Verifying a Lustre Compiler Part 2

Size: px

Start display at page:

Download "Verifying a Lustre Compiler Part 2"

Abraham Cannon
6 years ago
Views:

1 Verifying a Lustre Compiler Part 2 Lélio Brun PARKAS (Inria - ENS) Timothy Bourke, Pierre-Évariste Dagand, Xavier Leroy, Marc Pouzet, Lionel Rieg SYNCHRON 2016 December 7, 2016 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

2 Introduction Context (normalized) elaboration / scheduling check parsing Unannotated Lustre elaboration Lustre normalization N-Lustre scheduling SN-Lustre dataflow imperative fusion optimization translation Verified Lustre compiler several passes intermediary imperative language: Obc Obc Clight Obc generation Clight compilation Assembly printing Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

3 Introduction Context (normalized) elaboration / scheduling check parsing Unannotated Lustre elaboration Lustre normalization N-Lustre scheduling SN-Lustre dataflow imperative fusion optimization translation Verified Lustre compiler several passes intermediary imperative language: Obc Obc Clight Contribution implementation and correctness proof in Coq Obc generation Clight compilation Assembly printing Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

4 Obc Syntax Obc: Abstract Syntax e := expression x (local variable) state(x) (state variable) c (constant) e (unary operator) e e (binary operator) s := statement x := e (update) state(x) := e (state update) if e then s else s (conditional) x := c(i).m( e ) (method call) s; s (composition) skip (do nothing) cls := declaration class c { (class) memory x ty instance i c m( x ty ) returns ( x ty ) [var x ty ] { s } } Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

5 Obc Syntax Example node rect (d: int ) returns (y: int ) var py: int ; let y = py + d; py = 0 fby y; tel node integrator (a: int ) returns (v, x: int ) let v = rect (a); x = rect (v); tel node excess (max, a: int ) returns (e: bool ; x: int ) var v: int ; let (v, x) = integrator (a); e = v > max ; tel class rect { memory py: int ; reset () { state (py) := 0 } step (d: int ) returns (y: int ) { y := state (py) + d; state (py) := y } } class integrator { instance v, x: rect ; reset () { rect (v). reset (); rect (x). reset () } step (a: int ) returns (v, x: int ) { v := rect (v). step (a); x := rect (x). step (v) } } class excess { instance vx: integrator ; reset () { integrator (vx). reset () } step (max, a: int ) returns (e: bool, x: int ) var v: int { v, x := integrator (vx). step (a); e := v > max } } Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

6 Obc Semantics State and memory model menv venv ident val { memories : ident val menv instances : ident menv instances(v) instances(vx) instances(x) memories(py) memories(py) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

7 Obc Semantics Statements rules me, ve exp e v p, me, ve st x := e me, ve {x v} me, ve exp e v p, me, ve st state(x) := e update_mem(me, x, v), ve... Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

8 TranslGeneration of Clight Clight CompCert s frontend language block memory model 2 types of variables: local and temporaries 2 semantics variants: parameters as local variables or as temporaries 2 semantics: small and big step small step: continuations big step: state (e, le, m) e local variables environment : ident block int le temporaries environment : ident val m memory : block int byte Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

9 TranslGeneration of Clight Generation function Obc class Clight structure Obc method void-returning Clight function state: pointer self multiple outputs: pointer out Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

10 TranslGeneration of Clight Example class rect { memory py : int ; [...] } class integrator { instance v, x: rect ; [...] } class excess { instance vx: integrator ; [...] struct rect { int py; }; struct integrator { struct rect v; struct rect x; }; struct excess { struct integrator vx; }; [...] step (max, a: int ) returns (e: bool, x: int ) var v: int { v, x := integrator (vx). step (a); e := v > max } } struct excess_step { _Bool e; int x; }; void excess_step ( struct excess *self, struct excess_step *out, int max, int a) { struct integrator_step vx_step ; register int v; integrator_step (&(* self ).vx, &vx_step, a); v = vx_step.v; (* out ).x = sx_step.x; (* out ).e = v > max ; } Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

