Formal Model-Based Development

of Network-on-Chip Systems

Leonidas Tsiopoulos

Åbo Akademi University Department of Information Technologies

Joukahaisenkatu 3-5 A, 20520 Turku, Finland

2010

Supervised by Professor Kaisa Sere Department of Information Technologies Åbo Akademi University Joukahaisenkatu 3-5 A, FI-20520 Turku Finland Reviewed by Professor Jüri Vain Department of Computer Science Tallinn University of Technology Raja 15, 12618 Tallinn Estonia Senior Researcher, Ph.D. Pasi Liljeberg Department of Information Technology University of Turku FI-20014, Turku Finland

Opponent Professor Jüri Vain Department of Computer Science Tallinn University of Technology Raja 15, 12618 Tallinn Estonia ISBN 978-952-12-2438-6 Painosalama Oy – Turku, Finland 2010

i

Abstract Advances in technology allow us to have thousands of computational and storage modules communicating with each other on a single electronic chip. Well defined intercommunication schemes for such Systems–on–Chip are fundamental for handling the increasing complexity. So called bus–based and bus matrix–based communication frameworks for Systems–on–Chip face immense pressure of the increasing size and complexity, unable to offer the scalability required. The Network–on–Chip communication paradigm for Systems–on–Chip has been introduced to answer the given challenges offering very high communication bandwidth and network scalability through its generally regular structure.

The communication between the modules of a System–on–Chip is generally categorised as synchronous or asynchronous, with a recent shift towards Globally Asynchronous Locally Synchronous Systems–on–Chip. In such systems each module can be synchronised to a private local clock but their intercommunication is established asynchronously, relying on request and acknowledgement communication handshakes. This arrangement results in lower power consumption eliminating the need for a global clock distribution network with its undesirably long interconnect wires.

The application domain of Systems–on–Chip spans from home use electronics to large safety critical control and data transfer systems. One of the appropriate approaches for specifying reliable Systems–on–Chip, modelling the on–chip communication, as well as verifying their design is provided by formal methods. These methods are often accompanied by adequate tool support and are important for the development of complex Systems–on–Chip, from initial abstract specifications to implementations, because they help to avoid costly errors in the design and, thus, contribute to the reliability of such systems.

This thesis presents a formal model–based development framework, based on the B Action Systems formalism, to facilitate the use of formal methods for correct-by-construction Systems–on–Chip design. The framework consists of tool assisted methods for specification, instantiation and automatic verification of asynchronous Network–on–Chip routing schemes, automatic model–based testing of implementations of these routing schemes and model–based mapping of applications to Network–on–Chip platforms.

ii

iii

Sammandrag Teknologiska framsteg möjliggör oss att ha tusentals beräknings- och lagringsmoduler som kommunicerar med varandra på en enda elektronisk krets. Väldefinierade interna kommunikationsscheman för sådana Sytems-on-Chip är fundamentala för hanteringen av den ökade komplexiteten. Så kallade bussbaserade och buss-matrisbaserade kommunikationsstrukturer för Systems-on-Chip möter enorm press av den ökande storleken och komplexiteten och är oförmögna att erbjuda den skalbarhet som krävs. Network-on-Chip kommunikationsparadigmen för Systems-on-Chip har introducerats som svar på de givna utmaningarna och erbjuder väldigt hög kommunikationsbandbredd och nätverksskalbarhet genom sin allmänt regelbundna struktur.

Kommunikationen mellan modulerna i ett System-on-Chip är i allmänhet kategoriserat som synkront eller asynkront, med den senaste utvecklingen mot Globalt Asynkrona Lokalt Synkrona Systems-on-Chip. I sådana system kan varje modul vara synkroniserad med en privat lokal klocka men deras interkommunikation etableras asynkront. Denna förlitar sig på förfrågan- och bekräftelsehandskakningar för kommunikation. Detta arrangemang resulterar i lägre strömförbrukning samt eliminerar behovet för ett globalt klock-distributionsnätverk med dess oönskat långa sammankopplande ledningar.

Tillämpningsområdet för Systems-on-Chip sträcker sig från hemelektronik till stora säkerhetskritiska kontroll- och dataöverföringssystem. Ett av de ändamålsenliga tillvägagångssätten att specificera tillförlitliga Systems-on-Chip, modellera kommunikationen i kretsen samt verifiera dess design, erbjuds av formella metoder. Dessa metoder åtföljs ofta av adekvata verktygsstöd och är viktiga för utvecklingen av komplexa Systems-on-Chip, från initiala abstrakta specifikationer till implementationer, eftersom de hjälper till att undvika kostsamma fel i designen och således bidrar till pålitligheten av sådana system.

Denna avhandling presenterar ett formellt modellbaserat utvecklingsramverk, baserat på B Action Systems formalism, för att underlätta användandet av formella metoder för korrekt-genom-konstruktion uppbyggnad av Systems-on-Chip. Ramverket består av redskapsassisterade metoder för specifikation, instansering och automatisk verifiering av asynkrona Network-on-Chip ruttningsscheman, automatisk modellbaserad testning av implementationer av dessa ruttningsscheman och modellbaserad överföring av applikationer till Network-on-Chip plattformer.

iv

v

Acknowledgements It is a pleasure to be able to express my deepest gratitude to those who made this thesis possible. First of all, I would like to thank my supervisor Kaisa Sere for her guidance, support and belief on the importance of this work. I especially wish to thank Marina Waldén for introducing me to the formal methods world, for always having the time for discussions and for the continuous encouragement. I also wish to thank Juha Plosila for his never ending encouragement and for always having the time for discussions during critical periods of my doctoral studies.

I also wish to thank Professor Jüri Vain from Tallinn University of Technology and Ph.D. Pasi Liljeberg from University of Turku for reviewing the manuscript of my thesis and for providing valuable comments and suggestions for improvement. I am especially grateful to Jüri Vain for also agreeing to be my opponent at the public defence of the thesis.

I gratefully acknowledge the financial support that made my Ph.D. thesis possible. The work on the thesis has been funded by the Centre for Reliable Software Technology (CREST) and the Academy of Finland project DIJON (Distributed Jointly Operating Networks). I would also like to thank the administrative staff at the Department of Information Technologies for organising funding matters so that I never had to worry about them.

I wish to express my gratitude towards colleagues, administrative personnel, and technical staff in the Department of Information Technologies for providing technical and administrative support and meaningful discussions during all these years. Especially I would like to thank colleagues from the department for creating an inspiring working environment. In particular, I wish to thank Pontus Boström for always having the time for discussions, especially on details of the B Method. I would like to thank Professors Ralph-Johan Back and Johan Lilius for valuable discussions on invariants and composition. I wish to thank Luigia Petre for the good cooperation during the last years of my studies. I also wish to thank Mats Neovius, Marta Pl ska, Miko aj Olszewski, Qaisar Malik, Dubravka Ilic, Linas Laibinis, Patrick Sibelius, Ion Petre, Ivan Porres, Fredrik Degerlund, Anton Tarasyak, Johannes Eriksson and Torbjörn Lundkvist for the fruitful discussions on formal methods, life and everything in between them during these years. I would then like to thank all my co-authors Kaisa Sere, Marina Waldén, Juha Plosila, Manoranjan Satpathy and Luigia Petre. I have really learnt a lot from working with them.

