Abstract
The correct compilation of block diagram languages like Lustre, Scade, and a discrete subset of Simulink is important since they are used to program critical embedded control software. We describe the specification and verification in an Interactive Theorem Prover of a compilation chain that treats the key aspects of Lustre: sampling, nodes, and delays. Building on CompCert, we show that repeated execution of the generated assembly code faithfully implements the dataflow semantics of source programs.
We resolve two key technical challenges. The first is the change from a synchronous dataflow semantics, where programs manipulate streams of values, to an imperative one, where computations manipulate memory sequentially. The second is the verified compilation of an imperative language with encapsulated state to C code where the state is realized by nested records. We also treat a standard control optimization that eliminates unnecessary conditional statements.
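The two semantics the abstract contrasts, as an added example that is not code from the paper: a constructed Lustre node `count_ticks` with a sampled variable (`when`/`merge`) and two delays (`fby`), its stream semantics computed as a least fixpoint over whole streams, and the step function with encapsulated state (one nested record per node instance, conditionals on the same clock fused) that a clock-directed compiler would emit. The operator definitions and both nodes are simplified models assumed here, not the paper's own definitions.

```python
"""Constructed Lustre nodes (not from the paper); `k` is sampled on `tick`:
    node count_ticks(tick: bool) returns (n: int)
    var k: int when tick;
    let k = (0 fby k) + 1;  n = merge tick k ((0 fby n) when not tick); tel
    node main(a, b: bool) returns (d: int) let d = count_ticks(a) - count_ticks(b); tel
"""
ABSENT = None        # stream value at instants where its clock is off
BOTTOM = object()    # not yet determined during fixpoint iteration

def fby(v0, xs, clk: list):
    """Initialised delay: xs is present exactly where clk holds."""
    out, prev = [], v0
    for x, c in zip(xs, clk):
        out.append(prev if c else ABSENT)
        if c:
            prev = x      # a BOTTOM here leaves later values undetermined
    return out
def when(xs, cond: list, on: bool):
    """Sampling: keep xs only at instants where cond equals `on`."""
    return [x if c == on else ABSENT for x, c in zip(xs, cond)]
def merge(cond: list, xt, xf):
    """Complementary sampled streams recombined on cond's clock."""
    return [t if c else f for c, t, f in zip(cond, xt, xf)]
def lift(f, *ss):
    """Pointwise operator; absence and indeterminacy propagate."""
    return [BOTTOM if any(v is BOTTOM for v in vs) else
            ABSENT if any(v is ABSENT for v in vs) else f(*vs) for vs in zip(*ss)]

def count_ticks_streams(tick: list) -> list:
    """Dataflow semantics: least fixpoint of the equations over whole streams."""
    k = n = [BOTTOM] * len(tick)
    while True:
        k2 = lift(lambda v: v + 1, fby(0, k, tick))
        n2 = merge(tick, k2, when(fby(0, n, [True] * len(tick)), tick, False))
        if (k2, n2) == (k, n):
            return n
        k, n = k2, n2
def main_streams(a: list, b: list) -> list:
    return lift(lambda x, y: x - y, count_ticks_streams(a), count_ticks_streams(b))

class CountTicks:
    """Compiled node: its two fby registers form one memory record."""
    def __init__(self):
        self.k_reg, self.n_reg = 0, 0
    def step(self, tick: bool) -> int:
        # A single `if tick` guards k, its register update and the merge:
        # consecutive conditionals on the same clock are fused.
        if tick:
            self.k_reg = n = self.k_reg + 1
        else:
            n = self.n_reg
        self.n_reg = n
        return n
class Main:
    """Caller state nests one record per node instance it calls."""
    def __init__(self):
        self.ca, self.cb = CountTicks(), CountTicks()
    def step(self, a: bool, b: bool) -> int:
        return self.ca.step(a) - self.cb.step(b)
    def run(self, a: list, b: list) -> list:
        """Repeated execution of the step function on a whole input sequence."""
        return [self.step(x, y) for x, y in zip(a, b)]
```

For any input sequence, `Main().run(a, b)` and `main_streams(a, b)` coincide; the paper proves this kind of agreement for all source programs down to the generated assembly.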
A formally verified compiler for Lustre
PLDI 2017: Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation