200 likes | 359 Vues
ABV in the space context: verification of correctness requirements. V.Lefftz (Astrium), L.Pierre (TIMA). Overview. Correctness properties for the Astrium case study - consideration in the SystemC platforms models TTP platform (Approximated Timed platform)
E N D
ABV in the space context: verification of correctness requirements V.Lefftz (Astrium), L.Pierre (TIMA)
Overview • Correctness properties for the Astrium case study - consideration in the SystemC platforms models • TTP platform (Approximated Timed platform) • Dual core platform (Architecture Exploration platform) • PSL formalization of the properties - generation of the associated ISIS monitors • Astrium Return of Experimentation Workshop - November 2011
TTP platform: Block diagram AMBA AHB based architecture with a processor and a HW convolution block. HW block is configured by the processor.Processing is interleaved and results are written either to a work memory or the “AHB” memory (its access can cause a split) Work Memory AHB Memory Leon (cpu) IRQ Memory ctrl AHB bus Conv block AHB Arbiter 3
TTP platform LEON PV LEON T Mem T Mem PV PV Router AHB Bus AHB Mem T AHB Mem PV Conv PV Conv T TLM PV TTP Target port Initiator port TLM interrupt 4
Correctness properties • P1: The processor does not start a new convolution processing before the completion of the previous one. • P2: No convolution processing must be started before both destination and source addresses have been programmed. • P3: The memory does not respond with two “splits” consecutively to the same master
PSL formalization • Illustration on the third property: P3: The memory does not respond with two "splits" consecutively to the same master • Auxiliary variables (defined in the "modeling layer", usingfunctions of the platform) • "Response with a split" ? • Boolean variable to store the status of the "split" field of the response • "To the same master" ? • Auxiliary variables to store the values of the previous and current masters Workshop - November 2011
PSL formalization • Where to observe? Observation? Workshop - November 2011
Complete assertion for ISIS • On the memory side unsigned int prev_master, master = 999; bool status_split; // true if a split has been issued prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp; prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s; if (ahb_mem.transport_END()) { prev_master = master; master = ahb_mem.transport.p1.get_master_id(); resp = ahb_mem.transport.p0; s = resp.get_ttp_status(); status_split = (s.access_extension())->is_split(); } else status_split = false; assert always((ahb_mem.transport_END() && status_split) => next (next_event (ahb_mem.transport_END() && (master == prev_master)) (!status_split))); Workshop - November 2011
Complete assertion for ISIS • On the bus side unsigned int prev_master, master = 999; bool to_ahb; // true if the target is the AHB memory bool split; // true if a split has been issued prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp; prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s; if (bus_initiator_port.do_transport_END()) { to_ahb = (bus_initiator_port.do_transport.p3 == 0); if (to_ahb) { prev_master = master; master = bus_initiator_port.do_transport.p1.get_master_id(); resp = bus_initiator_port.do_transport.p2; s = resp.get_ttp_status(); split = (s.access_extension())->is_split(); } } else { to_ahb = false; split = false; } assert always((bus_initiator_port.do_transport_END() && to_ahb&& split) => next (next_event (bus_initiator_port.do_transport_END() && to_ahb && (master == prev_master)) (!split))); Workshop - November 2011
Dual-Core Architecture • Image spectral-compression platform • Performs “subsampling” on incoming data packets • Subsampled packets are then transferred to an auxiliary processing unit which performs a 2D-FFT (using a co-processor) and data encoding Input 10N Subsampling 5N 2D-FFT 5N Encoding N Output
Processing platform Leon_a DMA_a DMA_b Leon_b Mem_a Mem_b FFT IO
Processing platform (cont’d) • IO module generates an interrupt causing DMA_a to transfer the input packet of size 10N to Mem_a • At the end of the transfer, Leon_a subsamples the data and writes the result to Mem_a (10N->5N) • Leon_a configures DMA_b to transfer the result to Mem_b (5N->5N) • At the end of the transfer, Leon_b configures the FFT module to perform a 2D-FFT (5N->5N) • Leon_b encodes the result (5N->N) and programs DMA_b to send the result to the IO module (N->N)
Correctness properties • P1: during every transfer, DMA_a must not be reconfigured before the end of the transfer • P2: same property for DMA_b (but DMA_b can be configured both by Leon_a and Leon_b processors) • P3: each incoming data packet must have a corresponding output packet (i.e., no packet is lost inside the processing platform) • P4: same as property 1 for the FFT module • P5: a data packet must be read before the IO module generates a new interrupt (i.e., data are not lost in the IO port) Workshop - November 2011
PSL formalization • Illustration on the third property: P3: each incoming data packet must have a corresponding output packet • More precise statement: each block transferred by DMA_a from the IO module into Mem_a (input) will eventually be transferred by DMA_b from Mem_b to the IO module (output) Requires the use of the ISIS "new" construct Workshop - November 2011
PSL "Modeling layer" • Used to store the values that are read by DMA_a and written by DMA_b if (dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address){ read_data_ptr = dma_a.read_block.p2; read_value = read_data_ptr[0] + (read_data_ptr[1] << 8) + (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24); } if (dma_b.write_block_CALL() && dma_b.write_block.p1 == io_module_address){ write_data_ptr = dma_b.write_block.p2; write_value = write_data_ptr[0] + (write_data_ptr[1] << 8) + (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24); } Workshop - November 2011
Complete assertion for ISIS unsigned char *write_data_ptr, *read_data_ptr; unsigned int write_value, read_value; if (dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address){ read_data_ptr = dma_a.read_block.p2; read_value = read_data_ptr[0] + (read_data_ptr[1] << 8) + (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24);} if (dma_b.write_block_CALL() && dma_b.write_block.p1 == io_module_address){ write_data_ptr = dma_b.write_block.p2; write_value = write_data_ptr[0] + (write_data_ptr[1] << 8) + (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24);} assert always((dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address) =>NEW(true ? x:unsigned int = read_value) (eventually!(dma_b.write_block_CALL() && dma_b.write_block.p1 == io_module_address &&x== write_value))); Workshop - November 2011
Astrium’s REX 17 • Good expressivity of PSL • High added-value of modelling layer to handle the context • Moderate time overhead induced by monitoring (5-8%) • The property checkers will provide a valuable help for non-regression testing • Careful (natural language) expression of the requirements • Specify at TLM interfaces • Disambiguate the properties, in particular the meaning of communication actions (verbs transaction sequence), and specify your preferred observation points (method name and parameters identification • Use of a macro-language to relax the coupling between modelling rules and the properties
Future works • Define and implement the macro-language • Linked with the development of the abstraction layer above TLM providing some observation (hook) facilities • Expression of functional dependencies between properties • Properties refinement from System/TLM to RTL • Usage extension: • Embed the monitors into flight HW • Synthesize a supervisor • Mitigate radiation effect at architecture level
Thank you ? ? ? Any questions ? Workshop - November 2011
ISIS monitors P1 to P5 SystemC instrumented platform XML configuration files PSL assertions Monitors + observation mechanism SystemC platform ISIS Simulation Workshop - November 2011