Introduction Preliminaries A Hoare Calculus for Quartz Conclusion A Hoare Calculus for the Verification of Synchronous Languages Manuel Gesell, Klaus Schneider http://es.cs.uni-kl.de Embedded Systems Group University of Kaiserslautern International Open Workshop on Synchronous Programming 2011 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 1
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Table of Contents Introduction 1 Preliminaries 2 Quartz Hoare Calculus A Hoare Calculus for Quartz 3 Conclusion 4 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 2
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Outline Introduction 1 Preliminaries 2 Quartz Hoare Calculus A Hoare Calculus for Quartz 3 Conclusion 4 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 3
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion What is this Talk about? synchronous languages Quartz Hoare calculus synchronous tuple assignment form a Hoare calculus for Quartz Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 4
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Synchronous Model of Computation abstract time to sequence of reactions (instants) each variable has one value per instant inputs and outputs are read and produced for an instant coincides with clock-cycles of synchronous circuits gate delays mimic computation one value per wire for each clock cycle instants are a logical time-scale Synchronous Trace R 0 R 1 R 2 R 3 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 5
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Synchronous Languages implement the synchronous model can be used for hardware and software data-flow oriented languages Lustre Signal control-flow oriented languages (imperative) Quartz developed in our working group Averest toolset Esterel Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 6
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Averest Averest Design Flow Transformation AIF Quartz Compilation HOL Module Verification SMV AIF . . . Linking Simulation Trace System C AIF Quartz Compilation SW Synthese Java Module SystemC HW Synthese VHDL Verilog http://www.averest.org Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 7
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Outline Introduction 1 Preliminaries 2 Quartz Hoare Calculus A Hoare Calculus for Quartz 3 Conclusion 4 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 8
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Outline Introduction 1 Preliminaries 2 Quartz Hoare Calculus A Hoare Calculus for Quartz 3 Conclusion 4 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 9
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Quartz Example module P1 ( nat ?i1,?i2,o1,o2) pause marks end of a step { nat x; i1 , i2 are inputs, o1 , o2 are loop { outputs, x is a local variable o1 = i1 + i2; x = i1; pause ; 1 2 3 4 5 o1 = o2 + i1 + x; o2 = i2; 1 2 3 4 5 i1 x = 2; 2 4 6 8 0 pause ; i2 if (i1 > 4) 1 2 2 4 2 x o1 = i1; o2 = i1 + o1; 3 8 8 12 7 o1 pause ; 0 4 11 11 0 } o2 } Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 10
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Quartz Statements assignments: x= α , next (x)= α end of step: pause conditional execution: if ( γ )... else ... loops: while ( γ ){ ... } , loop { ... } abortion: abort ... when ( γ ) various variants aborts execution when condition γ holds suspension: suspend ... when ( γ ) various variants suspens execution when condition γ holds concurrent execution: { ... } || { ... } . . . Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 11
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Causal Dependencies module P2( bool o) value for o holds for the whole step { both actions are executed according to their bool x; o = x; data dependencies x = true ; P2 is causally correct in sense of Quartz } module P3( bool o) if o= true is reached depends on o { o = true would lead to a valid execution of if (!o) pause ; the program o = true ; P3 is not causally correct in sense of Quartz } Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 12
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Outline Introduction 1 Preliminaries 2 Quartz Hoare Calculus A Hoare Calculus for Quartz 3 Conclusion 4 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 13
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Why Hoare... model checking fully automatic suffers from state-space explosion problem enumerates all possible values interactive verification based on Hoare calculus interactive (semi-automatic) requires additional invariants allows abstraction from the size of data structures as well as the data-types itself An integration of model checking and interactive verification is desired. Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 14
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Hoare Calculus nothing : { Φ } nothing { Φ } assign : { [Φ] τ x } x = τ { Φ } { Φ 1 } S 1 { Φ 2 } { Φ 2 } S 2 { Φ 3 } sequence : { Φ 1 } S 1 ; S 2 { Φ 3 } { σ ∧ Φ } S 1 { Ψ } {¬ σ ∧ Φ } S 2 { Ψ } conditional : { Φ } if( σ ) S 1 else S 2 { Ψ } { σ ∧ Φ } S { Φ } loop : { Φ } while( σ ) S {¬ σ ∧ Φ } | = Φ 1 → Φ 2 { Φ 2 } S { Φ 3 } | = Φ 3 → Φ 4 weaken : { Φ 1 } S { Φ 4 } Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 15
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Hoare Calculus nothing : { Φ } nothing { Φ } assign : { [Φ] τ x } x = τ { Φ } { Φ 1 } S 1 { Φ 2 } { Φ 2 } S 2 { Φ 3 } sequence : { Φ 1 } S 1 ; S 2 { Φ 3 } { σ ∧ Φ } S 1 { Ψ } {¬ σ ∧ Φ } S 2 { Ψ } conditional : { Φ } if( σ ) S 1 else S 2 { Ψ } { σ ∧ Φ } S { Φ } loop : { Φ } while( σ ) S {¬ σ ∧ Φ } | = Φ 1 → Φ 2 { Φ 2 } S { Φ 3 } | = Φ 3 → Φ 4 weaken : { Φ 1 } S { Φ 4 } Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 15
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion A Hoare calculus for Quartz defining a Hoare calculus only requires the definition of a Hoare rule for each statement it is possible to synthesis a Quartz program to sequential code and then apply the classical Hoare calculus Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 16
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Outline Introduction 1 Preliminaries 2 Quartz Hoare Calculus A Hoare Calculus for Quartz 3 Conclusion 4 Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 17
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Problems Defining a Hoare Calculus for Quartz problems defining a Hoare calculus for Quartz on statement level inputs are read in each macro step ⇒ reaching a pause : update inputs and depended conditions each statement rule requires to regard many cases macro step must be identified all variable updates have to be done synchronously in case no assignment is done the default value must be used Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 18
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Problems Defining a Hoare Calculus - Many Cases { Φ } S 1 ; S 2 { Ψ } ⇒ case: inst ( S 1 ) ∧ inst ( S 2 ) case: ¬ inst ( S 1 ) ∧ inst ( S 2 ) case: inst ( S 1 ) ∧ ¬ inst ( S 2 ) case: ¬ inst ( S 1 ) ∧ ¬ inst ( S 2 ) even worse: { Φ } S 1 || S 2 { Ψ } Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 18
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Problems Defining a Hoare Calculus for Quartz problems defining a Hoare calculus for Quartz on statement level inputs are read in each macro step ⇒ reaching a pause : update inputs and depended conditions each statement rule requires to regard many cases macro step must be identified all variable updates have to be done synchronously in case no assignment is done the default value must be used Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 18
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Macro Step Behaviour Each variable in a macro step has a unique value. Either determined by an delayed assignment in the previous step, an immediate assignment in the current step or a type dependent default value Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 19
Introduction Preliminaries A Hoare Calculus for Quartz Conclusion Macro Step Behaviour P4 P5 P6 if (a) { if (a) { if (a) { x = 5; x = 5; x=5; y = true ; y = true ; y = true ; } else { } else { } else { y = false ; y = false ; y = false ; } } } if (!y) x = 3; if (!y & b) x = 3; pause ; pause ; pause ; Manuel Gesell A Hoare Calculus for the Verification of Sync. . . 20
Recommend
More recommend