Equation-Directed Axiomatization of Lustre Semantics to Enable Optimized Code Validation

Published: 09 September 2023

Abstract

Model-based design tools like SCADE Suite and Simulink are often used to design safety-critical embedded software. Consequently, generating correct code from such models is crucial. We tackle this challenge on Lustre, a dataflow synchronous language that embodies the concepts that base such tools. Instead of proving correct a whole code generator, we turn an existing compiler into a certifying compiler from Lustre to C, following a translation validation approach.
We propose a solution that generates both C code and an attached specification expressing a correctness result for the generated and optionally optimized code. The specification yields proof obligations that are discharged by external solvers through the Frama-C platform.
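To make the abstract's idea concrete, here is a constructed illustration of what "C code plus an attached specification" looks like for a tiny Lustre node. This is added example code, not output of the paper's tool and not its axiomatization: the node `counter` (with `0 -> pre n + 1` and a synchronous reset), the memory struct, the `counter_step` function and the ACSL contract are all my assumptions. The ACSL clauses are the attached specification: they restate the node's equation over the step function's state, so a prover such as Frama-C's WP plugin, with an external SMT solver, can discharge the resulting proof obligations on this body or on an optimized one, as long as the contract is preserved.

```c
/* Added illustration (not from the paper): a hand-written C translation of the
 * assumed Lustre node
 *
 *   node counter(reset : bool) returns (n : int);
 *   let
 *     n = if reset then 0 else (0 -> pre n + 1);
 *   tel
 *
 * with an ACSL contract expressing the equation as the "attached specification". */
#include <stdbool.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Node memory: one cell per 'pre' and one flag for the initial instant of '->'. */
typedef struct {
    bool first;   /* true until the first step has run (models '0 -> ...') */
    int  pre_n;   /* value of n at the previous instant (models 'pre n')   */
} counter_mem;

/*@ requires \valid(mem);
  @ assigns  mem->first, mem->pre_n;
  @ ensures  mem->first == \true && mem->pre_n == 0;
  @*/
void counter_reset(counter_mem *mem)
{
    mem->first = true;
    mem->pre_n = 0;
}

/* One synchronous step. The ensures clause is the Lustre equation itself,
 * read over the old and new memory; an optimized body must still satisfy it.
 * The precondition excludes signed overflow, which Lustre's int does not model. */
/*@ requires \valid(mem);
  @ requires mem->pre_n < INT_MAX;
  @ assigns  mem->first, mem->pre_n;
  @ ensures  \result == (reset ? 0 : (\old(mem->first) ? 0 : \old(mem->pre_n) + 1));
  @ ensures  mem->pre_n == \result;
  @ ensures  mem->first == \false;
  @*/
int counter_step(counter_mem *mem, bool reset)
{
    int n;
    if (reset)
        n = 0;                 /* 'if reset then 0'            */
    else if (mem->first)
        n = 0;                 /* left side of '0 -> ...'      */
    else
        n = mem->pre_n + 1;    /* 'pre n + 1' at later instants */
    mem->pre_n = n;            /* next instant's 'pre n'        */
    mem->first = false;        /* '->' has been taken           */
    return n;
}

/* Run the node over a finite input trace of reset flags, writing each
 * output into out[]; returns the number of steps performed. */
int run_trace(const bool *resets, size_t len, int *out)
{
    counter_mem mem;
    counter_reset(&mem);
    for (size_t i = 0; i < len; i++)
        out[i] = counter_step(&mem, resets[i]);
    return (int)len;
}

int main(void)
{
    /* Constructed sample trace: reset is raised at the fourth instant. */
    const bool resets[5] = { false, false, false, true, false };
    int out[5];
    run_trace(resets, 5, out);
    for (int i = 0; i < 5; i++)
        printf("step %d: reset=%d n=%d\n", i, resets[i], out[i]);
    return 0;
}
```

Running this prints n = 0, 1, 2, 0, 1 for the sample trace. The point of the contract is that it does not mention the body: a different, optimized implementation of `counter_step` (say one that folds the `first` test into the reset test) is validated by re-proving the same `ensures` clauses, which is the translation-validation setup the abstract describes.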


Published In

ACM Transactions on Embedded Computing Systems, Volume 22, Issue 5s
Special Issue ESWEEK 2023
October 2023
1394 pages
ISSN: 1539-9087
EISSN: 1558-3465
DOI: 10.1145/3614235
Editor: Tulika Mitra

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 September 2023
Accepted: 13 July 2023
Revised: 02 June 2023
Received: 23 March 2023
Published in TECS Volume 22, Issue 5s

Author Tags

  1. Lustre
  2. Frama-C
  3. ACSL

Qualifiers

  • Research-article

Funding Sources

  • Defense Innovation Agency (AID) of the French Ministry of Defense
