
Slide 1: Translation Validation: From Simulink to C
Michael Ryabtsev, Ofer Strichman
Technion, Haifa, Israel
Acknowledgement: sponsored by a grant from General Motors

Slide 2: Simulink
- Simulink is MathWorks' package for model-based design.
- A de-facto industry standard for the design of control software: automotive industry, avionics, medical devices, ...
- Automatic embedded code generation with Real-Time Workshop: multiple embedded targets, multiple optimization options.

Slide 3: Simulink block diagram
(figure: a block diagram with its inputs, outputs and states)

Slide 4: Automatic code generation

The code Real-Time Workshop generates for the example model. The globals are the model's inputs, outputs, state and block parameters; their declarations are not on the slide and are added here so the fragment compiles on its own:

    double Control, In2;                                    /* inputs */
    double Out1;                                            /* output */
    double UnitDelay_DSTATE;                                /* state of the Unit Delay block */
    double UnitDelay_X0, Switch_Threshold, Constant_Value;  /* block parameters */

    void example_model_initialize(void)
    {
        UnitDelay_DSTATE = UnitDelay_X0;
    }

    void example_model_step(void)
    {
        double rtb_UnitDelay;
        if (Control >= Switch_Threshold) {
            rtb_UnitDelay = Constant_Value;
        } else {
            rtb_UnitDelay = In2;
        }
        UnitDelay_DSTATE += rtb_UnitDelay;      /* Sum feeds the Unit Delay state */
        rtb_UnitDelay = UnitDelay_DSTATE;
        Out1 = rtb_UnitDelay;
    }

Translation Validation: prove that the model is implemented correctly.

Slide 5: Translation Validation
(figure: source program and target program, with a mapping of inputs, outputs and state, fed to a translation validation engine)
- Technique for formally establishing the semantic equivalence of a source and a target of a code generator.

Slide 6: Previous work on translation validation
- From synchronous languages:
  - DC+ -> C: Pnueli, Siegel and Singerman (1998), "Translation Validation"; Pnueli, Strichman and Siegel (1998), "Translation Validation: From DC+ to C"
  - Scade/Lustre -> C
- C to binary:
  - An optimizing C compiler: Zuck, Pnueli, Fang and B. Goldberg, "VOC: A Methodology for the Translation Validation of Optimizing Compilers"
  - gcc optimizations: Necula, "Translation Validation for an Optimizing Compiler"

Slide 7: Translation validation vs. verifying the code generator

    Translation validation                            | Verifying the code generator
    --------------------------------------------------|-----------------------------------------
    Applied separately to each translation            | Applied once
    For synchronous languages decidable (in practice) | In general undecidable
    Sensitive to changes in the target code format    | Sensitive to changes in the compiler;
                                                      | freezes the development

Slide 8: Simulink code generation example
- Synchronous system computations can be represented symbolically with an initial-state predicate and a transition function.

    void example_model_initialize(void)
    {
        UnitDelay_state = UnitDelay_X0;
    }

    void example_model_step(void)
    {
        double local_UnitDelay;
        if (Control >= Switch_Threshold) {
            local_UnitDelay = Constant;
        } else {
            local_UnitDelay = In2;
        }
        UnitDelay_state += local_UnitDelay;
        local_UnitDelay = UnitDelay_state;
        Out1 = local_UnitDelay;
    }

    /* UnitDelay_X0 = 0 */
    /* Switch_Threshold = 0 */
    /* Constant = 0 */

Slide 9: Verification condition
- Need to prove: equal input stream => equal output stream.
- The proof is based on induction.

Slide 10: Definitions
- For a transition system M:
  - init(M): initial-state predicate over M's state variables
  - TR(M): transition relation over M's inputs, outputs, current and next-state variables
  - var(M): the variables defining M, made up of the disjoint sets state(M) (state variables), inp(M) (input variables) and out(M) (output variables)
- For transition systems S and T, map: var(S) -> var(T) maps their inputs, outputs and state variables.

Slide 11: The verification condition
1. The initial states of the target are legitimate initial states in the source.
2. Equality between source and target outputs is propagated through the program computation:
   equal inputs and equal state => equal next state and equal outputs.

Slide 12: Source transition relation (Yices format)

    (and (= m_Constant' 0)
         (= m_Sum' (+ m_Switch' m_Unit_Delay'))
         (= m_Switch' (if (>= m_Control' 0) m_Constant' m_In2'))
         (= m_Unit_Delay_state' m_Sum')
         (= m_Unit_Delay' m_Unit_Delay_state)
         (= m_Out1' m_Sum'))

Slide 13: Invariants
- Variables in synchronous systems are volatile.
- In C, global variables preserve their values between steps.

    Simulink side:
        if (cond) mode = 1; else { mode = 0; }

    C side:
        if (cond && mode == 0) mode = 1;
        if (!cond && mode == 1) mode = 0;

- The unreachable executions are eliminated by the invariant (mode == 0 || mode == 1).
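The verification condition of slides 9 through 13, worked through on the example model of slides 4 and 8, as an added example that is not the TVS tool's code: instead of handing the two transition relations to Yices it enumerates a small integer domain, so a pass is evidence that the base case and induction step are set up correctly rather than a proof (the SMT encoding is what gives the proof). It also runs the `mode` example of slide 13 with and without the invariant, and a constructed faulty translation (`broken_target_step`, a strict comparison in place of `>=`) in the spirit of the error-injection experiment of slide 17. All function names, the `DOMAIN` range and the faulty variant are this example's own.

```python
"""Finite-domain check of the translation-validation condition.

Added example, not code from the TVS tool.  Base case: the target's initial
state is a legitimate source initial state.  Induction step: from equal
(mapped) state and equal inputs, one step yields equal next state and equal
outputs.  Both are checked over DOMAIN by enumeration, not by Yices.
"""
from itertools import product

DOMAIN = range(-2, 3)   # constructed finite domain for state and input values

# Source side: Simulink step semantics of the example model (slide 12).
# State: the Unit Delay register.  Inputs: Control, In2.  Output: Out1.
def source_init():
    return 0                                    # UnitDelay_X0 = 0

def source_step(unit_delay_state, inputs):
    control, in2 = inputs
    constant = 0                                # Constant = 0
    switch = constant if control >= 0 else in2  # Switch_Threshold = 0
    unit_delay = unit_delay_state               # register holds the previous Sum
    total = switch + unit_delay                 # Sum block
    return total, total                         # (next state, Out1)

# Target side: the generated C step function of slide 8, transcribed.
def target_init():
    return 0                                    # UnitDelay_state = UnitDelay_X0

def target_step(unit_delay_state, inputs):
    control, in2 = inputs
    local = 0 if control >= 0 else in2
    unit_delay_state += local
    return unit_delay_state, unit_delay_state   # (next state, Out1)

# Constructed faulty translation: the comparison became strict, so
# Control == 0 takes the else branch.  Used for the injected-error run.
def broken_target_step(unit_delay_state, inputs):
    control, in2 = inputs
    local = 0 if control > 0 else in2
    unit_delay_state += local
    return unit_delay_state, unit_delay_state

def check_translation(src_init, src_step, tgt_init, tgt_step, n_inputs,
                      invariant=lambda state: True, domain=DOMAIN):
    """Return None if the target matches the source on `domain`, otherwise
    a counterexample.  The state mapping is the identity (one state variable
    on each side)."""
    if src_init() != tgt_init():                # base case
        return {"case": "init", "source": src_init(), "target": tgt_init()}
    for state in domain:                        # induction step
        if not invariant(state):
            continue                            # excluded as unreachable by the invariant
        for inputs in product(domain, repeat=n_inputs):
            src_next, src_out = src_step(state, inputs)
            tgt_next, tgt_out = tgt_step(state, inputs)
            if (src_next, src_out) != (tgt_next, tgt_out):
                return {"case": "step", "state": state, "inputs": inputs,
                        "source": (src_next, src_out), "target": (tgt_next, tgt_out)}
    return None

# The mode example of slide 13: C keeps `mode` across steps, Simulink does not.
# The observable output is taken to be `mode` itself.
def source_mode_step(mode, inputs):
    cond, = inputs
    mode = 1 if cond else 0
    return mode, mode

def target_mode_step(mode, inputs):
    cond, = inputs
    if cond and mode == 0:
        mode = 1
    if not cond and mode == 1:
        mode = 0
    return mode, mode

def mode_invariant(mode):
    return mode in (0, 1)       # rules out the states the C code can never reach

if __name__ == "__main__":
    print("correct translation:", check_translation(source_init, source_step,
                                                     target_init, target_step, 2))
    print("injected error     :", check_translation(source_init, source_step,
                                                     target_init, broken_target_step, 2))
    print("mode, no invariant :", check_translation(lambda: 0, source_mode_step,
                                                     lambda: 0, target_mode_step, 1))
    print("mode, invariant    :", check_translation(lambda: 0, source_mode_step,
                                                     lambda: 0, target_mode_step, 1,
                                                     invariant=mode_invariant))
```

Without the invariant the `mode` check fails on a state such as `mode == -2`, which the C code can never reach: that is exactly the spurious induction-step failure slide 13 describes, and the invariant removes it. The injected error is found at `Control == 0`, the only input where `>` and `>=` disagree.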

Slide 14: Uninterpreted functions
- In some cases we abstract arithmetical functions with uninterpreted functions.
- Example: (formula shown on the slide, not captured in the transcript)

Slide 15: Uninterpreted functions
- Uninterpreted functions can be too abstract.
- We occasionally use partially interpreted functions.
- Example: consider a transformation such as a * b -> b * a.
- Enforce commutativity: (formula shown on the slide, not captured in the transcript)

Slide 16: Implementation
- Source side: the Matlab script language
- Target side: CTool, CPP, C++
- Verification: Yices

Slide 17: Experiments
- "rtwdemo_fuelsys": a fuel injection controller that is distributed with Matlab.
  - ~100 blocks
  - The generated step function has ~250 LOC
  - The generated verification condition: 790 lines in Yices format
  - Solving time: (not captured) sec.
  - When injecting errors, solving time is ~10 sec.

Slide 18: Well, thank you

Slide 19: Simulink step semantics
(figure)

Slide 20: Target transition relation (Yices format / static single assignment)

    void example_model_step(void)
    {
        double local_UnitDelay;
        if (Control >= Switch_Threshold) {
            local_UnitDelay = Constant_Value;
        } else {
            local_UnitDelay = In2;
        }
        UnitDelay_state += local_UnitDelay;
        local_UnitDelay = UnitDelay_state;
        Out1 = local_UnitDelay;
    }

    (and (= Switch_Threshold__0 0)
         (= UnitDelay_X0__0 0)
         (= Constant_Value__0 0)
         (= local_UnitDelay__1 (if (/= 0 (if (>= Control__0 Switch_Threshold__0) 1 0))
                                   Constant_Value__0
                                   local_UnitDelay__0))
         (= local_UnitDelay__2 (if (not (/= 0 (if (>= Control__0 Switch_Threshold__0) 1 0)))
                                   In2__0
                                   local_UnitDelay__1))
         (= UnitDelay_state__1 (+ UnitDelay_state__0 local_UnitDelay__2))
         (= local_UnitDelay__3 UnitDelay_state__1)
         (= Out1__1 local_UnitDelay__3))

Slide 21: Induction step example

    void example_model_step(void)
    {
        double local_UnitDelay;
        if (Control >= Switch_Threshold) {
            local_UnitDelay = Constant_Value;
        } else {
            local_UnitDelay = In2;
        }
        UnitDelay_state += local_UnitDelay;
        local_UnitDelay = UnitDelay_state;
        Out1 = local_UnitDelay;
    }

    equal inputs:      (= m_Control' Control__0)
                       (= m_In2' In2__0)
    equal state:       (= m_Unit_Delay_state UnitDelay_state__0)
    equal next state:  (= m_Unit_Delay_state' UnitDelay_state__1)
    equal outputs:     (= m_Out1' Out1__1)

Slide 22: Tool: Translation Validation for Simulink (TVS)
- Applies translation validation to the Real-Time Workshop code generator.
- Fully automated
- Supports a large subset of the Simulink library
- Easily extendable

Slide 23: TVS structure
(figure: data flow through TVS)
- Simulink model (model.mdl) -> Real-Time Workshop code generator -> C program
- Simulink model -> Model transition relation generator (Matlab script) -> Model transition relation + Variable mapping
- C program -> C transition relation generator -> C transition relation + C variables list (SSA numeration)
- Model transition relation, Variable mapping, C transition relation -> Verification condition generator -> Decision procedure (Yices) -> Equivalent / Not equivalent

Slide 24: Source transition relation
- Iterate over all model blocks.
- For each block create a transition relation.
- Blocks located in an enabled subsystem get special treatment: states when enabling, outputs when enabling, mapping.

Slide 25: Target transition relation and SSA
- Static Single Assignment

    Example 1:
        if (v) a = b; else a = c;
        d = a;

    becomes
        if (v0) a0 = b0; else a1 = c0;
        a2 = v0 ? a0 : a1;
        d1 = a2;

    as a transition relation:
        a0 = b0
        a1 = c0
        (v0 == 0) -> a2 = a0
        (v0 != 0) -> a2 = a1
        d0 = a2

    Example 2:
        a = b;
        b = b + 1;
        c = b;

    as a transition relation:
        a0 = b0
        b1 = b0 + 1
        c0 = b1
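The renaming that slide 25 illustrates, as an added example that is not the paper's CTool pass. It works on statements given as small tuples rather than parsed C, and it follows the numbering of slide 20 rather than slide 25: index 0 is a variable's value at step entry, the first assignment gets index 1, and after an if/else every variable on which the two branches disagree gets a fresh merge definition selected by the branch condition (slide 20 instead guards each branch's assignment and leaves the merge implicit). The statement shapes, the `SSARenamer` class and the `STEP_FUNCTION` transcription of the slide 8 step function are this example's own.

```python
"""Static single assignment renaming for straight-line code with if/else.

Added example, not the TVS tool's code.  Statements are tuples:
    ("assign", var, [tokens])                  e.g. ("assign", "b", ["b", "+", "1"])
    ("if", [cond tokens], then_block, else_block)
Identifiers in token lists are renamed; operators and literals pass through.
"""
from copy import copy


class SSARenamer:
    def __init__(self, sep=""):
        self.sep = sep            # "" gives a1/b0, "__" gives a__1/b__0 (slide 20 style)
        self.current = {}         # variable -> index visible at this program point
        self.next_index = {}      # variable -> next unused definition index
        self.equations = []       # output: "lhs = rhs" strings in program order

    def name(self, var, idx):
        return f"{var}{self.sep}{idx}"

    def read(self, var):
        if var not in self.current:          # first use: value at step entry
            self.current[var] = 0
        return self.name(var, self.current[var])

    def define(self, var):
        idx = self.next_index.get(var, 1)    # index 0 is reserved for the entry value
        self.next_index[var] = idx + 1
        self.current[var] = idx
        return self.name(var, idx)

    def rename_expr(self, tokens):
        return " ".join(self.read(t) if t.isidentifier() else t for t in tokens)

    def run(self, stmts):
        for stmt in stmts:
            if stmt[0] == "assign":
                _, var, expr = stmt
                rhs = self.rename_expr(expr)     # read old versions before defining
                self.equations.append(f"{self.define(var)} = {rhs}")
            elif stmt[0] == "if":
                _, cond, then_block, else_block = stmt
                guard = self.rename_expr(cond)
                entry = copy(self.current)
                self.run(then_block)
                then_env = self.current
                self.current = copy(entry)       # the else branch starts from the same point
                self.run(else_block)
                else_env = self.current
                self.current = {**then_env, **else_env}
                for var in sorted(set(then_env) | set(else_env)):
                    # a variable missing from one branch kept its entry value (index 0)
                    t, e = then_env.get(var, 0), else_env.get(var, 0)
                    if t != e:                   # branches disagree: merge definition
                        merged = self.define(var)
                        self.equations.append(
                            f"{merged} = {guard} ? {self.name(var, t)} : {self.name(var, e)}")
            else:
                raise ValueError(f"unknown statement kind {stmt[0]!r}")
        return self.equations


def ssa_of(stmts, sep=""):
    """Rename `stmts` and return the SSA equations in program order."""
    return SSARenamer(sep).run(stmts)


# The step function of slide 8, transcribed into the tuple form (constructed).
STEP_FUNCTION = [
    ("if", ["Control", ">=", "Switch_Threshold"],
        [("assign", "local_UnitDelay", ["Constant_Value"])],
        [("assign", "local_UnitDelay", ["In2"])]),
    ("assign", "UnitDelay_state", ["UnitDelay_state", "+", "local_UnitDelay"]),
    ("assign", "local_UnitDelay", ["UnitDelay_state"]),
    ("assign", "Out1", ["local_UnitDelay"]),
]

if __name__ == "__main__":
    for eq in ssa_of([("assign", "a", ["b"]),
                      ("assign", "b", ["b", "+", "1"]),
                      ("assign", "c", ["b"])]):
        print(eq)
    for eq in ssa_of(STEP_FUNCTION, sep="__"):
        print(eq)
```

Reserving index 0 for the entry value is what makes a branch that assigns `a` mergeable with one that does not: the merge reads `a0` for the untouched side instead of silently reusing the other branch's definition.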