There is a large number of people outside the academic world, in Greece and in Finland, who I am forever thankful to for their support and encouragement. Thanks to my parents-in-law, Reijo and Eija Tiensuu, as well as to all my relatives and friends, who have supported me and given their love.

My parents, Katerina and Thomas Tsiopoulos – thank you for all your love, support and for letting me choose my own paths in life. Your encouragement to leave and study abroad at a young age opened up new horizons in my life and

vi

offered me the opportunity to finally achieve something special. I owe you more than words can ever describe. My brother, Vagelis Tsiopoulos – you have been a greater support than you might ever think and you have been always in my mind.

Above all, I want to thank my wife Mervi whose endless love and support during all these years gave me the strength to make this work an actual thesis, and my son Tomas for bringing great happiness to my life. Turku, May 2010 Leonidas Tsiopoulos

vii

List of Original Publications

This thesis is based on the following five publications. Paper 1 Leonidas Tsiopoulos, Kaisa Sere and Juha Plosila. Modeling

Communication in Multi–Processor Systems–on–Chip using Modular Connectors. Special issue on Formal Modeling, Development, and Analysis of Communication Intensive Embedded Systems. International Journal of Embedded and Real-Time Communication Systems, April-June 2010, Vol. 1, No. 2, pp. 23–44.

Paper 2 Leonidas Tsiopoulos and Marina Waldén. Formal Development of

NoC Systems in B. Nordic Journal of Computing, Vol. 13, No. 1–2, pp. 127–145, 2006.

Paper 3 Leonidas Tsiopoulos and Manoranjan Satpathy. Model Based

Testing of a Network–on–Chip Component. Electronic Notes in Theoretical Computer Science (ENTCS), Volume 253, Issue 2 (October 2009), Pages: 101–116.

Paper 4 Leonidas Tsiopoulos. Towards Dependable Placement of NoC

Resources. Extended abstract in Proceedings of Nordic workshop and doctoral symposium on Dependability and Security (NODES ’09), Linköping University Electronic Press, ISSN (online): 1650–3740, pp. 1–9, 2009.

Paper 5 Leonidas Tsiopoulos, Luigia Petre and Kaisa Sere. Model–Based

Analysis of Pipelined Applications for Mapping to NoC Platforms. Under review since March 26th, 2010, for the Special Issue on Network-on-Chip Architectures and Design Methodologies. Elsevier Embedded Hardware Design (MICPRO) Journal.

viii

ix

Contents

I Research Summary 1 1 Introduction 3

1.1 Network–on–Chip Systems and Formal Methods . . . . . . . . 3 1.2 Contributions and Overview of the Thesis . . . . . . . . . . . . . . 5

2 Problem Analysis 9

2.1 Problem Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.2 Identifying the Limits for this Thesis Work . . . . . . . . . . . . .10

2.2.1 Formal NoC Architecture Development . . . . . . . . . . . . . . . . 12 2.2.1.1 Formal NoC Architecture Specification . . . . . . . . . . . . . . 12 2.2.1.2 Formal Analysis of NoC Traffic. . . . . . . . . . . . . . . . . . . . . 13

2.2.2 Formal NoC Design Validation . . . . . . . . . . . . . . . . . . . . . . . 14 2.2.3 Formal Application Communication Analysis . . . . . . . . . . . 14

2.3 Goals and Success Criteria . . . . . . . . . . . . . . . . . . . . . . . . . .15 3 Overview of the Papers 17 4 Discussion 21 5 Conclusions 25 II Original Publications 35

x

xi

List of Figures

1 A regular 2D mesh NoC ………………………………………….........4 2 Relationships between the different parts of the proposed formal NoC

system development framework………………………………………7 3 (a) Formal verification at later NoC development phases, (b) formal–

based development of NoCs…………………………………………10 4 General NoC design process…………………………………………..11 5 (a) Initial specification of decomposition–based approach, (b) Initial

specification of component–based approach………………………...13

xii

xiii

List of Abbreviations SoC Systems–on–Chip NoC Network–on–Chip GALS Globally Asynchronous Locally Synchronous MBT Model–Based Testing MBA Model–Based Analysis MBM Model–Based Mapping HDL Hardware Description Languages TLM Transaction Level Modelling MoC Model of Computation KPN Kahn Process Networks EDA Electronic Design Automation

1

Part I

Research Summary

3

Chapter 1

Introduction This thesis presents work on the formal model–based development of Systems–on–Chip (SoC) with Network–on–Chip (NoC) as their intercommunication paradigm. This chapter gives a short introduction of the subject this thesis work is applied to, together with an overview of the thesis. 1.1 Network–on–Chip Systems and Formal Methods Advances in technology allow us to have thousands of computational and storage modules communicating with each other on a single electronic chip. Well defined intercommunication schemes are fundamental for handling the increasing complexity of such systems. Several manufacturers introduced so called bus–based SoC communication frameworks in order to deal with the complexity. A common feature of these frameworks is that there is a bus to which master modules, such as processor cores and DSPs, must connect in order to access slave modules such as memories. In these architectures the bus is a shared communication resource with the masters competing for the access to the slaves, since only one master at a time can be granted access to the bus. Because the bus is a shared resource, it can become overloaded quickly, especially when several master modules are connected to it [37]. Such products are the AMBA 2 AHB bus [2] and IBM’s CoreConnect [30].

In order to overcome the issue of overloading the single bus, bus matrix–based architectures [44] appeared consisting of several parallel buses to offer the bandwidth required for complex SoCs. The main drawback of this approach is that every master is connected to every slave in the system, resulting in a very large number of buses. Approaches for creating a partial bus matrix for a given application have been proposed [47], in order to reduce complexity and power consumption as well as increase efficiency. One such commercial product is the Open Core Protocol [46].

During the same time, the NoC communication paradigm [19, 28] for SoCs has been introduced offering very high communication bandwidth and network

4

scalability through its generally regular structure. A simplified 2D mesh NoC topology is illustrated in Figure 1. The black dots represent the NoC routers and the white squares represent computation modules as well as storage elements connected to their corresponding routers through network interfaces. The interfaces are represented by the grey squares within the white squares. The routers are responsible for the intercommunication of the modules and the storage elements. Recently the idea of stacking several 2D NoC layers on top of each other has been put forward [31] in order to offer the basis for an even more flexible and efficient communication architecture.

Figure 1. A regular 2D mesh NoC. Depending on the requirements and priorities of a given application (high

communication bandwidth, latency, reduced power consumption, etc) a system designer can choose a suitable communication scheme out of the aforementioned ones, or an integration of them.

SoCs are likely to be used in many important applications, from home use electronics to large safety critical control and data transfer systems [34]. One of the appropriate approaches for specifying reliable SoCs, modelling the on–chip communication, as well as verifying their design is provided by formal methods. Such formal methods of concurrent programming are Action Systems [4], Communicating Sequential Processes [29], Lustre [16], Signal [7] and Esterel [8], all of them being applied to the design of SoCs. These methods are often accompanied by adequate tool support and are important for the development of complex SoCs, from initial abstract specifications to implementations, because they help to avoid costly errors in the design and, thus, contribute to the reliability of such systems.

