[Title of Invention]

COMPUTER IMPLEMENTED METHOD, COMPUTER PROGRAM PRODUCT, COMPUTER-READABLE STORAGE MEDIUM, AND SYSTEM [Technical Field] [0001]

The present disclosure relates to computer program development and relates more specifically to a method and system for proving an absence of difference in the respective behaviors of a first dataflow program and a second dataflow program.

[Background Art]

[0002]

The whole life of a software requires source code upgrade: first during its development, but also after its deployment to fix bugs, provide new features or more important evolutions.

[0003]

When upgrading a software’s source code, one needs to ensure that the source code modifications do not impact more the behavior of the software than what is expected. Usually, this is verified by regression testing, by replaying all functional and non-functional tests previously written and successfully passed on the previous version of the software. Regression testing helps discovering some source code upgrades which may alter the desired behavior of the software. [0004]

However, if regression testing gives a first hint to the developer, it may be difficult for the developer to detect efficiently the actual impact of the source code upgrade on the whole software.

[0005]

Change impact analysis intends to solve that issue to identify which part of the software may have a different behavior after modification during source code upgrade. This provides two main benefits: (1) it helps developers to better understand the actual impact of the change on the software, meaning that they can better anticipate some possible bugs and (2) it may speed-up development since replaying regression tests may consume a large amount of time.

[0006]

In the field of change impact analysis, dependency-based methods identify changes by comparing elements at the same granularity level, e.g. at the design level or at the source code level, by analyzing their syntax. We focus herein on source code level dependency-based approaches, that detect or analyze changes on the real final source code program.

[0007]

For instance, one approach is based on difference semantics, which provides a formal semantics for difference between two source code programs, allowing the user to reason on its properties.

[0008]

For instance, NPL 1 proposes to reason on two programs written in the Boogie intermediate language, which has front-ends for various languages like C or Java. The principle of their approach is to use satisfiability modulo theories, SMT, solvers like Z3 to modularly prove the equivalence between the two programs. This approach applies to traditional programming languages such as C or Java and is not adequate for e.g. dataflow programming languages, especially for memory blocks.

[0009]

Dataflow programming languages correspond to a programming paradigm in which programs are seen as series of connections and boxes corresponding to data movements and transformations. In contrast with programs written in traditional programming languages such as C or Java, dataflow programs are parallel by construction, making them particularly adequate to model physical systems or hardware, mainly for embedded applications. Graphical programming environments offer a natural framework to implement dataflow programs. Among them, we can cite SCADE®, a dataflow programming language with a formal semantics, based on the Lustre synchronous language, and Simulink®, a Matlab® graphical dataflow programming environment to model and simulate dynamical systems.

[0010]

As in any conventional programming languages, it is important to distinguish syntactic and semantics changes. As soon as two programs differ in their implementations, there is a syntactic change between them. It does not necessarily mean that they have different behaviors. We say that there is a semantic change between two programs when they differ on their behavior, i.e. when on the same input values, they differ on their output values. In the present disclosure, the goal is therefore to verify whether two syntactically different dataflow programs differ in their respective behaviors (i.e. whether they are semantically different).

[0011]

Figure 1 represents schematically two Simulink® dataflow programs (models) which are syntactically different but semantically equivalent. More specifically, part a) of figure 1 represents a first dataflow program implementing a function f , and part b) of figure 1 represents a second dataflow program implementing a function g, wherein both functions f and g model a Boolean clock with a period T = 2.

[0012]

The prior art solutions are not able to automatically detect semantic differences between dataflow programs such as represented in figure 1. In particular, source code level dependency-based approaches are dedicated to traditional languages like C or Java.

[Citation List]

[Non Patent Literature]

[0013]

[NPL 1]

Lahiri, S. K., Hawblitzel, C., Kawaguchi, M., Rebelo, H.: “Symdiff: A language-agnostic semantic diff tool for imperative programs”, In International Conference on Computer Aided Verification, pages 712-717, Springer, 2012. [Summary of Invention] [0014]

The present disclosure aims at improving the situation. In particular, the present disclosure aims at overcoming at least some of the limitations of the prior art discussed above, by proposing a solution enabling automatically and formally proving the absence of semantic (behavior) differences between syntactically different dataflow programs.

