verified compilation of the modular reset finally
play

VERIFIED COMPILATION OF THE MODULAR RESET, FINALLY Timothy Bourke - PowerPoint PPT Presentation

VERIFIED COMPILATION OF THE MODULAR RESET, FINALLY Timothy Bourke 1,2 Llio Brun 1,2 Marc Pouzet 3,2,1 PARKAS SYNCHRON19 November 28, 2019 1 Inria Paris 2 DI ENS PSL University 3 Sorbonne University THE PROBLEM Adding the modular


  1. var y rs r rs exp e es r reset f es xs var x xs Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys var x xs Modular reset eqn x (restart f every y )( e ) r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs ⊢ ⊢ eqn x = f ( e ) ⊢ 7/22

  2. var y rs r rs exp e es r reset f es xs var x xs Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys Modular reset eqn x (restart f every y )( e ) r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ 7/22

  3. Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys var y rs r rs exp e es r reset f es xs var x xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset eqn x = (restart f every y )( e ) ⊢ 7/22

  4. Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys var y rs r rs r reset f es xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset exp e ⇓ es var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22

  5. Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys r rs r reset f es xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs ⊢ exp e ⇓ es var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22

  6. Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys r reset f es xs r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22

  7. Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys r reset f xs ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es r ⊢ reset f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ 7/22

  8. Use of an universally quantifjed relation as a constraint: k k k node f r xs r ys FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es r ⊢ reset f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ r ⊢ reset f ( xs ) ⇓ ys 7/22

  9. FORMAL SEMANTICS Node application exp e ⇓ es node f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ ⊢ eqn x = f ( e ) ⊢ Modular reset var y ⇓ rs r = bools-of rs ⊢ exp e ⇓ es r ⊢ reset f ( es ) ⇓ xs var x ⇓ xs ⊢ ⊢ eqn x = (restart f every y )( e ) ⊢ Use of an universally quantifjed relation as a constraint: node f (mask k r xs ) ⇓ mask k ∀ k , ⊢ r ys r ⊢ reset f ( xs ) ⇓ ys 7/22

  10. • validated parsing ( menhir --coq ) • elaboration to get clock and type information • i-translation to Stc code • scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments Implemented in Coq and (some) OCaml optimization initialization Obc generation Clight compilation CompCert Assembly printing 8/22

  11. • elaboration to get clock and type information • i-translation to Stc code • scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc generation Clight compilation CompCert Assembly printing 8/22

  12. • i-translation to Stc code • scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information generation Clight compilation CompCert Assembly printing 8/22

  13. • scheduling of Stc code • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation Clight compilation CompCert Assembly printing 8/22

  14. • s-translation to Obc code • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [BL09] [JPL12] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight compilation CompCert Assembly printing 8/22

  15. • fusion optimization of conditionals • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation CompCert Assembly printing 8/22

  16. • initialization of variable arguments • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert Assembly printing 8/22

  17. • Generation of Clight code • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert • initialization of variable arguments Assembly printing 8/22

  18. • Rely on CompCert for compilation [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert • initialization of variable arguments Assembly • Generation of Clight code printing 8/22

  19. [Bou+17] [Ler09] [JPL12] [BL09] VÉLUS: A VERIFIED LUSTRE COMPILER scheduling datafmow parsing elaboration i-translation Unannotated transition system NLustre Stc Lustre imperative s-translation fusion arguments • validated parsing ( menhir --coq ) optimization initialization Obc • elaboration to get clock and type information • i-translation to Stc code generation • scheduling of Stc code Clight • s-translation to Obc code compilation • fusion optimization of conditionals CompCert • initialization of variable arguments Assembly • Generation of Clight code printing • Rely on CompCert for compilation 8/22

  20. SYNTACTIC GRANULARITY reset: schedulable separate construct SEMANTIC GRANULARITY transient states WHY STC? Two issues: 9/22

  21. SEMANTIC GRANULARITY transient states WHY STC? Two issues: SYNTACTIC GRANULARITY reset: schedulable separate construct 9/22

  22. WHY STC? Two issues: SYNTACTIC GRANULARITY reset: schedulable separate construct SEMANTIC GRANULARITY transient states 9/22

  23. Problem with fusion optimization: x, ax = (restart ins every r)(x0, u); y, ay = (restart ins every r)(y0, v); Schedule node applications and resets separately FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) 10/22

  24. Schedule node applications and resets separately FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) Problem with fusion optimization: if ck_r { x, ax = (restart ins every r)(x0, u); if r { ins(i).reset() } y, ay = (restart ins every r)(y0, v); }; x, ax := ins(i).step(x0, u); if ck_r { if r { ins(j).reset() } }; y, ay := ins(j).step(y0, v) 10/22

