Document Open Access Logo

Pipit on the Post: Proving Pre- and Post-Conditions of Reactive Systems

Authors Amos Robinson , Alex Potanin

PDF

File

Thumbnail PDF
PDF
LIPIcs.ECOOP.2024.34.pdf
  • Filesize: 0.95 MB
  • 28 pages

Document Identifiers

Subject Classification

ACM Subject Classification
  • Computer systems organization → Real-time languages
  • Theory of computation → Program verification
  • Software and its engineering → Specialized application languages
Keywords
  • Lustre
  • streaming
  • reactive
  • verification

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads
    0
    Metadata Views

Abstract

Synchronous languages such as Lustre and Scade are used to implement safety-critical control systems; proving such programs correct and having the proved properties apply to the compiled code is therefore equally critical. We introduce Pipit, a small synchronous language embedded in F*, designed for verifying control systems and executing them in real-time. Pipit includes a verified translation to transition systems; by reusing F*’s existing proof automation, certain safety properties can be automatically proved by k-induction on the transition system. Pipit can also generate executable code in a subset of F* which is suitable for compilation and real-time execution on embedded devices. The executable code is deterministic and total and preserves the semantics of the original program.

Cite As Get BibTex

Amos Robinson and Alex Potanin. Pipit on the Post: Proving Pre- and Post-Conditions of Reactive Systems. In 38th European Conference on Object-Oriented Programming (ECOOP 2024). Leibniz International Proceedings in Informatics (LIPIcs), Volume 313, pp. 34:1-34:28, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024) https://doi.org/10.4230/LIPIcs.ECOOP.2024.34

Author Details

Amos Robinson
  • Sydney, Australia
Alex Potanin
  • Australian National University, Canberra, Australia

