Table Of ContentExtending a User Interface Prototyping Tool with Automatic
MISRA C Code Generation
GioacchinoMauro
DepartmentofInformationEngineering,UniversityofPisa,Pisa,Italy
giocchi27@gmail.com
HaroldThimbleby
SwanseaUniversity—PrifysgolAbertawe,Swansea/Abertawe,UK
harold@thimbleby.net
AndreaDomenici CinziaBernardeschi
DepartmentofInformationEngineering,UniversityofPisa,Pisa,Italy
{cinzia.bernardeschi,andrea.domenici}@unipi.it
Weareconcernedwithsystems,particularlysafety-criticalsystems,thatinvolveinteractionbetween
usersanddevices,suchastheuserinterfaceofmedicaldevices. WethereforedevelopedaMISRAC
code generator for formal models expressed in the PVSio-web prototyping toolkit. PVSio-web
allowsdeveloperstorapidlygeneraterealisticinteractiveprototypesforverifyingusabilityandsafety
requirementsinhuman-machineinterfaces. Thevisualappearanceoftheprototypesisbasedona
pictureofaphysicaldevice,andthebehaviouroftheprototypeisdefinedbyanexecutableformal
model. OurapproachtransformsthePVSio-webprototypingtoolintoamodel-basedengineering
toolkitthat,startingfromaformallyverifieduserinterfacedesignmodel,willproduceMISRACcode
thatcanbecompiledandlinkedintoafinalproduct. Aninitialvalidationofourtoolispresentedfor
thedataentrysystemofanactualmedicaldevice.
1 Introduction
Formalmethodsareimportantfordevelopingandunderstandingsafeandsecuresystems. ThePVSio-web
framework [20, 21, 22, 26] allows developers to use formal methods in a friendly and appealing way
asitprovidesrealisticanimationsandisintegratedwithagraphicaleditorfortheEmuchartslanguage
[23]. (Emuchartsisastatemachineformalismwithguardsandactionsassociatedwithtransitions;itis
explainedfurtherinSect.3.4below.)
PVSio-web uses the formal modelling language of the Prototype Verification System (PVS) [27],
includingthePVSioextension[24]. PVSisanindustrial-strengththeoremprovingsystemthatallows
formalverificationofsafetyandreliabilitypropertiesofhardwareandsoftwaresystems[5,31]. Although
PVS itself is very effective, it is not widely used for model-based development and analysis of user
interfaces,asthetoolhasasteeplearningcurve. PVSio-websoftensthislearningcurve,makingthetool
moreuser-friendlyandaccessible,providingdeveloperswithagraphicalmodellingenvironment,anda
toolboxfordevelopingrealisticvisualprototypesofuserinterfaces.
Theapplicationsofembeddedsoftwareinsafety-criticalapplicationsincreasecontinuously. Taking
thisintoaccount,togetherwiththerequirementstoreducetimeandoverallproductioncosts,automatic
code generation plays an essential role. Automatic code generation guarantees a smooth conversion
C.Dubois,P.Masci,D.Méry(Eds.):F-IDE2016
EPTCS240,2017,pp.53–66,doi:10.4204/EPTCS.240.4
54 MISRACcodegeneration
PVS environment
PVSio−web Proof
Theorem
Prover
Developer
Emucharts PVS Model Editor
Simulation
Editor generator
Ground
Evaluator
PVS theory
HB Templates
Emucharts C Code
Model
C Code
Generator
Figure1: CcodegenerationinthePVSio-webdevelopmentprocess.
frommodeltocodeandreducesthedebuggingandtestingrequiredforsourcecode,providedthatthe
correctnessofcodegenerationandofthehigh-levelmodelhavebeenverified.
WethereforepresentanextensiontoPVSio-webthatgeneratesCcode. Specifically,ourextension
generatesMISRAC[1],asafety-orientedsubsetofCdevelopedbytheMotorIndustrySoftwareReliability
Association(MISRA). MISRACiscommonlyusedinsafety-criticalsubsystems,suchascarbrakingin
automotivesystems.
With this new extension, formal PVS specifications generated from Emucharts diagrams are auto-
maticallyconvertedtoC,significantlyshorteningprojectdevelopmenttime. Becauseoftheapproach,
thesemanticsofgeneratedCcodeisequivalenttotheformalmodels,andthereforethecoderetainsthe
reliabilityandsafetypropertiesformallyverifiedforthePVSmodel.
In summary, our main contribution is an approach to software development that integrates logic-
andstatemachine-basedformalmodelling,validationbysimulation,andautomaticimplementationby
generatingproductioncodetoberunontheactualsystemhardware,allbasedonanindustrial-strength
formalmethodstoolkit.
2 Related work
Model-basedapproachesarecommonlyusedinthefieldofhumancomputerinteraction,forexample[13].
Mostapproachesarefocusedondescribinguserinterfacesandtheirimplementationsatvariouslevelsof
abstraction. Developersofuserinterfacesforinteractivesystemsalsohavetoaddressheterogeneityand
adaptationtothecontextofuse. Forexample,in[29],amodel-baseddeclarativelanguageforthedesign
ofinteractiveapplicationsbasedonWebservicesinubiquitousenvironmentswaspresented. Incontrast
tothesefamiliarapproaches,thepresentworkproposesaframeworkenablingaformalverificationof
userinteraction. Theframeworkismeantforsafetyanalysisofsafety-criticaldevicesandnotwithuser
interfacedesignissuesasdiscussedin[29],
Similarlytoourapproach,formalmodelswereusedin[6]todescribefunctionalityandcomponent
interactions,wheretheywerecombinedwithuserinterfacemodelsinordertogettheentiremodelofthe
G.Mauro,H.Thimbleby,A.Domenici&C.Bernardschi 55
system. Moreover,anAndroidemulatorapplicationwasgenerated,usingJavaandXMLtechnologies.
Presentationmodelsandpresentationinteractionmodelswereusedin[9]tomodelinteractivesoftware
systems;thesemodelswereshowntobeusablewithaformalspecificationofthesystemfunctionality. In
[7]thesameformalismswereusedtomodelusermanualsofmodalmedicaldevices,provingthattheuser
manualmaybenotalwaysconsistentwithactualdevicebehaviour.
In [17], model checking was used to model and prove properties of specifications of interactive
systemssothatpossiblyunexpectedconsequencesofinterfacemodechangescanbecheckedearlyin
the design process. In [19], the complementary role of model checking and theorem proving in the
analysisofinteractivedeviceswasconsidered. Recentwork[16]exploredthepathsthatauserwilltakein
interactingwithmedicaldevicesfortheanalysisofpropertiesofthebehaviourofsafety-criticaldevices.
Amodel-checkingapproachhasalsobeenusedtoanalysehardwarebehaviour[4].
Adiscussionofproductioncodegenerationinmodel-baseddevelopmentcanbefoundin[11]. Many
papers deal with specific code generators, for example TargetLink [3]. Code generators specifically
designedformedicalsystemsaredescribedin[2]and[28].
3 PVS, model-driven development and Emucharts
This section provides background information on the PVSio-web framework and its relationship to
model-drivendevelopment.
3.1 PVS,thePrototypeVerificationSystem
ThePVSisaninteractivetheoremproverforatypedhigher-orderlogiclanguage,providinganextensive
setofinferencerulesbasedonthesequentcalculus[30]. ItsPVSioextensionisagroundevaluatorthat
cancomputetheresultsofgroundfunctionapplications,thatisPVSexpressionsconsistingofafunction
nameappliedtovariable-freearguments. PVSfunctionsarepurelydeclarativedefinitionsofmathematical
mappings, without any procedural information on how to compute them, but the PVSio package can
derive and execute an algorithm to evaluate a ground function application, turning it into a procedure
call. ThePVSiopackagealsoprovidesfunctionswithsideeffects,suchasinputandoutput,whichdonot
interferewiththesemanticsofatheory.
A system is modelled in PVS as a theory, a collection of logical statements and definitions about
thestructuralandbehaviouralaspectsofthesystem. Thesystem’srequiredpropertiesareexpressedas
theoremstobeverifiedwiththePVStheoremprover. Ifthebehaviouralaspectsareexpressedasfunctions,
thesystemcanalsobesimulatedwiththePVSioextension. Thesamelogicalmodelcanthenbeused
bothforverificationandsimulation.
