Presentation is loading. Please wait.

Presentation is loading. Please wait.

Translation Validation A.PnueliM.SiegelE.Singerman.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Translation Validation A.PnueliM.SiegelE.Singerman."— Presentation transcript:

1 Translation Validation A.PnueliM.SiegelE.Singerman

2 Motivation Prove that high level specification is correctly implemented in low level code. –Verifying compiler is not feasible. –Development freezing. Solution: Translation Validation

3 Translation Validation After each compiler run verify that the target code produced on this run correctly implements the source code.

4 A common semantic framework. Notion of “correct implementation”. A proof method. Automation of the proof method. Necessary Ingredients

5 Example process DEC = ( ? integer FB ! integer N ) ( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end logical DEC_iterate() { l0:h1 C = TRUE; l1:h2 C = ZN C <= 1; l2:if (h2 C ) l2.1: read(FB C ); l3:if (h2 C ) l3.1: N C = FB C ; else l3.2: N C = ZN C - 1; l4:write(N C ); l5:ZN C = N C ; return TRUE; }

6 FB : 3 N : 3 ZN : 1 FB :  N : 2 ZN : 3 FB :  N : 1 ZN : 2 FB : 5 N : 5 ZN : 1 FB :  N : 4 ZN : 5 … FB : * N : * ZN : 1 h1 : * h2 : * pc : l0 FB : * N : * ZN : 1 h1 : t h2 : t pc : l2 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1 FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5 FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0 … FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2 FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5 FB :  N :  ZN : 1 …

7 Common Semantic Framework Synchronous Transition System S = (V,O,Θ, ρ) –V a set of state variables –O  V a set of observable variables –Θ an initial condition characterizing the initial states of the system –ρ a transition relation, relating a state to its possible successors

8 process DEC = ( ? integer FB ! integer N ) ( | N := FB default (ZN-1) | ZN := N $ 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end V = {FB,N,ZN,m.ZN} Θ = (FB =   N =   ZN =   m.ZN = 1) N’ = if FB’   then FB’ else ZN’ -1  m.ZN’ = if N’   then N’ else m.ZN  ZN’ = if N’   then m.ZN else   ZN’  1  FB’     =

9 logical DEC_iterate() { l0:h1 = TRUE; l1:h2 = ZN <= 1; l2:if (h2) l2.1: read(FB); l3:if (h2) l3.1: N = FB; else l3.2: N = ZN - 1; l4:write(N); l5:ZN = N; return TRUE; } V = {FB C,N C,ZN C,h1 C,h2 C } Θ = (ZN C = 1  pc = l 0 ) (pc=l 0  h1 ’ C =T  pc ’ =l 1  pres_but(pc.h1 c ))  (pc=l 1  h2’ C =(ZN C  1)  pc’=l 2  pres_but(pc,h2 C ))  (pc=l 2  h2 C  pc’=l 2.1  pres_but(pc))  (pc=l 2   h2 C  pc’=l 3  pres_but(pc))  (pc=l 2.1  pc’=l 3  pres_but(pc,FB C ))  (pc=l 3  h2 C  pc’=l 3.1  pres_but(pc))  (pc=l 3   h2 C  pc’=l 3.2  pres_but(pc))  (pc=l 3.1  N’ C =FB C  pc’=l 4  pres_but(pc,N C ))  (pc=l 3.2  N’ C =ZN C –1  pc’=l 4  pres_but(pc,N C ))  (pc=l 4  pc’=l 5  pres_but(pc))  (pc=l 5  ZN’ C =N C  pc’=l 0  pres_but(pc,ZN C )) C=C=

10 Let A = (V,O,Θ, ρ) s[v] – a value state s assigns to each variable v  V. σ: s 0,s 1 … - A computation s 0 |= Θ (s i,s i+1 ) |= ρ  i  N ||A|| - the set of computations of A. STS computation

11 A = (V A,O A,Θ A, ρ A ) C = (V C,O C,Θ C, ρ C ) Clocked interface mapping: I:  C   O A  x  O A, s  C. I(s)[x]=s[x] or I(s)[x]=  Definition: C refines A if there exists a clocked interface mapping I from C to A such that I(||C||)  ||A|| O. Defining Refinement OAOCOAOC

12 Proving Refinement Clocked refinement mapping from C to A: f:  C   A  x  O A, s  C. f(s)[x]=s[x] or f(s)[x]=  Theorem: C refines A if there exists a clocked refinement mapping f:  C   A such that  s  C. s|= Θ C  f(s) |= Θ A  s,s’  C r. (s,s’)|= ρ C  (f(s),f(s’))|= ρ A Such f called inductive.

