Synchronous Design and Verification of Critical ... - Semantic Scholar

Synchronous Design and Verification of Critical Embedded Systems using SCADE and Esterel Gérard Berry Chief Scientist

www.esterel-technologies.com [email protected] © Esterel Technologies 2007

G. Berry, ADA 2007 - 1

Esterel Technologies - Industries Served

Esterel Studio™

SCADE Suite™

SCADE Drive™

Specification-to-RTL of hardware IP designs

De-facto Standard for Safety-critical avionics embedded software

Safety-critical automotive embedded software

• rigorous & unambiguous executable specifications

• DO-178B Level A certified systems

• code generator certified by TUV - IEC 61508 standard

• automatically-generated efficient RTL / C code

• automatically-generated C code

© Esterel Technologies 2007


Applications and Constraints flight-control, engines, brakes, fuel, power, climate safety-critical => certification trajectory, attitude, image, telecom mission-critical => very high quality

telephone, audio, TV, DVD, games business critical => time-to market + quality pacemakers, diabet control, robot surgeons life-critical => TBD (!)



SCADE Suite in Aerospace & Defense Applications EUROCOPTER – EC145

•

More than 50 companies using SCADE for • Flight control systems • Power management • Reconfiguration management • Autopilots • Engine control systems • Braking systems

Dassault Aviation - Rafale

• Fuel management Dassault Aviation – Falcon 7X

• Cockpit display and alarm management

AIRBUS – A340-600 & A380

Aeroengines by Snecma ©Snecma/Studio Pons

US Air Force - F16



SCADE Suite in the A380 Anti Ice Control Unit

Flight Control Primary & Secondary Commands

Flight Warning System

• SCADE = Airbus corporate standard for all new airplanes developments – – – – – – – – –

Flight Control system Flight Warning system Electrical Load Management system Anti Icing system Braking and Steering system Cockpit Display system Part of ATSU (Board / Ground comms) FADEC (Engine Control) EIS2 : Specification GUI Cockpit: – PFD : Primary Flight Display – ND : Navigation Display – EWD : Engine Warning Display – SD : System Display

Braking & Steering Control Unit



SCADE Suite in the 787

Landing Gear System Braking System

• SCADE is present in the following Boeing 787 systems: – Landing Gear System (Smiths Aerospace) – Braking System (Messier Bugatti)



SCADE in Automotive & Land Systems Applications • Automotive & 2-Wheelers: – – – – – – –

Airbags Braking Systems, ABS & ESP Steering Chassis & Suspension Systems Restraining systems Engine regulation X-By-Wire applications

BMW motorcycles

AUDI - A8

Mercedes – Class S

• Heavy Duty Land systems: – – – – – – –

Cranes Tractors Tanks Earth Moving Machines Trucks Construction equipment Mining machines, etc…



SCADE in Rail Transportation Applications • • • • • • • •

Interlocking systems control Signaling Ground stations Automatic Train Operations Train Control Systems Critical Graphics Displays Level Crossings Safe Platforms

Ansaldo - EUROSTAR

RATP - Paris Subway (Meteor line)

Interlockings and operation control systems © Esterel Technologies 2007

Automatic train control systems G. Berry, ADA 2007 - 8

SCADE Nuclear I&C Applications •

Reactor Protection Systems: – Reactor limitation system (1E) – Trip processing & Emergency shutdown (1E) – Safety actuation (1E)

•

Nuclear Instrumentation Systems: – – – – –

•

Power measurement system Neutron detectors (1E) Pressurizer heating controllers Neutron instrumentation systems (1E) Boron meters

Other Safety Systems – – – –

Safety valve control system Rod control systems Diesel sequencing system (1E) Rod position instrumentation systems



