins, y: ins; node driver(x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; let { x, ax = (restart ins every r)(x0, u); x, ax = ins<x,1>(x0, u); y, ay = (restart ins every r)(y0, v); reset ins<x> every (. on r); tel y, ay = ins<y,1>(y0, v); reset ins<y> every (. on r); } } 13/22
NLUSTRE STC system driver { sub x: ins, y: ins; node driver(x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; let { x, ax = (restart ins every r)(x0, u); x, ax = ins<x,1>(x0, u); y, ay = (restart ins every r)(y0, v); reset ins<x> every (. on r); tel y, ay = ins<y,1>(y0, v); reset ins<y> every (. on r); } } 13/22
SCHEDULING scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 14/22
SCHEDULING system driver { system driver { sub x: ins, y: ins; sub x: ins, y: ins; transition (x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; { { x, ax = ins<x,1>(x0, u); reset ins<x> every (. on r); reset ins<x> every (. on r); reset ins<y> every (. on r); y, ay = ins<y,1>(y0, v); x, ax = ins<x,1>(x0, u); reset ins<y> every (. on r); y, ay = ins<y,1>(y0, v); } } } } 14/22
STC OBC scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 15/22
STC OBC class euler { state i: bool, px: double; system euler { init i = true, px = 0.; step(x0, u: double) returns (x: double) transition (x0, u: double) { returns (x: double) if state (i) { x := x0 } { else { x := state (px) }; x = if i then x0 else px; state (i) := false; next i = false; state (px) := x + 0.1 * u next px = x + 0.1 * u; } } } reset() { state (i) := true; state (px) := 0. } } 15/22
STC OBC class euler { state i: bool, px: double; system euler { init i = true, px = 0.; step(x0, u: double) returns (x: double) transition (x0, u: double) { returns (x: double) if state (i) { x := x0 } { else { x := state (px) }; x = if i then x0 else px; state (i) := false; next i = false; state (px) := x + 0.1 * u next px = x + 0.1 * u; } } } reset() { state (i) := true; state (px) := 0. } } 15/22
STC OBC class euler { state i: bool, px: double; system euler { init i = true, px = 0.; step(x0, u: double) returns (x: double) transition (x0, u: double) { returns (x: double) if state (i) { x := x0 } { else { x := state (px) }; x = if i then x0 else px; state (i) := false; next i = false; state (px) := x + 0.1 * u next px = x + 0.1 * u; } } } reset() { state (i) := true; state (px) := 0. } } 15/22
STC OBC class ins { state k: int, px: double; instance xe: euler; system ins { init k = 0, px = 0.; step(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var xe: double transition (gps, xv: double) { returns (x: double, alarm: bool) alarm := state (k) ≥ 50; var xe: double whenot alarm; state (k) := state (k) + 1; { if alarm { } alarm = (k ≥ 50); else { xe := euler(xe).step(gps, xv) }; next k = k + 1; if alarm { x := state (px) } xe = euler<xe,0>(gps whenot alarm, else { x := xe }; xv whenot alarm); state (px) := x x = merge alarm (px when alarm) xe; } next px = x; } reset() { state (k) := 0; } state (px) := 0.; euler(xe).reset() } } 15/22
STC OBC class ins { state k: int, px: double; instance xe: euler; system ins { init k = 0, px = 0.; step(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var xe: double transition (gps, xv: double) { returns (x: double, alarm: bool) alarm := state (k) ≥ 50; var xe: double whenot alarm; state (k) := state (k) + 1; { if alarm { } alarm = (k ≥ 50); else { xe := euler(xe).step(gps, xv) }; next k = k + 1; if alarm { x := state (px) } xe = euler<xe,0>(gps whenot alarm, else { x := xe }; xv whenot alarm); state (px) := x x = merge alarm (px when alarm) xe; } next px = x; } reset() { state (k) := 0; } state (px) := 0.; euler(xe).reset() } } 15/22
