Forges: Synthesizing Verified Generators

Kestrel InstitutePIs: Cordell Green, John AntonCSs: Lindsay Errington, Doug Smith, Alessandro Coglio, Stephen Westfold, Jim McDonald

Objective: synthesize model-based generators!

Produce generators quicker!Produce generators that are verified!

Overview

Stateflowmeta-model

Cmeta-model

Stateflowmodel

Ccode

Generator

MetaGenerator

designknowledge

translationspecification

Problem Theory(D|I R|O)

generate-and-test

Constraint Satisfaction(R = set of maps) Global Structure

(R = set + recursive partition)global searchbinary search

backtrackbranch-and-bound

Local Structure(R = set + relation)

local searchhill climbing

simulated annealingtabu search

Local Structure(R = set + relation)genetic algorithms

Local Poset Structure(R = set + partial order)

Local Semilattice Structure(R = semilattice)

GS-CSP(R = recursively partitioned

set of maps)

GS-Horn-CSP(Horn-like Constraints)constraint propagation

Monotone Deflationary

Functionfixed point iteration

IntegerLinear

Programming0-1 methods

LinearProgramming

simplex methodinterior pointprimal dual

Network Flowspecialized simplex

Ford-Fulkerson

TransportationNW algorithm

Assignment ProblemHungarian method

Divide-and

-Conquerdivide-and-conquer

Problem ReductionGenerators

dynamic programmingbranch-and-boundgame tree search

ComplementReduction

sieves

Problem ReductionStructure

Taxonomy of Algorithm Theories

What’s a meta-model?

A language specification! Static semantics

What are well formed programs in the language

Dynamic semantics How programs behave

Elements of a Static Semantics

Abstract syntaxCharacterization of well-formed terms Type theoryVanderbilt has a static-semantics UML meta-model for StateflowWe translate UML into specifications in logic

Stateflow static semantics

sort Event, State, Transition, Action, …op src : Transition Stateop dst : Transition State

op event : Transition Eventop action : Transition Action

op children : State Or [State] | And [State] | None

op parent : State State

Static semantics (cont’d)

op active : State Bool

active(s) parent(s) ≠ undef active(parent(s))

“the ancestors of an active state are active”

Dynamic Semantics

Many formalisms to choose from Denotational, axiomatic, … Action Semantics (Mosses) Structural Operational Semantics (Plotkin) Natural Semantics (Kahn) (used in Centaur)

Our choice: Abstract State Machines (ASMs) aka

Evolving Algebras (Gurevich)

What are Abstract State Machines?

Algebraic theories. Sorts, operators, axioms

Rules for conditionally rewriting theories. if b then f(t1,…,tn) := t

ASM Example

sort Nodeop left : Node Nodeop right : Node Nodeop node : Node

if left(node) undef then left(node) := left(left(node)) right(node) := right(left(node))

Why ASMs?

ASMs support: abstraction refinement composition

Comprehensible To be shared with other MoBIES

participants.

Stateflow dynamic semantics

Stateflow is event driven

a/b b

entry: f(); entry: g();

Dynamic semantics (cont’d)

Event handling can be pre-empted Need a stack!

sort Frame = Exec Action | EndTrans Transition | …sort Stack = [Frame]op stack : Stack

startTrans(s : State, t : Transition) = active(s) := false stack := (Exec action(t)) :: (EndTrans t) :: (tail

stack)

Verifiability: when is the translation correct?

Conventional notion: Program p denotes a function or

relation [p] Translation correct when the denotation

is preserved: [p] = [trans(p)]

Conventional notion doesn’t work: Stateflow diagrams are reactive – not

functional – they may never terminate!

Bisimulation!

A run of a machine on a program p is a sequence of states.We observe only the events.p and trans(p) are equivalent when we observe the same behaviourFormally we define a bisimulation relation between the states of p and trans(p)

Bisimulation

… and vice versa

p

Stateflow

trans(p)

C

q

e

q’

e

Bisimulation

What we won’t do: Exhibit the bisimulation relation

What we will do: Ensure that the translation

preserves bisimulation

StatusMeta-modeling

Translation theories – getting started

Stateflow C SMV SSAT Notes

Static With help

from Vanderbilt

Dynamic

40% - -

Anticipate help fromMoBIES

partipants

Conclusions

Produce generators quicker! By reuse of language meta-models By capturing and exploiting design

knowledge

Produce generators that are verified! Translation preserves bisumulation

Tasks ahead

Completion of meta-modelsValidation of meta-modelsAbstraction of design theories