[0015]

For this purpose, and according to a first aspect, the present disclosure relates to a computer implemented method for proving an absence of difference in the respective behaviors of a first dataflow program and a second dataflow program, the first dataflow program and the second dataflow program having a same set of input variables, a same set of output variables and respective sets of internal variables, the first dataflow program and the second dataflow program having an initialization phase and an execution phase relative to execution steps after the initialization phase, wherein the internal variables correspond to variables for which the values are memorized from one execution step to another, said method comprising: parsing the first dataflow program and the second dataflow program to produce respectively a first mathematical representation and a second mathematical representation, receiving an induction relation linking the values of the set of internal variables of the first dataflow program with the values of the set of internal variables of the second dataflow program, setting an initial sequent based on the first mathematical representation and the second mathematical representation, said initial sequent defining that the values of the set of output variables of the first and second dataflow program are identical, iteratively applying a predetermined set of deduction rules to the initial sequent until irreducible sequents are obtained, each deduction rule converting a sequent into at least one other sequent, wherein the set of deduction rules comprises an induction deduction rule which is applied and converts a sequent into a first sequent relative to the initialization phase, referred to as initialization root sequent, and a sequent relative to the execution phase, referred to as execution root sequent, which includes as hypothesis the induction relation and the fact that the values of the set of output variables of the first and second dataflow program are identical at the previous execution step, applying a decision procedure to each irreducible sequent.

[0016]

Basically, the first dataflow program and the second dataflow program (wherein the second dataflow program may for instance be an upgrade of the first dataflow program) have the same behavior if they provide at each execution step the same output variables’ values when subjected to the same input variables’ values. Hence for a same sequence of input variables’ values, the first dataflow program and the second dataflow program should provide the same sequence of output variables’ values. In other words, the first and second dataflow programs should yield the same execution traces, wherein an execution trace corresponds to a sequence of the successive states of the variables of the dataflow programs, associated to the successive execution steps.

[0017]

However, such execution traces are typically infinite, such that it is not possible to formally prove an absence of difference between the respective behaviors of the first and second dataflow programs by directly comparing all possible execution traces produced by the first and second dataflow programs. [0018]

A dataflow program typically comprises internal variables which are persistent, i.e. for which the values are memorized from one execution step to another. Hence, during an execution step, the behavior of the dataflow program depends on the values of these internal variables at the end of the previous execution step, and these values may be updated during the current execution step (and memorized for the next execution step, etc.). Such internal variables may also be referred to as memory blocks in the sequel. In the present disclosure, it is therefore assumed that there exists an induction relation R which links the values of the set of internal variables of the first dataflow program with the values of the set of internal variables of the second dataflow program, and that this induction relation R holds from one execution step to another. This induction relation R is not proved and is received as an input of the method. For instance, the induction relation R may be established by a developer. Hence, the induction relation R can be used to synchronize the values of the internal variables of the first and second dataflow programs, such as to be able to consider virtually any execution step of any execution trace without having to fully execute a whole execution trace.

[0019]

Based on this induction relation R , the proposed method then tries proving formally the absence of behavior difference by induction. The proposed method therefore distinguishes an initialization phase, during which the values of the internal variables are typically initialized, and an execution phase, during which the induction relation Ji enables to synchronize the values of the internal variables of the first and second dataflow programs.

