Lustre annotation/specification language

#+AUTHORS: PierreLoic Garoche, RĂ©mi Delmas, Temesghen Kahsai

#+LATEX_HEADER: \usepackage{tikz,listings,stmaryrd,pgfplots,mathrsfs,syntax}

#+LATEX_HEADER: \input{lustre_lst}

This document intends to define the bases of a specification language for

Lustre. Such specifications' role are threefold:

1. Precise the required behavior of a Lustre model, ie. the behavior of Lustre

nodes. Those specifications could then ease the application of tools.

2. Enrich the Lustre code itself with non functionnal annotations; for example

parametrization of tools to be applied on the Lustre model, or for

documentation purpose.

3. Enable the compilation of the annotation/specification as C code ACSL

annotations.

* Syntax

** Comments

All specifications and annotations are expressed within lustre comments starting

with the character "@".

#+begin_latex

\begin{lstlisting}[language=lustre]

@ line comment

(*@ multi line

block comment

*)

\end{lstlisting}

#+end_latex

** Extended lustre/arithmethic expressions

33

We introduce here an extended flavour of lustre expressions: lustre expressions extended with quantification over basic datatypes and

34

string constants.

36

These expressions will be used to express preconditions and

37

postconditions over nodes input and output flows. Those conditions have to apply

38

on any non nil value of the flow ie. when the flow is defined.

The figure\ref{fig:expr} gives a BNF for such extended expressions

42

#+begin_latex

\begin{figure}

\begin{grammar}

<expression> ::= <constant>

\alt <ident>

\alt <int>  <float>  <bool>  <string>

\alt <unop> <expression>

\alt if <expression> then <expression> else <expression>

\alt <expression> <binop> <expression>

\alt '(' <expression> ( ',' <expression> )*')'

\alt <ident> '(' <expression> ( ',' <expression> )* ')'

\alt <quantifier> <var decl> ';' <expression>

55

<int> ::= ['0''9']+

57

<float> ::= ['0''9']+'.'['0''9']+

59

<bool> ::= 'true'  'false'

61

<string> ::= '\"' .* '\"'

63

<unop> ::= ''  'pre'  'current'  'not'

65

<binop> ::= <temporal ops>  <logical ops>  <arithm ops>

67

<temporal ops> ::= '>'  'when'

69

<logical ops> ::= 'xor'  '=>'  'or'  'and'  '='  '\textless\textgreater'  '\textless'  '\textless ='  '\textgreater'  '\textgreater ='

71

<arithm ops> ::= '*'  '/'  'mod'  'div'  '+'  ''

73

<quantifier> ::= 'forall'  'exists'

75

<var decl> ::= 'const'? <ident> (',' <ident>)* ':' <type> ( ';' 'const'? <ident> ':' <type> )*

77

<type> ::= 'int'  'bool'  'float'

\end{grammar}

\caption{Definition of extended lustre expressions}

\label{fig:expr}

\end{figure}

#+end_latex

84

*** String constants

86

String constants are part of the language. A valid expression could then be the

87

tuple

89

#+begin_latex

\begin{lstlisting}[language=lustre]

"blue", if x then y + 1 else node1 (x, y, z), 3.2 + z

\end{lstlisting}

#+end_latex

95

Those new string constants will be used to define parameters within annotations.

97

*** Quantifications

99

Lustre expression are lift to first order. The syntax to declare quantified

100

variables follow the variable declaration in node inputs and outputs:

102

#+begin_latex

\begin{lstlisting}[language=lustre]

ident: type

\end{lstlisting}

#+end_latex

108

The keywork const express the additional constraint:

109

#+begin_latex

\begin{lstlisting}[language=lustre]

ident = pre ident

\end{lstlisting}

#+end_latex

115

Quantified variables denote typed flows.

116


118

** Annotation identifiers

120

Annotation identifiers are usual alphanumeric identifiers extended with '.'.

122

** Key paths in annotation bindings

124

Keys in annotation declaration are either simple identifier or sequence of them

125

separated by "/":

127

/key/(key/)+ or key

129

* Node specification

131

Node specification are inspired from ACSL function contracts. A node will be

132

associated to a set of requirements and expected properties on the resulting

133

flows.

135

Scope: inputs, outputs

137

** Basic contracts

138

Requirements are expressed on input flows using the keyword /requires/

139

while expected behavior can either be defined

140

 with a first order boolean expression over the input flows and the output flows using the

141

keyword /ensures/ or

142

 with a synchronous observer specified in a separate lustre node, using the

143

keyword /observer/.

145

Synchronous observers allow more complex behavior specification since they

146

usually encode a safety property (or bounded liveness) composed with the system

147

state machine. For example, the use of observers allow to declare new variables

148

to express the property.

