

Section: New Results

Formal Verification of Synchronous Dataflow Program Transformations Toward Certified Compilers

Participants : Van-Chan Ngo, Jean-Pierre Talpin, Thierry Gautier, Paul Le Guernic, Loïc Besnard.

Translation validation [49], [48] is a technique that attempts to verify that program transformations preserve program semantics. A compiler generally involves several phases during its compilation process. For instance, the Signal compiler [2], [8], in its first two phases, computes clock information, performs Boolean abstraction, and performs static scheduling; the final phase is executable code generation. One can try to prove globally that the input program and its final transformed program have the same semantics. However, we believe that a better approach consists in separating the concerns and proving, for each phase, the preservation of a different kind of semantic property. In the case of the Signal compiler, the preservation of semantics can be decomposed into the preservation of clock semantics, of data dependence, and of value-equivalence of variables.


Translation Validation for Clock and SDG Transformations. This work focuses on proving the preservation of clock semantics in the first two phases of the Signal compiler. To do so, we encode clock semantics and data dependence as clock models and synchronous dependence graphs (SDGs). We then show that a transformation from P1 to P2 is correct if and only if there exist refinements between the clock models and between the SDGs, written Φ(P2) ⊑_clk Φ(P1) and SDG(P2) ⊑_dep SDG(P1) [15]. Checking these refinements is delegated to an SMT solver [38], [54].


Translation Validation of Polychronous Dataflow Specifications: from Signal to C using Synchronous Dataflow Value-Graphs. In this work, we build a validator for the synchronous dataflow compiler of Signal. The validator tries to match the value-graph [53] of each output of the original program with that of its transformed counterpart. This ensures that every output of the original program and its counterpart in the transformed program have the same value whenever they are present. The validator requires neither instrumentation or modification of the compiler nor any rewriting of the source program.

The Signal program and its generated C program are represented in one shared synchronous dataflow value-graph (SDVG), in which nodes for the same structures (variables, constants, operators) are shared. For instance, the values of input signals and of their corresponding variables in the generated C code are represented by the same nodes of the shared graph. The shared graph is then transformed by predefined rewriting rules until it can be shown that every output signal value of the Signal program and its counterpart in the generated C code are rooted at the same subgraph.

Consider the following validation process, where Cp(P) is the outcome of compiling the program P, IR(P) is the compiled code of P, and TV(SDVG(P, IR(P))) is true when all output signal values in P and their counterparts in IR(P) are the same:

    if (Cp(P) is Error) then output Error
    else if (Φ(IR(P)) ⊑_clk Φ(P)) and (SDG(IR(P)) ⊑_dep SDG(P)) and TV(SDVG(P, IR(P)))
        then output IR(P)
        else output Error

Provided the validator itself is formally certified, this gives a formal guarantee, with respect to clock semantics and data dependence, as strong as that provided by a formally certified compiler.
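The clock-refinement check and the value-graph matching described above, as a runnable toy added here; this is not code from Polychrony or SigCert. The names `clk_refines`, `SDVG`, `tv`, `validate`, the sample Signal program and its hand-written "generated C" counterpart are all constructed for illustration, exhaustive enumeration over a handful of Boolean clock variables stands in for the SMT solver, and the SDG dependence check is not modelled:

```python
"""Toy translation validator mirroring the clock and value-graph checks.

Added example, not code from the Polychrony toolset or SigCert.  It assumes
a hand-made encoding of clock models (Boolean constraints over 'present'
bits) and of value-graphs, and replaces the SMT solver with brute force.
"""
from itertools import product


def clk_refines(phi_ir, phi_p, variables):
    """Phi(IR(P)) refines Phi(P): every clock assignment satisfying Phi(IR(P))
    also satisfies Phi(P).  An SMT solver would test the negation for
    satisfiability; exhaustive enumeration stands in for it here."""
    for values in product([False, True], repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(c(env) for c in phi_ir) and not all(c(env) for c in phi_p):
            return False   # a clock behaviour of IR(P) that P forbids
    return True


class SDVG:
    """Shared value-graph: nodes are hash-consed, so structurally equal
    subgraphs of P and IR(P) are one node, and rewrite rules normalise on
    construction (constant folding, neutral elements, commutativity,
    trivial multiplexers)."""

    def __init__(self):
        self.table = {}    # structural key -> node id
        self.key_of = []   # node id -> structural key

    def _mk(self, key):
        nid = self.table.get(key)
        if nid is None:
            nid = len(self.key_of)
            self.table[key] = nid
            self.key_of.append(key)
        return nid

    def const(self, v):
        return self._mk(("const", v))

    def inp(self, name):   # one node per input signal / C input variable
        return self._mk(("in", name))

    def absent(self):      # value of a signal at an instant its clock is off
        return self._mk(("absent",))

    def _const(self, nid):
        key = self.key_of[nid]
        return key[1] if key[0] == "const" else None

    def binop(self, op, a, b):
        ca, cb = self._const(a), self._const(b)
        if ca is not None and cb is not None:
            return self.const(ca + cb if op == "+" else ca * cb)
        if op == "+" and ca == 0: return b
        if op == "+" and cb == 0: return a
        if op == "*" and ca == 1: return b
        if op == "*" and cb == 1: return a
        return self._mk((op, min(a, b), max(a, b)))   # canonical operand order

    def mux(self, c, t, e):
        cc = self._const(c)
        if cc is True: return t
        if cc is False: return e
        if t == e: return t
        return self._mk(("mux", c, t, e))


def tv(outs_p, outs_ir):
    """TV(SDVG(P, IR(P))): each output of P and its counterpart share a root."""
    return all(outs_p[name] == outs_ir[name] for name in outs_p)


def build_example(faithful=True):
    """Constructed program P and a hand-written 'generated C' IR(P):
         P:      y := x when b        z := x + y
         IR(P):  if (b) y = x;        t = y + x;  z = t * 1;
    With faithful=False the IR drops the 'when' (y = x unconditionally)."""
    V = ["x_hat", "y_hat", "z_hat", "b_hat", "b"]   # presence bits, value of b
    phi_p = [lambda e: e["y_hat"] == (e["x_hat"] and e["b_hat"] and e["b"]),
             lambda e: e["z_hat"] == e["x_hat"] and e["z_hat"] == e["y_hat"]]
    if faithful:   # compiler derived the clock x_hat = b_hat and b
        phi_ir = [lambda e: e["x_hat"] == (e["b_hat"] and e["b"]),
                  lambda e: e["y_hat"] == e["x_hat"],
                  lambda e: e["z_hat"] == e["x_hat"]]
    else:
        phi_ir = [lambda e: e["y_hat"] == e["x_hat"],
                  lambda e: e["z_hat"] == e["x_hat"]]
    g = SDVG()
    x, b = g.inp("x"), g.inp("b")        # inputs of P and of the C code share nodes
    y_p = g.mux(b, x, g.absent())
    outs_p = {"y": y_p, "z": g.binop("+", x, y_p)}
    y_ir = g.mux(b, x, g.absent()) if faithful else x
    t = g.binop("+", y_ir, x)            # commutativity merges it with P's node
    outs_ir = {"y": y_ir, "z": g.binop("*", t, g.const(1))}   # t * 1 rewrites to t
    return phi_p, phi_ir, V, outs_p, outs_ir


def validate(faithful=True):
    """The decision procedure of the text, without the SDG check."""
    phi_p, phi_ir, V, outs_p, outs_ir = build_example(faithful)
    return clk_refines(phi_ir, phi_p, V) and tv(outs_p, outs_ir)


if __name__ == "__main__":
    print("faithful IR accepted:", validate(True))
    print("buggy IR rejected:", not validate(False))
```

The faithful IR is accepted because its clock model implies P's and because, after commutative ordering and the `t * 1` rewrite, the `z` outputs of both sides hash-cons to the same node; the IR that drops the `when` fails both checks, which is the kind of compiler bug such a validator is meant to catch without touching the compiler itself.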

Figure 8. An overview of our integration within Polychrony toolset.


Implementation and Experiments. At a high level, our tool SigCert [47], developed in OCaml, checks the correctness of the compilation performed by the Polychrony Signal compiler w.r.t. clock semantics, data dependence, and value-equivalence, as shown in Figure 8.