Towards A Formal Theory of On Chip Communications in the ACL2 Logic - - PowerPoint PPT Presentation

Towards A Formal Theory of On Chip Communications in the ACL2 Logic

Julien Schmaltz

Saarland University - Computer Science Department Saarbr¨ ucken, Germany

Dominique Borrione

TIMA Laboratory - VDS Group Grenoble, France

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 1/37

A Motivation Example

• eCall
• Automatic emergency call system
• A phone call is automatically emitted when

car sensors detect an accident

FlexRay Bus

Interface Interface Interface Interface Navigation

Phone

Sensors eCALL

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 2/37

FlexRay Bus

• Basic protocol
• Idle units send 1, to start send 0
• “Sync edges” at each byte (from 1 to 0)
• Deterministic scheduling
• Time is divided into rounds
• Each unit has one slot per round

FlexRay Bus

Interface Interface Interface Interface Navigation

Phone

Sensors eCALL (c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 3/37

Verification

• Proof of each component
• Proof of their interconnection

FlexRay Bus

Interface Interface Interface Interface Navigation

Phone

Sensors eCALL

OK OK OK OK OK

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 4/37

Global Objective

One model for all architectures

?

. . .

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 5/37

Contribution

A functional formalism for communications: GeNoC (Generic Network on Chip)

• Identifies the essential constituents and their

properties

• Formalizes the interactions between them
• Correctness of the system is a consequence of

the essential properties of the constituents

• Mechanized support in ACL2
• Encapsulation allows abstraction
• Functional instantiation generates proof
• bligations automatically

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 6/37

Outline

• Communication Principles
• GeNoC Definition and Correctness
• ACL2 Theorem/Removing Quantifiers
• Abstraction using Encapsulation
• Applications of GeNoC

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 7/37

A Unifying Model

Navigation eCALL Sensors Phone Interface Interface Interface Interface Communication Architecture

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 8/37

A Unifying Model

messages messages frames

Application Application Application Application Interface Interface Interface Interface Communication Architecture messages messages frames frames frames

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 8/37

Functional Modeling

Scheduling Routing

messages messages frames

Application Application Application Application

send recv send recv send recv send recv

Scheduling Routing

System = F(Routing, Scheduling, recv, send)

messages messages frames frames frames

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 9/37

Proof Obligations

Scheduling Routing

messages messages frames

Application Application Application Application

send recv recv send recv send recv

Scheduling Routing

send POi POi POs POi POr POi

messages messages frames frames frames

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 10/37

System Theorem

Scheduling Routing

messages messages frames

Application Application Application Application

send recv recv send recv send recv

Scheduling Routing

send POi POi POs POi POr POi

Thm ∼ messages reach their destination

messages messages frames frames frames

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 11/37

System Theorem

Scheduling Routing

messages messages frames

Application Application Application Application

send recv recv send recv send recv

Scheduling Routing

send POi POi POs POi POr POi

Thm ∼ messages reach their destination

messages messages frames frames frames

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 11/37

Outline

• Communication Principles
• GeNoC Definition and Correctness
• ACL2 Theorem/Removing Quantifiers
• Abstraction using Encapsulation
• Applications of GeNoC

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 12/37

Overall Modeling Principles

• Function GeNoC
• takes the list of pending communications
• returns the list of results and the list of

aborted communications

• Transactions
• A transaction represents a pending

communication, i.e. the intention of A of sending msg to B

• It is a 4-tuple (id A msg B)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 13/37

Function GeNoC

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv Results Aborted Missives Transactions

(id1 A msg1 B) (id2 D msg2 T) (id3 F msg3 E) (id4 R msg4 Z)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 14/37

From transactions to missives

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv Results Aborted Missives

(id1 A msg1 B)

Transactions

(id1 A msg1 B) (id2 D msg2 T) (id3 F msg3 E) (id4 R msg4 Z)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 15/37

From transactions to missives

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv Results Aborted Missives

(id1 A frm1 B)

Missives

(id1 A frm1 B) (id2 D frm2 T) (id3 F frm3 E) (id4 R frm4 Z)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 15/37

Routing Algorithm

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv Results Aborted Missives

(id1 frm1 Routes1) (id2 frm2 Routes2) (id3 frm3 Routes3) (id4 frm4 Routes4) (id1 frm1 Routes1)

Travels

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 16/37

Scheduling Policy

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv Results Aborted Missives

Scheduled

(id1 frm1 Routes1) (id3 frm3 Routes3) (id2 frm2 Routes2) (id4 frm4 Routes4)

Delayed

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 17/37

Results

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv recv Results Aborted Missives

(id2 frm2 Routes2) (id4 frm4 Routes4)

Delayed

(id1 B msg1) (id3 E msg3)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 18/37

Aborted Missives

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv recv Results Aborted Missives

(id1 B msg1) (id3 E msg3) (id2 D frm2 T) (id4 R frm4 Z)

Missives

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 19/37

Aborted Missives

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv recv Results Aborted Missives

(id1 B msg1) (id3 E msg3) (id4 R frm4 Z) (id2 T msg2)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 19/37

Correctness Criterion

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Node A Node B

Frames Frames

send recv recv Results Aborted Missives Transactions

(id1 A msg1 B) (id2 D msg2 T) (id3 F msg3 E) (id4 R msg4 Z) (id1 B msg1) (id3 E msg3) (id4 R frm4 Z) (id2 T msg2)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 20/37

Termination

Function GeNoC is a recursive function and must be proved to terminate because:

• it is a prerequisite for mechanized reasoning

(here ACL2)

• it is necessary to ensure liveness

To ensure the termination, we associate to every node a finite number of attempts. At every recursive call of GeNoC, every node with a pending transaction consumes one attempt.

