Components, Interfaces and Compositions: from SoCs to SOCs

Partha S. Roop University of Auckland

Organization o  Significance of components and

interfaces. o  Two recent frontiers – SoCs and SOCs. o  Key problems:

n  Component matching – refinement based and DES control based.

n  Component composition – converter / choreographer synthesis.

o  Conclusions.

Acknowledgements o  Forced Simulation is joint work with A. Sowmya

(UNSW), S. Ramesh (General Motors R&D) and the link to DES is with Robi Malik (Waikato).

o  Local module checking and converter synthesis is joint work with Roopak Sinha (Postdoc) and Samik Basu (Iowa State).

o  Web Services composition is joint work with Adeel Ali (PhD student), Ian Warren (Soft. Eng., Auckland) and Zeeshan Bhatti (PhD student)

I, Pencil o  “Simple? Yet, not a single person on the face of

this earth knows how to make me.” n  Making of lead (graphite + clay) n  Making of body (cedar + lacquer) n  Eraser (rubber + factice + …) n  Label (carbon + resin + …) n  Ferrule (brass + zinc + …)

“I, Pencil”, Leonard E. Read (1898-1983), published Dec 1958, issue of The Freeman.

Mass manufacturing

Structural assembly

Mechanical Assembly

Quality control

Electronics

……

…

A System-on-a-chip (SoC) Example

Source: R. Sinha, Automated Techniques for SoC Verification, PhD thesis, University of Auckland, 2008.

Consumer electronics revolution fuelled by SoCs

n  Compliance to strict safety standards [IEC 61508, DO 178]

[Paolieri et al 2011] Towards Functional-Safe Timing-Dependable Real-Time Architectures.

Embedded Systems Safety-critical concerns

Timing/Functionality requirements

7

Service Oriented Computing

Internet Service Composition Featuring The Future …!

Related work o  Abstract Interfaces [Parnas’77] o  OO methodologies and UML o  Formal techniques:

o  IO Automata o  Interface Automata o  Interface Theories o  Discrete controller synthesis o  Module checking o  Converter synthesis

Two key questions o  Question 1: specification matching /

component adaptation (the “what” question).

o  Question 2: component composition (the “how” question).

Specification Matching ‒ “Can a given device automatically be adapted to implement a new function?”

Two Answers: o  Forced Simulation o  Supervisory Control

First Question:

Coffee Brewer Example

Assume Given: Coffee Brewer device that can ▪ brew 4 or 8 cups of

coffee ▪ medium or strong

Device D

0

1 2 3

8cups strong ∧ 8cups default

4

strong

error

brew

5 6 7 8

10 9

brew brew brew

error error error

ready8m ready8s

ready4m ready4s

replenish

reset

Specification F

0

1

2

3

8cups

default

error

error

ready4m

ready8m

reset

Disabling and Forcing

Assume Given: Coffee Brewer device that can ▪ brew 4 or 8 cups of

coffee ▪ medium or strong

Device D

0

1 3

8cups strong ∧ 8cups default

strong

error

brew

5 7

10 9

brew

error

ready8m ready4m

replenish

reset

2 4

6 8

brew brew

error error ready8s

ready4s

û û

Specification F

0

1

2

3

8cups

default

error

error

ready4m

ready8m

reset

Disable Strength Switch

[brew]

ForceBrew Switch

[brew]

[replenish]

An Adapter for the Coffee Brewer

Adapter A

0/0

1/1 3/2

8cups default

reset 5/1 7/2

9/3 10/3 9/0

[brew] [brew]

error error

ready4m ready8m

[replenish] [reset]

Specification F

0

1

2

3

8cups

default

error

error

ready4m

ready8m

reset

Forced Composition

Let A be an adapter an D be a device. Define the forced composition A // D by

(qA, qD) → (qA, qD) ’ ’ τ (qA) →A (qA) ’

[α] (qD) →D (qD) ’

α

(qA, qD) → (qA, qD) ’ ’ σ (qA) →A (qA) ’

σ (qD) →D (qD) ’

σ

Specification Matching Problem

Let F be a specification and D be a device. We say that

A // D ≈ F

“D can implement the function F ”,

if there exists a well-formed and deterministic adapter A such that

Forced Simulation Solution

A // D ≈ F

Theorem There exists a well-formed and deterministic adapter A such that

if and only if

F ≲fsim D

Condition for the existence of A

'' and 'such that and q' exits there

,'such that ' all and allfor If.3

;' and 'such that

' exists e then ther, and for If.2

; somefor .1:

and between relation simulation forced a is

.*

D

*.

