A verified compiler for Handel-C

The recent popularity of Field Programmable Gate Array (FPGA) technology has made the synthesis of Hardware Description Language (HDL) programs into FPGAs a very attractive topic for research. In particular, the correctness in the synthesis of an FPGA programming file from a source HDL program has gained significant relevance in the context of safety or mission-critical systems. The results presented here are part of a research project aiming at producing a verified compiler for the Handel-C language. Handel-C is a high level HDL based on the syntax of the C language extended with constructs to deal with parallel behaviour and process communications based on CSP. Given the complexity of designing a provably correct compiler for a language like Handel-C, we have adopted the algebraic approach to compilation as it offers an elegant solution to this problem. The idea behind algebraic compilation is to create a sound reasoning framework in which the a formal model of the source Handel-C program can be embedded and refined into a formal abstraction of the target hardware. As the algebraic rules used to compile the program are proven to preserve the semantics, the correctness of the entire compilation process (i.e., semantic equivalence between source and target programs) can be argued by construction, considering each programming construct in isolation, rather than trying to assert the correctness of the compilation in a single step. Regarding hardware synthesis, the algebraic approach has already been applied to subsets of Occam and Verilog. Our work builds on some ideas from these works but focuses on the more complex timing model imposed by Handel-C. Moreover, our work covers features like shared variables, multi-way communications and priorities which, to our knowledge, have never been addressed within the framework of algebraic compilation. Finally, one characteristic of the algebraic approach is that the basic reduction laws in the reasoning framework are postulated as axioms. As an invalid axiom would allow us to prove invalid results (up to the extent of being able to prove a false theorem) we are also concerned about the consistency of the basic postulates in our theory. We addressed this by providing denotational semantics for Handel-C and its reasoning extensions in the context of the Unifying Theories of Programming (UTP). Our UTP denotational semantics not only provided a model for our theory (hence, proving its consistency) but also allowed us to prove all the axioms in the compilation framework.

[1]  Andrew William Roscoe,et al.  The Theory and Practice of Concurrency , 1997 .

[2]  Jim Woodcock,et al.  Using Z - specification, refinement, and proof , 1996, Prentice Hall international series in computer science.

[3]  Susan Stepney,et al.  A demonstrably correct compiler , 2005, Formal Aspects of Computing.

[4]  Augusto Sampaio,et al.  A Normal Form Reduction Strategy for Hardware/Software Partitioning , 1997, FME.

[5]  C. A. R. Hoare,et al.  Communicating sequential processes , 1978, CACM.

[6]  Jim Woodcock,et al.  The Semantics of Circus , 2002, ZB.

[7]  Kees G. W. Goossens Reasoning about VHDL using operational and observational semantics , 1995, CHARME.

[8]  Gordon J. Pace,et al.  An embedded language framework for hardware compilation , 2002 .

[9]  Ulrich Hoffmann Compiler implementation verification through rigorous syntactical code inspection , 1998 .

[10]  Rocco De Nicola,et al.  Testing Equivalences for Processes , 1984, Theor. Comput. Sci..

[11]  Augusto Sampaio,et al.  A Constructive Approach to Hardware/Software Partitioning , 2004, Formal Methods Syst. Des..

[12]  Marcel Erné,et al.  A Primer on Galois Connections , 1993 .

[13]  Augusto Sampaio,et al.  Algebraic derivation of an operational semantics , 2000, Proof, Language, and Interaction.

[14]  Jifeng He,et al.  An Approach to the Specification and Verification of a Hardware Compilation Scheme , 2001, The Journal of Supercomputing.

[15]  Nancy G. Leveson,et al.  An investigation of the Therac-25 accidents , 1993, Computer.

[16]  David Gelperin,et al.  The growth of software testing , 1988, CACM.

[17]  C. A. R. Hoare,et al.  The Laws of Occam Programming , 1988, Theor. Comput. Sci..

[18]  Augusto Sampaio,et al.  Formal Bytecode Generation for a ROOL Virtual Machine , 2001 .

[19]  Boris Beizer,et al.  Software testing techniques (2. ed.) , 1990 .

[20]  Jim Woodcock,et al.  prialt in Handel-C: an operational semantics , 2004, International Journal on Software Tools for Technology Transfer.

[21]  Augusto Sampaio,et al.  Automation of a Normal Form Reduction Strategy for Object-oriented Programming , 2002 .

[22]  Peter J. Ashenden,et al.  The Designer's Guide to VHDL , 1995 .

[23]  Stefan Berghofer,et al.  Extracting a formally verified, fully executable compiler from a proof assistant , 2004, COCV@ETAPS.

[24]  Augusto Sampaio,et al.  Algebraic reasoning for object-oriented programming , 2004, Sci. Comput. Program..

[25]  Carlos Delgado Kloos,et al.  Clean formal semantics for VHDL , 1994, Proceedings of European Design and Test Conference EDAC-ETC-EUROASIC.

[26]  Susan Stepney,et al.  High integrity compilation - a case study , 1993 .