150

** Synchronous observers

151


The node associated to the keywork /observer/ should only produce boolean

153

154

interpreted as

155

\(

156

\bigwedge_{1 \leq i \leq n} o_i

157

158

where /observer\_node/ is defined as

159

\[

160

observer\_node (...) \ returns\ (o_1, .., o_n);

161

\]

163

** Multiple definitions

164

Multiple definitions of /requires/ or /ensures/ / /observer/ are interpreted as

165

syntactic sugar for conjunctions.

166

Eg, the following function specification

167

168

169

170

171

172

173

174

175

176

is equivalent to

177

178

179

180

181

182

183

185

** Clocks

186

Those pre and postconditions are only defined for the node

187

clock. Those conditions have to apply on any non nil value of the flow ie. when

188

the flow is defined.

189


190

TODO: give an example using when/current

191


192

** Extension: Behaviors

193


194

Similarly to ACSL function contracts, the node specifications could be defined

195

with sub behaviors.

196


197

TODO: expliquer context du assumes

198


199

TODO: concrete example with forall

200


201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

235

** Grammar

237

TODO

239

* Local node annotations

241

Annotations could denote functionnal properties such as invariants or non

242

functional ones, eg. heuristics, tool specific parameters ...

243


244

Scope: inputs, outputs, local variables, locally defined variables, internal

245

flows.

246


247

** Assigning names to subexpression

249

Annotations could be used within expression to allocate a new

250

identifier to a subexpression using the keyword /id/.

252

For example, in the equation defining $z$:

253


254

255

256

257

258

260

This new identifier /subexpr1/ will be associated to the data flow expression (c

261

or x >= y) and could be used within other annotations.

262


263

One can also use single annotations

264

265

266

267

268

269

271

** Assigning identifiers to node instances

272


273

A node /foo/ can be used multiple times in a given node. It can appear in

274

different equations:

275

276

277

278

279

280

282

Or multiple times in the same equation:

283

#+begin_latex

\begin{lstlisting}[language=lustre]

x = foo(2) + (if g then foo(3) else (foo(4) + foo(1)))

\end{lstlisting}

#+end_latex

289

Names could be associated to a subexpression denoting a node instance:

290


291

292

293

294

295

296

297

298

300

Numerical identifier could also be assigned to specific instances using the "#"

301

key

302


303

304

305

306

307

308

309

311

In the expression above and in all the current node, the identifier "foo1" will

312

refer to the instance defined as foo(3) and "foo2" to the instance defined as

313

foo(4).

314


316

** Generic Tree based annotations

317


318

Annotations can be defined in function body between the /let/ and the /tel/

319

construct. They can either be associated to the node when placed between

320

flow definitions, ie. equations, or locally to a subexpression.

321

Similarly to node specification, annotations are defined using single line

322

comments "@ ...." or multilines ones "(*@ .... *)"

324

Annotations are defined as pairs key > value where key denotes a path in a tree

325

of alphanumeric identifiers and value is an extended lustre expression (cf

326

section syntax). The key denotes a path in a hierarchy of identifiers. Values

327

are accumulated through annotation definitions and associated to key paths.

328


329

330

331

332

333

334

335

336

337

338

339

340

342

343

344

346

In the example above, annotations are not specifically linked to their nearest

347

equation but rather summarized at node level. Together, they define the

348

following tree of values

349


350

351

352

353

354

355

356

358

359

360


362

363

364

365


367

368

369

370

371

372

373

374

376

Multiple annotations assigning a value to the same key will be gathered.

377

The value is extended lustre expression as introduced in Section syntax. It can

378

range from the simpliest string value, eg. the pair color > "blue" to complex

379

tuples of extended lustre expressions.

380


381

** Default keys

383

Key are not prespecified and can be associated to each Lustre tool feature.

384

However the keywords /invariant/ and /observers/ should be used to define proof objectives or

385

rely on existing expected properties. They act as the /ensures/ contract of

386

node specifications but allow to access local flows and internal ones.

387


388

* Advanced features

389


390

** Addressing internal flows

391


392

Internal flows are usually innaccessible in Lustre. However in order to ease

393

some annotation definition, the value of all local flow of a node instance are

394

available through named paths.

395


396

Let us consider a node foo with a local variable x, and the following expression

397

398

399

400

401

403

Then the variable x of this specific instance of the node foo could be accessed

404

through the identifier expression foo5.x

405


406

Recursively, if the node foo relies on an instance of node bar, identified as

407

"bar3", the local variable y of the instance bar3 of the node bar used in the

408

instance foo5 of node foo could be accessed through the expression:

409


410

411

412

413

414

416

Either numerical identifiers of node instances bound with '#' or names defined

417

with the 'id' key  again only for node instances  could be used to describe

418

such internal flows.

419


421

Example 1

423

424


429

* Grammar