*00

*

Ds

FDDD

FFFFDF

Ds

FDD

DDDs

F

Ds

F

DF

qRqqqsQqqQqqRq

qRqqqQqsqRq

sqRqprovided

DFQQR

⎯→⎯Σ∈∈

⎯→⎯∈Σ∈

⎯→⎯

∈Σ∈Σ∈

Σ∈

Σ××⊆

σ

σε

σ

σ

σ

σ

Start states must be related!

states related by a forcing sequence! Directly related!

Example α

R = {(f0, d0, α), (f0, d1, ε), (f2, d2, ε)} !

d0

d1

d2

α

α β α

f0

f1

β

Function F

ε!

ε!Device D

Another Solution

α

d0

d1

d2

α

α β α

f0

f1

β

Function F

ε!

Device D

ε!

R = {(f0, d0, ε), (f0, d1, α), (f2, d2, ε)} !

Supervisory Control Problem

Let F be a specification and P be a plant. We say that

L(S || P) = L(F)

“F can be achieved by control of P ”

if there exists a supervisor S such that “F is controllable with respect to P ”

Creating a Plant from the Device

Assume Given: Coffee Brewer device that can ▪ brew 4 or 8 cups of

coffee ▪ medium or strong

0

1 2 3

8cups

strong ∧ 8cups default

4

strong

error

brew

5 6 7 8

10 9

brew brew brew

error error error

ready8m ready8s

ready4m ready4s

replenish

reset

[8cups]

[strong ∧ 8cups] [default]

[strong]

[brew] [brew] [brew] [brew]

[replenish]

[reset]

Device D Plant [D]

A // D = (A || [D]) \ [Σ]

Least Restrictive vs. Well-Formed

Device D

0

1

2

α

α β

Function F

α 0

1

β

Adapter Afsim,1

0

1

2

[α]

α β

Adapter Afsim,2

0

1

2

α

[α] β

Adapter Asupcon

00

10

21

α

[α] β

20

11

01

α

[α]

[α]

[α]

[β]

[β]

Comparison and Summary Feature Forced simulation Supervisory control

Relationship between A and F

A // D ≈ F L(A // D) ⊆ L(F)

Well-formedness guaranteed requires additional steps

Forced cycles not possible may occur

Nonblocking guaranteed can be guaranteed

Uniqueness solutions weakly bisimilar

unique least restrictive solution

Controllability not considered handled

Complexity O(|QF||QD|2|Σ|) O(|QF|2|QD|2|Σ|)

Second Question:

n  Composition ‒Design and develop systems

from multiple independently developed components

n  How to effectively address protocol-mismatches during composition?

Answer:

Relationship to convertibility verification.

Motivation o  Reuse Methodology Manual for System-on-a-Chip Designs by

Keating and Bricaud, Springer 2002 (3rd edition)

n  “verifying functionality and timing at the system-level is probably the most difficult and important aspect of SoC design. .. For many teams, verification takes 50%-80% of the overall design effort"

n  "the low-level interfaces do not work; for example, a handshake signal inverted”

Suggested design flow 1.

Specification

2. BehaviouralModel

3. Refine & Test

4. Hardware/SoftwarePartitioning

5. Hardwarearchitecture model

5. Prototypesoftware

Co!simulation6.

specification specification

Block n SpecBlock 1 Spec

Initial Requirements(Boiler Plates)

Interfaces

Interfaces

Initial IPInterfaces

Existing IPs

7. Software (SW)7. Hardware (HW)

and protocol compatibity checking

System Level FormalVerification

8.

SW IP

HW IP

Requirements and Specification

System

Solution Mechanism o  Converter-based protocol conversion

n  Develop a converter: acts as a mediator between two components with mismatched protocols

Protocol P1

Goal: Compose P1 and P2 to realize the Specification

Protocol P2

Specification

Solution Mechanism o  Converter-based protocol conversion

n  Develop a converter: acts as a mediator between two components with mismatched protocols

Protocol P1

Goal: Compose P1 and P2 to realize the Specification

Protocol P2

Specification

Solution Mechanism o  Converter-based protocol conversion

n  Develop a converter: acts as a mediator between two components with mismatched protocols

Protocol P1 Protocol P2

Specification

Solution: Converter addresses mismatches

Converter

Set-top box

Video decoder

PAL/NTSC Encoder

Key control

Challenges: •  Multi-clock •  Differing data-widths •  Control signals mismatch

Idles  

s0  

COut8  

s1  valid/.

