Section: New Software and Platforms

SigCert: translation validation from Signal to C

Participants : Van-Chan Ngo, Jean-Pierre Talpin, Thierry Gautier, Paul Le Guernic, Loïc Besnard.

Translation validation (Translation validation. Pnueli A., Siegel M., and Singerman E. In Proceedings of TACAS'98, 1998.) (Translation validation: From signal to c. M. Siegel A. Pnueli and E. Singeman. In Correct Sytem Design Recent Insights and Advances, 2000.) is a technique that attempts to verify that program transformations preserve the program semantics. It is obvious to prove globally that the source program and its final compiled program have the same semantics. However, we believe that a better approach is to separate concerns and prove each analysis and transformation stage separately with respect to ad-hoc data-structures to carry the semantic information relevant to that phase.

In the case of the Signal compiler [1] , [7] , the preservation of the semantics can be decomposed into the preservation of clock semantics at the clock calculation phase [15] and that of data dependencies at the static scheduling phase[16] , and, finally, value-equivalence of variables at the code generation phase[14] .

Translation Validation for Clock Transformations in a Synchronous Compiler. The clock semantics of the source and transformed programs are formally represented as clock models. A clock model is a first-order logic formula that characterizes the presence/absence status of all signals in a Signal program at a given instant. Given two clock models, a clock refinement between them is defined which expresses the semantic preservation of clock semantics[15] . A method to check the existence of clock refinement is defined as a satisfiability problem which can be automatically and efficiently proved by a SMT solver (Satisfiability modulo theories: An appetizer. L. de Moura and N. Bjorner. In Brazilian Symposium on Formal Methods, 2009.).

Precise Deadlock Detection for Polychronous Data-flow Specifications. Dependency graphs are a commonly used data structure to encode the streams of values in data-flow programs and play a central role in scheduling instructions during automated code generation from such specifications. We propose a precise and effective method that combines a structure of dependency graph and first order logic formulas to check whether multi-clocked data-flow specifications are deadlock-free before generating code from them. We represent the flow of values in the source programs by means of a dependency graph and attach first-order logic formulas to condition these dependencies. We use an SMT solver to effectively reason about the implied formulas and check deadlock freedom [16] .

Implementation and Experiments. At a high level, our prototype tool SigCert ([14] ) developed in OCaml could check the correctness of the compilation of Signal compiler w.r.t clock semantics, data dependence, and value-equivalence as given in Figure 3 . The individual modules designed in the context of this work are now being implemented and integrated in the open-source Polychrony toolset.