The communication between the modules of a SoC is generally categorised as synchronous or asynchronous, with a recent shift towards Globally Asynchronous Locally Synchronous (GALS) [17] SoCs. Within the synchronous scheme all the modules are synchronised to a global clock in order to achieve

5

their intercommunication. In GALS systems each module can be synchronised to a private local clock but their intercommunication is established asynchronously, relying on the request and acknowledgement communication handshakes and eliminating the need for a global system clock with its undesirably long interconnect wires.

The semi–conductor technology road–map [59] predicts that 20% of designs will utilise asynchronous communication handshakes in 2012, rising to 40% by 2020. Stevens et al. [61] agree on this prediction, while positive results of synchronous chip redesigns utilising asynchronous communication handshakes further justify the above argument [10, 62]. Moreover, Stevens et al. [61] argue, too, that formal verification will move from niche technology to one that is fundamental to the design flow.

This thesis work focuses on the formal model–based development of GALS SoCs. For the rest of this thesis by NoC systems we mean GALS SoCs which incorporate the NoC communication paradigm. 1.2 Contributions and Overview of the Thesis This thesis is organised as a collection of five papers presenting work on formal NoC system development, together with an introductory part providing the context of this work. The organisation of the rest of this introductory part is as follows: In Chapter 2 we present a problem analysis, constructing the setting as well as identifying the limits for this thesis work based on discussion on the current related work on formal methods for NoC system development. Within the same chapter we list the goals and success criteria for our formal framework. Chapter 3 gives an overview of the papers included in this thesis. Chapter 4 discusses the results obtained in accordance to the goals and success criteria listed at the end of Chapter 2. Finally, concluding remarks and future work is presented in Chapter 5.

In the following, we list the main contributions of our formal development framework together with references to the papers where these are described. The model–based development framework presented in this thesis facilitates the use of formal methods for “correct-by-construction” NoC system development by providing tool assisted methods for:

o component–based specification and modelling of modular,

hierarchical and asynchronous NoC communication models, called connectors, distinguishing between push and pull data models. Described in: Paper 1.

o hierarchical instantiation of modular push data communication

models for asynchronous NoC routing schemes focusing on the

6

automatic verification of the models as well as giving a general formal modelling framework within a tool supported environment. Described in: Paper 2.

o automatic Model–Based Testing of implementations of

hierarchical and asynchronous NoC routing schemes. Described in: Paper 3.

o Model–Based Analysis of NoC routing schemes for assisting the

efficient mapping of applications to NoC platforms as well as for facilitating the evaluation of NoC platforms. Described in: Paper 4.

o Model–Based Analysis of pipelined applications for their

mapping to NoC platforms. Described in: Paper 5.

Figure 2 illustrates the relationships between the different parts of our framework. There are three main parts; 1) specification, modelling and instantiation of NoC routing schemes, 2) Model–Based Testing (MBT) of implementable NoC routing schemes and 3) Model–Based Mapping (MBM) of pipelined applications to NoC platforms. For the instantiation of NoC routing schemes, modular models of communication connectors are used. Thereafter, the instantiated routing scheme is the input for MBT of implementable specifications of this routing scheme. The Model–Based Analysis (MBA) of the instantiated routing scheme is one of the two parts of the process to facilitate the MBM of applications to NoC platforms. The second part of the process for MBM of applications to NoC platforms consists of MBA of pipelined applications.

The formal NoC development framework presented in this thesis is based on an extension of the B Method [1], namely B Actions Systems [63, 64]. The B Method is a formal specification language with adequate tool support which has been applied successfully for the development of major safety critical systems in Europe [38]. Action Systems is a state–based formalism [4] based on a guarded command language introduced by Dijkstra [21]. The B Action Systems was created in order to be able to reason about parallel and distributed systems within the B Method. Therefore, the tool support available for the B Method can be used to verify and analyse models in B Action Systems. Moreover, the Action Systems formalism has been already applied to the development of both synchronous [58] and asynchronous [50] SoC designs, hence, the tool assisted B Action Systems formalism constitutes a good basis for the NoC development framework presented in this thesis. Details on the semantics of Action Systems and B Action Systems can be found in the attached papers 1, 2, 3 and 5.

7

Figure 2. Relationships between the different parts of the proposed formal NoC system development framework.

Formal Model–Based Development of NoC Systems

Formal Models for NoC Routing Schemes

Specification & Modelling of Modular NoC Communication Connectors

Instantiation of Automatically Verifiable NoC Routing Schemes

Model-Based Testing of Implementable NoC Routing Schemes

Formal Models Implementations

Model-Based Mapping of Pipelined Applications to NoC Platforms

Model-Based Analysis of NoC Routing Schemes

Model-Based Analysis of Pipelined Applications

9

Chapter 2

Problem Analysis This chapter presents the result of the problem analysis. Sections 2.1 and 2.2 outline the problem to be solved in this thesis, i.e. describing the need our research is supposed to meet. Section 2.3 transforms this overall outline into a set of goals and success criteria that our research should fulfil. 2.1 Problem Specification During the last two decades, there has been applied a vast amount of work on automating the process of electronic system design with rather sophisticated development frameworks and accompanied Hardware Description Languages (HDL) as well as industrial scale tools. Such languages are SystemC [23] and Haste [25]; the first applied to the design of synchronous systems while the latter is dedicated to the design of asynchronous systems. Using such tools a designer can program rather abstract specifications of hardware systems at Transaction Level Modelling (TLM) where hardware implementable communication mechanisms are hidden and modelled at a higher level of abstraction. The programs can then be simply compiled before a series of commands can be applied to automatically synthesize electronic hardware employing simulation for verification and validation purposes.

Allowing specifications to be compiled without being first formally verified has lead to incorrect designs [35]. Such design errors can be exposed with the application of formal verification techniques on the informal specifications. This has lead to an increasing adoption of formal methods to facilitate the verification of informal specifications of electronic systems [60] at the later design phases and before the final physical synthesis to silicon. In the presence of errors, redesigns are required before the intended product can again be formally verified, resulting in major costs and increased “time–to–market”. Moreover, inadequacies have been found from commercial specifications of bus–based communication protocols [56].

10

In order to avoid time consuming system redesigns several works have been presented proposing the use of formal methods for the specification of electronic systems already during the first design phases. Upon verification of correctness of the intended functionality of the system, the HDL description can then be generated in conformance to the formal specification, and, consequently, can be transformed to silicon. The work presented in this thesis falls into this category. Figure 3(a) presents the generally followed approach to integrate formal verification at later design phases to verify informal specifications, while Figure 3(b) illustrates the proposed approach, supported by this thesis work, to start the system development with high level formal specifications. Figure 3(b) is further discussed in Chapter 4.

Figure 3. (a) Formal verification at later NoC development phases, (b) formal–based development of NoCs.

2.2 Identifying the Limits for this Thesis Work The greater scalability offered by NoC architectures compared to the scalability offered by bus–based and bus matrix–based architectures, helps to avoid congestion of the communications between the NoC modules as the total number of these modules on a single chip is continuously increasing. Nonetheless, the design of efficient NoC architectures is not an easy task. In order to create efficient NoC systems several design phases need to be interactivelly performed. Generally, the NoC system design process consists of the phases shown in Figure 4 (taken with permission from [41]).

