Papers by Jean-louis Colaço
ACM Transactions on Embedded Computing Systems, Sep 8, 2023
International Journal on Software Tools for Technology Transfer, Aug 1, 2004
One of the appreciated features of the synchronous data-flow approach is that a program defines a perfectly deterministic behavior. But the use of the delay primitive leads to undefined values at the first cycle; thus a data-flow program is really deterministic only if it can be shown that such undefined values do not affect the behavior of the system. This paper presents an initialization analysis that guarantees the deterministic behavior of programs. This property being undecidable in general, the paper proposes a safe approximation of it, precise enough for most data-flow programs. It is a one-bit analysis (every expression is either initialized or uninitialized), defined as a type inference system with subtyping constraints. The analysis has been implemented in the Lucid Synchrone compiler and in a new Scade/Lustre prototype compiler at Esterel Technologies. It gives very good results in practice.
High-level tools have become unavoidable in industrial software development processes, and safety-critical embedded programs do not escape this trend. In the context of safety-critical embedded systems, development processes follow strict guidelines and requirements, and quality assurance applies as much to the tools themselves as to the final embedded code. The French company Esterel Technologies decided in 2006 to base its new SCADE Suite 6 certifiable code generator on Objective Caml. This paper outlines the challenges this choice raised in a safety-critical development governed by rigorous standards such as DO-178B, IEC 61508 and EN 50128.
HAL (Le Centre pour la Communication Scientifique Directe), Sep 13, 2017
SCADE is a high-level language and environment for developing safety-critical embedded control software. It has been used for more than twenty years in various application domains such as avionics, nuclear plants, transportation and automotive. SCADE was founded on the synchronous data-flow language Lustre invented by Caspi and Halbwachs. In the early years, it was mainly seen as a graphical notation for Lustre, but with the unique and key addition of a code generator qualified to the highest standards for safety-critical applications. In 2008, a major revision based on the new language 'Scade 6' was released. This language combines, in an original way, the Lustre data-flow style with control structures borrowed from Esterel and SyncCharts, and compilation and static analyses from Lucid Synchrone to ensure safety properties. This increase in expressiveness, together with a qualified code generator, has dramatically widened the scope of applications developed with SCADE. While previous publications have described some of its language constructs and compiler algorithms, no reference publication on 'Scade 6' existed so far. In this paper, we come back to the decisions made for its design, and illustrate the main language features, the static analyses and the compiler organization in the context of a qualification process.
Proceedings of the 9th ACM SIGPLAN International Workshop on Libraries, Languages and Compilers for Array Programming
Proceedings of the 11th International Modelica Conference, Versailles, France, September 21-23, 2015, 2015
The ever-growing requirement for safety in embedded systems, together with the wish for a modelling language that describes both the physics and the software that controls it, makes Modelica an interesting candidate for designing, simulating and implementing complex systems. Originally designed to address multi-physics, Modelica has integrated constructs to describe discrete controllers since version 3.3. The question of using Modelica to design critical embedded software therefore arises. In this paper we address the problem of defining a practical Modelica subset that can be entirely formalized, and we sketch the formalization of this subset with the concrete example of static name resolution. This work should serve as a basis for defining a suitable language that can be used both to simulate systems and to generate embedded critical code.
ACM SIGPLAN Notices, 2009
This paper addresses the problem of designing and implementing complex control systems for real-time embedded software. Typical applications involve different control laws corresponding to different phases or modes, e.g., take-off, full flight and landing in a fly-by-wire control system. On the one hand, existing methods such as the combination of Simulink/Stateflow provide powerful but unsafe mechanisms by means of imperative updates of shared variables. On the other hand, synchronous languages and tools such as Esterel or SCADE/Lustre are too restrictive and do not allow the specification of modes to be fully separated from their actual instantiation with a particular control automaton. In this paper, we introduce a conservative extension of a synchronous data-flow language close to Lustre, in order to define systems with modes in a more modular way while ensuring the absence of data races. We show that such a system can be viewed as an object where modes are methods acting on a sh...
Jean-Louis Colaço, Marc Pantel, Patrick Sallé (LIMA/ENSEEIHT/INPT/IRIT, Toulouse; http://www.enseeiht.fr/Recherche/Info/Logiciel/vestale/vestale.html). This paper presents an extension of Aiken and Wimmers' set constraint solver, used for typing concurrent object-oriented languages. In order to take into account the non-uniform behaviors of concurrent objects, this extension requires the use of multisets instead of sets. The article describes the multiset-based type abstraction and gives insights into the associated constraint solver.