[0020]

The proposed method proves the absence of behavior difference by using sequent calculation. An initial sequent is defined by using a first mathematical representation and a second mathematical representation, which represent the mathematical computations/equations performed by respectively the first dataflow program and the second dataflow program. This initial sequent basically states that the values of the set of output variables of the first and second dataflow programs are identical, by using the first and second mathematical representations. Then, predetermined deduction rules are applied iteratively until irreducible sequents are obtained (i.e. on which no further deduction rule can be applied). In particular, an induction deduction rule is applied once to produce an initialization root sequent (relative to the initialization phase) and an execution root sequent (relative to the execution phase, which assumes as hypothesis the induction relation Ji). Accordingly, some of the irreducible sequents will be based on the initialization root sequent and some of the irreducible sequents will be based on the execution root sequent. The absence of behavior difference is evaluated by applying an automatic decision procedure to the irreducible sequents, by trying to prove inter alia the absence of behavior difference for the initialization phase (sequents based on the initialization root sequent) and for the execution phase (sequents based on the execution root sequent).

[0021]

If all irreducible sequents are considered satisfiable, then the absence of behavior difference is proved. In turn, if one of the irreducible sequents is not satisfiable, then the absence of behavior difference is not proved and the first and second dataflow programs are considered to exhibit semantic differences. [0022]

In specific embodiments, the proving method can further comprise one or more of the following optional features, considered either alone or in any technically possible combination.

[0023]

In specific embodiments, the set of deduction rules comprises at least one initialization-specific deduction rule, which is applicable only on the initialization root sequent or on a sequent deduced from the initialization root sequent, and at least one execution-specific deduction rule, which is applicable only on the execution root sequent or on a sequent deduced from the execution root sequent. [0024]

In specific embodiments, the first dataflow program and the second dataflow program are in a textual programming language.

[0025]

In specific embodiments, the first dataflow program and the second dataflow program are in a visual programming language and are converted into a textual programming language before parsing.

[0026]

In specific embodiments, the absence of difference in the behaviors of the first and second dataflow programs is proved when each irreducible sequent is proved to be satisfiable by a decision procedure.

[0027]

In specific embodiments, when an irreducible sequent cannot be proved to be satisfiable by a decision procedure, said decision procedure returns a witness state of the non-satisfiability of said irreducible sequent, said witness state including values of the set of input variables and values of the respective sets of internal variables of the first and second dataflow programs, which satisfy the induction relation, for which the values of the set of output variables are not identical for the first and second dataflow program.

[0028]

In specific embodiments, each decision procedure is an automatic theorem prover, for instance a satisfiability modulo theories, SMT, solver.

[0029]

According to a second aspect, the present disclosure relates to a computer program product comprising instructions which, when executed by at least one processor, configure said at least one processor to carry out a method according to any one of the embodiments of the present disclosure. [0030]

According to a third aspect, the present disclosure relates to a computer- readable storage medium comprising instructions which, when executed by at least one processor, configure said at least one processor to carry out a method according to any one of the embodiments of the present disclosure. [0031]

According to a fourth aspect, the present disclosure relates to a system for proving an absence of difference in the respective behaviors of a first dataflow program and a second dataflow program, the first dataflow program and the second dataflow program having a same set of input variables, a same set of output variables and respective sets of internal variables, the first dataflow program and the second dataflow program having an initialization phase and an execution phase relative to execution steps after the initialization phase, wherein the internal variables correspond to variables for which the values are memorized from one execution step to another, said system comprising at least one processor and at least one memory, wherein the at least one processor is configured to carry out a method according to any one of the embodiments of the present disclosure. [0032] Hence, the present disclosure addresses the automatic and formal verification of semantic changes absence between syntactically different dataflow programs. Thanks to the proposed solution, there is no need of maintaining a database of non-regression tests to get a good coverage, while exhaustiveness of the proposed solution is guaranteed. The proposed solution is fully automatic, and the user does not need to provide the verification system with an ad hoc definition of absence of change for the considered dataflow programs. Instead, we propose a definition of absence of semantic change sufficiently generic to handle any dataflow program.

[0033]

The invention will be better understood upon reading the following description, given as an example that is in no way limiting, and made in reference to the figures.

[Brief Description of Drawings]

[0034]

[Fig. l]

Figure 1 represents schematical representations of examples of two syntactically different dataflow programs which are semantically identical. [Fig. 2]

Figure 2 represents a diagram representing the main steps of an exemplary embodiment of a method for proving an absence of difference in the behaviors of two dataflow programs.