One of the main design phases involves modelling and optimising in a stepwise manner the target application to be mapped to a NoC platform. A good and structured model for an application helps find a good mapping. Moreover, the communication analysis of the application is very important, being the last

Translator Informal HDL Specifications

Simulations

Formal Verification

Synthesis

Translator

Formal Specifications

Simulations

HDL Specifications

Synthesis

Conformance Checking

(a) (b)

11

step before the output of the analysis forms one of the three inputs to the application mapping phase. The application mapping phase is an iterative step based on further analysis of the mapped application.

Figure 4. General NoC design process.

Another main design phase involves the modelling, analysis and

optimisation of the NoC communication architecture. Based on system requirements one can determine a suitable NoC topology which affects largely the chosen routing algorithms and flow control schemes. In turn, the topology, the routing algorithms and flow control scheme form the second input to the application mapping phase. The third input to this mapping phase is formed by the identified general design goals and constraints.

The last NoC system design phase involves the NoC design validation and synthesis to silicon. It has arguably been the most expensive and time consuming NoC design phase. As it was argued in the previous section, there has been a trend to spread NoC testing and verification to the other two main NoC design phases to address various issues early on and reduce redesign costs.

The discussed NoC design phases correspond generally to the literature on NoC design. Clearly, it is out of scope for this thesis to cover all of these design phases with their sub–processes and their interactions in a formal development manner with adequate tool support for specification, verification and analysis. The purpose of this section is to define the limits for this thesis work by discussing the research on formal methods applied to the different phases of the NoC design process shown in Figure 4. Special emphasis is given to identify

Communication Paradigm Application M

odelling & Optim

ization

Design goals &

constraints

Code P

artitioning

Communication Infrastructure

NoC Architecture Analysis and Optimization

Application Communication Analysis

Mapping / Scheduling

Analysis & Optimization

NoC Design Validation and Synthesis

NoC Testing

NoC Verification

Component Instantiation

Communication Component Library

Sim

ulation | Prototyping

Physical Synthesis & Tape-out

12

frameworks addressing a combination of different design phases with adequate tool support as well as focusing on asynchronous systems.

2.2.1 Formal NoC Architecture Development In this section we identify two main subsections: 1) the formal specification of the NoC architecture and 2) the formal analysis of the NoC traffic at a high abstraction level. These subsections correspond mainly to the blocks named Communication Infrastructure and Communication Paradigm in Figure 4. 2.2.1.1 Formal NoC Architecture Specification Several synchronous formalisms exist for the formal specification of NoC systems. Signal [7], Lustre [16] and Esterel [8] are such formalisms. These approaches rely on the synchronous hypothesis in which a discrete sequence of events with deterministic concurrency characterises the behaviours of a system. These formalisms have adequate tool support for verification as well as established integration with mainstream HDLs. These facts have been the basis for further extension of these formalisms to capture asynchronous behaviour required in GALS NoC systems. Signal has been applied to modelling globally asynchronous designs in synchronous networks [43] while Esterel has been extended to model multiple clock domains [9]. Furthermore, Halbwachs and Baghdadi [24] introduced several extensions in order to avoid the limitations of the perfect synchrony hypothesis, in which outputs are produced synchronously with the inputs, as well as to find means to model sporadic activation and non-determinism, main characteristics in GALS systems. These extensions add significant overhead to the specifications. Moreover, the rigorous system development through correctness preserving refinement steps is supported only in Signal. Refinement is a built-in feature of Action Systems, too, through the rigorous Refinement Calculus paradigm [5]. In addition, Action Systems have been adequate to model both synchronous and asynchronous systems, hence, this formalism offers a good basis for current and future GALS system development.

In general, Action Systems have been applied to model on–chip communication architectures, and more recently NoC systems, in a top–down approach applying refinement techniques to decompose an abstract system into a more detailed group of systems. For example, Plosila et al. [51] decomposed a network of NoC switches after several refinement steps on the interfaces of computation and storage units of a possible NoC system.

For the work in this thesis we follow a component–based specification approach in which we build larger systems out of simple abstract subsystems. A separation of concerns is, thus, allowed between the specification of the computation and storage units on a NoC system and the specification of the actual network being responsible for the data propagation between these units. The separation of concerns between computation and communication network

13

aids system adaptability, reusability and modularity which are important artefacts in NoC system design. These artefacts help to efficiently tackle changes of system requirements which result to restructuring of specifications, as well as they provide means for creation of alternative NoC system architectures. Moreover, because of the aforementioned separation of concerns, there is possibility for different kinds of formal analysis at an early development stage, i.e., analysis of NoC traffic and analysis of pipelined applications to be mapped to NoC platforms. Figure 5 illustrates the mentioned difference between the two specification styles. We note that stepwise refinement can be applied to both specification styles.

Figure 5. (a) Initial specification of decomposition–based approach, (b) Initial specification of component–based approach.

Several other related works on NoC architecture specification can be found in the attached papers 1 and 2. 2.2.1.2 Formal Analysis of NoC Traffic The work related to this section corresponds to the same blocks in Figure 4 as the work related to the previous section, as well as to the block named Analysis and Optimisation in the same figure, assuming an application is mapped to a NoC platform and further analysis can be performed.

As it was stressed in the previous sections there is a need for application of formal methods to the indentified three main NoC design phases illustrated in Figure 4. The formal models should, thus, allow simulations and performance analysis before system realisations. As an example, Jantsch presented a Model of Computation (MoC) for the Nostrum mesh NoC for performance evaluation [32] at an abstract level, though it remained unclear which tool was used to run the simulations.

Generally, Petri Nets [20] have been used to model and simulate traffic in NoC systems. Pelz and Tusch [48] presented formal models for multicast traffic in NoC architectures. They formalised multistage interconnection networks with semantics inspired by the high–level version of the Petri box algebra which allows one to represent concurrent communication systems in a compositional way. A prototype toolkit is being developed to allow the evaluation of various measures in question for NoC traffic. Blume et al. [11] modelled NoC

(a) (b)

14

architectures by means of deterministic and stochastic Petri Nets. Tools for informal frameworks were used to simulate various traffic scenarios.

As far as we know, there have not been presented methods based on the available formalisms with adequate tool support to specify asynchronous NoC systems at a high level of abstraction, verify their design as well as offer the possibility for NoC traffic analysis and simulation within the same formal development environment in order to avoid time consuming simulations at later and informal design steps. 2.2.2 Formal NoC Design Validation This section includes works on formal methods for NoC testing and NoC verification techniques before the final synthesis of the system. These two subjects correspond to the blocks named NoC Testing and NoC Verification in Figure 4. As mentioned previously, such important design steps need to be elaborated already at earlier design phases than the one shown in Figure 4 in order to avoid costly redesigns. Most of the work presented on these two very important design steps tackles verification of informal descriptions by translating them to formal specifications, as it was mentioned in section 2.1. Several results on this subject can be found in the literature [13, 14, 15, 22, 26, 27, 33, 36, 49, 57].

Borrione’s GeNoC framework [12] is a formal metamodel for reasoning about network specifications and provides generic formal proofs and obligations for specific implemented systems such as the Spidergon NoC from STMicroelectronics [18]. Because it is a metamodel, detailed behaviour cannot be specified. Reasoning is based on properties in order to prove safety correctness statements about an overall network architecture. This work steps out of the usual formal verification scene for NoC systems and approaches the generally identified need to employ verification at early stages of the NoC design process. 2.2.3 Formal Application Communication Analysis This section relates to the block named Application Communication Analysis in Figure 4. As it is argued in section 2.1, it is a very important design phase. Several works on application mapping to NoC platforms can be found in the attached papers 4 and 5. These works are mainly based on either graph theory to characterize and analyse the interactions between the units of an application, or on algorithmic solutions. Simulation with tools of informal frameworks is then applied to evaluate the proposed mappings.

