Heterogeneous Reactive System Modeling and CorrectbyConstruction Deployment

1
Heterogeneous Reactive System Modeling and
Correct-by-Construction Deployment
  • Luca Carloni
  • Alberto Sangiovanni-Vincentelli
  • UC Berkeley
  • with
  • Albert Benveniste
  • Irisa/Inria
  • Paul Caspi
  • Verimag

2
Heterogeneity in Embedded System Design
  • Horizontal Heterogeneity
      • System components are described by different
        mathematical formalisms, reflecting their different
        nature: continuous/discrete, synchronous/asynchronous,
        analog/digital, hardware/software
  • Vertical Heterogeneity
      • System components are specified, optimized, and
        verified at different levels of abstraction along
        the path from specification to implementation
      • vertical heterogeneity enables design by
        refinement within a single formal framework
      • Important case: deployment of a synchronous design
        on a distributed architecture (asynchronous,
        GALS, ...)

3
Heterogeneous Communication Systems and the
Notion of Time
  • Strictly Synchronous
      • single clock, events always present
      • e.g., an intelligent sensor whose single clock
        triggers its activities of sampling, processing
        and writing on the bus
  • Synchronous
      • several clocks trigger various components/subsystems,
        which interact only at some synchronization points
      • open systems where some components are active
        while others are silent (multiple clocks and a
        notion of event absence are necessary)
  • Asynchronous
      • no synchronization constraints
      • point-to-point FIFO channels
      • RTOS or busses in embedded distributed
        architectures

4
Synchronous Model
  • Benefits
      • orthogonalizes functionality and the notion of time
      • simplifies access to the power of concurrency
        during functional specification
      • enables the use of formal methods for system
        validation and correct-by-construction synthesis
  • Adoption
      • pervasive in mathematics and engineering:
        discrete-dynamic control systems, digital IC design
      • foundation of the synchronous languages Esterel,
        Lustre, Signal
      • semantics shared by other popular formalisms:
        discrete-time part of Simulink, Harel's Statecharts

5
Synchronous Model
  • $P_i$: synchronous process
  • $R_i$: set of all possible reactions of process $P_i$
  • $\omega$ indicates non-terminating (infinite) sequences
    of reactions

      $P_i \subseteq R_i^{\omega}$          $P_1 \parallel P_2 \subseteq (R_1 \wedge R_2)^{\omega}$

  • A synchronous process evolves according to an
    infinite sequence of successive atomic reactions
  • The parallel composition of two processes is the
    conjunction of their reactions
      • product of automata, FSM connection
  • When composition is possible, we can reason
    formally on the properties of the composite
    system based on the properties of its components

6
Synchronous Assumption
  • communication delay is negligible w.r.t.
    computation delay
  • The system transitions from one reaction to the
    next instantaneously, and the communication of
    values from the outputs of a component to the
    inputs of another takes zero time

    initialize state
    loop each tick
        read inputs
        compute next state
        write outputs
    end loop

7
Distributed Nature of Implementations
  • in (embedded) software
      • applications have a distributed nature that badly
        matches the synchronous assumption
          • real-time safety-critical embedded systems in
            automotive electronics and avionics
          • industrial plants, transportation networks (e.g.
            air traffic management), power supply networks
          • sensor nets
      • large variations in computation/communication times
      • hard to maintain a global notion of time
  • in hardware
      • with DSM technologies the chip becomes a
        distributed system (due to modeling limitations)
      • wire delays are not negligible vs. transistor delays
      • on-chip communication latency is affected by too
        many phenomena (process variations, crosstalk,
        power supply variations) and is hard to estimate

8
Deep Sub-Micron Technologies: Chips Become
Distributed Systems
  • Local (scaled-length) wires
      • span a fixed number of gates, scale well together
        with logic
  • Global (fixed-length) wires
      • span a fixed fraction of a die, do not scale
  • Interconnect Latency
      • hard to estimate because it is affected by many
        phenomena: process variations, cross-talk,
        power-supply drop variations
      • breaks the synchronous assumption that lies at
        the basis of design automation tool flows

9
Heterogeneous Architectures: Electronics for the
Car
(Figure: car electronics architecture. Information
systems: mobile communications, navigation, telematics,
DAB, access to WWW; fault tolerant; MOST/FireWire;
firewall. Body electronics: light module, theft warning,
air conditioning, body functions, door module; CAN/LIN;
fail safe; gateway. Driving and vehicle dynamic
functions: ABS, engine management, shift by wire, steer
by wire, brake by wire; CAN/TTCAN, FlexRay; fault
functional; gateway.)
  • Up to 70 Electronic Control Units (ECUs) in a
    modern car like a BMW 7 Series
  • Heterogeneous Communication Networks
  • DSC (Dynamic Stability Control) contains ABS as
    one of 15 sub-functionalities

10
The Desynchronization Problem
  • Given a synchronous specification, how to derive
    an efficient implementation on heterogeneous
    distributed architectures?
      • correct-by-construction deployment of programs
        written in a synchronous reactive language onto
        GALS architectures
      • synthesis of synchronous RTL netlists with
        asynchronous (or latency-insensitive) global
        communication schemes
  • Motivation
      • retain the theoretical properties of the
        synchronous design specification while deriving
        implementations where the constraints imposed by
        synchrony are relaxed
      • avoid enforcing synchrony on distributed
        architectures whenever it is inefficient in terms
        of both size (memory, area, ...) and performance

11
Desynchronization Using Adapters
Removal of the Synchronous Assumption
(Figure: synchronous computational processes i, j, k)

12
Adaptors for GALS: informal discussion
(Figure: synch / asynch / synch)
13
How to Preserve Semantics during Design
Refinement?
from specification to implementation
How to ensure that the two components do not see
the difference when moving from synchrony to GALS?
14
Special Case: Strictly Synchronous Design
Specifications
  • If the specification is known to be
    single-clocked (no event absence), then it is
    sufficient to realign the present events
  • Closed Systems, Hardware Design, LIP

15
How to Recover the Absent Events of the
Synchronous Specification?
How to distinguish the absences in the
specification from the absences due to
communication delays?
  • generally, many possible realignments

16
Conservative Approach
  • too conservative in the presence of various-speed
    communication across components (clocks must be
    transmitted at the fastest pace)

17
The Tagged-Signal Model [Lee, Sangiovanni 96]
  • Event
      • a member of $V \times T$
          • $V$: set of values
          • $T$: set of tags
  • Signal
      • a set of events
  • Behavior
      • a tuple of signals
  • Process
      • a set of behaviors
  • System
      • a composition of processes
      • intersection of their behaviors

18
The Role of Tags
  • Tag set $T$ can be used to
      • index reactions
      • express causality
      • represent (local, global) time
      • model heterogeneous systems
          • mixing synchronous ones, with tag set
            $T_{\mathbb{N}}$, and asynchronous ones, with
            their own tag set
  • Tags can be tuples
      • e.g., $t = (\text{reaction}, \text{physical time}, \text{causality})$
  • (generalized) desynchronization consists in
    erasing some components of the tag; this yields
    mappings between tag sets
  • Time change: any bijective strictly-increasing
    map $\varphi: T \to T$
  • $P$ is stuttering-invariant when, for every behavior
    $b \in P$ and every time change $\varphi$,
    $b' \in P$ where $(d, t) \in b \iff (d, \varphi(t)) \in b'$
  • Stuttering-invariance: invariance under time change

(Figure: a behavior b with events at tags t2, t3, t6, t7)
19
Representing Desynchronization with Tags
(Figure: reactions indexed by tags t1 ... t6)
  • Synchronous ($T_{\mathbb{N}}$)
      • $T$, totally ordered, provides a global logical
        time basis
      • behavior: sequence of global reactions indexed by
        tags
      • Composition: unify pairs (value, tag)

20
Strong Semantics and Weak Semantics
  • Given $P_1$ over $(V_1, T_1)$, $P_2$ over $(V_2, T_2)$
    and two non-decreasing surjective mappings
    $\rho_1: T_1 \to T$, $\rho_2: T_2 \to T$, consider two
    semantics:
      • the Strong Semantics, $P_1 \parallel P_2$: unify
        values and all tags
      • the Weak Semantics, $P_1 \parallel_\rho P_2$: ignore
        the tag components erased by $\rho$
  • $\rho$ is semantics-preserving when two behaviors that
    compose w.r.t. the strong semantics also compose
    w.r.t. the weak one
      • $P_1 \parallel P_2 \cong P_1 \parallel_\rho P_2$
  • Define $P_\rho$ over $(V, T)$, the desynchronization of $P$

21
General Theorem on Semantics-Preserving
Deployment [EMSOFT 03]
  • Given $P_1$ over $(V_1, T_1)$, $P_2$ over $(V_2, T_2)$
    and $\rho_i: T_i \to T$, then

      $P_1 \parallel P_2 \cong P_1 \parallel_\rho P_2$   if and only if
      (1) $\forall i \in \{1, 2\}$: $P_{i,\rho}$ is in bijection with $P_i$
      (2) $(P_1 \parallel P_2)_\rho = (P_1)_\rho \parallel (P_2)_\rho$

  • Special Cases
      • when $P_1$ and $P_2$ are synchronous processes,
        it provides sufficient conditions for GALS
        deployment
      • latency-insensitive design [Carloni et al. 99]:
        the theorem encompasses the result on
        compositionality of latency-insensitivity among
        patient processes
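To make the strong/weak semantics of slide 20 and the two conditions of the theorem concrete, here is a small finite model in Python; it is an added example, not code from the slides or from the EMSOFT 03 paper. It assumes tags are reaction indices and that $\rho$ erases them, keeping only each signal's value order (per-signal FIFO); the processes P1, P2 are constructed here.

```python
from itertools import product

# Constructed sample processes. An event is (signal, value, reaction_index); a
# behavior is a frozenset of events; a process is a set of behaviors.
B1A = frozenset({("x", 1, 1), ("x", 2, 2)})   # x present at reactions 1 and 2
B1B = frozenset({("x", 1, 1), ("x", 2, 3)})   # x present at 1, absent at 2, present at 3
P1 = {B1A, B1B}
P2 = {frozenset({("x", 1, 1), ("x", 2, 2), ("y", "a", 2)}),
      frozenset({("x", 1, 1), ("x", 2, 3), ("y", "b", 3)})}
SHARED = {"x"}                                 # signals both processes observe

def events_on(behavior, sig):
    return {(v, t) for s, v, t in behavior if s == sig}

def compose(p1, p2, shared):
    """Strong semantics: behaviors unify iff they carry the same (value, tag) events on every shared signal."""
    return {b1 | b2 for b1, b2 in product(p1, p2)
            if all(events_on(b1, s) == events_on(b2, s) for s in shared)}

def desync(behavior):
    """rho: erase the reaction index, keeping only each signal's value sequence (per-signal FIFO order)."""
    seqs = {}
    for s, v, _ in sorted(behavior, key=lambda e: e[2]):
        seqs.setdefault(s, []).append(v)
    return frozenset((s, tuple(vs)) for s, vs in seqs.items())

def desync_process(p):
    return {desync(b) for b in p}

def compose_weak(q1, q2, shared):
    """Weak semantics on desynchronized behaviors: only the value sequences must agree on shared signals."""
    return {b1 | b2 for b1, b2 in product(q1, q2)
            if all(dict(b1).get(s) == dict(b2).get(s) for s in shared)}

def theorem_conditions(p1, p2, shared):
    """Conditions (1) and (2): rho is a bijection on each P_i, and desync commutes with composition."""
    bijective = all(len(desync_process(p)) == len(p) for p in (p1, p2))
    commutes = (desync_process(compose(p1, p2, shared))
                == compose_weak(desync_process(p1), desync_process(p2), shared))
    return bijective, commutes

if __name__ == "__main__":
    print(compose(P1, P2, SHARED))
    # B1A and B1B differ only in where an absence falls, so rho conflates them: (False, True)
    print(theorem_conditions(P1, P2, SHARED))
```

Condition (2) holds here but (1) fails: after desynchronization the implementation cannot tell B1A from B1B, which is exactly the lost-absence problem of slide 15.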

22
Endochrony / Isochrony for GALS [Benveniste et
al. 2000]
  • The conditions in the theorem are not effective
      • because they involve (infinite) behaviors
  • For GALS they are implied by endochrony and
    isochrony
      • which are expressed in terms of transition
        relations
      • and can be model-checked and synthesized
      • for a given process P, adaptors can be derived
        and composed with P to guarantee each property by
        means of cheap additional signalling
  • A process P is endochronous when
      • for each tag, the presence/absence of events
        on all its signals can be inferred incrementally
        from the values carried by a subset of them
        (guaranteed to be present at this tag)
  • Two processes P1, P2 are isochronous when
      • at each tag, if there is a pair of shared signals
        that are present and agree on the event value,
        then for each other pair of shared signals,
        either they are present and agree on their value
        or they are absent
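The two definitions above can be checked mechanically on a finite set of reactions; the Python below is an added example, not code from the slides or from Benveniste et al. A reaction is modelled as a dict from signal to value (None = absent), the sample processes are constructed here, and the isochrony premise is read as "the shared signals present in both reactions (at least one) agree" (an assumption about the intended reading).

```python
ABSENT = None  # a reaction maps every signal to a value, or ABSENT for "no event at this tag"

# Constructed sample processes (lists of reactions). In P_ENDO the clock c is always present,
# x is present iff c == 1, and y is present iff x == 1: two rounds of incremental inference.
P_ENDO = [{"c": 0, "x": ABSENT, "y": ABSENT}, {"c": 1, "x": 0, "y": ABSENT}, {"c": 1, "x": 1, "y": 9}]
P_NOT_ENDO = [{"c": 0, "x": ABSENT}, {"c": 0, "x": 1}]       # x's presence is not determined by c
P_PARTNER = [{"c": 0, "x": ABSENT, "z": 1}, {"c": 1, "x": 0, "z": 2}, {"c": 1, "x": 1, "z": 3}]
P_DRIFTED = [{"c": 0, "x": ABSENT, "z": 1}, {"c": 1, "x": ABSENT, "z": 2}]  # sees c but never x

def endochronous(reactions):
    """Endochrony (slide 22): in every reaction, presence/absence of all signals is inferable
    incrementally from the values of signals already known to be present."""
    sigs = set().union(*reactions)
    for actual in reactions:                               # the reaction received at this tag
        known = {s for s in sigs if all(r[s] is not ABSENT for r in reactions)}  # guaranteed present
        absent, progress = set(), True
        while progress and known | absent != sigs:
            # candidate reactions: those consistent with the values read on the known signals
            cands = [r for r in reactions if all(r[s] == actual[s] for s in known)]
            progress = False
            for s in sigs - known - absent:
                if all(r[s] is not ABSENT for r in cands):
                    known.add(s); progress = True          # surely present: its value is read next round
                elif all(r[s] is ABSENT for r in cands):
                    absent.add(s); progress = True         # surely absent: no need to wait for it
        if known | absent != sigs:
            return False                                   # some presence/absence stays undecidable
    return True

def isochronous(p1, p2, shared):
    """Isochrony (slide 22): whenever two reactions agree on the shared signals present in both
    (at least one), no shared signal may be present on one side and absent on the other."""
    for r1 in p1:
        for r2 in p2:
            both = [s for s in shared if r1[s] is not ABSENT and r2[s] is not ABSENT]
            if both and all(r1[s] == r2[s] for s in both):
                if any((r1[s] is ABSENT) != (r2[s] is ABSENT) for s in shared):
                    return False
    return True

if __name__ == "__main__":
    print(endochronous(P_ENDO), endochronous(P_NOT_ENDO))                                  # True False
    print(isochronous(P_ENDO, P_PARTNER, {"c", "x"}), isochronous(P_ENDO, P_DRIFTED, {"c", "x"}))  # True False
```

P_DRIFTED fails isochrony because it reads the clock but can miss x, which is the "absence in the specification vs. absence due to communication delay" ambiguity of slide 15.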

23
Conclusion
  • The problem: given a synchronous specification,
    how to derive an efficient implementation on
    heterogeneous distributed architectures
  • A mathematical framework for heterogeneous
    systems based on the tagged-signal model
      • Tag sets capture reaction indices, physical
        time, causalities and their combination
      • Desynchronizing = erasing (part of) tags
  • General theorem for semantics-preserving
    deployment
      • goal: generate adaptors for correct-by-construction
        deployment
  • For further details
      • A. Benveniste, L. Carloni, P. Caspi, A.
        Sangiovanni-Vincentelli, Heterogeneous Reactive
        System Modeling and Correct-by-Construction
        Deployment, EMSOFT 03