The Esterel Consortium In 2001 Esterel Technologies formed a consortium of leading Semiconductor companies Early adopters of Esterel Studio™ Best practice sharing about project

use and design flow integration

Collaborative specification of the

main product features and roadmap

Attended by academic partners for

scientific advise

Attended by Esterel Studio offer

partners

Support to the IEEE standardization

process of the Esterel language


G. Berry, ADA 2007 - 10

Esterel Application Targets •

Bus interfaces and peripheral controllers – – – –

•

Processor modeling and synthesis – – – – – –

•

Bus bridges Serial ATA Flash cards Video controllers Instruction Set Architecture Complex instruction and data cache Arbiters On-chip power management DMA Interrupt control

Processors

DSP Core

DMA

System bus Power Mgt

SRAM

Memory Controller

Arbitration

Bridge

Communication IPs – Radio – Fast serial links (UART, Aurora) – Bluetooth / Ethernet Controller


Glue Logic

Peripheral bus

Video IP

UART

SDCard I/F

G. Berry, ADA 2007 - 11

Messages to Users 1. Specification of dynamics cannot be accurate when written on static paper 2. Animated executable specifications key to reuse, inter-teams communication, what-if studies, etc 3. Once such specs are available, why recoding? 4. Any safe model-based spec-to-implementation path must be based on formal methods and tools - hierarchical behavior description - languages with formal semantics - formal compiling algorithms - formal verification techniques

5. Formal verification is a design tool usable at all design steps, not only in validation phase © Esterel Technologies 2007

G. Berry, ADA 2007 - 12

A short history of synchrony


G. Berry, ADA 2007 - 13

A short history of synchrony • 1982-1985 : first ideas, languages, and semantics Esterel : Berry – Marmorat - Rigault, Sophia-Antipolis Lustre : Caspi – Halbwachs, Grenoble Signal : Benveniste – Le Guernic, Rennes


G. Berry, ADA 2007 - 13



Computer Science Control Theory

G. Berry, ADA 2007 - 13


Computer Science Control Theory

•1985-1998 : more languages, semantics, compiling & verification SyncCharts (André), Reactive C (Boussinot), TCC (Saraswat), etc. causality analysis (Berry, Gonthier, Shiple) links to dataflow (Ptolemy), to hardware (Vuillemin), etc. formal optimization & verification techniques (Madre & Coudert, Touati) First industrialization of Esterel by ILOG for Dassault Aviation / Thales Formal verification (BDDs) on landing gear, Displays, etc in 1991 Creation of SCADE by Verilog for Schneider and Airbus © Esterel Technologies 2007

G. Berry, ADA 2007 - 13

• 1998 –2001 : more research, maturation, industrial projects S. Edwards, Synopsys Shyamasundar, TIFR, Ramesh, IIT Mumbai Saraswat, Xerox K. Schneider, Karlsruhe / KaisersLautern ...

applications: avionics, nuclear plant safety, telecom, robotics, etc.

• 2001-2007 : industrial expansion Development of Esterel v7 for hardware circuit design Creation of the Esterel Consortium Massive usage of SCADE in certified avionics embedded systems Growing usage of SCADE in railways and automotive industries


G. Berry, ADA 2007 - 14

• 1998 –2001 : more research, maturation, industrial projects S. Edwards, Synopsys Shyamasundar, TIFR, Ramesh, IIT Mumbai Saraswat, Xerox K. Schneider, Karlsruhe / KaisersLautern ...

applications: avionics, nuclear plant safety, telecom, robotics, etc.

• 2001-2007 : industrial expansion Development of Esterel v7 for hardware circuit design Creation of the Esterel Consortium Massive usage of SCADE in certified avionics embedded systems Growing usage of SCADE in railways and automotive industries

Still few researchers working on this key subject!


G. Berry, ADA 2007 - 14

Global Coordination © Esterel Technologies 2007

G. Berry, ADA 2007 - 15

Automatic toll

Air Con

Radio

Light control

Alarm detection Panel

Engine control

Sleep detector GPS

Gearbox

Airbags Clutch Direction

Radar ABS

Supension Global Coordination © Esterel Technologies 2007

G. Berry, ADA 2007 - 15

Automatic toll

Air Con

Radio

Light control


Engine control

Sleep detector GPS

Gearbox


Radar ABS


G. Berry, ADA 2007 - 15

How to avoid or control bugs? • Traditional : better verification by fancier simulation • Next step : better design better and more reusable specifications simpler computation models, formalisms, semantics reduce architect / designer distance reduce hardware / software distance

