Translation ValidationTranslation ValidationTranslation ValidationTranslation ValidationA.PnueliA.Pnueli

M.SiegelM.Siegel

E.SingermanE.Singerman

Motivation

• Prove that high level specification is correctly implemented in low level code.– Verifying compiler is not feasible.– Development freezing.

Solution: Translation Validation

Translation Validation

After each compiler run verify that the target code produced on this run correctly implements the source code.

• A common semantic framework.

• Notion of “correct implementation”.

• A proof method.

• Automation of the proof method.

Necessary Ingredients

Exampleprocess DEC =

( ? integer FB ! integer N )

( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |)

where integer ZN init 1 ;

end

logical DEC_iterate() {l0: h1C = TRUE;

l1: h2C = ZNC <= 1;

l2: if (h2C)

l2.1: read(FBC);

l3: if (h2C)

l3.1: NC = FBC;

elsel3.2: NC = ZNC - 1;

l4: write(NC);

l5: ZNC = NC;

return TRUE;}

FB : 3 N : 3 ZN : 1

FB : N : 2 ZN : 3

FB : N : 1 ZN : 2

FB : 5 N : 5 ZN : 1

FB : N : 4 ZN : 5

…

FB : * N : * ZN : 1 h1 : * h2 : * pc : l0

FB : * N : * ZN : 1 h1 : t h2 : t pc : l2

FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3

FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1

FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5

FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0

…FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2

FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3

FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2

FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5

FB : N : ZN : 1

…

Common Semantic Framework

Synchronous Transition SystemS = (V,O,Θ, ρ)

– V a set of state variables– O V a set of observable variables – Θ an initial condition characterizing the

initial states of the system– ρ a transition relation, relating a state

to its possible successors

process DEC = ( ? integer FB ! integer N )

( | N := FB default (ZN-1) | ZN := N $ 1 | FB ^= when (ZN <= 1) |)

where integer ZN init 1 ;

end V = {FB,N,ZN,m.ZN}Θ = (FB = N = ZN = m.ZN = 1)

N’ = if FB’ then FB’ else ZN’ -1 m.ZN’ = if N’ then N’ else m.ZN ZN’ = if N’ then m.ZN else ZN’ 1 FB’

=

logical DEC_iterate() {l0: h1 = TRUE;l1: h2 = ZN <= 1;l2: if (h2)l2.1:

read(FB);l3: if (h2)l3.1: N = FB;

elsel3.2: N = ZN - 1;l4: write(N);l5: ZN = N;

return TRUE;}

V = {FBC,NC,ZNC,h1C,h2C}

Θ = (ZNC = 1 pc = l0)

(pc=l0 h1’C=T pc’=l1 pres_but(pc.h1c))

(pc=l1 h2’C=(ZNC 1) pc’=l2 pres_but(pc,h2C))

(pc=l2 h2C pc’=l2.1 pres_but(pc))

(pc=l2 h2C pc’=l3 pres_but(pc))

(pc=l2.1 pc’=l3 pres_but(pc,FBC))

(pc=l3 h2C pc’=l3.1 pres_but(pc))

(pc=l3 h2C pc’=l3.2 pres_but(pc))

(pc=l3.1 N’C=FBC pc’=l4 pres_but(pc,NC))

(pc=l3.2 N’C=ZNC–1 pc’=l4 pres_but(pc,NC))

(pc=l4 pc’=l5 pres_but(pc))

(pc=l5 ZN’C=NC pc’=l0 pres_but(pc,ZNC))

C=

Let A = (V,O,Θ, ρ)• s[v] – a value state s assigns to

each variable vV.

• σ: s0,s1… - A computation

s0 |= Θ

(si,si+1) |= ρ iN

• ||A|| - the set of computations of A.

STS computation

A = (VA,OA,ΘA, ρA)

C = (VC,OC,ΘC, ρC)

Clocked interface mapping:I: C O

A

xOA, sC. I(s)[x]=s[x] or I(s)[x]=

Definition: C refines A if there exists a clocked interface mapping I from C to A such that I(||C||)||A||O.

Defining Refinement

OAOC

Proving RefinementClocked refinement mapping from C to A:

f: C A

xOA, sC. f(s)[x]=s[x] or f(s)[x]=

Theorem: C refines A if there exists a clocked refinement mapping f: C A such that

sC . s|= ΘC f(s) |= ΘA

s,s’ Cr . (s,s’)|= ρC (f(s),f(s’))|= ρA

Such f called inductive.

Proof Rule

: VA (VC) sA ā(sC)

For - state formula over VA:

ā(sC)|= iff sC|= []

For assertion inv and substitution : VA E(VC)

R1. ΘC inv inv holds initially

R2. inv ρC inv` inv is propagated

R3. ΘC ΘA[] Initiation

R4. inv ρC ρA[] Propagation

R5. inv (v[] = v v[] = ) vOA

C refines A

Translation Validation: Translation Validation: from Signal to Cfrom Signal to C

Translation Validation: Translation Validation: from Signal to Cfrom Signal to C

A.PnueliA.PnueliO.ShtrichmanO.Shtrichman

M.SiegelM.Siegel

Observation Functions and Correct Implementation

A = (VA,ΘA,A,OA) C = (VC,ΘC,C,OC)

• OA, OC – observation functions

• Given : s0, s1, …, - O(s0),O(s1), …, is observation of STS.

