Applications of Program analysis in Model-Based Design

Transcription

1 Applications of Program analysis in Model-Based Design Prahlad Sampath 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks, Inc. Other product or brand names are trademarks or registered trademarks of their respective holders The MathWorks, Inc. 1

2 Outline Model-Based Design overview and role of program analysis (20 mins) Data flow analysis (20 mins) Abstract interpretation (20 mins) Software model checking (20 mins) 2

3 Model-Based Design Overview 3

4 Model-Based Design Design activities Specification, prototyping (at different levels of fidelity), design space exploration, codegeneration, verification Use of appropriate abstractions for modelling from algorithms to systems Graphical languages where appropriate Textual languages where appropriate Provide a framework where these can be combined and analysed Analysis is the corner stone of Model-Based Design Different levels of adoption of Model-Based Design will use different kinds of analysis 4

5 ሶ ሶ Simulink Workflow Dynamical System Graphically model the system in Simulink Simulink Block Diagram Compilation: Convert from graphical model to some internal representation Compiled Information (CI) X = [x c, x d ] x c = f c (X, U, t) x d n + 1 = f d (X, U, t) y = g(x, U, t) X(t 0 ) = X 0 Execution Phase Analyze Results Present the solution (logging, scopes) Simulate CI X = [xc, xd] x c = f(x, u 1, u 2, t) x d n + 1 = g(x, u 1, u 2, t) y = h(x, u 1, u 2, t) X(t 0 ) = X 0 Solver Info t n + 1 = 5

6 Modelling Formalisms Linear systems (ODEs) >>sldemo_bounce_two_integrators 6

7 Modelling Formalisms Linear systems (ODEs) >>sldemo_bounce_two_integrators 7

8 Modelling Formalisms Linear systems (ODEs) >>sldemo_bounce_two_integrators 8

9 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines >>sldemo_fuelsys 9

10 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines >>sldemo_fuelsys 10

11 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines Tabular specifications >>ex_stt_boiler 11

12 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines Tabular specifications Hybrid automata >>sf_bounce 12

13 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines Tabular specifications Hybrid automata >>sf_bounce 13

14 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines Tabular specifications Hybrid automata Differential algebraic system (acausal models for physical systems) 14

15 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines Tabular specifications Hybrid automata Differential algebraic system (acausal models for physical systems) 15

16 Modelling Formalisms Linear systems (ODEs) Hierarchical state machines Tabular specifications Hybrid automata Differential algebraic system (acausal models for physical systems) Discrete event systems Procedural code 16

17 Model-Based Design Hardware Hardware connectivity Real time simulation 17

18 Model-Based Design Hardware Hardware connectivity Real time simulation 18

19 Model-Based Design Hardware Hardware connectivity Real time simulation 19

20 Model-Based Design Hardware Hardware connectivity Real time simulation 20

21 Model-Based Design Code generation Programming Code generation Design optimizations Verification 21

22 Model-Based Design Code generation Programming Code generation Design optimizations Verification 22

23 Model-Based Design Code generation Programming Code generation Design optimizations Verification 23

24 Model-Based Design Code generation Programming Code generation Design optimizations Verification 24

25 Model-Based Design Code generation Programming Code generation Design optimizations Verification 25

26 Model-Based Design Code generation Programming Code generation Design optimizations Verification Data-type design 26

27 Model-Based Design Code generation Programming Code generation Design optimizations Verification Data-type design Systematic verification Coverage analysis Detect run-time error Property proving 27

28 Where does Program Analysis fit into this picture? Techniques for reasoning about behaviour Spanning many programming paradigms Well developed abstraction techniques Abstraction vs. approximation! Scalable algorithms Algorithms that scale to millions of lines of code Active area of research New techniques and algorithms 28

29 Four properties for a tool Automaticity Is the tool press-button or does it require user interaction? Soundness Are results trustable? Completeness Will the tool find all my bugs? Scalability How does the tool react to large programs? 29

30 Comparison of formal methods properties Automaticity Scalability Soundness Completeness Abstract Interpretation Dynamic test Formal proof (Hoare) Model Checking 30

31 It s all about the Workflow! 31

32 Data Flow Analysis 32

33 A Refresher Infer flows in programs Reason about program statements System of equations that capture the flow across statements in a program Algorithms well suited for program graphs Basis for compiler optimizations s1 e1 c1 s2 s3 j1 x1 33