3.2 Model-drivendevelopment
Model-driven development (MDD) is based on creating an executable system model by assembling
functionalblocks. Anexecutablemodelmakesitpossiblebothtosimulatethesystemandtogenerate
production software to control it. Together with the naturalness of the graphic language of functional
blocks,thesefeaturesmakeMDDveryattractivetodevelopers. However,thisapproachhastwolimits:
first,functionalblockslendthemselvestobuildingdesignmodels,butnotspecificationones;andsecondly,
formalverificationofablock-basedmodelistedious,andinfactitisuncommoninindustrialpractice.
A formal approach can be used to create both specification and design models and intrinsically
lends itself to rigorous verification of system properties. In particular, logic specification languages,
56 MISRACcodegeneration
suchasPVS,aresupportedbyautomaticorinteractivetheoremproversusedbydeveloperstocheckif
systemrequirements,expressedaslogicalformulas,areimpliedbyasystem’sdescriptionexpressedina
logictheory. However,formalmethodsrequireexpertiseinlanguagesandmethodsthatarenotwidely
known in the wider developer community. Further, most formal languages abstract from the familiar
procedure-orientedcomputationmodelofpopularprogramminglanguages,makingithardertogenerate
executablesoftware.
Itisthendesirabletohavetoolsandmethodsprovidingdeveloperswiththefeaturesofbothapproaches.
The present work is part of a research effort aimed at this goal. With the PVSio-web framework, a
developercanbuildamodelinagraphicalstate-machinelanguageoralogiclanguage,orboth(Sect.3).
Thegraphicalmodelistranslatedintothelogiclanguageautomatically,andtheresultingtranslationis
both verifiable and executable using the PVSio ground evaluator, which acts as an interpreter for the
PVS language. The PVSio-web framework thus provides features of the formal approach: A formal
specification language and a verification tool, and features of MDD, thus providing a full graphical
modelling language and a simulation engine. A translator from Emucharts to C makes it possible to
generate code from a state machine-based model that can be validated by simulation and verified by
theoremproving. TheotherimportantfeatureofMDD—generationofproductioncodecapabletobe
runontheactualsystemhardware—isakeycontributionofthispaper.
3.3 PVSio-web
ThePVSio-webframeworkisasetoftools,co-ordinatedbyaweb-basedinterface,forprototypingand
simulationofinteractivedevices. Itsmaincomponentsare, besidesPVSwithitsPVSioextension: (i)
thePrototypeBuilder, agraphicaltoolusedtochooseapictureofanexistingoranticipateddevice’s
front panel and to associate PVS functions with active areas of the picture representing device inputs
(e.g., buttons or keys) and outputs (e.g., alphanumeric displays or lights); (ii) the Model Editor, a
textual interface to write PVS code; (iii) the Emucharts Editor, a graphical tool to draw Emucharts
statemachinediagrams;(iv)aSimulationEnvironment;and(v)CodeGeneratorsforPVSandother
formallanguages(currentlyPresentationInteractionModels[8],ModalActionLogic[15],andVienna
DevelopmentMethod[12])—andforMISRAC,aspresentedinthispaper.
PVSio-webcanbeusedtoprototypeanewdeviceinterface,ortocreateareverse-engineeredmodel
ofanexistingone. Ineithercase,adevelopercreatesformaldescriptionsofthedevice’sresponsestouser
actions,usingthemodelandEmuchartseditors,andassociatesthesedescriptionswiththeactiveareasof
thesimulatedinterface,usingtheprototypebuilder. Inthesimulationenvironment,thedeveloper,ora
domainexpertorapotentialuser,interactswiththeprototypeclickingontheinputwidgets. Theseactions
aretranslatedtoPVSfunctioncallsexecutedbythePVSiointerpreter.
3.4 Emucharts
An Emucharts diagram is the representation of an extended state machine in the form of a directed
graph composed of labelled nodes and transitions. Transitions are labelled with triples of the form
trigger[guard]{action},wheretriggeristhenameofanevent,guard isanenablingBooleanexpression,
andactionisasetofassignmentstotypedvariablesdeclaredinthestatemachine’scontext. Thedefault
guardisthetruevalueandthedefaultactionisano-operation. Thestateofthemachineisdefinedbythe
currentnodeandthecurrentvaluesofthecontextvariables.