./done

invalid/.

(a)  IR  Sender  PS  

Idlet  

t0  

KeyIn32  

t1  

ready/. ¬keyok/ stop

¬ ready/.

keyok/ start

IR  Buffer  

32-­‐bits  

(b)  Control  PT  

Off  

u0  

SigOut8  

u2  SigRd8  

u1  

start/.

true/.

true/.

stop/.

(c)  Video  Decoder  PU  

SaEelite  signal  input  (8-­‐bits)  

AV  Output  signal  (8-­‐bits)  

start   stop  

Wait  

u0  

SigOut8  

v2  On  

SigRd8  

v1  

pkt/.

pal/. ntsc/.

pkt/.

PAL-­‐out  (to  TV)  

(d)  PAL/NTSC  Encoder  PU  

SoC

Converter

Converter

(Uncontrollable Inputs)

Key control

Video decoder

PAL/NTSC Encoder

How about service composition?

Item Service

GeoIP Service

(localhost)

Country Service

CountryName

Currency Service CurencyCode

Calculator Service rate

Multiplied Amount

Click for Demo

Composition Framework

*.wsdl

*.wsdl

*.wsdl

WSD

L to

LTS

G

ener

ator

User Guided Data Connections

Parallel

Composition

Goa

l Spe

cific

atio

n

LTS encapsulated

service models

Composite Service

Related Work Approach Model Spec Multiple

Protocols Algorithm UE Buffering Data Multi-

clock

Avnit et al.’08

SPA nil no refinement no yes limited yes

D’Silva et al.’04

SPA Nil no Refinement no yes limited yes

Passerone et al.’02

LTS LTS no Game-theoretic

no yes no no

Kumar et al.’97

LTS LTS no Supervisory Control

yes no no no

Tivoli et al.’08

LTS Nil Yes Coverability-analysis

yes yes no yes

Our Approach

LTS CTL yes Model checking

yes yes yes yes

Approach

Input Services Data Behaviour Composition

Algorithm Type Auto Model

Model Flow Sem-antic

Struc-tural

Model Spec

Mitra et al. Syntactic - - - - - i/o automata

i/o automaton

Tabled-Logic Programming

ASTRO Syntactic

- DataNet + - - STS EAGLE Planning based Model Checking

Berardi et al. Syntactic

- - - - - FSM DPDL Satisfiability of DPDL

Lecue et al. Semantic - Schema Graph

+ + + - - -

Proposed Syntactic

+ Schema Graph

+ + + LTS CTL Tableau based Model Checking

Related Work – Service Composition

Types of Protocol Mismatch o  Control-signal mismatch o  Data mismatch o  Clock mismatch

Protocol Model

t1 t0

b’

a’

s0

s1

b a

T

primed: input signal unprimed: output signal

KS = (AP, S, s0, Σ, R, L) AP: atomic propositions, S: set of states, s0 2 S: start state, Σ: transition labels, R: Transitions, L: labels states to propositions.

T’

T

Handshake Producer

Serial Consumer

Ref: Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin

Passerone, Luca de Alfaro, Thomas A. Henzinger and Alberto L. Sangiovanni-Vincentelli, ICCAD’02

Protocol Model Composition

t1 t0

b’

a’

s0

s1

b a

T

primed: input signal unprimed: output signal

T’

T s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’

bb’

ba’ ab’

bT’ aT’

TT’

TT’

Ref: Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin

Passerone, Luca de Alfaro, Thomas A. Henzinger and Alberto L. Sangiovanni-Vincentelli, ICCAD’02

Specification Language o  CTL Syntax Φ ! tt | P | ¬P | Φ Ç Φ | AX/EXΦ | AG/EGΦ | A(Φ U Ψ)

| E(Φ U Ψ)

