A Formally Verified Compiler for Lustre

These source files contain the implementation, models, and proof of correctness of a formally verified Lustre compiler

This file contains instructions for (i) using the compiler from (ii) a local opam installation.

The examples/ subdirectory contains another readme file presenting several example programs that can be used to test the compiler.

The pre operator used in many Lustre programs is not yet treated. An uninitialized delay pre e must be replaced by an initialized one 0 fby e.

Compiler error messages are still very brutal. In particular the parser only reports syntax errors with a line number and character offset. We will implement more helpful messages when we have finalized one or two remaining details of the final language.

Using the compiler

To run the compiler:

./velus -h

In particular, typing

./velus examples/count.lus

will compile the Lustre program in examples/count.lus into an assembler program examples/count.s.

The compiler also accepts the options

• -dnolast Output the Lustre code after compilation of last declarations into .nolast.lus

• -dnoauto Output the Lustre code after compilation of state machines into .noauto.lus

• -dnoswitch Output the Lustre code after compilation of switch blocks into .noswitch.lus

• -dnolocal Output the Lustre code after inlining of local scopes into .nolocal.lus

• -dnlustre Output the normalized NLustre code into .n.lus

• -dstc Output the Stc intermediate code into .stc

• -dsch Output the scheduled code into .sch.stc

• -dobc Output the Obc intermediate code into .obc

• -dclight Output the generated Clight code into .light.c

• -nofusion Disable the if/then/else fusion optimization.

• -sync Generate an optional main_sync entry point and a .sync.c containing a simulation that prints the outputs at each cycle and requests inputs. In contrast to main_proved, this entry point is not formally verified but it is useful for testing the dynamic behaviour of compiled programs. See examples/Makefile for examples.

Local installation

Using opam

Vélus has been implemented in Coq.8.20.1. It includes a modified version of CompCert and depends on menhir.

To build a self-contained installation for compiling and running Vélus, we recommend installing an ad-hoc opam directory:

$ git clone https://github.com/INRIA/velus
$ cd velus
$ git submodule --init --recursive
$ opam switch create velus --packages=ocaml.4.14.2,coq.8.20.1
$ eval $(opam env --switch=velus --set-switch)
$ opam install -j ocamlbuild menhir ocamlgraph

To check the proofs and build Vélus:

$ ./configure [options] <target>
$ make -j # Uses all the available cores

The <target> must be one of the supported target platforms of CompCert.

Configuration options

The configuration script has the same options as CompCert's with the following specfic to Vélus:

• -velus-only Only compile Vélus (and not CompCert). This option may be useful with -compcertdir.

• -compcertdir Overrides the default path to the directory containing your local version of CompCert.

• -flocqdir Set the path to the directory containing Flocq if you're not using the one packaged in CompCert.

• -menhirlibdir Set the path to the directory containing MenhirLib if you're not using the one packaged in CompCert.

Using nix

If you are using the nix package manager, you can directly compile Vélus using the flake with the command nix build. This does not require a local version of CompCert to build.