34 A Refresher Infer flows in programs Reason about program statements System of equations that capture the flow across statements in a program Algorithms well suited for program graphs Basis for compiler optimizations Generate a set of equations Over a lattice domain Solution calculated by using fixpoint iteration entry s1 = exit e1 entry c1 = entry e1 exit j1 exit c1 = entry c1 kill c1 gen(c1) entry j1 = exit s3 exit s3 34

35 A Refresher Infer flows in programs Reason about program statements System of equations that capture the flow across statements in a program Algorithms well suited for program graphs Basis for compiler optimizations Generate a set of equations Over a lattice domain Solution calculated by using fixpoint iteration Forward vs. Backward analysis Context sensitivity Flow sensitivity Inter vs. Intra procedural analysis 35

36 Applications of data-flow analysis Compiler optimizations Expression folding Variable reuse (RAM) Constant folding Strength reduction 36

37 Applications of data-flow analysis Compiler optimizations Expression folding Variable reuse (RAM) Constant folding Strength reduction 37

38 Applications of data-flow analysis Compiler optimizations Expression folding Variable reuse (RAM) Constant folding Strength reduction 38

39 Applications of data-flow analysis Compiler optimizations Expression folding Variable reuse (RAM) Constant folding Strength reduction Parallelization GPU Coder 39

40 Deploy with GPU Coder ~20 Fps (K40c) Alexnet ~30 Fps (Tegra X1) Vehicle Detection ~66 Fps (Tegra X1) ~130 Fps (K40c) People detection Lane detection 40

41 Debugging Workflow Problem: 41

42 Debugging Workflow Problem: You have a large model, with an error. How should you go about localizing the error? 42

43 Debugging Workflow Problem: You have a large model, with an error. How should you go about localizing the error? Localize the behaviour over time Simulate the model Insert break-points Visualize signals/outputs 43

44 Debugging Workflow Problem: You have a large model, with an error. How should you go about localizing the error? Localize the behaviour over time Simulate the model Insert break-points Visualize signals/outputs Localize the behaviour over space Dependency analysis of model 44

45 Debugging Workflow Problem: You have a large model, with an error. How should you go about localizing the error? Localize the behaviour over time Simulate the model Insert break-points Visualize signals/outputs Localize the behaviour over space Dependency analysis of model Extract and simplify 45

46 Debugging Workflow Problem: You have a large model, with an error. How should you go about localizing the error? Localize the behaviour over time Simulate the model Insert break-points Visualize signals/outputs Localize the behaviour over space Dependency analysis of model Extract and simplify Google search: simulink model slicer youtube 46

47 Slicing Models to Reduce Complexity 47

48 Abstract Interpretation 48

49 Prove that no division by zero occurs here 49

50 Prove that no division by zero occurs here Clearly testing is not practicable Too many unknown 50

51 Prove that no division by zero occurs here Clearly testing is not practicable Too many unknown Philosophy of AI to prove correctness: You don t need the exact value of current_out to prove abscence of ZDIV Having a less precise information e.g. current_out >= 0.2 is sufficient 51

52 Formalization of the concrete semantics of the program States of the program 52

53 Formalization of the concrete semantics of the program States of the program x=1 current_out=? in=? i=? 53

54 Formalization of the concrete semantics of the program States of the program x=1 current_out=0 in=1.6 i=17 54

55 Formalization of the concrete semantics of the program Traces semantics Infinite state machine that simulates program execution 55

56 Formalization of the concrete semantics of the program Traces semantics Infinite state machine that simulates program execution 56

57 Formalization of the concrete semantics of the program Traces semantics Infinite state machine that simulates program execution 57

58 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 58

59 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 59

60 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 60

61 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 61

62 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 62

63 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 63

64 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 64

65 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 65

66 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 66

67 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 67

68 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 68

69 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 69

70 Formalization of the collecting semantics of the program Invariants semantics Interate until no new states are reached 70

71 Formalization of the abstract semantics of the program Properties semantics Loss of expressivity Finite state machine that over-approximates program execution 71

72 Formalization of the abstract semantics of the program Properties semantics Loss of expressivity X>=0 current_out<=0 in>=0 i>=0 Finite state machine that over-approximates program execution 72

