Translation Validation A.PnueliM.SiegelE.Singerman

Motivation Prove that high level specification is correctly implemented in low level code. –Verifying compiler is not feasible. –Development freezing. Solution: Translation Validation

Translation Validation After each compiler run verify that the target code produced on this run correctly implements the source code.

A common semantic framework. Notion of “correct implementation”. A proof method. Automation of the proof method. Necessary Ingredients

Example process DEC = ( ? integer FB ! integer N ) ( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end logical DEC_iterate() { l0:h1 C = TRUE; l1:h2 C = ZN C <= 1; l2:if (h2 C ) l2.1: read(FB C ); l3:if (h2 C ) l3.1: N C = FB C ; else l3.2: N C = ZN C - 1; l4:write(N C ); l5:ZN C = N C ; return TRUE; }

FB : 3 N : 3 ZN : 1 FB :  N : 2 ZN : 3 FB :  N : 1 ZN : 2 FB : 5 N : 5 ZN : 1 FB :  N : 4 ZN : 5 … FB : * N : * ZN : 1 h1 : * h2 : * pc : l0 FB : * N : * ZN : 1 h1 : t h2 : t pc : l2 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1 FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5 FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0 … FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2 FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5 FB :  N :  ZN : 1 …

Common Semantic Framework Synchronous Transition System S = (V,O,Θ, ρ) –V a set of state variables –O  V a set of observable variables –Θ an initial condition characterizing the initial states of the system –ρ a transition relation, relating a state to its possible successors

process DEC = ( ? integer FB ! integer N ) ( | N := FB default (ZN-1) | ZN := N $ 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end V = {FB,N,ZN,m.ZN} Θ = (FB =   N =   ZN =   m.ZN = 1) N’ = if FB’   then FB’ else ZN’ -1  m.ZN’ = if N’   then N’ else m.ZN  ZN’ = if N’   then m.ZN else   ZN’  1  FB’     =

logical DEC_iterate() { l0:h1 = TRUE; l1:h2 = ZN <= 1; l2:if (h2) l2.1: read(FB); l3:if (h2) l3.1: N = FB; else l3.2: N = ZN - 1; l4:write(N); l5:ZN = N; return TRUE; } V = {FB C,N C,ZN C,h1 C,h2 C } Θ = (ZN C = 1  pc = l 0 ) (pc=l 0  h1 ’ C =T  pc ’ =l 1  pres_but(pc.h1 c ))  (pc=l 1  h2’ C =(ZN C  1)  pc’=l 2  pres_but(pc,h2 C ))  (pc=l 2  h2 C  pc’=l 2.1  pres_but(pc))  (pc=l 2   h2 C  pc’=l 3  pres_but(pc))  (pc=l 2.1  pc’=l 3  pres_but(pc,FB C ))  (pc=l 3  h2 C  pc’=l 3.1  pres_but(pc))  (pc=l 3   h2 C  pc’=l 3.2  pres_but(pc))  (pc=l 3.1  N’ C =FB C  pc’=l 4  pres_but(pc,N C ))  (pc=l 3.2  N’ C =ZN C –1  pc’=l 4  pres_but(pc,N C ))  (pc=l 4  pc’=l 5  pres_but(pc))  (pc=l 5  ZN’ C =N C  pc’=l 0  pres_but(pc,ZN C )) C=C=

Let A = (V,O,Θ, ρ) s[v] – a value state s assigns to each variable v  V. σ: s 0,s 1 … - A computation s 0 |= Θ (s i,s i+1 ) |= ρ  i  N ||A|| - the set of computations of A. STS computation

A = (V A,O A,Θ A, ρ A ) C = (V C,O C,Θ C, ρ C ) Clocked interface mapping: I:  C   O A  x  O A, s  C. I(s)[x]=s[x] or I(s)[x]=  Definition: C refines A if there exists a clocked interface mapping I from C to A such that I(||C||)  ||A|| O. Defining Refinement OAOCOAOC

Proving Refinement Clocked refinement mapping from C to A: f:  C   A  x  O A, s  C. f(s)[x]=s[x] or f(s)[x]=  Theorem: C refines A if there exists a clocked refinement mapping f:  C   A such that  s  C. s|= Θ C  f(s) |= Θ A  s,s’  C r. (s,s’)|= ρ C  (f(s),f(s’))|= ρ A Such f called inductive.