The code generator for PVS produces a theory containing functions that define the state machine
behaviourontheoccurrenceoftriggerevents. SinceanEmuchartsdiagramusuallyrepresentsadevice
G.Mauro,H.Thimbleby,A.Domenici&C.Bernardschi 57
Figure2: ThePVSio-webuserinterfacewiththePrototypeBuilderandEmuchartsEditorframes.
responsetouseractions,sucheventsrepresentuseractions,suchaspressingabuttononacontrolpanel.
DuringsimulationonaPC,auserclickonanactiveareaofthedevicepicturecausesthesimulatorto
generateafunctionapplicationexpressionthatispassedtothePVSiogroundevaluator.
4 From Emucharts to safe C
The aim of programming code generation in the PVSio-web framework is producing a module that
implements the user interface of a device, which can be compiled and linked into the device software
withoutanyparticularassumptionsonitsarchitecture. Inthisway,theuserinterfacemodulecanbeused
withoutforcingdesignchoicesontherestofthesoftware. Inourapproach,thegeneratedmodulecontains
asetofCfunctions. Themainonesare,foreachEmuchartstrigger: (i)apermissionfunction,tocheckif
thetriggereventispermitted,i.e.,whetheritisassociatedwithanytransitionfromthecurrentstate,and
(ii)atransitionfunctionthat,accordingtothecurrentstate,updatesit,providedthattheguardcondition
ofanoutgoingtransitionholds. Thecodeincludeslogicallyredundanttests(assertmacros)toimprove
robustness.
Togenerateproduction-qualitycodefitforsafety-criticalapplicationsweadoptMISRAguidelines.
The MISRA guidelines for the C language, originally conceived for the automotive industry, enforce
programmingpracticestoimprovemaintainabilityandportabilityand,aboveall, toreducetheriskof
malfunctionduetoimplementation-orplatform-dependentaspectsoftheClanguage. Forinstance,there
arerulesthatbartheuseofconstructssuchasgoto,andrulesrequiringthatnumericliteralsbesuffixed
toindicatetheirtypeexplicitly. Thegeneratedcodecurrentlycomplieswiththefirstversionofthe1998
MISRACguidelines.
58 MISRACcodegeneration
(cid:104)headerfile(cid:105) ::= (cid:104)preprocessor_directives(cid:105)
[(cid:104)constant_definitions(cid:105)]
(cid:104)typedef_definitions(cid:105)
(cid:104)state_labels_enum(cid:105)
(cid:104)state_structure(cid:105)
(cid:104)utility_functions(cid:105)
(cid:104)init_function(cid:105)
(cid:104)permission_functions(cid:105)
(cid:104)transition_functions(cid:105)
Table1: Structureofaheaderfile. Non-terminalsymbolsareenclosedbetweenanglebrackets;square
bracketsencloseoptionalsymbols.
4.1 Codegeneration
OurMISRACcodegeneratorwasimplementedinJavaScriptusingHandlebars[14],amacro-expansion
toolforwebapplications. AHandlebarstemplateisapieceoftextcontaining“Handlebarexpressions,”
whichrefertoelementsofthesurroundingcontext,typicallyanHTMLdocument. AHandlebarsexpres-
sionspecifiesacharacterstringasafunctionofcontextelements,whichiscompiledintoaJavaScriptfunc-
tionthatreturnsthetemplatetextwiththesubstitutionscomputedbytheHandlebarsexpressions. Forex-
ample,atemplatefragmentforaCpreprocessor#includedirectiveis#include "{{filename}}.h",
wheretheHandlebarsexpression{{filename}}containsthefilenameparameterthatwillbereplaced
bytheactualnameofthefiletobeincluded.
Thecodegeneratorproducesaheaderfile,animplementationfile,amakefile,asimpletestdriverfile,
andadocumentationmanual.
ThestructureoftheheaderfileisdefinedbythegrammarinTable1. Theheaderfilecontains,among
otheritems,thedeclarations(typedef_definitionsinthegrammar)fortypeswithexplicitrepresentation
of size and sign, e.g., UC_8, for eight-bit unsigned char, the declaration (state_labels_enum) for an
enumerationtypedefiningthenodelabels,andthedeclaration(state_structure)forthestatestructuretype
representingthestateoftheEmuchartsmodel. Thisstructurecontainsonecontextfieldforeachvariable
definedintheEmuchartscontext,andtwomorefields(curr_nodeandprev_node)containthelabelsof
thecurrentandthepreviousnode.