All/some successors satisfy Φ

All/some reachable states satisfy Φ

Along all paths Φ is satisfied until Ψ

Along some path Φ is satisfied until Ψ

Protocol Model Properties

Input cannot be made before corresponding output: 1.  AG[s0,t0 ) AX¬(¬s1,t1)] 2.  AG[s1,t1 ) AX¬(¬s0,t0)] (s0,t0): for a action (s1,t1): for b action

s0

s1

b a

T

T

t1 t0

b’

a’

T’

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’

bb’

ba’ ab’

bT’ aT’

TT’

TT’

Ref: Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin

Passerone, Luca de Alfaro, Thomas A. Henzinger and Alberto L. Sangiovanni-Vincentelli, ICCAD’02

Protocol Model Properties

Input cannot be made before corresponding output: 1.  AG[s0,t0 ) AX¬(¬s1,t1)] 2.  AG[s1,t1 ) AX¬(¬s0,t0)] Output of b/a is not allowed before a/b is received: 1.  AG[s1,t0 ) AX¬(s0t0)] 2.  AG[s0,t1 ) AX¬(s1t1)]

s0

s1

b a

T

T

t1 t0

b’

a’

T’

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’

bb’

ba’ ab’

bT’ aT’

TT’

TT’

Ref: Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin

Passerone, Luca de Alfaro, Thomas A. Henzinger and Alberto L. Sangiovanni-Vincentelli, ICCAD’02

Protocol Model Properties

Input cannot be made before corresponding output: 1.  AG[s0,t0 ) AX¬(¬s1,t1)] 2.  AG[s1,t1 ) AX¬(¬s0,t0)] Output of b/a is not allowed before a/b is received: 1.  AG[s1,t0 ) AX¬(s0t0)] 2.  AG[s0,t1 ) AX¬(s1t1)]

s0

s1

b a

T

T

t1 t0

b’

a’

T’

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’

bb’

ba’ ab’

bT’ aT’

TT’

TT’

Ref: Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin

Passerone, Luca de Alfaro, Thomas A. Henzinger and Alberto L. Sangiovanni-Vincentelli, ICCAD’02

Lock-Step Composition o  Converter-based solution

n  Protocol-models move if and only if the converter allows that move

n  Converter cannot block any outputs

o  Let ci be composed with (si, ti) then (si,ti) ! (sj, tj) is allowed if and only if ci

can move on (a’)

a

Protocol P1 Protocol P2 Converter

Converter Synthesis

(s,t)//c ² Φ

(s1,t1)//c1 ² Φ1 (s2,t2)//c2 ²Φ2 … (sk,tk)//ck²Φk

•  The antecedent holds if and only if the consequents hold •  Local, top-down approach similar to tableau-based CTL model checking

Tableau Rules

(s,t)//c ² Ψ

9 π µ Π:8 σ2π: (sσ,tσ)//cσ² ΨAX

Ψ  only contains formulas of the form AXΦ 1.  Identify the set of possible transitions from (s,t): Π 2.  Enable a subset of possible transitions using converter: c! cσ 3.  All enabled transition leads to states satisfying Φ’s

ΨAX = {Φ | AXΦ 2 Ψ} Π  = {σ | (s,t) ! (sσ,tσ)} cσ: c ! cσ and D(σ,σ’)

σ

σ’

Enabled transition set must include all possible output transitions. Also, resulting machine has to be responsive to T input.

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[s0t0)AX¬(¬s1,t1)], AG[s1t1)AX¬(¬s0,t0)], AG[s1t0)AX¬(s0t0)] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t0//c0’ ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

s0t1//c1 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

s1t0//c3 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

s1t1//c2 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t0//c0’ ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c0’

T’ T

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t0//c0’ ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c0’

T’ T

s0t0//c0’ ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Same formula state pair

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

c0 Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t0//c0’ ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

T’ T

s0t0//c0’ ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Same formula state pair

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t0//c0’ ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] } SUCCESS T in producer allowed

s0t1//c1 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c0 T’ T

s1t0//c3 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

s1t1//c2 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t1//c1 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c0 T’ T

c1 T’a

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t1//c1 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c0 T’ T

c1 T’a

FAIL

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s0t1//c1 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] } FAIL T in producer blocked

c0 T’ T

s1t0//c3 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

s1t1//c2 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c1 T’a

TT’

s0t0//c0’ ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] } SUCCESS T in producer allowed

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s1t1//c2 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c0 T’ T

c1

c2

T’a

a’a

TT’