Proof Rule  : V A   (V C )s A  ā(s C ) For  - state formula over V A : ā(s C )|=  iff s C |=  [  ] For assertion inv and substitution  : V A  E(V C ) R1. Θ C  invinv holds initially R2. inv  ρ C  inv`inv is propagated R3. Θ C  Θ A [  ]Initiation R4. inv  ρ C  ρ A [  ]Propagation R5. inv  (v[  ] = v  v[  ] =  )  v  O A C refines A

Translation Validation: from Signal to C A.PnueliO.ShtrichmanM.Siegel

Observation Functions and Correct Implementation A = (V A,Θ A,  A,O A )C = (V C,Θ C,  C,O C ) O A, O C – observation functions Given  : s 0, s 1, …, - O(s 0 ),O(s 1 ), …, is observation of STS. Obs(A) is the set of A observations. Definition: C refines A if Obs(C)  Obs(A)

Adaptation to Signal compilation

process MUX = ( ? integer FB ! integer N ) ( | N := FB default (ZN- 1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end Choosing Observation O A = (FB,N) O C = (O C FB,O C N ) logical MUX_iterate() { l0:h1 C = TRUE; l1:h2 C = ZN C <= 1; l2:if (h2 C ) l2.1: read(FB C ); l3:if (h2 C ) l3.1: N C = FB C ; else l3.2: N C = ZN C - 1; l4:write(N C ); l5:ZN C = N C ; return TRUE; } logical MUX_iterate() { rd.FB C =F; wr.N C =F; l0:h1 C = TRUE; l1:h2 C = ZN C <= 1; l2:if (h2 C ){ l2.1: read(FB C ); rd>FB C =T; } l3:if (h2 C ) l3.1: N C = FB C ; else l3.2: N C = ZN C - 1; l4:write(N C ); wr.N C =T; l5:ZN C = N C ; return TRUE; } O C FB : if rd.FB C then FB C else  O C N : if wr.N C then N C else 

FB : 3 N : 3 ZN : 1 FB :  N : 2 ZN : 3 FB :  N : 1 ZN : 2 FB : 5 N : 5 ZN : 1 FB :  N : 4 ZN : 5 … FB : * N : * ZN : 1 h1 : * h2 : * pc : l0 FB : * N : * ZN : 1 h1 : t h2 : t pc : l2 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1 FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5 FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0 … FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2 FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5 FB :  N :  ZN : 1

Composite STS Compose the transition relations of the individual statements inside the loop’s body. –no nested loops V : {FB C,N C,ZN C,h1 C,h2 C,rd.FB C,wr.N C } Θ : ZN C = 1  pc = l 0  (h1 ’ C =T)  (h2’ C =(ZN C  1))  (h2’ C  (N’ C =FB C )  (  h2’ C  (FB’ C =FB C  N’ C =ZN C –1))  (ZN’ C =N’ C )  (rd.FB’ C =h2’ C )  (wr.N’ C =T) O C FB : if rd.FB C then FB C else  O C N : if wr.N C then N C else   C :

Composite STS V : {FB C,N C,ZN C,h1 C,h2 C } Θ : ZN C = 1  pc = l 0  (h1 ’ C =T)  (h2’ C =(ZN C  1))  (h2’ C  (N’ C =FB C )  (  h2’ C  (FB’ C =FB C  N’ C =ZN C –1))  (ZN’ C =N’ C ) O C FB : if h2 C then FB C else  O C N : N C  C :

For an abstraction mapping V A =  (V C ) R1. Θ C  V A =  (V C )  Θ A Initiation R2. V A =  (V C )   C  V’ A =  (V’ C )   A Propagation R3. V A =  (V C )  O A =O C Compatibility with observations C refines A Rule Ref. Establish by induction that, for every  C :s 0 C,s 1 C,… there exists  A :s 0 A,s 1 A,… such that s j A =  (s j C ) and their observations are equal.

Construction of the Mapping  For v  V A,  v (V c ) – the value of v in s A related to s C. For v  IO,  v (V c ) = O C v (V C ) For each register flow  m.r = r C  ’ m.r = r’ C For each Register or Local variable v’ = eq v   ’ v = eq v (determinate programs) W1. Θ C   r  R (m.r = r C )   v  IORL (v =  )  Θ A W2.  r  R (m.r = r C  m.r’ = r’ C )   C   v  IO ( v’ = (O C v )’ )   v  RL (v’ = eq v ) AA

Theorem: If verification conditions W1 and W2 are valid, then C refines A.

Example U1. ZN C = 1  m.ZN = ZNc   FB =   N =   ZN =  FB =   N =   ZN =   m.ZN= 1 U2.  C    A m.ZN = ZN C  FB’ = if h2’ C then FB’ else   N’ = N’ C  m.ZN’ = ZN’ C  ZN’ = if N’   then m.ZN else 

Example U2.  C    A m.ZN = ZN C  FB’ = if h2’ C then FB’ else   N’ = N’ C  m.ZN’ = ZN’ C  ZN’ = if N’   then m.ZN else  U2.  C    A m.ZN = ZN C  FB’ = if h2’ C then FB’ else   N’ = N’ C  m.ZN’ = ZN’ C  ZN’ = ZN C

The End