1 Translation Validation: From Simulink to C. Michael Ryabtsev, Ofer Strichman, Technion, Haifa, Israel. Acknowledgement: sponsored by a grant from General.

Presentation transcript:

1 Translation Validation: From Simulink to C
Michael Ryabtsev, Ofer Strichman
Technion, Haifa, Israel
Acknowledgement: sponsored by a grant from General Motors

2 Simulink
- Simulink is MathWorks' package for model-based design.
- A de-facto industry standard for the design of control software
  - Automotive industry
  - Avionics
  - Medical devices ...
- Automatic embedded code generation with Real-Time Workshop
  - Multiple embedded targets
  - Multiple optimization options

3 Simulink block diagram (figure: inputs, outputs, states)

4 Automatic code generation

    void example_model_initialize(void) {
        UnitDelay_DSTATE = UnitDelay_X0;
    }

    void example_model_step(void) {
        double rtb_UnitDelay;
        if (Control >= Switch_Threshold) {
            rtb_UnitDelay = Constant_Value;
        } else {
            rtb_UnitDelay = In2;
        }
        UnitDelay_DSTATE += rtb_UnitDelay;
        rtb_UnitDelay = UnitDelay_DSTATE;
        Out1 = rtb_UnitDelay;
    }

- Translation Validation: prove that the model is implemented correctly.

5 Translation Validation (figure: source program, target program, mapping of inputs, outputs and state, translation validation engine)
- Technique for formally establishing the semantic equivalence of a source and a target of a code generator.

6 Previous work on translation validation
- From synchronous languages:
  - DC+ → C: Pnueli, Siegel and Singerman (1998), "Translation Validation"; Pnueli, Strichman and Siegel (1998), "Translation Validation: From DC+ to C"
  - Scade-Lustre → C
- C to binary:
  - An optimizing C compiler: Zuck, Pnueli, Fang and B. Goldberg, "VOC: A Methodology for the Translation Validation of Optimizing Compilers..."
  - gcc optimizations: Necula, "Translation Validation for an Optimizing Compiler"

7 Translation validation vs. verifying the code generator
Translation validation:
- Applied separately to each translation
- For synchronous languages (in practice) decidable
- Sensitive to changes in the target code format
Verifying the code generator:
- Applied once
- In general undecidable
- Sensitive to changes in the compiler, which freezes the development

8 Simulink Code Generation Example
- Synchronous system computations can be represented symbolically with an initial-state predicate and a transition function.

    void example_model_initialize(void) {
        UnitDelay_state = UnitDelay_X0;
    }

    void example_model_step(void) {
        double local_UnitDelay;
        if (Control >= Switch_Threshold) {
            local_UnitDelay = Constant;
        } else {
            local_UnitDelay = In2;
        }
        UnitDelay_state += local_UnitDelay;
        local_UnitDelay = UnitDelay_state;
        Out1 = local_UnitDelay;
    }
    /* UnitDelay_X0 = 0 */
    /* Switch_Threshold = 0 */
    /* Constant = 0 */

9 Verification Condition
- Need to prove: equal input stream → equal output stream.
- The proof is based on induction.

10 Definitions
- For a transition system M:
  - init(M): initial-state predicate over M's state variables
  - TR(M): transition relation over M's inputs, outputs, current and next state variables
  - var(M): the variables defining M
    - state(M): set of state variables
    - inp(M): set of input variables
    - out(M): set of output variables
- For transition systems S and T with disjoint variables, map: var(S) → var(T) maps their inputs, outputs and state variables.

11 The Verification Condition
1. The initial states of the target are legitimate initial states in the source.
2. Equality between source and target outputs is propagated through the program computation: equal inputs and equal state imply equal next state and equal outputs.

12 Source transition relation (Yices format)

    (and (= m_Constant' 0)
         (= m_Sum' (+ m_Switch' m_Unit_Delay'))
         (= m_Switch' (if (>= m_Control' 0) m_Constant' m_In2'))
         (= m_Unit_Delay_state' m_Sum')
         (= m_Unit_Delay' m_Unit_Delay_state)
         (= m_Out1' m_Sum'))

13 Invariants
- Variables in synchronous systems are volatile
- In C, global variables preserve their values between steps

Simulink side:

    if (cond) mode = 1; else { mode = 0; }

C side:

    if (cond && mode == 0) mode = 1;
    if (!cond && mode == 1) mode = 0;

- The unreachable executions are eliminated by the invariant mode == 0 ∨ mode == 1.

14 Uninterpreted functions
- In some cases we abstract arithmetical functions with uninterpreted functions.
- Example: (figure not in transcript)

15 Uninterpreted functions
- Uninterpreted functions can be too abstract
- We occasionally use partially interpreted functions
- Example: consider a transformation such as a × b → b × a
  - Enforce commutativity:

16 Implementation
- Source side: the Matlab script language
- Target side: CTool, CPP, C++
- Verification: Yices

17 Experiments
- "rtwdemo_fuelsys": a fuel injection controller that is distributed with Matlab.
  - ~100 blocks
  - The generated step function has ~250 LOC
  - The generated verification condition: 790 lines in Yices format
  - Solving time: sec.
  - When injecting errors, solving time is ~10 sec.

18 Well, thank you

Simulink Step Semantics

20 Target transition relation (Yices format / Static Single Assignment)

    void example_model_step(void) {
        double local_UnitDelay;
        if (Control >= Switch_Threshold) {
            local_UnitDelay = Constant_Value;
        } else {
            local_UnitDelay = In2;
        }
        UnitDelay_state += local_UnitDelay;
        local_UnitDelay = UnitDelay_state;
        Out1 = local_UnitDelay;
    }

    (and (= Switch_Threshold__0 0)
         (= UnitDelay_X0__0 0)
         (= Constant_Value__0 0)
         (= local_UnitDelay__1 (if (/= 0 (if (>= Control__0 Switch_Threshold__0) 1 0)) Constant_Value__0 local_UnitDelay__0))
         (= local_UnitDelay__2 (if (not (/= 0 (if (>= Control__0 Switch_Threshold__0) 1 0))) In2__0 local_UnitDelay__1))
         (= UnitDelay_state__1 (+ UnitDelay_state__0 local_UnitDelay__2))
         (= local_UnitDelay__3 UnitDelay_state__1)
         (= Out1__1 local_UnitDelay__3))

21 Induction Step Example

    void example_model_step(void) {
        double local_UnitDelay;
        if (Control >= Switch_Threshold) {
            local_UnitDelay = Constant_Value;
        } else {
            local_UnitDelay = In2;
        }
        UnitDelay_state += local_UnitDelay;
        local_UnitDelay = UnitDelay_state;
        Out1 = local_UnitDelay;
    }

Equal inputs:

    (= m_Control' Control__0)
    (= m_In2' In2__0)

Equal state:

    (= m_Unit_Delay_state UnitDelay_state__0)

Equal next state:

    (= m_Unit_Delay_state' UnitDelay_state__1)

Equal outputs:

    (= m_Out1' Out1__1)

22 Tool: Translation Validation for Simulink (TVS)
- Applies translation validation to the Real-Time Workshop code generator.
- Fully automated
- Supports a large subset of the Simulink library
- Easily extendable

23 TVS structure (diagram)
- Simulink model (model.mdl) → Model Transition Relation generator (Matlab script) → Model Transition Relation
- Simulink model → Real-Time Workshop code generator → C program → C Transition Relation generator → C Transition Relation and C variables list (SSA numeration)
- Model Transition Relation, C Transition Relation and Variable Mapping → Verification Condition Generator → Decision Procedure (Yices) → Equivalent / Not Equivalent

24 Source transition relation
- Iterate over all model blocks
- For each block create a transition relation
- Blocks located in an enabled subsystem get special treatment
  - States when enabling
  - Outputs when enabling
  - Mapping

25 Target transition relation and SSA
- Static Single Assignment

C code:

    if (v) a = b; else a = c;
    d = a;

SSA form:

    if (v0) a0 = b0; else a1 = c0;
    a2 = v0 ? a0 : a1;
    d1 = a2;

Transition relation:

    a0 = b0
    a1 = c0
    (v0 != 0) → a2 = a0
    (v0 == 0) → a2 = a1
    d1 = a2

C code:

    a = b;
    b = b + 1;
    c = b;

SSA form / transition relation:

    a0 = b0
    b1 = b0 + 1
    c0 = b1
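The SSA-based translation of slide 25 and the SSA-numbered target relation of slides 20 and 21, as an added example that is not part of the original presentation or of TVS: a small Python generator for a C subset of assignments and if/else that emits Yices-style equations and the final SSA names the variable mapping refers to. The tuple encoding of statements and the version numbering (version 0 is the value at the start of the step, each assignment gets the next free number, joins get a fresh version) are my own choices and differ slightly from the slides' numbering.

```python
import re
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

def rename(expr, ver):
    """Rewrite each identifier in a Yices-style s-expression to its current SSA name."""
    return IDENT.sub(lambda m: f"{m.group(0)}__{ver.get(m.group(0), 0)}", expr)

def fresh(var, ver, nxt):
    """Give var a new SSA version; version 0 is its value at the start of the step."""
    ver[var] = nxt.get(var, 1)
    nxt[var] = ver[var] + 1
    return f"{var}__{ver[var]}"

def ssa(stmts, ver, nxt, eqs):
    """Thread ver (current version per variable) and nxt (next unused version)
    through the statements, appending one equation per assignment or join."""
    for s in stmts:
        if s[0] == "assign":                       # ("assign", var, expr)
            rhs = rename(s[2], ver)                # rename before bumping the version
            eqs.append(f"(= {fresh(s[1], ver, nxt)} {rhs})")
        else:                                      # ("if", cond, then_stmts, else_stmts)
            cond = rename(s[1], ver)
            tv, ev = dict(ver), dict(ver)
            ssa(s[2], tv, nxt, eqs)
            ssa(s[3], ev, nxt, eqs)
            for var in sorted(set(tv) | set(ev)):  # phi node per variable the branches disagree on
                t, e = tv.get(var, 0), ev.get(var, 0)
                if t != e:
                    eqs.append(f"(= {fresh(var, ver, nxt)} (if {cond} {var}__{t} {var}__{e}))")

def transition_relation(stmts):
    """One step's SSA-numbered transition relation as a Yices 'and', plus the
    final version of every assigned variable (what the variable mapping refers to)."""
    ver, nxt, eqs = {}, {}, []
    ssa(stmts, ver, nxt, eqs)
    return "(and " + " ".join(eqs) + ")", ver

def mapping_equalities(ver, pairs):
    """Tie source (model) variables to the target's final SSA names, as on slide 21."""
    return [f"(= {src} {tgt}__{ver.get(tgt, 0)})" for src, tgt in pairs]

# example_model_step from slide 20, transcribed by hand into statement tuples
STEP = [
    ("if", "(>= Control Switch_Threshold)",
     [("assign", "local_UnitDelay", "Constant_Value")], [("assign", "local_UnitDelay", "In2")]),
    ("assign", "UnitDelay_state", "(+ UnitDelay_state local_UnitDelay)"),
    ("assign", "local_UnitDelay", "UnitDelay_state"),
    ("assign", "Out1", "local_UnitDelay"),
]
```

Calling `transition_relation(STEP)` yields the conjunction for the step function, and `mapping_equalities(ver, [("m_Out1'", "Out1"), ("m_Unit_Delay_state'", "UnitDelay_state")])` yields the "equal outputs" and "equal next state" conjuncts of the induction step.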