• Mandatory: better tooling synthesis from high-level descriptions formal property verification / program equivalence certified libraries


G. Berry, ADA 2007 - 16

Embedded Modules Anatomy • CC : continuous control, signal processing differential equations, digital filtering specs and simulation with Matlab / Scilab

• FSM : finite state machines (automata) discrete control, protocols, security, displays, etc. flat or hierarchical FSMs

• Calc : heavy calculations navigation, encryption, image processing C + libraries

• Web : HMI, audio / video user interaction / audio / vidéo data flow networks, Java © Esterel Technologies 2007

G. Berry, ADA 2007 - 17

Automatic toll

Air Con

Radio

Light control


Engine control

Sleep detector GPS

Gearbox


Radar ABS


G. Berry, ADA 2007 - 18

FSM

CC+FSM

FSM

CC + FSM

CC+FSM FSM

CC+Calc+FSM

Calc+FSM Calc+FSM

CC+Calc+FSM

CC+FSM CC+FSM CC+FSM

Calc CC+FSM

CC+FSM Global Coordination : Calc+CC+FSM © Esterel Technologies 2007

G. Berry, ADA 2007 - 19

Key Computation Principles • Concurrency is fundamental implicit in CC, audio / video, protocols, etc. also mandatory for Web and Calc

• Determinism is fundamental implicit for CC and FSM who would drive a non-deterministic car? can be relaxed for Web, infotainment, etc.

• Physical distribution becomes fundamental separation of functions, links between them redundancy for fault-tolerance global time needed for distributed control © Esterel Technologies 2007

G. Berry, ADA 2007 - 20

Q P

R

Concurrency : the compositionality principle © Esterel Technologies 2007

G. Berry, ADA 2007 - 21

Q P

R


G. Berry, ADA 2007 - 21

Q P

R


G. Berry, ADA 2007 - 21

Q P

R


G. Berry, ADA 2007 - 21

Q R

P P||Q


G. Berry, ADA 2007 - 21

Q R

P P||Q


G. Berry, ADA 2007 - 21

d t

Q

P

t’ t’’

R

P||Q


G. Berry, ADA 2007 - 22

d t

Q

P

t’ t’’

R

P||Q

t’’ = t + d + t’


G. Berry, ADA 2007 - 22

d t

Q

P

t’ t’’

R

P||Q

t’’ = t + d + t’ t’’ ~ t ~ d ~ t’ © Esterel Technologies 2007

G. Berry, ADA 2007 - 22

d t

Q

P

t’ t’’

R

P||Q

t’’ = t + d + t’ t’’ ~ t ~ d ~ t’ t~t+t © Esterel Technologies 2007

G. Berry, ADA 2007 - 22

Only 3 solutions : • t arbitrary

asynchrony

•t=0

synchrony

• t predictable

vibration


G. Berry, ADA 2007 - 23

Arbitrary Delay : Brownian Motion H+

Cl

_

H+

_ HCL Cl

H+

Cl

_

HCL H+

HCL

Chemical reaction _ + H + Cl


Internet routing

HCL

G. Berry, ADA 2007 - 24

Arbitrary Delay : Brownian Motion H+

Cl

_

H+

_ HCL Cl

H+

Cl

_

HCL H+

HCL

Chemical reaction _ + H + Cl

Internet routing

HCL

Models : Kahn networks, CSP / ADA,..., π-calculus, CHAM, Join-Calculus, Ambients, © Esterel Technologies 2007

G. Berry, ADA 2007 - 24

Kahn Networks

nodes = deterministic programs arrows = infinite fifos

• result-deterministic (independent of computation order) • easy semantics by flow equations • heavily used in streaming applications (audio, TV)


G. Berry, ADA 2007 - 25

Zero delay example: Newtonian Mechanics

Concurrency + Determinism Calculations are feasible © Esterel Technologies 2007

G. Berry, ADA 2007 - 26

The Esterel Runner

abort run Slowly when 100 Meter ;


