Translation Validation (A. Pnueli, M. Siegel, E. Singerman)
Post on 20-Dec-2015
Translation Validation
A. Pnueli, M. Siegel, E. Singerman
Motivation
• Prove that a high level specification is correctly implemented in low level code.
– A verifying compiler is not feasible.
– Development freezing.
Solution: Translation Validation

Translation Validation
After each compiler run, verify that the target code produced on this run correctly implements the source code.

Necessary Ingredients
• A common semantic framework.
• Notion of “correct implementation”.
• A proof method.
• Automation of the proof method.
Example
process DEC =
( ? integer FB ! integer N )
( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |)
where integer ZN init 1 ;
end
logical DEC_iterate() {
l0: h1C = TRUE;
l1: h2C = ZNC <= 1;
l2: if (h2C)
l2.1: read(FBC);
l3: if (h2C)
l3.1: NC = FBC;
else
l3.2: NC = ZNC - 1;
l4: write(NC);
l5: ZNC = NC;
return TRUE;
}
FB : 3 N : 3 ZN : 1
FB : N : 2 ZN : 3
FB : N : 1 ZN : 2
FB : 5 N : 5 ZN : 1
FB : N : 4 ZN : 5
…
FB : * N : * ZN : 1 h1 : * h2 : * pc : l0
FB : * N : * ZN : 1 h1 : t h2 : t pc : l2
FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3
FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1
FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5
FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0
…
FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2
FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3
FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2
FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5
FB : N : ZN : 1
…
Common Semantic Framework
Synchronous Transition System S = (V,O,Θ, ρ)
– V a set of state variables
– O V a set of observable variables
– Θ an initial condition characterizing the initial states of the system
– ρ a transition relation, relating a state to its possible successors
process DEC = ( ? integer FB ! integer N )
( | N := FB default (ZN-1) | ZN := N $ 1 | FB ^= when (ZN <= 1) |)
where integer ZN init 1 ;
end
V = {FB,N,ZN,m.ZN}
Θ = (FB = N = ZN = m.ZN = 1)
ρA =
N’ = if FB’ then FB’ else ZN’ - 1
m.ZN’ = if N’ then N’ else m.ZN
ZN’ = if N’ then m.ZN else
ZN’ 1 FB’
logical DEC_iterate() {
l0: h1 = TRUE;
l1: h2 = ZN <= 1;
l2: if (h2)
l2.1: read(FB);
l3: if (h2)
l3.1: N = FB;
else
l3.2: N = ZN - 1;
l4: write(N);
l5: ZN = N;
return TRUE;
}
V = {FBC,NC,ZNC,h1C,h2C}
Θ = (ZNC = 1 pc = l0)
ρC =
(pc=l0 h1’C=T pc’=l1 pres_but(pc,h1C))
(pc=l1 h2’C=(ZNC 1) pc’=l2 pres_but(pc,h2C))
(pc=l2 h2C pc’=l2.1 pres_but(pc))
(pc=l2 h2C pc’=l3 pres_but(pc))
(pc=l2.1 pc’=l3 pres_but(pc,FBC))
(pc=l3 h2C pc’=l3.1 pres_but(pc))
(pc=l3 h2C pc’=l3.2 pres_but(pc))
(pc=l3.1 N’C=FBC pc’=l4 pres_but(pc,NC))
(pc=l3.2 N’C=ZNC–1 pc’=l4 pres_but(pc,NC))
(pc=l4 pc’=l5 pres_but(pc))
(pc=l5 ZN’C=NC pc’=l0 pres_but(pc,ZNC))
STS computation
Let A = (V,O,Θ, ρ)
• s[v] – the value that state s assigns to each variable v in V.
• σ: s0,s1,… – a computation:
s0 |= Θ
(si,si+1) |= ρ for all i in N
• ||A|| – the set of computations of A.
Defining Refinement
A = (VA,OA,ΘA, ρA)
C = (VC,OC,ΘC, ρC)
OA OC
Clocked interface mapping: I: C OA
for all x in OA, s in C: I(s)[x]=s[x] or I(s)[x]=
Definition: C refines A if there exists a clocked interface mapping I from C to A such that I(||C||) ||A||O.
Proving Refinement
Clocked refinement mapping from C to A:
f: C A
for all x in OA, s in C: f(s)[x]=s[x] or f(s)[x]=
Theorem: C refines A if there exists a clocked refinement mapping f: C A such that
for all s in C: s |= ΘC implies f(s) |= ΘA
for all s,s’ in Cr: (s,s’) |= ρC implies (f(s),f(s’)) |= ρA
Such an f is called inductive.
Proof Rule
: VA (VC)   sA ā(sC)
For – a state formula over VA:
ā(sC) |= iff sC |= []
For assertion inv and substitution : VA E(VC)
R1. ΘC inv   inv holds initially
R2. inv ρC inv’   inv is propagated
R3. ΘC ΘA[]   Initiation
R4. inv ρC ρA[]   Propagation
R5. inv (v[] = v v[] = ) for all v in OA
C refines A
Translation Validation: from Signal to C
A. Pnueli, O. Shtrichman, M. Siegel
Observation Functions and Correct Implementation
A = (VA,ΘA,A,OA)   C = (VC,ΘC,C,OC)
• OA, OC – observation functions
• Given σ: s0, s1, …, the sequence O(s0), O(s1), … is the observation of the STS.
• Obs(A) is the set of observations of A.
Definition: C refines A if Obs(C) Obs(A)
Choosing Observation
process MUX = ( ? integer FB ! integer N )
( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |)
where integer ZN init 1 ;
end
• OA = (FB,N)
• OC = (OCFB, OCN)
logical MUX_iterate()
{
l0: h1C = TRUE;
l1: h2C = ZNC <= 1;
l2: if (h2C)
l2.1: read(FBC);
l3: if (h2C)
l3.1: NC = FBC;
else
l3.2: NC = ZNC - 1;
l4: write(NC);
l5: ZNC = NC;
return TRUE;
}
logical MUX_iterate() {
rd.FBC=F; wr.NC=F;
l0: h1C = TRUE;
l1: h2C = ZNC <= 1;
l2: if (h2C) {
l2.1: read(FBC);
rd.FBC=T;
}
l3: if (h2C)
l3.1: NC = FBC;
else
l3.2: NC = ZNC - 1;
l4: write(NC);
wr.NC=T;
l5: ZNC = NC;
return TRUE;
}
OCFB: if rd.FBC then FBC else
OCN : if wr.NC then NC else
Composite STS
• Compose the transition relations of the individual statements inside the loop’s body.
– no nested loops
V : {FBC,NC,ZNC,h1C,h2C,rd.FBC,wr.NC}
Θ : ZNC = 1 pc = l0
ρC :
(h1’C=T)
(h2’C=(ZNC 1))
(h2’C (N’C=FBC))
(h2’C (FB’C=FBC N’C=ZNC–1))
(ZN’C=N’C)
(rd.FB’C=h2’C)
(wr.N’C=T)
OCFB: if rd.FBC then FBC else
OCN : if wr.NC then NC else
Composite STS
V : {FBC,NC,ZNC,h1C,h2C}
Θ : ZNC = 1 pc = l0
ρC :
(h1’C=T)
(h2’C=(ZNC 1))
(h2’C (N’C=FBC))
(h2’C (FB’C=FBC N’C=ZNC–1))
(ZN’C=N’C)
OCFB: if h2C then FBC else
OCN : NC
Rule Ref.
For an abstraction mapping VA = (VC):
R1. ΘC VA = (VC) ΘA   Initiation
R2. VA = (VC) C V’A = (V’C) A   Propagation
R3. VA = (VC) OA=OC   Compatibility with observations
C refines A
Establish by induction that, for every C-computation s0C, s1C, … there exists an A-computation s0A, s1A, … such that sjA = (sjC) and their observations are equal.
Construction of the Mapping
For v in VA, v(VC) – the value of v in sA related to sC.
• For v in IO, v(VC) = OCv(VC)
• For each register flow: m.r = rC, m.r’ = r’C
• For each register or local variable: v’ = eqv (determinate programs)
W1. ΘC rR(m.r = rC) vIORL(v = ) ΘA
W2. rR(m.r = rC m.r’ = r’C) C vIO( v’ = (OCv)’ ) vRL(v’ = eqv) A
Example
U1. ZNC = 1 m.ZN = ZNC FB = N = ZN =
FB = N = ZN = m.ZN = 1
U2. C A
m.ZN = ZNC
FB’ = if h2’C then FB’ else
N’ = N’C
m.ZN’ = ZN’C
ZN’ = if N’ then m.ZN else
U2. C A
m.ZN = ZNC
FB’ = if h2’C then FB’ else
N’ = N’C
m.ZN’ = ZN’C
ZN’ = ZNC
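The obligations U1 and U2 of this example can be discharged mechanically once the value domain is made finite. The following is an added illustration in Python, not the authors' tool or generated code: rho_a encodes the Signal process DEC (the key mZN stands for m.ZN), rho_c the composite STS of MUX_iterate with h1C dropped because it is always TRUE, alpha the mapping of the Example slide, and BOT, DOM and the mistranslated rho_c_bad are constructed for the illustration.

```python
from itertools import product

BOT = None         # absent signal (the slides' bottom symbol)
DOM = range(0, 4)  # constructed finite value domain for FB, N and ZN

def theta_a(s):    # initial condition of the Signal process DEC (source STS A)
    return s["FB"] is BOT and s["N"] is BOT and s["ZN"] is BOT and s["mZN"] == 1

def rho_a(s, t):   # transition relation of DEC; key mZN stands for m.ZN
    present = t["N"] is not BOT                  # N and ZN share one clock
    if present != (t["ZN"] is not BOT):
        return False
    fb_clock = present and t["ZN"] <= 1          # FB ^= when (ZN <= 1)
    if (t["FB"] is not BOT) != fb_clock:
        return False
    n_ok = not present or t["N"] == (t["FB"] if fb_clock else t["ZN"] - 1)  # N := FB default (ZN-1)
    return (n_ok and t["ZN"] == (s["mZN"] if present else BOT)        # ZN := N $ 1
            and t["mZN"] == (t["N"] if present else s["mZN"]))        # memorised N

def rho_c(s, t, test=lambda z: z <= 1):   # composite STS of MUX_iterate (target STS C)
    h2 = test(s["ZNC"])                   # h1C is always TRUE and is omitted
    return (t["h2C"] == h2 and t["ZNC"] == t["NC"] and
            (t["NC"] == t["FBC"] if h2 else t["FBC"] == s["FBC"] and t["NC"] == s["ZNC"] - 1))

def rho_c_bad(s, t):   # constructed mistranslation: the guard became ZNC < 1
    return rho_c(s, t, lambda z: z < 1)

def obs_c(s):      # O_C = (if h2C then FBC else bottom, NC)
    return (s["FBC"] if s["h2C"] else BOT, s["NC"])

def alpha(sc, prev_znc):   # mapping of the Example slide; ZN' = ZNC of the pre-state
    fb, n = obs_c(sc)
    return {"FB": fb, "N": n, "mZN": sc["ZNC"], "ZN": prev_znc}

def alpha_init(sc):        # W1: register taken from C, IO and locals absent
    return {"FB": BOT, "N": BOT, "ZN": BOT, "mZN": sc["ZNC"]}

def check_refinement(rho=rho_c):
    """U1 (initiation) and U2 (propagation plus equal observations), checked
    over every C-state and every C-transition whose values lie in DOM."""
    states = [dict(FBC=f, NC=n, ZNC=z, h2C=h)
              for f, n, z, h in product(DOM, DOM, DOM, (False, True))]
    u1 = all(theta_a(alpha_init(s)) for s in states if s["ZNC"] == 1)
    u2 = all(rho_a(alpha(s, BOT), alpha(t, s["ZNC"]))   # rho_a reads only m.ZN of s
             and (alpha(t, s["ZNC"])["FB"], alpha(t, s["ZNC"])["N"]) == obs_c(t)
             for s in states for t in states if rho(s, t))
    return u1 and u2

if __name__ == "__main__":
    print("faithful:", check_refinement(), "mistranslated:", check_refinement(rho_c_bad))
```

The faithful translation passes both obligations, while the off-by-one guard fails U2 at the step where ZNC = 1: the mapped A-state then has FB absent although the Signal clock constraint requires it present.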