[Fig. 3]

Figure 3 represents an example of generic syntax of a dataflow textual programming language.

[Fig. 4]

Figure 4 represents an example of semantic rules for expressions.

[Fig. 5] Figure 5 represents an example of semantic rules for equations.

[Fig. 6]

Figure 6 represents an example of deduction rules for the analysis of the absence of difference between the behaviors of dataflow programs.

[Fig. 7]

Figure 7 represents an example of a general structure of a proof tree obtained when applying the deduction rules.

[Fig. 8]

Figure 8 represents an example of proof tree obtained when applying the deduction rules to the dataflow programs in figure 1.

[Description of Embodiments]

[0035]

In these figures, references identical from one figure to another designate identical or analogous elements. For reasons of clarity, the elements shown are not to scale, unless explicitly stated otherwise.

[0036]

Also, the order of steps represented in these figures is provided only for illustration purposes and is not meant to limit the present disclosure which may be applied with the same steps executed in a different order.

[0037]

Figure 2 represents schematically the main steps of a method 20 for proving an absence of difference in the respective behaviors of a first dataflow program and a second dataflow program.

[0038]

The proving method 20 is carried out by a computer system (not represented in the figures). In preferred embodiments, the computer system comprises one or more processors (which may belong to a same computer or to different computers) and one or more memories (which may belong to a same computer or to different computers). The one or more processors may include for instance a central processing unit (CPU), a digital signal processor (DSP), a field- programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc. The one or more memories may include any type of computer readable volatile and non-volatile memories (magnetic hard disk, solid-state disk, optical disk, electronic memory, etc.). The one or more memories may store a computer program product, in the form of a set of program-code instructions to be executed by the one or more processors in order to implement all or part of the steps of the proving method 20. In other words, the computer system comprises a set of means configured by software (specific computer program product) and/or by hardware (CPU, FPGA, ASIC, etc.) to implement the steps of the proving method 20.

[0039]

In the present disclosure, we want to compare the behaviors of a first dataflow program and a second dataflow program. These first and second dataflow programs have a same set of input variables, a same set of output variables (strictly identical or identical up to a bijective application) and respective sets of internal variables. These first and second dataflow programs conventionally have an initialization phase and an execution phase which is relative to execution steps after the initialization phase. Also, the internal variables correspond to variables for which the values are memorized and used from one execution step to another (i.e. memory blocks).

[0040]

The present disclosure applies to dataflow programs in source code. The present disclosure is not limited to a specific dataflow programming language and can be applied to any dataflow programming language, including any type of visual (graphical) or textual dataflow programming language.

[0041] In preferred embodiments, the first and second dataflow programs to be compared are provided in a textual programming language. If the first and second dataflow programs are initially in a visual programming language, the proving method 20 may comprise a prior step of converting the first and second dataflow programs into a textual programming language. In the sequel, we consider in a non-limitative manner that the first and second dataflow programs are in textual programming language.

[0042]

In the present disclosure, we consider a generic textual programming language for which we provide hereinbelow the considered generic syntax, that will serve as basis for the analysis of the behavior difference of the dataflow programs. Hence, we consider in a non-limitative manner that the first and second dataflow programs are provided using the generic syntax of the proposed generic textual programming language. However, the present disclosure can be applied to any textual programming language grammar. In particular, existing dataflow programming environments such as SCADE® or Matlab Simulink®, despite using a graphical dataflow programming environment, are configured to provide the dataflow programs in textual programming language, using respective syntaxes. The present disclosure can be applied using any of these syntaxes, either directly or indirectly by converting beforehand said syntaxes into the generic syntax considered herein in a non-limitative manner.

[0043]

Generic syntax of the textual dataflow programming language

Textual dataflow programs are made of equational descriptions and may be based on the generic syntax represented in figure 3. Any dataflow program may be expressed using this generic syntax.

