
Translation Validation: From Simulink to C

Translation Validation: From Simulink to C. Michael Ryabtsev, Ofer Strichman, Technion, Haifa, Israel. Acknowledgement: sponsored by a grant from General Motors. Simulink is MathWorks’ package for model-based design.


Presentation Transcript


  1. Translation Validation: From Simulink to C. Michael Ryabtsev, Ofer Strichman. Technion, Haifa, Israel. Acknowledgement: sponsored by a grant from General Motors.

  2. Simulink
  • Simulink is MathWorks’ package for model-based design.
  • A de-facto industry standard for the design of control software: automotive industry, avionics, medical devices, ...
  • Automatic embedded code generation with Real-Time Workshop: multiple embedded targets, multiple optimization options.

  3. Simulink block diagram (figure: inputs, states, outputs)

  4. Automatic code generation

      /* Generated step code; the globals (UnitDelay_DSTATE, Control, In2, Out1 and
         the block parameters) are declared in the generated model header. */
      void example_model_initialize(void)
      {
          UnitDelay_DSTATE = UnitDelay_X0;
      }

      void example_model_step(void)
      {
          double rtb_UnitDelay;
          if (Control >= Switch_Threshold) {
              rtb_UnitDelay = Constant_Value;
          } else {
              rtb_UnitDelay = In2;
          }
          UnitDelay_DSTATE += rtb_UnitDelay;
          rtb_UnitDelay = UnitDelay_DSTATE;
          Out1 = rtb_UnitDelay;
      }

  • Translation Validation: prove that the model is implemented correctly.

  5. Translation Validation
  • Technique for formally establishing the semantic equivalence of a source and a target of a code generator.
  • Mapping of input, output and state variables.
  (figure: source program and target program fed to the translation validation engine, with the mapping between them)

  6. Previous work on translation validation
  • From synchronous languages:
    • DC+ → C: Pnueli, Siegel and Singerman (1998), "Translation Validation"; Pnueli, Strichman and Siegel (1998), "Translation Validation: From DC+ to C"
    • Scade-Lustre → C
  • C to binary:
    • An optimizing C compiler: Zuck, Pnueli, Fang and B. Goldberg, "VOC: A Methodology for the Translation Validation of Optimizing Compilers"
    • ...
    • gcc optimizations: Necula, "Translation Validation for an Optimizing Compiler"

  7. Translation validation

  8. Simulink Code Generation Example
  • Synchronous system computations can be represented symbolically with an initial state predicate and a transition function.

      /* Generated code; globals are declared in the generated model header.
         Block parameters: UnitDelay_X0 = 0, Switch_Threshold = 0, Constant = 0 */
      void example_model_initialize(void)
      {
          UnitDelay_state = UnitDelay_X0;
      }

      void example_model_step(void)
      {
          double local_UnitDelay;
          if (Control >= Switch_Threshold) {
              local_UnitDelay = Constant;
          } else {
              local_UnitDelay = In2;
          }
          UnitDelay_state += local_UnitDelay;
          local_UnitDelay = UnitDelay_state;
          Out1 = local_UnitDelay;
      }

  9. Verification Condition
  • Need to prove: equal input stream ⇒ equal output stream.
  • The proof is based on induction.

  10. Definitions
  • For a transition system M:
    • init(M): initial-state predicate over M’s state variables
    • TR(M): transition relation over M’s inputs, outputs, current and next state variables
    • var(M): the variables defining M
    • state(M): set of state variables
    • inp(M): set of input variables
    • out(M): set of output variables
  • For transition systems S and T with disjoint variable sets, map: var(S) → var(T) maps their inputs, outputs and state variables.

  11. The Verification Condition
  • The initial states of the target are legitimate initial states in the source.
  • Equality between source and target outputs is propagated through the program computation:
    equal state ∧ equal inputs ⇒ equal next state ∧ equal outputs

  12. Source transition relation, Yices format

      (and (= m_Constant' 0)
           (= m_Sum' (+ m_Switch' m_Unit_Delay'))
           (= m_Switch' (if (>= m_Control' 0) m_Constant' m_In2'))
           (= m_Unit_Delay_state' m_Sum')
           (= m_Unit_Delay' m_Unit_Delay_state)
           (= m_Out1' m_Sum'))
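As an added example (not code from the slides or the authors' tool), the source transition relation above and the generated step function of slide 8 are rewritten as Python step functions, and the two halves of the verification condition of slides 9 to 11 are checked by exhaustive enumeration over a small integer domain. The authors discharge this condition with Yices; the enumeration here is only a bounded check, and the "injected error" target is constructed to mimic the error injection of slide 17.

```python
from itertools import product

# Source side: the Simulink transition relation from the Yices text above,
# rewritten as a Python step function. State variable: Unit_Delay_state;
# inputs: Control, In2; output: Out1. Returns (next_state, output).
def source_step(unit_delay_state, control, in2):
    constant = 0                                # (= m_Constant' 0)
    switch = constant if control >= 0 else in2  # (= m_Switch' (if (>= m_Control' 0) ...))
    unit_delay = unit_delay_state               # (= m_Unit_Delay' m_Unit_Delay_state)
    sum_ = switch + unit_delay                  # (= m_Sum' (+ m_Switch' m_Unit_Delay'))
    return sum_, sum_                           # Unit_Delay_state' = Sum', Out1' = Sum'

# Target side: the generated C step function of slide 8, with its constants
# (Switch_Threshold = 0, Constant = 0) folded in.
def target_step(unitdelay_state, control, in2):
    local_unitdelay = 0 if control >= 0 else in2
    unitdelay_state += local_unitdelay
    return unitdelay_state, unitdelay_state

# A deliberately mis-generated target (constructed here, not generated code):
# '>' instead of '>=' on the switch condition.
def target_step_injected_error(unitdelay_state, control, in2):
    local_unitdelay = 0 if control > 0 else in2
    unitdelay_state += local_unitdelay
    return unitdelay_state, unitdelay_state

SOURCE_INIT = TARGET_INIT = 0  # UnitDelay_X0 = 0 on both sides

def check_vc(domain, target=target_step):
    """Bounded version of the verification condition.
    Base case: the target's initial state is an initial state of the source.
    Step: equal state and equal inputs give equal outputs and equal next state.
    Returns None when both hold over `domain`, else the first counterexample."""
    if TARGET_INIT != SOURCE_INIT:
        return ("init", TARGET_INIT)
    for state, control, in2 in product(domain, repeat=3):
        next_s, out_s = source_step(state, control, in2)
        next_t, out_t = target(state, control, in2)
        if next_s != next_t or out_s != out_t:
            return (state, control, in2)
    return None
```

For the correct target the check returns None; for the injected error it returns the first state/input triple on which the two sides diverge.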

  13. Invariants
  • Variables in synchronous systems are volatile.
  • In C, global variables preserve their values between steps.

  C side:

      if (cond)
          mode = 1;
      else {
          mode = 0;
      }

  Simulink side:

      if (cond && mode == 0) mode = 1;
      if (!cond && mode == 1) mode = 0;

  • The unreachable executions are eliminated by the invariant mode == 0 ∨ mode == 1.
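As an added example (not the authors' code), the two sides of the mode example above are encoded as Python step functions to show why the invariant is needed: without it the inductive step has a counterexample in an unreachable state (mode outside {0, 1}), with it the step goes through, and the invariant itself is inductive, so it may be assumed. The initial mode value 0 is an assumption.

```python
# Simulink side of the slide: a two-mode chart that only moves between
# mode 0 and mode 1; any other value of `mode` is left untouched.
def simulink_mode_step(mode, cond):
    if cond and mode == 0:
        mode = 1
    if not cond and mode == 1:
        mode = 0
    return mode

# C side of the slide: the global `mode` is reassigned on every step.
def c_mode_step(mode, cond):
    if cond:
        mode = 1
    else:
        mode = 0
    return mode

def mode_invariant(mode):
    """The invariant the slide adds: mode == 0 or mode == 1."""
    return mode == 0 or mode == 1

def find_step_counterexample(states, invariant=lambda m: True):
    """Inductive step: equal state and equal input must give an equal next
    state. Only states satisfying `invariant` are considered. Returns the
    first (mode, cond) that violates the step, or None."""
    for mode in states:
        if not invariant(mode):
            continue
        for cond in (False, True):
            if simulink_mode_step(mode, cond) != c_mode_step(mode, cond):
                return (mode, cond)
    return None

def invariant_is_inductive(states, invariant, init_mode=0):
    """An invariant may be assumed only if it holds initially and every
    step from an invariant state lands in an invariant state again."""
    if not invariant(init_mode):
        return False
    return all(invariant(simulink_mode_step(m, c))
               for m in states if invariant(m) for c in (False, True))
```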

  14. Uninterpreted functions
  • In some cases we abstract arithmetical functions with uninterpreted functions.
  • Example:

  15. Uninterpreted functions
  • Uninterpreted functions can be too abstract.
  • We occasionally use partially interpreted functions.
  • Example: consider a transformation such as a · b → b · a.
  • Enforce commutativity:

  16. Implementation
  • Source side: the Matlab script language
  • Target side: CTool, CPP, C++
  • Verification: Yices

  17. Experiments
  • “rtwdemo_fuelsys”, a fuel injection controller that is distributed with Matlab:
    • ~100 blocks
    • the generated step function has ~250 LOC
    • the generated verification condition: 790 lines in Yices format
  • Solving time: 1 sec.
  • When injecting errors, solving time is ~10 sec.

  18. Well, thank you
