Towards a Coq-verified compiler from Esterel to circuits: 2 years later Lionel R ieg Yale University Synchron 2016 December 5th, 2016 1/20
Objective: prove the compilation scheme for Esterel ◮ Esterel ◮ Synchronous dataflow language ◮ Control-oriented, imperative-flavored unlike Lustre ◮ Verified compilation to circuit ◮ Draft book by Gérard B erry [The Constructive Semantics of Pure Esterel] ◮ Modular compilation ◮ Same spirit as Compcert: semantics is refined/preserved by compilation ◮ Restrictions ◮ Compilation toward digital circuits only ◮ No data, only Pure Esterel v.5 ◮ No reincarnation, left for future work 2/20
Syntax of Kernel Esterel (instructions) p , q := 0 nothing 1 pause s ?? await (immediate) s ! s emit s s ? p , q if s then p else q end s ⊃ p suspend p when s p ; q p ; q p | q p || q p ∗ loop p end exit T k k k � 2 k is the level { p } trap T in p end ↑ p p \ s signal s in p end + macros: halt := 1 ∗ await s := { ( s ? 2 , 1 ) ∗} abort p when s := { ( s ? 2 , 1 ) ∗ | ( ↑ p ; 2 ) } 3/20
Hello world in Esterel: ABRO Idea: ◮ as soon as both A and B are received, emit O ◮ reinitialize when R is received halt := loop pause end abort p when s := trap T in loop ( if s then exit T else pause end ) end || (p ; exit T) 4/20
Hello world in Esterel: ABRO Idea: ◮ as soon as both A and B are received, emit O ◮ reinitialize when R is received ( await A || await B) ; emit O ; halt halt := loop pause end abort p when s := trap T in loop ( if s then exit T else pause end ) end || (p ; exit T) 4/20
Hello world in Esterel: ABRO Idea: ◮ as soon as both A and B are received, emit O ◮ reinitialize when R is received abort ( await A || await B) ; emit O ; halt when R halt := loop pause end abort p when s := trap T in loop ( if s then exit T else pause end ) end || (p ; exit T) 4/20
Hello world in Esterel: ABRO Idea: ◮ as soon as both A and B are received, emit O ◮ reinitialize when R is received loop abort ( await A || await B) ; emit O ; halt when R end halt := loop pause end abort p when s := trap T in loop ( if s then exit T else pause end ) end || (p ; exit T) 4/20
Semantics of an Esterel Program At each instant, either: E ′ , k p ′ with: ◮ One (macro-)step p − − − − → E ◮ Inputs E ◮ Outputs E ′ ◮ A return code k 0 = done, 1 = pending, 2+ = exceptions ◮ Several microsteps ◮ No E ′ and k : they can be read from p ′ ◮ No Can/Must functions 5/20
Semantics of an Esterel Program At each instant, either: E ′ , k p ′ with: ◮ One (macro-)step p − − − − → E ◮ Inputs E ◮ Outputs E ′ ◮ A return code k 0 = done, 1 = pending, 2+ = exceptions ◮ Several microsteps ◮ No E ′ and k : they can be read from p ′ ◮ No Can/Must functions Some remarks: ◮ E and E ′ are maps from declared signals to {− , ⊥ , + } ◮ Instantaneous communication: E ′ ⊆ E � Not compositional if not done carefully 5/20
Global diagram of semantics Constructive Semantics State Semantics Microstep Semantics Circuit Semantics 6/20
Global diagram of semantics Constructive Semantics State Semantics Microstep Semantics Circuit Semantics 6/20
Constructive Semantics ◮ Rewrite the program ◮ Erase dead code & only keep active parts ◮ Duplicate loop bodies loop p end ≡ p ; loop p end ◮ Use Can/Must for local signals ◮ s + if s must be emitted ◮ s − if s cannot be emitted ◮ Avoid causality problems & non-determinism forbid “ if s then emit s else nothing end ” ◮ Usual style of programming language semantics � convenient for high-level reasoning about programs E ′ , k s + ∈ E p ′ p ֒ − − − − → ◮ The if-then rule: E E ′ , k p ′ s ? p , q ֒ − − − − → E 7/20
Execution of ABRO loop abort ( await A || await B ) ; emit O ; halt when R end 8/20
Execution of ABRO loop abort ( await A || await B ) ; emit O ; halt when R end { B } 8/20
Execution of ABRO abort ( await A || await B ); emit O ; halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } 8/20
Execution of ABRO abort ( await A || nothing ); emit O ; halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } 8/20
Execution of ABRO abort ( await A || nothing ); emit O ; halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , 8/20
Execution of ABRO abort ( nothing || nothing ); emit O ; halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , 8/20