[0044]

Dataflow programs are made of sets of identifiers (for input, internal and output variables) and of sets of equations that correspond to relations between expressions (themselves built from the variables) that must be satisfied by the system at any time. Among expressions, two constructions are rather unusual to traditional (non-dataflow) programming languages: “folio wed-by” ( Expression —> Expression) and “pre” ( pre Expression ) that are used to describe memory blocks (used to store values of internal variables from one execution step to another). The “pre” constructor describes a temporal delay while the “folio wed-by” arrow serves an initialization phase. For instance, if we consider z = 0 — > pre x, then this means that the value of z is equal to 0 at initialization and then, for each subsequent iteration, it takes the value x at the previous iteration. Table 1 below describes the evolution of z according to the evolution of x:

[0045]

[Table 1]

[0046]

The generic syntax represented in figure 3 (or any dataflow programming language syntax) is richer than what is actually required to describe and to conduct the absence of behavior difference analysis.

[0047]

Accordingly, in some embodiments, and as illustrated by figure 2, the proving method 20 comprises a step S20 of parsing the first and second dataflow programs. Such a parsing step S20 is conventionally implemented in compilation methods and aims herein at producing a mathematical representation for each of the first and second dataflow programs. Hence, the parsing step S20 produces inter alia a first mathematical representation for the first dataflow program and a second mathematical representation for the second dataflow program. These first and second mathematical representations represent the mathematical computations/equations performed by respectively the first dataflow program and the second dataflow program on the input and internal variables to produce the output variables.

[0048]

For instance, the parsing step S20 may use an abstract syntax to produce the first and second mathematical representations. We provide hereinbelow an example of abstract syntax that may be used during the parsing step S20. However, the present disclosure is not limited to a specific type of abstract syntax and the choice of a specific abstract syntax corresponds to a specific embodiment of the present disclosure. [0049]

Abstract syntax

The non-limitative abstract syntax proposed herein is made of two layers: expressions and equations sets.

[0050]

We denote by J, O and L the sets of input, output and internal variables identifiers, respectively. We assume that J and O are disjoint, and that J and L are disjoint. O and L are not necessarily disjoint. The set of internal variables L includes the variables which are stored in memory blocks. We note D _Ʇ the domains on which the variables can be valuated, and more precisely D _Ʇ = D UꞱ where D is any usual domain of programming languages (e.g., bool, int, float, etc.) and Ʇ corresponds to the unknown valuation. We define the type of expressions of a dataflow program as indicated in the following definition. [0051]

Definition 1 (Abstract Syntax): Assuming that v ∈ J (0 U L), we define any equation e as: if e then e else e pre e wherein: [0052]

Then, we define the sequence of equations of a dataflow program as ε (v = e) ^N such that a dataflow program is finally defined as a tuple:

P = {J, O,L, ε)

[0053]

Note that, we use the usual functional programming list notation to define such sequences of equations, i.e., ε is the empty sequence and (v = e) :: ε is the concatenation of the equation v = e to the sequence of equations ε .

[0054]

Semantics for behavior difference analysis

Now, let us describe our behavior difference analysis semantics. The semantics of a dataflow program is based on the construction of an execution trace whose elements are valuations over its variables. We build execution traces of a dataflow program P by iterating (execution steps) the evaluation of the equations set ε. The obtained execution trace is an infinite state sequence defined by the function σ : N → O U L → D _Ʇ that corresponds to the valuation of output and internal variables through the execution. The notation σ _i corresponds to the i ^th state of the sequence, i.e., the valuation σ (i) : O U L → D _Ʇ . Additionally, undefined states are noted σ _Ʇ which is the undefined valuation such that Ɐv ∈ O U L, σ _Ʇ (V) =Ʇ . A finite execution trace of length n + 1 , is the infinite sequence of states starting by σ ₀ --- (σ _n and followed by σ _Ʇ σ _Ʇ .... Intuitively, after executing n execution steps of the program, the only built states are states from 0 to n. The tail of the execution trace is undefined. The valuation on the input variables is the function giving the value of an input variable at a given execution step, it corresponds to the values of the input variables through the execution trace of the dataflow program. For an ordered sequence of equations ε (see more details about equations ordering hereinafter), states σ _i are incrementally obtained from the input values q and the previous state σ _i-1 (if any) by evaluating each equation and updating the new state accordingly. Initially, the evaluation of the state is undefined for any index, i.e., Ɐi σ _i = σ _Ʇ . This execution trace is denoted ω.

