correct-by-construction asynchronous implementation of modular synchronous specifications
DESCRIPTION
Correct-by-construction asynchronous implementation of modular synchronous specifications. Jacky Potop Benoît Caillaud Albert Benveniste. IRISA, France. Outline. Motivation: Asynchronous implementation of synchronous specifications GALS architectures Desired implementation Formal model - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/1.jpg)
Correct-by-construction asynchronous implementation of
modular synchronous specifications
Jacky PotopBenoît CaillaudAlbert Benveniste
IRISA, France
![Page 2: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/2.jpg)
Outline
• Motivation: Asynchronous implementation of synchronous specifications– GALS architectures– Desired implementation
• Formal model– Correctness
• Correctness criteria– Microstep weak endochrony– Microstep weak isochrony
• Conclusion
![Page 3: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/3.jpg)
Synchrony, asynchrony, GALS
• Synchronous specification– Global clock specification, verification– Popular, efficient tools for system design
(digital circuits, safety-critical systems)
• Distributed implementation– Distributed software, complex digital circuits (SoC),
heterogenous systems– Loosely-connected components (asynchronous FIFOs...)
• GALS architectures = good implementation model– Synchronous components, asynchronous communication– Problem: preserve the semantic coherency between a
synchronous specification and its GALS implementation
![Page 4: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/4.jpg)
What we want
1. Take a modular synchronous specification
IP1 IP2
clock
![Page 5: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/5.jpg)
What we want
1. Take a modular synchronous specification
2. Replace comm. with asynchronous FIFOs, wrappers
3. Preserve:• Functionality• Correctness
• No “extra” traces• No deadlocks
(Kahn processes)
IP1 IP2
Delay-insensitive component
IP1
AFSM
![Page 6: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/6.jpg)
Previous work
• Latency-insensitive systems– Carloni & Sangiovanni-Vincentelli (1999) – Goal: independence from communication delays– Global synchrony: system speed = slowest component
speed• Endo/isochronous systems
– Benveniste, Caillaud, Le Guernic (1999) • Version: Generalized latency-insensitive circuits (Singh,
Theobald, 2003)
– Goals: • minimize communication• maximize concurrency, independence between system
components
– Results work only for 2 components!
![Page 7: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/7.jpg)
Previous work
• Weakly endo/isochronous systems – Potop, Caillaud, Benveniste (2004) – Goals:
• further minimize communication by exploiting intra-component concurrency
• Compositionality– Synchronous Mazurkiewicz traces– Does not handle causality and communication
deadlocks
• This work: microstep weakly endo/iso systems– Goal: take into account causality and composition
through read/write mechanisms.
![Page 8: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/8.jpg)
Our approach
• Define a model and criteria insuring that:– Creating delay-insensitive wrappers that preserve the
semantics is possible without adding new signals– Connecting through FIFOs the resulting components
produces a semantics-preserving, deadlock-free GALS implementation
• Make given components satisfy the criteria:– Possible solutions
• Encode (part of) the “absent” events (Carloni et al.)• Add new signals• Decide that none is necessary due to environment constraints
• Efficient sw/hw implementation– Sync./async. synthesis techniques, GALS-specific
communication schemes, etc.
![Page 9: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/9.jpg)
The model: basic definitions
• The basics: (incomplete) automata = (S,s0,V,), SL(V)S, L(V)=
– Composition by synchronized product:
– Renaming operator:
• Labels Finite traces:
Vv
v )D(
0 1A=1 B= D=
0
1
A=1 B= C=3 2
A=1 B=7 C=3
= 0,0A=1 B= C=3 D=
1,2
1[D/C] : 0 1A=1 B= C=
A=1 B= C=3 A=1 C=3 A=1 C=3 A=1 B=7 C=3
A=1 C=3 ; B=2 ; ; A=1 C=3 – A=1 = C=3
A=1 C=3 ; B=2 ; ; A=1 C=3 ; B=2 ; ; A=2;
![Page 10: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/10.jpg)
The model: basic definitions
• Generalized concurrent transition systems(GCTS)– Void transitions:– Prefix closure:
• Example:
s s
s s’r
q r s s’’q s’r-q
0 1A=1 B=7
3
2A=1
B=7 A=1
B=7
![Page 11: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/11.jpg)
The model: I/O transition systems
• Point-to-point communication:– Broad/Multicast can be simulated…– Communication channels: c = (!c,?c) D!c=D?c=Dc
– Dissociate emission from reception!
