HAL Id: hal-00542156
https://hal.archives-ouvertes.fr/hal-00542156
Submitted on 1 Dec 2010
HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or
L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires
Polychrony for Formal Refinement-Checking in a System-Level Design Methodology
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, R.K. Gupta, Frédéric Doucet
To cite this version:
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, R.K. Gupta, Frédéric Doucet. Polychrony for
Formal Refinement-Checking in a System-Level Design Methodology. Third International Conference
on Application of Concurrency to System Design (ACSD ’03), Jun 2003, Guimarães, Portugal. pp.9-
19. �hal-00542156�
Design Methodology
Jean-Pierre Talpin 1
,PaulLe Guerni 1
, Sandeep KumarShukla 2
,
Rajesh Gupta 3
,Frederi Douet 3
1
Inria/Irisa, 2
Virgina Teh, 3
UC San Diego
Abstrat
Theprodutivitygapinurredbytherisingomplex-
ity of system-on-hip design have neessitated newer
design paradigms to be introdued based on system-
leveldesign languages. Agatingfatorsfor widespread
adoption of these new paradigms is a lak of formal
tool support of renement based design. A system
level representation may be rened manually (in ab-
sene of adequate behavioral synthesis algorithms and
tools) to obtain an implementation, but proving that
the lowerlevel representation preservesthe orretness
provedathigher level models isstill anunsolved prob-
lem. Weaddress the issueof formalrenementproofs
between design abstration levels using the onepts
of polyhronous design. Renement of synhronous
high-level designs into globally asynhronous and lo-
ally synhronous arhitetures is formally supported
in this methodology. The polyhronous (i.e. multi-
loked) model of the Signal design language oers
formal support for the apture of behavioral abstra-
tionsfor both very high-level systemdesriptions (e.g.
SystemC/SpeC)andbehavioral-levelIpomponents
(e.g. Vhdl). Its platform, Polyhrony, provides
models andmethods for a rapid, renement-based, in-
tegration andaformal onformane-heking of Gals
hardware/software arhitetures. Wedemonstratesthe
eetivenessofourapproahbytheexperimental,om-
parative, asestudyofaneven-parityhekerdesignin
SpeC.It highlights thebenetsof the formalmodels,
methods and tools provided in Polyhrony, in rep-
resentingfuntional,arhitetural,ommuniationand
implementationabstrationsofthedesign,andthesu-
essive renements.
1 Introdution
Risingomplexities andperformanesofintegrated
iruits and systems, shortening time-to-market de-
mands for eletroni equipments, growing installed
bases of intelletualproperty,requirementsforadapt-
ingexisting Ipswith newservies,allstresshigh-level
design as aprominentresearh topi and all for the
development of appropriatemethodologial solutions.
Inthisaim,systemdesignbasedontheso-alled\syn-
hronoushypothesis"onsists of abstrating the non-
funtionalimplementationdetailsofasystemawayand
let onebenet from afoused reasoningonthe logis
behind the instants at whih the system funtionali-
ties should beseured. From this point of view, syn-
hronousdesignmodels[13℄andlanguages[5℄provide
intuitive models for integrated iruits. This aÆnity
explains the ease of generating synhronous iruits
andverifytheirfuntionalitiesusingompilersandre-
lated toolsthatimplementthisapproah.
Intoday'smulti-Giga-hertzSoCdesigns, thelok
periodissosmallthatlokingarossthehipinasyn-
hronousmannerisahallenge. HenenewerSoCde-
signsneedtobegloballyasynhronousandloallysyn-
hronous(Gals). Therelationalmodel ofthe Poly-
hrony 1
designplatform[13℄goesbeyondthedomain
of purelysynhronousiruitstoembraetheontext
of arhiteturesonsisting ofsynhronousiruitsand
desynhronizationprotools: Galsarhitetures. The
uniquefeaturesofthismodelaretoprovidethenotion
ofpolyhrony: theapabilitytodesribemulti-loked
(orpartiallyloked)iruitsandsystems;andtosup-
portformaldesignrenement,fromtheearlystagesof
requirements speiation, to the later stages of syn-
thesisanddeployment,andbyusingformalveriation
tehniques.
