Translation Validation - PowerPoint PPT Presentation

Presentation Transcript
Translation Validation

A. Pnueli, M. Siegel, E. Singerman

Motivation
  • Prove that a high-level specification is correctly implemented in low-level code.
    • A verifying compiler is not feasible.
    • Development freezing.

Solution: Translation Validation

Translation Validation

After each compiler run, verify that the target code produced on this run correctly implements the source code.

Necessary Ingredients
  • A common semantic framework.
  • Notion of “correct implementation”.
  • A proof method.
  • Automation of the proof method.
Example

logical DEC_iterate()
{
  l0:   h1C = TRUE;
  l1:   h2C = ZNC <= 1;
  l2:   if (h2C)
  l2.1:   read(FBC);
  l3:   if (h2C)
  l3.1:   NC = FBC;
        else
  l3.2:   NC = ZNC - 1;
  l4:   write(NC);
  l5:   ZNC = NC;
        return TRUE;
}

process DEC =
  ( ? integer FB
    ! integer N )
  ( | N := FB default (ZN-1)
    | ZN := N $ init 1
    | FB ^= when (ZN <= 1)
    |)
  where
    integer ZN init 1 ;
  end

Execution of the Signal process DEC (⊥ = signal absent at this step):

FB : ⊥  N : ⊥  ZN : 1
FB : 3  N : 3  ZN : 1
FB : ⊥  N : 2  ZN : 3
FB : ⊥  N : 1  ZN : 2
FB : 5  N : 5  ZN : 1
FB : ⊥  N : 4  ZN : 5

Execution of the C procedure DEC_iterate (* = arbitrary value):

FB : *  N : *  ZN : 1  h1 : *  h2 : *  pc : l0
FB : *  N : *  ZN : 1  h1 : t  h2 : t  pc : l2
FB : 3  N : *  ZN : 1  h1 : t  h2 : t  pc : l3
FB : 3  N : *  ZN : 1  h1 : t  h2 : t  pc : l3.1
FB : 3  N : 3  ZN : 1  h1 : t  h2 : t  pc : l5
FB : 3  N : 3  ZN : 3  h1 : t  h2 : t  pc : l0
FB : 3  N : 3  ZN : 3  h1 : t  h2 : f  pc : l2
FB : 3  N : 3  ZN : 3  h1 : t  h2 : f  pc : l3
FB : 3  N : 3  ZN : 3  h1 : t  h2 : f  pc : l3.2
FB : 3  N : 2  ZN : 3  h1 : t  h2 : f  pc : l5
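The two traces above can be reproduced by executing both programs on the same input stream and comparing what each one makes observable. The following Python is an added example, not code from the slides or from the authors: it reads the Signal process as a step function over its delay memory, runs the C loop body with the rd./wr. flags introduced later in the talk, and checks that the observation sequence of the C program is an observation of the Signal program. The input stream (3, then 5) and the "miscompiled" variant, in which the `else` of the second `if` is lost, are constructed here to show a run that passes and one that the check rejects.

```python
# Added example, not from the slides: run both programs of the DEC example on a
# constructed input stream and compare their observations (Obs(C) vs Obs(A)).
BOT = None  # stands for ⊥, "signal absent at this step"


def signal_dec_step(m_zn, inputs):
    """One step of the Signal process DEC, read as an executable program.
    m_zn is the memory of the delay ZN := N $ init 1; inputs yields the
    values of FB at the steps where FB is present.  Returns (m_zn', (FB, N))."""
    zn = m_zn                                   # ZN := N $ init 1 (delayed N)
    fb = next(inputs) if zn <= 1 else BOT       # FB ^= when (ZN <= 1)
    n = fb if fb is not BOT else zn - 1         # N := FB default (ZN-1)
    return n, (fb, n)                           # N is present, so m.ZN' = N


def c_dec_iterate(zn_c, inputs):
    """One execution of the loop body DEC_iterate, instrumented with the rd./wr.
    flags of the 'Choosing Observation' slide.  Returns (ZNC', (OCFB, OCN))."""
    rd_fb = wr_n = False
    fb_c = BOT
    h1_c = True                                 # l0
    h2_c = zn_c <= 1                            # l1
    if h2_c:                                    # l2
        fb_c = next(inputs)                     # l2.1: read(FBC)
        rd_fb = True
    if h2_c:                                    # l3
        n_c = fb_c                              # l3.1
    else:
        n_c = zn_c - 1                          # l3.2
    wr_n = True                                 # l4: write(NC)
    zn_c = n_c                                  # l5
    return zn_c, (fb_c if rd_fb else BOT, n_c if wr_n else BOT)


def c_dec_iterate_miscompiled(zn_c, inputs):
    """Constructed faulty translation of the same loop: the 'else' at l3 was lost,
    so NC = ZNC - 1 overwrites the value that was read into FBC."""
    rd_fb = False
    fb_c = BOT
    h2_c = zn_c <= 1
    if h2_c:
        fb_c = next(inputs)
        rd_fb = True
    if h2_c:
        n_c = fb_c
    n_c = zn_c - 1                              # should only run in the else branch
    return n_c, (fb_c if rd_fb else BOT, n_c)


def observations(step, state, inputs, steps):
    """Observation sequence O(s1), O(s2), ... of `steps` steps from `state`."""
    it = iter(inputs)
    obs = []
    for _ in range(steps):
        state, o = step(state, it)
        obs.append(o)
    return obs


def validate_run(inputs, steps, concrete=c_dec_iterate):
    """Translation validation on a single run: the observation sequence of the
    C program must also be an observation of the Signal program for the same
    inputs.  Both start from ZN = 1 (ΘA: m.ZN = 1, ΘC: ZNC = 1).  DEC is
    deterministic, so membership in Obs(A) reduces to equality of sequences."""
    obs_a = observations(signal_dec_step, 1, inputs, steps)
    obs_c = observations(concrete, 1, inputs, steps)
    return obs_a == obs_c, obs_a, obs_c


if __name__ == "__main__":
    ok, obs_a, obs_c = validate_run([3, 5], 5)
    print("faithful translation:", ok, obs_c)
    ok, obs_a, obs_c = validate_run([3, 5, 7, 9, 11], 5, c_dec_iterate_miscompiled)
    print("miscompiled:", ok, obs_c)
```

Running it on the stream 3, 5 yields the observation sequence (3, 3), (⊥, 2), (⊥, 1), (5, 5), (⊥, 4) from both programs, which is exactly the N column of the traces above; the miscompiled variant is rejected at its first step, where it observes (3, 0). A single run like this only tests one computation; the proof rule introduced later in the talk replaces the run by a check of the transition relations.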

Common Semantic Framework

Synchronous Transition System

S = (V, O, Θ, ρ)

  • V a set of state variables
  • O ⊆ V a set of observable variables
  • Θ an initial condition characterizing the initial states of the system
  • ρ a transition relation, relating a state to its possible successors
process DEC =
  ( ? integer FB
    ! integer N )
  ( | N := FB default (ZN-1)
    | ZN := N $ 1
    | FB ^= when (ZN <= 1)
    |)
  where
    integer ZN init 1 ;
  end

V = {FB, N, ZN, m.ZN}

Θ = (FB = ⊥ ∧ N = ⊥ ∧ ZN = ⊥ ∧ m.ZN = 1)

ρ =
  N’ = if FB’ ≠ ⊥ then FB’ else ZN’ – 1
  ∧ m.ZN’ = if N’ ≠ ⊥ then N’ else m.ZN
  ∧ ZN’ = if N’ ≠ ⊥ then m.ZN else ⊥
  ∧ (ZN’ ≤ 1 ↔ FB’ ≠ ⊥)

V = {FBC, NC, ZNC, h1C, h2C}

Θ = (ZNC = 1 ∧ pc = l0)

ρC =
  (pc = l0 ∧ h1’C = T ∧ pc’ = l1 ∧ pres_but(pc, h1C))
  ∨ (pc = l1 ∧ h2’C = (ZNC ≤ 1) ∧ pc’ = l2 ∧ pres_but(pc, h2C))
  ∨ (pc = l2 ∧ h2C ∧ pc’ = l2.1 ∧ pres_but(pc))
  ∨ (pc = l2 ∧ ¬h2C ∧ pc’ = l3 ∧ pres_but(pc))
  ∨ (pc = l2.1 ∧ pc’ = l3 ∧ pres_but(pc, FBC))
  ∨ (pc = l3 ∧ h2C ∧ pc’ = l3.1 ∧ pres_but(pc))
  ∨ (pc = l3 ∧ ¬h2C ∧ pc’ = l3.2 ∧ pres_but(pc))
  ∨ (pc = l3.1 ∧ N’C = FBC ∧ pc’ = l4 ∧ pres_but(pc, NC))
  ∨ (pc = l3.2 ∧ N’C = ZNC – 1 ∧ pc’ = l4 ∧ pres_but(pc, NC))
  ∨ (pc = l4 ∧ pc’ = l5 ∧ pres_but(pc))
  ∨ (pc = l5 ∧ ZN’C = NC ∧ pc’ = l0 ∧ pres_but(pc, ZNC))

logical DEC_iterate()
{
  l0:   h1 = TRUE;
  l1:   h2 = ZN <= 1;
  l2:   if (h2)
  l2.1:   read(FB);
  l3:   if (h2)
  l3.1:   N = FB;
        else
  l3.2:   N = ZN - 1;
  l4:   write(N);
  l5:   ZN = N;
        return TRUE;
}

STS computation

Let A = (V, O, Θ, ρ)

  • s[v] – the value that state s assigns to each variable v ∈ V.
  • σ : s0, s1, … – a computation if

s0 |= Θ

(si, si+1) |= ρ for all i ∈ ℕ

  • ||A|| – the set of computations of A.
Defining Refinement

OA ⊆ OC

A = (VA, OA, ΘA, ρA)

C = (VC, OC, ΘC, ρC)

Clocked interface mapping:

I : ΣC → OA

∀x ∈ OA, ∀s ∈ ΣC . I(s)[x] = s[x] or I(s)[x] = ⊥

Definition: C refines A if there exists a clocked interface mapping I from C to A such that I(||C||) ⊆ ||A||O.

Proving Refinement

Clocked refinement mapping from C to A:

f : ΣC → ΣA

∀x ∈ OA, ∀s ∈ ΣC . f(s)[x] = s[x] or f(s)[x] = ⊥

Theorem: C refines A if there exists a clocked refinement mapping f : ΣC → ΣA such that

  • ∀s ∈ ΣC . s |= ΘC → f(s) |= ΘA
  • ∀s, s’ ∈ ΣCr . (s, s’) |= ρC → (f(s), f(s’)) |= ρA

Such an f is called inductive.

Proof Rule

  • α : VA → E(VC),  sA = ā(sC)

For φ, a state formula over VA:

ā(sC) |= φ  iff  sC |= φ[α]

For an assertion inv and a substitution α : VA → E(VC):

R1. ΘC → inv                       inv holds initially

R2. inv ∧ ρC → inv’                inv is propagated

R3. ΘC → ΘA[α]                     Initiation

R4. inv ∧ ρC → ρA[α]               Propagation

R5. inv → (v[α] = v ∨ v[α] = ⊥)    for every v ∈ OA

C refines A

Translation Validation: from Signal to C

A. Pnueli, O. Shtrichman, M. Siegel

Observation Functions and Correct Implementation

A = (VA, ΘA, ρA, OA)    C = (VC, ΘC, ρC, OC)

  • OA, OC – observation functions
  • Given σ : s0, s1, …, the sequence O(s0), O(s1), … is the observation of the STS.
  • Obs(A) is the set of observations of A.

Definition: C refines A if Obs(C) ⊆ Obs(A)

Choosing Observation

process MUX =
  ( ? integer FB
    ! integer N )
  ( | N := FB default (ZN-1)
    | ZN := N $ init 1
    | FB ^= when (ZN <= 1)
    |)
  where
    integer ZN init 1 ;
  end

OCFB : if rd.FBC then FBC else ⊥

OCN : if wr.NC then NC else ⊥

  • OA = (FB, N)
  • OC = (OCFB, OCN)

MUX_iterate instrumented with the rd./wr. flags:

logical MUX_iterate()
{
        rd.FBC=F; wr.NC=F;
  l0:   h1C = TRUE;
  l1:   h2C = ZNC <= 1;
  l2:   if (h2C) {
  l2.1:   read(FBC);
          rd.FBC=T;
        }
  l3:   if (h2C)
  l3.1:   NC = FBC;
        else
  l3.2:   NC = ZNC - 1;
  l4:   write(NC);
        wr.NC=T;
  l5:   ZNC = NC;
        return TRUE;
}

The original MUX_iterate:

logical MUX_iterate()
{
  l0:   h1C = TRUE;
  l1:   h2C = ZNC <= 1;
  l2:   if (h2C)
  l2.1:   read(FBC);
  l3:   if (h2C)
  l3.1:   NC = FBC;
        else
  l3.2:   NC = ZNC - 1;
  l4:   write(NC);
  l5:   ZNC = NC;
        return TRUE;
}

Composite STS

  • V : {FBC, NC, ZNC, h1C, h2C, rd.FBC, wr.NC}
  • Θ : ZNC = 1 ∧ pc = l0
  • ρC :
      • (h1’C = T)
      • ∧ (h2’C = (ZNC ≤ 1))
      • ∧ (h2’C → (N’C = FBC))
      • ∧ (¬h2’C → (FB’C = FBC ∧ N’C = ZNC – 1))
      • ∧ (ZN’C = N’C)
      • ∧ (rd.FB’C = h2’C)
      • ∧ (wr.N’C = T)
  • OCFB : if rd.FBC then FBC else ⊥
  • OCN : if wr.NC then NC else ⊥
  • Compose the transition relations of the individual statements inside the loop’s body.
    • no nested loops

Composite STS

  • V : {FBC, NC, ZNC, h1C, h2C}
  • Θ : ZNC = 1 ∧ pc = l0
  • ρC :
      • (h1’C = T)
      • ∧ (h2’C = (ZNC ≤ 1))
      • ∧ (h2’C → (N’C = FBC))
      • ∧ (¬h2’C → (FB’C = FBC ∧ N’C = ZNC – 1))
      • ∧ (ZN’C = N’C)
  • OCFB : if h2C then FBC else ⊥
  • OCN : NC

Rule Ref.

Establish by induction that, for every σC : s0C, s1C, … there exists σA : s0A, s1A, … such that sjA = α(sjC) and their observations are equal.

For an abstraction mapping VA = α(VC):

R1. ΘC ∧ VA = α(VC) → ΘA                    Initiation

R2. VA = α(VC) ∧ ρC ∧ V’A = α(V’C) → ρA     Propagation

R3. VA = α(VC) → OA = OC                    Compatibility with observations

C refines A

Construction of the Mapping α

For v ∈ VA, αv(VC) – the value of v in sA related to sC.

  • For v ∈ IO, αv(VC) = OCv(VC)
  • For each register flow r: m.r = rC ∧ m.r’ = r’C
  • For each register or local variable v: v’ = eqv ∧ ’v = eqv (determinate programs)

W1. ΘC ∧ ∧r∈R (m.r = rC) ∧ ∧v∈IO∪R∪L (v = ⊥) → ΘA

W2. ∧r∈R (m.r = rC ∧ m.r’ = r’C) ∧ ρC ∧ ∧v∈IO (v’ = (OCv)’) ∧ ∧v∈R∪L (v’ = eqv) → ρA

Example

ΘA:
  FB = ⊥
  ∧ N = ⊥
  ∧ ZN = ⊥
  ∧ m.ZN = 1

α for the initial state:
  FB = ⊥
  ∧ N = ⊥
  ∧ ZN = ⊥
  ∧ m.ZN = ZNC

α for a step (primed copy):
  FB’ = if h2’C then FB’C else ⊥
  ∧ N’ = N’C
  ∧ m.ZN’ = ZN’C
  ∧ ZN’ = if N’ ≠ ⊥ then m.ZN else ⊥

U1. ZNC = 1 ∧ m.ZN = ZNC ∧ FB = ⊥ ∧ N = ⊥ ∧ ZN = ⊥ → ΘA

U2. ρC ∧ α → ρA

Example

α ∧ α’ as needed for U2 (of the unprimed α only m.ZN = ZNC is used by ρA):
  m.ZN = ZNC
  ∧ FB’ = if h2’C then FB’C else ⊥
  ∧ N’ = N’C
  ∧ m.ZN’ = ZN’C
  ∧ ZN’ = if N’ ≠ ⊥ then m.ZN else ⊥

Simplified (N’C is always present and m.ZN = ZNC):
  m.ZN = ZNC
  ∧ FB’ = if h2’C then FB’C else ⊥
  ∧ N’ = N’C
  ∧ m.ZN’ = ZN’C
  ∧ ZN’ = ZNC

U2. ρC ∧ α → ρA