73 Formalization of the abstract semantics of the program Properties semantics Loss of expressivity X>=0 current_out<=0 in>=0 i>=0 Finite state machine that over-approximates program execution X<0 current_out>=0 in<=0 i>0 73

74 Formalization of the abstract semantics of the program Properties semantics Fixpoint computation Finite state machine that over-approximates program execution 74

75 Formalization of the abstract semantics of the program Properties semantics Fixpoint computation Finite state machine that over-approximates program execution 75

76 Formalization of the abstract semantics of the program Properties semantics Fixpoint computation Finite state machine that over-approximates program execution 76

77 Formalization of the abstract semantics of the program Properties semantics Fixpoint computation Finite state machine that over-approximates program execution 77

78 Formalization of the abstract semantics of the program Properties semantics Fixpoint computation Finite state machine that over-approximates program execution Interate until no new states are reached 78

79 Formalization of the abstract semantics of the program Properties semantics Fixpoint computation Finite state machine that over-approximates program execution Interate until no new states are reached Abstract properties represent infinitely many states 79

80 Formalization of the abstract semantics of the program Properties semantics Fixpoint computation False alarm Finite state machine that over-approximates program execution Interate until no new states are reached Abstract properties represent infinitely many states 80

81 Applications of Abstract Interpretation Analysis of C Code Code prover Bug finder 81

82 Code Prover Performs abstract invariants computation on C/C++/ADA programs With pointers With floating points With function calls With multi-tasking Zero False Positives Computes many properties on program variables Ranges (interval domains) with holes Multiplicity (both integer and floating point) Linear relations between program variables e.g. 3x 2y + 4z 32 y + 3z t 1 82

83 Simple color code for presenting the information 83

84 Bug Finder Bug Finder uses abstract interpretation techniques to find bugs Does not claim to be exhaustive Cannot prove abscence of bugs May find a broader set of bugs Some are hard to deal with in Code Prover Few False Positives 84

85 Applications of Abstract Interpretation Analysis of C Code Code prover Bug finder Analysis of code generated from models Opportunities for using model semantics to improve precision of code-based analysis 85

86 Applications of Abstract Interpretation Analysis of C Code Code prover Bug finder Analysis of code generated from models Opportunities for using model semantics to improve precision of code-based analysis Analysis of Models 86

87 Applications of Abstract Interpretation Analysis of C Code Code prover Bug finder Analysis of code generated from models Opportunities for using model semantics to improve precision of code-based analysis Analysis of Models 87

88 Detailed design Data-type design From Specification to Code High level design focuses on maximum flexibility in design space exploration Use doubles Let Simulink choose appropriate data-types Code generation focuses on designs that are quite precisely specified and optimised Cost of computation Cost of memory Precision requirements 88

89 Data type design Start with MATLAB algorithm (uses doubles) 89

90 Data type design Start with MATLAB algorithm (uses doubles) Convert all computations to use fixed-point calculations 90

91 Data type design Start with MATLAB algorithm (uses doubles) 91

92 Data type design Start with MATLAB algorithm (uses doubles) Execute test-bench with sample inputs 92

93 Data type design Start with MATLAB algorithm (uses doubles) Execute test-bench with sample inputs Instrument MATLAB to monitor min/max for each variable 93

94 Data type design Start with MATLAB algorithm (uses doubles) Execute test-bench with sample inputs Instrument MATLAB to monitor min/max for each variable Propose fixpoint types based on observed ranges 94

95 Data type design Start with MATLAB algorithm (uses doubles) Execute test-bench with sample inputs Instrument MATLAB to monitor min/max for each variable Propose fixpoint types based on observed ranges 95

96 Data type design Start with MATLAB algorithm (uses doubles) Execute test-bench with sample inputs Instrument MATLAB to monitor min/max for each variable Propose fixpoint types based on observed ranges Change algorithm to use the proposed types 96

97 Data type design Start with MATLAB algorithm (uses doubles) Execute test-bench with sample inputs Instrument MATLAB to monitor min/max for each variable Propose fixpoint types based on observed ranges Change algorithm to use the proposed types Verify behaviour on test-bench 97