Additional works on efficient application mapping can be found in the NoC literature. For example, Nejad et al. [45] proposed an approach to map applications modelled as Kahn Process Networks (KPN) to NoC platforms. The

15

KPN is one of the most popular MoC for streaming applications. KPN models are created from informal C programs and consequently they are translated to SystemC models for consequent simulation and evaluation.

A vast amount of work has been performed for the formal modelling and optimisation (through stepwise refinement) of applications (see for example [52]). Although, to the best of our knowledge, there has not been presented an approach to formally analyse and evaluate the communications between subsystems of an application with tool support, within the same formal development environment tackling the aforementioned NoC design steps in the previous sub–sections.

2.3 Goals and Success Criteria The overall goal of this thesis is to contribute to the discussion on how formal methods can be used for the “correct–by–construction” development of complex NoC systems. Based on the above analysis we conclude that there is a need for a framework operating at a higher level of abstraction that may be used by users of formal methods in complex NoC system development. Users of state of the art informal methods and Electronic Design Automation (EDA) tools for NoC design should be able to use the framework, too, in order to avoid costly redesigns because of errors at the later design phases, as well as to avoid time consuming lower level simulations. This conclusion is justified, too, by the general argument of Martin and Baily [40], stating that most of the tools and languages being used for verification were intended to be used for low level implementation verification and have not received the necessary extensions and modification to support higher levels of abstraction. The framework illustrated in this thesis is constructed by presenting work on the three sub-parts of the formal model–based NoC development process discussed in section 1.2, namely, specification, modelling and instantiation of NoC routing schemes, MBT of implementable NoC routing schemes and MBM of applications to NoC platforms.

In particular, users of formal methods in electronic system design as well as users of EDA tools who are interested in exploiting and using formal methods in their design process need:

Formal specification language with adequate tool support for creating

“correct–by–construction” models.

Methodological guidelines for creating as well as implementing specifications of modular formal models.

Formal analysis methods for evaluating and simulating formal models with an accompanied tool at higher level of abstraction avoiding time consuming lower level simulations.

16

Specifically, in addition to the above, the users of NoC system design tools need:

Automatic transformation of the specifications of formal models to TLM descriptions of HDLs.

Automatic testing of the TLM descriptions of HDLs against their corresponding formal models.

In the absence of automatic transformation of formal models to TLM descriptions, the designer should at least be assisted with:

Templates to create the implementations in a form closely related to the form of the formal models.

In order to verify that the framework presented in this thesis provides the needed foundation, based on the above analysis we also formulate a set of success criteria for such a foundation.

The formal framework should

o be adequate to handle specifications of complex behaviours.

o be compositional, i.e.

the meaning of a component should be completely determined by the specification of its sub-components and their distribution, the composition operators used and the additional logic in the component.

o offer the possibility for correctness preserving stepwise refinement.

o be conservative, i.e. based on existing theory and existing capabilities of its available tools.

o be useful without thorough knowledge of the formal language.

o be easily integrated to state of the art informal frameworks. A discussion on the results obtained for this thesis work in accordance to the goals and success criteria listed above is given in Chapter 4.

17

Chapter 3

Overview of the Papers The main results of this thesis work are documented in the five papers found in part II. In this chapter we list the publication details of each paper, together with a description of its main research contributions. The contribution of the author of this thesis for each paper is specified, too. Paper 1: Leonidas Tsiopoulos, Kaisa Sere and Juha Plosila. Modeling Communication in Multi–Processor Systems–on–Chip using Modular Connectors. Special issue on Formal Modeling, Development, and Analysis of Communication Intensive Embedded Systems. International Journal of Embedded and Real-Time Communication Systems, April-June 2010, Vol. 1, No. 2, pp. 23–44. This paper presents a new compositional approach for the formal specification of asynchronous, hierarchical and modular communication infrastructures, called connectors, within the Action Systems formalism to assist the development of complex Multi–Processor Systems–on–Chip (to be distributed on a NoC platform). These connectors are composed out of distributed abstract channel components. Moreover, for the reasons mentioned in section 2.2.1.1, a clear separation of concerns between the actual network responsible for the actual communication and the interconnected units is present already from the initial specification steps. Another separation of concerns exists for the specification of dedicated push type connectors used for propagating data from processors to other processors and to memory units, and for the specification of dedicated pull type connectors used for requesting data. Author’s contribution: The main author, responsible for approximately 40% of the work (capturing main ideas and constructing the models). Paper 2: Leonidas Tsiopoulos and Marina Waldén. Formal Development of NoC Systems in B. Nordic Journal of Computing, Vol. 13, No. 1–2, pp. 127–145, 2006.

18

This paper presents a general formal specification framework for NoC architectures with the mechanised tool support available for the B Method. It is the first approach to specify NoC systems within the B Method. It extends the main idea of paper 1 (an earlier version of it) by transforming one of the push connectors modelled with Action Systems into a B Action Systems model and develops as a case study a 2D mesh NoC routing scheme considering general requirements for efficient NoC routing. A special emphasis is given to the efficient use of structuring mechanisms for the construction of the hierarchical model in order to achieve 100% automatic verification. Author’s contribution: The main author and initiator of the idea to create the NoC routing model as a B Action System in order to have tool support. I was responsible for approximately 60% of the work. Paper 3: Leonidas Tsiopoulos and Manoranjan Satpathy. Model Based Testing of a Network–on–Chip Component. Electronic Notes in Theoretical Computer Science (ENTCS), Volume 253, Issue 2 (October 2009), Pages: 101–116. This paper uses the case study of paper 2 and discusses the problem of model–based test case generation within the B Method and its associated model checking and animating tool ProB [39], and that of automatic testing of a possible implementable TLM specification of an asynchronous NoC routing scheme. The important contribution of this work is that we first considered hierarchical models for test case generation and automatic testing with the tools available for the B Method, whereas previous approaches considered only flat B models. Also, we highlight the issue due to non–determinism in asynchronous and hierarchical models, as well as, we argue that our approach can be applied to testing implementable TLM models in more than one specific HDL. Author’s contribution: One of the two main authors and the initiator for the work in this paper. Paper 4: Leonidas Tsiopoulos. Towards Dependable Placement of NoC Resources. Extended abstract in Proceedings of Nordic workshop and doctoral symposium on Dependability and Security (NODES ’09), Linköping University Electronic Press, ISSN (online): 1650–3740, pp. 1–9, 2009. This paper uses a renamed version (to better characterize router coordinates) of the formal model of papers 1 and 2 and presents how the tool ProB can execute the model and generate various NoC traffic scenarios in order to facilitate the process of identifying an efficient application mapping to a NoC platform. This is the first approach within ProB, and the B Method in general, to generate NoC traffic scenarios for NoC platform evaluation already at the formal specification level and avoid simulations with tools in informal frameworks.

