Abv in the space context verification of correctness requirements
This presentation is the property of its rightful owner.
Sponsored Links
1 / 20

ABV in the space context: verification of correctness requirements PowerPoint PPT Presentation


  • 81 Views
  • Uploaded on
  • Presentation posted in: General

ABV in the space context: verification of correctness requirements. V.Lefftz (Astrium), L.Pierre (TIMA). Overview. Correctness properties for the Astrium case study - consideration in the SystemC platforms models TTP platform (Approximated Timed platform)

Download Presentation

ABV in the space context: verification of correctness requirements

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Abv in the space context verification of correctness requirements

ABV in the space context: verification of correctness requirements

V.Lefftz (Astrium), L.Pierre (TIMA)


Overview

Overview

  • Correctness properties for the Astrium case study - consideration in the SystemC platforms models

    • TTP platform (Approximated Timed platform)

    • Dual core platform (Architecture Exploration platform)

  • PSL formalization of the properties - generation of the associated ISIS monitors

  • Astrium Return of Experimentation

Workshop - November 2011


Ttp platform block diagram

TTP platform: Block diagram

AMBA AHB based architecture with a processor and a HW convolution block.

HW block is configured by the processor.Processing is interleaved and results are written either to a work memory or the “AHB” memory (its access can cause a split)

Work

Memory

AHB

Memory

Leon

(cpu)

IRQ

Memory ctrl

AHB bus

Conv

block

AHB

Arbiter

3


Ttp platform

TTP platform

LEON

PV

LEON

T

Mem

T

Mem

PV

PV

Router

AHB

Bus

AHB

Mem

T

AHB

Mem

PV

Conv

PV

Conv

T

TLM PV

TTP

Target port

Initiator port

TLM interrupt

4


Correctness properties

Correctness properties

  • P1: The processor does not start a new convolution processing before the completion of the previous one.

  • P2: No convolution processing must be started before both destination and source addresses have been programmed.

  • P3: The memory does not respond with two “splits” consecutively to the same master


Psl formalization

PSL formalization

  • Illustration on the third property:

    P3: The memory does not respond with two "splits" consecutively to the same master

  • Auxiliary variables (defined in the "modeling layer", usingfunctions of the platform)

    • "Response with a split" ?

      • Boolean variable to store the status of the "split" field of the response

    • "To the same master" ?

      • Auxiliary variables to store the values of the previous and current masters

Workshop - November 2011


Psl formalization1

PSL formalization

  • Where to observe?

Observation?

Workshop - November 2011


Complete assertion for isis

Complete assertion for ISIS

  • On the memory side

unsigned int prev_master, master = 999;

bool status_split; // true if a split has been issued

prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp;

prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s;

if (ahb_mem.transport_END()) {

prev_master = master;

master = ahb_mem.transport.p1.get_master_id();

resp = ahb_mem.transport.p0;

s = resp.get_ttp_status();

status_split = (s.access_extension())->is_split();

}

else status_split = false;

assert always((ahb_mem.transport_END() && status_split)

=> next (next_event (ahb_mem.transport_END()

&& (master == prev_master))

(!status_split)));

Workshop - November 2011


Complete assertion for isis1

Complete assertion for ISIS

  • On the bus side

unsigned int prev_master, master = 999;

bool to_ahb; // true if the target is the AHB memory

bool split; // true if a split has been issued

prt_tlm_ttp::ttp_response<ttp_ahb::ahb_status> resp;

prt_tlm_ttp::ttp_status<ttp_ahb::ahb_status> s;

if (bus_initiator_port.do_transport_END()) {

to_ahb = (bus_initiator_port.do_transport.p3 == 0);

if (to_ahb) {

prev_master = master;

master = bus_initiator_port.do_transport.p1.get_master_id();

resp = bus_initiator_port.do_transport.p2;

s = resp.get_ttp_status();

split = (s.access_extension())->is_split(); }

} else { to_ahb = false; split = false; }

assert always((bus_initiator_port.do_transport_END() && to_ahb&& split)

=> next (next_event (bus_initiator_port.do_transport_END()

&& to_ahb && (master == prev_master))

(!split)));

Workshop - November 2011


Dual core architecture

Dual-Core Architecture

  • Image spectral-compression platform

    • Performs “subsampling” on incoming data packets

    • Subsampled packets are then transferred to an auxiliary processing unit which performs a 2D-FFT (using a co-processor) and data encoding

Input

10N

Subsampling

5N

2D-FFT

5N

Encoding

N

Output


Processing platform

Processing platform

Leon_a

DMA_a

DMA_b

Leon_b

Mem_a

Mem_b

FFT

IO


Processing platform cont d

Processing platform (cont’d)

  • IO module generates an interrupt causing DMA_a to transfer the input packet of size 10N to Mem_a

  • At the end of the transfer, Leon_a subsamples the data and writes the result to Mem_a (10N->5N)

  • Leon_a configures DMA_b to transfer the result to Mem_b (5N->5N)

  • At the end of the transfer, Leon_b configures the FFT module to perform a 2D-FFT (5N->5N)

  • Leon_b encodes the result (5N->N) and programs DMA_b to send the result to the IO module (N->N)


Correctness properties1

Correctness properties

  • P1: during every transfer, DMA_a must not be reconfigured before the end of the transfer

  • P2: same property for DMA_b (but DMA_b can be configured both by Leon_a and Leon_b processors)

  • P3: each incoming data packet must have a corresponding output packet (i.e., no packet is lost inside the processing platform)

  • P4: same as property 1 for the FFT module

  • P5: a data packet must be read before the IO module generates a new interrupt (i.e., data are not lost in the IO port)

Workshop - November 2011


Psl formalization2

PSL formalization

  • Illustration on the third property:

    P3: each incoming data packet must have a corresponding output packet

  • More precise statement:

    each block transferred by DMA_a from the IO module into Mem_a (input) will eventually be transferred by DMA_b from Mem_b to the IO module (output)

Requires the use of the ISIS "new" construct

Workshop - November 2011


Psl modeling layer

PSL "Modeling layer"

  • Used to store the values that are read by DMA_a and written by DMA_b

if (dma_a.read_block_END() &&

dma_a.read_block.p1 == io_module_address){

read_data_ptr = dma_a.read_block.p2;

read_value = read_data_ptr[0] + (read_data_ptr[1] << 8)

+ (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24);

}

if (dma_b.write_block_CALL() &&

dma_b.write_block.p1 == io_module_address){

write_data_ptr = dma_b.write_block.p2;

write_value = write_data_ptr[0] + (write_data_ptr[1] << 8)

+ (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24);

}

Workshop - November 2011


Complete assertion for isis2

Complete assertion for ISIS

unsigned char *write_data_ptr, *read_data_ptr;

unsigned int write_value, read_value;

if (dma_a.read_block_END() &&

dma_a.read_block.p1 == io_module_address){

read_data_ptr = dma_a.read_block.p2;

read_value = read_data_ptr[0] + (read_data_ptr[1] << 8)

+ (read_data_ptr[2] << 16) + (read_data_ptr[3] << 24);}

if (dma_b.write_block_CALL() &&

dma_b.write_block.p1 == io_module_address){

write_data_ptr = dma_b.write_block.p2;

write_value = write_data_ptr[0] + (write_data_ptr[1] << 8)

+ (write_data_ptr[2] << 16) + (write_data_ptr[3] << 24);}

assert

always((dma_a.read_block_END() && dma_a.read_block.p1 == io_module_address)

=>NEW(true ? x:unsigned int = read_value)

(eventually!(dma_b.write_block_CALL()

&& dma_b.write_block.p1 == io_module_address

&&x== write_value)));

Workshop - November 2011


Astrium s rex

Astrium’s REX

17

  • Good expressivity of PSL

  • High added-value of modelling layer to handle the context

  • Moderate time overhead induced by monitoring (5-8%)

  • The property checkers will provide a valuable help for non-regression testing

  • Careful (natural language) expression of the requirements

    • Specify at TLM interfaces

    • Disambiguate the properties, in particular the meaning of communication actions (verbs  transaction sequence), and specify your preferred observation points (method name and parameters identification

    • Use of a macro-language to relax the coupling between modelling rules and the properties


Future works

Future works

  • Define and implement the macro-language

    • Linked with the development of the abstraction layer above TLM providing some observation (hook) facilities

  • Expression of functional dependencies between properties

  • Properties refinement from System/TLM to RTL

  • Usage extension:

    • Embed the monitors into flight HW

    • Synthesize a supervisor

    • Mitigate radiation effect at architecture level


Thank you

Thank you

?

?

?

Any questions ?

Workshop - November 2011


Isis monitors

ISIS monitors

P1 to P5

SystemC

instrumented platform

XML configuration

files

PSL

assertions

Monitors +

observation mechanism

SystemC platform

ISIS

Simulation

Workshop - November 2011


  • Login