The design of embedded real-time systems requires specific toolchains to guarantee time constraints and safe behavior. These tools and their artifacts need to be managed in a coherent way all along the design process and need to address timing constraints and execution semantic in a holistic way during the system’s modeling, verification, and implementation phases. However, modeling languages used by these tools do not always share a common semantic. This can introduce a dangerous gap between what designers want to express, what is verified and the behavior of the final executable code. In order to address this problem, we propose a new toolchain, called Hippo, that integrates tools for design, verification and execution built around a common formalism.

Our approach is based on an extension of the Fiacre specification language with runtime features, such as asynchronous function calls and synchronization with events. We formally define the behavior of these additions and describe a compiler to generate both an executable code and a verifiable model from the same high-level specification. The execution of the resulting code is supported by a dedicated execution engine that guarantees real-time behavior and that reduces the semantic gap between high-level models and executable code.

We illustrate our approach with a non-trivial use case: the autonomous navigation of a Segway RMP440 robotic platform. We describe how we derive a Hippo model from an initial specification of the system based on the robotics programming framework

嵌入式实时系统的设计需要特定的工具链来保证时间限制和安全行为。这些工具及其工件需要在整个设计过程中以一致的方式进行管理，并且需要在系统的建模、验证和实施阶段以整体方式解决时序约束和执行语义。然而，这些工具使用的建模语言并不总是具有共同的语义。这可能会在设计人员想要表达的内容、经过验证的内容和最终可执行代码的行为之间引入危险的差距。为了解决这个问题，我们提出了一个名为Hippo的新工具链，它集成了围绕通用形式构建的设计、验证和执行工具。

我们的方法基于具有运行时功能的Fiacre规范语言的扩展，例如异步函数调用和事件同步。我们正式定义了这些添加的行为，并描述了一个编译器，用于从相同的高级规范生成可执行代码和可验证模型。结果代码的执行由专用执行引擎支持，该引擎保证实时行为并减少高级模型和可执行代码之间的语义差距。

我们用一个重要的用例来说明我们的方法：Segway RMP440 机器人平台的自主导航。我们描述了如何从基于机器人编程框架的系统初始规范中推导出Hippo模型