Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Compositional Approach for System Design: Semantics of SystemC R.K. Shyamasundar IBM Research, India Research Lab. and Tata Institute of Fundamental.

Published byBennett Welch Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Compositional Approach for System Design: Semantics of SystemC R.K. Shyamasundar IBM Research, India Research Lab. and Tata Institute of Fundamental."— Presentation transcript:

1 1 Compositional Approach for System Design: Semantics of SystemC R.K. Shyamasundar IBM Research, India Research Lab. and Tata Institute of Fundamental Research (with F. Doucet, I. Krüeger and R Gupta UCSD)

2 2 Outline introduction compositional approach semantics anomalous behaviors assertional specification

3 3 Context High-level modeling and design of embedded systems  Build “complete” system models  Explore potential design space  Iterative/exhaustive process Platform-based design  A good solution that can be customized and configured  provides known communication architectures Processor I/O Mem Software IP Core Bus

4 4 Introduction System-level design languages (SystemC) has helped to increase the level of abstraction Provides a component-based design approach  Decompose systems into modules Challenge: verification of correctness of a component integration  Complexity of interactions A compositional design methodology is necessary  Analyze component by component

5 5 Component Composition Framework Structural specification  components, channels, events, shared variables, connections Behavioral specification  scenarios of observable event sequences Components implementations  SystemC modules Incremental approach to integration and verification

6 6 Example: Central Locking System The control system interacts with many components in the car Let us look at the specifications of interaction scenarios

7 7 Example: Central Locking System Scenario: observation of the interactions of many components (cross-cutting the architecture).

8 8 Example: Central Locking System

9 9 At any time of a crash, the doors should unlock! (the specification should be verified to imply this property)

10 10 Example: Central Locking System We “combine” all the scenarios to define the behavioral type of the controller Projection + composition + preemption Does the system work properly?

11 11 Component Type Let us have components types as 1. interface type  with classical types 2. behavioral type  set of all possible observable sequences at the interface observable events observable behavior o1o1 P1P1 P2P2 o2o2 i1i1 i2i2 i3i3 s1s1 s2s2 s3s3 srsr data types functions parameters f1f1 Components are SystemC blocks, or composition of SystemC blocks Internally, component behavior is whatever but it has to respect the “type contract”

12 12 How do we go about? Scenario: cross cutting behavior Component types: part which is local to a component  what can be observed at the interface of a component Semantics: clear unambiguous understanding of 1. scenario specification 2. IP block behaviors Verification of logical correctness  Compositional (modular) verification abstractions

13 13 Outline introduction compositional approach semantics anomalous behaviors assertional specification

14 14 SystemC Language C++ library to simulate concurrency Language: set of macros program =processes|| channels || variables || events process=( comms | ctrl flow | arithmetic)* comms = event.notify() | event.notify_delayed() | signal.read() | signal.write() | | channel. () | port.read() | port.write() | port. () ctrl flow = if (exp) then else | while (exp)

15 15 SystemC Example  structure: module ports process  communication channel events signals SC_MODULE(Counter) { sc_in clk; sc_out count; int value; SC_CTOR(Counter) { SC_PROCESS(proc); sensitive << clk; count=0; } void proc() { value++; count.write(value); wait(clk.default_event()) } }; Channels and signals are bound to ports SystemC program is a set of concurrent modules

16 16 SystemC Scheduler Synchronize with immediate events Synchronize with delta events Pick a process and react (may produce new events) Synchronize with timed events are there immediate events pending? are there delta events pending? are there delta timed pending? simulation done simulation start

17 17 Concurrency model: Two-level Timing Use of delta cycles to preserve deterministic behavior  Order events that happen within a given scheduling step  Event can be immediate, timed or at delta cycles Simulation correctness does not imply logical correctness due to  non-determinism  causality cycles Need to define formal semantics

18 18 Semantics With a set of concurrent processes P 1 ||…||P n a global reaction which is an alternating sequence of synchronization and reactions, observable as a sequence of environment and states E0σ1E2σ3E4σ5E6σ7…E0σ1E2σ3E4σ5E6σ7… 1.synchronize with the environment → I 2.reactive semantics (one process reacts) → 3.build next micro-environment → δ 4.build next macro-environment → T is defined with asynchronous synchronous global time