[0055]

To define the semantics (behavior) of a dataflow program, we provide semantics rules for expressions. Their objective is to provide a new valuation for variables involved in expressions from a current valuation (execution step) and the valuation over input variables. Valuations have the shape where e is an expression of the dataflow programming language (see Definition 1). An example of semantics rules for expressions is provided in figure 4.

[0056]

Then, we define the semantics of equations sets of dataflow programs. For that purpose, we first need to sequence equations according to their dependency order. Following the dependency order ensures that any equation can be evaluated as soon as all its dependencies have been evaluated. For instance, the dataflow equation can be evaluated only if the value of y is known, i.e., the equation has been evaluated first.

[0057]

According to this, we use a dependency relation < such that for a variable y on which x depends, we have y < x. Intuitively, it means that we need the valuation of y to be able to evaluate x. In the following, we assume that the set ε of equations is ordered as a sequence such that Ɐi,x _i < x _i+1 . [0058]

Assuming that σ is an execution trace of length n, i.e., obtained after n executions for the ordered set of equations ε over the input sequence the execution trace of length n + 1 is inductively defined as The evaluation of consecutive equations is defined in figure 5.

[0059]

Definition 2 (Dataflow program semantics):

Let be a dataflow program. Assuming the input valuation the execution trace σ ^P built by executing P against is defined as the sequence of states such that = for all i.

[0060]

Definition 3 (Internal state semantics of dataflow program):

Let P = {J, O, L, ε} be a dataflow program. Assuming the input valuation the execution trace of states is the restriction of σ ^P to the internal variables L which is defined as

[0061]

Based on the above definitions and conventions, we now detail how the proving method 20 verifies the absence of difference between the respective behaviors of the first and second dataflow program.

[0062]

Definition 4:

Let us denote by f and g the first and second dataflow programs sharing the same set of inputs 7. Let us assume that there exists a bijective application p - O ^f O ^g between respective output variables sets O ^f and O ^g of f and g. It should be noted that, in the present disclosure, f and g are said to have the same set of output variables identifiers, which is to be understood as either 0 ^f being strictly identical to 0 ⁹ , or 0? being identical to 0 ⁹ up to a bijective application We say that said dataflow programs f and g are semantically equivalent (i.e. absence of difference in their respective behaviors) if they return the same values for the output variables given the same values for the input variables, here defined by the valuation [0063]

Let be the type of truth values (Boolean values). Let σ ^f and σ ^g be the valuations associated to the dataflow programs f and g with inputs valuation The absence of behavior difference between the two dataflow programs is characterized by the following properties:

[0064]

Hence, R , denoted herein “induction relation”, links the values of the internal variables of f with the values of the internal variables of g, and holds for the subsequent execution step (i + 1) provided it holds for the current execution step i . This induction relation R is not proved in the present disclosure and is received as an input of the proving method 20, during a step S21. [0065]

As illustrated by figure 2, the proving method 20 comprises a step S22 of setting an initial sequent based on the first mathematical representation and the second mathematical representation of respectively the dataflow programs f and g. Said initial sequent, further detailed hereinbelow, basically defines that the values of the output variables of the dataflow programs f and g are identical. [0066] Then, the proving method 20 comprises an iterated step S23 of applying a predetermined set of deduction rules to the initial sequent, wherein each deduction rule converts a sequent into at least one other sequent, until irreducible sequents are obtained. The deduction rules are further detailed hereinbelow.

[0067]

As illustrated by figure 2, the proving method 20 comprises a step S24 applying a decision procedure to each irreducible sequent obtained by iteratively applying the deduction rules. In preferred embodiments, each decision procedure is an automatic theorem prover, for instance a SMT solver.

