Shu SHANG,Yuan-Ke GAN,Gang SHI,Sheng-Yuan WANG,Yuan DONG

DOI: https://doi.org/10.13328/j.cnki.jos.005213

2017-01-01

Abstract:Synchronous data-flow languages,such as Lustre,have been widely used in safety-critical industrial areas,such as airplanes,high-speed railways,and nuclear power plants.The safety of development tools themselves for these types of applications is highly required.In better solving the "miscompilation" problem,very successful progress has been made recently to implement the construction and verification of a conventional imperative language compiler,such as the CompCert C compiler,by using reliable-by-construction proof assistants.L2C is a trustworthy compiler developed based on such an approach,with an extended Lustre language as its source,and Clight,a C subset used in ComperCert,as its target.L2C is an industry-level synchronous data-flow language compiler developed by using the same technique.The paper focuses on the key translations of L2C and the main issues and experience in its design and implementation.

Gan Yuanke,Zhang Lingbo,Shi Gang,Wang Shengyuan,Dong Yuan,Zhang Zhihui,Wang Yanhai

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.05.001

2014-01-01

Abstract:Lustre is a synchronous data-flow language which is widely applied in nuclear power and aviation,all are in the areas with high credibility.The safety of the compiler will be significantly improved by applying the formal verification approach to implementing the translation from Lustre to C and proving its procedure.Because the Lustre program executes concurrently,the causality analysis and sequentialisation on it is necessary.In the paper,we implement a credible sorting procedure for Lustre program,which is completed by in the first formally defining the property of topological sorting and the Lustre semantics in associate layers with Coq tool,doing the causality analysis and sorting on Lustre program,then proving that a sorted Lustre program fulfils the property of topological sorting,and finally proving that any two Lustre programs both of which satisfying the property of topological sorting are semantically equivalent in execution.

Gang Shi,Yuanke Gan,Shu Shang,Shengyuan Wang,Yuan Dong,Pen-Chung Yew

DOI: https://doi.org/10.1109/icse-c.2017.83

2017-01-01

Abstract:Synchronous data-flow languages (SDFL), such as Lustre [1], is a concurrent language that has been widely used in safety-critical systems. Verified compilers for such languages are crucial in generating trustworthy object code. A good approach is to first translate a concurrent SDFL program to a sequential intermediate representation, such as a Clight [2] code, and then use an existing verified compiler such as CompCert [3] to produce executable object code for the target machine. A verified Sequentializer is crucial in such a verified compiler. It produces a sequential topological order among the program statements that preserve the program dependencies and the dynamic semantics of the original program. In this paper, we show such an approach for a SDFL language such as Lustre. The approach is general enough to be applicable to other SDFLs as well. It first gives a formal specification of the operational semantics, and proves its determinism property for a Lustre-like program. It then formally proves the equivalence of the original concurrent semantics and its target sequential semantics using the well-established proof assistant Coq ([4], [5]), and extracts the certified code for such a sequentializer by Coq.

Gang Shi,Yucheng Zhang,Shu Shang,Shengyuan Wang,Yuan Dong,Pen-Chung Yew

DOI: https://doi.org/10.1007/s11432-016-9270-0

2018-01-01

Science China Information Sciences

Abstract:>Multiple nested clocks is a major language feature in synchronous data-flow languages such as Lustre [1]. To build a formally verified compiler for such a language, it is a common practice to compile the source program to a C-like program first before compiling it to low-level machine-dependent code using a formally verified backend compiler

Timothy Bourke,Paul Jeanmaire,Basile Pesin,Marc Pouzet

DOI: https://doi.org/10.1145/3477041

2021-10-31

ACM Transactions on Embedded Computing Systems

Abstract:Dataflow languages allow the specification of reactive systems by mutually recursive stream equations, functions, and boolean activation conditions called clocks. Lustre and Scade are dataflow languages for programming embedded systems. Dataflow programs are compiled by a succession of passes. This article focuses on the normalization pass which rewrites programs into the simpler form required for code generation. Vélus is a compiler from a normalized form of Lustre to CompCert’s Clight language. Its specification in the Coq interactive theorem prover includes an end-to-end correctness proof that the values prescribed by the dataflow semantics of source programs are produced by executions of generated assembly code. We describe how to extend Vélus with a normalization pass and to allow subsampled node inputs and outputs. We propose semantic definitions for the unrestricted language, divide normalization into three steps to facilitate proofs, adapt the clock type system to handle richer node definitions, and extend the end-to-end correctness theorem to incorporate the new features. The proofs require reasoning about the relation between static clock annotations and the presence and absence of values in the dynamic semantics. The generalization of node inputs requires adding a compiler pass to ensure the initialization of variables passed in function calls.