G. Berry, ADA 2007 - 27

The Esterel Runner

abort run Slowly when 100 Meter ; abort every Step do run Jump || run Breathe end every when 15 Second ;


G. Berry, ADA 2007 - 27

The Esterel Runner

abort run Slowly when 100 Meter ; abort every Step do run Jump || run Breathe end every when 15 Second ; run FullSpeed


G. Berry, ADA 2007 - 27

The Esterel Runner loop abort run Slowly when 100 Meter ; abort every Step do run Jump || run Breathe end every when 15 Second ; run FullSpeed each Lap


G. Berry, ADA 2007 - 27

The Esterel Runner abort loop abort run Slowly when 100 Meter ; abort every Step do run Jump || run Breathe end every when 15 Second ; run FullSpeed each Lap when 4 Lap


G. Berry, ADA 2007 - 27

The Esterel Runner every Morning do abort loop abort run Slowly when 100 Meter ; abort every Step do run Jump || run Breathe end every when 15 Second ; run FullSpeed each Lap when 4 Lap end every


G. Berry, ADA 2007 - 27

The Esterel Runner trap HeartAttack in every Morning do abort loop abort run Slowly when 100 Meter ; abort every Step do run Jump || run Breathe || run CheckHeart end every when 15 Second ; exit HeartAttack run FullSpeed each Lap when 4 Lap end every handle HeartAttack fo run RushToHospital end trap © Esterel Technologies 2007

G. Berry, ADA 2007 - 27

predictable time = vibration

Nothing can illustrate vibration better than Bianca Castafiore, Hergé's famous prima donna. See [1] for details. The power of her voice forcibly shakes the microphone and the ears of the poor spectators. [1] King's Ottokar Sceptre, Hergé, page 29, last drawing.

propagation of light, sound, electrons, program counter... © Esterel Technologies 2007

G. Berry, ADA 2007 - 28

Full Abstraction Bianca Castafiore singing for the King Muskar XII in Klow, Syldavia. King's Ottokar Sceptre, page 38, first drawing. Although the speed of sounds is finite, it is fast enough to look infinite. Full abstraction!

If room is small enough, predictable delay implements zero-delay Specify with zero-delay Implement with predictable delay Control room size © Esterel Technologies 2007

G. Berry, ADA 2007 - 29

Software Synchronous Systems Cycle based read inputs compute reaction produce outputs

Synchronous = 0-delay = within the same cycle propagate control propagate signals No interference between I/O and computation Room size control = Worst Case Execution Time (AbsInt) © Esterel Technologies 2007

G. Berry, ADA 2007 - 30

Concurrency = Cycle Fusion input X, Z; output Y, T; Y = X+1; T=Z / 2


input Y; output Z; Z = Y * 3;

G. Berry, ADA 2007 - 31



Y Z


G. Berry, ADA 2007 - 31


Y Z


input X; output T; local Y, Z; Y = X+1; Z = Y * 3; T=Z / 2;


G. Berry, ADA 2007 - 31


Y Z


input X; output T; local Y, Z; Y = X+1; Z = Y * 3; T=Z / 2; Safe deterministic global variable sharing No context-switching cost, makes WCET easier © Esterel Technologies 2007

G. Berry, ADA 2007 - 31

Lustre = Synchronous Kahn Networks A simple counter Count (0) = 0  Count (t − 1) + 1, if Event (t ) = true  ∀t > 0, Count (t ) = Count (t − 1), otherwise  

Count = 0 -> (if Event then pre(Count)+1 else pre(Count))