Inpratie,amulti-lokedsystemdesriptionisof-
ten the representation or the abstration of an asyn-
hronoussystemorofaGalsarhiteture. Insystem-
leveldesign,theasynhronousimplementationofasys-
tem isobtainedthroughtherenementof itsdesrip-
tion toward hardware-software o-design. However,
1
Availablefromhttp://www.irisa.fr/espre sso /Pol yhr ony.
and nohoieon amaster lokis madeatthe arhi-
teturallevel. Asommuniationand implementation
layersare reahed, however,multiple loksmight be
a way of life. In the polyhronous model of ompu-
tation (MoC),oneanatually designasystem with
partiallyorderedloksandreneittoobtainmaster-
lokedomponentsintegrated within amulti-loked
arhiteture,whilepreservingthefuntionalproperties
of theoriginal high-leveldesign, thanksto the formal
veriationmethodologyprovidedbytheformaltheory
(modelandtheorems)ofpolyhronoussignals.
Inthepresentartile,weputthepriniples ofpoly-
hronousdesigntoworkintheontextoftheemerging
high-levellanguagessuhasSystemC/SpeC[11,19,
20℄bystudyingtherenementofahigh-levelspeia-
tion, the even-parityheker(Ep) towardits imple-
mentationOurgoalistoderiveautomatiallyveriable
onditions on speiations under whih renement-
baseddesignpriniples work. Inother words,weseek
towardtoolsandmethodologiestoallowtotakeahigh-
levelSystemC/SpeCspeiationandtoreneitin
asemanti-preservingmannerintoaGalsimplemen-
tation. We fous on a simplease study to illustrate
our methodology and we show how the speiation
of the Ep in SpeC an be rened toward a Gals
implementationwiththehelpofPolyhrony.
2 An informal introdution to Signal
InSignal, aproessP onsistsoftheomposition
ofsimultaneousequationsoversignals. Asignalx2X
desribesapossiblyinniteowofdisretely-timedval-
ues v 2 V. An equation x = fy denotes a relation
between a sequene of operandsy and asequene of
results x by a proess f 2 F. Synhronous omposi-
tionP jjQonsistsofonsideringasimultaneoussolu-
tion of the equations P and Q at any time. Signal
requires three primitive proesses: pre, to referene
thepreviousvalueofasignalintime; when,tosample
a signal; and default, to deterministially merge two
signals(and provides, e.g. negation not,equality eq,
et).
P::=x =fy jP jjQjP=x
f 2F fprevjv2Vg[fwhen;default;:::g
The equation x = prevy initially denes x by v and
then bythe previousvalueof y in time (tagst
1
;t
2
;t
3
denoteinstants).
y:(t
1
;v
1 )(t
2
;v
2 )(t
3
;v
3 ):::
prevy:(t
1
;v) (t
2
;v
1 )(t
3
;v
2 ):::
true.
y:(t
1
;v
1 )(t
2
;v
2 )(t
3
;v
3
) :::
z: (t
2
;tt) (t
3
;ff)(t
4
;tt):::
ywhen z: (t
2
;v
2
) :::
Theequationx =y defaultz denesx byy when y is
presentandbyz otherwise.
y: (t
2
;v
2 )(t
3
;v
3 ) :::
z:(t
1
;v
1
) (t
3
;w
3 ):::
ydefaultz:(t
1
;v
1 )(t
2
;v
2 )(t
3
;v
3 ) :::
We exemplify the equational/relational design model
of Signal by onsidering thedenition of a ounting
proess: Count. Itaeptsaninputeventresetandde-
liverstheintegeroutputval. Aloalounter,initialized
to 0,storesthepreviousvalueofval(equationounter
:=pre0val). Whentheeventresetours,valisreset
to 0(i.e. (0 when reset)). Otherwise, ounter is in-
remented(i.e.(ounter + 1)). TheativityofCount
isgovernedbythelokofitsoutputval,whihdiers
from thatofitsinputreset: Countismulti-loked.
proessCount= (?eventreset!integerval)
(j ounter:=pre0val
j val:=(0whenreset)default(ounter+1)
j) where integerounter;end;
3 A model of polyhronous signals
Starting fromthemodeloftagged signalsofLeeet
al. [12, 6℄, we give the tagged model of polyhronous
signals[13℄fortheformalstudyofprotoolproperties.
