ABV in the space context: verification of correctness requirements
Transcript of the workshop slides
Workshop - November 2011 - Toulouse
V. Lefftz (Astrium), L. Pierre (TIMA)
Overview
- Correctness properties for the Astrium case study, and how they are taken into account in the SystemC platform models:
  - TTP platform (Approximately Timed platform)
  - Dual-core platform (Architecture Exploration platform)
- PSL formalization of the properties and generation of the associated ISIS monitors
- Astrium return of experience (REX)
TTP platform: Block diagram
AMBA AHB based architecture with a processor and a HW convolution block. The HW block is configured by the processor. Processing is interleaved and results are written either to a work memory or to the "AHB" memory (an access to the AHB memory can cause a split).
[Block diagram: Leon (CPU), Convblock, AHB arbiter, AHB bus, memory controller, work memory and AHB memory, with an IRQ signal.]
TTP platform
[Platform model diagram: LEON PV / LEON T, Conv PV / Conv T, Mem PV / Mem T and AHBMem PV / AHBMem T blocks; the PV (programmer's view) parts are connected through a PV router, the T parts through the AHB bus model. Legend: initiator port, target port; link types TLM PV, TLM interrupt and TTP.]
Correctness properties
P1: The processor does not start a new convolution processing before the completion of the previous one.
P2: No convolution processing must be started before both destination and source addresses have been programmed.
P3: The memory does not respond with two "splits" consecutively to the same master.
PSL formalization
Where to observe? Two observation points are considered for P3 in the following slides: on the memory side and on the bus side.
Complete assertion for ISIS: on the memory side

unsigned int prev_master, master = 999;
bool status_split;   // true if a split has been issued
prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp;
prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s;

if (ahb_mem.transport_END()) {
  prev_master = master;
  master = ahb_mem.transport.p1.get_master_id();
  resp = ahb_mem.transport.p0;
  s = resp.get_ttp_status();
  status_split = (s.access_extension())->is_split();
} else
  status_split = false;

assert always((ahb_mem.transport_END() && status_split)
  => next (next_event (ahb_mem.transport_END() && (master == prev_master)) (!status_split)));
Complete assertion for ISIS: on the bus side

unsigned int prev_master, master = 999;
bool to_ahb;   // true if the target is the AHB memory
bool split;    // true if a split has been issued
prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp;
prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s;

if (bus_initiator_port.do_transport_END()) {
  to_ahb = (bus_initiator_port.do_transport.p3 == 0);
  if (to_ahb) {
    prev_master = master;
    master = bus_initiator_port.do_transport.p1.get_master_id();
    resp = bus_initiator_port.do_transport.p2;
    s = resp.get_ttp_status();
    split = (s.access_extension())->is_split();
  }
} else {
  to_ahb = false;
  split = false;
}

assert always((bus_initiator_port.do_transport_END() && to_ahb && split)
  => next (next_event (bus_initiator_port.do_transport_END() && to_ahb && (master == prev_master)) (!split)));
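The two ISIS assertions above compare the master of each completed transport with the master of the transaction that immediately preceded it (prev_master). As an added example, not ISIS-generated code and not Astrium's platform code, the plain C++ monitor below checks the same property P3 over a constructed trace of transaction ends, keeping one flag per master so that a transaction of another master between the split and the retry does not hide a second split to the same master. The TransportEnd record, the master ids and the trace in main() are assumptions made for this example.

```cpp
// Added example: a plain C++ monitor for the TTP property P3, "the memory
// does not respond with two splits consecutively to the same master".
// This is not ISIS-generated code and not the Astrium platform; the
// TransportEnd record, master ids and the trace in main() are constructed.
#include <cstdio>
#include <map>
#include <vector>

// What the monitor sees at each transport_END: which master issued the
// transaction and whether the AHB response status was SPLIT.
struct TransportEnd {
    unsigned master_id;
    bool split;
};

// One flag per master: true while that master's last response was a split,
// i.e. while the obligation "its next response must not be a split" is open.
// Keeping the flag per master (instead of comparing with the previous
// transaction's master, as prev_master does on the slide) keeps the
// obligation alive across transactions of other masters.
class NoConsecutiveSplitMonitor {
public:
    // Feed one observed transaction end; returns false if it violates P3.
    bool observe(const TransportEnd& t) {
        bool& open = open_obligation_[t.master_id];
        bool ok = !(open && t.split);   // a split while a split obligation is open
        if (!ok) ++violations_;
        open = t.split;                 // a non-split response discharges it
        return ok;
    }
    unsigned violations() const { return violations_; }

private:
    std::map<unsigned, bool> open_obligation_;
    unsigned violations_ = 0;
};

// Run the monitor over a whole trace and return the number of violations.
unsigned check_trace(const std::vector<TransportEnd>& trace) {
    NoConsecutiveSplitMonitor m;
    for (const auto& t : trace) m.observe(t);
    return m.violations();
}

int main() {
    // Constructed trace: master 1 is split, master 2 transacts, then master 1
    // retries and is split again, which is one violation of P3.
    std::vector<TransportEnd> trace = {{1, true}, {2, false}, {1, true}, {1, false}};
    std::printf("violations: %u\n", check_trace(trace));
    return 0;
}
```

The slide's status_split on the current event is t.split here, and the per-master flag plays the role of the obligation opened by the antecedent of the PSL assertion; with the slide's prev_master comparison the trace in main() is not flagged, because the retry of master 1 follows a transaction of master 2.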
Dual-Core Architecture
Image spectral-compression platform. Performs "subsampling" on incoming data packets. Subsampled packets are then transferred to an auxiliary processing unit which performs a 2D-FFT (using a co-processor) and data encoding.
[Data-flow diagram: Input (10N) -> Subsampling (10N -> 5N) -> 2D-FFT (5N -> 5N) -> Encoding (5N -> N) -> Output (N).]
Processing platform
[Platform diagram: Mem_a, DMA_a and Leon_a; Mem_b, DMA_b and Leon_b; FFT co-processor; IO module.]
Processing platform (cont'd)
1. The IO module generates an interrupt causing DMA_a to transfer the input packet of size 10N to Mem_a.
2. At the end of the transfer, Leon_a subsamples the data and writes the result to Mem_a (10N -> 5N).
3. Leon_a configures DMA_b to transfer the result to Mem_b (5N -> 5N).
4. At the end of the transfer, Leon_b configures the FFT module to perform a 2D-FFT (5N -> 5N).
5. Leon_b encodes the result (5N -> N) and programs DMA_b to send the result to the IO module (N -> N).

Correctness properties
P1: During every transfer, DMA_a must not be reconfigured before the end of the transfer.
P2: Same property for DMA_b (but DMA_b can be configured by both the Leon_a and Leon_b processors).
P3: Each incoming data packet must have a corresponding output packet (i.e., no packet is lost inside the processing platform).
P4: Same as property P1 for the FFT module.
P5: A data packet must be read before the IO module generates a new interrupt (i.e., data are not lost in the IO port).
PSL formalization: illustration on the third property
P3: each incoming data packet must have a corresponding output packet.
More precise statement: each block transferred by DMA_a from the IO module into Mem_a (input) will eventually be transferred by DMA_b from Mem_b to the IO module (output).
This requires the ISIS "NEW" construct: one instance of the property is created for each input block, capturing the value that the output must match.
PSL "modeling layer": used to store the values that are read by DMA_a and written by DMA_b (its code is shown with the complete assertion below).
Complete assertion for ISIS

unsigned char *write_data_ptr, *read_data_ptr;
unsigned int write_value, read_value;

// modeling layer: first 32-bit word of the block, least significant byte first
if (dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address) {
  read_data_ptr = dma_a.read_block.p2;
  read_value = read_data_ptr[0] + (read_data_ptr[1] << 8)
             + (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24);
}
if (dma_b.write_block_CALL() && dma_b.write_block.p1 == io_module_address) {
  write_data_ptr = dma_b.write_block.p2;
  write_value = write_data_ptr[0] + (write_data_ptr[1] << 8)
              + (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24);
}

assert always((dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address)
  => NEW(true ? x:unsigned int = read_value)
       (eventually!(dma_b.write_block_CALL()
                    && dma_b.write_block.p1 == io_module_address
                    && x == write_value)));
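To make the semantics of NEW and eventually! concrete, here is an added example, not ISIS output and not the Astrium platform: a plain C++ monitor that opens one obligation per input block read by DMA_a from the IO module (the NEW instance, with x bound to the first word of the block), discharges it on a later DMA_b write to the IO module carrying the same word, and reports the obligations still open at the end of the simulation as lost packets (the eventually! failure). The BlockEvent record, the Ev enumeration, the value of io_module_address and the trace in main() are assumptions made for the example.

```cpp
// Added example: a plain C++ monitor with the semantics of the ISIS "NEW" +
// "eventually!" assertion for the dual-core property P3. Not ISIS output and
// not the Astrium platform: BlockEvent, Ev, io_module_address and the trace
// in main() are constructed for this example.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// The value the slide's modeling layer captures: the first four bytes of the
// block assembled least-significant byte first (unsigned arithmetic here, so
// a byte >= 0x80 in the top position is well defined).
std::uint32_t block_value(const unsigned char* p) {
    return std::uint32_t(p[0]) | (std::uint32_t(p[1]) << 8) |
           (std::uint32_t(p[2]) << 16) | (std::uint32_t(p[3]) << 24);
}

// The two observation points of the assertion: end of a DMA_a read_block and
// call of a DMA_b write_block.
enum class Ev { dma_a_read_end, dma_b_write_call };

struct BlockEvent {
    Ev kind;
    unsigned address;                 // p1 on the slide: the other end of the transfer
    std::vector<unsigned char> data;  // p2 on the slide: the block itself
};

const unsigned io_module_address = 0xA0000000u;  // assumed for the example

class EveryInputEventuallyOutput {
public:
    void observe(const BlockEvent& e) {
        // Events that do not involve the IO module are ignored, as the
        // address test in the assertion does.
        if (e.address != io_module_address || e.data.size() < 4) return;
        std::uint32_t x = block_value(e.data.data());
        if (e.kind == Ev::dma_a_read_end) {
            ++pending_[x];        // NEW: one independent instance per input block
        } else {
            // One matching output satisfies every instance that captured this
            // value, since PSL instances are independent: the check is only as
            // discriminating as the captured word.
            pending_.erase(x);
        }
    }

    // eventually! at end of simulation: each instance still pending is an
    // input packet with no corresponding output.
    std::size_t lost_packets() const {
        std::size_t n = 0;
        for (const auto& kv : pending_) n += kv.second;
        return n;
    }

private:
    std::map<std::uint32_t, std::size_t> pending_;
};

// Number of lost packets after running the monitor over a whole trace.
std::size_t lost_after(const std::vector<BlockEvent>& trace) {
    EveryInputEventuallyOutput m;
    for (const auto& e : trace) m.observe(e);
    return m.lost_packets();
}

int main() {
    // Constructed trace: two input packets, only the first reaches the output;
    // the DMA_b write to another address (Mem_b) is not an output.
    std::vector<BlockEvent> trace = {
        {Ev::dma_a_read_end,   io_module_address, {0x78, 0x56, 0x34, 0x12}},
        {Ev::dma_a_read_end,   io_module_address, {0x01, 0x00, 0x00, 0x00}},
        {Ev::dma_b_write_call, 0x40000000u,       {0x01, 0x00, 0x00, 0x00}},
        {Ev::dma_b_write_call, io_module_address, {0x78, 0x56, 0x34, 0x12}},
    };
    std::printf("lost packets: %zu\n", lost_after(trace));
    return 0;
}
```

Because the slide's assertion matches packets on their first 32-bit word only, two inputs whose blocks start with the same word are discharged by a single output; if that can happen in the data set, the modeling layer should capture something that identifies the packet uniquely (a sequence number or a longer prefix).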
Astrium's REX
- Good expressivity of PSL.
- High added value of the modelling layer to handle the context.
- Moderate time overhead induced by monitoring (5-8%).
- The property checkers will provide valuable help for non-regression testing.
- Careful (natural language) expression of the requirements: specify at TLM interfaces; disambiguate the properties, in particular the meaning of communication actions (verbs, transaction sequence), and specify your preferred observation points (method name and parameter identification).
- Use a macro-language to relax the coupling between modelling rules and the properties.

Future works
- Define and implement the macro-language, linked with the development of the abstraction layer above TLM providing some observation (hook) facilities.
- Expression of functional dependencies between properties.
- Properties refinement from System/TLM to RTL.
- Usage extension: embed the monitors into flight HW; synthesize a supervisor; mitigate radiation effects at architecture level.
Thank you
Any questions ?
ISIS monitors
[Flow diagram: the SystemC platform and the PSL assertions for P1 to P5 are given to ISIS, which produces the XML configuration files and the monitors with their observation mechanism; together with the platform these form the instrumented SystemC platform that is then run in simulation.]