[0068]

If all irreducible sequents are considered satisfiable, then the absence of behavior difference is proved between the first and second dataflow programs f and g. If one of the dataflow programs is an upgrade of the other one, then this means that the upgrade has not introduced any semantical change.

[0069]

In turn, if one of the irreducible sequents is not satisfiable, then the absence of behavior difference is not proved and the first and second dataflow programs f and g may exhibit semantic differences.

[0070]

In preferred embodiments, when an irreducible sequent cannot be proved to be satisfiable by a decision procedure, said decision procedure returns a witness state of the non-satisfiability of said irreducible sequent, said witness state including values of the input variables and values of the internal variables of the first and second dataflow programs f and g, which satisfy the induction relation R , for which the values of the output variables are not identical for the first and second dataflow programs. Such a witness state may be useful for the developer to understand the reasons of the semantic difference between the first and second dataflow programs f and g. [0071]

We now provide details on the sequents calculation carried out by the proving method 20, and on the set of deduction rules used.

[0072]

In order to define the deduction rules for the analysis of the behavior difference, let us first identify the syntax of formulae used in these deduction rules. Formulae are first-order logic predicates valued on expressions of our abstract syntax (see Definition 1) and any relations between these expressions.

[0073]

Definition 5 (Formula):

A formula F is defined as follows: wherein e is an expression as defined in Definition 1.

[0074]

For instance, x > 3 ᶺ x = y + z => Ɐt. t + x > 42 is a well-formed formula in our formalism.

[0075]

In our deduction system, sequents have the structure where is a set of well-formed formula (used as hypothesis), e and e' are expressions as defined in Definition 1. It means that, for all 0 ≤ j < n, e _j is equal to e'j holds when the formula is satisfied. As our system targets dataflow programs including memory blocks, inductive reasoning is mandatory and some sequents might be valid only for the initialization phase or execution phase of the induction. Therefore, we distinguish three situations: means that the sequent is valid when no induction has been performed yet (by applying an induction deduction rule detailed hereinbelow), means that the sequent is valid for the initialization phase of the induction and means that the sequent is valid for the execution phase of the induction (i.e. the execution steps after the initialization phase). When the sequent is valid for any situation, we use the notation.

[0076]

Deduction rules for change impact analysis have the following shape: wherein πi are proof derivations and □ ∈ {*, init, step}.

[0077]

For the sake of genericity, we use the context notion in deduction rules. A context is an expression surrounding some target expression. It is useful to isolate a subexpression in some expression on which we focus our reasoning. For instance, focusing on the subexpression x + y of 0 → pre(x + y) is done by abstracting the surrounding expression as a context E.

[0078]

Definition 6 (Context):

A context E[] is an expression containing one hole, noted [], exactly. wherein e, and o are respectively an expression, a binary operator and a unary operator as defined in the abstract syntax.

[0079]

The deduction rules for behavior difference analysis are provided in figure 6. Note that the labels of some deduction rules shown in figure 6 are terminated by “L” (for instance Pre-Binary-L, FBY-Init-L, etc.) meaning that they correspond to left-wise versions of the deduction rule. Right-wise versions of the rules also exist. For instance, the FBY-Init-R and FBY-Step-R deduction rules are defined as:

[0080]

As illustrated by figure 6, the deduction rules comprise an induction deduction rule, denoted by (Induction) in figure 6, which converts a sequent into a first sequent relative to the initialization phase of the first and second dataflow programs, referred to as initialization root sequent, and a sequent relative to the execution phase of the first and second dataflow programs after initialization, referred to as execution root sequent. The execution root sequent includes as hypothesis the induction relation R and the fact that the values of the set of output variables of the first and second dataflow programs f and g are identical at the previous execution step. The induction relation R is used to describe a state synchronization relation between the states of both dataflow programs f and g. It is necessary when programs have internal states (variables), otherwise the proof cannot be achieved. The idea of the synchronization is to describe how both systems can evolve in parallel such that we may be able to conclude that their respective output variable values match perfectly.