  25. Schedule node applications and resets separately FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) Problem with fusion optimization: if ck_r { x, ax = (restart ins every r)(x0, u); if r { y, ay = (restart ins every r)(y0, v); ins(i).reset(); ins(j).reset() } }; x, ax := ins(i).step(x0, u); y, ay := ins(j).step(y0, v) 10/22

  26. FIRST ISSUE: NAIVE COMPILATION NLustre Obc x, a = (restart ins every r)(x0, u); if ck_r { if r { ins(i).reset() } }; x, a := ins(i).step(x0, u) Problem with fusion optimization: if ck_r { x, ax = (restart ins every r)(x0, u); if r { y, ay = (restart ins every r)(y0, v); ins(i).reset(); ins(j).reset() } }; x, ax := ins(i).step(x0, u); y, ay := ins(j).step(y0, v) → Schedule node applications and resets separately 10/22

  27. SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22

  28. SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22

  29. SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22

  30. SECOND ISSUE: PROOF OF CORRECTNESS NLustre “easy”: ∃ M V ω × V ω too weak for NLustre induction “hard” M V ω × M ω × V ω Obc x i v M’ S × V → S × V 11/22

  31. • The “easy” proof can be done • The “hard” one failed SECOND ISSUE: PROOF OF CORRECTNESS What about the reset? • Similar semantics in the memory model 11/22

  32. • The “hard” one failed SECOND ISSUE: PROOF OF CORRECTNESS What about the reset? • Similar semantics in the memory model • The “easy” proof can be done 11/22

  33. SECOND ISSUE: PROOF OF CORRECTNESS What about the reset? • Similar semantics in the memory model • The “easy” proof can be done • The “hard” one failed 11/22

  34. • Reset as a separate construct • Explicit state, as in the memory model of NLustre • Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre 12/22

  35. • Explicit state, as in the memory model of NLustre • Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct 12/22

  36. • Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct • Explicit state, as in the memory model of NLustre 12/22

  37. scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct • Explicit state, as in the memory model of NLustre • Transient states 12/22

  38. STC: SYNCHRONOUS TRANSITION CODE Propose a new intermediate language • Declarative, like NLustre • Reset as a separate construct • Explicit state, as in the memory model of NLustre • Transient states scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 12/22

  39. NLUSTRE STC scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 13/22

  40. NLUSTRE STC system euler { init i = true, px = 0.; node euler(x0, u: double) returns (x: double); transition (x0, u: double) var i: bool, px: double; returns (x: double) let { i = true fby false; next i = false; x = if i then x0 else px; x = if i then x0 else px; px = 0.0 fby (x + 0.1 * u); next px = x + 0.1 * u; tel } } 13/22

  41. NLUSTRE STC system euler { init i = true, px = 0.; node euler(x0, u: double) returns (x: double); transition (x0, u: double) var i: bool, px: double; returns (x: double) let { i = true fby false; next i = false; x = if i then x0 else px; x = if i then x0 else px; px = 0.0 fby (x + 0.1 * u); next px = x + 0.1 * u; tel } } 13/22

  42. NLUSTRE STC system euler { init i = true, px = 0.; node euler(x0, u: double) returns (x: double); transition (x0, u: double) var i: bool, px: double; returns (x: double) let { i = true fby false; next i = false; x = if i then x0 else px; x = if i then x0 else px; px = 0.0 fby (x + 0.1 * u); next px = x + 0.1 * u; tel } } 13/22

  43. NLUSTRE STC system ins { init k = 0, px = 0.; node ins(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var k: int, px: double, transition (gps, xv: double) xe: double whenot alarm; returns (x: double, alarm: bool) let var xe: double whenot alarm; k = 0 fby k + 1; { alarm = (k ≥ 50); next k = k + 1; xe = euler(gps whenot alarm, alarm = (k ≥ 50); xv whenot alarm); xe = euler<xe,0>(gps whenot alarm, x = merge alarm (px when alarm) xe; xv whenot alarm); px = 0. fby x; x = merge alarm (px when alarm) xe; tel next px = x; } } 13/22

  44. NLUSTRE STC system ins { init k = 0, px = 0.; node ins(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var k: int, px: double, transition (gps, xv: double) xe: double whenot alarm; returns (x: double, alarm: bool) let var xe: double whenot alarm; k = 0 fby k + 1; { alarm = (k ≥ 50); next k = k + 1; xe = euler(gps whenot alarm, alarm = (k ≥ 50); xv whenot alarm); xe = euler<xe,0>(gps whenot alarm, x = merge alarm (px when alarm) xe; xv whenot alarm); px = 0. fby x; x = merge alarm (px when alarm) xe; tel next px = x; } } 13/22

