Compilation of synchronous observers as code contracts

Dieumegard, Arnaud; Garoche, Pierre-Löıc; Kahsai, Temesghen; Taillar, Alice; Thirioux, Xavier

doi:10.1145/2695664.2695819

Cited by 9 publications

(7 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This compilation is modular and produces a Lustre node for each Simulink subsystem. Once the Lustre model is obtained, it can be either compiled to C code with the LustreC compiler [16] or submitted to Lustre model checkers such as Kind2 [12,28] or Zustre [21].…”

Section: Cocosimmentioning

confidence: 99%

“…These assume/guarantee pairs can thus be used to specify requirements at the component level. This approach was first proposed by Hoare [27] to specify axiomatic semantics of imperative programs; however, it was later lifted to reactive systems through the notion of synchronous observers [12,16,25,26,35]. When contracts are specified formally for individual components, they can facilitate several development activities, such as compositional reasoning during static analysis, step-wise refinement, systematic component reuse, and component-level and integration-level test case generation.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

From Lustre to Simulink

Bourbouh

Garoche

Garion

et al. 2021

ACM Trans. Cyber-Phys. Syst.

Self Cite

View full text Add to dashboard Cite

Model-based design is now unavoidable when building embedded systems and, more specifically, controllers. Among the available model languages, the synchronous dataflow paradigm, as implemented in languages such as MATLAB Simulink or ANSYS SCADE, has become predominant in critical embedded system industries. Both of these frameworks are used to design the controller itself but also provide code generation means, enabling faster deployment to target and easier V&V activities performed earlier in the design process, at the model level. Synchronous models also ease the definition of formal specification through the use of synchronous observers, attaching requirements to the model in the very same language, mastered by engineers and tooled with simulation means or code generation. However, few works address the automatic synthesis of MATLAB Simulink annotations from lower-level models or code. This article presents a compilation process from Lustre models to genuine MATLAB Simulink, without the need to rely on external C functions or MATLAB functions. This translation is based on the modular compilation of Lustre to imperative code and preserves the hierarchy of the input Lustre model within the generated Simulink one. We implemented the approach and used it to validate a compilation toolchain, mapping Simulink to Lustre and then C, thanks to equivalence testing and checking. This backward compilation from Lustre to Simulink also provides the ability to produce automatically Simulink components modeling specification, proof arguments, or test cases coverage criteria.

show abstract

Section: Cocosimmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

From Lustre to Simulink

Bourbouh

Garoche

Garion

et al. 2021

ACM Trans. Cyber-Phys. Syst.

Self Cite

View full text Add to dashboard Cite

show abstract

“…CoCoSim [1] is a verification tool that can check properties of top level Simulink models using an underlying model checker. Given an existing Simulink model, an "observer" [6,7] is added to the system using the installed CoCoSim menu. All of the inputs of the system, identified by Simulink inport blocks, must be routed as inputs to the observer.…”

Section: Verification Softwarementioning

confidence: 99%

Investigation of a Verification and Validation Tool with a Turbofan Aircraft Engine Application

Uth

Narang-Siddarth

Wong

2018

2018 AIAA Guidance, Navigation, and Control Conference

View full text Add to dashboard Cite

The development of new capabilities in system intelligence and autonomy will require new means of verification and validation (V&V) to ensure safety and performance requirements are satisfied. As a step towards this goal, CoCoSim, a publicly available V&V tool, is being developed to analyze the validity of user-defined assertions on MATLAB/Simulink models. This paper demonstrates CoCoSim's capabilities by applying it to C-MAPSS40k, a 40,000 lbf class turbofan engine model developed at NASA for testing new control algorithms. Due to the current limitations of the CoCoSim V&V software, several modifications are made to C-MAPSS40k to achieve compatibility with CoCoSim. Some of these modifications sacrifice fidelity of the original model, but the analysis is still useful even with that limitation. Several safety and performance requirements typical of turbofan engines are identified and constructed into a series of assertions to be tested as part of the V&V framework. Preliminary results for these requirements using C-MAPSS40k's industry standard turbofan engine controller are presented. While CoCoSim's capabilities are demonstrated, a truly comprehensive analysis will require further development of the tool.

show abstract

“…One motivation for verifying a Lustre compiler is to ensure that properties verified on models also hold on generated code. An alternative is to also compile the properties and to reverify them at the code level [22]. This is an interesting approach, but it has two disadvantages: the compilation of properties and the re-verification must be trusted; verification may succeed on the model but fail on the code.…”

Section: Related Workmentioning

confidence: 99%

A formally verified compiler for Lustre

BourkeTimothy¹,

BrunLélio²,

DagandPierre-Evariste³

et al. 2017

SIGPLAN Not.

View full text Add to dashboard Cite

The correct compilation of block diagram languages like Lustre, Scade, and a discrete subset of Simulink is important since they are used to program critical embedded control software. We describe the specification and verification in an Interactive Theorem Prover of a compilation chain that treats the key aspects of Lustre: sampling, nodes, and delays. Building on CompCert, we show that repeated execution of the generated assembly code faithfully implements the dataflow semantics of source programs. We resolve two key technical challenges. The first is the change from a synchronous dataflow semantics, where programs manipulate streams of values, to an imperative one, where computations manipulate memory sequentially. The second is the verified compilation of an imperative language with encapsulated state to C code where the state is realized by nested records. We also treat a standard control optimization that eliminates unnecessary conditional statements.

show abstract

Compilation of synchronous observers as code contracts

Cited by 9 publications

References 22 publications

From Lustre to Simulink

From Lustre to Simulink

Investigation of a Verification and Validation Tool with a Turbofan Aircraft Engine Application

A formally verified compiler for Lustre

Contact Info

Product

Resources

About