copilot-sbv Another back-end that translates to SBV, using its code generator to generate hard real-time C code as well, with ACSL contracts, for the value-analysis plugin and compiling the code with CompCert.

Copilot is a stream (i.e., infinite lists) domain-specific language (DSL) in Haskell that compiles into embedded C. Copilot is similar in spirit to languages like Lustre. Copilot contains an interpreter, multiple back-end compilers, and other verification tools.

Please see the files under the Examples directory in the Copilot for a number of examples showing the syntax, use of libraries, and use of the interpreter and back-ends. The examples is the best way to start.

The Copilot library is cabalized. Assuming you have cabal and the GHC compiler installed (the Haskell Platform is the easiest way to obtain these), it should merely be a matter of running

     cabal install copilot-sbv

However, we strongly recommend you install Copilot, which installs copilot-sbv and other packages automatically. Execute

     cabal install copilot

copilot-sbv depends on the latest SBV library to generate hard real-time C code. It is recommanded to obtain it from the git repository, and compile it yourself (ghc 7.10 needed).

For the ACSL , you need an up-to-date frama-c (Sodium), and the value analysis plugin that goes with. Run to verify :

     make fval

For compiling it with CompCert, you need to install it, install the Standard C library for it, wait until SBV allows you to change the compiler (or do it manually by changing the makefile generated), and run the following command :

     make all

There is also a splint support for the project. You need to install splint and run :

     make splint

copilot-sbv generates automatic ACSL contracts for all functions and for global variables (in the form of global invariants, which needs an up to date value analysis plugin for frama-c). The most important part of generating contracts is transforming an expression about queues (such as drop 1 s1 + 3) into a ACSL contract. This is done by a pretty printer, which translates each construct of the language into its ACSL equivalent. However, some features are not implemented in the plugin yet, but are specified by ACSL (logical predicates ...). This may result in a verification status "unknown" for predicates containing these expressions. Some are not specified at all (asinh, ...), hence it compiles in a predicate that has to be user defined when implemented.

Casts are badly supported (unknown status), hence it is recommanded to avoid them. Remember, your computer has more than 8kb of memory since 1980, use it !

Floats are very badly supported by SBV (only constant floats can be operands of floating functions). Some issues are beeing fixed about that.

copilot-sbv is available on Hackage.

Sources for each package are available on Github as well. Just go to Github and search for the package of interest. Feel free to fork!

Copilot is distributed with the BSD3 license. The license file contains the BSD3 verbiage.

We are grateful for NASA Contract NNL08AD13T to Galois, Inc and the National Institute of Aerospace, which partially supported this work.