מצגת של PowerPoint
1
Translation Validation:
From Simulink to C
Michael Ryabtsev Ofer Strichman
Technion, Haifa, Israel
Acknowledgement: sponsored by a grant from General Motors
Simulink
2
Simulink is MathWorks’ package for model-based design .
A de-facto industry standard for the design of control software
Automotive industry
Avionics
Medical devices
...
Automatic embedded code generation with Real-Time Workshop
Multiple embedded targets
Multiple optimization options
3
Simulink block diagram
Inputs
Outputs
States
4
Automatic code generation
void example_model_initialize( void )
{
UnitDelay_DSTATE = UnitDelay_X0;
}
?
void example_model_step( void )
{ double rtb_UnitDelay; if (Control >= Switch_Threshold) { rtb_UnitDelay = Constant_Value;
} else { rtb_UnitDelay = In2;
}
UnitDelay_DSTATE += rtb_UnitDelay; rtb_UnitDelay = UnitDelay_DSTATE;
Out1 = rtb_UnitDelay;
}
Translation Validation: p rove that the model is implemented correctly.
5
Translation Validation
Technique for formally establishing the semantic equivalence of a source and a target of a code generator.
Mapping
Source program
•Input
•Output
•State
Target program
Translation validation engine
?
Previous work on translation validation
6
From synchronous languages:
DC+ C
Pnueli, Siegel and Singerman (1998) / Translation Validation
Pnueli, Strichman and Siegel (1998)/ Translation Validation: From DC+ to C
Scade-Lustre C
C to binary:
An optimizing C compiler
Zuck, Pnueli, Fang and B. Goldberg / VOC: A Methodology for the
Translation Validation of Optimizing Compilers
...
gcc optimizations
Necula / Translation Validation for an Optimizing Compiler
7
Translation validation
Verifying code generator
Translation Validation
Applied once
Applied separately to each translation
In general undecidable
Sensitive to changes in the compiler
freezes the development
For synchronous languages (in practice) decidable
Sensitive to changes in the target code format
Symulink Code Generation Example
8
Synchronous system computations can be represented symbolically with an initial state predicate and a transition function.
/*UnitDelay_X0 = 0*/
/*Switch_Threshold = 0*/
/*Constant = 0*/ void example_model_initialize( void )
{
UnitDelay_state = UnitDelay_X0;
} void example_model_step( void )
{ double local_UnitDelay; if (Control >= Switch_Threshold) { local_UnitDelay = Constant;
} else { local_UnitDelay = In2;
}
UnitDelay_state += local_UnitDelay; local_UnitDelay = UnitDelay_state;
Out1 = local_UnitDelay;
}
9
Verification Condition
Need to prove:
Equal input stream Equal output stream.
The proof is based on induction.
Definitions
10
For transition system M
init(M) initial-state predicate over M ’s state variables
TR(M) transition relation over M ’s inputs, outputs, current and next state variables.
var(M) the variables defining M
state(M) set of state variables inp(M) set of input variables
out(M) set of output variables disjoint
For transition systems S and T map: var(S) var(T) maps their inputs, outputs and state variables.
11
1.
The Verification Condition
The initial states of the target are legitimate initial states in the source.
2.
Equality between source and target outputs is propagated through program computation equal inputs equal state equal next state equal outputs
Source transition relation
12
Yices format
)
( and
( = m_Constant' 0 )
( = m_Sum' ( + m_Switch
‘ m_Unit_Delay' ) )
( = m_Switch
‘
( if ( >= m_Control
‘
0 ) m_Constant
‘ m_In2
‘
) )
( = m_Unit_Delay_state' m_Sum
‘
)
( = m_Unit_Delay' m_Unit_Delay_state )
( = m_Out1' m_Sum
‘
)
Invariants
13
Variables in synchronous systems are volatile
In C global variables preserve their values between steps
} if (cond) mode = 1; else { mode = 0;
Simulink side
?
if (cond && mode == 0) mode = 1; if (!cond && mode == 1) mode = 0;
C side
The unreachable executions are eliminated by the invariant
Uninterpreted functions
14
In some cases we abstract arithmetical functions with uninterpreted functions.
Example:
Uninterpreted functions
15
Uninterpreted functions can be too abstract
We occasionally use partially interpreted functions
Example: consider a transformation such as a ¢ b à b ¢ a
Enforce commutativity:
16
Implementation
Source side: The Matlab script language
Target side: CTool, CPP, C++
Verification: Yices
Experiments
17
“rtwdemo_fuelsys” – a fuel injection controller that is distributed with Matlab.
~100 blocks
The generated step function has ~250 loc
The generated verification condition: 790 lines in Yices format
Solving time: .... 1 sec.
When injecting errors solving time is: .... ~ 10 sec.
18