This paper presents an extension of a synchronous data-flow language such as Lustre with imperative features expressed in terms of powerful state machines à la SyncCharts. This extension is fully conservative in the sense that all programs of the basic language still make sense in the extended language and their semantics is preserved. Syntactically, the extension consists of hierarchical state machines that may carry, at each level of the hierarchy, a set of equations. This proposal is an alternative to the joint use of Simulink and Stateflow, but improves on it by allowing a fine-grained mix of both styles. The central idea of the paper is to base this extension on the use of clocks, translating imperative constructs into well-clocked data-flow programs of the basic language. This clock-directed approach is an easy way to define a semantics for the extension, it is light to implement in an existing compiler, and experiments show that the generated code compete favora...
Synchronous data-flow languages such as Scade/Lustre manage infinite sequences, or streams, as primitive values, making them naturally adapted to the description of data-dominated systems. Their conservative extension with means to define control structures or modes has been a long-term research topic through which several solutions have emerged. In this paper, we pursue this effort and generalize existing solutions by providing two constructs: a general form of state machines called parameterized state machines, and valued signals, as found in Esterel. Parameterized state machines greatly reduce the reliance on error-prone mechanisms such as shared memory in automaton-based programming. Signals provide a new way of programming with multi-rate data in synchronous data-flow languages. Together, they allow a much more direct and natural programming of systems that combine data-flow and state machines. The proposed extension is fully implemented in the new Lucid Synchrone compi...
The compilation of synchronous block diagrams into sequential imperative code was addressed in the early eighties and can now be considered folklore. However, separate or modular code generation, though widely used in existing compilers and particularly in industrial ones, has been neither precisely described nor entirely formalized. Such a formalization now appears as a fundamental need, both for the long-term goal of developing a mathematically certified compiler for a synchronous language and for simplifying existing implementations. This article presents in full detail the modular compilation of synchronous block diagrams into sequential code. We consider a first-order functional language reminiscent of Lustre, which it extends with a general n-ary merge operator, a reset construct and a richer notion of clocks. The clocks are used to express the activation of computations in the program and are specifically taken into account during the compilation process to produce efficient imp...
Proceedings of the 7th ACM SIGPLAN International Workshop on Reactive and Event-Based Languages and Systems, 2020
ANSYS® SCADE Suite® is a development environment for safety-critical embedded software that has been used for more than twenty years in various application domains such as avionics, nuclear plants, transportation and automotive. Its code generator is qualified for several industrial standards (DO-178C, IEC 61508, EN 50128, IEC 60880 and ISO 26132) for use in the development of the most safety-critical systems. Scade is historically based on the synchronous language Lustre, designed in Grenoble at the VERIMAG laboratory by its two main authors, Paul Caspi and Nicolas Halbwachs. In its early days, it was mainly seen as a graphical notation for this academic language. In 2008, a major new version was released, based on the language Scade 6, which extended the dataflow point of view offered by Lustre with new constructs inspired by Esterel and SyncCharts in order to allow a more control-oriented design style. This language is formally specified following the work of Marc Pouzet on the design of Lucid...
This RATP document, based on an original document from Prover Technology, details the syntax and semantics of the formal modelling language "High Level Language" (HLL). HLL has been used for several years by RATP and some other companies (e.g. SYSTEREL, Prover Technology) to perform formal verification of CBTC and interlocking safety-critical software.
This article reports on experience gained from a study of the use of the Objective Caml language to build development tools for critical software. In this particular case, the tool is an embedded code generator for the Scade language. Even though the constraints on building tools are weaker than those that apply to embedded code, they remain fairly heavy and are tied to the nature of the imperative languages ordinarily used for this kind of development. The use of Objective Caml departs from the ordinary setting both through its high-level features (higher-order functional language, parametric polymorphism, pattern matching) and through the low-level mechanisms implemented by its runtime library (GC, exceptions). It is therefore necessary to reinterpret, for this language, the development standards that certification of critical software requires, and to develop tools capable of measuring compliance with these...
The goal of this thesis is to define static analyses by typing for languages based on Agha's actor model. To reach this goal, the approach presented in this dissertation consists in defining a process calculus dedicated to describing the essential mechanisms of actor languages. In a first part, we survey some concurrent programming models, including Agha's actors, as well as a number of works on the static analysis of parallel/concurrent languages. We then propose a process calculus named CAP (calculus of primitive actors) in which the notions present in the actor model are easily expressed: address, behavior, message sending, behavior change. We define three type systems that statically detect the various runtime errors that may be raised during the execution of a CAP program. The first sys...
