Section: New Results

Translation validation of Polychronous Equations with an iLTS Model-checker

Participants : Van-Chan Ngo, Jean-Pierre Talpin, Thierry Gautier, Paul Le Guernic, Loïc Besnard.

This work [16] , [18] , which is part of the VeriSync project, focuses on verifying the correctness of transformations on abstract clocks in the Signal compiler [8] . We propose to use model checking technique over Polynomial Dynamical Systems (PDS) with the Sigali model checker [39] .

Adopting the translation validation approach of [55] , [54] , we present an automated verification process to prove the correctness of a multi-clocked synchronous language compiler. Due to the very important role of abstract clocks and clock relations, we are interested in proving that abstract clocks and clock relations semantics of source programs are preserved during the compilation phases. Each individual transformation or optimization step of the compiler is followed by our verification process which proves the correctness of this step. The compiler will continue its work if and only if the correctness is proved positively. This approach avoids the disadvantage of proving in advance that the compiler always behaves correctly since every small change to the compiler requires reproving it.

Our verification framework uses polynomial dynamical systems (PDS) over a finite field, as common semantics for both source and transformed programs. We formalize the abstract clocks semantics of polychronous equations with the finite field modulo $p=3$ as a PDS [16] . For a signal $x$, if $x$ is boolean, we use the values $-1,0,+1$ to encode (respectively) the fact that it is present and false, absent, or present and true. Then, the abstract clock can be represented by $x^2$. If $x$ is non-boolean, we only encode the abstract clock by $x^2$, meaning that $x^2=0$ encodes $x$ is absent, $x^2=1$ encodes $x$ is present. An appropriate relation called refinement for PDSs is proposed to represent the correct transformation relation between the source and transformed programs. Then a dedicated checking procedure is proposed within Sigali to check the correct transformation relation. The checking procedure is based on the simulation techniques [30] . It is implemented as extension function of the Sigali model checker within the Polychrony toolset.

We have proposed an approach to prove the clock semantic preservation of the Signal compiler transformations until the generation code phase as well. The verification method applied to code generation phase addresses the formal verification of the generated C-code from a refined and optimized intermediate specification in which the compiler enforces logical timing constraints and in which the execution order of data-flow equations is completely scheduled. As a result, all individual transformations, optimizations, and code generation phases of the compiler are followed by a verification step which proves the correctness of transformations. The compiler continues if and only if correctness is proved and returns an error and a trace otherwise. The main idea is that the sequential C code is translated into the target synchronous program thanks to the intermediate SSA form, which is based on the work in [3] . In addition, if a refinement relation between two PDSs does not exist, our validator will find the set of states along with their associated events, which can be used to construct counterexamples in the transformed program [18] .