Translation Validation

Translation Validation A.Pnueli M.Siegel E.Singerman

Motivation • Prove that high level specification is correctly implemented in low level code. • Verifying compiler is not feasible. • Development freezing. Solution: Translation Validation

Translation Validation After each compiler run verify that the target code produced on this run correctly implements the source code.

Necessary Ingredients • A common semantic framework. • Notion of “correct implementation”. • A proof method. • Automation of the proof method.

Example logical DEC_iterate() { l0: h1C = TRUE; l1: h2C = ZNC <= 1; l2: if (h2C) l2.1: read(FBC); l3: if (h2C) l3.1: NC = FBC; else l3.2: NC = ZNC - 1; l4: write(NC); l5: ZNC = NC; return TRUE; } process DEC = ( ? integer FB ! integer N ) ( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end

FB :  N : ZN : 1 FB : 3 N : 3 ZN : 1 FB :  N : 2 ZN : 3 FB :  N : 1 ZN : 2 FB : 5 N : 5 ZN : 1 FB :  N : 4 ZN : 5 … FB : * N : * ZN : 1 h1 : * h2 : * pc : l0 FB : * N : * ZN : 1 h1 : t h2 : t pc : l2 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1 FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5 … FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2 FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5 …

Common Semantic Framework Synchronous Transition System S = (V,O,Θ, ρ) • V a set of state variables • O  V a set of observable variables • Θ an initial condition characterizing the initial states of the system • ρ a transition relation, relating a state to its possible successors

process DEC = ( ? integer FB ! integer N ) ( | N := FB default (ZN-1) | ZN := N $ 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end V = {FB,N,ZN,m.ZN} Θ = (FB =  N =  ZN =  m.ZN = 1) N’ = if FB’  then FB’ else ZN’ -1  m.ZN’ = if N’  then N’ else m.ZN  ZN’ = if N’  then m.ZN else   ZN’  1  FB’   =

V = {FBC,NC,ZNC,h1C,h2C} Θ = (ZNC = 1  pc = l0) (pc=l0 h1’C=T  pc’=l1  pres_but(pc.h1c))  (pc=l1  h2’C=(ZNC 1)  pc’=l2 pres_but(pc,h2C))  (pc=l2 h2C  pc’=l2.1 pres_but(pc))  (pc=l2h2C pc’=l3 pres_but(pc))  (pc=l2.1 pc’=l3 pres_but(pc,FBC))  (pc=l3 h2C pc’=l3.1 pres_but(pc))  (pc=l3h2C pc’=l3.2 pres_but(pc))  (pc=l3.1 N’C=FBC pc’=l4 pres_but(pc,NC))  (pc=l3.2 N’C=ZNC–1  pc’=l4 pres_but(pc,NC))  (pc=l4 pc’=l5 pres_but(pc))  (pc=l5 ZN’C=NC pc’=l0 pres_but(pc,ZNC)) C= logical DEC_iterate() { l0: h1 = TRUE; l1: h2 = ZN <= 1; l2: if (h2) l2.1: read(FB); l3: if (h2) l3.1: N = FB; else l3.2: N = ZN - 1; l4: write(N); l5: ZN = N; return TRUE; }

STS computation Let A = (V,O,Θ, ρ) • s[v] – a value state s assigns to each variable vV. • σ: s0,s1… - A computation s0|= Θ (si,si+1) |= ρiN • ||A|| - the set of computations of A.

Defining Refinement OAOC A = (VA,OA,ΘA, ρA) C = (VC,OC,ΘC, ρC) Clocked interface mapping: I: C OA xOA, sC. I(s)[x]=s[x] or I(s)[x]= Definition: C refines A if there exists a clocked interface mapping I from C to A such that I(||C||)||A||O.

Proving Refinement Clocked refinement mapping from C to A: f: C A xOA, sC. f(s)[x]=s[x] or f(s)[x]= Theorem: C refines A if there exists a clocked refinement mapping f: C A such that • sC . s|= ΘC f(s) |= ΘA • s,s’ Cr . (s,s’)|= ρC (f(s),f(s’))|= ρA Such f called inductive.