Supplementary Materials

References

  1. ISO/CD 11898-4. Road vehicles - Controller area network (CAN) - Part 4: Time triggered communication. Standard, International Organization for Standardization, 2000. Google Scholar
  2. Clark Barrett, Pascal Fontaine, and Cesare Tinelli. The Satisfiability Modulo Theories Library (SMT-LIB). www.SMT-LIB.org, 2016. Google Scholar
  3. Dariusz Biernacki, Jean-Louis Colaço, Grégoire Hamon, and Marc Pouzet. Clock-directed modular code generation for synchronous data-flow languages. In Proceedings of the 2008 ACM SIGPLAN-SIGBED conference on Languages, compilers, and tools for embedded systems, pages 121-130, 2008. Google Scholar
  4. Sylvain Boulmé and Grégoire Hamon. A clocked denotational semantics for Lucid-Synchrone in Coq. Rap. tech., LIP6, 2001. Google Scholar
  5. Timothy Bourke, Lélio Brun, Pierre-Évariste Dagand, Xavier Leroy, Marc Pouzet, and Lionel Rieg. A formally verified compiler for Lustre. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2017. Google Scholar
  6. Timothy Bourke, Paul Jeanmaire, and Marc Pouzet. Towards a denotational semantics of streams for a verified Lustre compiler, 2022. URL: https://types22.inria.fr/files/2022/06/TYPES_2022_slides_28.pdf.
  7. Timothy Bourke, Basile Pesin, and Marc Pouzet. Verified compilation of synchronous dataflow with state machines. ACM Transactions on Embedded Computing Systems, 22(5s):1-26, 2023. Google Scholar
  8. Aaron R Bradley. SAT-based model checking without unrolling. In Verification, Model Checking, and Abstract Interpretation: 12th International Conference, VMCAI 2011, Austin, TX, USA, January 23-25, 2011. Proceedings 12. Springer, 2011. Google Scholar
  9. Lélio Brun, Christophe Garion, Pierre-Loïc Garoche, and Xavier Thirioux. Equation-directed axiomatization of Lustre semantics to enable optimized code validation. ACM Transactions on Embedded Computing Systems, 22(5s):1-24, 2023. Google Scholar
  10. Paul Caspi and Marc Pouzet. A functional extension to Lustre. Intensional Programming I, 1995. Google Scholar
  11. Adrian Champion, Alain Mebsout, Christoph Sticksel, and Cesare Tinelli. The Kind 2 model checker. In Computer Aided Verification, 2016. Google Scholar
  12. Jiawei Chen, José Luiz Vargas de Mendonça, Shayan Jalili, Bereket Ayele, Bereket Ngussie Bekele, Zhemin Qu, Pranjal Sharma, Tigist Shiferaw, Yicheng Zhang, and Jean-Baptiste Jeannin. Synchronous programming and refinement types in robotics: From verification to implementation. In Proceedings of the 8th ACM SIGPLAN International Workshop on Formal Techniques for Safety-Critical Systems, 2022. Google Scholar
  13. Jean-Louis Colaço, Bruno Pagano, and Marc Pouzet. Scade 6: A formal language for embedded critical software development. In 2017 International Symposium on Theoretical Aspects of Software Engineering (TASE), pages 1-11. IEEE, 2017. Google Scholar
  14. Niklas Eén, Alan Mishchenko, and Robert Brayton. Efficient implementation of property directed reachability. In 2011 Formal Methods in Computer-Aided Design (FMCAD). IEEE, 2011. Google Scholar
  15. Thomas Fuehrer, Bernd Mueller, Florian Hartwich, and Robert Hugel. Time triggered CAN (TTCAN). SAE transactions, pages 143-149, 2001. Google Scholar
  16. Andrew Gacek, John Backes, Mike Whalen, Lucas Wagner, and Elaheh Ghassabani. The JKind model checker. In Computer Aided Verification: 30th International Conference, CAV 2018, Held as Part of the Federated Logic Conference, FloC 2018, Oxford, UK, July 14-17, 2018, Proceedings, Part II 30, pages 20-27. Springer, 2018. Google Scholar
  17. Emilio Jesús Gallego Arias, Pierre Jouvelot, Sylvain Ribstein, and Dorian Desblancs. The W-calculus: a synchronous framework for the verified modelling of digital signal processing algorithms. In Proceedings of the 9th ACM SIGPLAN International Workshop on Functional Art, Music, Modelling, and Design, pages 35-46, 2021. Google Scholar
  18. Pranav Garg, Christof Löding, Parthasarathy Madhusudan, and Daniel Neider. ICE: A robust framework for learning invariants. In Computer Aided Verification: 26th International Conference, CAV 2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings 26. Springer, 2014. Google Scholar
  19. Léonard Gérard, Adrien Guatto, Cédric Pasteur, and Marc Pouzet. A modular memory optimization for synchronous data-flow languages: application to arrays in a Lustre compiler. ACM SIGPLAN Notices, 47(5), 2012. Google Scholar
  20. Xiaoyun Guo, Toshiaki Aoki, and Hsin-Hung Lin. Model checking of in-vehicle networking systems with CAN and FlexRay. Journal of Systems and Software, 161:110461, 2020. Google Scholar
  21. George Hagen and Cesare Tinelli. Scaling up the formal verification of Lustre programs with SMT-based techniques. In 2008 Formal Methods in Computer-Aided Design. IEEE, 2008. Google Scholar