19

Author’s contribution: The sole author. Paper 5: Leonidas Tsiopoulos, Luigia Petre and Kaisa Sere. Model–Based Analysis of Pipelined Applications for Mapping to NoC Platforms. Under review since March 26th, 2010, for the Special Issue on Network-on-Chip Architectures and Design Methodologies. Elsevier Embedded Hardware Design (MICPRO) Journal. This paper presents a novel method employing executable formal specifications to assist the efficient mapping of pipelined applications to a NoC platform. A model of a pipelined asynchronous processor, with its subsystems specified with the B Action Systems formalism, serves as the case study. Communication analysis between the subsystems of the application is performed through animation with the tool ProB. Based on the results of the animation, as well as on further transformation of these results, a mapping of the application’s subsystems to a 2D mesh NoC platform is proposed. Author’s contribution: The main author, responsible for approximately 40% of the work (captured the idea of the proposed analysis and worked solely with the ProB tool).

21

Chapter 4

Discussion In this chapter we discuss the achieved results with respect to the goals and success criteria listed in section 2.3.

As documented in Chapter 2, we investigated existing methods and frameworks in order to evaluate to what extend these fulfilled our requirements for the formal framework. The main conclusion was that these methods and frameworks were either, not sufficient, or, they did not offer a combination of solutions to tackle several different NoC design phases, or, they had a different point of view relating to the approach illustrated by Figure 3(a) in section 2.1. New research was needed in order to create the required framework for model–based development of asynchronous NoC systems.

The innovation part of this thesis work has been to create the formal model–based development framework with well defined methods, consisting of specification, verification, testing and analysis methods as a response to the identified need for a framework with its own adequate tool support operating at all levels of the formal development process. A detailed description of the framework is given in the attached papers 1–5.

A framework which influenced our approach is Reo [3]. It is a recently introduced channel–based coordination model, where complex coordinators, called connectors, are compositionally built out of simpler ones. The connectors coordinate components and both the connectors and the components are distributed and mobile. However, they only rely on the functionality of the subsystems and their topological interconnection, while our framework allows us to add and verify additional functionality in the composed system for controlling the subsystems. This functionality can, for example, handle the prioritization of the subsystems. Recently Reo was used in conjunction with SystemC to model SoCs [55]. SystemC models specify the components to be interconnected and Reo models capture the connectors to be used for the interconnection. Both Reo and SystemC models are translated manually to constraint automata in order to be able to verify them. This method relates to Figure 3(a), too, as well as it further justifies our choice to incorporate a Reo

22

style of modelling from the initial formal development steps with adequate and automated verification facilities.

McEwan and Schneider [42] presented modelling and analysis of the AMBA synchronous bus architecture using ProB as the main tool. They stated that ProB is effective in supporting the construction of the formal model at the point it is being developed. We agree. Moreover, this work justifies further our choice to use ProB as the main tool to assist most of the methods this thesis presents. We envisage that in the future ProB, or specialised versions of it, will incrementally be consulted to assist the formal development and verification of NoC systems within various research groups.

For the evaluation of our framework we refer to the goals and success criteria identified in section 2.3. The goals are, in the most part, achieved. Fully automatic transformation (translation) of the formal models to TLM descriptions of HDLs is not offered. Instead, generation of templates to create the TLM descriptions in accordance to the corresponding formal model is offered. The semantics of a formal specification language in many cases differs from the semantics of a corresponding description in some HDL. This was noticed, for example, by Salaün et al. [57] where they presented fully automatic translation of HDL specifications, written as Communicating Hardware Processes, to the formal specification language LOTOS to have model checking facilities by using the toolkit CADP (Construction and Analysis of Distributed Processes). They noticed the semantics difference (on probes) and they tackled this issue with additional functionality in the translator. They argue that after several translations there have not been inconsistencies. We believe that a better way to address such issues, is to automatically model–based test the inputs and outputs of each operation of the TLM model against the inputs and outputs of the operations of the formal specification. Details on this can be found in paper 3.

With respect to the success criteria, our framework establishes most of them. Complex behaviours can be handled by (1) the modular, hierarchical and compositional approach for our models, (2) the adequate and well formed semantics of Action Systems, (3) the well defined methods, and (4) the adequate tool support. Moreover, stepwise refinement is an important tool to add details to a model preserving correctness. It is a built–in feature of both Action Systems and the B Method, thus, it can be easily applied in our framework. We note that refinement was not handled for the work in this thesis. It is exhaustively elaborated on several other research papers and thesis works [50–53, 58], and will be one of the main features of future versions of our framework.

Well defined methods and adequate tool support are the basis for any feasible integration of a formal framework with a state–of–the–art informal one. These foundations are present in our framework. Further work is needed in order to connect our framework to well established HDLs focusing on asynchronous system design such as Haste [25]. This requires mainly work on the adequate translation between the formal and HDL descriptions. The same testing

23

techniques, as presented in paper 3, can already be applied to check conformance between the two descriptions (refer to Figure 3(b)).

25

Chapter 5

Conclusions In this concluding chapter, we will summarize the main contributions and present some directions for future work.

The main contribution of this thesis is the presentation of new methods to facilitate the use of formal methods in the design of “correct-by-construction” NoC systems. Initially, as documented in sections 2.1 and 2.2, we investigated the current situation in the formal development of NoC systems and identified the need for a new artefact --- a formal design framework using an extension of the B Method, B Action Systems, with its adequate tool support for assisting the “correct-by-construction” model–based development of NoCs. As it would be too much to cover within the scope of one thesis all the design issues of NoCs, we identified three main categories for formal development of NoC systems as the artefacts to be created by this thesis work. These methods assist:

the formal modelling of modular communication infrastructures for

heterogeneous NoC systems,

the modelling with automatic verification of hierarchical NoC routing schemes,

the MBT of possible hierarchical TLM implementations of the formal models,

the simulation of NoC traffic at the formal specification level to facilitate the efficient mapping of applications to NoC platforms as well as assist the evaluation of NoC platforms,

the analysis of pipelined applications at the formal specification level for assisting the process of their final mapping to NoC platforms.

For the instantiation of NoC routing schemes, modular models of

communication infrastructures are used. Thereafter, the instantiated routing scheme is the input for MBT of implementable specifications of this routing scheme. The MBA through simulation of the traffic of the instantiated routing

26

scheme is one of the two parts of the process to facilitate the MBM of applications to NoC platforms. The second part of the process for MBM of applications to NoC platforms consists of MBA of an application. A detailed description of the framework is given in the attached papers 1 – 5. Specific conclusions for each method as well as directions of future research are drawn in the corresponding papers.

Based on the discussion in Chapter 4 we gain an overall perspective on future work divided into several directions. Stepwise refinement is a fundamental tool to add details to a model preserving correctness. It is a built–in feature of both Action Systems and the B Method, thus, it will be a main feature of our framework. Additional work is needed in order to integrate our formal framework with state–of–the–art HDLs. This requires mainly work on the adequate translation between the formal and HDL descriptions. The same testing techniques, as presented in paper 3, can be applied to check conformance between formal and HDL specifications, taking into account the testing facilities of each HDL. Furthermore, automated support for testing the generated application mapping (floorplan) in a HDL against the proposed mapping of our analysis method, presented in paper 5, will be of high interest.

27

Bibliography [1] Jean–Raymond Abrial. The B–Book: Assigning Programs to Meanings.