G. Berry, ADA 2007 - 32

CC

SCADE

FSM


G. Berry, ADA 2007 - 33

CC

SCADE Certified compiler to C Formal verification engine

FSM


G. Berry, ADA 2007 - 33

Data flow

Existing Capabilities


G. Berry, ADA 2007 - 34

Data flow


Hierarchical State Machines


G. Berry, ADA 2007 - 34

Data flow


SCADE Display Modeler

Hierarchical State Machines


G. Berry, ADA 2007 - 34

Scade 6 : Data - Control Flow Unification

SCADE 5 Pure Control Flow into Pure Data Flow © Esterel Technologies 2007

G. Berry, ADA 2007 - 35

Scade 6 : Data - Control Flow Unification Freely mixable in hierarchy

SCADE 5 Pure Control Flow into Pure Data Flow © Esterel Technologies 2007

SCADE 6 Unified Data Flow & Control Flow G. Berry, ADA 2007 - 35

A Typical Application: Cockpit Display IA4C_SYSTEM_OUT

2

grabFirst Display Position

LOG

CENTER

SUR

HUD

A

L_Display _Format

Default

( not (IA4C)) ( IA4C) IA4C_SY STEM_OFF

HUDL_OK OUTER_DISPLAY_CONTROLLER

HUD_DISPLAY_CONTROLLER

OL_OK SideStruct

SUR

IL_Format

L_Display _Format

Lef t

LL_OK OL_FORMAT CENTER_DISPLAY_CONTROLLER ( ( Display Position Display Position = HUD) ( = OUTER) Display Position ( init= CENTER) Display Position = INNER) (

INNER_DISPLAY _CONTROLLER

1

Display Side

grabSide

Lef t

1

SidedInnerDisplay

HUDR_OK OR_OK SideStruct IR_Format

Display Position ( = LOWER) Display Position = THIRD)

SomeFormat

Right

OR_FORMAT

LOWER_DISPLAY_CONTROLLER

L_Display _Format

L_Display _Format

Right

LR_OK

2

Display Side THIRDCM_DISPLAY _CONTROLLER

2

SidedLowerDisplay HUDL_OK

IgnoreCount

grabSide

2

SomeFormat

HUDR_OK PFDMaxFrom

TD L_Display _Format


L_Display _Format

L_Display _Format

G. Berry, ADA 2007 - 36

Synchronous Semantics • Ensures every data is produced exactly once • Additional checks – no access to undefined data – no race condition (combinational cycle) => deterministic scheduling-independent result – no recursion in node calls => static memory allocation, bounded stack

Checked by the qualified code generator as a prerequisite to code generation © Esterel Technologies 2007

G. Berry, ADA 2007 - 37

Textual

Requirements

Architecture Design Capture

Algorithm Design Capture

SCADE Gateway for

Project

SCADE RM Gateway Simulink Gateway

Debugging & Simulation

Simulator

Configuration Management

SCCI Gateway

Verification

Design Verifier

Validation

Management

Certified Software Model Factory Model Test Reporter

Formal Verification

Coverage

Automatic Design Documentation

Editor

Model Coverage Analysis

KCG

Pre-qualified for

compilers

Code Generation DO-178B Qualified

Compiler Verification Kit

INTEGRITY-178B

IEC 61508 & EN 50128 Certified

Object Code Verification Prover Plug-In Plug is a trademark of Prover Technology AB in Sweden, the United States and other countries


RTOS Wrapper

Integration On Target

G. Berry, ADA 2007 - 38

System Requirements Textual

Requirements



SCADE Gateway for

Project



Simulator


SCCI Gateway

Verification

Design Verifier

Validation

Management


Formal Verification

Coverage


Editor


KCG

Pre-qualified for

compilers



INTEGRITY-178B




RTOS Wrapper


G. Berry, ADA 2007 - 38


Requirements



SCADE Gateway for

Project



Simulator


SCCI Gateway

Verification &

Design Verifier

Validation

Management


Formal Verification

Coverage


Editor


KCG

Pre-qualified for

compilers



INTEGRITY-178B




RTOS Wrapper


G. Berry, ADA 2007 - 38


Requirements



SCADE Gateway for

Project



Simulator


SCCI Gateway

Verification &

Design Verifier

Validation

Management


Formal Verification

Coverage


Editor


KCG

Pre-qualified for

compilers



INTEGRITY-178B




RTOS Wrapper


G. Berry, ADA 2007 - 38


Requirements



SCADE Gateway for

Project



Simulator


SCCI Gateway

Verification &

Design Verifier

Validation

Management


Formal Verification

Coverage


Editor


KCG

Pre-qualified for

compilers



INTEGRITY-178B




RTOS Wrapper


G. Berry, ADA 2007 - 38

Code Generation with KCG • KCG is the qualifiable C code generator – developed with a DO-178B Level A process – certification authorities certified that “KCG can fly” and qualified it as a development tool => no need to unit-test the generated C code