13 Proof Rule  : V A   (V C )s A  ā(s C ) For  - state formula over V A : ā(s C )|=  iff s C |=  [  ] For assertion inv and substitution  : V A  E(V C ) R1. Θ C  invinv holds initially R2. inv  ρ C  inv`inv is propagated R3. Θ C  Θ A [  ]Initiation R4. inv  ρ C  ρ A [  ]Propagation R5. inv  (v[  ] = v  v[  ] =  )  v  O A C refines A

14 Translation Validation: from Signal to C A.PnueliO.ShtrichmanM.Siegel

15 Observation Functions and Correct Implementation A = (V A,Θ A,  A,O A )C = (V C,Θ C,  C,O C ) O A, O C – observation functions Given  : s 0, s 1, …, - O(s 0 ),O(s 1 ), …, is observation of STS. Obs(A) is the set of A observations. Definition: C refines A if Obs(C)  Obs(A)

16 Adaptation to Signal compilation

17 process MUX = ( ? integer FB ! integer N ) ( | N := FB default (ZN- 1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |) where integer ZN init 1 ; end Choosing Observation O A = (FB,N) O C = (O C FB,O C N ) logical MUX_iterate() { l0:h1 C = TRUE; l1:h2 C = ZN C <= 1; l2:if (h2 C ) l2.1: read(FB C ); l3:if (h2 C ) l3.1: N C = FB C ; else l3.2: N C = ZN C - 1; l4:write(N C ); l5:ZN C = N C ; return TRUE; } logical MUX_iterate() { rd.FB C =F; wr.N C =F; l0:h1 C = TRUE; l1:h2 C = ZN C <= 1; l2:if (h2 C ){ l2.1: read(FB C ); rd>FB C =T; } l3:if (h2 C ) l3.1: N C = FB C ; else l3.2: N C = ZN C - 1; l4:write(N C ); wr.N C =T; l5:ZN C = N C ; return TRUE; } O C FB : if rd.FB C then FB C else  O C N : if wr.N C then N C else 

18 FB : 3 N : 3 ZN : 1 FB :  N : 2 ZN : 3 FB :  N : 1 ZN : 2 FB : 5 N : 5 ZN : 1 FB :  N : 4 ZN : 5 … FB : * N : * ZN : 1 h1 : * h2 : * pc : l0 FB : * N : * ZN : 1 h1 : t h2 : t pc : l2 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3 FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1 FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5 FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0 … FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3 FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2 FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5 FB :  N :  ZN : 1

19 Composite STS Compose the transition relations of the individual statements inside the loop’s body. –no nested loops V : {FB C,N C,ZN C,h1 C,h2 C,rd.FB C,wr.N C } Θ : ZN C = 1  pc = l 0  (h1 ’ C =T)  (h2’ C =(ZN C  1))  (h2’ C  (N’ C =FB C )  (  h2’ C  (FB’ C =FB C  N’ C =ZN C –1))  (ZN’ C =N’ C )  (rd.FB’ C =h2’ C )  (wr.N’ C =T) O C FB : if rd.FB C then FB C else  O C N : if wr.N C then N C else   C :

20 Composite STS V : {FB C,N C,ZN C,h1 C,h2 C } Θ : ZN C = 1  pc = l 0  (h1 ’ C =T)  (h2’ C =(ZN C  1))  (h2’ C  (N’ C =FB C )  (  h2’ C  (FB’ C =FB C  N’ C =ZN C –1))  (ZN’ C =N’ C ) O C FB : if h2 C then FB C else  O C N : N C  C :

21 For an abstraction mapping V A =  (V C ) R1. Θ C  V A =  (V C )  Θ A Initiation R2. V A =  (V C )   C  V’ A =  (V’ C )   A Propagation R3. V A =  (V C )  O A =O C Compatibility with observations C refines A Rule Ref. Establish by induction that, for every  C :s 0 C,s 1 C,… there exists  A :s 0 A,s 1 A,… such that s j A =  (s j C ) and their observations are equal.

22 Construction of the Mapping  For v  V A,  v (V c ) – the value of v in s A related to s C. For v  IO,  v (V c ) = O C v (V C ) For each register flow  m.r = r C  ’ m.r = r’ C For each Register or Local variable v’ = eq v   ’ v = eq v (determinate programs) W1. Θ C   r  R (m.r = r C )   v  IORL (v =  )  Θ A W2.  r  R (m.r = r C  m.r’ = r’ C )   C   v  IO ( v’ = (O C v )’ )   v  RL (v’ = eq v ) AA

23 Theorem: If verification conditions W1 and W2 are valid, then C refines A.

24 Example U1. ZN C = 1  m.ZN = ZNc   FB =   N =   ZN =  FB =   N =   ZN =   m.ZN= 1 U2.  C    A m.ZN = ZN C  FB’ = if h2’ C then FB’ else   N’ = N’ C  m.ZN’ = ZN’ C  ZN’ = if N’   then m.ZN else 

25 Example U2.  C    A m.ZN = ZN C  FB’ = if h2’ C then FB’ else   N’ = N’ C  m.ZN’ = ZN’ C  ZN’ = if N’   then m.ZN else  U2.  C    A m.ZN = ZN C  FB’ = if h2’ C then FB’ else   N’ = N’ C  m.ZN’ = ZN’ C  ZN’ = ZN C

26 The End

Download ppt "Translation Validation A.PnueliM.SiegelE.Singerman."

Similar presentations

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Copyright 2003-04, Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
Functional Verification III Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 23.

Functional Verification III Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 23.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.

Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.

This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Similar presentations

Ads by Google