11 Semantics preservation Obc : (me, ve) ; Clight : (e, le, m) me 1, ve 1 st s me 2, ve 2 match_states e 1, le 1, m 1 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

12 Semantics preservation Obc : (me, ve) ; Clight : (e, le, m) match_states me 1, ve 1 st s me 2, ve 2 match_states e 1, le 1, m 1 Clight s s e 1, le 2, m 2 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

13 Separation logic Consequences of CompCert s memory model: aliasing (overlapping) alignment permissions sizes Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

14 Separation logic Consequences of CompCert s memory model: aliasing (overlapping) alignment permissions sizes Solution use a separation logic formalism Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

15 Separation logic in CompCert { mfoot : block int P predicate P :, m P (mpred P) m mpred : memory P conjonction m P Q pure formula m pure (P) Q P m Q Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

16 Separation logic in CompCert { mfoot : block int P predicate P :, m P (mpred P) m mpred : memory P conjonction m P Q pure formula m pure (P) Q P m Q mfoot = λ b ofs. mfoot P b ofs mfoot Q b ofs P Q = mpred = λ m. mpred P m mpred Q m disjoint(mfoot P) (mfoot Q) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

17 States correspondence Obc : (me, ve) ; Clight : (e, le, m) match_states = Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

18 States correspondence Obc : (me, ve) ; Clight : (e, le, m) match_states = pure (le(self) = (b s, ofs)) pure (le(out) = (b o, 0)) pure (ge(f_c) = co out ) self pointer out pointer output structure Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

19 States correspondence Obc : (me, ve) ; Clight : (e, le, m) match_states = pure (le(self) = (b s, ofs)) pure (le(out) = (b o, 0)) pure (ge(f_c) = co out ) pure (wt_env ve m) pure (wt_mem me p c) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

20 States correspondence Obc : (me, ve) ; Clight : (e, le, m) match_states = pure (le(self) = (b s, ofs)) pure (le(out) = (b o, 0)) pure (ge(f_c) = co out ) pure (wt_env ve m) pure (wt_mem me p c) staterep p c me b s ofs memory me structure pointed by self Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

21 States correspondence Obc : (me, ve) ; Clight : (e, le, m) match_states = pure (le(self) = (b s, ofs)) pure (le(out) = (b o, 0)) pure (ge(f_c) = co out ) pure (wt_env ve m) pure (wt_mem me p c) staterep p c me b s ofs blockrep ve co out b o output variables of m fields of co out pointed by out Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

22 States correspondence Obc : (me, ve) ; Clight : (e, le, m) match_states = pure (le(self) = (b s, ofs)) pure (le(out) = (b o, 0)) pure (ge(f_c) = co out ) pure (wt_env ve m) pure (wt_mem me p c) staterep p c me b s ofs blockrep ve co out b o varsrep m ve le parameters and local variables temporaries Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

23 States correspondence Obc : (me, ve) ; Clight : (e, le, m) match_states = pure (le(self) = (b s, ofs)) pure (le(out) = (b o, 0)) pure (ge(f_c) = co out ) pure (wt_env ve m) pure (wt_mem me p c) staterep p c me b s ofs blockrep ve co out b o varsrep m ve le subrep_range e subcalls output structures allocation Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

24 Staterep on the example menv instances(vx) excess integrator vx rect v int py instances(v) memories(py) instances(x) memories(py) rect x int py Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

25 Staterep on the example menv instances(vx) excess integrator vx rect v int py instances(v) memories(py) instances(x) memories(py) rect x int py staterep excess menv b s ofs Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

26 Staterep on the example menv instances(vx) excess integrator vx rect v int py instances(v) memories(py) instances(x) memories(py) rect x int py staterep integrator menv.instances(vx) b s (ofs + δ excess vx ) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

27 Staterep on the example menv instances(vx) excess integrator vx rect v int py instances(v) memories(py) instances(x) memories(py) rect x int py staterep rect menv.instances(vx).instances(v) b s (ofs + δ excess vx + δ integrator v ) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

