A formally verified compiler for Lustre

Published: 14 June 2017

Abstract

The correct compilation of block diagram languages like Lustre, Scade, and a discrete subset of Simulink is important since they are used to program critical embedded control software. We describe the specification and verification in an Interactive Theorem Prover of a compilation chain that treats the key aspects of Lustre: sampling, nodes, and delays. Building on CompCert, we show that repeated execution of the generated assembly code faithfully implements the dataflow semantics of source programs.

We resolve two key technical challenges. The first is the change from a synchronous dataflow semantics, where programs manipulate streams of values, to an imperative one, where computations manipulate memory sequentially. The second is the verified compilation of an imperative language with encapsulated state to C code where the state is realized by nested records. We also treat a standard control optimization that eliminates unnecessary conditional statements.
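The two challenges above, as an added illustration that is not code from the paper or from its compiler: a constructed Lustre-style program with a delay (`fby`), a sampled node instance (`when`) and a `merge`, next to the kind of imperative C it compiles to, where each node's memory is a record and a sub-node instance is a nested record. All node names, field names and the input trace are made up for the example.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed Lustre-style source (not from the paper):
 *
 *   node count(ini, inc: int; res: bool) returns (n: int)
 *   let n = if res then ini else (0 fby n) + inc; tel
 *
 *   node main(x: int; s: bool) returns (y: int)
 *   var c: int;
 *   let c = count(0, x, false) when s;         -- c present only when s
 *       y = merge s c ((0 fby y) when not s);  -- hold previous y otherwise
 *   tel
 */

/* Encapsulated state: each node's delays live in a record, and the instance
 * of count used by main is a nested record inside main's memory. */
struct count_mem { int n_fby; };                          /* memory of 0 fby n */
struct main_mem  { int y_fby; struct count_mem c_inst; }; /* memory of 0 fby y */

static void count_reset(struct count_mem *m) { m->n_fby = 0; }
static void main_reset(struct main_mem *m) {
    m->y_fby = 0;
    count_reset(&m->c_inst);
}

/* One synchronous instant of count: read the delay, compute n, update it. */
static int count_step(struct count_mem *m, int ini, int inc, int res) {
    int n = res ? ini : m->n_fby + inc;
    m->n_fby = n;
    return n;
}

/* One instant of main. A naive translation emits two conditionals on the
 * same clock s, one for the sampled call and one for the merge:
 *     if (s) c = count_step(...);
 *     if (s) y = c; else y = m->y_fby;
 * The control optimization mentioned in the abstract fuses them into the
 * single if/else below; the sub-node's memory advances only when s holds. */
static int main_step(struct main_mem *m, int x, int s) {
    int y;
    if (s) {
        y = count_step(&m->c_inst, 0, x, 0);   /* c = count(0, x, false) when s */
    } else {
        y = m->y_fby;                           /* (0 fby y) when not s */
    }
    m->y_fby = y;                               /* 0 fby y is on the base clock */
    return y;
}

/* Repeated execution of the step function over an input trace: the sequence
 * of outputs must equal the stream denoted by the dataflow equations. */
static void run_main(int len, const int x[], const int s[], int y[]) {
    struct main_mem m;
    main_reset(&m);
    for (int i = 0; i < len; i++) y[i] = main_step(&m, x[i], s[i]);
}

/* Constructed trace. From the stream semantics, instant by instant:
 *   s: 1 0  1  1  0  0  1     c (on clock s): 5, 5+7=12, 12+1=13, 13+4=17
 *   y: 5 5 12 13 13 13 17 */
int main(void) {
    const int x[] = {5, 9, 7, 1, 2, 8, 4};
    const int s[] = {1, 0, 1, 1, 0, 0, 1};
    int y[7];
    run_main(7, x, s, y);
    for (int i = 0; i < 7; i++) printf("%d ", y[i]);
    printf("\n");
    return 0;
}
```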