[27]  Jim Woodcock,et al.  Unifying theories in ProofPower-Z , 2006, Formal Aspects of Computing.

[28]  Shari Lawrence Pfleeger,et al.  Investigating the Influence of Formal Methods , 1997, Computer.

[29]  Augusto Sampaio An Algebraic Approach to Compiler Design , 1993, AMAST Series in Computing.

[30]  James W. Thatcher,et al.  More on Advice on Structuring Compilers and Proving them Correct , 1979, Theor. Comput. Sci..

[31]  Thomas F. Melham,et al.  Formally Analyzed Dynamic Synthesis of Hardware , 2004, The Journal of Supercomputing.

[32]  Jim Woodcock,et al.  A Tutorial Introduction to Designs in Unifying Theories of Programming , 2004, IFM.

[33]  Peter D. Mosses Theory and Practice of Action Semantics , 1996 .

[34]  Jifeng He,et al.  Towards a Provably Correct Hardware Implementation of Occam , 1993, CHARME.

[35]  Jim Woodcock,et al.  A Denotational Semantics for Handel-C Hardware Compilation , 2007, ICFEM.

[36]  George C. Necula,et al.  The design and implementation of a certifying compiler , 1998, PLDI.

[37]  Axel Dold,et al.  A Mechanically Verified Compiling Specification for a Lisp Compiler , 2001, FSTTCS.

[38]  Jifeng He,et al.  A Provably Correct Hardware Implementation of Occam , 1992 .

[39]  Carlos Delgado Kloos,et al.  A simple denotational semantics, proof theory and a validation condition generator for unit-delay VHDL , 1995, Formal Methods Syst. Des..

[40]  Joseph A. Goguen,et al.  Initial Algebra Semantics and Continuous Algebras , 1977, J. ACM.

[41]  Jifeng He An Algebraic Approach to the VERILOG Programming , 2002, 10th Anniversary Colloquium of UNU/IIST.

[42]  Thorsten Grotker,et al.  System Design with SystemC , 2002 .

[43]  Jim Woodcock,et al.  A "Hardware Compiler" Semantics for Handel-C , 2006, MFCSIT.

[44]  Augusto Sampaio,et al.  A Strategy for Compiling Classes, Inheritance, and Dynamic Binding , 2003, FME.

[45]  Rance Cleaveland,et al.  Using formal specifications to support testing , 2009, CSUR.

[46]  Tobias Nipkow Verified Bytecode Verifiers , 2001, FoSSaCS.

[47]  Ana Cavalcanti,et al.  Mechanical reasoning about families of UTP theories , 2009, Sci. Comput. Program..

[48]  Jim Woodcock,et al.  A Theory of Pointers for the UTP , 2008, ICTAC.

[49]  Glenford J. Myers,et al.  Art of Software Testing , 1979 .

[50]  Thomas F. Melham Higher Order Logic and Hardware Verification , 1993, Cambridge Tracts in Theoretical Computer Science.

[51]  Richard J. Boulton,et al.  Experience with Embedding Hardware Description Languages in HOL , 1992, TPCD.

[52]  R. Salomon,et al.  Advantages of FPGA-based multiprocessor systems in industrial applications , 2005, 31st Annual Conference of IEEE Industrial Electronics Society, 2005. IECON 2005..

[53]  William D. Young,et al.  A mechanically verified code generator , 1989, Journal of Automated Reasoning.

[54]  J. Strother Moore,et al.  A mechanically verified language implementation , 1989, Journal of Automated Reasoning.

[55]  A. W. Roscoe Denotational Semantics for occam , 1984, Seminar on Concurrency.

[56]  James F. Davis The affordable application of formal methods to software engineering , 2005 .

[57]  Donald MacKenzie,et al.  Mechanizing Proof: Computing, Risk, and Trust , 2001 .

[58]  Wolfgang Polak,et al.  Compiler Specification and Verification , 1981 .

[59]  Augusto Sampaio,et al.  Normal form approach to compiler design , 1993, Acta Informatica.

[60]  Jim Woodcock,et al.  Semantic domains for Handel-C , 2003, MFCSIT.

[61]  Ricky W. Butler,et al.  The infeasibility of experimental quantification of life-critical software reliability , 1991 .

[62]  F. Lockwood Morris,et al.  Advice on structuring compilers and proving them correct , 1973, POPL.

[63]  Wolfgang Goerigk Towards Acceptability of Optimizations: An Extended View of Compiler Correctness , 2002, Electron. Notes Theor. Comput. Sci..

[64]  M. Gordon,et al.  Introduction to HOL: a theorem proving environment for higher order logic , 1993 .

[65]  Ana Cavalcanti,et al.  A Weakest Precondition Semantics for Refinement of Object-Oriented Programs , 2000, IEEE Trans. Software Eng..

[66]  Gerhard Goos Compiler Verification and Compiler Architecture , 2002, Electron. Notes Theor. Comput. Sci..

