Velus: towards a modular reset
Lélio Brun (1,2), PARKAS Team; Timothy Bourke (1,2); Pierre-Évariste Dagand (4,3,1); Marc Pouzet (4,2,1)
1 Inria Paris, 2 DI ENS, 3 CNRS, 4 UPMC
SYNCHRON'17, November 30, 2017
Lustre [1]: example (1 / 22)

[Block diagram of rect: y = d + py, where py is the output of a unit delay z^-1 initialised at 0, i.e. a (discrete) integrator.]

    node rect(d: int) returns (y: int)
    var py: int;
    let
      y = py + d;
      py = 0 fby y;
    tel

[Block diagram of integrator: a → rect → v → rect → x.]

    node integrator(a: int) returns (v, x: int)
    let
      v = rect(a);
      x = rect(v);
    tel

[Block diagram of excess: (max, a) → integrator → (v, x); e = (max < v).]

    node excess(max, a: int) returns (e: bool; x: int)
    var v: int;
    let
      (v, x) = integrator(a);
      e = max < v;
    tel

[1] Caspi et al. (1987): "LUSTRE: A declarative language for programming synchronous systems"
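Added example, not code from the slides or from the Vélus sources: the three nodes above executed in Python as stateful step functions, which is the shape of imperative code a synchronous compiler produces from them (one `reset` and one `step` method per node, one instance per node application). The names `Rect`, `Integrator`, `Excess`, `run_excess` and `run_rect_every` are this example's own. `run_rect_every` also shows the reading of the `every` construct from the N-Lustre grammar that this example assumes (restart the instance in every cycle where the reset condition is true); that reading is the standard Lustre one and is not defined on these slides.

```python
# Added example (not Vélus code): the Lustre nodes rect, integrator and
# excess as stateful step functions. reset() returns an instance to its
# initial state, step() computes one synchronous cycle.

class Rect:
    """node rect(d: int) returns (y: int): y = py + d; py = 0 fby y."""
    def __init__(self):
        self.reset()

    def reset(self):
        self.py = 0          # initial value of `0 fby y`

    def step(self, d):
        y = self.py + d
        self.py = y          # the fby delays y by one cycle
        return y


class Integrator:
    """node integrator(a: int) returns (v, x: int): v = rect(a); x = rect(v)."""
    def __init__(self):
        self.r1 = Rect()     # one instance per application of rect
        self.r2 = Rect()

    def reset(self):
        self.r1.reset()
        self.r2.reset()

    def step(self, a):
        v = self.r1.step(a)
        x = self.r2.step(v)
        return v, x


class Excess:
    """node excess(max, a: int) returns (e: bool; x: int)."""
    def __init__(self):
        self.integ = Integrator()

    def reset(self):
        self.integ.reset()

    def step(self, max_, a):
        v, x = self.integ.step(a)
        e = max_ < v
        return e, x


def run_excess(max_, inputs):
    """Run excess over a finite prefix of its input stream a (max is kept
    constant); returns the list of (e, x) outputs, one per cycle."""
    node = Excess()
    return [node.step(max_, a) for a in inputs]


def run_rect_every(inputs, resets):
    """Assumed meaning of `y = rect(d) every r` (the N-Lustre reset form):
    the rect instance is put back in its initial state in every cycle where
    r is true, before that cycle's step. This is the standard Lustre reading
    and an assumption of this example, not a definition from the slides."""
    node = Rect()
    out = []
    for d, r in zip(inputs, resets):
        if r:
            node.reset()
        out.append(node.step(d))
    return out


if __name__ == "__main__":
    # constructed inputs: constant acceleration 1, threshold max = 5
    print(run_excess(5, [1] * 7))
    # v = 1,2,3,4,5,6,7 and x = 1,3,6,10,15,21,28, so e is first true at cycle 6
    print(run_rect_every([1, 1, 1, 1, 1], [False, False, True, False, False]))
    # the running sum restarts at the third cycle: [1, 2, 1, 2, 3]
```

Running the block shows `v` as the running sum of `a` and `x` as the running sum of `v`, exactly the two chained integrators of the diagram, and `e` switching to true once `v` exceeds `max`.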
Context (2 / 22)

Critical aspect
• specification norms (DO-178B), industrial certification
• formal verification, mechanized proofs, proof assistant (e.g. Coq [1])

Goal: develop a formally verified code generator

[1] The Coq Development Team (2016): The Coq proof assistant reference manual
Vélus: a verified compiler (3 / 22)

Pipeline (dataflow languages first, then imperative ones):
  Unannotated Lustre -(parsing, elaboration)-> Lustre -(normalization)-> N-Lustre -(scheduling)-> SN-Lustre
  SN-Lustre -(translation)-> Obc -(fusion optimization)-> Obc -(generation)-> Clight -(compilation)-> Assembly -(printing)->

Implemented in Coq and (some) OCaml
• Validated parsing (menhir --coq) [a]
• Elaboration to get clock and type information
• Not yet implemented: normalization [b]
• Scheduling of dataflow equations
• Translation to intermediate Obc code
• Optimization of intermediate Obc code
• Generation of Clight code
• Relies on CompCert [c] for compilation

[a] Jourdan, Pottier, and Leroy (2012): "Validating LR(1) parsers"
[b] Auger (2013): "Compilation certifiée de SCADE/LUSTRE"
[c] Blazy, Dargaye, and Leroy (2006): "Formal verification of a C compiler front-end"
N-Lustre: abstract syntax (4 / 22)

  le ::= expression
       | k                       (constant)
       | x                       (variable)
       | le when x               (when)
       | op le                   (unary operator)
       | le bop le               (binary operator)

  ce ::= control expression
       | merge x ce ce           (merge)
       | if x then ce else ce    (if)
       | le                      (expression)

  eq ::= equation
       | x :: c = ce             (def)
       | x :: c = k fby le       (fby)
       | x⃗ :: c = x(le⃗)          (app)
       | x⃗ :: c = x(le⃗) every x  (reset)

  n  ::= node x (x⃗ ty :: c) returns (x⃗ ty :: c) [var x⃗ ty :: c] let eq⃗; tel

(x⃗, le⃗ and eq⃗ denote lists of variables, expressions and equations.)
Lustre semantics in Coq (5 / 22)

Streams as maps N → value
• not as direct as in the literature
• maybe too difficult to adapt to Lustre

Goal: propose a new formalization based on co-inductive streams
• suitable to our proofs
• as a reference semantics for Lustre
• suitable to do verification of programs

Bonus: formalize the semantics of the modular reset
N-Lustre semantics (6 / 22)

k fby x:
  fby# k (⊥ · xs) = ⊥ · fby# k xs
  fby# k (x · xs) = k · fby# x xs

x when c:
  when# (⊥ · xs) (⊥ · cs)     = ⊥ · when# xs cs
  when# (x · xs) (false · cs) = ⊥ · when# xs cs
  when# (x · xs) (true · cs)  = x · when# xs cs
N-Lustre semantics (7 / 22)

if x then t else f:
  ite# (⊥ · xs) (⊥ · ts) (⊥ · fs)     = ⊥ · ite# xs ts fs
  ite# (true · xs) (x · ts) (y · fs)  = x · ite# xs ts fs
  ite# (false · xs) (x · ts) (y · fs) = y · ite# xs ts fs

merge c x y:
  merge# (⊥ · cs) (⊥ · xs) (⊥ · ys)     = ⊥ · merge# cs xs ys
  merge# (true · cs) (x · xs) (⊥ · ys)  = x · merge# cs xs ys
  merge# (false · cs) (⊥ · xs) (y · ys) = y · merge# cs xs ys
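Added example, not code from the slides or from Vélus: the four stream operators of the two semantics slides above (fby#, when#, ite#, merge#) transcribed equation by equation onto finite stream prefixes, so their clocking behaviour can be executed. Absence ⊥ is represented by `None`. The slides give equations only for well-clocked inputs; treating every other present/absent combination as a `ClockError` is this example's assumption, as are the helper names `complement`, `sample_and_merge` and `delayed_on_clock`.

```python
# Added example (not Vélus code): N-Lustre stream operators on finite
# prefixes. None stands for the absent value ⊥; a Python bool stands for a
# present boolean, any other non-None value for a present value.

ABSENT = None


class ClockError(ValueError):
    """Inputs violate the clock discipline the semantic equations assume."""


def _check_lengths(*streams):
    # finite prefixes stand in for infinite streams, so they must be aligned
    if len({len(s) for s in streams}) != 1:
        raise ValueError("stream prefixes must have the same length")


def fby(k, xs):
    """fby# k (⊥ · xs) = ⊥ · fby# k xs ;  fby# k (x · xs) = k · fby# x xs"""
    out = []
    for x in xs:
        if x is ABSENT:
            out.append(ABSENT)   # absent in, absent out, k is kept
        else:
            out.append(k)
            k = x                # the current value is emitted next time
    return out


def when(xs, cs):
    """when# (⊥·xs) (⊥·cs) = ⊥·... ; (x·xs) (false·cs) = ⊥·... ; (x·xs) (true·cs) = x·..."""
    _check_lengths(xs, cs)
    out = []
    for x, c in zip(xs, cs):
        if x is ABSENT and c is ABSENT:
            out.append(ABSENT)
        elif x is not ABSENT and c is False:
            out.append(ABSENT)
        elif x is not ABSENT and c is True:
            out.append(x)
        else:
            raise ClockError(f"when: x={x!r} and c={c!r} are not on the same clock")
    return out


def ite(xs, ts, fs):
    """ite#: all three absent gives ⊥; a present condition selects t or f."""
    _check_lengths(xs, ts, fs)
    out = []
    for c, t, f in zip(xs, ts, fs):
        if c is ABSENT and t is ABSENT and f is ABSENT:
            out.append(ABSENT)
        elif c is True and t is not ABSENT and f is not ABSENT:
            out.append(t)
        elif c is False and t is not ABSENT and f is not ABSENT:
            out.append(f)
        else:
            raise ClockError(f"ite: c={c!r}, t={t!r}, f={f!r} are not on one clock")
    return out


def merge(cs, xs, ys):
    """merge#: exactly one branch is present when c is, none when c is ⊥."""
    _check_lengths(cs, xs, ys)
    out = []
    for c, x, y in zip(cs, xs, ys):
        if c is ABSENT and x is ABSENT and y is ABSENT:
            out.append(ABSENT)
        elif c is True and x is not ABSENT and y is ABSENT:
            out.append(x)
        elif c is False and x is ABSENT and y is not ABSENT:
            out.append(y)
        else:
            raise ClockError(f"merge: c={c!r}, x={x!r}, y={y!r} violate the merge clock")
    return out


def complement(cs):
    """Boolean negation lifted to a clocked stream (⊥ stays ⊥)."""
    return [ABSENT if c is ABSENT else not c for c in cs]


def sample_and_merge(xs, cs):
    """merge c (x when c) (x when not c) rebuilds x: sampling loses nothing."""
    return merge(cs, when(xs, cs), when(xs, complement(cs)))


def delayed_on_clock(xs, cs):
    """0 fby (x when c): the delay only advances on cycles where c is true."""
    return fby(0, when(xs, cs))


if __name__ == "__main__":
    xs = [1, 2, 3, 4, 5]                      # constructed sample streams
    cs = [True, False, True, True, False]
    print(fby(0, xs))                         # [0, 1, 2, 3, 4]
    print(when(xs, cs))                       # [1, None, 3, 4, None]
    print(delayed_on_clock(xs, cs))           # [0, None, 1, 3, None]
    print(sample_and_merge(xs, cs))           # [1, 2, 3, 4, 5]
    print(ite(cs, xs, [10, 20, 30, 40, 50]))  # [1, 20, 3, 4, 50]
```

The `delayed_on_clock` call is the case worth studying: because `fby#` keeps `k` unchanged across absent cycles, a delay placed under a `when` remembers the last value seen on the slower clock, not the last cycle of the base clock.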
Streams formalization in Coq (8 / 22)

• maps N → value
  • not as direct as in the literature
  • maybe too difficult to adapt to Lustre
  • rather intricate to formalize

• co-inductive streams

    CoInductive Stream {A : Type} : Type :=
      Cons : A → Stream → Stream.
    Infix "·" := Cons.

    (* hd is not recursive, so it is a plain Definition, not a Fixpoint *)
    Definition hd {A : Type} (s : Stream A) : A :=
      match s with x · _ ⇒ x end.