computer science, software engineering, hardware & architecture

Yu-ping Lian,Yan Han,Ming-xu Huo,Jin-long Chen,Yan Zhang

DOI: https://doi.org/10.1631/jzus.a0720123

2008-01-01

Abstract:Considering the increasing use of information technology with established standards, such as TCP/IP and XML in modern industrial automation, we present a high cost performance solution with FPGA (field programmable gate array) implementation of a novel reliable real-time data transfer system based on EPA (Ethernet for plant automation) protocol and IEEE 1588 standard. This combination can provide more predictable and real-time communication between automation equipments and precise synchronization between devices. The designed EPA system has been verified on Xilinx Spartan3 XC3S1500 and it consumed 75% of the total slices. The experimental results show that the novel industrial control system achieves high synchronization precision and provides a 1.59-μs standard deviation between the master device and the slave ones. Such a real-time data transfer system is an excellent candidate for automation equipments which require precise synchronization based on Ethernet at a comparatively low price.

Sahil Bhatia,Jie Qiu,Niranjan Hasabnis,Sanjit A. Seshia,Alvin Cheung

2024-06-05

Abstract:Domain-specific languages (DSLs) are integral to various software workflows. Such languages offer domain-specific optimizations and abstractions that improve code readability and maintainability. However, leveraging these languages requires developers to rewrite existing code using the specific DSL's API. While large language models (LLMs) have shown some success in automatic code transpilation, none of them provide any functional correctness guarantees on the transpiled code. Another approach for automating this task is verified lifting, which relies on program synthesis to find programs in the target language that are functionally equivalent to the source language program. While several verified lifting tools have been developed for various application domains, they are specialized for specific source-target languages or require significant expertise in domain knowledge to make the search efficient. In this paper, leveraging recent advances in LLMs, we propose an LLM-based approach (LLMLift) to building verified lifting tools. We use the LLM's capabilities to reason about programs to translate a given program into its corresponding equivalent in the target language. Additionally, we use LLMs to generate proofs for functional equivalence. We develop lifting-based compilers for {\em four different} DSLs targeting different application domains. Our approach not only outperforms previous symbolic-based tools in both the number of benchmarks transpiled and transpilation time, but also requires significantly less effort to build.

Programming Languages

N. Halbwachs,P. Caspi,P. Raymond,D. Pilaud

DOI: https://doi.org/10.1109/5.97300

IF: 20.6

1991-01-01

Proceedings of the IEEE

Abstract:The authors describe LUSTRE, a data flow synchronous language designed for programming reactive systems-such as automatic control and monitoring systems-as well as for describing hardware. The data flow aspect of LUSTRE makes it very close to usual description tools in these domains (block-diagrams, networks of operators, dynamical sample-systems, etc.), and its synchronous interpretation makes it well suited for handling time in programs. Moreover, this synchronous interpretation allows it to be compiled into an efficient sequential program. The LUSTRE formalism is very similar to temporal logics. This allows the language to be used for both writing programs and expressing program properties, which results in an original program verification methodology.<>

engineering, electrical & electronic

Hasan Ferit Eniser,Hanliang Zhang,Cristina David,Meng Wang,Maria Christakis,Brandon Paulsen,Joey Dodds,Daniel Kroening

2024-05-21

Abstract:Large language models (LLMs) show promise in code translation - the task of translating code written in one programming language to another language - due to their ability to write code in most programming languages. However, LLM's effectiveness on translating real-world code remains largely unstudied. In this work, we perform the first substantial study on LLM-based translation to Rust by assessing the ability of five state-of-the-art LLMs, GPT4, Claude 3, Claude 2.1, Gemini Pro, and Mixtral. We conduct our study on code extracted from real-world open source projects. To enable our study, we develop FLOURINE, an end-to-end code translation tool that uses differential fuzzing to check if a Rust translation is I/O equivalent to the original source program, eliminating the need for pre-existing test cases. As part of our investigation, we assess both the LLM's ability to produce an initially successful translation, as well as their capacity to fix a previously generated buggy one. If the original and the translated programs are not I/O equivalent, we apply a set of automated feedback strategies, including feedback to the LLM with counterexamples. Our results show that the most successful LLM can translate 47% of our benchmarks, and also provides insights into next steps for improvements.