STC OBC class driver { instance x: ins, y: ins; system driver { sub x: ins, y: ins; step(x0, y0, u, v: double, r: bool) transition (x0, y0, u, v: double, returns (x, y: double) r: bool) var ax, ay: bool returns (x, y: double) { var ax, ay: bool; if r { ins(x).reset() }; { if r { ins(y).reset() }; reset ins<x> every (. on r); x, ax := ins(x).step(x0, u); reset ins<y> every (. on r); y, ay := ins(y).step(y0, v) x, ax = ins<x,1>(x0, u); } y, ay = ins<y,1>(y0, v); } reset() { ins(x).reset(); } ins(y).reset() } } 15/22
FUSION OPTIMIZATION scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 16/22
FUSION OPTIMIZATION class ins { class ins { state k: int, px: double; state k: int, px: double; instance xe: euler; instance xe: euler; step(gps, xv: double) step(gps, xv: double) returns (x: double, alarm: bool) returns (x: double, alarm: bool) var xe: double var xe: double { { alarm := state (k) ≥ 50; alarm := state (k) ≥ 50; state (k) := state (k) + 1; state (k) := state (k) + 1; if alarm { x := state (px) } if alarm { } else { else { xe := euler(xe).step(gps, xv) }; xe := euler(xe).step(gps, xv); if alarm { x := state (px) } x := xe else { x := xe }; }; state (px) := x state (px) := x } } reset() { state (k) := 0; reset() { state (k) := 0; state (px) := 0.; state (px) := 0.; euler(xe).reset() } euler(xe).reset() } } } 16/22
FUSION OPTIMIZATION class ins { class ins { state k: int, px: double; state k: int, px: double; instance xe: euler; instance xe: euler; step(gps, xv: double) step(gps, xv: double) returns (x: double, alarm: bool) returns (x: double, alarm: bool) var xe: double var xe: double { { alarm := state (k) ≥ 50; alarm := state (k) ≥ 50; state (k) := state (k) + 1; state (k) := state (k) + 1; if alarm { x := state (px) } if alarm { } else { else { xe := euler(xe).step(gps, xv) }; xe := euler(xe).step(gps, xv); if alarm { x := state (px) } x := xe else { x := xe }; }; state (px) := x state (px) := x } } reset() { state (k) := 0; reset() { state (k) := 0; state (px) := 0.; state (px) := 0.; euler(xe).reset() } euler(xe).reset() } } } 16/22
FUSION OPTIMIZATION class driver { class driver { instance x: ins, y: ins; instance x: ins, y: ins; step(x0, y0, u, v: double, step(x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool var ax, ay: bool { { if r { if r { ins(x).reset() }; ins(x).reset(); if r { ins(y).reset() }; ins(y).reset() x, ax := ins(x).step(x0, u); }; y, ay := ins(y).step(y0, v) x, ax := ins(x).step(x0, u); } y, ay := ins(y).step(y0, v) } reset() { ins(x).reset(); ins(y).reset() } reset() { ins(x).reset(); } ins(y).reset() } } 16/22
FUSION OPTIMIZATION class driver { class driver { instance x: ins, y: ins; instance x: ins, y: ins; step(x0, y0, u, v: double, step(x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool var ax, ay: bool { { if r { if r { ins(x).reset() }; ins(x).reset(); if r { ins(y).reset() }; ins(y).reset() x, ax := ins(x).step(x0, u); }; y, ay := ins(y).step(y0, v) x, ax := ins(x).step(x0, u); } y, ay := ins(y).step(y0, v) } reset() { ins(x).reset(); ins(y).reset() } reset() { ins(x).reset(); } ins(y).reset() } } 16/22
• Declarative f f r T r F S S S S g g g reset S i I i S i S i I i S i initial initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } 17/22
• Declarative f r F S S g S i I i S i initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f r = T S S ′ g g reset S [ i ] I [ i ] S ′ [ i ] initial 17/22
• Declarative f r F S S g S i I i S i initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f r = T S S ′ g g reset S [ i ] I [ i ] S ′ [ i ] initial 17/22
• Declarative f r F S S g S i I i S i initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f r = T S S ′ g g reset S [ i ] I [ i ] S ′ [ i ] initial 17/22
• Declarative STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22
• Declarative STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22
• Declarative STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22
STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { y = g<i,1>(x); • Declarative reset g<i> every (. on r); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22
Recommend
More recommend