19 19 Rules for Parallel Composition Synchronize processes with the events in the environment Select one process which is ready to react and fire it

20 20 Rules for Parallel Composition Build next macro-environment: timed events to current events Build next micro-environment: delta events to current events

21 21 Structured Operational Semantics For every syntactic SystemC statement stmt, a clean rule to derive observational behavior: where  E I is the triggering environment  E O is the output environment  b denotes if the statement terminates in the current instant  σ: denotes the state (values assigned to the variables) The rules are used to produce a transition system whose language is the all observable sequences

22 22 SOS Rules for Event Communication If e not in environment, wait for next instant pause until the next environment wait for the next event e If e is in the environment, reduction terminates e in the next environment Produces a behavior of the form : E I σ E O

23 23 SOS Rules for Sequential Composition P 1 blocks, the whole sequential composition blocks Changes the state σ into σ’ Produces a behavior of the form: E I σ 1 σ 2 σ 3 σ 4 σ 5 E O

24 24 Example Process definition Module definition clk in1 in2 sum diff

25 25 Example assumptions commitment

26 26 Example: clk sum diff prod quot

27 27 Example clk sum diff clk in1 in2 sum diff Automata collaped with sequential rule and with process loop: Assemble the interface behaviors of the SystemC blocks: prod quot delta events assumptions

28 28 Outline introduction compositional approach semantics anomalous behaviors  non-determinism  causality cycles assertional specification

29 29 Nondeterministic Behavior For an input trace, it can be possible to observe different output traces  can cause synchronization problems  missed events, different values, etc Possible causes: 1. mix of concurrency with shared variables 2. mix of concurrency with immediate event notification 3. non-deterministic software models with immediate event notifications 4. un-initialized signals/variables Scheduler-dependent behavior  not observable in a simulation model

30 30 Nondeterministic Behavior SC_MODULE(M1) { sc_event e; int data; SC_CTOR(M) { SC_THREAD(a); SC_THREAD(b); } void a() { data=1; e.notify() } void b() { wait(e) } }; SC_MODULE(M2) { sc_event e; SC_CTOR(M) { SC_THREAD(a); SC_THREAD(b); } void a() { wait(10,SC_NS) e.notify(); } void b() { wait(10, SC_NS); wait(e); } }; event notification can be missed depending of which process gets scheduled first at some arbitrary stepat the initial step

31 31 Scheduler Dependency sc_event e; SC_MODULE(M1) { SC_CTOR(M1) { SC_THREAD(a); } void a() { e.notify() } }; SC_MODULE(M2) { SC_CTOR(M2) { SC_THREAD(b); } void b() { wait(e); sc_stop(); } }; int sc_main() { M1 m1(‘’m1’’); M2 m2(‘’m2’’); sc_start(10); return 1; } This runs to completion and execute the sc_stop statement

32 32 Scheduler Dependency sc_event e; SC_MODULE(M1) { SC_CTOR(M1) { SC_THREAD(a); } void a() { e.notify() } }; SC_MODULE(M2) { SC_CTOR(M2) { SC_THREAD(b); } void b() { wait(e); sc_stop(); } }; int sc_main() { M1 m1(‘’m1’’); M2 m2(‘’m2’’); sc_start(10); return 1; } inverting the instantiation order makes M2 miss e and block forever int sc_main() { M2 m2(‘’m2’’); M1 m1(‘’m1’’); sc_start(10); return 1; } Structural specification has side effects!!!