Cambridge University Press, 1996. [2] AMBA (2005). Retrieved from: http://www.arm.com/products/solutions/amba2overview.html [3] Farhad Arbab and Farhad Mavaddat. Coordination through channel

composition. In Proceedings of Coordination Languages and Models, vol. 2315 of Lecture Notes in Computer Science, pp. 22–39, Springer, 2002.

[4] Ralf–Johan Back and Reino Kurki–Suonio. Decentralization of Process

Nets with Centralized Control. In Proceedings of the 2nd ACM SIGAST-SIGOPS Symposium on Principles of Distributed Computing, p. 131–142, 1983.

[5] Ralf–Johan Back and Joakim von Wright. Refinement Calculus: A

Systematic Introduction. Springer–Verlag, 1998. [6] Felice Balarin and Roberto Passerone. Functional Verification Methodology

Based on Formal Interface Specification and Transactor Generation. In Proceedings of Design, Automation & Test in Europe (DATE06), 2006.

[7] Albert Benveniste and Paul Le Guernic. Hybrid Dynamical Systems Theory

and the Signal Language. IEEE Transactions on Automatic Control, 35(5):535–546, 1990.

[8] Gérard Berry and Laurent Cosserat. The Esterel Synchronous Programming

Language and its Mathematical Semantics. In Seminar of Concurrency, Lecture Notes in Computer Science, vol. 197, Pages: 389–448, 1985.

[9] Gérard Berry and Ellen Sentovich. Multiclock Esterel. In Correct

Hardware Design and Verification Methods, Lecture Notes in Computer Science, vol. 2144, Pages: 110–125, 2001.

28

[10] Arjan Bink and Richard York. ARM996HS: The First Licensable, Clockless 32-Bit Processor Core. IEEE Micro, vol. 27, no. 2, pp. 58–68, Mar./Apr. 2007.

[11] H. Blume, T. von Sydow, D. Becker and T. G. Noll. Modeling NoC

Architectures by Means of Deterministic and Stochastic Petri Nets. Lecture Notes in Computer Science, vol. 3553, pp. 374–383, 2005.

[12] Dominique Borrione, Amr Helmy, Laurence Pierre and Julien Schmaltz. A

Formal Approach to the Verification of Networks on Chip. EURASIP Journal on Embedded Systems, Vol. 2009, Article No.: 2, 2009.

[13] Tayeb Bouhadiba, Florence Maraninchi and Giovanni Funchal. Formal

and Executable Contracts for Transactional-Level Modeling in SystemC. In Proceedings of the seventh ACM international conference on Embedded software EMSOFT’09, Pages: 97–106, 2009.

[14] Francesco Bruschi, Fabrizio Ferrandi and Donatella Sciuto. A Framework

for the Functional Verification of SystemC Models. International Journal of Parallel Computing, Vol. 33, No. 6, Pages: 667–695, December 2005.

[15] Thibaut Bultiaux, Stephane Guenot, Serge Hustin, Alexandre Blampey,

Joseph Bulone and Matthieu Moy. FUNCTIONAL VERIFICATION From the TLM Perspective. Book chapter, F. Ghenassia (ed.), Transaction Level Modeling with SystemC, pp. 153–206, Springer, 2005.

[16] Paul Caspi, Nicolas Halbwachs, Daniel Pilaud and Johan Plaice. Lustre: A

declarative language for programming synchronous systems. In Proceedings of the 14th Symposium on Principles of Programming Languages (POPL ’87), pages: 178–188, 1987.

[17] Daniel Marcos Chapiro. Globally–asynchronous locally–synchronous

systems. Ph.D. thesis, Stanford University, October 1984. [18] Marcello Coppola, Riccardo Locatelli, Giuseppe Maruccia, Lorem

Pieralisi and Alberto Scandurra. Spidergon: a novel on–chip communication network. In Proceedings of the International Symposium on System–on–Chip, pp. 1–15, 2004.

[19] William J. Dally and Brian Towles. Route packets, not wires: On–chip

interconnection networks. In Proceedings of the Design Automation Conference (DAC.01), pp. 681–689, 2001.

29

[20] Jörg Desel and Gabriel Juhás. "What is a Petri Net? Informal Answers for the Informed Reader", Hartmut Ehrig et al. (Eds.): Unifying Petri Nets, Lecture Notes in Computer Science, vol. 2128, pp. 1–25, 2001.

[21] Edsger W. Dijkstra. A Discipline of Programming. Prentice Hall Series in

Automatic Computation, Prentice Hall, 1976. [22] Hubert Garavel, Claude Helmstetter, Olivier Ponsini and Wendelin Serwe.

Verification of an Industrial SystemC/TLM Model Using LOTOS and CADP. In Proceedings of 7th ACM-IEEE International Conference on Formal Methods and Models for Codesign, 2009.

[23] Thorsten Grötker, Stan Liao, Grant Martin, Stuart Swan. System Design

with SystemC. Springer, 2002. [24] Nicolas Halbwachs and Siwar Baghdadi. Synchronous Modelling of

Asynchronous Systems. Lecture Notes in Computer Science, vol. 2491, pp. 240–251, 2002.

[25] Handshake Solutions. http://www.handshakesolutions.com/ [26] C. Helmstetter, F. Maraninchi and L. Maillet–Contoz. Full simulation

coverage for SystemC transaction-level models of systems-on-a-chip. In Formal Methods in System Design, vol. 35, Issue 2, pp. 152–189, 2009.

[27] Claude Helmstetter and Olivier Ponsini. A Comparison of Two

SystemC/TLM Semantics for Formal Verification. In Proc. of 6th ACM IEEE Conference on Formal Methods and Models for Co–Design (MEMOCODE 2008), 2008.

[28] A. Hemani, A. Jantch, S. Kumar, A. Postula, J. Öberg, M. Millberg, and

D. Lindqvist. Network on a Chip: An architecture for billion transistor era. In Proceedings of the IEEE NorChip Conference, 2000.

[29] C. A. R. Hoare. Communicating Sequential Processes. Prentice–Hall.

1985. [30] IBM. The CoreConnect Bus Architecture. http://www.chips.ibm.com/product/coreconnect/docs/crcon_wp.pdf [31] IBM Moves Moore’s Law into the Third-Dimension: http://www-03.ibm.com/press/us/en/pressrelease/21350.wss.

30

[32] Axel Jantsch. Models of Computation for Networks on Chip. In Proceedings of the Sixth International Conference on Application of Concurrency to System Design (ACSD’06), Pages: 165–178, 2006.

[33] Mohammad Reza Kakoee, M. H. Neishaburi and Siamak Mohammadi.

Graph based test case generation for TLM functional verification. Journal of Microprocessors and Microsystems, vol. 32, pp. 288–295, 2008.

[34] Iyad Al Khatib, Divide Bertozzi, Francesco Poletti, Luca Benini, Axel

Jantsch, Mohamed Bechara, Hasan Khalifeh, Mazen Hajjar, Rustam Nabiev, and Sven Jonsson. MPSoC ECG biochip: a multiprocessor system-on-chip for real-time human heart monitoring and analysis. In Proceedings of the Conference on Computing Frontiers, pp. 21–28, 2006.