• Clocks: 1… of domain Dclk={T}• I/O transition system:
– GCTS where all variables are channels or clocks– Example:
0
1
3
2
1!A=1!A=2
?R=3
12
4
?B
?R=4
![Page 12: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/12.jpg)
The model: synchronous systems
• Synchronous system: = (S,s0,V,,) I/O transition system, one clock, and satisfying:
1. Clock transitions:
2. Stuttering invariance:
3. Synchrony hypothesis:
• Example:
s0 s0
r()= T
r equals over Vs s’r
s s’ s’
s0 s1r1 r2 sn
rn…
ri supp(ri)supp(rj) = for all i j
0
13
21!A
?B
?R
1
1
![Page 13: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/13.jpg)
The model : composition
• Synchronous 1-place FIFO:
• Synchronous composition (on clock ) :
• Asynchronous FIFO:
• Asynchronous composition:
!c=x ?c=xSFIFO(c, ): for all xDc
1|2 = 1[1/] 2[2/] SFIFO(c1, ) … SFIFO(cn, )
1||2 = 1 2 AFIFO(c1) … AFIFO(cn)
!c=xn+1 ?c=x1AFIFO(c):
for all x1,…,xn,xn+1 Dc
c0 cx c1
x1…xn x1…xn+1 x2…xn
![Page 14: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/14.jpg)
The model : composition
1 2 1 2 1||2
!A
!B
!C
?C
?B?A
!A?A
!C
x
1
1
1
2
2
!A
!B
!C?C
?B?A
!A?A
!C
1|2
![Page 15: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/15.jpg)
Example
0
1
3
21!A
?B
?R
1
1 02 2 31?A !B2
2
21: 2:
0,0 1,0 1,1
3,0 3,1 3,33,2
1|2 : !A ?A
?R
?A
?R
!B
!A ?Aa0
!B ?Bb0
2
0,0 1,0 1,1
3,0 3,1 3,33,2
1||2 : 2,31,2 1,3!A ?A
?R
?A
?R
!B
2
2
?R ?R
!B ?B
1
221,2 ,12
1,2 ,12 1,2 ,12
1,2 ,12
A
?A
!A
B
?B
!B
![Page 16: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/16.jpg)
Example
0
1
3
21!A
?B
?R
1
1 02 2 31?A !B2
2
23: 2:
0,0 1,0 1,1
3,0 3,1 3,33,2
3|2 :
0,0 1,0 1,1
3,0 3,1 3,33,2
3||2 : 2,31,2 1,3!A
!A ?A
?A
?R
?R
?A
?A
?R
?R
!B
!B
2
2
?R ?R
!B ?B
1
2221,2 ,12
1,2 ,12 1,2 ,12
1,2 ,12
4?R
?B
1
4,3?B
4,3
?R
?B
1,2 ,12
![Page 17: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/17.jpg)
Correctness
• Some notations:
• Formal correctness criterion1||…||n is correct w.r.t. 1|…|n if
for all s RSS(1|…|n) and all Traces 1||…||n(s)
there exist Traces 1||…||n(s) and Traces 1|…|n(s)
such that and
• Intuition: every trace of 1||…||n can be completed to one that is equivalent to a synchronous trace
!A=1 ; 1; ?A=1 ; 2; !C=3 ; !A=1 ?A=1 ; 1 2; !C=3 ; 2;
!A=1 ; 1; 2; !C=3 ; !A=1 ?A=1 ; 1 2; !C=3 ; 2;
![Page 18: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/18.jpg)
Microstep weak endochrony
• Compositional delay-insensitivity criterion (signal absence information is not needed)
• Axioms (part 1):A1: DeterminismA2: In every state, non-clock transitions sharing no
common variable are independent
.
?A !B
!A=1
!A=2
?B
?R ?B
?R?B?R
![Page 19: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/19.jpg)
Microstep weak endochrony• Axioms (continued):
A1: DeterminismA2: In every state, non-clock transitions sharing no
common variable are independent A3: Non-contradictory reactions can be united
A4: Choice does not change with time
.
?B
?R
?B
?R ?B
?R
?R
?B
s0 sn…r1 rn
?V=x
Vsupp(ri)
s0
sn?V=y
?V=ys0
sn?V=x
![Page 20: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/20.jpg)
Example
0
1
3
21!A
?B
?R
1
11:
![Page 21: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/21.jpg)
Example
0
3’
2’1!A
?D=0
?D=1
11’:
1
3
21
?B
?R
![Page 22: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/22.jpg)
Example
0
3’
2’1!A
?D=0
?D=1
11’:
1
3
21
?B
?R0
1
3
21!A
?B
?R
1
13: 4?R
?B
1
![Page 23: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/23.jpg)
Microstep weak isochrony
• Semantics preservation criterion1,…,n are microstep weakly isochronous if
for all s RSS(1|…|n) and all Traces 1|…|n(s)
maximal and containing no clock transition, there exists Traces 1|…|n(s) non-void such that
and ; Traces 1|…|n(s)
![Page 24: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/24.jpg)
Example
0
2
1?A!B
2
2
4:
0
3’
2’1!A
?D=0
?D=1
11’:
1
3
21
?B
?R
32
!Y
![Page 25: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/25.jpg)
Example
0
2’
1?A
!B
24’:
0
3’
2’1!A
?D=0
?D=1
11’:
1
3
21
?B
?R
3’ !Y
22
32
!D=0
!D=1
![Page 26: Correct-by-construction asynchronous implementation of modular synchronous specifications](https://reader035.vdocument.in/reader035/viewer/2022070502/56814ab3550346895db7c640/html5/thumbnails/26.jpg)
Conclusion
• Decidable criteria for GALS implementation of synchronous specifications– Covers causality and read/write communication– Compositionality, concurrency
• Future: Synthesis– Make synchronous automata weakly endo/isochronous.
Optimality issues.– Heuristics for actual synchronous languages and
specifications. Scaling issues (large specifications).– GALS circuits using asynchronous logic– Deal with mode changing latency