28 Staterep on the example menv instances(vx) excess integrator vx rect v int py instances(v) memories(py) instances(x) memories(py) rect x int py staterep rect menv.instances(vx).instances(x) b s (ofs + δ excess vx + δ integrator x ) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

29 Staterep on the example menv instances(vx) excess integrator vx rect v int py instances(v) memories(py) instances(x) memories(py) rect x int py contains int32s b s (ofs + δ excess vx + δ integrator v + δ rect py ) menv.instances(vx).instances(v).memories(py) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

30 Staterep on the example menv instances(vx) excess integrator vx rect v int py instances(v) memories(py) instances(x) memories(py) rect x int py contains int32s b s (ofs + δ excess vx + δ integrator x + δ rect py ) menv.instances(vx).instances(x).memories(py) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

31 Staterep staterep [ ] c me b s ofs = staterep (class k{... } :: p) c me b s ofs = staterep p c me b s ofs if k c staterep (class c{ x ty i k... } :: p) c me b s ofs = x ty contains ty b s (ofs + field_offset(x, x ty i k )) me.memories(x) i k staterep p l me.instances(k) b s (ofs + field_offset(i, x ty i k )) Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

32 Invariant preservation frame rule emulation : m P F hypotheses m, properties m P F proof structure : simultaneous inductions (function calls, function bodies) ; ; x := e ; x = e ; x := C.f σ (e) ; ; ; x := e skip C_f (σ, o, e) ; x = e Sskip x = o.y 1 x = o.y 2 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

33 Invariant preservation frame rule emulation : m P F hypotheses m, properties m P F proof structure : simultaneous inductions (function calls, function bodies) ; ; x := e ; x = e ; x := C.f σ (e) ; ; ; x := e skip C_f (σ, o, e) ; x = e Sskip x = o.y 1 x = o.y 2 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

34 Invariant preservation frame rule emulation : m P F hypotheses m, properties m P F proof structure : simultaneous inductions (function calls, function bodies) ; ; x := e ; x = e ; x := C.f σ (e) ; ; ; x := e skip C_f (σ, o, e) ; x = e Sskip x = o.y 1 x = o.y 2 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

35 Invariant preservation frame rule emulation : m P F hypotheses m, properties m P F proof structure : simultaneous inductions (function calls, function bodies) ; ; x := e ; x = e ; x := C.f σ (e) ; specialized invariant ; ; x := e skip C_f (σ, o, e) ; x = e Sskip x = o.y 1 x = o.y 2 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

36 Invariant preservation frame rule emulation : m P F hypotheses m, properties m P F proof structure : simultaneous inductions (function calls, function bodies) ; induction ; x := e ; x = e ; x := C.f σ (e) ; ; ; x := e skip C_f (σ, o, e) ; x = e Sskip x = o.y 1 x = o.y 2 Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

37 Proof case match_states me, ve st state(x) := a me, ve match_states e, le, m s ( self).x = a e e, le, m Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

38 Proof case me, ve st state(x) := a me, ve match_states match_states e, le, m s ( self).x = a e e, le, m le(self) = (b s, ofs)... e, le, m e self (b s, ofs) match_states field_offset(x,... ) = δ x staterep_field_offset e, le, m lv ( self).x b s, ofs + δ x Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

39 Proof case me, ve st state(x) := a me, ve match_states match_states e, le, m s ( self).x = a e e, le, m le(self) = (b s, ofs)... e, le, m e self (b s, ofs) match_states field_offset(x,... ) = δ x staterep_field_offset e, le, m lv ( self).x b s, ofs + δ x me, ve exp a v e, le, m e a e v expr_eval_simu Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

40 Proof case me, ve st state(x) := a me, ve match_states match_states e, le, m s ( self).x = a e e, le, m le(self) = (b s, ofs)... e, le, m e self (b s, ofs) match_states field_offset(x,... ) = δ x staterep_field_offset e, le, m lv ( self).x b s, ofs + δ x me, ve exp a v e, le, m e a e v expr_eval_simu match_states store(m, b s, ofs + δ x, v) = m match_states_assign_state Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

