Mechanized semantics and verified compilation for a dataflow synchronous language with reset

Abstract
Specifications based on block diagrams and state machines are used to design control software, especially in the certified development of safety-critical applications. Tools like SCADE Suite and Simulink/Stateflow are equipped with compilers that translate such specifications into executable code. They provide programming languages for composing functions over streams as typified by Dataflow Synchronous Languages like Lustre.
Recent work builds on CompCert to specify and verify a compiler for the core of Lustre in the Coq Interactive Theorem Prover. It formally links the stream-based semantics of the source language to the sequential memory manipulations of generated assembly code. We extend this work to treat a primitive for resetting subsystems. Our contributions include new semantic rules that are suitable for mechanized reasoning, a novel intermediate language for generating optimized code, and proofs of correctness for the associated compilation passes.
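As an added illustration, not code from the paper or its compiler, the following C sketches the shape of sequential code that the modular compilation scheme produces for a counter node wrapped in a reset: every node becomes a memory struct with a `reset` method that re-initialises it and a `step` method that computes one synchronous instant, and `(restart f every r)` becomes a conditional call to the sub-instance's `reset` just before its `step`. The Lustre node, the C names and the input streams are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed source node (illustrative Lustre syntax):
 *   node counter(ini, inc: int) returns (n: int)
 *   let n = ini -> pre n + inc; tel
 * The 'init' flag implements `->`; 'pre_n' holds the value of `pre n`. */
typedef struct { bool init; int pre_n; } counter_mem;

/* reset method: put the memory back to its initial state.
 * It must be called once before the first step of every instance. */
static void counter_reset(counter_mem *m) { m->init = true; m->pre_n = 0; }

/* step method: one synchronous instant of n = ini -> pre n + inc */
static int counter_step(counter_mem *m, int ini, int inc) {
    int n = m->init ? ini : m->pre_n + inc;
    m->init = false;
    m->pre_n = n;
    return n;
}

/* Constructed caller:
 *   node reset_counter(ini, inc: int; r: bool) returns (n: int)
 *   let n = (restart counter every r)(ini, inc); tel
 * Its memory contains the callee's memory as a sub-instance. */
typedef struct { counter_mem c; } reset_counter_mem;

static void reset_counter_reset(reset_counter_mem *m) { counter_reset(&m->c); }

/* When r holds at an instant, the sub-instance is re-initialised before its
 * step, so the output at that instant is the one counter gives at its very
 * first instant; the state from before the reset is discarded entirely. */
static int reset_counter_step(reset_counter_mem *m, int ini, int inc, bool r) {
    if (r) counter_reset(&m->c);
    return counter_step(&m->c, ini, inc);
}

/* Constructed reset stream: r is true at the fourth instant only. */
#define LEN 6
static const bool RESET_STREAM[LEN] = { false, false, false, true, false, false };

/* Run reset_counter with ini = 0, inc = 1 over RESET_STREAM and return the
 * output at instant k (0-based). Expected stream: 0 1 2 0 1 2 */
static int output_at(int k) {
    reset_counter_mem m;
    reset_counter_reset(&m);
    int n = 0;
    for (int i = 0; i <= k && i < LEN; i++)
        n = reset_counter_step(&m, 0, 1, RESET_STREAM[i]);
    return n;
}

int main(void) {
    for (int k = 0; k < LEN; k++) printf("%d ", output_at(k));
    printf("\n");
    return 0;
}
```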