Analyzing and Verifying Esterel Programs Taisook Han 2009-12-19, Division of Computer Science, KAIST.

Contents
- Introduction to Esterel
- Over-approximated CFGs (Control Flow Graphs)
- A Logical Semantics Separating Micro- and Macro-steps
- Summary of Execution Traces
- Conclusion
Taisook Han 2

Introduction to Esterel

Esterel
- Introduction
  - A synchronous programming language by Gérard Berry, 1983
  - Well suited to complex control-dominant reactive systems
  - Man-machine interfaces and supervision programs are typical examples
- Characteristics
  - Synchronous model of time
    - Time is divided into a sequence of discrete logical time units (instants)
    - Program executions are synchronized to an external clock
  - Imperative and concurrent language
  - An Esterel program can be compiled into both software (C, SystemC) and hardware (Verilog, VHDL)
Note: reactive systems are embedded systems that instantly react to environmental changes.

Synchronization & Preemption
- Synchronization is controlled by the pause statement
  - A pause statement marks the end of the current instant
  - All operations within an instant are performed simultaneously
  - Signal statuses are preserved only for an instant: signals are reset when a new instant starts
- Preemption between threads
  - Strong preemption (suspend statement): halt the remaining task immediately, and perform the preempted task
  - Weak preemption (trap & exit statements): after finishing the remaining task in the current instant, perform the preempted task

Kernel Language of Esterel

Statement                     Intuitive meaning
nothing                       Do nothing
pause                         Consume a clock tick (finish the current instant)
emit S                        Emit the signal S (change the status of S to present)
p ; q                         After finishing p, run q instantly
p || q                        Run p and q simultaneously
loop p end                    Repeat p forever
signal S in p end             Declare a new local signal S; it is valid only within p
present S then p else q end   Test the status of the signal S
suspend p when S              Suspend p while S is present
trap T in p end               Declare a new exception T; it is valid only within p
exit T                        Raise the exception T

Goals
- Synchronization and preemption in Esterel make it difficult
  - to represent the exact behavior
  - to analyze, verify, or detect errors
- To analyze an Esterel program, analyzers can
  - describe when and how synchronization occurs
  - represent implicit interferences between threads
  - specify and detect errors of Esterel programs
- We want to develop useful static analysis bases for Esterel

Over-approximated CFGs

Example

trap U in
  trap T in
    emit A; pause; exit T
  ||
    emit B; pause; exit U
  end trap;
  emit C
end trap

CFG of the example: nodes Start, trap U, trap T, ||, emit A, emit B, pause, exit T, exit U, end of ||, end of trap T, end of trap U, emit C, End. The edges leaving exit T and exit U lead to the end of the corresponding trap and are labeled with the trap name (T or U).

Schizophrenic Statement Detection Algorithm
- Schizophrenic emit statements: an emit statement that is executed more than once in an instant
- Figure: a loop whose body contains emit S; the emit statement lies in both the first surface and the last surface of the loop body

Example
CFG nodes of the example: loop_start, loop_end, parallel_start, parallel_end, test(I), pause, test(J), emit(X), pause, emit(O), test_end(I), test_end(J). The node emit(X) is marked as a schizophrenic emit statement.
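As an added example (my Python, not the slides' tool or notation; the tuple encoding of kernel Esterel and the node labels are assumptions of this example), the following builds the over-approximated CFG for Example 1 above and for a loop of the kind in the schizophrenic-emit example, then runs the surface check as graph reachability. For each loop it reports a pause-free path from loop start to loop end (a possibly instantaneous body) and every emit that lies both in the first surface (reachable from the loop start without crossing a pause) and in the last surface (reaching the loop end without crossing a pause); I read the slide's first-surface and last-surface labels that way. Because the edges carry no conditions, the output is a list of candidates to be confirmed by hand, as in the experiments table, not a verdict.

```python
from collections import defaultdict
# Kernel Esterel AST in tuple form (constructed here): ('nothing',) ('pause',) ('emit', S) ('exit', T)
# ('seq', p, q) ('par', p, q) ('loop', p) ('present', S, p, q) ('trap', T, p)

class CFG:
    """Over-approximated CFG: one node per program point, an edge for every syntactically
    possible transfer (both present and parallel branches, exit T -> end trap T, end loop -> loop)."""
    def __init__(self):
        self.label, self.loops = {}, []                  # node -> label; [(loop start, loop end)]
        self.succ, self.pred = defaultdict(list), defaultdict(list)
    def node(self, label):
        self.label[len(self.label)] = label
        return len(self.label) - 1
    def edge(self, u, v):
        self.succ[u].append(v)
        self.pred[v].append(u)

def build(cfg, stmt, entry, traps):
    """Add the nodes of `stmt` entered from `entry`; return its normal-exit node, or None when
    it never terminates normally. `traps` maps a trap name to its 'end trap' node."""
    k = stmt[0]
    if k == 'nothing':
        return entry
    if k in ('pause', 'emit', 'exit'):
        n = cfg.node('pause' if k == 'pause' else f'{k} {stmt[1]}')
        cfg.edge(entry, n)
        if k == 'exit':                                  # control jumps to the end of the trap
            cfg.edge(n, traps[stmt[1]])
            return None
        return n
    if k == 'seq':
        mid = build(cfg, stmt[1], entry, traps)
        return None if mid is None else build(cfg, stmt[2], mid, traps)
    if k in ('par', 'present'):
        name = '||' if k == 'par' else f'present {stmt[1]}'
        start, end = cfg.node(name), cfg.node('end ' + name)
        cfg.edge(entry, start)
        for branch in (stmt[1:] if k == 'par' else stmt[2:]):
            out = build(cfg, branch, start, traps)
            if out is not None:
                cfg.edge(out, end)
        return end
    if k == 'loop':
        start, end = cfg.node('loop'), cfg.node('end loop')
        cfg.edge(entry, start)
        cfg.loops.append((start, end))
        out = build(cfg, stmt[1], start, traps)
        if out is not None:
            cfg.edge(out, end)
            cfg.edge(end, start)                         # back edge: the body restarts instantly
        return None                                      # a loop terminates only through an exit
    if k == 'trap':
        end = cfg.node(f'end trap {stmt[1]}')
        out = build(cfg, stmt[2], entry, {**traps, stmt[1]: end})
        if out is not None:
            cfg.edge(out, end)
        return end

def build_program(prog):
    cfg = CFG()
    build(cfg, prog, cfg.node('start'), {})
    return cfg

def surface(cfg, origin, forward, stop=()):
    """Program points reachable from `origin` within one instant: never follow an edge that leaves
    a pause (backwards: never enter one). Nodes in `stop` are reported but not expanded."""
    seen, work = set(), [origin]
    while work:
        n = work.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in stop or (forward and cfg.label[n] == 'pause'):
            continue
        for v in (cfg.succ if forward else cfg.pred)[n]:
            if forward or cfg.label[v] != 'pause':
                work.append(v)
    return seen

def check_loops(cfg):
    """Per loop: flag a pause-free start-to-end path (possibly instantaneous body) and every emit in
    both the first surface and the last surface (candidate for executing twice in one instant)."""
    found = []
    for start, end in cfg.loops:
        first = surface(cfg, start, forward=True)
        last = surface(cfg, end, forward=False, stop={start})   # stays inside this loop's body
        if start in last:
            found.append(('instantaneous loop', cfg.label[start]))
        for n in sorted(first & last):
            if cfg.label[n].startswith('emit '):
                found.append(('schizophrenic emit', cfg.label[n]))
    return found

# Constructed programs: Example 1 from the slides, and a loop with a schizophrenic emit.
EXAMPLE1 = ('trap', 'U', ('seq', ('trap', 'T', ('par',
    ('seq', ('emit', 'A'), ('seq', ('pause',), ('exit', 'T'))),
    ('seq', ('emit', 'B'), ('seq', ('pause',), ('exit', 'U'))))), ('emit', 'C')))
LOOP_EXAMPLE = ('loop', ('seq', ('par', ('present', 'I', ('pause',), ('nothing',)),
                                  ('present', 'J', ('emit', 'X'), ('pause',))), ('emit', 'O')))
```

For LOOP_EXAMPLE the check returns the loop itself (the path with I absent and J present is pause-free) and both emit X and emit O as candidates; `('loop', ('seq', ('pause',), ('emit', 'X')))` yields nothing, because the emit sits after a pause and so is in the last surface only. For EXAMPLE1 the graph contains the edges exit T to end trap T and exit U to end trap U shown on the slide, and no loop, so no candidates.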

Experiments
Table columns: Programs | LOC | # of loops | Schizophrenic signal declarations: # of candidates, previous work, our result, manual check
Table rows (benchmark programs): atds, mca, mejia, tcint, ww, dlx, fbus, Total

A Logical Semantics Separating Micro- and Macro-steps

A Logical Semantics
- Separation of micro-steps and macro-steps
  - Moves: computations within an instant (micro-steps); apply all proper moves
  - Instant changes: computations across instants (macro-steps); ignore inconsistent configurations
- Formal specification and detection of errors
  - Postpone error declarations until instant changes
- We define execution processes using configurations and their transitions

Error Detection
- Attach location information to assumed or emitted signals
  - Where was the signal assumed or emitted?
  - Location information helps to detect errors
- Basic procedure of error detection
  - Micro-steps: mark the configurations that have errors
  - Macro-steps: check whether a marked configuration is consistent
- Target errors
  - Instantaneous loops
  - Schizophrenic signal declarations & schizophrenic parallel statements
  - Multiple emission of a single signal
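As an added example (my code, not the paper's semantics; the tuple encoding of kernel Esterel and the scheduling discipline are assumptions of this example), here is a small Python interpreter that separates micro-steps, the moves within one instant driven by generators, from macro-steps, the instant changes at which signal statuses are reset and the errors marked during the instant are declared. It follows the synchronous rules from the introduction: pause ends the instant, a present test blocks until the signal's status is known and the signal is declared absent once no thread can still emit it (a simplification of the logical semantics that takes the absent solution when tests block each other), and exit inside a parallel is weak preemption with the outermost trap winning. It flags two of the target errors, instantaneous loops and multiple emission of one signal, and runs Example 1 from the CFG section.

```python
from types import SimpleNamespace
# Kernel Esterel AST in tuple form (constructed here): ('nothing',) ('pause',) ('emit', S) ('exit', T)
# ('seq', p, q) ('par', p, q) ('loop', p) ('present', S, p, q) ('trap', T, p)
PAUSE = 'pause'

class Exit(Exception):
    """args == (nesting level of the trap, trap name); the outermost trap (lowest level) wins."""

def known(m, s):                              # has the status of s been decided in this instant?
    return s in m.present or s in m.absent

def exec_stmt(stmt, m, traps):
    """Micro-steps of one statement: yields PAUSE at an instant end, ('wait', {S}) when blocked
    on a signal S of unknown status, and returns when the statement terminates."""
    k = stmt[0]
    if k == 'pause':
        yield PAUSE
    elif k == 'emit':
        m.present.add(stmt[1])
        m.emits[stmt[1]] = m.emits.get(stmt[1], 0) + 1
    elif k == 'seq':
        yield from exec_stmt(stmt[1], m, traps)
        yield from exec_stmt(stmt[2], m, traps)
    elif k == 'par':
        yield from exec_par(stmt[1:], m, traps)
    elif k == 'loop':
        while True:
            started = m.tick
            yield from exec_stmt(stmt[1], m, traps)
            if m.tick == started:                 # body terminated in the instant it started
                m.errors.append((m.tick, 'instantaneous loop'))
                return
    elif k == 'present':
        while not known(m, stmt[1]):              # block until the status is decided
            yield ('wait', {stmt[1]})
        yield from exec_stmt(stmt[2] if stmt[1] in m.present else stmt[3], m, traps)
    elif k == 'trap':
        try:
            yield from exec_stmt(stmt[2], m, {**traps, stmt[1]: len(traps)})
        except Exit as e:
            if e.args[1] != stmt[1]:              # not ours: propagate to the enclosing trap
                raise
    elif k == 'exit':
        raise Exit(traps[stmt[1]], stmt[1])

def exec_par(branches, m, traps):
    """Interleave the branches' micro-steps. An exit in one branch preempts weakly: the others
    finish the current instant, then the outermost exit propagates and the rest are killed."""
    gens = [exec_stmt(b, m, traps) for b in branches]
    state = [None] * len(gens)                # None = runnable, PAUSE, 'done', or set of awaited signals
    pending = None
    while True:
        progressed = False
        for i, g in enumerate(gens):
            st = state[i]
            if st in (PAUSE, 'done') or (isinstance(st, set) and not any(known(m, s) for s in st)):
                continue
            try:
                r = next(g)
            except StopIteration:
                r = 'done'
            except Exit as e:
                r, pending = 'done', (e if pending is None or e.args < pending.args else pending)
            state[i], progressed = (r if r in (PAUSE, 'done') else r[1]), True
        if all(st in (PAUSE, 'done') for st in state):
            if pending is not None:
                for g in gens:
                    g.close()
                raise pending
            if all(st == 'done' for st in state):
                return
            yield PAUSE
            state = ['done' if st == 'done' else None for st in state]
        elif not progressed:                      # every branch is blocked: defer to the scheduler
            yield ('wait', set().union(*(st for st in state if isinstance(st, set))))

def run(prog, inputs):
    """One macro-step per entry of `inputs` (the input signals present in that instant).
    Returns the emitted signals per instant and the errors declared at instant changes."""
    m, outputs, alive = SimpleNamespace(errors=[]), [], True
    g = exec_stmt(prog, m, {})
    for tick, ins in enumerate(inputs):
        m.tick, m.present, m.absent, m.emits = tick, set(ins), set(), {}   # statuses reset each instant
        try:
            r = next(g)
            while r != PAUSE:                     # apply moves until the instant is over
                m.absent |= r[1]                  # no thread can still emit these: declare absent (simplification)
                r = next(g)
        except StopIteration:
            alive = False
        for s, n in m.emits.items():              # error declarations are postponed to the instant change
            if n > 1:
                m.errors.append((tick, f'signal {s} emitted {n} times'))
        outputs.append(sorted(m.emits))
        if not alive:
            break
    return outputs, m.errors

# Constructed test programs; the first one is Example 1 from the slides.
EXAMPLE1 = ('trap', 'U', ('seq', ('trap', 'T', ('par',
    ('seq', ('emit', 'A'), ('seq', ('pause',), ('exit', 'T'))),
    ('seq', ('emit', 'B'), ('seq', ('pause',), ('exit', 'U'))))), ('emit', 'C')))
DOUBLE_EMIT = ('loop', ('seq', ('par', ('present', 'I', ('emit', 'O'), ('nothing',)),
                                 ('present', 'J', ('emit', 'O'), ('nothing',))), ('pause',)))
INSTANT_LOOP = ('loop', ('present', 'I', ('pause',), ('nothing',)))
```

`run(EXAMPLE1, [set(), set()])` gives `([['A', 'B'], []], [])`: both branches emit in instant 0, and in instant 1 exit U wins over exit T, so emit C never runs. `run(DOUBLE_EMIT, [{'I', 'J'}, {'I'}, set()])` emits O in the first two instants and declares `(0, 'signal O emitted 2 times')` at the end of instant 0; `run(INSTANT_LOOP, [{'I'}, set()])` declares `(1, 'instantaneous loop')` once I is absent and the body terminates in the instant it restarted.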

Summary of Execution Traces

Goal: Summary of Execution Traces
- We want a new representation that covers all possible execution scenarios of a given Esterel program.
- We call this representation the behavior of a program.
- We summarize execution traces of pure Esterel programs based on abstract interpretation.

Safety Property Verification Using an Observer
- Diagram: Safety Property, translated by SpecToObs into an Observer; Program || Observer is fed to a Model Checker (XEVE)
- Observer: a program that generates a warning signal when the target program does not satisfy the given safety property

Safety Property Verification Using Behavior
- Diagram: Safety Property, translated by SpecToObs into an Observer; Program || Observer is summarized into a Behavior (time, signals, status), which is fed to a Checker

CFG & Atomic Terms
- Esterel semantics is composed of control flows and data flows.
- We use a CFG to denote the control flow and define a CFG-based denotational semantics.
- Since data flows are influenced by time progress and changes of signal status, we preserve such meanings as atomic terms.
- Each edge represents a control flow between program points and is labeled by an atomic term.
- Each node represents the program point reached after executing the atomic term on the incoming edge.

Example

module Ex1:
  loop
    pause;
    emit a;
    pause;
  end loop
end module

More Examples

module Ex3:
  input s;
  output a, b, c;
  emit a;
  loop
    present s then
      emit b; pause;
    else
      pause; emit c;
    end present;
  end loop
end module

Figure: traces after the second iteration.

Trace vs. Behavior

Concrete States vs. Abstract States
- Concrete State (CStates)
- Abstract State (AStates): an abstract state at a program point is composed of
  - the time at the point
  - the behavior summarized up to the point until that time
  - the execution condition, if the point is in a conditional branch

Observation (Symbolic Tick)
- The instant in which a statement runs may not be unique, because a program can reach a statement through many different paths.
- We need a new time unit that summarizes several instants.

Symbolic Tick Domain


Widening Operator
- The widening operator captures the repeated actions in a single loop (figure: a time line on which the repeated actions are marked).

Example (Widening)

Example: a Small Bus Arbiter
- A bus arbiter of 3 cells

Cell Module (a Small Bus Arbiter)

Evaluation
- We summarize program traces in a general form so that programmers can easily determine program validity without execution and debugging.
- The behavior of the cell program (figure)

Evaluation (Arbiter)
- Analysis results as the arbiter grows
- Safety property: there is at least one response in case of any request.
- The size of the observers is proportional to the number of cells.

Conclusion

Summary
- Over-approximated CFGs
  - Do not use any additional data structure or handlers
  - Show program structures as they are
  - Our CFGs are suited to analyzing programs via graph reachability
- A new logical semantics separating micro-steps (moves) and macro-steps (instant changes)
  - We specify some well-known errors of Esterel programs: instantaneous loops, schizophrenia (signal, parallel), multiple emission
- A new representation of Esterel programs: "behavior"
  - We design new domains and a CFG-based denotational semantics for the sake of path-sensitive analysis.
  - We devise widening operators that condense regularly repeated actions

Conclusion
- Our CFGs
  - Approximated edges allow us to represent all possible execution paths, including implicit control flows
  - Simple construction and structure make it easy to apply graph-based program analyses
- Our semantics
  - Separating micro- and macro-steps helps to specify precise behaviors of Esterel programs and to detect well-known errors
  - The presented CFGs and semantics can be a good framework for analyzing Esterel programs
- Our representation
  - New domains and operators summarize execution traces of pure Esterel programs based on abstract interpretation

Q or C? Thanks!