41 Conclusion Summary size: translation: 300 loc separation: 2000 loc correctness: 3300 loc memory models correspondence: separation logic other source languages certified Lustre compilation Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

42 Conclusion Final lemma (normalized) elaboration / scheduling check parsing Unannotated Lustre elaboration Lustre normalization N-Lustre scheduling SN-Lustre dataflow imperative behavior_asm : wc_global G wt_global G wt_io G main ins outs sem_node G main ins outs compile G main = OK P ( t, program_behaves (Asm.semantics P) (Diverges t)) T, program_behaves (Asm.semantics P) (Reacts T ) bisim_io G main ins outs T translation fusion optimization Obc generation Clight compilation Assembly printing Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 19

43 Future Works complete the toolchain optimizations PhD: semantics, automata, reset Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 5

44 Other works synchronous languages, Lustre [Ben+03; Cas+87; Bie+08; Aug13; Aug+14; Bou+16] certified compilation: CompCert [BDL06; Ler09a; Ler09b] automatic proof of a compiler [CG15] denotational semantics [Chl07; BKV09; BH09] Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 5

45 References I [Ben+03] [Cas+87] [Bie+08] Albert Benveniste, Paul Caspi, Stephen A. Edwards, Paul Le Guernic, Nicolas Halbwachs, and Robert De Simone. The synchronous languages 12 years later. In: proceedings of the IEEE. Vol Jan. 2003, pp Paul Caspi, Nicolas Halbwachs, Daniel Pilaud, and John Alexander Plaice. LUSTRE: A declarative language for programming synchronous systems. In: POPL 87. ACM. Jan. 1987, pp Dariusz Biernacki, Jean-Louis Colaço, Grégoire Hamon, and Marc Pouzet. Clock-directed Modular Code Generation of Synchronous Data-flow Languages. In: ACM International Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES). Tucson, Arizona, June [Aug13] Cédric Auger. Compilation certifiée de SCADE/LUSTRE. PhD thesis. Orsay, France: Univ. Paris Sud 11, Apr [Aug+14] Cédric Auger, Jean-Louis Colaço, Grégoire Hamon, and Marc Pouzet. A Formalization and Proof of a Modular Lustre Code Generator. En préparation Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 5

46 References II [Bou+16] [BDL06] Timothy Bourke, Pierre-Évariste Dagand, Marc Pouzet, and Lionel Rieg. Verifying Clock-Directed Modular Code Generation for Lustre. En préparation Sandrine Blazy, Zaynah Dargaye, and Xavier Leroy. Formal verification of a C compiler front-end. In: FM 2006: Int. Symp. on Formal Methods volume 4085 de LNCS (2006), pp [Ler09a] Xavier Leroy. A formally verified compiler back-end. In: Journal of Automated Reasoning 43.4 (2009), pp [Ler09b] Xavier Leroy. Formal verification of a realistic compiler. In: Comms. ACM 52.7 (2009), pp [CG15] [Chl07] Martin Clochard and Léon Gondelman. Double WP : Vers une preuve automatique d un compilateur. In: Journées Francophones des Langages Applicatifs. INRIA. Jan Adam Chlipala. A certified type-preserving compiler from lambda calculus to assembly language. In: Programming Language Design and Implementation. ACM. 2007, pp Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 5

47 References III [BKV09] [BH09] Nick Benton, Andrew Kennedy, and Carsten Varming. Some domain theory and denotational semantics in Coq. In: Theorem Proving in Higher Order Logics. volume 5674 de LNCS. 2009, pp Nick Benton and Chung-Kil Hur. Biorthogonality, step-indexing and compiler correctness. In: International Conference on Functional Programming. ACM. 2009, pp Lélio Brun Verifying a Lustre Compiler Part 2 December 7, / 5

A Formally Verified Compiler for Lustre

A Formally Verified Compiler for Lustre Timothy Bourke 1,2 Lélio Brun 1,2 Pierre-Évariste Dagand 4,3,1 Xavier Leroy 1 Marc Pouzet 4,2,1 Lionel Rieg 5,6 1. Inria Paris 2. DI, École normale supérieure 3.