Thedeclarationsarefollowedbythefunctionprototypesofthetwoutilityfunctionsenterandleave,
theinitfunction,and,foreachtrigger,onepermissionandonetransitionfunction. Thefunctionsreceivea
pointertoastructureoftypestatepassedbyacallingprogram. Theenterandleavefunctions,calledby
theinitandtransitionfunctions,updatethecurr_nodeandprev_nodefields,respectively,withthetarget
andsourcenodelabeloftheexecutedtransition. Theleavefunctionhasbeenintroducedtoallowfuture
versionstoimplementcheckpointingalgorithms. Theinit functioninitialisesthestate’scontextfields
withthevaluesofthecontextvariablesspecifiedintheEmuchartsdiagram,andthecurr_nodefieldwith
thelabeloftheinitialnode. Asmentionedabove,eachpermissionfunctionchecksifthecurrentnodehas
atransitionlabelledbytherespectiveevent. Then,thematchingtransitionfunctionchoosesamongthe
transitionstriggeredbythatevent,accordingtotherespectiveguards(assumedtobemutuallyexclusive).
The implementation file contains the function definitions. For example, consider the Emucharts
diagram of the data entry system of the Medtronic MiniMed 530G System shown in Figure 3. The
diagramhasacontextvariabledisplayoftypedoublerepresentedon64bits,whichholdsthevalueshown
onthedevice’sdisplay. Thenodelabelsandthestatetypearedefinedas
G.Mauro,H.Thimbleby,A.Domenici&C.Bernardschi 59
Figure3: EmuchartsdiagramfortheMedtronicMiniMed530Gdataentrysystem.
typedef enum { off, on } node_label;
typedef struct {
D_64 display;
node_label curr_node;
node_label prev_node; } state;
Thecodeforthepermissionfunctionassociatedwiththeclick_UPtriggeris
UC_8 per_click_UP(const state* st) {
if (st->current_state == on) {
return true;
}
return false;
}
where the return type UC_8 (eight-bit unsigned character) is used to represent the Boolean type. The
transitionfunctionis
state click_UP(state* st) {
assert(st->current_state == on);
assert(st->display < 10 || st->display == 10);
if (st->display < 10 && st->current_state == on) {
leave(on, st);
st->display = st->display + 0.1f;
enter(on, st);
assert(st->current_state == on);
return *st;
}
if (st->display == 10 && st->current_state == on) {
leave(on, st);
st->display = 10.0f;
enter(on, st);
60 MISRACcodegeneration
assert(st->current_state == on);
return *st;
}
return *st;
}
AproofofthecorrectnessofthistranslationschemaisshowninAppendixA.
5 Case study
TheAlarisGP,madebyBectonDickinsonandCompany,wasusedasacasestudyfortheMISRACcode
generator.
This volumetric infusion pump is a medical device used for controlled automatic delivery of fluid
medicationorbloodtransfusiontopatients,withaninfusionraterangebetween1ml/hand1200ml/h. It
hasamonochromedotmatrixdisplaywiththreesignificantdigits,andhas14buttonsforoperatingthe
device(seeFigure4). Thepumphasarathercomplexuserinterface,withdifferentmodesofoperation
andwaysofenteringdata,includingthepossibilityofchoosingfromalistofpreloadedtreatments. For
simplicity,inthispaperonlytheessentialpartofthedataentryinterface,concerningnumericalinputand
display,isconsidered.
Numericalinputisdonethroughthechevronsbuttons: upwardanddownwardchevronsincreaseand
decrease, respectively, the displayed value. The amount by which the value is increased or decreased
depends on whether a single or double chevron is pressed, and on the current displayed value. More
precisely, thedisplayed valueis changedas follows: (i)If thedisplayed valueis below 100, the value
changesby0.1unitsforasinglechevron,andstepsupordowntothenextdecadeforadoublechevron
(e.g.,from9.1to10.0);(ii)ifthedisplayedvalueisbetween100and1,000,thevaluechangesby1unit
forasinglechevron, andstepsupordowntoavalueequaltothenexthundredplusthedecadeofthe
displayedvalueforadoublechevron(e.g.,from310or315to410);(iii)ifthedisplayedvalueis1,000or
above,thevaluechangesby10unitsforasinglechevron,andstepsupordowntoavalueequaltothe
nexthundredforadoublechevron(e.g.,from1,010or1,080to1,100).
