diff options
| author | Yann Herklotz <git@yannherklotz.com> | 2020-11-18 11:37:40 +0000 |
|---|---|---|
| committer | Yann Herklotz <git@yannherklotz.com> | 2020-11-18 11:37:40 +0000 |
| commit | 13924d40f0e7e0d7abeec2febc84930324018a6f (patch) | |
| tree | f64902ce1de6343b74f30260bbae47eb55ff9e90 /proof.tex | |
| parent | a39760b961cce7d8ad4d0e7774f3ef06c4eb9af2 (diff) | |
| download | oopsla21_fvhls-13924d40f0e7e0d7abeec2febc84930324018a6f.tar.gz oopsla21_fvhls-13924d40f0e7e0d7abeec2febc84930324018a6f.zip | |
Fix comments in algorithm section
Diffstat (limited to 'proof.tex')
| -rw-r--r-- | proof.tex | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -83,6 +83,10 @@ Firstly, as the input representation is a map, all the keys of the map will be u However, the proof of uniqueness of the keys only works if the translation function is \emph{injective}, meaning that the function will result in distinct outputs for all possible inputs. Otherwise, the proof of uniqueness of the keys for the input would not translate to a uniqueness of possible case expression matches in the output. However, in our case the translation function is actually not injective, even though it might at first seem like it, because the state is stored as an integer, whereas the map is addressable by any positive number. This means that if the positive number is greater than the maximum value that can be stored in the integer, the overflow would result in the wrong states being accessed. To make the function injective, we therefore have to prove that the input positive number is never greater than $2^{32}-1$ so that the uniqueness property also holds for the output. +The translation from maps to case statements is done by turning each node of the tree into a case expression with the statments in each being the same. The main difficulty for the proof is that a structure that can be directly accessed is transformed into an inductive structure where a certain number of constructors need to be called to get to the correct case. The proof of the translation from maps to case statements follows by induction over the list of elements in the map and the fact that each key in this list will be unique. In addition to that, the statement that is currently being evaluated is guaranteed by the correctness of the list of elements to be in that list. The latter fact therefore eliminates the base case, as an empty list does not contain the element we know is in the list. The other two cases follow by the fact that either the key is equal to the evaluated value of the case expression, or it isn't. In the first case we can then evaluate the statement and get the state after the case expression, as the uniqueness of the key tells us that the key cannot show up in the list anymore. In the other case we can just apply the inductive hypothesis and remove the current case from the case statement, as it did not match. + +Another problem with the representation of the state as an actual register is that we have to make sure that the state does not overflow. Currently, the state register will always be 32 bits, meaning the maximum number of states can only be $2^{32} - 1$. We therefore have to prove that the state value will never go over that value. This means that during the translation we have to check for each state that it can fit into an integer. \JW{So I guess this means that Vericert will refuse to compile a program with 5 million instructions? If so, might be worth making that explicit, and maybe even making `Size of state register' one of your Key Challenges?} + \subsection{Deterministic Semantics} Finally, to prove the backward simulation given the forward simulation, it has to be shown that if we generate hardware with a specific behaviour, that it is the only possible program with that behaviour. This only has to be performed for the final intermediate language, which is Verilog, so that the backward simulation holds for the whole chain from Clight to Verilog. |