Weonsider aset ofbooleanandintegervaluesv 2V
torepresenttheoperandsandresultsofomputations.
A tag t 2 T, denotes an instant. The dense set T
is equipped with apartial order relation to denote
synhronizationandausalrelations. ThesubsetT
Tofagivenproessishosentobeasemi-lattie(T;
;0). AhainC2C isatotallyorderedsubsetofT.
t
1
=t
3 n
t1<t2
z }| {
x
tt
x
ff
x
tt
x
0
x
1
x
0
x
1
x
0
x
tt
x
tt
x
tt
o
t
3 67t
4
Figure 2. A behavior
bas a map from names
to partially ordered tags and values
[[x:=prevy℄℄=
b2Bj
x;y
tags(b(x))=tags(b(y))=C2Cn;;b(x)(min (C))=v
8t2Cnmin(C);b(x)(t)=b(y)(pred
C (t))
[f0j
x;y g
[[x:=ywhenz℄℄=
b2Bj
x;y;z
tags(b(x))=ft2tags(b(y))\tags(b(z))jb(z)(t)=ttg
8t2tags(b(x));b(x)(t)=b(y)(t)
[[x:=ydefaultz℄℄=
fb2Bj
x;y;z
tags(b(y))[tags(b(y))=tags(b(x))=C2C
8t2C ;b(x)(t)=ift2tags(b(y))thenb(y)(t)elseb(z)(t)
Figure 1. Denotation of elementary
Signalequations
Denition1 (events, signalsand behaviors) An
event e 2 E = T V relates a tag and a value. A
signal s 2 S = T * V is a partial funtion relating
a hain of tags to a set of values. We write tags(s)
for the domainof s. A behaviorb2B=X *S isa
partial funtion from signal names x 2 X to signals
s2S.
Wewrite vars(b)for thedomainofb andtags(b)=
[
x2vars(b)
tags(b(x)) for its tags. Hene, the informal
sentene\xispresentatt inb"isformallydened by
t2tags(b(x)). Wewritebj
X
fortheprojetionofabe-
haviorb onaset X X ofnames(i.e. vars(bj
X )=X
and 8x 2 X;bj
X
(x) = b(x)) and b
=X
for its omple-
mentary of bj
vars (b)nX
. A proess p2 P = P(B) is a
set of behaviorsthat have thesame domain X (writ-
ten vars(p)). Synhronousomposition pjjq is dened
by the set of behaviors that extend abehavior b 2 p
by the restrition
=vars (p)
of a behavior 2 q if the
projetionsofb andonvars(p)\vars(q)areequal.
pjjq=
b[
(b;)2pq;
bj
vars(p)\vars (q)
=j
vars (p)\vars(q)
Salability isakeyoneptforengineeringsystems
andreusingomponentsinasmoothdesignproess. A
formal support for allowingtime salability in design
is given in our model by the so-alled streth-losure
property. The intuitionbehindthis relationisto on-
sider a signalas an elasti with ordered marks on it
(tags). If it is strethed, marks remain in the same
(relativeandpartial)orderbuthavemorespae(time)
betweeneah other. Thesameholds foraset ofelas-
tis: abehavior. If elastisare equallystrethed, the
partial orderbetweenmarksis unhanged. Strething
isapartial-orderrelationwhihgivesrisetoanequiv-
alenerelationbetweenbehaviors: lokequivalene.