[67]  Andrew Butterfield,et al.  A denotational semantics for Handel-C , 2011, Formal Aspects of Computing.

[68]  Greg Nelson,et al.  A generalization of Dijkstra's calculus , 1989, ACM Trans. Program. Lang. Syst..

[69]  Peter J. Landin,et al.  PROGRAMS AND THEIR PROOFS: AN ALGEBRAIC APPROACH, , 1968 .

[70]  Wolfgang Goerigk,et al.  Towards Rigorous Compiler Implementation Verification , 1999, Collaboration between Human and Artificial Societies.

[71]  Mandayam K. Srivas,et al.  Hardware Verification Using PVS , 1997, Formal Hardware Verification.

[73]  Carroll Morgan,et al.  Programming from specifications , 1990, Prentice Hall International Series in computer science.

[74]  Ronald Morrison,et al.  Recursive descent compiling , 1981 .

[75]  Donald E. Thomas,et al.  The Verilog hardware description language (4th ed.) , 1998 .

[76]  Jim Woodcock,et al.  A Concurrent Language for Refinement , 2001, IWFM.

[77]  Jan A. Bergstra,et al.  Algebra of Communicating Processes with Abstraction , 1985, Theor. Comput. Sci..

[78]  Jim Woodcock,et al.  A Tutorial Introduction to CSP in Unifying Theories of Programming , 2004, PSSE.

[79]  Bart Demoen,et al.  Programming in Prolog. Using the ISO Standard. by William F. Clocksin, Christopher S. Mellish, Springer-Verlag, 2003, ISBN 3-540-00678-8, xiii+299 pages , 2005, Theory and Practice of Logic Programming.

[80]  George C. Necula,et al.  A certifying compiler for Java , 2000, PLDI '00.

[81]  Michael Anthony Smith,et al.  Unifying Theories of Objects , 2007, IFM.

[82]  Shengchao Qin,et al.  Hardware/Software Partitioning in Verilog , 2002, ICFEM.

[83]  Simon L. Peyton Jones,et al.  Report on the programming language Haskell: a non-strict, purely functional language version 1.2 , 1992, SIGP.

[84]  Harry Foster,et al.  Applied Formal Verification , 2005 .

[85]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[86]  He Jifeng,et al.  Refinement algebra proves correctness of compilation , 1992 .

[87]  A. Cavalcanti,et al.  A Refinement Strategy for the Compilation of Classes , Inheritance , and Dynamic Binding ? , 2003 .

[88]  Vinod G. Shelake,et al.  Unleash the System On Chip using FPGAs and Handel C , 2009 .

[89]  Robert S. Boyer,et al.  A verified code generator for a subset of gypsy , 1988 .

[90]  Susan Stepney Incremental development of a high integrity compiler: experience from an industrial development , 1998, Proceedings Third IEEE International High-Assurance Systems Engineering Symposium (Cat. No.98EX231).

[91]  Reiner W. Hartenstein,et al.  The microprocessor is no longer general purpose: why future reconfigurable platforms will win , 1997, 1997 Proceedings Second Annual IEEE International Conference on Innovative Systems in Silicon.

[92]  Ian Page,et al.  Compiling occam into Field-Programmable Gate Arrays , 2001 .

[93]  Augusto Sampaio,et al.  Towards provably correct hardware/software partitioning using OCCAM , 1994, Third International Workshop on Hardware/Software Codesign.

[94]  Gérard Le Lann,et al.  An analysis of the Ariane 5 flight 501 failure-a system engineering perspective , 1997, ECBS.

[95]  Michael Anthony Smith,et al.  Unifying Theories of Locations , 2008, UTP.

[96]  Jonathan P. Bowen From programs to object code and back again using logic programming: Compilation and decompilation , 1993, J. Softw. Maintenance Res. Pract..

[97]  Augusto Sampaio,et al.  An Algebraic Approach to Combining Processes in a Hardware/Software Partitioning Environment , 1998, AMAST.

[98]  Thomas Kropf Formal Hardware Verification: Methods and Systems in Comparison , 1997 .

[99]  Sabine Glesner,et al.  Verified Code Generation for Embedded Systems , 2002, COCV@ETAPS.

[100]  Brian A. Davey,et al.  An Introduction to Lattices and Order , 1989 .

[101]  Jifeng He,et al.  Integrating Time and Resource into Circus , 2005, Electron. Notes Theor. Comput. Sci..

[102]  Carlos Delgado Kloos,et al.  Proof theory and a validation condition generator for VHDL , 1994, EURO-DAC '94.

[103]  A.T. Abdel-Hamid,et al.  A tool converting finite state machine to VHDL , 2004, Canadian Conference on Electrical and Computer Engineering 2004 (IEEE Cat. No.04CH37513).

[104]  Alfred V. Aho,et al.  The Theory of Parsing, Translation, and Compiling , 1972 .

[105]  Egon Börger,et al.  Java and the Java Virtual Machine: Definition, Verification, Validation , 2001 .