# Translation Validation for Clock Transformations in a Synchronous Compiler

Van-Chan Ngo Jean-Pierre Talpin Thierry Gautier Paul Le Guernic

INRIA Rennes, France





Our translation validationbased verifier checks the correctness of program transformations w.r.t clock semantics in the synchronous data-flow compiler, Signal.

# Agenda

- Introduction
  - Motivation
  - Related work
  - Approach
- Clock semantics preservation
  - Clock model
  - Translation validation for clock transformations

- Detected bugs
- Conclusion

```
Motivation: Bug 15549
```

```
int lt(_Bool b, unsigned char c) {
   return b < c;
}
int main() {
   if (!lt(1,'a')
        abort();
}</pre>
```

- GCC compiles **b** < **c** into (**b** == 0) & (**c** != 0)
- Program always aborts

=> Compilers always might have some bugs

## Development of critical software



- Safety requirements have to be implemented correctly
- Formal verification is applied at source level (static analysis, model checking, theorem proving)
- The guarantees are obtained at source program might be broken due to the compiler bugs

=> Raise awareness about the importance of **compiler verification** in critical software development

## Related work on compiler verification

- SuperTest: test and validation suite
- DO-178: certification standards
- Astrée: a static analyzer
- Static analysis of Signal programs for efficient code generation (Gamatié et al.)
- Translation validation for optimizing compiler (Berkeley, US)
- CompCert: a certified C compiler (Inria, France)
- Verified LLVM compiler (Harvard, US)

# Compiler verification

#### Testing-based approach

- Test and validation suite to verify compilers
- Test suite to qualify the compiler's output

#### Formal method-based approach

- Formal verification of compilers
- Formal verification of compiler's output
- Translation validation to check the correctness of the compilation

#### Translation validation



- Takes the source and compiled programs as input
- Checks that the source program semantics is preserved in the compiled program

#### Translation validation: Main components

#### Model builder

- Defines common semantics
- Captures the semantics of the source and compiled programs

#### Analyzer

- Formalizes the notion of "correct translation"
- Provides an automated proof method
- Generates a proof scripts or a counter-example

#### Translation validation: Features

- Avoiding redoing the proof with changes of compiler
- Independence of how the compiler works
- Less to prove (in general, the validator is much more simple than the compiler)
- Verification process is fully automated

# Signal compiler



- Syntax and type checking
- Clock analysis
- Data dependency analysis
- Executable code generation



# A method to formally verify the Signal compiler w.r.t clock semantics such that:

- light weight
- scalable: deals with 500K lines of code of the implementation
- modularity



- Adopt translation validation approach
- Prove the correctness of each phase w.r.t the data structure carrying the semantics relevant to that phase
- Decompose the preservation of the semantics into the preservation of clock semantics, data dependency, and value-equivalence

## Formally verified Signal compiler



# Signal language

- Signal x: sequences x(t), t ∈ N of typed values (⊥ is absence)
- Clock  $C_x$  of x: instants at which  $x(t) \neq \bot$
- Process: set of equations representing relations between signals
- Parallelism: processes run concurrently
- Example:  $y := x + 1, \forall t \in C_y, y(t) = x(t) + 1$
- Other languages: Esterel, Lustre, Scade, ...

#### Primitive operators

- Stepwise functions:  $y := f(x_1, ..., x_n)$  $\forall t \in C_y, y(t) = f(x_1(t), ..., x_n(t)), C_y = C_{x_1} = ... = C_{x_n}$
- Delay: y := x\$1 init a

 $y(t_0) = a, \forall t \in C_x \land t > t_0, y(t) = x(t^-), C_y = C_x$ 

• Merge: y := x default z

y(t) = x(t) if  $t \in C_x, y(t) = z(t)$  if  $t \in C_z \setminus C_x$ ,  $C_y = C_x \cup C_z$ 

#### Primitive operators

• Sampling: y := x when b

 $\forall t \in C_x \cap C_b \wedge b(t) = true, y(t) = x(t), C_y = C_x \cap [b]$ 

• Composition:  $P_1|P_2$ 

Denotes the parallel composition of two processes

• Restriction: P where x

Specifies that x as a local signal to P

#### Example

```
process DEC=
(? integer FB;! integer N) /* IO signals */
(| FB ^= when (ZN <= 1)
    | N := FB default (ZN-1) /* equations */
    | ZN := N$1 init 1 /* order does not matter */
    |)
where integer ZN end; /* local signals */</pre>
```

- Emits a sequence of values FB, FB 1, ..., 1
- Execution traces



#### Preservation of clock semantics



#### Common semantics: Clock model

Encodes the clock

$$\phi(b := b_1 \text{ and } b_2) = \widehat{(b \Leftrightarrow \hat{b_1} \Leftrightarrow \hat{b_2})} \land \widehat{(b \Rightarrow (b \Leftrightarrow \hat{b_1} \land \hat{b_2}))}$$



Encodes the value

$$\phi(e := e_1 + e_2) = (\widehat{e} \Leftrightarrow \widehat{v_+^i} \Leftrightarrow \widehat{e_1} \Leftrightarrow \widehat{e_2}) \land (\widehat{e} \Rightarrow (\widetilde{e} = v_+^i))$$

n

i=1

 $\Phi(P) = \bigwedge \phi(eq_i)$ 

Clock model of P

#### Clock model of DEC

 $FB \ = when (ZN <= 1)$ ZN := N init 1 N := FB default (ZN - 1)