Denition2 (lok equivalene) Formally, a be-
havior is a strething of b, written b , i
vars(b) =vars() and there exists a bijetion f on T
that isstritly monotoni(8tt 0
;t<t 0
,f(t)<f(t 0
)),
inreasing (8t;t f(t)) and satises tags((x)) =
f(tags(b(x))) for all x 2 vars(b) and b(x)(t) =
(x)(f(t)) for all x 2 vars(b) and all t 2 tags(b(x)).
The behaviors b and are streth-equivalent, written
b7,ithereexistsabehaviords.t.dbandd.
Both relations extend to proesses. A proess p is
streth-losedi for allb 2p, 7b ) 2p. A non-
empty, streth-losed proess p admits a set of strit
behaviors(astritbehavioristhe-minimumofa7-
equivalene lass), written (p)
7
, s.t. (p)
7
p(for all
b2p,thereisaunique2(p)
7
s.t.7b).
Distribution To model asynhrony, we onsider a
weaker relation whih disards synhronization rela-
tionsandallowsforomparingbehaviorsw.r.t.these-
quenes ofvaluessignalshold. Therelaxation relation
allowstoindividuallystreththesignalsofabehavior.
Relaxation is apartial-order relationthat denes the
ow-equivalenerelation.
Denition 3(ow equivalene) A behavior is a
relaxationofb,written bv,ivars(b)=vars()and
for all x 2vars(b), b
jx
jx
. Two behaviors are ow-
equivalent i their signals hold the samevalues in the
sameorder. Thebehaviorsb andareow-equivalent,
written b , i there exists a behavior d s.t. dv b
anddv.
The-equivalenelassesofaproesspadmitstrit
behaviors, written (p)
. We use relaxation to dene
the meaning of asynhronous omposition p k q (we
noteX =vars(P),Y =vars(Q)andI =X\Y).
pkq=
d
9b2p;d
jXnY 7b
jXnY
; bj
I vdj
I
92q;d
jYnX 7
jYnX
; j
I vdj
I
Denotation of Signal in the model of poly-
hrony The model of polyhrony provides a purely
relationaldenotationofSignal(gure1),onsistingof
thefuntion[[℄℄thatassoiatesaSignalproesstothe
setofitspossiblebehaviors. Notiethatthesemantis
of Signal is losed in the struture of polyhronous
signals, in that, whenever a proess P (network Q)
behavioral
desription
SpeC/SystemC
design
Signalapture Signalapture
Polyhrony
-
-
6
6 analysis
abstration
transformation
distribution
ode
generation ontrol
synthesis
veriation
simulation
Figure 3. Polychrony for high-level system design
hasa behaviorb, writtenb 2[[P℄℄, then it admitsany
strethingb(relaxationwb)ofb,i.e.2[[P℄℄.
Polyhronous design properties The model of
polyhronous signals allows to dene formal proper-
tiesthat areessentialfortheomponent-baseddesign
ofGalsarhitetures[13℄.
Controllability or input-endohrony is a key design
property. A proess is input-endohronous i, given
anexternal(asynhronous)stimulationofitsinputsI,
it reonstruts a unique synhronous behavior (up to
streth-equivalene). Endohronydenotes thelassof
proessesthatareinsensitiveto(internaland)external
propagationdelays.
Denition4 (ontrolability) A proess p is en-
dohronousonitsinputsignals I i8b;2p;(bj
I )
=
(j
I )
)b
7 .
Flow-equivaleneoerstherightriterionforhek-
ing the renement of a high-level system speia-
tion with distributed ommuniation protools or-
ret. For instane, it is onsidered in [4℄ for the
renement-baseddesign of theLtta protool in Sig-
nal. Flow-invariane is the property that ensures
that the renement of a funtional speiation pjjq
by an asynhronous implementation p k q preserves
ow-equivalene. Formally,
Denition5 (ow-invariane) p and q are ow-
invariant i, for all b 2 pjjq, for all 2 p k q,
(bj
I )
= (j
I )
implies b for I the input signals
of pjjq.