Example

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’

Tb’

aa’ bb’ ba’

ab’ bT’ aT’

TT’

s0t0//c0 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

Φ1 = s0t0) AX¬(¬s1,t1) Φ2 = s1t1) AX¬(¬s0,t0) Φ3 = s1t0) AX¬(s0t0)

s0t0//c0 ² {AXAG[Φ1], Φ1, AXAG[Φ2], Φ2, AXAG[Φ3], Φ3 }

s0t0//c0 ² {AXAG[Φ1], AX¬(¬s1,t1), AXAG[Φ2], AXAG[Φ3] }

s1t1//c2 ² {AG[Φ1], ¬(¬s1,t1), AG[Φ2], AG[Φ3] }

c0 T’ T

c1

c2

T’a

a’a

s1t1//c2 ² {AG[Φ1], AG[Φ2], AG[Φ3] }

TT’

Example

s0

s1

b a

T

T

t1 t0

b’

a’

T’

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’ Tb’

aa’

bb’

ba’ ab’

bT’ aT’

TT’

TT’

c0 T’ b

c3

b’a a’ b a’ T

T’ T

T’ T

c34

Converter

Example

s0

s1

b a

T

T

t1 t0

b’

a’

T’

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’ Tb’

aa’

bb’

ba’ ab’

bT’ aT’

TT’

TT’

c0 T’ b

c3

b’a a’ b a’ T

T’ T

T’ T

c34

Converter

Example

s0

s1

b a

T

T

t1 t0

b’

a’

T’

s0 t0

s0 t1

Ta’

Tb’

s1 t0

s1 t1

Ta’ Tb’

aa’

bb’

ba’ ab’

bT’ aT’

TT’

TT’

c0 T’ b

c3

b’a a’ b a’ T

T’ T

T’ T

c34

Converter

Types of Protocol Mismatch o  Control mismatches o  Data Mismatches o  Clock mismatch

Conclusion o  Two key problems

n  Component selection / matching n  Component composition n  Both problems solved in the context of SoCs

and SOC. n  Key issues considered:

o  Control mismatches o  Data-width / types o  Clock

n  Future work: Incremental design

References o  Roop, Sowmya and Ramesh, “Forced Simulation – A Technique for Automating

Component Reuse in Embedded Systems”, ACM-TODAES, October 2001. o  Robi Malik and Partha Roop, "Adaptive Techniques for Specification Matching in

Embedded Systems: A Comparative Study", IFM 2005. o  Partha S. Roop, Arcot Sowmya, S. Ramesh, K-time forced Simulation: A Formal

Verification Technique for IP Reuse. ICCD 2002: 50-55. o  Roopak Sinha, Partha S Roop and Samik Basu and Zoran Salcic, "A Module

Checking based Converter Synthesis Approach for SOCs", VLSI Design 2008. o  Roopak Sinha, Partha S. Roop, Samik Basu, “SoC Design Approach Using

Convertibility Verification”, EURASIP J. Emb. Sys. 2008. o  Roopak Sinha, Partha S Roop and Samik Basu and Zoran Salcic, “Multi-clock Soc

design using protocol conversion”, DATE 2009. o  Roopak Sinha, Partha S Roop and Samik Basu and Zoran Salcic, ”Correct-by-

construction multi-component SoC design” DATE 2012. o  Zachary J. Oster, Syed Adeel Ali, Ganesh Ram Santhanam, Samik Basu, Partha S.

Roop: A Service Composition Framework Based on Goal-Oriented Requirements Engineering, Model Checking, and Qualitative Preference Analysis. ICSOC 2012: 283-297

o  Syed Adeel Ali, Partha S. Roop, Ian Warren,: Web Service Choreography: Unanimous handling of Control and Data. International Journal of Software and Informatics (To Appear).

Additional slides o  The following slides discuss tableau

construction to deal with data-width mismatches in SoCs followed by data-type mismatches in SOCs.

Complexity

o  |I| is the size of the set of all counter valuations: n  For 1 counter C with range [0,R], there are

R+3 valuations (R+1 valid values, 2 invalid) n  For n counters where each counter Ci’s

range is [0,Ri], |I| = (R1+3)x...x(Rn+3).