  45. NLUSTRE STC system driver { sub x: ins, y: ins; node driver(x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; let { x, ax = (restart ins every r)(x0, u); x, ax = ins<x,1>(x0, u); y, ay = (restart ins every r)(y0, v); reset ins<x> every (. on r); tel y, ay = ins<y,1>(y0, v); reset ins<y> every (. on r); } } 13/22

  46. NLUSTRE STC system driver { sub x: ins, y: ins; node driver(x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; let { x, ax = (restart ins every r)(x0, u); x, ax = ins<x,1>(x0, u); y, ay = (restart ins every r)(y0, v); reset ins<x> every (. on r); tel y, ay = ins<y,1>(y0, v); reset ins<y> every (. on r); } } 13/22

  47. NLUSTRE STC system driver { sub x: ins, y: ins; node driver(x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; let { x, ax = (restart ins every r)(x0, u); x, ax = ins<x,1>(x0, u); y, ay = (restart ins every r)(y0, v); reset ins<x> every (. on r); tel y, ay = ins<y,1>(y0, v); reset ins<y> every (. on r); } } 13/22

  48. SCHEDULING scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 14/22

  49. SCHEDULING system driver { system driver { sub x: ins, y: ins; sub x: ins, y: ins; transition (x0, y0, u, v: double, transition (x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool; var ax, ay: bool; { { x, ax = ins<x,1>(x0, u); reset ins<x> every (. on r); reset ins<x> every (. on r); reset ins<y> every (. on r); y, ay = ins<y,1>(y0, v); x, ax = ins<x,1>(x0, u); reset ins<y> every (. on r); y, ay = ins<y,1>(y0, v); } } } } 14/22

  50. STC OBC scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 15/22

  51. STC OBC class euler { state i: bool, px: double; system euler { init i = true, px = 0.; step(x0, u: double) returns (x: double) transition (x0, u: double) { returns (x: double) if state (i) { x := x0 } { else { x := state (px) }; x = if i then x0 else px; state (i) := false; next i = false; state (px) := x + 0.1 * u next px = x + 0.1 * u; } } } reset() { state (i) := true; state (px) := 0. } } 15/22

  52. STC OBC class euler { state i: bool, px: double; system euler { init i = true, px = 0.; step(x0, u: double) returns (x: double) transition (x0, u: double) { returns (x: double) if state (i) { x := x0 } { else { x := state (px) }; x = if i then x0 else px; state (i) := false; next i = false; state (px) := x + 0.1 * u next px = x + 0.1 * u; } } } reset() { state (i) := true; state (px) := 0. } } 15/22

  53. STC OBC class euler { state i: bool, px: double; system euler { init i = true, px = 0.; step(x0, u: double) returns (x: double) transition (x0, u: double) { returns (x: double) if state (i) { x := x0 } { else { x := state (px) }; x = if i then x0 else px; state (i) := false; next i = false; state (px) := x + 0.1 * u next px = x + 0.1 * u; } } } reset() { state (i) := true; state (px) := 0. } } 15/22

  54. STC OBC class ins { state k: int, px: double; instance xe: euler; system ins { init k = 0, px = 0.; step(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var xe: double transition (gps, xv: double) { returns (x: double, alarm: bool) alarm := state (k) ≥ 50; var xe: double whenot alarm; state (k) := state (k) + 1; { if alarm { } alarm = (k ≥ 50); else { xe := euler(xe).step(gps, xv) }; next k = k + 1; if alarm { x := state (px) } xe = euler<xe,0>(gps whenot alarm, else { x := xe }; xv whenot alarm); state (px) := x x = merge alarm (px when alarm) xe; } next px = x; } reset() { state (k) := 0; } state (px) := 0.; euler(xe).reset() } } 15/22

  55. STC OBC class ins { state k: int, px: double; instance xe: euler; system ins { init k = 0, px = 0.; step(gps, xv: double) sub xe: euler; returns (x: double, alarm: bool) var xe: double transition (gps, xv: double) { returns (x: double, alarm: bool) alarm := state (k) ≥ 50; var xe: double whenot alarm; state (k) := state (k) + 1; { if alarm { } alarm = (k ≥ 50); else { xe := euler(xe).step(gps, xv) }; next k = k + 1; if alarm { x := state (px) } xe = euler<xe,0>(gps whenot alarm, else { x := xe }; xv whenot alarm); state (px) := x x = merge alarm (px when alarm) xe; } next px = x; } reset() { state (k) := 0; } state (px) := 0.; euler(xe).reset() } } 15/22

  56. STC OBC class driver { instance x: ins, y: ins; system driver { sub x: ins, y: ins; step(x0, y0, u, v: double, r: bool) transition (x0, y0, u, v: double, returns (x, y: double) r: bool) var ax, ay: bool returns (x, y: double) { var ax, ay: bool; if r { ins(x).reset() }; { if r { ins(y).reset() }; reset ins<x> every (. on r); x, ax := ins(x).step(x0, u); reset ins<y> every (. on r); y, ay := ins(y).step(y0, v) x, ax = ins<x,1>(x0, u); } y, ay = ins<y,1>(y0, v); } reset() { ins(x).reset(); } ins(y).reset() } } 15/22

