Pipit on the Post: Proving Pre- and Post-Conditions of Reactive Systems

Abstract

Synchronous languages such as Lustre and Scade are used to implement safety-critical control systems; proving such programs correct and having the proved properties apply to the compiled code is therefore equally critical. We introduce Pipit, a small synchronous language embedded in F✶, designed for verifying control systems and executing them in real-time. Pipit includes a verified translation to transition systems; by reusing F✶’s existing proof automation, certain safety properties can be automatically proved by k-induction on the transition system. Pipit can also generate executable code in a subset of F✶ which is suitable for compilation and real-time execution on embedded devices. The executable code is deterministic and total and preserves the semantics of the original program. Show more