  22. Florian Hartwich, Thomas Führer, Bernd Müller, and Robert Hugel. Integration of time triggered CAN (TTCAN_TC). SAE Transactions, pages 112-119, 2002. Google Scholar
  23. Son Ho, Jonathan Protzenko, Abhishek Bichhawat, and Karthikeyan Bhargavan. Noise*: A library of verified high-performance secure channel protocol implementations. In 2022 IEEE Symposium on Security and Privacy (SP), pages 107-124. IEEE, 2022. Google Scholar
  24. Erwan Jahier, Pascal Raymond, and Nicolas Halbwachs. The Lustre V6 reference manual. Verimag, Grenoble, Dec, 2016. Google Scholar
  25. Kind2. Integer division rounds to negative infinite. Github issues, 2023. URL: https://github.com/kind2-mc/kind2/issues/978.
  26. Kind2. Kind2 user documentation, 2.1.1 edition, 2023. URL: https://kind.cs.uiowa.edu/kind2_user_doc/doc.pdf.
  27. Kind2. Top-level array definition causes runtime failures. Github issues, 2024. URL: https://github.com/kind2-mc/kind2/issues/1043.
  28. Jonathan Laurent, Alwyn Goodloe, and Lee Pike. Assuring the guardians. In Runtime Verification: 6th International Conference, RV 2015, Vienna, Austria, September 22-25, 2015. Proceedings. Springer, 2015. Google Scholar
  29. Gabriel Leen and Donal Heffernan. Modeling and verification of a time-triggered networking protocol. In International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies (ICNICONSMCL'06), pages 178-178. IEEE, 2006. Google Scholar
  30. Xin Li, Jian Guo, Yongxin Zhao, and Xiaoran Zhu. Formal modeling and verifying the TTCAN protocol from a probabilistic perspective. Journal of Circuits, Systems and Computers, 28(10):1950177, 2018. Google Scholar
  31. Guido Martínez, Danel Ahman, Victor Dumitrescu, Nick Giannarakis, Chris Hawblitzel, Cătălin Hriţcu, Monal Narasimhamurthy, Zoe Paraskevopoulou, Clément Pit-Claudel, Jonathan Protzenko, et al. Meta-F^*: Proof automation with SMT, tactics, and metaprograms. In Programming Languages and Systems: 28th European Symposium on Programming, ESOP 2019, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019, Prague, Czech Republic, April 6-11, 2019, Proceedings. Springer International Publishing Cham, 2019. Google Scholar
  32. Liam O'Connor. Deferring the details and deriving programs. In Proceedings of the 4th ACM SIGPLAN International Workshop on Type-Driven Development, pages 27-39, 2019. Google Scholar
  33. Can Pan, Jian Guo, Longfei Zhu, Jianqi Shi, Huibiao Zhu, and Xinyun Zhou. Modeling and verification of CAN bus with application layer using UPPAAL. Electronic Notes in Theoretical Computer Science, 309:31-49, 2014. Google Scholar
  34. Jonathan Protzenko, Jean Karim Zinzindohoué, Aseem Rastogi, Tahina Ramananandro, Peng Wang, Santiago Zanella Béguelin, Antoine Delignat-Lavaud, Catalin Hritcu, Karthikeyan Bhargavan, Cédric Fournet, et al. Verified low-level programming embedded in F^*. Proc. ACM program. lang., 1(ICFP), 2017. Google Scholar
  35. Pascal Raymond. Synchronous program verification with Lustre/Lesar. Modeling and Verification of Real-Time Systems, 2008. Google Scholar
  36. Robert Bosch GmbH. M_TTCAN Time-triggered Controller Area Network User’s Manual, 3.3.0 edition, 2019. URL: https://www.bosch-semiconductors.com/media/ip_modules/pdf_2/m_can/mttcan_users_manual_v330.pdf.
  37. Amos Robinson and Ben Lippmeier. Machine fusion: merging merges, more or less. In Proceedings of the 19th International Symposium on Principles and Practice of Declarative Programming, pages 139-150, 2017. Google Scholar
  38. Amos Robinson and Alex Potanin. Pipit: Reactive systems in F^* (extended abstract). In Proceedings of the 8th ACM SIGPLAN International Workshop on Type-Driven Development, 2023. Google Scholar
  39. Indranil Saha and Suman Roy. A finite state analysis of time-triggered CAN (TTCAN) protocol using Spin. In 2007 International Conference on Computing: Theory and Applications (ICCTA'07), pages 77-81. IEEE, 2007. Google Scholar
  40. Ryan G Scott, Mike Dodds, Ivan Perez, Alwyn E Goodloe, and Robert Dockins. Trustworthy runtime verification via bisimulation (experience report). Proceedings of the ACM on Programming Languages, 7(ICFP):305-321, 2023. Google Scholar
  41. Michael Short and Michael J Pont. Fault-tolerant time-triggered communication using CAN. IEEE transactions on Industrial Informatics, 3(2):131-142, 2007. Google Scholar
  42. Joachim Zahnentferner, Dmytro Kaidalov, Jean-Frédéric Etienne, and Javier Díaz. Djed: a formally verified crypto-backed autonomous stablecoin protocol. In 2023 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), pages 1-9. IEEE, 2023. Google Scholar
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact