Transcript Diapositive 1 - SoCKET Project

V.Lefftz (Astrium), L.Pierre (TIMA)
Workshop - November 2011 - Toulouse
Overview
 Correctness properties for the Astrium case study -
consideration in the SystemC platforms models
 TTP platform (Approximated Timed platform)
 Dual core platform (Architecture Exploration platform)
 PSL formalization of the properties - generation of
the associated ISIS monitors
 Astrium Return of Experimentation
Workshop - November 2011
2
TTP platform: Block diagram
Work
AHB
Memory Memory
 AMBA AHB based
architecture with a processor
and a HW convolution block.
IRQ
Leon
(cpu)
Memory ctrl
 HW block is configured by
the processor.
Processing is interleaved
and results are written either
to a work memory or the
“AHB” memory (its access
can cause a split)
AHB bus
Conv
block
AHB
Arbiter
3
TTP platform
LEON
PV
LEON
T
PV
Router
Conv
PV
AHB
Bus
Conv
T
TLM PV
TLM interrupt
TTP
Initiator port
Mem
T
Mem
PV
AHB
Mem
T
AHB
Mem
PV
Target port
4
Correctness properties
 P1: The processor does not start a new convolution
processing before the completion of the previous
one.
 P2: No convolution processing must be started
before both destination and source addresses have
been programmed.
 P3: The memory does not respond with two “splits”
consecutively to the same master
PSL formalization
 Illustration on the third property:
P3: The memory does not respond with two "splits"
consecutively to the same master
 Auxiliary variables (defined in the "modeling layer",
using functions of the platform)
 "Response with a split" ?
 Boolean variable to store the status of the "split" field of the
response
 "To the same master" ?
 Auxiliary variables to store the values of the previous and
current masters
Workshop - November 2011
6
PSL formalization
 Where to observe?
Observation?
Workshop - November 2011
7
Complete assertion for ISIS
 On the memory side
unsigned int prev_master, master = 999;
bool status_split;
// true if a split has been issued
prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp;
prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s;
if (ahb_mem.transport_END()) {
prev_master = master;
master = ahb_mem.transport.p1.get_master_id();
resp = ahb_mem.transport.p0;
s = resp.get_ttp_status();
status_split = (s.access_extension())->is_split();
}
else status_split = false;
assert always((ahb_mem.transport_END() && status_split)
=> next (next_event (ahb_mem.transport_END()
&& (master == prev_master))
(!status_split)));
Workshop - November 2011
8
Complete assertion for ISIS
 On the bus side
unsigned int prev_master, master = 999;
bool to_ahb;
// true if the target is the AHB memory
bool split;
// true if a split has been issued
prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp;
prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s;
if (bus_initiator_port.do_transport_END()) {
to_ahb = (bus_initiator_port.do_transport.p3 == 0);
if (to_ahb) {
prev_master = master;
master = bus_initiator_port.do_transport.p1.get_master_id();
resp = bus_initiator_port.do_transport.p2;
s = resp.get_ttp_status();
split = (s.access_extension())->is_split(); }
} else { to_ahb = false; split = false; }
assert always((bus_initiator_port.do_transport_END() && to_ahb && split)
=> next (next_event (bus_initiator_port.do_transport_END()
&& to_ahb && (master == prev_master))
(!split)));
Workshop - November 2011
9
Dual-Core Architecture
 Image spectral-compression platform
Input
 Performs “subsampling” on incoming
data packets
10N
Subsampling
5N
2D-FFT
 Subsampled packets are then
transferred to an auxiliary processing
unit which performs a 2D-FFT (using a
co-processor) and data encoding
5N
Encoding
N
Output
Processing platform
Leon_a
DMA_a
Mem_a
IO
DMA_b
Leon_b
Mem_b
FFT
Processing platform (cont’d)
 IO module generates an interrupt causing DMA_a to
transfer the input packet of size 10N to Mem_a
 At the end of the transfer, Leon_a subsamples the
data and writes the result to Mem_a (10N->5N)
 Leon_a configures DMA_b to transfer the result to
Mem_b (5N->5N)
 At the end of the transfer, Leon_b configures the
FFT module to perform a 2D-FFT (5N->5N)
 Leon_b encodes the result (5N->N) and programs
DMA_b to send the result to the IO module (N->N)
Correctness properties
 P1: during every transfer, DMA_a must not be
reconfigured before the end of the transfer
 P2: same property for DMA_b (but DMA_b can be
configured both by Leon_a and Leon_b processors)
 P3: each incoming data packet must have a
corresponding output packet (i.e., no packet is lost
inside the processing platform)
 P4: same as property 1 for the FFT module
 P5: a data packet must be read before the IO
module generates a new interrupt (i.e., data are not
lost in the IO port)
Workshop - November 2011
13
PSL formalization
 Illustration on the third property:
P3: each incoming data packet must have a
corresponding output packet
 More precise statement:
each block transferred by DMA_a from the IO
module into Mem_a (input) will eventually be
transferred by DMA_b from Mem_b to the IO module
(output)
Requires the use of the ISIS "new" construct
Workshop - November 2011
14
PSL "Modeling layer"
 Used to store the values that are read by DMA_a
and written by DMA_b
if (dma_a.read_block_END() &&
dma_a.read_block.p1 == io_module_address) {
read_data_ptr = dma_a.read_block.p2;
read_value = read_data_ptr[0] + (read_data_ptr[1] << 8)
+ (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24);
}
if (dma_b.write_block_CALL() &&
dma_b.write_block.p1 == io_module_address) {
write_data_ptr = dma_b.write_block.p2;
write_value = write_data_ptr[0] + (write_data_ptr[1] << 8)
+ (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24);
}
Workshop - November 2011
15
Complete assertion for ISIS
unsigned char *write_data_ptr, *read_data_ptr;
unsigned int write_value, read_value;
if (dma_a.read_block_END() &&
dma_a.read_block.p1 == io_module_address) {
read_data_ptr = dma_a.read_block.p2;
read_value = read_data_ptr[0] + (read_data_ptr[1] << 8)
+ (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24); }
if (dma_b.write_block_CALL() &&
dma_b.write_block.p1 == io_module_address) {
write_data_ptr = dma_b.write_block.p2;
write_value = write_data_ptr[0] + (write_data_ptr[1] << 8)
+ (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24); }
assert
always((dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address)
=> NEW(true ? x:unsigned int = read_value)
(eventually!(dma_b.write_block_CALL()
&& dma_b.write_block.p1 == io_module_address
&& x == write_value)));
Workshop - November 2011
16
Astrium’s REX
 Good expressivity of PSL
 High added-value of modelling layer to handle the context
 Moderate time overhead induced by monitoring (5-8%)
 The property checkers will provide a valuable help for non-
regression testing
 Careful (natural language) expression of the requirements
 Specify at TLM interfaces
 Disambiguate the properties, in particular the meaning of
communication actions (verbs  transaction sequence), and
specify your preferred observation points (method name and
parameters identification
 Use of a macro-language to relax the coupling between modelling
rules and the properties
17
Future works
 Define and implement the macro-language
 Linked with the development of the abstraction layer
above TLM providing some observation (hook)
facilities
 Expression of functional dependencies between
properties
 Properties refinement from System/TLM to RTL
 Usage extension:
 Embed the monitors into flight HW
 Synthesize a supervisor
 Mitigate radiation effect at architecture level
Thank you
?
Any questions ?
Workshop - November 2011
ISIS monitors
P1 to P5
XML configuration
files
SystemC
instrumented platform
Monitors +
observation
mechanism
PSL
assertions
SystemC platform
ISIS
Simulation
Workshop - November 2011
20