98 Data type design Start with MATLAB algorithm (uses doubles) 98

99 Data type design Start with MATLAB algorithm (uses doubles) Propose fixed-point types based on Abstract Interpretation 99

100 Data type design Start with MATLAB algorithm (uses doubles) Propose fixed-point types based on Abstract Interpretation 100

101 Data type design Start with MATLAB algorithm (uses doubles) Propose fixed-point types based on Abstract Interpretation Change algorithm to use the proposed types 101

102 Data type design Start with MATLAB algorithm (uses doubles) Propose fixed-point types based on Abstract Interpretation Change algorithm to use the proposed types Verify behaviour on test-bench 102

103 Software Model Checking 103

104 Model Checking Start with a model Various forms of state machines/transition systems Represents a system Add a property Various forms of logic temporal, modal etc. Represents a property Algorithms to check the satisfiability/validity of the property on the model 104

105 Software Model Checking Model is software Complex control-flow Functions/procedures Data-structures, pointers Libraries 105

106 Software Model Checking Model is software Complex control-flow Functions/procedures Data-structures, pointers Libraries Some properties can also be encoded in the software ASSERT statements 106

107 Software Model Checking Model is software Complex control-flow Functions/procedures Data-structures, pointers Libraries Some properties can also be encoded in the software ASSERT statements Prove that the ASSERT statements cannot be hit or provide evidence of reachability 107

108 Model-Based Software Model Checking Model is the software (is the model)! 108

109 Model-Based Software Model Checking Model is the software (is the model)! Discrete state Simulink diagrams 109

110 Model-Based Software Model Checking Model is the software (is the model)! Discrete state Simulink diagrams Stateflow 110

111 Model-Based Software Model Checking Model is the software (is the model)! Discrete state Simulink diagrams Stateflow Tabular notations 111

112 Model-Based Software Model Checking Model is the software (is the model)! Discrete state Simulink diagrams Stateflow Tabular notations Integrators, Lookup tables, 112

113 Model-Based Software Model Checking Model is the software (is the model)! Discrete state Simulink diagrams Stateflow Tabular notations Integrators, Lookup tables, Signals, Triggers, Function calls, Subsystems, Reference Models 113

114 Model-Based Software Model Checking Model is the software (is the model)! Discrete state Simulink diagrams Stateflow Tabular notations Integrators, Lookup tables, Signals, Triggers, Function calls, Subsystems, Reference Models Arrays of signals, Buses (structures) of signals 114

115 Model-Based Software Model Checking Model is the software (is the model)! Discrete state Simulink diagrams Stateflow Tabular notations Integrators, Lookup tables, Signals, Triggers, Function calls, Subsystems, Reference Models Arrays of signals, Buses (structures) of signals MATLAB code 115

116 Model-Based Software Model Checking Model is the software (is the model!) 116

117 Model-Based Software Model Checking Model is the software (is the model!) Property is also modelled Assertion blocks Assumption blocks 117

118 Model-Based Software Model Checking Model is the software (is the model!) Property is also modelled Assertion blocks Assumption blocks 118

119 Model-Based Software Model Checking Model is the software (is the model!) Property is also modelled Assertion blocks Assumption blocks Special statements in MATLAB code 119

120 Model-Based Software Model Checking Model is the software (is the model!) Property is also modelled Assertion blocks Assumption blocks Special statements in MATLAB code 120

121 Model-Based Software Model Checking Model is the software (is the model!) Property is also modelled Assertion blocks Assumption blocks Special statements in MATLAB code Prove properties valid 121

122 Model-Based Software Model Checking Model is the software (is the model!) Property is also modelled Assertion blocks Assumption blocks Special statements in MATLAB code Prove properties valid Provide evidence of invalidity 122

123 Run-time Error Check Counter-example 123

124 Test Generation Analysis 124

125 Property Proving Functional verification and witness generation for safety properties Check for bounded depth validation or for full guarantees Counter-example 125

126 It s all about the Workflow! 126

127 Opportunities at MathWorks Bangalore Teams working on multiple areas of MATLAB and Simulink IN-SLVnV team Simulink Design Verifier Simulink Solvers and Execution Engine HDL Code Generation and optimizations Simulink Model Advisor Simulink Test Simulink Coder and optimizations MATLAB Coder and optimizations Masters with some industry experience or PhD Passion for developing software 127