• Obs(A) is the set of A observations.

Definition: C refines A if Obs(C) Obs(A)

Adaptation to Signal compilation

process MUX = ( ? integer FB ! integer N )

( | N := FB default (ZN-1) | ZN := N $ init 1 | FB ^= when (ZN <= 1) |)

where integer ZN init 1 ;

end

Choosing Observation

• OA = (FB,N)

• OC = (OCFB,OC

N)

logical MUX_iterate()

{

l0: h1C = TRUE;

l1: h2C = ZNC <= 1;

l2: if (h2C)

l2.1: read(FBC);

l3: if (h2C)

l3.1: NC = FBC;

else

l3.2: NC = ZNC - 1;

l4: write(NC);

l5: ZNC = NC;

return TRUE;

}

logical MUX_iterate() { rd.FBC=F; wr.NC=F;

l0: h1C = TRUE;

l1: h2C = ZNC <= 1;

l2: if (h2C){

l2.1: read(FBC);

rd>FBC=T;

}l3: if (h2C)

l3.1: NC = FBC;

elsel3.2: NC = ZNC - 1;

l4: write(NC);

wr.NC=T;

l5: ZNC = NC;

return TRUE;}

OCFB: if rd.FBC then FBC else

OCN : if wr.NC then NC else

FB : 3 N : 3 ZN : 1

FB : N : 2 ZN : 3

FB : N : 1 ZN : 2

FB : 5 N : 5 ZN : 1

FB : N : 4 ZN : 5

…

FB : * N : * ZN : 1 h1 : * h2 : * pc : l0

FB : * N : * ZN : 1 h1 : t h2 : t pc : l2

FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3

FB : 3 N : * ZN : 1 h1 : t h2 : t pc : l3.1

FB : 3 N : 3 ZN : 1 h1 : t h2 : t pc : l5

FB : 3 N : 3 ZN : 3 h1 : t h2 : t pc : l0

…FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l2

FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3

FB : 3 N : 3 ZN : 3 h1 : t h2 : f pc : l3.2

FB : 3 N : 2 ZN : 3 h1 : t h2 : f pc : l5

FB : N : ZN : 1

Composite STS• Compose the transition relations of the individual

statements inside the loop’s body.– no nested loops

V : {FBC,NC,ZNC,h1C,h2C,rd.FBC,wr.NC}

Θ : ZNC = 1 pc = l0

(h1’C=T)

(h2’C=(ZNC 1))

(h2’C(N’C=FBC)

(h2’C(FB’C=FBC N’C=ZNC–1))

(ZN’C=N’C)

(rd.FB’C=h2’C)

(wr.N’C=T)

OCFB: if rd.FBC then FBC else

OCN : if wr.NC then NC else

C :

Composite STS

V : {FBC,NC,ZNC,h1C,h2C}

Θ : ZNC = 1 pc = l0

(h1’C=T)

(h2’C=(ZNC 1))

(h2’C(N’C=FBC)

(h2’C(FB’C=FBC N’C=ZNC–1))

(ZN’C=N’C)

OCFB: if h2C then FBC else

OCN : NC

C :

For an abstraction mapping VA = (VC)

R1. ΘC VA = (VC) ΘA Initiation

R2. VA = (VC) C V’A = (V’C) A Propagation

R3. VA = (VC) OA=OC Compatibility with observations

C refines A

Rule Ref.

Establish by induction that, for every C:s0C,s1

C,… there exists A:s0

A,s1A,… such that sj

A=(sjC) and

their observations are equal.

Construction of the Mapping For vVA, v(Vc) – the value of v in sA related to sC.

• For v IO, v(Vc) = OCv(VC)

• For each register flowm.r = rC ’m.r = r’C

• For each Register or Local variablev’ = eqv ’v = eqv (determinate programs)

W1. ΘC rR(m.r = rC) vIORL(v = ) ΘA

W2. rR(m.r = rC m.r’ = r’C) C

vIO( v’ = (OCv)’ ) vRL(v’ = eqv)

A

Theorem: If verification conditions W1 and W2 are valid, then C refines A.

Example

U1. ZNC = 1 m.ZN = ZNc FB = N = ZN =

FB = N = ZN = m.ZN= 1

U2. C A

m.ZN = ZNC

FB’ = if h2’C then FB’ else N’ = N’C

m.ZN’ = ZN’C

ZN’ = if N’ then m.ZN else

Example

U2. C A

m.ZN = ZNC

FB’ = if h2’C then FB’ else N’ = N’C

m.ZN’ = ZN’C

ZN’ = if N’ then m.ZN else

U2. C A

m.ZN = ZNC

FB’ = if h2’C then FB’ else N’ = N’C

m.ZN’ = ZN’C

ZN’ = ZNC

The End