Download presentation

Presentation is loading. Please wait.

Published byDenise Talcott Modified about 1 year ago

1
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General Motors

2
2 Simulink Simulink is MathWorks’ package for model-based design. A de-facto industry standard for the design of control software Automotive industry Avionics Medical devices ... Automatic embedded code generation with Real-Time Workshop Multiple embedded targets Multiple optimization options

3
3 Simulink block diagram Inputs Outputs States

4
4 Automatic code generation void example_model_initialize(void) { UnitDelay_DSTATE = UnitDelay_X0; } void example_model_step(void) { double rtb_UnitDelay; if (Control >= Switch_Threshold) { rtb_UnitDelay = Constant_Value; } else { rtb_UnitDelay = In2; } UnitDelay_DSTATE += rtb_UnitDelay; rtb_UnitDelay = UnitDelay_DSTATE; Out1 = rtb_UnitDelay; } ? Translation Validation: p rove that the model is implemented correctly.

5
5 Translation Validation Source program Target program Mapping Input Output State Translation validation engine ? Technique for formally establishing the semantic equivalence of a source and a target of a code generator.

6
6 Previous work on translation validation From synchronous languages: DC+ C Pnueli, Siegel and Singerman (1998) / Translation Validation Pnueli, Strichman and Siegel (1998)/ Translation Validation: From DC+ to C Scade-Lustre C C to binary: An optimizing C compiler Zuck, Pnueli, Fang and B. Goldberg / VOC: A Methodology for the Translation Validation of Optimizing Compilers... gcc optimizations Necula / Translation Validation for an Optimizing Compiler

7
7 Translation validation Translation Validation Verifying code generator Applied separately to each translation Applied once For synchronous languages (in practice) decidable In general undecidable Sensitive to changes in the target code format Sensitive to changes in the compiler freezes the development

8
8 Symulink Code Generation Example Synchronous system computations can be represented symbolically with an initial state predicate and a transition function. void example_model_initialize(void) { UnitDelay_state = UnitDelay_X0; } void example_model_step(void) { double local_UnitDelay; if (Control >= Switch_Threshold) { local_UnitDelay = Constant; } else { local_UnitDelay = In2; } UnitDelay_state += local_UnitDelay; local_UnitDelay = UnitDelay_state; Out1 = local_UnitDelay; } /*UnitDelay_X0 = 0*/ /*Switch_Threshold = 0*/ /*Constant = 0*/

9
9 Verification Condition Need to prove: Equal input stream Equal output stream. The proof is based on induction.

10
10 Definitions For transition system M init(M) initial-state predicate over M’s state variables TR(M) transition relation over M’s inputs, outputs, current and next state variables. var(M) the variables defining M state(M) set of state variables inp(M) set of input variables out(M) set of output variables For transition systems S and T map: var(S) var(T) maps their inputs, outputs and state variables. disjoint

11
11 The Verification Condition 1. The initial states of the target are legitimate initial states in the source. 2. Equality between source and target outputs is propagated through program computation equal inputs equal state equal next stateequal outputs

12
12 Source transition relation (and (= m_Constant' 0 ) (= m_Sum' (+ m_Switch ‘ m_Unit_Delay') ) (= m_Switch ‘ (if (>= m_Control ‘ 0 ) m_Constant ‘ m_In2 ‘ ) ) (= m_Unit_Delay_state' m_Sum ‘ ) (= m_Unit_Delay' m_Unit_Delay_state ) (= m_Out1' m_Sum ‘ ) ) Yices format

13
13 Invariants Variables in synchronous systems are volatile In C global variables preserve their values between steps if (cond) mode = 1; else { mode = 0; } if (cond && mode == 0) mode = 1; if (!cond && mode == 1) mode = 0; ? The unreachable executions are eliminated by the invariant mode == 0 mode = 1 Simulink side C side

14
14 Uninterpreted functions In some cases we abstract arithmetical functions with uninterpreted functions. Example:

15
15 Uninterpreted functions Uninterpreted functions can be too abstract We occasionally use partially interpreted functions Example: consider a transformation such as a ¢ b Ã b ¢ a Enforce commutativity:

16
16 Implementation Source side: The Matlab script language Target side: CTool, CPP, C++ Verification: Yices

17
17 Experiments “rtwdemo_fuelsys” – a fuel injection controller that is distributed with Matlab. ~100 blocks The generated step function has ~250 loc The generated verification condition: 790 lines in Yices format Solving time: sec. When injecting errors solving time is:.... ~ 10 sec.

18
18 Well, thank you

19
Simulink Step Semantics

20
20 (= Constant_Value__0 0) (= local_UnitDelay__1 (if (/= 0 (if (>= Control__0 Switch_Threshold__0) 1 0 ) ) Constant_Value__0 local_UnitDelay__0 ) (= local_UnitDelay__2 (if (not (/= 0 (if (>= Control__0 Switch_Threshold__0) 1 0 ) ) ) In2__0 local_UnitDelay__1 ) (= UnitDelay_state__1 (+ UnitDelay_state__0 local_UnitDelay__2)) (= local_UnitDelay__3 UnitDelay_state__1) (= Out1__1 local_UnitDelay__3) ) Target transition relation void example_model_step(void) { double local_UnitDelay; if (Control >= Switch_Threshold) { local_UnitDelay = Constant_Value; } else { local_UnitDelay = In2; } UnitDelay_state += local_UnitDelay; local_UnitDelay = UnitDelay_state; Out1 = local_UnitDelay; } ( and (= Switch_Threshold__0 0) (= UnitDelay_X0__0 0) Yices format / Static Single Assignment

21
21 (= m_Control' Control__0 ) (= m_In2 ‘ In2__0 ) (= m_Unit_Delay_state UnitDelay_state__0) void example_model_step(void) { double local_UnitDelay; if (Control >= Switch_Threshold) { local_UnitDelay = Constant_Value; } else { local_UnitDelay = In2; } UnitDelay_state += local_UnitDelay; local_UnitDelay = UnitDelay_state; Out1 = local_UnitDelay; } Induction Step Example (= m_Unit_Delay_state ‘ UnitDelay_state__1 ) (= m_Out1 ‘ Out1__1 ) equal inputs equal state equal next stateequal outputs

22
22 Tool: Translation Validation for Simulink (TVS) Applies translation validation to the RealTime Workshop code generator. Fully automated Supports a large subset of the Simulink library Easily extendable

23
23 TVS structure Simulink model (model.mdl) Model Transition Relation generator (Matlab script) Model Transition Relation Variable Mapping Verification Condition Generator C program C Transition relation Generator C variables list (SSA numeration) C Transition Relation Decision Procedure (Yices) Equivalent Not Equivalent Real-time Workshop code generator TVS

24
24 Source transition relation Iterate over all model blocks For each block create transition relation Block located in enabled subsystem get a special treatment States when enabling Outputs when enabling Mapping

25
25 Target transition relation and SSA Static Single Assignment if (v) a = b; else a = c; d = a; if ( v0) a0 = b0; else a1 = c0; a2 = v0 ? a0 : a1; d1 = a2; a0 = b0 a1 = c0 (v0 == 0) a2 = a0 (v0 != 0) a2 = a1 d0 = a2 a = b; b = b +1; c = b; a0 = b0 b1 = b0 + 1 c0 = b1 a = b b = b + 1 c = b

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google