Building a hybrid systems modeler from synchronous language principles

Abstract

Hybrid systems modeling languages are widely used in the development of embedded systems. Two representatives are Simulink/Stateflow1 that combine Ordinary Differential Equations (ODEs), data-flow and difference equations, hierarchical automata a la StateCharts [14] together with imperative features; and the Modelica language [1]2 based on DAEs with features for modeling discrete components. Ptolemy II3 is another example in which several models of computation are combined [15].The formal verification of hybrid systems has been extensively studied [9]. Yet, we share the viewpoint of Lee and Zheng that hybrid modeling languages are best viewed as programming languages that happen to have a hybrid systems semantics [16, 17]. This raises important questions related to their design, semantics and implementation, to get efficient and reliable simulations as well as provably equivalent embedded target code. While sequential code generation in hybrid modeling tools is routinely used for efficient simulation, it is little used or not used at all to produce target embedded code in critical applications that are submitted to strong safety requirements. This results in a break in the development chain: parts of applications must be rewritten into sequential code and all properties verified on the source model cannot be trusted and have to be reverified on the target code.Sequential code generation from a synchronous language like Lustre [12] has been studied in detail [13]. It can be formalized as a series of source-to-source transformations that eliminate high level constructs like hierarchical automata [11] and the generation of a generic intermediate representation for transition functions, turned itself into C code [6]. This approach, initiated in Lucid Synchrone [18], is implemented in the Scade Suite KCG code generator of Scade 64, used for developing various critical applications.Yet, synchronous languages only manipulate discrete-time signals. Their expressiveness is limited to insure important safety properties like determinacy, execution in bounded time and space, and simple, traceable code generation. Their cyclic execution requires minimal run-time support and does not suffer the complications that accompany numerical solvers of ordinary differential equations. Conversely, a hybrid modeling language allows discrete and continuous time behaviors to interact. But this interaction is not constrained enough, nor specified with adequate precision in tools like Simulink/Stateflow and this occasion semantics pitfalls and bugs [10, 5, 2]. A precise description of all the compilation steps, that is, the actual implemented semantics, is mandatory in safety critical development processes where target code must be trustworthy. Our goal, in short, is to increase the expressiveness of synchronous languages without sacrificing any confidence in their compilers.In previous works, we introduced a novel approach for the design and implementation of a hybrid modeling language that reuses synchronous language principles and an existing compiler infrastructure. We introduced an ideal synchronous semantics based on non standard analysis [5] for a Lustre-like language with ODEs [4], and then extended the kernel language with hierarchical automata [3] and a modular causality analysis [2]. These results form the foundation of Zelus [8]5 and were validated inside the industrial Scade Suite KCG code generator (Release 6.4, 2014) developed at Esterel-Technologies/ANSYS [7].In this talk, I will summarize the ongoing work on Zelus and the way it has been applied to the Scade Suite KCG code generator. In the later, it was possible to reuse the existing infrastructure entirely with little modifications: static typing, the causality and initialization analysis, intermediate languages and the various compiler optimizations. The proposed language extension is conservative in that regular synchronous functions are compiled as before --- the same synchronous code is used both for simulation and for execution on target platforms. It also shows the versatility of the KCG infrastructure based on a successive rewriting. The precise definition of all compilation steps, built on the proven compiler infrastructure of a synchronous language avoids the rewriting of control software and may also increase the confidence in simulation results.This work results from a collaboration with Albert Benveniste, Benoit Caillaud (INRIA, Rennes), Timothy Bourke (INRIA, Paris-Rocquencourt), Jean-Louis Colaco, Bruno Pagano and Cedric Pasteur (Esterel-Technologies/ANSYS).