Execution of ABRO abort emit O ; halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , 8/20
Execution of ABRO abort halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , O } 8/20
Execution of ABRO abort halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , O } = ⇒ { B } 8/20
Execution of ABRO abort halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , O } = ⇒ { B } = ⇒ { R } 8/20
Execution of ABRO loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , O } = ⇒ { B } = ⇒ { R } 8/20
Execution of ABRO abort ( await A || await B ); emit O ; halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , O } = ⇒ { B } = ⇒ { R } 8/20
Execution of ABRO abort ( await A || await B ); emit O ; halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , O } = ⇒ { B } = ⇒ { R } = ⇒ { A , B , 8/20
Execution of ABRO abort halt when R ; loop abort ( await A || await B ) ; emit O ; halt when R end { B } = ⇒ { A , O } = ⇒ { B } = ⇒ { R } = ⇒ { A , B , O } 8/20
Global diagram of semantics ⊕ closest to PL semantics Constructive ⊕ one small set of rules Semantics ⊖ modifies the program State Semantics Microstep Semantics Circuit Semantics 9/20
Global diagram of semantics ⊕ closest to PL semantics Constructive ⊕ one small set of rules Semantics ⊖ modifies the program State Semantics Microstep Semantics Circuit Semantics 9/20
State Semantics ◮ Evaluation as moving annotations on the source code ◮ The underlying program never changes ◮ Pointers indicate where the execution is � several pointers because of parallelism ◮ Close to circuits: activated pause = activated register ◮ Two types of programs: ◮ Inert program p ◮ State � p = program under evaluation ◮ Term p = either � p or p ◮ Two sets of rules: ◮ Start: program → term ◮ Resume: state → term 10/20
Constructive vs. State: the if-then Rule ◮ Constructive Semantics E ′ , k s + ∈ E p ′ p ֒ − − − − → E E ′ , k p ′ s ? p , q ֒ − − − − → E ◮ State Semantics ◮ Start rule E ′ , k s + ∈ E p − − − − − p ′ ։ s ֒ E E ′ , k s ? p , q s ? p ′ , q − − − − − ։ s ֒ E ◮ Resume rule E ′ , k � p ′ p − − − − − − ։ r ֒ E E ′ , k s ? � s ? p ′ , q p , q − − − − − − ֒ ։ r E 11/20
ABRO again Constructive Semantics State Semantics loop abort ( await A || await B ) ; loop emit O ; abort halt ( await A || await B ) ; when R emit O ; end halt when R end 12/20
ABRO again Constructive Semantics State Semantics loop abort ( await A || await B ) ; loop emit O ; abort halt ( await A || await B ) ; when R emit O ; end halt when R end { B } 12/20
ABRO again Constructive Semantics State Semantics abort ( await A || nothing ); emit O ; loop halt abort when R ; ( � await A || await B ) ; loop emit O ; abort halt ( await A || await B ) ; � when R emit O ; end halt when R end { B } 12/20
ABRO again Constructive Semantics State Semantics abort ( await A || nothing ); emit O ; loop halt abort when R ; ( � await A || await B ) ; loop emit O ; abort halt ( await A || await B ) ; � when R emit O ; end halt when R end { B } = ⇒ { A , O } 12/20
ABRO again Constructive Semantics State Semantics abort loop halt abort when R ; ( await A || await B ) ; loop emit O ; abort � halt ( await A || await B ) ; � when R emit O ; end halt when R end { B } = ⇒ { A , O } 12/20
ABRO again Constructive Semantics State Semantics abort loop halt abort when R ; ( await A || await B ) ; loop emit O ; abort � halt ( await A || await B ) ; � when R emit O ; end halt when R end { B } = ⇒ { A , O } = ⇒ { B } 12/20
ABRO again Constructive Semantics State Semantics loop abort ( await A || await B ) ; loop emit O ; abort halt ( await A || await B ) ; when R emit O ; end halt when R end { B } = ⇒ { A , O } = ⇒ { B } = ⇒ { R } 12/20
ABRO again Constructive Semantics State Semantics abort ( await A || await B ); emit O ; loop halt abort when R ; ( � � await A || await B ) ; loop emit O ; abort halt ( await A || await B ) ; � when R emit O ; end halt when R end { B } = ⇒ { A , O } = ⇒ { B } = ⇒ { R } 12/20
Recommend
More recommend
![Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j](https://c.sambuz.com/1033063/verified-cyber-physical-systems-s.jpg)