[35] Kazuyoshi Kohno and Nobu Matsumoto. A new verification methodology

for complex pipeline behavior. In Proceedings of the 38th annual Design Automation Conference, pp. 816–821, 2001.

[36] Sudipta Kundu, Malay Ganai and Rajesh Gupta. Partial Order Reduction

for Scalable Testing of SystemC TLM Designs. In Proceedings of the 45th annual Design Automation Conference, Pages: 936–941, 2008.

[37] Kanishka Lahiri, Sujit Dey and Anand Raghunathan. Evaluation of the

traffic–performance characteristics of system–on–chip communication architectures. In Proceedings of 14th International Conference on VLSI Design, pp. 29–35, 2001.

[38] Thierry Lecomte. Safe and Reliable Metro Platform Screen Doors

Control/Command Systems. FM 2008: Formal Methods. Lecture Notes in Computer Science, vol. 5014/2008, pages: 430–434, Springer, 2008.

[39] Michael Leuschel, Michael Butler. ProB: A Model Checker for B. In

Proceedings of Formal Methods Europe (FME’03), Lecture Notes in Computer Science, vol. 2805, pp. 855–874, Springer, 2003.

[40] Grant Martin and Brian Baily. ESL Models and their Application:

Electronic System Level Design and Verification in Practice. Springer, 2010.

[41] Radu Marculescu, Umit Y. Ogras, Li-Shiuan Peh, Natalie Enright Jerger,

and Yatin Hoskote. Outstanding Research Problems in NoC Design: System, Microarchitecture, and Circuit Perspectives. Keynote Paper, IEEE Transactions on Computer–Aided Design of Integrated Circuits and Systems, Vol. 28, No. 1, January 2009.

31

[42] Alistair A. McEwan and Steve Schneider. Modelling and analysis of the

AMBA bus using CSP and B. Journal of Concurrency and Computation: Practice and Experience, 2009.

[43] Mohammad Reza Mousavi, Paul Le Guernic, Jean-Pierre Talpin, Sandeep

Kumar Shukla, and Twan Basten. Modelling and Validating Globally Asynchronous Design in Synchronous Frameworks. In Proceedings of the Conference on Design Automation and Test in Europe (DATE’04), IEEE Computer Society Press, Pages: 384–389, 2004.

[44] M. Nakajima et al. A 400MHz 32b embedded microprocessor core AM34–

1 with 4.0GB/s cross-bar switch for SoC. In Proceedings of International Solid State Circuits Conference, 2002.

[45] Askan Beyranvand Nejad, Kees Goosens, Johan Walters, and Bart

Kienhuis. Mapping KPN Models of Streaming Applications on a Network-on-Chip Platform. In Proceedings of 20th Annual Workshop on Circuits, Systems and Signal Processing, 2009.

[46] Open Core Protocol Specification. http://www.ocpip.org/socket/complete [47] Sudeep Pasricha, Mohamed Ben–Romdhane, and Nikil D. Dutt, BMSYN:

Bus matrix communication architecture synthesis for MPSoC. IEEE Transactions on Computer–Aided Design of Integrated Circuits and Systems, 26 (8), pp. 1454–1464, 2007.

[48] Elisabeth Pelz and Dietmar Tusch. Formal Models for Multicast Traffic in

Network on Chip Architectures with Compositional High-Level Petri Nets. In Proceedings of 28th International Conference on Applications and Theory of Petri Nets and Other Models of Concurrency (ICATPN 2007), Lecture Notes in Computer Science, vol. 4546, pp. 381–401, 2007.

[49] Laurence Pierre and Luca Ferro. A Tractable and Fast Method for

Monitoring SystemC TLM Specifications. IEEE Transactions on Computers, vol. 57, No. 10, October 2008.

[50] Juha Plosila. Self–timed Circuit Design – The Action Systems Approach.

Ph.D. Thesis, University of Turku, 1999. [51] Juha Plosila, Pasi Liljeberg and Jouni Isoaho. Modelling and Refinement

of an On-Chip Communication Architecture. In Proceedings of International Conference on Formal Engineering Methods (ICFEM 2005), Lecture Notes in Computer Science, vol. 3785, pp. 219–234, 2005.

32

[52] Juha Plosila and Tiberiu Seceleanu. An Asynchronous Linear Predictive

Analyzer. Turku Centre for Computer Science Technical Report No. 142, 1997.

[53] Juha Plosila and Kaisa Sere. Action Systems in Pipelined Processor

Design. In Proceedings of the 3rd International Symposium on Advanced Research in Asynchronous Circuits and Systems (ASYNC ’97), 1997.

[54] Basant Rajan and R. K. Shyamansundar. Multiclock Esterel: A reactive

Framework for Asynchronous Design. In Proceedings of the 14th IEEE International Parallel and Distributed Processing Symposium (IPDPS’00), Pages: 201–210, 2000.

[55] N. Razavi and M. Sirjani. Using Reo for Formal Specification and

Verification of System Designs. In Proceedings of 4th IEEE/ACM International Conference on Formal Methods and Models for Co–Design, pp. 113—122, 2006.

[56] Abhik Roychoudhury, Tulika Mitra and S. R. Karri. Using Formal

Techniques to Debug the AMBA System–on–Chip Bus Protocol. In Proceedings of the Conference on Design, Automation and Test in Europe, vol. 1, pp. 10828–10834, 2003.

[57] Gwen Salaün, Wendelin Serwe, Yvain Thonnart and Pascal Vivet. Formal

Verification of CHP Specifications with CADP – Illustration on an Asynchronous Network-on-Chip. In Proceedings of the 13th IEEE International Symposium on Asynchronous Circuits and Systems, pp. 73–82, 2007.

[58] Tiberiu Seceleanu. Systematic Design of Synchronous Digital Circuits.

Ph.D. Thesis, Åbo Akademi University, 2001. [59] Semiconductor Industry Association. The International Technology

Roadmap for Semiconductors 2005 edition. http://www.itrs.net/links/2005itrs/design2005.pdf , 2005.

[60] Alper Sen, Vijay K. Garg and Jacob A. Abraham, Jayanta Bhadra. Formal

Verification of a System–on–Chip Using Computation Slicing. In Proceedings of International Test Conference 2004 (ITC ’04), pp. 810–819, 2004.

[61] Kenneth S. Stevens, Daniel Gebhardt, Junbok You, Yang Xu, Vikas Vij,

Shomit Das and Krishnaji Desai. The Future of Formal Methods and

33

GALS Design. Electronic Notes in Theoretical Computer Science, vol. 245, pp. 115–134, 2009.

[62] Kenneth S. Stevens, Shai Rotem, Ran Ginosar, Peter Beerel, Chris J.

Myers, Kenneth Y. Yun, Rakefet Kol, Charles Dike and Marly Ronchen. An Asynchronous Instruction Length Decoder. IEEE Journal of Solid State Circuits, Vol. 36, pp. 56–66, 2001.

[63] Marina Waldén. Distributed Load Balancing. Chapter 7 In Program

Development by Refinement – Case Studies Using the B Method, E. Sekerinski, and K. Sere, Editors. Springer-Verlag, 255–300, 1998.

[64] Marina Waldén and Kaisa Sere. Reasoning about Action Systems Using

the B Method. Formal Methods in System Design, vol. 13, issue 1, pp. 5–35, 1998.

35

Part II

Original Publications