Proof Rule • : VA (VC) sA  ā(sC) For  - state formula over VA: ā(sC)|=  iff sC|= [] For assertion inv and substitution  : VA E(VC) R1. ΘC inv inv holds initially R2. inv  ρC inv` inv is propagated R3. ΘC  ΘA[] Initiation R4. inv  ρC  ρA[] Propagation R5. inv (v[] = v  v[] = ) vOA C refines A

Translation Validation: from Signal to C A.Pnueli O.Shtrichman M.Siegel

Observation Functions and Correct Implementation A = (VA,ΘA,A,OA) C = (VC,ΘC,C,OC) • OA, OC – observation functions • Given  : s0, s1, …, - O(s0),O(s1), …, is observation of STS. • Obs(A) is the set of A observations. Definition: C refines A if Obs(C)  Obs(A)

Adaptation to Signal compilation

Choosing Observation process MUX = ( ? integer FB ! integer N ) ( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end OCFB: if rd.FBC then FBC else  OCN : if wr.NC then NC else  • OA = (FB,N) • OC = (OCFB,OCN) logical MUX_iterate() { rd.FBC=F; wr.NC=F; l0: h1C = TRUE; l1: h2C = ZNC <= 1; l2: if (h2C){ l2.1: read(FBC); rd>FBC=T; } l3: if (h2C) l3.1: NC = FBC; else l3.2: NC = ZNC - 1; l4: write(NC); wr.NC=T; l5: ZNC = NC; return TRUE; } logical MUX_iterate() { l0: h1C = TRUE; l1: h2C = ZNC <= 1; l2: if (h2C) l2.1: read(FBC); l3: if (h2C) l3.1: NC = FBC; else l3.2: NC = ZNC - 1; l4: write(NC); l5: ZNC = NC; return TRUE; }

FB :  N : ZN : 1 FB : 3 N : 3 ZN : 1 FB :  N : 2 ZN : 3 FB :  N : 1 ZN : 2 FB : 5 N : 5 ZN : 1 FB :  N : 4 ZN : 5 … FB : * N : * ZN : 1 h1 : * h2 : * pc : l0 FB : * N : * ZN : 1 h1 : t h2 : t pc : l2 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1 FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5 FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2 FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5 …

Composite STS • V : {FBC,NC,ZNC,h1C,h2C,rd.FBC,wr.NC} • Θ : ZNC = 1  pc = l0 • (h1’C=T) • (h2’C=(ZNC 1)) • (h2’C(N’C=FBC) • (h2’C(FB’C=FBC N’C=ZNC–1)) • (ZN’C=N’C) • (rd.FB’C=h2’C) • (wr.N’C=T) • OCFB: if rd.FBC then FBC else  • OCN : if wr.NC then NC else  • Compose the transition relations of the individual statements inside the loop’s body. • no nested loops C :

Composite STS • V : {FBC,NC,ZNC,h1C,h2C} • Θ : ZNC = 1  pc = l0 • (h1’C=T) • (h2’C=(ZNC 1)) • (h2’C(N’C=FBC) • (h2’C(FB’C=FBC N’C=ZNC–1)) • (ZN’C=N’C) • OCFB: if h2C then FBC else  • OCN : NC C :

Rule Ref. Establish by induction that, for every C:s0C,s1C,… there exists A:s0A,s1A,… such that sjA=(sjC) and their observations are equal. For an abstraction mapping VA = (VC) R1. ΘC VA = (VC) ΘA Initiation R2. VA = (VC)  C V’A = (V’C)  A Propagation R3. VA = (VC)  OA=OC Compatibility with observations C refines A

Construction of the Mapping  For vVA, v(Vc) – the value of v in sA related to sC. • For v  IO, v(Vc) = OCv(VC) • For each register flow m.r = rC ’m.r = r’C • For each Register or Local variable v’ = eqv  ’v = eqv(determinate programs) W1. ΘC  rR(m.r = rC)  vIORL(v = )  ΘA W2. rR(m.r = rC  m.r’ = r’C)  C  vIO( v’ = (OCv)’ )  vRL(v’ = eqv)  A

Theorem: If verification conditions W1 and W2 are valid, then C refines A.

FB =   N =   ZN =   m.ZN= 1 FB =   N =   ZN =  m.ZN = ZNC  FB’ = if h2’C then FB’ else   N’ = N’C  m.ZN’ = ZN’C  ZN’ = if N’   then m.ZN else  Example U1. ZNC = 1  m.ZN = ZNc   U2. C   A

m.ZN = ZNC  FB’ = if h2’C then FB’ else   N’ = N’C  m.ZN’ = ZN’C  ZN’ = if N’   then m.ZN else  m.ZN = ZNC  FB’ = if h2’C then FB’ else   N’ = N’C  m.ZN’ = ZN’C  ZN’ = ZNC Example U2. C   A U2. C   A

The End

Translation Validation

Translation Validation

Presentation Transcript

Validation

VALIDATION

Validation

Validation

Validation

VALIDATION

Validation

Translation Validation via Linear Recursion Schemes

Translation Validation for an Optimizing Compiler

Validation

VALIDATION

Validation

Validation and Validation Checks

Translation Translation

Validation

Translation Validation: From Simulink to C

Validation

Validation

Validation

Translation Validation of Compilers for Model-based Programming

Validation

Translation Validation for an Optimizing Compiler