Automatic synthesis and verification of asynchronous interface controllers

Jordi Cortadella, Universitat Politècnica de Catalunya, Spain; Michael Kishinevsky, Intel Corporation, USA; Alex Kondratyev, Theseus Logic, USA; Luciano Lavagno, Università di Udine, Italy; Enric Pastor, Universitat Politècnica de Catalunya, Spain; Marco A. Peña, Universitat Politècnica de Catalunya, Spain; Alexander Yakovlev, University of Newcastle upon Tyne, UK
[Figure: an STG specification (environment) over the signals a, b, x, y, c, with events a+, b+, x+, y+, c+, c-, a-, b-, x-, y-, and its implementation (circuit)]
Why and why not?
– Asynchronous circuits: robustness, modularity, less power consumption, low EMI, no clock skew and many other debatable advantages
– Designing correct async circuits is difficult (hazards, testing)
– Designing efficient async circuits is a nightmare (time comes into play)
– Design automation is crucial
How to make it asynchronous ?
Outline
– Synthesis flow with STGs
  – Specification
  – State graph and next-state functions
  – State encoding
  – Implementability conditions
  – Logic decomposition
– Synthesis with relative timing assumptions
– Formal verification of timed circuits
Design flow: Specification (STG) → [reachability analysis] → State graph → [state encoding] → SG with CSC → [Boolean minimization] → Next-state functions → [logic decomposition] → Decomposed functions → [technology mapping] → Gate netlist
VME bus
[Figure: Device – VME Bus Controller (signals LDS, LDTACK, D, DSr, DSw, DTACK) – Data Transceiver – Bus; read-cycle waveforms for DSr, LDS, LDTACK, D, DTACK]
STG for the READ cycle
[Figure: STG with events DSr+, LDS+, LDTACK+, D+, DTACK+, DSr-, D-, DTACK-, LDS-, LDTACK-; VME Bus Controller with signals LDS, LDTACK, D, DSr, DTACK]
Binary encoding of signals / State graph
[Figure: state graph of the READ cycle with events DSr+, DTACK-, LDS-, LDTACK-, D-, DSr-, DTACK+, D+, LDTACK+, LDS+; each state is encoded as the binary vector (DSr, DTACK, LDTACK, LDS, D)]
Excitation / Quiescent Regions
[Figure: excitation regions ER(LDS+), ER(LDS-) and quiescent regions QR(LDS+), QR(LDS-) of signal LDS in the state graph]
Next-state function
[Figure: next-state value of LDS (0 or 1) in each state, derived from the regions ER(LDS+), ER(LDS-)]
Karnaugh map for LDS
[Figure: Karnaugh map of the next-state function of LDS over DTACK, DSr, D, LDTACK; one code carries both LDS = 0 and LDS = 1, a state encoding conflict]
Concurrency reduction
[Figure: the state graph and the READ-cycle STG after reducing the concurrency between LDS- and DSr+]
State encoding conflicts
[Figure: two states with the same binary code around LDS-, LDTACK-, LDTACK+ but different next-state value for LDS]
Signal insertion
[Figure: a new signal CSC, with events CSC+ and CSC-, inserted among LDS-, LDTACK-, D-, DSr-, LDTACK+, LDS+ to disambiguate the conflicting states]
Complex-gate implementation
Implementability conditions
Consistency + CSC + persistency ⇒ there exists a speed-independent circuit that implements the behavior of the STG (under the assumption that any Boolean function can be implemented with one complex gate)
No hazards
[Figure: a complex gate computing x from a, b, c, with no hazard]
Decomposition may lead to hazards
[Figure: the same function split into two gates with an internal signal z; the decomposition introduces a hazard on x]
Decomposition example
[Figure: an STG over signals x, y, z, w and its C-element implementation; decomposition of the function for x introduces an internal signal s (events s+, s-), and the resulting STG is checked for hazards]
Adding timing assumptions
[Figure: the READ-cycle STG with the csc-mapped netlist for DTACK, D, DSr, LDS, LDTACK, in the context of the VME bus (Device, VME Bus Controller, Data Transceiver, Bus); the timing assumption is LDTACK- before DSr+: LDTACK- is FAST, DSr+ is SLOW]
State space domain
[Figure: the state graph under the assumption LDTACK- before DSr+; two more states become unreachable]
Boolean domain
[Figure: Karnaugh maps of LDS over DTACK, DSr, D, LDTACK before and after the assumption; the code with both LDS = 0 and LDS = 1 is resolved: one more DC vector for all signals, one state conflict is removed]
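As an added example (not code from the slides or from petrify), the following Python script plays the token game on the READ-cycle STG to build its state graph, checks consistency, and reports CSC conflicts, first for the original STG and then with the relative timing assumption LDTACK- before DSr+ modelled as an extra ordering arc. The STG arcs and the initial marking are reconstructed from the slide's event sequence and are assumptions.

```python
from collections import deque

# Constructed model of the VME bus READ-cycle STG (arcs assumed from the slide's event order).
# Signal vector order follows the state-graph slide: (DSr, DTACK, LDTACK, LDS, D).
SIGNALS = ("DSr", "DTACK", "LDTACK", "LDS", "D")
OUTPUTS = {"DTACK", "LDS", "D"}           # DSr and LDTACK are driven by the environment
ARCS = [("DSr+", "LDS+"), ("LDS+", "LDTACK+"), ("LDTACK+", "D+"), ("D+", "DTACK+"),
        ("DTACK+", "DSr-"), ("DSr-", "D-"), ("DSr-", "LDS-"), ("D-", "DTACK-"),
        ("DTACK-", "DSr+"), ("LDS-", "LDTACK-"), ("LDTACK-", "LDS+")]
INITIAL = frozenset({("DTACK-", "DSr+"), ("LDTACK-", "LDS+")})   # initially marked places (arcs)
TIMING_ARC = ("LDTACK-", "DSr+")   # assumption "LDTACK- before DSr+" as an ordering arc

def reachable(arcs, marking, enc=(0,) * len(SIGNALS)):
    """Token-game reachability of a marked-graph STG: {(marking, code): enabled events}."""
    events = {e for arc in arcs for e in arc}
    states, todo = {}, deque([(marking, enc)])
    while todo:
        m, v = todo.popleft()
        if (m, v) in states:
            continue
        enabled = {e for e in events if all(a in m for a in arcs if a[1] == e)}
        states[(m, v)] = enabled
        for e in enabled:
            idx = SIGNALS.index(e[:-1])
            # consistency: a rising event may only fire when the signal is 0, a falling one when it is 1
            assert v[idx] == (0 if e[-1] == "+" else 1), f"inconsistent firing of {e}"
            v2 = v[:idx] + (1 - v[idx],) + v[idx + 1:]
            m2 = (m - {a for a in arcs if a[1] == e}) | {a for a in arcs if a[0] == e}
            todo.append((frozenset(m2), v2))
    return states

def csc_conflicts(states):
    """Codes shared by states whose enabled output events differ (CSC violations)."""
    by_code = {}
    for (_, v), en in states.items():
        by_code.setdefault(v, []).append(frozenset(e for e in en if e[:-1] in OUTPUTS))
    return {v: outs for v, outs in by_code.items() if len(set(outs)) > 1}

def timed_state_graph():
    """Same analysis with the timing assumption; the ordering arc is initially marked."""
    return reachable(ARCS + [TIMING_ARC], INITIAL | {TIMING_ARC})

if __name__ == "__main__":
    sg = reachable(ARCS, INITIAL)
    print(len(sg), "states; CSC conflicts:", csc_conflicts(sg))
    sg_t = timed_state_graph()
    print(len(sg_t), "states with LDTACK- before DSr+; CSC conflicts:", csc_conflicts(sg_t))
```

The untimed run reports the single conflicting code (1,0,1,1,0), reached once with D+ enabled and once with LDS- enabled; the timed run drops two states and no conflict remains.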
Netlist with one timing constraint
[Figure: the READ-cycle STG and the netlist for DTACK, D, DSr, LDS, LDTACK; TIMING CONSTRAINT: LDTACK- before DSr+]
Types of timing assumptions
– Environment slower (or faster) than the circuit
– Gate delay shorter than another gate delay
– Speculative enabling (events enabled before they must actually occur)
– Indistinguishable firing times of different events
– ...
Formal verification
– Implementability properties
  – Consistency, persistency, state coding, …
– Behavioral properties (safeness, liveness)
  – Mutual exclusion, “ack” after “req”, …
– Equivalence checking
  – Circuit Specification
  – Circuit < Specification
Property: g must fire before d after having fired x
[Figure: transition system over events x, a, b, c, g, d, y]
Verifying asynchronous circuits
– Internal signals cannot be abstracted out (many more state signals and states)
– If delays must be taken into account, each gate is a component with delay
– Verification with timed automata is unmanageable (BDDs do not work): gate = counter + state signal
– We need clever strategies to do symbolic model checking
Timed Transition System (Manna, Pnueli)
[Figure: transition system over x, a, b, c, g, d, y with min/max delays: (a) [1,2], (b) [1,2], (c) [2.5,3], (g) [0.5,0.5]; d, x, y unconstrained]
[Figure: the trace of enabled-event sets {x} → {a,b} → {b,c,g} → {c,g} → {d,g} → {g} → Ø in the transition system over x, a, b, c, d, g, shown as an event structure]
Maximum time separation (McMillan & Dill, 1992)
[Figure: event structure over x, a, b, c, d, g with delays [1,2], [2.5,3], [0.5,0.5], [0,∞); max τ(g) − τ(d) = −2, obtained from the longest min path to d and the slack for the max path to g]
From absolute to relative timing
Timing analysis
[Figure: successive unfoldings of the event structure over x, a, b, c, g, d, y, pruned by timing analysis]
[Figure: verification loop: event structure → timing analysis → composition → border of failure states / failure trace; components over signals r, s, t, u, w and i, j, k composed with the event structure over x, a, b, c, g, d]
Backannotation (sufficient timing constraints)
Conclusions
– An asynchronous circuit is a concurrent system with processes (gates) and communication (wires)
– The synthesis and formal verification of asynchronous control circuits can be totally automated
– The theory of concurrency is crucial to formalize automatic synthesis and verification methods
– Existing tools at academia: petrify, 3D, ATACS, Kronos, versify, etc.
– Industry starting to try: Intel, Theseus, Cogency, IBM, ...