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 21/37

Formal Definition

From a list of transactions, T , the set of nodes NodeSet and a list of attempt numbers att, function GeNoC produces:

• The list R of results
• The list A for aborted missives

GeNoC : DT × GenNodeSet × AttLst → DR × DM (T , NodeSet, att) → (R, A)

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 22/37

Correctness Criterion

∀res ∈ R, ∃!trans ∈ T ,

• Id R(res) = Id T (trans)

∧ MsgR(res) = MsgT (trans) ∧ DestR(res) = DestT (trans) For any result res, there exists a unique transaction trans such that trans and res have the same identifier, message, and destination.

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 23/37

Correctness Criterion

∀res ∈ R, ∃!trans ∈ T ,

• Id R(res) = Id T (trans)

∧ MsgR(res) = MsgT (trans) ∧ DestR(res) = DestT (trans)

• Typical formula scheme
• Always check for Id equality
• In ACL2, the idea is filtering according to Id’s

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 23/37

Outline

• Communication Principles
• GeNoC Definition and Correctness
• ACL2 Theorem/Removing Quantifiers
• Abstraction using Encapsulation
• Applications of GeNoC

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 24/37

ACL2 Correctness Predicate

(defun genoc-thm (R T /Rids) (and (equal (R-msgs R) (T-msgs T /Rids)) (equal (R-dests R) (T-dests T /Rids))))

• T /Rids = T filtered according to the ids of R
• Check that the messages and the destinations
• f T /Rids and R are equal.

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 25/37

ACL2 Theorem

(defthm GeNoC-is-correct (mv-let (R A) (GeNoC T NodeSet att) (declare (ignore A)) (implies (Tlstp T ) (GeNoC-thm R (filters T (R-ids R))))))

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 26/37

Proof Obligations

• Interfaces
• The composition recv ◦ send is an identity
• Routing (id A frm B) → (id frm Routes)
• Missive/Travel matching
• Same frame and identifier
• Routes effectively go from the correct origin

to the correct destination

• Scheduling
• Mutual exclusion between Scheduled and

Delayed

• No addition of new identifiers
• Preserve frames and route correctness

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 27/37

Proof of the theorem

• Routing correctness + preserved by scheduling
• → right destination
• No modification on frames
• → every result is obtained by recv ◦ send
• Interfaces correctness
• → received message = sent message
• Mutual exclusion between Scheduled and

Delayed + no new identifiers

• → cut the proof in two parts

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 28/37

Outline

• Communication Principles
• GeNoC Definition and Correctness
• ACL2 Theorem/Removing Quantifiers
• Abstraction using Encapsulation
• Applications of GeNoC

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 29/37

Encapsulation: Interfaces

• Function send builds a frame from a message:

((send ∗) ⇒ ∗)

• Function recv recovers a message from a frame:

((recv ∗) ⇒ ∗)

• Their composition is an identity:

(defthm InterfaceCorrectness

;; recv ◦ send(msg) = msg

(equal (recv (send msg)) msg))

• Some additional constraints

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 30/37

Interfaces Encapsulate Event

(encapsulate (((send ∗) ⇒ ∗) ((recv ∗) ⇒ ∗)) ;; local witnesses (local (defun send (msg) msg)) (local (defun recv (frm) frm)) ;; proof obligations (defthm InterfaceCorrectness (equal (recv (send msg)) msg)) (defthm send-nil (not (send nil))) (defthm send-not-nil (implies msg (send msg))))

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 31/37

Checking Compliance

(defthm check-instance-interface t ;; we prove true :rule-classes nil ;; no rule :hints (("GOAL" ;; we use InterfaceCorrectness ;; with recv flexray for recv ;; and send flexray for send :use (:functional-instance InterfaceCorrectness (recv recv flexray) (send send flexray)))))

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 32/37

Outline

• Communication Principles
• GeNoC Definition and Correctness
• ACL2 Theorem/Removing Quantifiers
• Abstraction using Encapsulation
• Applications of GeNoC

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 33/37

Applications of GeNoC

Messages Messages

Routing Scheduling

Application

A

Application

B send recv

Interface A Interface B

Frames Frames

Node A Node B send recv

• Octagon
• Bi-Φ-M
• Ethernet

OSI Layer 1 OSI Layer 2 Scheduling on networks

• Circuit switching
• Packet switching

Bus arbitration

• AMBA AHB arbiter

Deterministic routing

• XY algorithm
• Double Y channel

Adaptive routing

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 34/37

Conclusion

• A generic model: GeNoC
• Identifies the essential constituents and their

properties

• Formalizes the global property as a

consequence of proof obligations

• Its expression in ACL2
• 1864 lines, 71 functions and 119 theorems
• One fourth is dedicated to the modules
• Abstraction using encapsulation
• Automatic generation of proof obligations

using functional instantiation

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 35/37

Future Work

• Master/Slave protocols
• Deadlocks (structural and protocol level)
• Adding queues and channels
• wormhole routing in Hermes (TIMA,

Grenoble, France)

• Verified Distributed Stacks
• “Verisoft” Stack (O.S., compiler, assembly,

gates)

• Interconnected Stacks through a time

triggered FlexRay bus

• Show that FlexRay matches GeNoC !
• . . .

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 36/37

THANK YOU !!

(c) Julien Schmaltz, ACL2 2006, San Jos´ e August 15-16 – p. 37/37