InSignal,Galsarhiteturesaremodeledasendo-
isohronously ommuniating endohronous ompo-
nents. Wesaythat twoendohronousproessespand
q are endo-isohronous i(pj
I )jj(qj
I
) is endohronous
(with I = vars(p) \ vars(q)). Endo-isohrony im-
pliesow-invarianeandisdiretlyamenableto stati
veriation by the Signal ompiler using its lok
resolution and ontrol synthesis engine [1℄. Auto-
mated tehniques of distribution using protool syn-
thesistehniquesareimplementedinthePolyhrony
platform [2℄: endo-isohronousdistributiononsists of
a ausality-aware exhange (dupliation) of boolean
loksamonginteratingomponents.
Notie that the properties of ontrollability and
ow-invariane introdued in [13℄, onsidered in the
presentstudy, implythepreviouslystudiedproperties
ofIO-endohronyandisohronyof[3℄(aproessisIO-
endohronousi8b;2p;b )b
7
andtwopro-
esses areisohronousi theirsynhronousand asyn-
hronousompositionshavethesametraes). Whereas
IO-endohronyand isohrony allow non-deterministi
(in theaimof modelingdistributed reativesystems),
input-endohronyandow-invarianeimplydetermin-
ism(embeddedsystemsandSoCarhiteturesarethe
target).
Hene,ontrollabilityandow-invarianeoerspre-
ise, aurate, behavioral-level renement heking
onditionstoharaterizeprotoolsynthesis,whileIO-
endohrony and isohrony state global, proess-level,
relationbetweensynhronyandasynhrony.
Capturing high-level design using polyhrony
Although system-level design languagessuh as Sys-
temC, SpeC orSystem Veriloghavebeen intro-
dued as a way to raise the level of abstration and
there byhandlingdesignorretnessat ahigherlevel,
thereisnotmuhresearhliteraturethatanprovere-
nement betweenabstration levels to be orretness
preserving. Weproposeaprogramanalysis-basedrep-
resentation of system-levelmodels at various abstra-
tion levelsin Signal, andthen apply theanalysis on
theseSignalmodels. Thiswillprovideuswithateh-
nique to formally establish orretness of renements
of higherlevelrepresentationof designsto lowerlevel
implementation.
ineventistart,outeventidone)f
voidmain(void)f
unsignedintidata,iount;
while(1)fwait(istart);
idata=data;iount=0;
while(idata!=0)fiount+=data&1;
idata>>=1;
g
oount=iount;
notify(idone);ggg;
ineventStart,outeventDone,...)f
voidmain(void)f
while(1) fwait(Start);
data=In;
notify(istart);
wait(idone);
Out=oount&1;
notify(Done);ggg;
Figure 4. Specification-level design of the
Epin
SpeCInthis paper,wedonotdisuss theompilationof
these system level languages in Signal, beause for
ompilation, weneed to x the semantis of the lan-
guage,whihisnotproperlydoneyet. However,thatis
apartofourongoingeort. However,hereweassume
a semantis, and manually translatethe SpeC ode
intoSignal ode,andapplyourmethodology.
Inthe polyhronousdesignparadigm, onean give
afuntional-levelspeiationofasystemintermsof
relationsandpartially-orderedloks. Arenement,at
thearhiteture-level,onsistsofisolating themaster-
lok of omponents and of integrating them within
multi-lokedarhitetures,whilepreservingthefun-
tional properties of theoriginal design, thanks to the
formal veriation of ow-invariane. The main ben-
et of onsidering the model of polyhronous signals
for high-level C-like design languages lies in the for-
malsemantisbakbone/platformitprovides,onwhih
veriation and optimization tehniques an then be
pluggedin.
Ourapproah toapplyingthePolyhronymodel
tohigh-levelGalsarhiteturesmodelinginC-likede-
signlanguages(gure3)onsistsofautomatiallysyn-
thesizing or apturing the behavioral abstration or
modelofaSpeCdesignasaSignal proess. Other
formalisms,suhasinterfaeautomataoralgebraould
be used. What matters is to hoose a formalism in
whih deiding propertiesaboutmodels (equivalene,
bisimulation,et)isdeidable.
