1 / 20

ABV in the space context: verification of correctness requirements

ABV in the space context: verification of correctness requirements. V.Lefftz (Astrium), L.Pierre (TIMA). Overview. Correctness properties for the Astrium case study - consideration in the SystemC platforms models TTP platform (Approximated Timed platform)

starbuck
Download Presentation

ABV in the space context: verification of correctness requirements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ABV in the space context: verification of correctness requirements V.Lefftz (Astrium), L.Pierre (TIMA)

  2. Overview • Correctness properties for the Astrium case study - consideration in the SystemC platforms models • TTP platform (Approximated Timed platform) • Dual core platform (Architecture Exploration platform) • PSL formalization of the properties - generation of the associated ISIS monitors • Astrium Return of Experimentation Workshop - November 2011

  3. TTP platform: Block diagram AMBA AHB based architecture with a processor and a HW convolution block. HW block is configured by the processor.Processing is interleaved and results are written either to a work memory or the “AHB” memory (its access can cause a split) Work Memory AHB Memory Leon (cpu) IRQ Memory ctrl AHB bus Conv block AHB Arbiter 3

  4. TTP platform LEON PV LEON T Mem T Mem PV PV Router AHB Bus AHB Mem T AHB Mem PV Conv PV Conv T TLM PV TTP Target port Initiator port TLM interrupt 4

  5. Correctness properties • P1: The processor does not start a new convolution processing before the completion of the previous one. • P2: No convolution processing must be started before both destination and source addresses have been programmed. • P3: The memory does not respond with two “splits” consecutively to the same master

  6. PSL formalization • Illustration on the third property: P3: The memory does not respond with two "splits" consecutively to the same master • Auxiliary variables (defined in the "modeling layer", usingfunctions of the platform) • "Response with a split" ? • Boolean variable to store the status of the "split" field of the response • "To the same master" ? • Auxiliary variables to store the values of the previous and current masters Workshop - November 2011

  7. PSL formalization • Where to observe? Observation? Workshop - November 2011

  8. Complete assertion for ISIS • On the memory side unsigned int prev_master, master = 999; bool status_split; // true if a split has been issued prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp; prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s; if (ahb_mem.transport_END()) { prev_master = master; master = ahb_mem.transport.p1.get_master_id(); resp = ahb_mem.transport.p0; s = resp.get_ttp_status(); status_split = (s.access_extension())->is_split(); } else status_split = false; assert always((ahb_mem.transport_END() && status_split) => next (next_event (ahb_mem.transport_END() && (master == prev_master)) (!status_split))); Workshop - November 2011

  9. Complete assertion for ISIS • On the bus side unsigned int prev_master, master = 999; bool to_ahb; // true if the target is the AHB memory bool split; // true if a split has been issued prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp; prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s; if (bus_initiator_port.do_transport_END()) { to_ahb = (bus_initiator_port.do_transport.p3 == 0); if (to_ahb) { prev_master = master; master = bus_initiator_port.do_transport.p1.get_master_id(); resp = bus_initiator_port.do_transport.p2; s = resp.get_ttp_status(); split = (s.access_extension())->is_split(); } } else { to_ahb = false; split = false; } assert always((bus_initiator_port.do_transport_END() && to_ahb&& split) => next (next_event (bus_initiator_port.do_transport_END() && to_ahb && (master == prev_master)) (!split))); Workshop - November 2011

  10. Dual-Core Architecture • Image spectral-compression platform • Performs “subsampling” on incoming data packets • Subsampled packets are then transferred to an auxiliary processing unit which performs a 2D-FFT (using a co-processor) and data encoding Input 10N Subsampling 5N 2D-FFT 5N Encoding N Output

  11. Processing platform Leon_a DMA_a DMA_b Leon_b Mem_a Mem_b FFT IO

  12. Processing platform (cont’d) • IO module generates an interrupt causing DMA_a to transfer the input packet of size 10N to Mem_a • At the end of the transfer, Leon_a subsamples the data and writes the result to Mem_a (10N->5N) • Leon_a configures DMA_b to transfer the result to Mem_b (5N->5N) • At the end of the transfer, Leon_b configures the FFT module to perform a 2D-FFT (5N->5N) • Leon_b encodes the result (5N->N) and programs DMA_b to send the result to the IO module (N->N)

  13. Correctness properties • P1: during every transfer, DMA_a must not be reconfigured before the end of the transfer • P2: same property for DMA_b (but DMA_b can be configured both by Leon_a and Leon_b processors) • P3: each incoming data packet must have a corresponding output packet (i.e., no packet is lost inside the processing platform) • P4: same as property 1 for the FFT module • P5: a data packet must be read before the IO module generates a new interrupt (i.e., data are not lost in the IO port) Workshop - November 2011

  14. PSL formalization • Illustration on the third property: P3: each incoming data packet must have a corresponding output packet • More precise statement: each block transferred by DMA_a from the IO module into Mem_a (input) will eventually be transferred by DMA_b from Mem_b to the IO module (output) Requires the use of the ISIS "new" construct Workshop - November 2011

  15. PSL "Modeling layer" • Used to store the values that are read by DMA_a and written by DMA_b if (dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address){ read_data_ptr = dma_a.read_block.p2; read_value = read_data_ptr[0] + (read_data_ptr[1] << 8) + (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24); } if (dma_b.write_block_CALL() && dma_b.write_block.p1 == io_module_address){ write_data_ptr = dma_b.write_block.p2; write_value = write_data_ptr[0] + (write_data_ptr[1] << 8) + (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24); } Workshop - November 2011

  16. Complete assertion for ISIS unsigned char *write_data_ptr, *read_data_ptr; unsigned int write_value, read_value; if (dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address){ read_data_ptr = dma_a.read_block.p2; read_value = read_data_ptr[0] + (read_data_ptr[1] << 8) + (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24);} if (dma_b.write_block_CALL() && dma_b.write_block.p1 == io_module_address){ write_data_ptr = dma_b.write_block.p2; write_value = write_data_ptr[0] + (write_data_ptr[1] << 8) + (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24);} assert always((dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address) =>NEW(true ? x:unsigned int = read_value) (eventually!(dma_b.write_block_CALL() && dma_b.write_block.p1 == io_module_address &&x== write_value))); Workshop - November 2011

  17. Astrium’s REX 17 • Good expressivity of PSL • High added-value of modelling layer to handle the context • Moderate time overhead induced by monitoring (5-8%) • The property checkers will provide a valuable help for non-regression testing • Careful (natural language) expression of the requirements • Specify at TLM interfaces • Disambiguate the properties, in particular the meaning of communication actions (verbs  transaction sequence), and specify your preferred observation points (method name and parameters identification • Use of a macro-language to relax the coupling between modelling rules and the properties

  18. Future works • Define and implement the macro-language • Linked with the development of the abstraction layer above TLM providing some observation (hook) facilities • Expression of functional dependencies between properties • Properties refinement from System/TLM to RTL • Usage extension: • Embed the monitors into flight HW • Synthesize a supervisor • Mitigate radiation effect at architecture level

  19. Thank you ? ? ? Any questions ? Workshop - November 2011

  20. ISIS monitors P1 to P5 SystemC instrumented platform XML configuration files PSL assertions Monitors + observation mechanism SystemC platform ISIS Simulation Workshop - November 2011

More Related