  57. FUSION OPTIMIZATION scheduling fusion optimization i-translation s-translation NLustre Stc Obc arguments initialization 16/22

  58. FUSION OPTIMIZATION class ins { class ins { state k: int, px: double; state k: int, px: double; instance xe: euler; instance xe: euler; step(gps, xv: double) step(gps, xv: double) returns (x: double, alarm: bool) returns (x: double, alarm: bool) var xe: double var xe: double { { alarm := state (k) ≥ 50; alarm := state (k) ≥ 50; state (k) := state (k) + 1; state (k) := state (k) + 1; if alarm { x := state (px) } if alarm { } else { else { xe := euler(xe).step(gps, xv) }; xe := euler(xe).step(gps, xv); if alarm { x := state (px) } x := xe else { x := xe }; }; state (px) := x state (px) := x } } reset() { state (k) := 0; reset() { state (k) := 0; state (px) := 0.; state (px) := 0.; euler(xe).reset() } euler(xe).reset() } } } 16/22

  59. FUSION OPTIMIZATION class ins { class ins { state k: int, px: double; state k: int, px: double; instance xe: euler; instance xe: euler; step(gps, xv: double) step(gps, xv: double) returns (x: double, alarm: bool) returns (x: double, alarm: bool) var xe: double var xe: double { { alarm := state (k) ≥ 50; alarm := state (k) ≥ 50; state (k) := state (k) + 1; state (k) := state (k) + 1; if alarm { x := state (px) } if alarm { } else { else { xe := euler(xe).step(gps, xv) }; xe := euler(xe).step(gps, xv); if alarm { x := state (px) } x := xe else { x := xe }; }; state (px) := x state (px) := x } } reset() { state (k) := 0; reset() { state (k) := 0; state (px) := 0.; state (px) := 0.; euler(xe).reset() } euler(xe).reset() } } } 16/22

  60. FUSION OPTIMIZATION class driver { class driver { instance x: ins, y: ins; instance x: ins, y: ins; step(x0, y0, u, v: double, step(x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool var ax, ay: bool { { if r { if r { ins(x).reset() }; ins(x).reset(); if r { ins(y).reset() }; ins(y).reset() x, ax := ins(x).step(x0, u); }; y, ay := ins(y).step(y0, v) x, ax := ins(x).step(x0, u); } y, ay := ins(y).step(y0, v) } reset() { ins(x).reset(); ins(y).reset() } reset() { ins(x).reset(); } ins(y).reset() } } 16/22

  61. FUSION OPTIMIZATION class driver { class driver { instance x: ins, y: ins; instance x: ins, y: ins; step(x0, y0, u, v: double, step(x0, y0, u, v: double, r: bool) r: bool) returns (x, y: double) returns (x, y: double) var ax, ay: bool var ax, ay: bool { { if r { if r { ins(x).reset() }; ins(x).reset(); if r { ins(y).reset() }; ins(y).reset() x, ax := ins(x).step(x0, u); }; y, ay := ins(y).step(y0, v) x, ax := ins(x).step(x0, u); } y, ay := ins(y).step(y0, v) } reset() { ins(x).reset(); ins(y).reset() } reset() { ins(x).reset(); } ins(y).reset() } } 16/22

  62. • Declarative f f r T r F S S S S g g g reset S i I i S i S i I i S i initial initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } 17/22

  63. • Declarative f r F S S g S i I i S i initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f r = T S S ′ g g reset S [ i ] I [ i ] S ′ [ i ] initial 17/22

  64. • Declarative f r F S S g S i I i S i initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f r = T S S ′ g g reset S [ i ] I [ i ] S ′ [ i ] initial 17/22

  65. • Declarative f r F S S g S i I i S i initial STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f r = T S S ′ g g reset S [ i ] I [ i ] S ′ [ i ] initial 17/22

  66. • Declarative STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22

  67. • Declarative STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22

  68. • Declarative STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { reset g<i> every (. on r); y = g<i,1>(x); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22

  69. STC FORMAL SEMANTICS: INTUITION system f { Transition system sub i: g; • Three states S , I and S ′ transition (x: int, r: bool) returns (y: int) • Transition constraints { y = g<i,1>(x); • Declarative reset g<i> every (. on r); } } f f r = T r = F S S ′ S S ′ g g g reset S [ i ] I [ i ] S ′ [ i ] S [ i ] ∼ I [ i ] S ′ [ i ] ∼ ∼ initial initial 17/22

Recommend


More recommend