33 33 Detecting nondeterminism Has to be done during the synchronous composition  merge for delta events  merge for timed events Keep track of the  last environment E  last state σ  check if all derivations lead to same environment E’ same state σ’ a b c c b a b a c … (like an interference freedom test)

34 34 Causal Cycles A sequence of action that keeps retriggering itself Problem with delta timing :  infinite actions in a finite time Not always a problem  desirable in an untimed model  undesirable in a timed model (considered as a divergence) Cycles are not always triggered in simulation  could be a corner case condition of asynchronous logic  need to detect in verification

35 35 Example: SC_MODULE(M1) { sc_in e1; sc_in e3x; sc_out e3; sc_out e1x; SC_CTOR(M1) { SC_METHOD(p1); sensitive << e1 << e3x; } void p1() { if (!e3x.event()) e3.write(!e3.read()); e1x.write(!e1x.read()); } }; Checking for absence of event forms a cycle

36 36 Detecting causal cycles Makes sense only in timed models  using global explicit time A derivation that never gets to build the next timed environment  a cycle in the transition graph where no T transition is taken.  Can be done while constructing the graph if it goes back to a state already in the graph This step never taken

37 37 Current work on abstraction Abstraction of TLM models  abstract transactions as syntactic statements  establish interference freedom and cooperation tests transaction should not interfere with each other transaction should be abstracted as asynchronous tasks Compositional methodology 1. verification of bus 2. verification of components 3. deduction of system properties

38 38 Related Work Semantics of SystemC: difficult problem because of all its intricacies of two-level model ASML (Tahar/Mueler …)  integration of time and delta cycle models  difficult integration of asynchrony  no reactivity (deep embedding into ASML environment) Synchronous languages  formalization through Lustre (Maraninchi, Moy …) ignores delta cycle requirements  formalization through SIGNAL (Talpin) ignores delta cycle difficult integration with asynchrony Process algebras (Kam …)  ignores distinction of synchrony/asynchrony Verification approaches (Kroening …)  not geared towards arriving at simulation correctness

39 39 Summary and Ongoing Work A Framework for component composition Defined compositional semantics as supported in SystemC for enabling a component-based design approach Currently defining assertional spec. layer  Generation of automata (TS) for model checking  accompanying verification methodology for model checking Apply on TS, Predicate abstractions, solvers, for scalable verification …

Download ppt "1 Compositional Approach for System Design: Semantics of SystemC R.K. Shyamasundar IBM Research, India Research Lab. and Tata Institute of Fundamental."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Copyright  2003 Dan Gajski and Lukai Cai 1 Transaction Level Modeling: An Overview Daniel Gajski Lukai Cai Center for Embedded Computer Systems University.

Copyright  2003 Dan Gajski and Lukai Cai 1 Transaction Level Modeling: An Overview Daniel Gajski Lukai Cai Center for Embedded Computer Systems University.
ECOE 560 Design Methodologies and Tools for Software/Hardware Systems Spring 2004 Serdar Taşıran.

ECOE 560 Design Methodologies and Tools for Software/Hardware Systems Spring 2004 Serdar Taşıran.
The cardiac pacemaker – SystemJ versus Safety Critical Java Heejong Park, Avinash Malik, Muhammad Nadeem, and Zoran Salcic. University of Auckland, NZ.

The cardiac pacemaker – SystemJ versus Safety Critical Java Heejong Park, Avinash Malik, Muhammad Nadeem, and Zoran Salcic. University of Auckland, NZ.
Hardware Description Language (HDL)

Hardware Description Language (HDL)
Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.

Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Analyzing and Verifying Esterel Programs Taisook Han 2009-12-19, Division of Computer Science, KAIST.

Analyzing and Verifying Esterel Programs Taisook Han , Division of Computer Science, KAIST.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Event Driven Real-Time Programming CHESS Review University of California, Berkeley, USA May 10, 2004 Arkadeb Ghosal Joint work with Marco A. Sanvido, Christoph.

Event Driven Real-Time Programming CHESS Review University of California, Berkeley, USA May 10, 2004 Arkadeb Ghosal Joint work with Marco A. Sanvido, Christoph.
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
Synthesis of Embedded Software Using Free-Choice Petri Nets.

Synthesis of Embedded Software Using Free-Choice Petri Nets.
PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.
An Introduction to Input/Output Automata Qihua Wang.

An Introduction to Input/Output Automata Qihua Wang.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

Similar presentations

Ads by Google