Components, Interfaces and Compositions: from SoCs to SOCs

Partha S. Roop, University of Auckland

Organization
o  Significance of components and interfaces.
o  Two recent frontiers: SoCs (systems-on-a-chip) and SOCs (service-oriented computing).
o  Key problems:
   n  Component matching: refinement based and DES (discrete event system) control based.
   n  Component composition: converter / choreographer synthesis.
o  Conclusions.

Acknowledgements
o  Forced Simulation is joint work with A. Sowmya (UNSW) and S. Ramesh (General Motors R&D); the link to DES is with Robi Malik (Waikato).
o  Local module checking and converter synthesis is joint work with Roopak Sinha (Postdoc) and Samik Basu (Iowa State).
o  Web Services composition is joint work with Adeel Ali (PhD student), Ian Warren (Soft. Eng., Auckland) and Zeeshan Bhatti (PhD student).

I, Pencil
o  "Simple? Yet, not a single person on the face of this earth knows how to make me."
   n  Making of lead (graphite + clay)
   n  Making of body (cedar + lacquer)
   n  Eraser (rubber + factice + …)
   n  Label (carbon + resin + …)
   n  Ferrule (brass + zinc + …)

"I, Pencil", Leonard E. Read (1898-1983), published in the December 1958 issue of The Freeman.

(Figure: the industries behind a pencil.) Mass manufacturing, structural assembly, mechanical assembly, quality control, electronics, ……

A System-on-a-chip (SoC) Example

Source: R. Sinha, Automated Techniques for SoC Verification, PhD thesis, University of Auckland, 2008.

Consumer electronics revolution fuelled by SoCs

Embedded systems: safety-critical concerns; timing/functionality requirements.
n  Compliance to strict safety standards [IEC 61508, DO-178]

[Paolieri et al 2011] Towards Functional-Safe Timing-Dependable Real-Time Architectures.

Service Oriented Computing

Internet Service Composition Featuring The Future …!

Related work
o  Abstract Interfaces [Parnas'77]
o  OO methodologies and UML
o  Formal techniques:
   o  IO Automata
   o  Interface Automata
   o  Interface Theories
   o  Discrete controller synthesis
   o  Module checking
   o  Converter synthesis

Two key questions
o  Question 1: specification matching / component adaptation (the "what" question).
o  Question 2: component composition (the "how" question).

Specification Matching: "Can a given device automatically be adapted to implement a new function?"

Two answers:
o  Forced Simulation
o  Supervisory Control

First Question: Coffee Brewer Example

Assume given: a coffee brewer device that can
▪ brew 4 or 8 cups of coffee
▪ medium or strong

Device D (figure: an LTS with states 0 to 10 and events 8cups, strong ∧ 8cups, default, strong, brew, error, ready8m, ready8s, ready4m, ready4s, replenish, reset; the four selection states 1 to 4 each lead via brew to a brewing state 5 to 8, which ends either in error followed by replenish, or in the matching ready signal followed by reset).

Specification F (figure: an LTS with states 0 to 3 and events 8cups, default, error, ready4m, ready8m, reset; only medium-strength brewing is required).

Disabling and Forcing

Assume given: the same coffee brewer device (brew 4 or 8 cups of coffee, medium or strong).

Device D (figure: as before; the strong and strong ∧ 8cups branches, states 2, 4, 6, 8 and the ready8s / ready4s signals, are crossed out û).

Specification F (figure: states 0 to 3 and events 8cups, default, error, ready4m, ready8m, reset).

Adapter actions shown on the figure:
o  Disable the strength switch.
o  Force the brew switch: [brew].
o  Force [replenish] after an error.

An Adapter for the Coffee Brewer

Adapter A (figure: states labelled device/specification state pairs 0/0, 1/1, 3/2, 5/1, 7/2, 9/3, 10/3 and 9/0; synchronised events 8cups, default, error, ready4m, ready8m, reset; forcing actions [brew], [replenish] and [reset]).

Specification F (figure: states 0 to 3 and events 8cups, default, error, ready4m, ready8m, reset).

Forced Composition

Let A be an adapter and D be a device. Define the forced composition A // D by two rules:

1. Forcing (the adapter drives the device; the forced event becomes silent):
   (qA, qD) --τ--> (qA', qD')   if   qA --[α]--> qA' in A   and   qD --α--> qD' in D

2. Synchronisation (both move on the external event):
   (qA, qD) --σ--> (qA', qD')   if   qA --σ--> qA' in A   and   qD --σ--> qD' in D

Specification Matching Problem

Let F be a specification and D be a device. We say "D can implement the function F" if there exists a well-formed and deterministic adapter A such that

A // D ≈ F

(≈ is weak bisimulation equivalence).

Forced Simulation Solution

Theorem. There exists a well-formed and deterministic adapter A such that A // D ≈ F if and only if

F ≲fsim D

Condition for the existence of A

R ⊆ Q_F × Q_D × Σ* is a forced simulation relation between F and D provided:

1. (q0_F, q0_D, σ) ∈ R for some σ ∈ Σ*.
   (Start states must be related!)

2. If (q_F, q_D, σ) ∈ R and σ = a·σ' for some a ∈ Σ, then there exists q_D' such that q_D --a--> q_D' and (q_F, q_D', σ') ∈ R.
   (States related by a forcing sequence!)

3. If (q_F, q_D, ε) ∈ R, then for all a ∈ Σ and all q_F' such that q_F --a--> q_F', there exist q_D' and σ' ∈ Σ* such that q_D --a--> q_D' and (q_F', q_D', σ') ∈ R.
   (Directly related!)

F ≲fsim D holds if and only if such a relation R exists.

Example

(Figure: Function F with states f0, f1 and transition f0 --β--> f1; Device D with states d0, d1, d2 and transitions labelled α, β, α.)

R = {(f0, d0, α), (f0, d1, ε), (f2, d2, ε)}

d0 is related to f0 through the forcing sequence α (the adapter forces α in the device); the remaining pairs are directly related (ε).

Another Solution

(Figure: the same Function F and Device D.)

R = {(f0, d0, ε), (f0, d1, α), (f2, d2, ε)}
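The relation above can be computed mechanically. The following Python block is an added example, not code from the slides or the authors' tools: it decides F ≲fsim D for small deterministic LTSs by taking the greatest fixpoint of condition 3 (pairs directly related by ε), then walks F from its start state to produce the triples of conditions 1 and 2. The two LTSs are constructed for illustration (the device can only do α before β, the function wants β first, so the adapter must force α); shortest forcing sequences are chosen so that no forced cycle appears, which is what a well-formed adapter needs.

```python
"""Forced simulation check F <=fsim D (conditions 1-3 of the slides) for small
deterministic LTSs, with the relation R = {(f, d, sigma)} as the certificate.
Added example: the LTSs are constructed for illustration, not the slides' brewer."""
from collections import deque

# Constructed LTSs: state -> {event: next_state}. The device can only do alpha
# before beta, while the function wants beta first; the adapter must force alpha.
DEVICE = {"d0": {"α": "d1"}, "d1": {"β": "d2"}, "d2": {"α": "d0"}}
FUNCTION = {"f0": {"β": "f1"}, "f1": {"α": "f0"}}


def forcing_paths(lts, start):
    """Shortest event sequence (BFS) from `start` to each reachable state.
    Shortest paths keep every forcing sequence cycle-free, which is what a
    well-formed adapter needs (no forced cycles)."""
    paths, queue = {start: ()}, deque([start])
    while queue:
        q = queue.popleft()
        for event, q2 in lts[q].items():
            if q2 not in paths:
                paths[q2] = paths[q] + (event,)
                queue.append(q2)
    return paths


def direct_relation(f_lts, d_lts):
    """Greatest fixpoint of condition 3: pairs (f, d) related by the empty
    forcing sequence. (f, d) survives iff every f -a-> f' is matched by
    d -a-> d' from which some forcing sequence reaches d'' with (f', d'') kept."""
    paths = {d: forcing_paths(d_lts, d) for d in d_lts}
    rel = {(f, d) for f in f_lts for d in d_lts}
    changed = True
    while changed:
        changed = False
        for f, d in list(rel):
            for a, f2 in f_lts[f].items():
                d2 = d_lts[d].get(a)
                if d2 is None or not any((f2, d3) in rel for d3 in paths[d2]):
                    rel.discard((f, d))
                    changed = True
                    break
    return rel, paths


def forced_simulation(f_lts, d_lts, f0, d0):
    """Return R = {(f, d, sigma)} witnessing F <=fsim D, or None.
    Condition 1 (start states related) is checked first; conditions 2 and 3
    generate the triples while walking F from its start state."""
    rel, paths = direct_relation(f_lts, d_lts)

    def target(f, d):
        # device state reachable from d by the shortest forcing sequence that
        # is directly related to f; None if there is none
        cands = [d3 for d3 in paths[d] if (f, d3) in rel]
        return min(cands, key=lambda d3: len(paths[d][d3])) if cands else None

    if target(f0, d0) is None:
        return None  # condition 1 fails: the start states cannot be related
    R, queue, seen = set(), deque([(f0, d0)]), set()
    while queue:
        f, d = queue.popleft()
        if (f, d) in seen:
            continue
        seen.add((f, d))
        sigma, cur = paths[d][target(f, d)], d
        for i, event in enumerate(sigma):      # condition 2: one triple per suffix
            R.add((f, cur, sigma[i:]))
            cur = d_lts[cur][event]
        R.add((f, cur, ()))                    # condition 3: directly related pair
        for a, f2 in f_lts[f].items():         # F's moves are matched by D's
            queue.append((f2, d_lts[cur][a]))
    return R


if __name__ == "__main__":
    print(forced_simulation(FUNCTION, DEVICE, "f0", "d0"))
```

For the constructed pair the result is {(f0, d0, (α,)), (f0, d1, ()), (f1, d2, ())}, the same shape as the relation on the slide: one forcing step from d0, then direct matching. Reading an adapter off R is then mechanical: a triple with a non-empty σ becomes a forcing transition [a], a triple with σ = ε synchronises on F's events.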

Supervisory Control Problem

Let F be a specification and P be a plant. We say "F can be achieved by control of P" (equivalently, "F is controllable with respect to P") if there exists a supervisor S such that

L(S || P) = L(F)

Creating a Plant from the Device

Assume given: the coffee brewer device that can brew 4 or 8 cups of coffee, medium or strong.

Device D (figure: states 0 to 10 and events 8cups, strong ∧ 8cups, default, strong, brew, error, ready8m, ready8s, ready4m, ready4s, replenish, reset).

Plant [D] (figure): the same LTS in which every device event is additionally available as a controllable forcing event: [8cups], [strong ∧ 8cups], [default], [strong], [brew] on each of the four brew transitions, [replenish] and [reset].

A // D = (A || [D]) \ [Σ]

(the forced composition is the synchronous composition of the adapter with the plant, with the forcing events [Σ] hidden).

Least Restrictive vs. Well-Formed

(Figure.) Device D: states 0, 1, 2 with transitions α, α, β. Function F: states 0, 1 with transitions α, β.

Adapter A_fsim,1 (states 0, 1, 2): forces [α] first, then synchronises on α and β.
Adapter A_fsim,2 (states 0, 1, 2): synchronises on α first, then forces [α], then β.
Adapter A_supcon (states 00, 10, 21, 20, 11, 01): the least restrictive solution, which keeps every safe move, including forcing moves [α] and [β] wherever they are safe; it is larger than either forced-simulation adapter and its well-formedness is not guaranteed by construction.

Comparison and Summary

Feature                       | Forced simulation          | Supervisory control
------------------------------|----------------------------|----------------------------------
Relationship between A and F  | A // D ≈ F                 | L(A // D) ⊆ L(F)
Well-formedness               | guaranteed                 | requires additional steps
Forced cycles                 | not possible               | may occur
Nonblocking                   | guaranteed                 | can be guaranteed
Uniqueness                    | solutions weakly bisimilar | unique least restrictive solution
Controllability               | not considered             | handled
Complexity                    | O(|QF| |QD|² |Σ|)          | O(|QF|² |QD|² |Σ|)

Second Question:
n  Composition: design and develop systems from multiple independently developed components.
n  How to effectively address protocol mismatches during composition?

Answer: converter synthesis, and its relationship to convertibility verification.

Motivation
o  Reuse Methodology Manual for System-on-a-Chip Designs by Keating and Bricaud, Springer 2002 (3rd edition):
   n  "verifying functionality and timing at the system-level is probably the most difficult and important aspect of SoC design. .. For many teams, verification takes 50%-80% of the overall design effort"
   n  "the low-level interfaces do not work; for example, a handshake signal inverted"

Suggested design flow (figure)
1. Specification (from the initial requirements / boiler plates and the block specifications Block 1 Spec … Block n Spec)
2. Behavioural model
3. Refine & test
4. Hardware/software partitioning
5. Hardware architecture model and prototype software (using the initial IP interfaces and existing IPs)
6. Co-simulation
7. Hardware (HW) and software (SW), as HW IP and SW IP
8. System-level formal verification and protocol compatibility checking
From requirements and specification to system.

Solution Mechanism
o  Converter-based protocol conversion
   n  Develop a converter: acts as a mediator between two components with mismatched protocols.

(Figure: Protocol P1 and Protocol P2 are composed through a converter to realize the Specification.)

Goal: compose P1 and P2 to realize the Specification.

Solution: Converter addresses mismatches

(Figure: a set-top box SoC in which a converter mediates between the key control, the video decoder and the PAL/NTSC encoder.)

Challenges:
•  Multi-clock
•  Differing data-widths
•  Control-signal mismatch

(Figure: protocols of the set-top box components.)
(a) IR Sender P_S: states Idle_s (s0) and COut8 (s1); transitions valid/. (s0 → s1), ./done (s1 → s0), invalid/. (stay in s0).
(b) Control P_T: states Idle_t (t0) and KeyIn32 (t1); transitions ready/., ¬ready/., keyok/start, ¬keyok/stop; a 32-bit IR buffer sits between the sender and the control.
(c) Video Decoder P_U: states Off (u0), SigRd8 (u1) and SigOut8 (u2); transitions start/., true/., true/., stop/.; satellite signal input (8 bits), AV output signal (8 bits).
(d) PAL/NTSC Encoder PU: states Wait (u0 in the figure), SigRd8 (v1) and On (v2); transitions pkt/., pal/., ntsc/., pkt/.; inputs start, stop; PAL-out (to TV).

SoC (figure): the converter sits between the key control, the video decoder and the PAL/NTSC encoder and also receives the uncontrollable inputs.

How about service composition?

(Figure: currency conversion example.) Item Service → GeoIP Service (localhost) → Country Service (CountryName) → Currency Service (CurrencyCode) → Calculator Service (rate) → multiplied amount.

Composition Framework (figure)

*.wsdl files → WSDL-to-LTS Generator → LTS-encapsulated service models → user-guided data connections → parallel composition together with the goal specification → composite service.

Related Work

Approach             | Model | Spec | Multiple protocols | Algorithm             | UE  | Buffering | Data    | Multi-clock
---------------------|-------|------|--------------------|-----------------------|-----|-----------|---------|------------
Avnit et al. '08     | SPA   | nil  | no                 | refinement            | no  | yes       | limited | yes
D'Silva et al. '04   | SPA   | nil  | no                 | refinement            | no  | yes       | limited | yes
Passerone et al. '02 | LTS   | LTS  | no                 | game-theoretic        | no  | yes       | no      | no
Kumar et al. '97     | LTS   | LTS  | no                 | supervisory control   | yes | no        | no      | no
Tivoli et al. '08    | LTS   | nil  | yes                | coverability analysis | yes | yes       | no      | yes
Our approach         | LTS   | CTL  | yes                | model checking        | yes | yes       | yes     | yes

Related Work – Service Composition

Approach       | Input services: type | Auto | Data: model  | Data: flow | Semantic | Structural | Behaviour: model | Composition: spec | Composition: algorithm
---------------|----------------------|------|--------------|------------|----------|------------|------------------|-------------------|------------------------------
Mitra et al.   | Syntactic            | -    | -            | -          | -        | -          | i/o automata     | i/o automaton     | Tabled-logic programming
ASTRO          | Syntactic            | -    | DataNet      | +          | -        | -          | STS              | EAGLE             | Planning-based model checking
Berardi et al. | Syntactic            | -    | -            | -          | -        | -          | FSM              | DPDL              | Satisfiability of DPDL
Lecue et al.   | Semantic             | -    | Schema graph | +          | +        | +          | -                | -                 | -
Proposed       | Syntactic            | +    | Schema graph | +          | +        | +          | LTS              | CTL               | Tableau-based model checking

Types of Protocol Mismatch o  Control-signal mismatch o  Data mismatch o  Clock mismatch

Protocol Model

(Figure.) Handshake Producer: states s0, s1; s0 --a--> s1, s1 --b--> s0, and a T (idle) self-loop on each state.
Serial Consumer: states t0, t1; t0 --a'--> t1, t1 --b'--> t0, and a T' (idle) self-loop.
primed: input signal; unprimed: output signal.

KS = (AP, S, s0, Σ, R, L): AP: atomic propositions, S: set of states, s0 ∈ S: start state, Σ: transition labels, R: transitions, L: labels states with propositions.

Ref: Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin. Roberto Passerone, Luca de Alfaro, Thomas A. Henzinger and Alberto L. Sangiovanni-Vincentelli, ICCAD'02.

Protocol Model Composition

(Figure: the producer and consumer as above, and their product.) Product states s0t0, s0t1, s1t0, s1t1; each product transition is labelled by a producer output paired with a consumer input: Ta', Tb', aa', bb', ba', ab', bT', aT' and TT' (both idle).

Specification Language
o  CTL syntax: Φ ::= tt | P | ¬P | Φ ∧ Φ | Φ ∨ Φ | AXΦ / EXΦ | AGΦ / EGΦ | A(Φ U Ψ) | E(Φ U Ψ)

AX / EX: all / some successors satisfy Φ.
AG / EG: all reachable states satisfy Φ / Φ holds along some path.
A(Φ U Ψ): along all paths Φ is satisfied until Ψ.
E(Φ U Ψ): along some path Φ is satisfied until Ψ.

Protocol Model Properties

Input cannot be made before the corresponding output:
1. AG[(s0 ∧ t0) ⇒ AX¬(¬s1 ∧ t1)]
2. AG[(s1 ∧ t1) ⇒ AX¬(¬s0 ∧ t0)]
((s0,t0): for the a action; (s1,t1): for the b action.)

Output of b/a is not allowed before a/b is received:
1. AG[(s1 ∧ t0) ⇒ AX¬(s0 ∧ t0)]
2. AG[(s0 ∧ t1) ⇒ AX¬(s1 ∧ t1)]

(Figure: producer, consumer and their product with transitions Ta', Tb', aa', bb', ba', ab', bT', aT', TT', as on the previous slide.)

Lock-Step Composition
o  Converter-based solution
   n  Protocol models move if and only if the converter allows that move.
   n  The converter cannot block any outputs.
o  Let ci be composed with (si, ti). Then (si,ti) --a--> (sj, tj) is allowed if and only if ci can move on the matching converter label (a').

(Figure: Protocol P1 — Converter — Protocol P2.)

Converter Synthesis

(s,t)//c ⊨ Φ
──────────────────────────────────────────────────
(s1,t1)//c1 ⊨ Φ1   (s2,t2)//c2 ⊨ Φ2   …   (sk,tk)//ck ⊨ Φk

•  The antecedent holds if and only if the consequents hold.
•  Local, top-down approach similar to tableau-based CTL model checking.

Tableau Rules

(s,t)//c ⊨ Ψ
──────────────────────────────────────────────────
∃π ⊆ Π: ∀σ ∈ π: (sσ,tσ)//cσ ⊨ ΨAX

Ψ only contains formulas of the form AXΦ.
1. Identify the set of possible transitions from (s,t): Π = {σ | (s,t) --σ--> (sσ,tσ)}.
2. Enable a subset of the possible transitions using the converter: c --σ'--> cσ with D(σ,σ'), where σ' is the converter label dual to the protocol label σ.
3. All enabled transitions lead to states satisfying the Φ's: ΨAX = {Φ | AXΦ ∈ Ψ}.

The enabled transition set must include all possible output transitions. Also, the resulting machine has to be responsive to T input.

Example

(Figure: product states s0t0, s0t1, s1t0, s1t1 with transitions Ta', Tb', aa', bb', ba', ab', bT', aT', TT'.)

Φ1 = (s0 ∧ t0) ⇒ AX¬(¬s1 ∧ t1)
Φ2 = (s1 ∧ t1) ⇒ AX¬(¬s0 ∧ t0)
Φ3 = (s1 ∧ t0) ⇒ AX¬(s0 ∧ t0)

Starting with converter state c0 at s0t0:

s0t0//c0 ⊨ {AG[Φ1], AG[Φ2], AG[Φ3]}
s0t0//c0 ⊨ {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3}   (unroll AG)
s0t0//c0 ⊨ {AXAG[Φ1], AX¬(¬s1 ∧ t1), AXAG[Φ2], AXAG[Φ3]}   (only Φ1's antecedent holds at s0t0, so only its consequent is owed)

Every successor the converter enables must satisfy {AG[Φ1], ¬(¬s1 ∧ t1), AG[Φ2], AG[Φ3]}:

s0t0//c0' ⊨ {AG[Φ1], ¬(¬s1 ∧ t1), AG[Φ2], AG[Φ3]}   SUCCESS: T in producer allowed (move TT', converter c0 --T'T--> c0'). After discharging the literal this is s0t0//c0' ⊨ {AG[Φ1], AG[Φ2], AG[Φ3]}, the same formula / state pair as the root, so the branch closes.
s0t1//c1 ⊨ {AG[Φ1], ¬(¬s1 ∧ t1), AG[Φ2], AG[Φ3]}   FAIL: ¬(¬s1 ∧ t1) does not hold at s0t1, so the move Ta' (consumer reads a' while the producer idles: T in producer blocked) must not be enabled.
s1t0//c3 ⊨ {AG[Φ1], ¬(¬s1 ∧ t1), AG[Φ2], AG[Φ3]}   (move aT')
s1t1//c2 ⊨ {AG[Φ1], ¬(¬s1 ∧ t1), AG[Φ2], AG[Φ3]}   (move aa', converter c1 --a'a--> c2); the literal holds, leaving s1t1//c2 ⊨ {AG[Φ1], AG[Φ2], AG[Φ3]}.

Converter (figure): states c0, c3 and c34 (c3 and c4 merged), with moves labelled by consumer-input / producer-output pairs T'T, T'b, b'a, a'b and a'T.
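The tableau above can be run mechanically. The following Python block is an added example, not code from the slides or the authors' tool: it transcribes the handshake producer, the serial consumer and the four AG/AX properties, builds the lock-step product, and applies the AX tableau rule as a greatest fixpoint over (state, formula-set) configurations (the "same formula / state pair" closure of the slides). The converter may drop consumer-input moves but must leave every producer output (including the idle T) enabled; the responsiveness side condition of the rule is not modelled here. The result is the maximally permissive converter; a tableau that picks one π would return a subset of these moves.

```python
"""Tableau-style converter synthesis for the lock-step composition of the
handshake producer and serial consumer, restricted to AG/AX safety properties.
Added example; models and properties are transcribed from the slides, the
algorithm is a greatest-fixpoint rendering of the AX tableau rule."""
from collections import deque

# Producer outputs a, b (T = idle); consumer inputs a', b' (T' = idle).
PRODUCER = {"s0": {"T": "s0", "a": "s1"}, "s1": {"T": "s1", "b": "s0"}}
CONSUMER = {"t0": {"T'": "t0", "a'": "t1"}, "t1": {"T'": "t1", "b'": "t0"}}


def atom(p): return ("atom", p)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def imp(f, g): return ("imp", f, g)
def AX(f): return ("AX", f)
def AG(f): return ("AG", f)

# Input not before output; output of b/a not before a/b is received.
SPEC = [
    AG(imp(conj(atom("s0"), atom("t0")), AX(neg(conj(neg(atom("s1")), atom("t1")))))),
    AG(imp(conj(atom("s1"), atom("t1")), AX(neg(conj(neg(atom("s0")), atom("t0")))))),
    AG(imp(conj(atom("s1"), atom("t0")), AX(neg(conj(atom("s0"), atom("t0")))))),
    AG(imp(conj(atom("s0"), atom("t1")), AX(neg(conj(atom("s1"), atom("t1")))))),
]


def holds(f, labels):
    """Evaluate a propositional formula at a product state labelled by its state names."""
    kind = f[0]
    if kind == "atom":
        return f[1] in labels
    if kind == "not":
        return not holds(f[1], labels)
    if kind == "and":
        return holds(f[1], labels) and holds(f[2], labels)
    raise ValueError("not propositional: %r" % (f,))


def expand(state, psi):
    """Local tableau step (unroll AG, discharge implications) at one configuration.
    Returns (ok, psi_ax): ok is False if a propositional obligation fails here;
    psi_ax is the set every enabled successor must satisfy (the slides' Psi_AX)."""
    labels, ax, work = set(state), set(), list(psi)
    while work:
        f = work.pop()
        if f[0] == "AG":                    # AG phi == phi and AX AG phi
            work.append(f[1]); ax.add(f)
        elif f[0] == "AX":
            ax.add(f[1])
        elif f[0] == "imp":                 # p => q: q is owed only where p holds
            if holds(f[1], labels):
                work.append(f[2])
        elif not holds(f, labels):
            return False, frozenset()
    return True, frozenset(ax)


def successors(state):
    """Lock-step product: (producer output, consumer input) -> next product state."""
    s, t = state
    return {(o, i): (PRODUCER[s][o], CONSUMER[t][i])
            for o in PRODUCER[s] for i in CONSUMER[t]}


def synthesize(init, spec):
    """Keep configurations (state, Psi) in which every producer output can be
    paired with some consumer input whose target configuration is also kept
    (the converter restricts inputs but never blocks an output). Returns the
    converter as {config: {(o, i): next_config}}, or None if none exists."""
    root = (init, frozenset(spec))
    good, nxt, queue = set(), {}, deque([root])
    while queue:                                # explore reachable configurations
        cfg = queue.popleft()
        if cfg in nxt:
            continue
        ok, psi_ax = expand(*cfg)
        nxt[cfg] = {lbl: (st, psi_ax) for lbl, st in successors(cfg[0]).items()} if ok else {}
        if ok:
            good.add(cfg)
            queue.extend(nxt[cfg].values())
    changed = True
    while changed:                              # greatest fixpoint: prune blocked configs
        changed = False
        for cfg in list(good):
            kept = {o for (o, _), c in nxt[cfg].items() if c in good}
            if kept != set(PRODUCER[cfg[0][0]]):
                good.discard(cfg)
                changed = True
    if root not in good:
        return None
    return {cfg: {lbl: c for lbl, c in nxt[cfg].items() if c in good} for cfg in good}


if __name__ == "__main__":
    conv = synthesize(("s0", "t0"), SPEC)
    for cfg, moves in conv.items():
        print(cfg[0], sorted(moves))
```

At the root the converter keeps TT', aT' and aa' and drops Ta', exactly the FAIL branch of the slides (the consumer must not read a' before the producer has output a); at s1t0 it drops bT', so b is only emitted while a' is delivered. Replacing SPEC with AG ¬s1 makes every a-move unsafe, the output a can no longer be covered, and synthesize returns None.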

Types of Protocol Mismatch o  Control mismatches o  Data Mismatches o  Clock mismatch

Conclusion
o  Two key problems:
   n  Component selection / matching
   n  Component composition
   n  Both problems solved in the context of SoCs and SOC.
   n  Key issues considered:
      o  Control mismatches
      o  Data-width / types
      o  Clock
   n  Future work: incremental design

References
o  P. S. Roop, A. Sowmya and S. Ramesh, "Forced Simulation: A Technique for Automating Component Reuse in Embedded Systems", ACM TODAES, October 2001.
o  Robi Malik and Partha Roop, "Adaptive Techniques for Specification Matching in Embedded Systems: A Comparative Study", IFM 2005.
o  Partha S. Roop, Arcot Sowmya and S. Ramesh, "K-time Forced Simulation: A Formal Verification Technique for IP Reuse", ICCD 2002: 50-55.
o  Roopak Sinha, Partha S. Roop, Samik Basu and Zoran Salcic, "A Module Checking based Converter Synthesis Approach for SoCs", VLSI Design 2008.
o  Roopak Sinha, Partha S. Roop and Samik Basu, "SoC Design Approach Using Convertibility Verification", EURASIP J. Emb. Sys. 2008.
o  Roopak Sinha, Partha S. Roop, Samik Basu and Zoran Salcic, "Multi-clock SoC design using protocol conversion", DATE 2009.
o  Roopak Sinha, Partha S. Roop, Samik Basu and Zoran Salcic, "Correct-by-construction multi-component SoC design", DATE 2012.
o  Zachary J. Oster, Syed Adeel Ali, Ganesh Ram Santhanam, Samik Basu and Partha S. Roop, "A Service Composition Framework Based on Goal-Oriented Requirements Engineering, Model Checking, and Qualitative Preference Analysis", ICSOC 2012: 283-297.
o  Syed Adeel Ali, Partha S. Roop and Ian Warren, "Web Service Choreography: Unanimous handling of Control and Data", International Journal of Software and Informatics (to appear).

Additional slides
o  The following slides discuss tableau construction to deal with data-width mismatches in SoCs, followed by data-type mismatches in SOCs.

Complexity
o  |I| is the size of the set of all counter valuations:
   n  For 1 counter C with range [0,R], there are R+3 valuations (R+1 valid values, 2 invalid).
   n  For n counters where each counter Ci's range is [0,Ri], |I| = (R1+3) × ... × (Rn+3).
o  |S| is the size of the synchronous parallel composition of all IPs.
o  |Ψ| is the size of the formula set Ψ.
o  |E| is the size of the set of signals that can be buffered by the converter.

Introducing Data Counters
o  P1 and P2 communicate using a 32-bit data buffer.
o  P1 writes 16-bit data (DOut16) while P2 reads 32-bit data (DIn32).
o  Data mismatches are possible:
   n  P1 may write data when the buffer is full (overflow).
   n  P2 may read data when the buffer is empty (underflow).
o  The converter must ensure that the above situations are avoided.
o  We introduce a data counter C, which is used by the converter to keep track of the number of bits contained in the data buffer after each transition in the system. C is initialized to 0.
o  Whenever a DOut16 is encountered, C is incremented by 16.
o  Whenever a DIn32 is encountered, C is decremented by 32.
o  The following CTL specification is used to ensure that the counter remains within bounds:

AG (0 ≤ C ≤ 32)

Processing Data Counters (figure)

Init (C=0) --DOut16--> C=16 --DOut16--> C=32 (Wait) --DIn32--> C=0. A further DOut16 at C=32 would give C=48, outside the buffer bound.

STEP-4: CTL Specifications
o  AG EF DOut16, AG EF DIn32: there must always exist a reachable state in the system where P1 can write data (P2 can read data).
o  AG AF (IdleS ∧ IdleT ∧ C=0): the protocols must always eventually reset to a state where the data buffer is empty.
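The counter guard is small enough to show in full. The following Python block is an added example (not the slides' tool): it models the counter update for DOut16 / DIn32, the set of moves the converter may enable at a given counter value so that AG (0 ≤ C ≤ 32) is preserved, a replay of an unconverted trace that reports the first overflow or underflow, and the counter values reachable once only guarded moves are taken. The trace in the main block is constructed to follow the figure above (two writes, one read, then a write that would overflow).

```python
"""Data-width mismatch guard with a data counter (added example). The converter
tracks the bits in the shared buffer and enables only moves that keep
AG(0 <= C <= 32), avoiding overflow and underflow."""
BUF_BITS = 32                       # buffer capacity from the slides
WRITE, READ = "DOut16", "DIn32"     # P1 writes 16 bits, P2 reads 32 bits
DELTA = {WRITE: +16, READ: -32}


def step(c, event):
    """Counter update for one transition (may leave the valid range)."""
    return c + DELTA[event]


def in_range(c):
    return 0 <= c <= BUF_BITS


def enabled(c):
    """Moves the converter may enable at counter value c: the subset of the
    possible transitions whose successor stays inside [0, BUF_BITS]."""
    return {e for e in DELTA if in_range(step(c, e))}


def run(trace, c=0):
    """Replay an unconverted trace. Returns (counter values, index of the first
    step that violates the bound, or None)."""
    values, bad = [c], None
    for i, event in enumerate(trace):
        c = step(c, event)
        values.append(c)
        if bad is None and not in_range(c):
            bad = i
    return values, bad


def guarded_valuations(c0=0):
    """Counter values reachable when the converter only enables guarded moves."""
    seen, todo = set(), [c0]
    while todo:
        c = todo.pop()
        if c in seen:
            continue
        seen.add(c)
        todo.extend(step(c, e) for e in enabled(c))
    return seen


if __name__ == "__main__":
    # Constructed trace following the figure: two writes fill the buffer, a
    # read drains it, and a third consecutive write at C=32 overflows to 48.
    print(run([WRITE, WRITE, READ, WRITE, WRITE, WRITE]))
```

With the guard in place the converter distinguishes only C ∈ {0, 16, 32}: a DIn32 is held back until two DOut16 have been buffered, and a DOut16 is held back while the buffer is full, which is what the π ⊆ Π pruning in the tableau example below does one transition at a time.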

STEP 5 – Model Checking o  Given the protocol composition and a set

of properties, we can use tableau-construction as before to generate a converter.

Example

C0//s0t0ca0 ⊨ {Φ1, Φ2, Φ3, Φ4}, with converter state c0: C = 0, Buf = {}

Φ1 = AG (0 ≤ C ≤ 32)
Φ2 = AG EF DOut16
Φ3 = AG EF DIn32
Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

UNR tableau rule (unroll AG):
C0//s0t0ca0 ⊨ {(0 ≤ C ≤ 32), AX Φ1, EF DOut16, AX Φ2, AX Φ3, EF DIn32, AX Φ4, AF (IdleS ∧ IdleT ∧ C=0)}

UNR tableau rule (unroll EF and AF; (0 ≤ C ≤ 32) holds at C = 0 and is discharged):
C0//s0t0ca0 ⊨ {AX Φ1, DOut16 ∨ EX EF DOut16, AX Φ2, AX Φ3, DIn32 ∨ EX EF DIn32, AX Φ4, (IdleS ∧ IdleT ∧ C=0) ∨ AX AF (IdleS ∧ IdleT ∧ C=0)}

OR tableau rule (neither DOut16 nor DIn32 holds in the initial state; the idle conjunction does):
C0//s0t0ca0 ⊨ {AX Φ1, EX EF DOut16, AX Φ2, AX Φ3, EX EF DIn32, AX Φ4, (IdleS ∧ IdleT ∧ C=0)}
C0//s0t0ca0 ⊨ {AX Φ1, EX EF DOut16, AX Φ2, AX Φ3, EX EF DIn32, AX Φ4}

ΨAX = {Φ1, Φ2, Φ3, Φ4}
ΨEX = {EF DOut16, EF DIn32}
Π = {(s0,t0,ca1), (s0,t1,ca1)}

Choosing π ⊆ Π = {(s0,t0,ca1), (s0,t1,ca1)}:
•  Signal a is not present in the buffers.
•  The transition to (s0,t1,ca1) would make the counter value negative.
Hence π = {(s0,t0,ca1)}.

C1//s0t0ca1 ⊨ {Φ1, EF DOut16, Φ2, Φ3, EF DIn32, Φ4}, with c1: C = 0, Buf = {} and converter move T/.;.;.

UNR tableau rule:
C1//s0t0ca1 ⊨ {(0 ≤ C ≤ 32), AX Φ1, DOut16 ∨ EX EF DOut16, AX Φ2, EF DIn32, AX Φ3, AF (IdleS ∧ IdleT ∧ C=0), AX Φ4}

and so on....

A Tool for SoC Composition

The currency converter revisited

(Figure: currency conversion example.) Item Service → GeoIP Service (localhost) → Country Service (CountryName) → Currency Service (CurrencyCode) → Calculator Service (rate) → multiplied amount.

Auto-FSM via WSDL

Country Service - http://www.webservicex.net/country.asmx?WSDL

Currency Conv Example

GeoIP Service - http://www.webservicex.net/geoipservice.asmx?WSDL
Calculator Service - www.html2xml.nl/Services/Calculator/Version1/Calculator.asmx?WSDL
Country Service - http://www.webservicex.net/country.asmx?WSDL
Currency Service - http://www.webservicex.net/CurrencyConvertor.asmx?WSDL
Item Service – localhost:80

(Tool screenshots: automatic connection of the services; automatic plus manual connection; redundant connections.)

Goal specifications
o  The price must not be calculated until the destination country is known.
o  Conversion should be made from the item's currency to the user's currency.
o  There must exist a path to a state where the converted rate can be obtained.

Specifying the Goal

GOAL: Obtain the converted rate. CTL: EF(Label=calc.multiply)

Constraint 1: The price must not be calculated until the destination country is known. CTL: A[¬(Label=item.price) U (Label=item.CountryToShip)]