Analyzing and Verifying Esterel Programs
Taisook Han, Division of Computer Science, KAIST
Contents
- Introduction to Esterel
- Over-approximated CFGs (Control Flow Graphs)
- A Logical Semantics with Separating Micro- and Macro-steps
- Summary of Execution Traces
- Conclusion
Introduction to Esterel
Esterel Introduction
- A synchronous programming language by Gérard Berry, 1983
- Well suited to complex control-dominant reactive systems; man-machine interfaces or supervision programs are typical examples
  (reactive systems are embedded systems that instantly react to environmental changes)
Characteristics
- Synchronous model of time: time is divided into a sequence of discrete logical time units (instants), and program executions are synchronized to an external clock
- Imperative and concurrent language
- An Esterel program can be compiled into both software (C, SystemC) and hardware (Verilog, VHDL)
Synchronization & Preemption
- Synchronization can be controlled by the pause statement
  - A pause statement indicates the end of the current instant
  - All operations within an instant are performed simultaneously
  - Signals are reset when a new instant starts (signal statuses are preserved only for an instant)
- Preemption between threads
  - Strong preemption (suspend statement): halt the remaining task immediately, and perform the preempted task
  - Weak preemption (trap & exit statements): after finishing the remaining task in the current instant, perform the preempted task
Kernel Language of Esterel
Statement                      Intuitive meaning
nothing                        Do nothing
pause                          Consume a clock tick (finish the current instant)
emit S                         Emit a signal S (change the status of S to present)
p ; q                          After finishing p, run q instantly
p || q                         Run both p and q simultaneously
loop p end                     Repeat p infinitely
signal S in p end              Declare a new local signal S; it is valid only within p
present S then p else q end    Test the status of the signal S
suspend p when S               Suspend p while S is present
trap T in p end                Declare a new exception T; it is valid only within p
exit T                         Raise exception T
Goals
- Synchronization and preemption in Esterel make it difficult
  - to represent the exact behavior
  - to analyze, verify, or detect errors
- To analyze an Esterel program, analyzers can
  - describe when and how synchronization occurs
  - represent implicit interferences between threads
  - specify and detect errors of Esterel programs
- We want to develop useful bases for static analysis of Esterel
Over-approximated CFGs
Example 1
    trap U in
      trap T in
        emit A; pause; exit T
      ||
        emit B; pause; exit U
      end trap;
      emit C
    end trap
[CFG figure: nodes Start, trap U, trap T, ||, emit A, emit B, pause, exit T, exit U, end of ||, end of trap T, end of trap U, emit C, End; edges leaving the exit statements are labeled with the trap names U and T]
Schizophrenic Statement Detection Algorithm
Schizophrenic emit statements: an emit statement is executed more than once in an instant.
[Figure: loop ... end loop containing emit S; the loop entry is marked First-surface and the point after its last pause is marked Last-surface]
Example
[CFG figure: nodes loop_start, loop_end, parallel_start, parallel_end, test(I), pause, test(J), emit(X), pause, emit(O), test_end(I), test_end(J); one emit node is marked as the schizophrenic emit statement]
Experiments
[Table: columns Programs, LOC, # of loops, and Schizophrenic signal declarations (# of candidates, Previous work, Our result, Manual check); rows atds, mca, mejia, tcint, ww, dlx, fbus, Total; the cell values are not recoverable from the slide]
A Logical Semantics with Separating Micro- and Macro-steps
A Logical Semantics
- Separation of micro-steps and macro-steps
  - Moves: computations within an instant (micro-steps)
  - Instant changes: computations across instants (macro-steps)
- Formal specification and detection of errors: postpone error declarations until instant changes
- We define execution processes using configurations and their transitions
  - Apply all proper moves
  - Ignore inconsistent configurations
Error Detection
- Attach location information to assumed or emitted signals: where is the signal assumed or emitted?
- Location information helps to detect errors
- Basic procedure of error detection
  - Micro-steps: mark the configurations having errors
  - Macro-steps: check whether the marked configuration is consistent
- Target errors
  - Instantaneous loops
  - Schizophrenic signal declarations & schizophrenic parallel statements
  - Multiple emission of a single signal
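Added example, not code from the talk or from any Esterel tool: a Python micro-step interpreter for the kernel statements listed above, in which one react call performs an instant's moves (micro-steps) and run performs the instant changes (macro-steps), raising an error for an instantaneous loop, reporting an emit statement executed more than once in one instant (a schizophrenic emit), and reproducing Example 1, where the outer exit U wins over exit T so emit C never runs. Assumptions: present reads input signals only (no causality analysis), signal and suspend are not implemented, and each emit carries a user-chosen label that identifies the statement.

```python
# Programs are nested tuples: ('nothing',) ('pause',) ('emit', S, label) ('seq', p, q)
# ('par', p, q) ('loop', p) ('present', S, then, else) ('trap', T, p) ('exit', T).
# Completion codes (Berry): 0 terminated, 1 paused, k+2 exit of the trap k levels out.
NOTHING = ('nothing',)

def react(stmt, inputs, emitted, counts, traps=()):
    """One instant (micro-steps) of stmt: returns (completion code, residual for next instant)."""
    kind = stmt[0]
    if kind in ('nothing', 'pause'):
        return int(kind == 'pause'), NOTHING  # pause: code 1; control resumes after it next instant
    if kind == 'emit':
        emitted.add(stmt[1])
        counts[stmt[2]] = counts.get(stmt[2], 0) + 1  # how often this emit ran this instant
        return 0, NOTHING
    if kind == 'seq':
        c, r = react(stmt[1], inputs, emitted, counts, traps)
        if c == 0:
            return react(stmt[2], inputs, emitted, counts, traps)
        return c, ('seq', r, stmt[2])
    if kind == 'par':
        c1, r1 = react(stmt[1], inputs, emitted, counts, traps)
        c2, r2 = react(stmt[2], inputs, emitted, counts, traps)
        return max(c1, c2), ('par', r1 if c1 == 1 else NOTHING, r2 if c2 == 1 else NOTHING)
    if kind == 'loop':
        c, r = react(stmt[1], inputs, emitted, counts, traps)
        if c == 0:  # body terminated: restart it within the same instant
            c, r = react(stmt[1], inputs, emitted, counts, traps)
            if c == 0:
                raise RuntimeError('instantaneous loop: %r' % (stmt,))
        return c, ('seq', r, stmt) if c == 1 else NOTHING
    if kind == 'present':  # assumption: only input signals are tested
        return react(stmt[2] if stmt[1] in inputs else stmt[3], inputs, emitted, counts, traps)
    if kind == 'trap':
        c, r = react(stmt[2], inputs, emitted, counts, traps + (stmt[1],))
        if c == 1:
            return 1, ('trap', stmt[1], r)
        return (c - 1 if c > 2 else 0), NOTHING  # 2: caught here; >2: an enclosing trap
    depth = len(traps) - 1 - max(i for i, t in enumerate(traps) if t == stmt[1])  # 'exit'
    return 2 + depth, NOTHING

def run(program, input_sequence):  # macro-steps: one instant per set of input signals
    out, stmt = [], program
    for inputs in input_sequence:
        emitted, counts = set(), {}
        code, stmt = react(stmt, set(inputs), emitted, counts)
        out.append((frozenset(emitted), sorted(k for k, n in counts.items() if n > 1)))
        if code != 1:  # terminated (or exited at top level): no further instants
            break
    return out
```

Each entry of the returned list is (signals emitted in that instant, labels of emit statements executed more than once in it), so a non-empty second component flags a schizophrenic emit.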
Summary of Execution Traces
Goal: Summary of Execution Traces
We want a new representation that captures all possible execution scenarios of a given Esterel program. We call this representation the behavior of a program.
We summarize execution traces of pure Esterel programs based on abstract interpretation.
Safety property verification using an observer
[Figure: a safety property is turned into an observer by SpecToObs; Program ∥ Observer forms the model checked by the model checker XEVE]
Observer: a program that generates a warning signal when the target program does not satisfy the given safety property.
Safety property verification using behavior
[Figure: a safety property is turned into an observer by SpecToObs; Program ∥ Observer is checked by a checker over the behavior, a table of signal statuses over time]
CFG & Atomic terms
- Esterel semantics is composed of control-flows and data-flows.
- We use a CFG to denote the control-flow and define a CFG-based denotational semantics.
- Since data-flows are influenced by time progress and changes of signal status, we preserve such meanings as atomic terms.
- Each edge represents a control-flow between program points and is labeled by an atomic term.
- Each node represents the program point reached after executing the atomic term on the incoming edge.
Example
    module Ex1:
      loop
        pause;
        emit a;
        pause;
      end loop
    end module
More Example
    module Ex3:
      input s;
      output a, b, c;
      emit a;
      loop
        present s then
          emit b; pause;
        else
          pause; emit c;
        end present;
      end loop
    end module
[Figure: traces after the second iteration]
Trace vs. Behavior
Concrete States vs. Abstract States
- Concrete states (CStates)
- Abstract states (AStates): an abstract state at a program point is composed of
  - the time at the point
  - the behavior summarized up to the point until that time
  - the execution condition, if the point is in a conditional branch
Observation (Symbolic Tick)
- The instant at which a statement runs may not be unique, because a program can reach a certain statement through many different paths.
- We need a new time unit to summarize several instants.
Symbolic Tick Domain
Widening Operator
The widening operator captures the repeated actions in a single loop.
[Figure: a timeline of repeated actions marked with *]
Example (Widening)
Example: a small bus arbiter
A bus arbiter of 3 cells
Cell module (a small bus arbiter)
Evaluation
We summarize program traces in a general form so that programmers can easily figure out program validity without execution and debugging.
[Figure: the behavior of the cell program]
Evaluation (Arbiter)
[Figure: analysis results for arbiter growth]
Safety property: there is at least one response in case of any request.
The size of the observers is proportional to the number of cells.
Conclusion
Summary
- Over-approximated CFGs
  - Do not use any additional data structure or handlers
  - Show program structures as they are
  - Our CFGs are suitable for analyzing programs via graph reachability
- A new logical semantics separating micro-steps (moves) and macro-steps (instant changes)
  - We specify some well-known errors of Esterel programs: instantaneous loops, schizophrenia (signal, parallel), multiple emission
- A new representation of Esterel programs: "behavior"
  - We design new domains and a CFG-based denotational semantics for the sake of path-sensitive analysis.
  - We devise widening operators that condense regularly repeated actions.
Conclusion
- Our CFGs
  - Approximated edges allow us to represent all possible execution paths, including implicit control flows
  - Simple construction and structure make it easy to apply graph-based program analyses
- Our semantics
  - Separating micro- and macro-steps helps to specify precise behaviors of Esterel programs and to detect well-known errors
  - The presented CFGs and semantics can be a good framework for analyzing Esterel programs
- Our representation
  - New domains and operators summarize execution traces of pure Esterel programs based on abstract interpretation
Q or C
Thanks!