• Evidences provided to users – qualification kit – verifiable, traceable, and safe code – C compiler verification kit


G. Berry, ADA 2007 - 39

Generated Code Properties – – – – – – – – –

Small C subset Portable (compiler, target and OS independent) Structured (by function or by blocks) Readable, traceable (names/annotations propagation ) Safe static memory allocation No pointer arithmetic No recursion, no loop Bounded execution time Size and / or speed optimizations Easy static analysis (Astrée)


G. Berry, ADA 2007 - 40

Hardware Synchrony: the RTL model REQ

OK

TRY

PASS GO

GET_TOKEN

PASS_TOKEN OK = REQ and GO PASS = not REQ and GO GO = TRY or GET_TOKEN PASS_TOKEN = reg(GET_TOKEN)

Room size control = timing closure © Esterel Technologies 2007

G. Berry, ADA 2007 - 41

Esterel v7 (Berry – Kishinevsky)

text + graphics, concurrency + sequencing clear semantics © Esterel Technologies 2007

G. Berry, ADA 2007 - 42

The Esterel Studio Usage Model

formal, readable, animated specs


G. Berry, ADA 2007 - 43

The Esterel Studio Usage Model



simulation

visualization-based virtual prototypes

G. Berry, ADA 2007 - 43

The Esterel Studio Usage Model formal verification



simulation


G. Berry, ADA 2007 - 43



full and faithful doumentation


simulation


certified software code / hardware circuit G. Berry, ADA 2007 - 43



full and faithful doumentation


simulation


certified software code / hardware circuit G. Berry, ADA 2007 - 43

Design Specification Capture Design Functional Spec

Architecture

Verification Requirements

Editor

Project Structure

Architecture Diagram (2007)

Project Management

IDE

DUT

Player Executable Specification Exporter

Design Verification

Simulator Design Verifier

Model Reporter

Automatic Documentation


Editor

Sequential Equivalence Checker

Formal Verification

Code & Testbench Generators

Sequential Equivalence check

Optimized for synthesis .sc

SystemC © Esterel Technologies 2007

DFT-ready SystemC & RTL flow integration

.vhd

RTL Synthesis G. Berry, ADA 2007 - 44

components dimensioning communication

Word, Excel, Visio System C

Micro-Architecture

concurrency pipeline resource sharing

Word, Visio

RTL design

gates, clocks registers, RAMs critical path

VHDL, Verilog

circuits

cells, clock trees area, speed

Verilog + ...

Architecture

DFT (test)

testability scan insertion

Place&Route Masks Chips © Esterel Technologies 2007

G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

DFT (test)


Place&Route $ 1,000,000 Masks Chips © Esterel Technologies 2007

G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

Esterel

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

Esterel

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

Esterel

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

Esterel

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

Esterel

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

Esterel

DFT (test)



G. Berry, ADA 2007 - 45



Micro-Architecture


Word, Visio

RTL design


VHDL, Verilog

circuits


Verilog + ...

Architecture

Esterel

DFT (test)



G. Berry, ADA 2007 - 45

Computer Science at Work


G. Berry, ADA 2007 - 46

Computer Science at Work 1. Language design & mathematical semantics Esterel: imperative, SOS semantics (residuals) constructive logic, proof networks Lustre/SCADE: declarative, functional, denotational semantics clock calculus = static type-check of dynamics


G. Berry, ADA 2007 - 46


2. Compiling Esterel: translation to circuits (hardware) translation to concurrent flow graphs (software) Lustre/SCADE: clock calculus to drive expression execution All: static scheduling of elementary actions