4 A asestudy: theevenparityheker
The polyhronous model of the Signal de-
sign language oers formal support for the ap-
ture of behavioral abstrations for both very high-
levelsystemdesriptions(e.g.SystemC/SpeC) and
behavioral-levelIp omponents(e.g. Vhdl). Its plat-
form, Polyhrony, provides formal methods for
a rapid, renement-based, integration and a formal
onformane-hekingof Gals hardware/softwarear-
hitetures. Wefous onaase study thatillustrates
our methodology byshowing how thespeiation of
theEp in SpeC anbe renedtowardaGalsim-
plementation with thehelp ofthe tool Polyhrony,
showingin what respets andat whihritial design
stagesformalmethods matterforengineeringsuhar-
hitetures. TheEponsistsofthreefuntionalunits
(gure5): anIOinterfaeproess,aneventestproess
and amain ones ounting proess (grayelements are
SpeC-spei).
ones even
IO
-
-
data oount
In Out istart
idone
-
start
done
-
Figure 5. Functional architecture of the
EpSpeiation-leveldesigninSpeC Thebehavior
ones in SpeC (gure 4) determines the parity of an
input data reeived along data. Upon reeipt of the
startnotiation,itrepeatedlyshiftsthedatauntilitis
0ed. Theoutputountiountissentalongoountand
donenotied. Thebehavioreven performs themirror
notiations and outputs the nal parityhek along
theOut.
Synhronization mehanisms betweenthreadsan
easily bemodeledin Signal. SupposewehaveN ele-
mentary threads(i.e.ritialsetions)ommuniating
vialoks. Let us identifyeah ofthem by asymboli
datum. Anotiationonsistsofsettingaloktotrue
uponrequest ofthenotier. A waiting proess heks
whether thelokhasbeennotiedat thepreviousin-
!integerOut;booleanistart,idone)
(j ::=waitfistartg(tik)
jidata := (datadefaultrshift(preInitDataidata))when
jiount := ((pre0iount)+xand(idata,1))when
joount := iountwhenidata=0when
defaultpre0oountwhentik
j notifyfidoneg(whenwhenidata=0)
j)where integeridata,iount;event;
data;boolean start,istart,done,idone)
(j1 ::=waitfstartg(tik)
jdata := Inwhen1defaultpreInitDatadatawhentik
j notifyfistartg(when1)
j2 ::=waitfidoneg(tik)
jOut := xand(oountwhen2,1)=1
j notifyfdoneg(when2)
j)where event1,2end;
Figure 6. Corresponding model of the specification-layer in
Signalstant and is available at its own request. If so, the
event aquired is present and the lok beomes false.
The model of wait/notify makesuse of partial equa-
tions. InSignal, apartialequationx::=f(y)when
partially denes x by f(y) at thelok. Composed
to x ::= f(z)whend, it is equivalent to the equation
x:=f(y)whendefaultf(z)whenditheexlusionof
the loks and d, denoted by the onstraint ^#d,
an be heked satisable by the lok resolution en-
gineof the ompiler(meaningthat the assignmentto
x is deterministi). We note x := ffg(y) for a all
to aSignal proessofmodule f thattakesthestati
parameters.
proessnotify=fbooleanlokg(?eventrequest!)
(jlok::=truewhenrequestj);
proesswait =fbooleanlokg(?eventrequest!eventak)
(jak ::=whenrequestwhenprefalselok
jlok::=falsewhenakj);
A systematitranslation of a speiation-level be-
havior in Signal (for instane that of the thread
ones, gure6) onsists, rst,of deomposing thesyn-
tatistrutureoftheSpeCprogramintoaninterme-
diaterepresentationthatrenderstheimperativestru-
ture of the original program together with its most
harateristi features (use of loks, interrupts, et).
Inthisstruture,eahthread onsistsofasequeneof
bloks (ritial setions) delimited by wait and notify
synhronizationstatements.