This paper presents a formalization of the compilation of a synchronous data-flow language into an imperative sequential language. We consider MiniLS, a minimalistic yet full-featured synchronous language reminiscent of Lustre. It provides original constructs such as a reset and an n-ary merge operator. These constructs play a central role in generating efficient code and in making the language suitable as a backend for compiling advanced features such as hierarchical state machines. We introduce a generic imperative language to represent transition functions and a clock-directed translation from the source into this language. This translation is modular: every synchronous function is translated into a single transition function. We address the target code generation phase by presenting code emitters to Java and C. The paper comes with a precise description of each compilation step, a formal semantics for the source and destination languages and a proof that whenever the compilation...
2018 Forum on Specification & Design Languages (FDL), Sep 1, 2018
SCADE is an environment for developing critical embedded software that has been used for more than twenty years in various application domains such as avionics, nuclear plants, transportation and automotive. It comes with a language and a code generator that complies with the highest safety standards such as DO-178C, IEC 61508, EN 50128, IEC 60880 and ISO 26262. The language is founded on the pioneering work by Caspi and Halbwachs on Lustre. In 2008, a major revision of the language and compiler, named 'Scade 6', was released. One of its novelties was a smooth integration of the traditional dataflow style of Lustre with control structures inspired by those of Esterel and SyncCharts, with static/dynamic semantics and a compilation inspired by Lucid Synchrone. In particular, it relies on four dedicated type systems (typing, clock calculus, causality analysis and initialization analysis) and on a compilation through source-to-source transformations into a minimal clocked data-flow language, based on a Kahn semantics, that is translated to imperative code. One ongoing work is the generation of code for multi-core architectures. Because of the intrinsic deterministic parallelism of Scade, we propose a solution that relies on annotations that specify what must be executed concurrently but do not change the semantics. The paper is a survey of past to ongoing work on the Scade 6 language definition and implementation.
Index Terms: synchronous languages, compiler, multi-core.
Footnotes: (1) SCADE stands for Safety-Critical Development Environment. (2) http://www.ansys.com/products/embedded-software/ansys-scade-suite (3) To distinguish between the environment and its underlying programming language, we write SCADE for the former and SCADE (with small capitals) for the latter.
Proceedings of the IEEE
Hybrid systems modeling languages that mix discrete- and continuous-time signals and systems are widely used to develop cyber-physical systems where control software interacts with physical devices. Compilers play a central role, statically checking source models, generating intermediate representations for testing and verification, and producing sequential code for simulation and execution on target platforms. This paper presents a novel approach to the design and implementation of a hybrid systems language, built on synchronous language principles and their proven compilation techniques. The result is a hybrid systems modeling language in which synchronous programming constructs can be mixed with Ordinary Differential Equations (ODEs) and zero-crossing events, and a runtime that delegates their approximation to an off-the-shelf numerical solver. We propose an ideal semantics based on nonstandard analysis, which defines the execution of a hybrid model as an infinite sequence of infinitesimally small time steps. It is used to specify and prove correct three essential compilation steps: (1) a type system that guarantees that a continuous-time signal is never used where a discrete-time one is expected, and conversely; (2) a type system that ensures the absence of combinatorial loops; (3) the generation of statically scheduled code for efficient execution. Our approach has been evaluated in two implementations: the academic language Zélus, which extends a language reminiscent of Lustre with ODEs and zero-crossing events, and the industrial prototype Scade Hybrid, a conservative extension of Scade 6.
The paper introduces a higher-order synchronous data-flow language in which communication channels may themselves transport programs. This provides a means to dynamically reconfigure data-flow processes. The language comes as a natural and strict extension of both Lustre and Lucid Synchrone. This extension is conservative, in the sense that a first-order restriction of the language can receive the same semantics. We illustrate the expressivity of the language with some examples before giving the formal semantics of the underlying calculus. The language is equipped with a polymorphic type system allowing types to be automatically inferred, and a clock calculus rejecting programs for which synchronous execution cannot be statically guaranteed. To our knowledge, this is the first higher-order synchronous data-flow language where stream functions are first-class citizens. Categories and Subject Descriptors: C.3 [Special-purpose and application-based systems]: Real-time and embedded system...