G. Berry, ADA 2007 - 46


2. Compiling Esterel: translation to circuits (hardware) translation to concurrent flow graphs (software) Lustre/SCADE: clock calculus to drive expression execution All: static scheduling of elementary actions

3. Formal Verification: properties and equivalence forward / backward reachable state space analysis (BDDs) SAT + numerical solving Abstract Interpretation (Astrée, Cousot) © Esterel Technologies 2007

G. Berry, ADA 2007 - 46

The Pure Esterel Kernel nothing pause emit S present S then p else q end suspend p when S p; q loop p end p || q trap T in p end exit T signal S in p end © Esterel Technologies 2007

G. Berry, ADA 2007 - 47

The Pure Esterel Kernel


0 1 !s s ? p, q s p p; q p* p|q {p} p k, k > 1 p\s U

nothing pause emit S present S then p else q end suspend p when S p; q loop p end p || q trap T in p end exit T signal S in p end

G. Berry, ADA 2007 - 47

The Behavioral Semantics completion code

emitted signals

E’ k p p’ E received signals

k © Esterel Technologies 2007

U

Broadcasting : E’

E

0 : termination 1 : waiting 2 : exiting one trap level 3 : exiting two trap levels G. Berry, ADA 2007 - 48

E’ k p E

p’

E’ k p;q E


k=0 p’;q

G. Berry, ADA 2007 - 49

E’ k p E

p’

E’ k p;q E E’ 0 p p’ E E’ U F’ l p;q E © Esterel Technologies 2007

k=0 p’;q

F’ l q E

q’

q’ G. Berry, ADA 2007 - 49

E’ k p E

p’

E’ k p* E


k=0 p’ ; p *

G. Berry, ADA 2007 - 50

E’ k p E

p’

E’ k p* E E’ k p E p|q © Esterel Technologies 2007

k=0 p’ ; p *

F’ l p’ q q’ E E’ U F’ max(k,l) p’ | q’ E G. Berry, ADA 2007 - 50

Basic syntax directed translation scheme Each statement p corresponds to a box: E

GO RES SUSP KILL

E'

p

SEL K0 K1 K2 ...

Exclusive relation: GO # RES # SUSP


– – – – – –

E and E’: signals received and emitted GO: start p (first cycle) RES: continue from the previous state SUSP: freeze for a cycle (keep registers) KILL : reset registers SEL: at least one register set = statement alive – Ki : 1-hot encoded completion code • K0: normal terminate • K1: pause for a cycle • K2,K3,… - exit enclosing traps

G. Berry, ADA 2007 - 51

Basic syntax directed translation scheme

E

GO RES SUSP KILL


E'

p

SEL K0 K1 K2 ...

– – – – – –

E and E’: signals received and emitted GO: start p (first cycle) RES: continue from the previous state SUSP: freeze for a cycle (keep registers) KILL : reset registers SEL: at least one register set = statement alive – Ki : 1-hot encoded completion code • K0: terminate • K1: pause for a cycle • K2,K3,… - exit enclosing traps

G. Berry, ADA 2007 - 52

E

E' E

GO

E'

GO

RES

SEL

RES

SEL

K0 P

SUSP KILL

SUSP

K1

KILL

K2 ... K0

K1 E

E'

GO

SEL

RES

K2

K0 Q

SUSP

K1

KILL

K2 ...

Circuit for sequencing P; Q © Esterel Technologies 2007

G. Berry, ADA 2007 - 53

E

E' SEL E

E'

GO

SEL

RES

K0

GO P SUSP

K1

KILL

K2

LEM L0 L1

K3

GO

...

RES

L2 L3

SUSP KILL

IN_KILL GO E

R0

E'

GO

SEL

RES

REM

K0 Q

SUSP

K1

KILL

K2

R1

S Y N C H R O N I Z E R

K0

K0

K1

K1

K2

K2

K3

K3

KILL

R2 R3

K3 ...