 $(FB \Leftrightarrow ZN1 \land ZN1)$  $\wedge (\widehat{ZN1} \Leftrightarrow v_{\leq \pm}^1 \Leftrightarrow \widehat{ZN}) \wedge (\widehat{ZN1} \Rightarrow (\widetilde{ZN1} = v_{\leq \pm}^1))$  $\wedge (\widetilde{ZN} \Leftrightarrow \widehat{N}) \wedge (\widetilde{ZN} \Rightarrow (\widetilde{ZN} = m.N \wedge m.N' = \widetilde{N}))$  $\wedge (m.N_0 = 1)$  $\wedge (\widehat{N} \Leftrightarrow \widehat{FB} \lor \widehat{ZN2}) \land (\widehat{N} \Rightarrow ((\widehat{FB} \land \widetilde{N} = \widetilde{FB})))$  $\vee (\neg FB \land N = ZN2)))$  $\wedge (\widehat{ZN2} \Leftrightarrow \widehat{v_{-}^{1}} \Leftrightarrow \widehat{ZN}) \wedge (\widehat{ZN2} \Rightarrow (\widetilde{ZN2} = \widehat{v_{-}^{1}}))$ 

#### Correct translation: Clock refinement

- Clock event: A clock event is an interpretation over X. The set of clock events denoted by  $\mathcal{E}c_X$
- Clock trace: A clock trace  $T_c : \mathbb{N} \longrightarrow \mathcal{E}c_X$  is a chain of clock events. The natural numbers represent the instants
- The concrete clock semantic of  $\Phi(P)$  is a set of clock trace denoted by  $\Gamma(\Phi(P))_{\backslash X}$
- Clock refinement:  $\Phi(C) \sqsubseteq_{clk} \Phi(A)$  on X iff  $\forall X.T_c.(X.T_c \in \Gamma(\Phi(C))_{\backslash X} \Rightarrow X.T_c \in \Gamma(\Phi(A))_{\backslash X})$

#### Proof method

- Define a variable mapping  $\widehat{X_A} \setminus \widehat{X_{IO}} = \alpha(\widehat{X_C} \setminus \widehat{X_{IO}})$
- Given  $\alpha$ , prove  $\Phi(C) \sqsubseteq_{clk} \Phi(A)$  on  $X_{IO}$

#### Premise

$$\widehat{X_A} \setminus \widehat{X_{IO}} = \alpha(\widehat{X_C} \setminus \widehat{X_{IO}})$$
  
$$\forall \widehat{I} \text{ over } \widehat{X_A} \cup \widehat{X_C}. (\widehat{I} \models \Phi(C) \Rightarrow \widehat{I} \models \Phi(A))$$

Conclusion

 $\Phi(C) \sqsubseteq_{clk} \Phi(A)$  on  $X_{IO}$ 

### Implementation with SMT



- Construct  $\Phi(A)$  and  $\Phi(C)$
- Establish  $(\Phi(C) \land \widehat{X_A} \setminus \widehat{X_{IO}} = \alpha(\widehat{X_C} \setminus \widehat{X_{IO}}) \Rightarrow \Phi(A))$
- Check the validity of  $\models (\Phi(C) \land \widehat{X_A} \setminus \widehat{X_{IO}} = \alpha(\widehat{X_C} \setminus \widehat{X_{IO}}) \Rightarrow \Phi(A))$

#### Detected bugs: Multiple constraints on a clock

```
// P.SIG
| x ^{=} when (y <= 9)
| x ^{=} when (y >= 1)
// P_BASIC_TRA.SIG
 CLK_x := when (y <=
   9)
| CLK := when (y >= 1)
| CLK_x ^= CLK
 CLK ^{=} XZX_24
// P_BOOL_TRA.SIG
| when Tick ^= C_z ^=
   C CLK
 when C_z ^= x ^= z
| C_z := y <= 9
 C_CLK := y >= 1
```

**Cause:** The synchronization between CLK and XZX\_24

- In P\_BASIC\_TRA, x might be absent when XZX\_24 is absent, which is not the case in P and P\_BOOL\_TRA
- XZX\_24 is introduced without declaration

#### **Detection:**

 $\Phi(P\_BOOL\_TRA) \not\sqsubseteq_{clk} \Phi(P\_BASIC\_TRA)$ 

### Detected bugs: XOR operator

```
// P.SIG
| b3 := (true xor true)
        and b1
// P_BASIC_TRA.SIG
...
| CLK_b1 := ^b1
| CLK_b1 ^= b1 ^= b3
| b3 := b1
...
```

Cause: wrong implementation of XOR operator

 In P\_BASIC\_TRA, true xor true is true

```
Detection:

\Phi(P\_BASIC\_TRA) \not\sqsubseteq_{clk} \Phi(P)
```

A method to formally verify the Signal compiler

- Adopts the translation validation
- Is light-weight, scalable, modular
- Separates the proof into three smaller and independent sub-proofs: clock semantic, data dependency, and value-equivalence preservations

#### Future work

- Fully implementation of the validator: benchmarks and integration into Polychrony toolset
- Use an SMT solver to reason on the rewrite rules in SDVG transformations

Thank you!