Arelatedwork,reportedin[16℄,onsistsofaPoly-
hrony plugin whih translatesmulti-threaded real-
timeJavaprogramsinSignal. Inthistool,theJvm
real-time runtime system is modeled using the Ar-
inlibraryofSignal [9℄. Thislibrarygivesageneri
modelofreal-timeoperatingsystemsApisinSignal.
Thetranslatorallowsforentirelymodelingthebehav-
iorofamulti-threadedreal-timeJavaomponentand
toreuseandreongureitspakageofreal-timethread
lassesaordingtoagiventargetarhiteture.
Withinsuhbloks,basiontrolstruturesarethen
enoded. A method all or a basi operation, e.g.
x =y+1withy delared asint y=n,is enoded by
anequation,e.g.eitherx=preny+1when(wheny
referenesavalueomputedduring theprevioustran-
sitioninthisblok)orx=y+1when(ifithasalready
beenomputedinthesametransition),onditionedby
an ativation lok . A onditional statement, e.g.
ifxthenPelseQ, is enoded by onstrainingthe lok
of P by x and that of Q by notx. While loops are
enodedbyover-sampling. Interruptsarerenderedby
events. An interruptonditionstheativationlokof
subsequentequationsintheontrolowgraph;ifites-
apesthesopeofthemethod inwhihit israised,it
beomesan outputsignal ofthe proessthat enodes
themethodinordertopropagateintheontextofuse
ofthat method.
Inthespeiation-layerofthebehaviorones,there
is only oneritial setion, delimited by await and a
notify. It isenodedmuhlikethepolyhronousspe-
iation of the previous setion, with the notieable
additionofthewait-notifyprotoolandthesimulation
shedulingtik. The proess is ativated when it ob-
tains the lok on istart. Then, at its own rate (now
onditioned by the lok ), it determines the ount.
Whenitisnished,itsendsthenotiation.
A polyhronous modelofthe EPC Byontrast,
thepolyhronousdesign-layerofSignalouldstartat
amuhhigherdesignabstration-level,withoutmaking
anyimpliit(simulation)arhiteturehoies. Byon-
trast, at the SpeC speiation-level, the system is
alreadydistributedintoasetofbehaviors(i.e.threads)
whihinteratviasharedvariablesandwaitandnotify
synhronizationmehanisms.
AtthepolyhronousdesignlayeroftheEpinSig-
nal,weputtheseimplementationdetailsountillater
renementstages and fous onits mostharateristi
threads,onesandeven(gure7). Theproessoneson-
sists of aniterativeomputation of the parity, imple-
mentedusingover-sampling: aloalsignalidata,reset
uponreeipt ofaninputdata, isiterativelysannedto
ountthenumberofbitssetto1(signaliount). When
proessones= (?integerdata!integeroount) %booleanistart,idone %
(jidata :=datadefaultrshift(preInitDataidata) %istart^=data %
jiount :=(pre0iount)+xand(idata,1) %idone^=oount %
joount :=iountwhenidata=0
j)where integeridata,iountend;
proesseven= (?integerIn,oount !booleanOut,data)%booleanstart,istart,done,idone %
(jdata :=In %istart^=In^=start %
jOut :=(xand(oount,1)=1) %oount^=done ^=idone %
j);
funtionrshift=(?i1!i2) spe(ji1^=i2j) pragmasCCODE"&i2=&i1>>1" endpragmas;
funtionxand=(?i1,i2!i3)spe(ji1^=i2^=i3j)pragmasCCODE"&i3=&i1&&i2" endpragmas;
Figure 7. Polychronous model of the
Ep-core
nished(i.e. whenidatais 0), iountis returnedalong
theoutputsignaloount. Auxiliarynotiationsignals
of the original SpeC speiation of the Ep, (e.g.
start,done), appear behindommentsastheyarenot
neessaryatthislevelofspeiation. Notiethatthe
proess ones is endohronous. The onsumerproess
evensimplyreadstheountsentalongtheoountsig-
nalandhekswhether itiseven. Thefuntionsrshift
andxandareavailablefromanexternalClibrary. They
areembeddedinSignalusinginterfaespeiations.