Software Engineering

Zhengyao Lin,Joshua Gancher,Bryan Parno

2024-04-12

Abstract:Coarse-grained reconfigurable arrays (CGRAs) have gained attention in recent years due to their promising power efficiency compared to traditional von Neumann architectures. To program these architectures using ordinary languages such as C, a dataflow compiler must transform the original sequential, imperative program into an equivalent dataflow graph, composed of dataflow operators running in parallel. This transformation is challenging since the asynchronous nature of dataflow graphs allows out-of-order execution of operators, leading to behaviors not present in the original imperative programs. We address this challenge by developing a translation validation technique for dataflow compilers to ensure that the dataflow program has the same behavior as the original imperative program on all possible inputs and schedules of execution. We apply this method to a state-of-the-art dataflow compiler targeting the RipTide CGRA architecture. Our tool uncovers 8 compiler bugs where the compiler outputs incorrect dataflow graphs, including a data race that is otherwise hard to discover via testing. After repairing these bugs, our tool verifies the correct compilation of all programs in the RipTide benchmark suite.

Programming Languages,Hardware Architecture

Aidan Z.H. Yang,Yoshiki Takashima,Brandon Paulsen,Josiah Dodds,Daniel Kroening

2024-05-25

Abstract:Rust is a programming language that combines memory safety and low-level control, providing C-like performance while guaranteeing the absence of undefined behaviors by default. Rust's growing popularity has prompted research on safe and correct transpiling of existing code-bases to Rust. Existing work falls into two categories: rule-based and large language model (LLM)-based. While rule-based approaches can theoretically produce correct transpilations that maintain input-output equivalence to the original, they often yield unreadable Rust code that uses unsafe subsets of the Rust language. On the other hand, while LLM-based approaches typically produce more readable, maintainable, and safe code, they do not provide any guarantees about correctness. In this work, we present VERT, a tool that can produce readable Rust transpilations with formal guarantees of correctness. VERT's only requirement is that there is Web Assembly compiler for the source language, which is true for most major languages. VERT first uses the Web Assembly compiler to obtain an oracle Rust program. In parallel, VERT uses an LLM to generate a readable candidate Rust program. This candidate is verified against the oracle, and if verification fails, we regenerate a new candidate transpilation until verification succeeds. We evaluate VERT by transpiling a suite of 1,394 programs taken from competitive programming style benchmarks. Combining Anthropic's Claude-2 and VERT increases Rust transpilations passing property-based testing from 31% to 54% and bounded model-checking from 1% to 42% compared to using Claude alone. In addition, we evaluate VERT's ability to generate non-trivial safe Rust on programs taken from real-world C projects that make significant use of pointers. Our results provide insights into the limitations of LLMs to write safe Rust.

Programming Languages,Software Engineering

Yanzhao Wang,Fei Xie

2024-02-01

Abstract:This paper presents a framework that integrates Large Language Models (LLMs) into translation validation, targeting LLVM compiler transformations where formal verification tools fall short. Our framework first utilizes existing formal verification tools for translation validation. In this work, we use Alive2, a well-known tool in LLVM compiler verification, as an example. When formal verification tools are unable to confirm a transformation's soundness, our framework employs fine-tuned LLMs for prediction. It then applies fuzzing to transformations predicted as potentially unsound by the LLMs due to return values or memory inconsistencies, aiming to find counterexamples. In cases where transformations are unsound for other reasons or sound, or if no counterexamples emerge, the framework directly reports these outcomes without further fuzzing. This methodology has shown effectiveness in complex application such as deep-learning accelerator designs, where traditional formal verification tools struggle.

Programming Languages,Software Engineering

Matthew T. Dearing,Yiheng Tao,Xingfu Wu,Zhiling Lan,Valerie Taylor

2024-07-01

Abstract:This paper addresses the problem of providing a novel approach to sourcing significant training data for LLMs focused on science and engineering. In particular, a crucial challenge is sourcing parallel scientific codes in the ranges of millions to billions of codes. To tackle this problem, we propose an automated pipeline framework, called LASSI, designed to translate between parallel programming languages by bootstrapping existing closed- or open-source LLMs. LASSI incorporates autonomous enhancement through self-correcting loops where errors encountered during compilation and execution of generated code are fed back to the LLM through guided prompting for debugging and refactoring. We highlight the bi-directional translation of existing GPU benchmarks between OpenMP target offload and CUDA to validate LASSI. The results of evaluating LASSI with different application codes across four LLMs demonstrate the effectiveness of LASSI for generating executable parallel codes, with 80% of OpenMP to CUDA translations and 85% of CUDA to OpenMP translations producing the expected output. We also observe approximately 78% of OpenMP to CUDA translations and 62% of CUDA to OpenMP translations execute within 10% of or at a faster runtime than the original benchmark code in the same language.