[0081]

The execution root sequent is the root of the branches of the execution phase of the induction and corresponds in figure 6 to the sequent From this execution root sequent (i.e. in any branch composed of sequents deduced directly or indirectly from the execution root sequent), only sequents with can be used.

[0082]

The initialization root sequent is the root of the branches of the initialization phase of induction and corresponds on figure 6 to the sequent From this initialization root sequent (i.e. in any branch composed of sequents deduced directly or indirectly from the initialization root sequent), only sequents with can be used.

[0083]

As illustrated by figure 6, the deduction rules comprise an initializationspecific deduction rule, denoted by (FBY-Init-L) (and its right-wise version) which is applicable only on the initialization root sequent or on a sequent deduced directly or indirectly from the initialization root sequent. Also, the deduction rules comprise an execution-specific deduction rule, denoted by (FBY-Step-L) (and its right- wise version) which is applicable only on the execution root sequent or on a sequent deduced directly or indirectly from the execution root sequent.

[0084]

Considering the first and second dataflow programs f and g , the absence of behavior difference between them is stated by the initial sequent where Oj ∈ 0 ^f and o'j ∈ O ^g are all the output variable values of f and g respectively. In other words, said initial sequent defines that the values of the set of output variables of f and g are identical.

[0085]

Then applying during step S23 the deduction rules in figure 6 (and their right-wise versions) produces a proof tree (the general structure of which is illustrated by figure 7) terminated by irreducible sequents II _k , i.e., sequents on which the deduction rules cannot apply. In that case, the goal is free of any dataflow primitives, which means that the irreducible sequents are integer arithmetic statements. The proof is complete if and only if each irreducible sequent II _k is satisfiable. The satisfiability proof is left to some automatic decision procedures such as theorem provers, during step S24. For instance, SMT solvers are very suitable to check integer arithmetic statements.

[0086] Let us apply the proving method 20 to check the absence of behavior difference between the dataflow program f in part a) of figure 1 and the dataflow program g in part b) of figure 1. Using the generic syntax (figure 3) of our dataflow textual programming language, the example dataflow programs are as follows:

Node f(r: Bool) returns (b: Bool) { n: Int n = If r Then 0 Else (0 -> pre n + 1); b = n % 2 = 1;

}

Node g(r: Bool) returns (b': Bool) { b’ = If r Then 0 Else ( 0 -> pre (not b’));

}

[0087]

In this example, the dataflow program g may be an update (optimization) of the dataflow program f . They are supposed to output the same values, i.e. a clock signal (alternation of the values 1 and 0). The clock can be reinitialized thanks to the input parameter r.

[0088]

Then, we parse (step S20) these dataflow programs (source code) to produce their respective mathematical representations using the abstract syntax:

[0089]

More specifically, the mathematical representation for the dataflow program f corresponds to: n = if r then 0 else and the mathematical representation for the dataflow program g corresponds to:

[0090]

Note that the sets of output variables of f and g are in bijection, the bijective application being p such that p(b) = b' . Also, in this example, the set of internal variables and the set of output variables are the same for the dataflow program g, and consist in the variable b' .

[0091]

Table 2 provides execution traces for the dataflow programs f and g. The function i gives the sequence of input values for r.

[0092]

[Table 2]

[0093]

We can see that execution traces seem very similar.

[0094]

In order to prove the absence of semantic change between the two dataflow programs, we iteratively apply (step S23) the deduction rules illustrated in figure 6 (and their right- wise versions). The resulting proof tree is represented in figure 8, wherein the proof tree in part b) of figure 8 corresponds to the branch II in part a) of figure 8.

[0095]

In the non-limitative example illustrated by figure 8, the irreducible sequents are processed by SMT solvers (step S24). Note that an induction deduction rule appears in the reasoning to handle memory blocks, relying on the induction relation R received at step S21. For the considered dataflow programs f and g, the induction relation is as follows:

R = ((pre n + 1 mod 2 = 0) = pre b')

[0096]

It is emphasized that the present disclosure is not limited to the above exemplary embodiments. Variants of the above exemplary embodiments are also within the scope of the present disclosure.