TheEmuchartsdiagramforthenumericdataentryisshowninFig.5. Triggersclick_alaris_upand
click_alaris_dnrepresentclicksontheupwardanddownwardsingle-chevronbuttons,respectively,and
triggers click_alaris_UP and click_alaris_DN represent clicks on the double-chevron ones. For each
event,combinationsofguardsandactionsspecifytherulesdescribedabove.
The PVS code generator translates the diagram into an executable logic theory, and the C code
generatorproducespermissionandtransitionfunctionsforeachtrigger,asexplainedpreviously.
5.1 Mobileapplications
The PVSio-web framework uses a standard web interface to integrate its tools: this approach offers a
uniforminterfacethatadevelopercanaccesswithanywebbrowser.
Our framework has been extended by providing the possibility to run simulations on a mobile
device. Smartphonesandtabletsimproveusabilityandhelpmakeuserinteractionsimilartoactualdevice
operation. Forexample,mobiledevicescouldbeusedinahospitalenvironmenttotrainmedicalpersonnel
andpatients.
AninteractivedevicecanbesimulatedusingtheCsourcecodeproducedbythePVSio-webgenerator,
compiledandlinkedwithamobiledevice-specificapplication. Forexample,thecodefortheuserinterface
G.Mauro,H.Thimbleby,A.Domenici&C.Bernardschi 61
Figure4: FrontpaneloftheAlarisGPinfusionpump.
oftheAlarisinfusionpumphasbeenportedtotheAndroid[10]platformusingtheAndroidNDK[25]
toolset,whichcanembedCcodeinaJavaproject,relyingontheJavaNativeInterface(JNI)[18].
6 Conclusions
WepresentedtheimplementationofourMISRACcodegeneratorforthePVSio-webprototypingtoolkit.
Automaticcodegenerationsignificantlyreducesprojectdevelopmenttime. Ourapproacheliminatesa
human-performedstepinthedevelopmentprocess: userinterfacesoftwareengineersnolongerneedto
convertthedesignspecificationsintoexecutabletargetcode.
Our tool improves the development of safe and dependable user interfaces, as it greatly facilitates
usingformalmethodseasilyandreliablywithrealUIs,whichwedemonstratedwiththemedicaldevice
examplesinthispaper.
CurrentandfuturedirectionsincludeimprovingthisinitialintegrationwithotherfeaturesofC,still
conformant to MISRA C under the most recent 2012 rules. We plan to develop code generators for
programminglanguagessuchasC++,JavaandADA.
62 MISRACcodegeneration
Figure5: Emuchartsdiagramfornumericdataentry.
Acknowledgements
ThisworkwaspartiallysupportedbythePRA2016project“AnalysisofSensoryData: fromTraditional
SensorstoSocialSensors”fundedbytheUniversityofPisa.
References
[1] MotorIndustrySoftwareReliabilityAssociation(1998): GuidelinesfortheUseoftheCLanguageinVehicle
BasedSoftware. MotorIndustryResearchAssociation.
[2] Ayan Banerjee & Sandeep K. S. Gupta (2014): Model Based Code Generation for Medical Cy-
ber Physical Systems. In: 1st Workshop on Mobile Medical Applications (MMA ’14), pp. 22–27,
doi:10.1145/2676431.2676646.
[3] M.Beine,R.Otterbach&M.Jungmann(2004): Developmentofsafety-criticalsoftwareusingautomaticcode
generation. TechnicalReport,SAETechnicalPapers,doi:10.4271/2004-01-0708.
[4] C.Bernardeschi,L.Cassano,A.Domenici&L.Sterpone(2013): UnexcitabilityAnalysisofSEUsAffecting
theRoutingStructureofSRAM-basedFPGAs. In: Proc.ofthe23rdACMGreatLakesSymposiumonVLSI,
GLSVLSI’13,pp.7–12,doi:10.1145/2483028.2483050.