Software Engineering,Artificial Intelligence,Distributed, Parallel, and Cluster Computing,Programming Languages

Roberto Metere,Andreas Lindner,Roberto Guanciale

DOI: https://doi.org/10.1007/978-3-319-70848-5_13

2018-07-27

Abstract:In order to handle the complexity and heterogeneity of mod- ern instruction set architectures, analysis platforms share a common design, the adoption of hardware-independent intermediate representa- tions. The usage of these platforms to verify systems down to binary-level is appealing due to the high degree of automation they provide. How- ever, it introduces the need for trusting the correctness of the translation from binary code to intermediate language. Achieving a high degree of trust is challenging since this transpilation must handle (i) all the side effects of the instructions, (ii) multiple instruction encoding (e.g. ARM Thumb), and (iii) variable instruction length (e.g. Intel). We overcome these problems by formally modeling one of such intermediate languages in the interactive theorem prover HOL4 and by implementing a proof- producing transpiler. This tool translates ARMv8 programs to the in- termediate language and generates a HOL4 proof that demonstrates the correctness of the translation in the form of a simulation theorem. We also show how the transpiler theorems can be used to transfer properties verified on the intermediate language to the binary code.

Programming Languages

Hanru Jiang,Hongjin Liang,Siyang Xiao,Junpeng Zha,Xinyu Feng

DOI: https://doi.org/10.1145/3314221.3314595

2019-01-01

Abstract:Certified separate compilation is important for establishing end-to-end guarantees for certified systems consisting of multiple program modules. There has been much work building certified compilers for sequential programs. In this paper, we propose a language-independent framework consisting of the key semantics components and lemmas that bridge the verification gap between the compilers for sequential programs and those for (race-free) concurrent programs, so that the existing verification work for the former can be reused. One of the key contributions of the framework is a novel footprint-preserving compositional simulation as the compilation correctness criterion. The framework also provides a new mechanism to support confined benign races which are usually found in efficient implementations of synchronization primitives. With our framework, we develop CASCompCert, which extends CompCert for certified separate compilation of race-free concurrent Clight programs. It also allows linking of concurrent Clight modules with x86-TSO implementations of synchronization primitives containing benign races. All our work has been implemented in the Coq proof assistant.

Céline Bellanger,Pierre-Loïc Garoche,Matthieu Martel,Célia Picard

DOI: https://doi.org/10.4204/EPTCS.395.14

2023-11-16

Abstract:Signal Temporal Logic (STL) is a convenient formalism to express bounded horizon properties of autonomous critical systems. STL extends LTL to real-valued signals and associates a non-singleton bound interval to each temporal operators. In this work we provide a rigorous encoding of non-nested discrete-time STL formulas into Lustre synchronous observers. Our encoding provides a three-valued online semantics for the observers and therefore enables both the verification of the property and the search of counter-examples. A key contribution of this work is an instrumented proof of the validity of the implementation. Each node is proved correct with respect to the original STL semantics. All the experiments are automated with the Kind2 model-checker and the Z3 SMT solver.

Logic in Computer Science

Yanzhao Wang,Fei Xie,Zhenkun Yang,Pasquale Cocchini,Jin Yang

DOI: https://doi.org/10.1142/s021819402450030x

IF: 1.007

2024-07-20

International Journal of Software Engineering and Knowledge Engineering

Abstract:International Journal of Software Engineering and Knowledge Engineering, Ahead of Print. This paper introduces an innovative translation validation framework designed for MLIR-based compilers, which has garnered considerable prominence in fields such as machine learning, high-performance computing and hardware design. Despite rigorous testing, compilers based on MLIR might still induce incorrect results and undefined behaviors, necessitating verification work. Our framework first takes a pair of MLIR programs as inputs and check their function signature's compatibility before encoding them into SMT expressions. Then it uses the Z3 SMT solver to check whether the target program refines the source program. Our framework transcends the dialect limitations of past solutions, thereby providing validation support to a wider range of MLIR-based compilers. We demonstrate its effectiveness through evaluations on prominent open-source MLIR-based compilers, where we identified bugs and undefined behaviors. We further demonstrate the capability of this framework by validating two practical deep-learning accelerator designs.