Complexity

o  |S| is the size of the synchronous parallel composition of all IPs.

o  |Ψ| is the size of the formula set Ψ. o  |E| is the size of the set of signals that

can be buffered by the converter.

Introducing Data Counters o  P1 and P2 communicate using a 32-bit

data buffer. o  P1 writes 16-bit data (DOut16) while P2

reads 32-bit data (DIn32).

Introducing Data Counters o  Data mismatches are possible:

n  P1 may write data when buffer is full (overflow).

n  P2 may read data when buffer is empty (underflow).

o  Converter must ensure that the above situations are avoided.

Introducing Data Counters o  We introduce a data counter C, which

is used by the converter to keep track of the number of bits contained in the data buffer after each transition in the system. C is initialized to 0.

o  Whenever a DOut16 is encountered, C is incremented by 16.

o  Whenever a DIn32 is encountered, C is decremented by 32.

Introducing Data Counters o  The following CTL specification is used to

ensure that counter remains within bounds

AG (0 ≤ C ≤ 32)

Processing Data Counters

Init DOut16 DOut16

C=0 C=16 C=32

Wait

C=32

DIn32

C=0

DOut16

C=48

STEP-4: CTL Specifications o  AG EF DOut16, AG EF DIn32 : There must

always exist a reachable state in the system where P1 can write data (P2 can read data).

o  AG AF (IdleS ∧ IdleT ∧ C=0): The protocols must always eventually reset to a state where the data buffer is empty.

STEP 5 – Model Checking o  Given the protocol composition and a set

of properties, we can use tableau-construction as before to generate a converter.

Example

C0//s0t0ca0 ² {Φ1 , Φ2 , Φ3, Φ4}

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C = 0 Buf = {}

Example

C0//s0t0ca0 ² {Φ1 , Φ2 , Φ3, Φ4}

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {(0 ≤ C ≤ 32), AX Φ1 , EF DOut16 , AX Φ2 , AX Φ3, EF DIn32, AX Φ4, AF (IdleS ∧ IdleT ∧ C=0)}

C = 0 Buf = {}

UNR tableau rule

Example

C0//s0t0ca0 ² {Φ1 , Φ2 , Φ3, Φ4}

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {(0 ≤ C ≤ 32), AX Φ1 , EF DOut16 , AX Φ2 , AX Φ3, EF DIn32, AX Φ4, AF (IdleS ∧ IdleT ∧ C=0)}

C0//s0t0ca0 ² {AX Φ1 , DOut16 ∨ EXEF DOut16 , AX Φ2 , AX Φ3, DIn32 ∨ EXEF DIn32, AX Φ4, (IdleS ∧ IdleT ∧ C=0) ∨ AX AF (IdleS ∧ IdleT ∧ C=0)}

C = 0 Buf = {}

UNR tableau rule

Example

C0//s0t0ca0 ² {Φ1 , Φ2 , Φ3, Φ4}

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {(0 ≤ C ≤ 32), AX Φ1 , EF DOut16 , AX Φ2 , AX Φ3, EF DIn32, AX Φ4, AF (IdleS ∧ IdleT ∧ C=0)}

C0//s0t0ca0 ² {AX Φ1 , DOut16 ∨ EXEF DOut16 , AX Φ2 , AX Φ3, DIn32 ∨ EX EF DIn32, AX Φ4, (IdleS ∧ IdleT ∧ C=0) ∨ AX AF (IdleS ∧ IdleT ∧ C=0)}

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4, (IdleS ∧ IdleT ∧ C=0)}

C = 0 Buf = {}

OR tableau rule

Example

C0//s0t0ca0 ² {Φ1 , Φ2 , Φ3, Φ4}

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {(0 ≤ C ≤ 32), AX Φ1 , EF DOut16 , AX Φ2 , AX Φ3, EF DIn32, AX Φ4, AF (IdleS ∧ IdleT ∧ C=0)}

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4, (IdleS ∧ IdleT ∧ C=0)}

C0//s0t0ca0 ² {AX Φ1 , DOut16 ∨ EXEF DOut16 , AX Φ2 , AX Φ3, DIn32 ∨ EX EF DIn32, AX Φ4, (IdleS ∧ IdleT ∧ C=0) ∨ AX AF (IdleS ∧ IdleT ∧ C=0)}

