Section: New Results
Real-Time multicore programming
Participants: Vagelis Bebelis, Adnan Bouakaz, Pascal Fradet, Alain Girault, Gregor Goessler, Xavier Nicollin, Jean-Bernard Stefani.
A time predictable programming language for multicores
Time predictability (PRET) is a topic that emerged in 2007 as a solution to the ever-increasing unpredictability of today's embedded processors, which results from features such as multi-level caches or deep pipelines [59]. For many real-time systems, it is mandatory to compute a strict bound on the program's execution time. Yet, in general, computing a tight bound is extremely difficult [92]. The rationale of PRET is to simplify both the programming language and the execution platform so that precise execution times can be computed easily [38].
Following our past results on the PRET-C programming language [36], we have proposed a time-predictable synchronous programming language for multicores, called ForeC. It extends C with a small set of Esterel-like synchronous primitives to express concurrency, interaction with the environment, looping, and a synchronization barrier [93] (like the pause statement in Esterel). ForeC threads communicate with each other via shared variables, the values of which are combined at the end of each tick to maintain deterministic execution. ForeC is compiled into threads that are then statically scheduled for a target multicore chip. Our WCET analysis takes into account the accesses to the shared TDMA bus and the administration needed for the shared variables. We achieve a very precise WCET (the over-approximation being less than $2\%$) thanks to a reachable-space exploration of the threads' states.
Recent results have addressed the semantics, the compiler, and the experiments. In particular, we have sought to provide several combine policies for shared variables, in a way similar to concurrent revisions [49].
This work has been conducted within the Rippes associated team.
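The tick-level merging of shared variables described above, as an added illustration that is not ForeC's compiler or runtime: each thread gets a private copy of the shared variables for the tick, and at the barrier the copies that were written are folded with a per-variable combine policy. The variable names, the `add`/`or` policies and the three sensor threads are constructed for this example, and the simplified merge rule is an assumption rather than ForeC's exact semantics.

```python
import operator
from itertools import permutations

# Combine policies chosen for this illustration (assumed; a ForeC program
# would declare its own). Both are commutative and associative, which is
# what makes the merge independent of the thread order.
COMBINE = {"total": operator.add, "alarm": operator.or_}

def run_tick(shared, threads, combine):
    """Execute one synchronous tick.

    Every thread works on its own copy of the shared variables; at the
    tick barrier the copies that were written are merged with the
    variable's combine policy. Returns the new shared state."""
    copies = []
    for thread in threads:
        local = dict(shared)          # private copy for this tick
        thread(local)                 # thread runs up to its barrier
        copies.append(local)
    merged = {}
    for var, old in shared.items():
        written = [c[var] for c in copies if c[var] != old]
        if not written:               # nobody wrote it: value persists
            merged[var] = old
        else:                         # fold the writes with the policy
            acc = written[0]
            for value in written[1:]:
                acc = combine[var](acc, value)
            merged[var] = acc
    return merged

# Constructed threads: two sensors publish their reading into a shared
# total, one of them also raises an alarm, the third thread only reads.
def sensor_a(local):
    local["total"] = 2

def sensor_b(local):
    local["total"] = 3
    local["alarm"] = True

def monitor(local):
    _ = local["total"]                # read-only access, no write

def deterministic_over_orderings(shared, threads, combine):
    """True if every scheduling order of the threads yields the same state."""
    outcomes = {tuple(sorted(run_tick(shared, list(p), combine).items()))
                for p in permutations(threads)}
    return len(outcomes) == 1
```

Because the policies are commutative and associative, `deterministic_over_orderings` returns True for every permutation of the threads, which is the property the tick-end combine is meant to guarantee.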
Modular distribution of synchronous programs
Synchronous programming languages describe functionally centralized systems, where every value, input, output, or function is always directly available for every operation. However, most embedded systems are nowadays composed of several computing resources. The aim of this work is to provide a language-oriented solution to describe functionally distributed reactive systems. This research started within the Inria large-scale action Synchronics and is a joint work with Marc Pouzet (ENS, Parkas team from Rocquencourt) and Gwenaël Delaval (UGA, CtrlA team from Grenoble).
We are working on defining a fully-conservative extension of a synchronous dataflow programming language (the Heptagon language, inspired by Lucid Synchrone [51]). The extension adds, by means of annotations, abstract location parameters to functions and communications of values between locations. At deployment, every abstract location is assigned an actual one; this yields an executable for each actual computing resource. Compared to the PhD of Gwenaël Delaval [56], [57], the goal here is to achieve modular distribution even in the presence of non-static clocks, i.e., clocks defined according to the value of inputs.
By fully-conservative, we have three aims in mind:
A non-annotated (i.e., centralized) program will be compiled exactly as before;
An annotated program eventually deployed onto only one computing location will behave exactly as its centralized counterpart;
The input-output semantics of a distributed program is the same as its centralized counterpart.
By modular, we mean that we want to compile each function of the program into a single function capable of running on any computing location. At deployment, the program of each location may be optimized (by simple Boolean constant propagation, dead-code and unused-variable elimination), yielding different optimized code for each computing location.
We have formalized the type system for inferring the location of each variable and computation. In the presence of local clocks, additional information is computed from the existing clock calculus and the location calculus, to infer the necessary communication of clocks between locations. The overall structure of the new compiler is defined, including new algorithms for deployment (and code optimization), achieving the three aims detailed above.
Analysis and scheduling of parametric dataflow models
Recent dataflow programming environments support applications whose behavior is characterized by dynamic variations in resource requirements. The high expressive power of the underlying models (e.g., Kahn Process Networks or the CAL actor language) makes it challenging to ensure predictable behavior. In particular, checking liveness (i.e., no part of the system will deadlock) and boundedness (i.e., the system can be executed in finite memory) is known to be hard or even undecidable for such models. This situation is troublesome for the design of high-quality embedded systems.
Recently, we have introduced the Schedulable Parametric DataFlow (SPDF) MoC for dynamic streaming applications [62], which extends the standard dataflow model by allowing rates to be parametric, and the Boolean Parametric Data Flow (BPDF) MoC [42], [41], which combines integer parameters (to express dynamic rates) and Boolean parameters (to express the activation and deactivation of communication channels). High dynamicity is provided by integer parameters, which can change at each basic iteration, and Boolean parameters, which can change even within the iteration. We have presented static analyses that ensure the liveness and the boundedness of BPDF graphs.
This year, we have focused on the symbolic analysis of parametric dataflow graphs. This work has been conducted within the Rippes associated team.
Synthesis of switching controllers using approximately bisimilar multi-scale abstractions
The use of discrete abstractions for continuous dynamics has become standard in hybrid systems design (see e.g., [90] and the references therein). The main advantage of this approach is that it offers the possibility to leverage controller synthesis techniques developed in the area of supervisory control of discrete-event systems [83]. The first attempts to compute discrete abstractions for hybrid systems were based on traditional behavioral relationships between systems, such as simulation or bisimulation, initially proposed for discrete systems, most notably in the area of formal methods. These notions require inclusion or equivalence of observed behaviors, which is often too restrictive when dealing with systems observed over metric spaces. For such systems, a more natural abstraction requirement is to ask for closeness of observed behaviors. This leads to the notions of approximate simulation and bisimulation introduced in [63].
These approaches are based on sampling of time and space, where the sampling parameters must satisfy some relation in order to obtain abstractions of a prescribed precision. In particular, the smaller the time sampling parameter, the finer the lattice used for approximating the state space; this may result in abstractions with a very large number of states when the sampling period is small. However, there are a number of applications where sampling has to be fast, though this is generally necessary only on a small part of the state space. We have been exploring two approaches to overcome this state-space explosion.
We are currently investigating an approach using mode sequences of given length as symbolic states for our abstractions. By using mode sequences of variable length we are able to adapt the granularity of our abstraction to the dynamics of the system, so as to automatically trade off precision against controllability of the abstract states.
Typical Worst-Case Analysis of real-time systems
We focus on the problem of computing tight deadline miss models for real-time systems, which bound the number of potential deadline misses in a given sequence of activations of a task. In practical applications, such guarantees are often sufficient because many systems are in fact not hard real-time. Our major contribution this year is a general formulation of that problem in the context of systems where some tasks occasionally experience sporadic overload [26]. Based on this new formulation, we present an algorithm that can take into account fine-grained effects of overload at the input of different tasks when computing deadline miss bounds. We show in experiments with synthetic as well as industrial data that our algorithm produces bounds that are much tighter than in previous work, in sufficiently short time. In addition, we improve, in the preemptive case, the criterion proposed in [71] for establishing how much overload can be tolerated in a time window while still guaranteeing absence of deadline misses: our new criterion is a necessary and sufficient condition (as opposed to the sufficient condition of [71]) and therefore yields better results.
In parallel, we have developed an extension of sensitivity analysis for budgeting in the design of weakly-hard real-time systems. During design, it often happens that some parts of a task set are fully specified while other parameters, e.g. regarding recovery or monitoring tasks, will be available only much later. In such cases, sensitivity analysis can help anticipate how these missing parameters can influence the behavior of the whole system, so that a resource budget can be allocated to them. It is, however, sufficient in many application contexts to budget these tasks so as to preserve weakly-hard rather than hard guarantees. We have thus developed an extension of sensitivity analysis for deriving task budgets for systems with hard and weakly-hard requirements. We are currently validating our approach on synthetic test cases and a realistic case study provided by our partner Thales.