computer science, artificial intelligence,engineering, electrical & electronic, software engineering

Hanliang Zhang,Cristina David,Meng Wang,Brandon Paulsen,Daniel Kroening

2024-12-11

Abstract:Large language models (LLMs) show promise in code translation due to their ability to generate idiomatic code. However, a significant limitation when using LLMs for code translation is scalability: existing works have shown a drop in translation success rates for code exceeding around 100 lines. We overcome this limitation by developing a modular approach to translation, where we partition the code into small code fragments which can be translated independently and semantically validated (that is, checking I/O equivalence). When this approach is applied naively, we discover that LLMs are unreliable when translating features of the source language that do not have a direct mapping to the target language, and that the LLM often gets stuck in repair loops when attempting to fix errors. To address these issues, we introduce two key concepts: (1) feature mapping, which integrates predefined translation rules with LLM-based translation to guide the LLM in navigating subtle language differences and producing semantically accurate code; and (2) type-compatibility, which facilitates localized checks at the function signature level to detect errors early, thereby narrowing the scope of potential repairs. We apply our approach to translating real-world Go codebases to Rust, demonstrating that we can consistently generate reliable Rust translations for projects up to 6,600 lines of code and 369 functions, with an average of 73% of functions successfully validated for I/O equivalence, considerably higher than any existing work.

Programming Languages,Software Engineering

Ali Reza Ibrahimzada,Kaiyao Ke,Mrigank Pawagi,Muhammad Salman Abid,Rangeet Pan,Saurabh Sinha,Reyhaneh Jabbarvand

2024-11-01

Abstract:Code translation transforms programs from one programming language (PL) to another. Several rule-based transpilers have been designed to automate code translation between different pairs of PLs. However, the rules can become obsolete as the PLs evolve and cannot generalize to other PLs. Recent studies have explored the automation of code translation using Large Language Models (LLMs). One key observation is that such techniques may work well for crafted benchmarks but fail to generalize to the scale and complexity of real-world projects with dependencies, custom types, PL-specific features, etc. We propose AlphaTrans, a neuro-symbolic approach to automate repository-level code translation. AlphaTrans translates both source and test code, and employs multiple levels of validation to ensure the translation preserves the functionality of the source program. To break down the problem for LLMs, AlphaTrans leverages program analysis to decompose the program into fragments and translates them in the reverse call order. We leveraged AlphaTrans to translate ten real-world open-source projects consisting of <836, 8575, 2719> classes, methods, and tests. AlphaTrans translated the entire repository of these projects consisting of 6899 source code fragments. 99.1% of the translated code fragments are syntactically correct, and AlphaTrans validates the translations' runtime behavior and functional correctness for 25.8%. On average, the integrated translation and validation take 36 hours to translate a project, showing its scalability in practice. For the syntactically or semantically incorrect translations, AlphaTrans generates a report including existing translation, stack trace, test errors, or assertion failures. We provided these artifacts to two developers to fix the translation bugs in four projects. They were able to fix the issues in 20.1 hours on average and achieve all passing tests.

Software Engineering,Machine Learning

Rishov Sarkar,Cong Hao

2023-04-22

Abstract:High-Level Synthesis allows hardware designers to create complex RTL designs using C/C++. The traditional HLS workflow involves iterations of C/C++ simulation for partial functional verification and HLS synthesis for coarse timing estimates. However, neither C/C++ simulation nor HLS synthesis estimates can account for complex behaviors like FIFO interactions and pipeline stalls, thereby obscuring problems like deadlocks and latency overheads. Such problems are revealed only through C/RTL co-simulation, which is typically orders of magnitude slower than either C/C++ simulation or HLS synthesis, far too slow to integrate into the edit-run development cycle. Addressing this, we propose LightningSim, a fast simulation tool for HLS that combines the speed of native C/C++ with the accuracy of C/RTL co-simulation. LightningSim directly operates on the LLVM intermediate representation (IR) code and accurately simulates a hardware design's dynamic behavior. First, it traces LLVM IR execution to capture the run-time information; second, it maps the static HLS scheduling information to the trace to simulate the dynamic behavior; third, it calculates stalls and deadlocks from inter-function interactions to get precise cycle counts. Evaluated on 33 benchmarks, LightningSim produces 99.9%-accurate timing estimates up to 95x faster than RTL simulation. Our code is publicly available on GitHub.

Performance,Hardware Architecture