Circuit for P||Q © Esterel Technologies 2007

G. Berry, ADA 2007 - 54

LEM L0

R0 REM

L1

L2

L3

K0

K1

K2

R1

R2

R3

K3

KILL IN_KILL

The parallel synchronizer (a 2-adic arithmetic operator) © Esterel Technologies 2007

G. Berry, ADA 2007 - 55

Optimization: exploit hierarchy

1. Start with structural encoding implicit in design 2. carefully remove register redundancies (only if cheap) ⇒ good balance between logic and registers (with Touati, Toma, Sentovich) © Esterel Technologies 2007

G. Berry, ADA 2007 - 56

Conclusion • Synchrony is much simpler than asynchrony – manageable large-scale concurrency + sequencing – equally good for software and hardware

• Synchronous formal methods are used in industry – formal languages – formal compilation schemes – formal verification

• Computing on formal programs is the future – automatic / semi-manual property verification – compiler correctness proof


G. Berry, ADA 2007 - 57

Conclusion • Synchrony is much simpler than asynchrony – manageable large-scale concurrency + sequencing – equally good for software and hardware

• Synchronous formal methods are used in industry – formal languages – formal compilation schemes – formal verification

• Computing on formal programs is the future – automatic / semi-manual property verification – compiler correctness proof

Get Esterel Studio and SCADE they are free for teaching and academic usage © Esterel Technologies 2007

G. Berry, ADA 2007 - 57

Research Directions


G. Berry, ADA 2007 - 58

Research Directions • Scale verification techniques - improve SAT / numerical / Abstract interpretation engines - develop assume / guarantee verification - prove compilers correct: Schneider (HOL), Leroy (Coq)


G. Berry, ADA 2007 - 58


• Extend model to distributed systems (castles instead of rooms)


G. Berry, ADA 2007 - 58


• Extend model to distributed systems (castles instead of rooms) =>Add a controllable amount of asynchrony - timed-triggered networks (Kopetz, TTP, FlexRay) - distributed sampling / Nyquist theorem (Caspi) - N-synchronous Kahn Networks (Cohen, Duranton, Pouzet, etc.) - elastic circuits (Cortadella & Kishinevsky) - ... © Esterel Technologies 2007

G. Berry, ADA 2007 - 58

Distribution by Mutual Sampling


G. Berry, ADA 2007 - 59

Distribution by Mutual Sampling

• Works because of control theory stability results, not because of computer science ones (Caspi & al.) • Similar to multiclock hardware, but much simpler (no metastability issues)


G. Berry, ADA 2007 - 59

Synchronous Design and Verification of Critical ... - Semantic Scholar

Synchronous Design and Verification of Critical ... - Semantic Scholar

Suggest Documents

Design for Verification? - Semantic Scholar

Panel on Design for Verification - Semantic Scholar

Game Design Verification using Reinforcement ... - Semantic Scholar

A Case Study in Design and Verification of ... - Semantic Scholar

The Design and Verification of A High ... - Semantic Scholar

Efficient New Design and Verification of Sign-Digit ... - Semantic Scholar

Integrating Design and Formal Verification of Java ... - Semantic Scholar

Formal Design and Verification of Long-Running ... - Semantic Scholar

Verification of a Safety-Critical Railway Interlocking ... - Semantic Scholar

Validation and Verification - Semantic Scholar

Design exploration and verification platform, based ... - Semantic Scholar

Verification of Good Design Style of UML Models - Semantic Scholar

A critical analysis of the design, results and ... - Semantic Scholar

Challenges of Critical and Emancipatory Design ... - Semantic Scholar

Design verification of a super-scalar RISC ... - Semantic Scholar

Design of a Vision System for Identity Verification - Semantic Scholar

Verification Codes - Semantic Scholar

Specification and Verification of Concurrent ... - Semantic Scholar

MANAGEMENT AND VERIFICATION OF ... - Semantic Scholar

Verification and Validation of Multisegmented ... - Semantic Scholar

Specification and Verification of Model ... - Semantic Scholar

Specification and Seamless Verification of ... - Semantic Scholar

Specification and Verification of Concurrent ... - Semantic Scholar

Verification, Validation, and Confirmation of ... - Semantic Scholar