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4}

C = 0 Buf = {}

Example

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4}

C = 0 Buf = {}

ΨAX = {Φ1, Φ2, Φ3, Φ4} ΨEX = {EF DOut16 , EF DIn32}

Example

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4}

C = 0 Buf = {}

ΨAX = {Φ1, Φ2, Φ3, Φ4} ΨEX = {EF DOut16 , EF DIn32} Π = {(s0,t0,ca1), (s0,t1,ca1)}

π µ Π = {(s0,t0,ca1), (s0,t1,ca1)}

Example

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4}

C = 0 Buf = {}

ΨAX = {Φ1, Φ2, Φ3, Φ4} ΨEX = {EF DOut16 , EF DIn32} Π = {(s0,t0,ca1), (s0,t1,ca1)}

π µ Π = {(s0,t0,ca1), (s0,t1,ca1)} • Signal a is not present in buffers. • Transition to (s0,t1,ca1) will lead to counter value to become negative.

Example

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4}

C = 0 Buf = {}

ΨAX = {Φ1, Φ2, Φ3, Φ4} ΨEX = {EF DOut16 , EF DIn32} Π = {(s0,t0,ca1), (s0,t1,ca1)}

π µ Π = {(s0,t0,ca1)}

Example

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C0//s0t0ca0 ² {AX Φ1 , EXEF DOut16 , AX Φ2 , AX Φ3, EX EF DIn32, AX Φ4}

C = 0 Buf = {}

ΨAX = {Φ1, Φ2, Φ3, Φ4} ΨEX = {EF DOut16 , EF DIn32} Π = {(s0,t0,ca1), (s0,t1,ca1)} π µ Π = {(s0,t0,ca1)}

C1//s0t0ca1 ² {Φ1 , EF DOut16 , Φ2 , Φ3, EF DIn32, Φ4}

c1 C = 0 Buf = {}

T/.;.;.

Example

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C = 0 Buf = {}

C1//s0t0ca1 ² {Φ1 , EF DOut16 , Φ2 , Φ3, EF DIn32, Φ4}

c1 C = 0 Buf = {}

T/.;.;.

C1//s0t0ca1 ² {(0 ≤ C ≤ 32) , AXΦ1 , DOut16 ∨ EX EF DOut16 , AX Φ2 , EF DIn32 , AX Φ3, AF (IdleS ∧ IdleT ∧ C=0), AX Φ4}

Example

c0 Φ1 = AG (0 ≤ C ≤ 32) Φ2 = AG EF DOut16 Φ3 = AG EF DIn32 Φ4 = AG AF (IdleS ∧ IdleT ∧ C=0)

C = 0 Buf = {}

C1//s0t0ca1 ² {Φ1 , EF DOut16 , Φ2 , Φ3, EF DIn32, Φ4}

c1 C = 0 Buf = {}

T/.;.;.

C1//s0t0ca1 ² {(0 ≤ C ≤ 32) , AXΦ1 , DOut16 ∨ EX EF DOut16 , AX Φ2 , EF DIn32 , AX Φ3, AF (IdleS ∧ IdleT ∧ C=0), AX Φ4}

and so on....

A Too for SoC Composition

The currency converter revisited

Item Service

GeoIP Service

(localhost)

Country Service

CountryName

Currency Service CurencyCode

Calculator Service rate

Multiplied Amount

Click for Demo

Auto-FSM via WSDL

Country Service - http://www.webservicex.net/country.as

mx?WSDL

Currency Conv Example

GeoIP Service - http://www.webservicex.net/geoipservice.asmx?WSDL Calculator Service www.html2xml.nl/Services/Calculator/Version1/Calculator.asmx?WSDL Country Service - http://www.webservicex.net/country.asmx?WSDL Currency Service - http://www.webservicex.net/CurrencyConvertor.asmx?WSDL Item Service – localhost:80

Connect

Auto Connect

Connect

Auto+Manual Connect

Connect

Redundant Connections

Connect

Goal specifications o  The price must not be calculated until

destination country is known. o  Conversion should me made from

item’s currency to user’s currency. o  There must exist a path to a state where

the convertered rate can be obtained.

Specifying the Goal

Connect

GOAL: Obtain the converted rate CTL: EF(Label=calc.multiply)

Specifying the Goal

Connect

Constraint 1: The price must not be calculated until destination country is known. CTL: ~(Label=item.price)AU(Label=item.CountryToShip)