Validation of the polyhrony-to-speiation
design renement Chekingthatthespeiation-
leveldesign of the Ep is aorret renement of the
polyhronousSignal speiation amounts to hek-
ingthatthesetwodesignsareow-invarianttothein-
trodutionof thewait-notifyprotool(gure 8,abox
standsforaregister).
ones even
-
-
data oount
istart idone
+
ones even
wait
notify
- -
-
-
data oount
istart idone
Figure 8. Refinement of the polychronous model by the specification model
Thevalidationofthisdesignrenementamountsto
proving that, for all behaviors b and of the poly-
hronous and speiation layers of the Ep, noted
P
ones and S
ones
, ow equivalene of the input signal
In,i.e. bj
In j
In
impliesowequivaleneofthesignal
Out, i.e. bj
Out j
Out .
(1):8b2[[P
ones
℄℄; 82[[S
ones
℄℄; bj
In j
In )bj
Out j
Out
However,thepolyhronousmodeloftheEponlydif-
fers from the speiation layer by the introdution
of await-notifyprotool,whih implements ageneri
synhronizationshemeP of thepolyhronousmodel.
The mathing pattern S of the protool in the spei-
ation layeronsistsof the insertionofdelaysin the
transmissionofdatadue tothewait-notifytoggle.
P (data^=startjjidata:=datajjstart^=Injjdata:=In )
S
::=waitfstartg(lok)
j
j idata := datawhen
j j
notify fstartg(lok)
j
j data:=IndefaultpreInitDatadatawhenlok
Hene,provingequation (1) redues to showingthat
the renement of the polyhronous synhronization
shemeP by thewait-notifysynhronizationprotool
S preservesow-equivalene, asspeied by equation
(2). Indeed,notiethat(2)implies(1).
(2):8b2[[P℄℄; 82[[S℄℄; bj
In j
In )bj
idata j
idata
Inasimilarmannerasforlooselytime-triggeredarhi-
tetures, studied in [4℄, this property is amenable to
symboli model heking using the tool Sigali [15℄.
Veriation is implemented by speifying the orre-
sponding property in Signal (gure 10), simulating
the input Inand idata using, e.g.booleans(providing
the orresponding implementations of theparameters
xand, rshift and InitData) and by alulating that its
output (the invariant) never beomes false. A buer
isusedtoavoidalteringsynhronizingsignalsbetween
the models P and S. Flow-invarianemodulo buer
impliesow-invariane.
Arhiteture-layer design renement The en-
oding of the even-parity heker demonstrates the
unsignedintdata;event eReady,eAk;
boolready=false,ak=false;
voidsend(unsignedintIn) f
data=In;
ready=true;
notify(eReady);
while(!ak)wait(eAk);
ready=false;
notify(eReady);
while(ak)wait(eAk);g
unsignedintrev()f
unsignedintrdata;
while(!ready)wait(eReady);
rdata=data;
ak=true;
notify(eAk);
while(ready)wait(eReady);
ak=false;
notify(eAk);
returnrdata;g;
send rev
In - ready
-
eReady
-
data
-
ak
eAk
:ready
-
eReady
-
:ak
eAk
rdata -
Figure 9. Implementation of an architecture-level channel in
SpeCproessobserver =(?booleani!booleaninvariant)
(jinvariant:=buer(P(buer(i)))=buer(S(buer(i)))
j)whereproessbuer=(?booleani!booleano)
(jo:=Current(i)jAlternate(i,o)j)
proessCurrent=(?booleani!booleano)
(jo:=(iell^oinitfalse)when^oj)
proessAlternate=(?booleani,o!)
(ji^=whenop
jo^=whennotop
jop:=not(pretrueop)
j)wherebooleanop;
end;
lok
i 1 0 1
start
o 1 0 1 )
lok
i 1 0 1
start tt ff tt ff tt ff
o 1 0 1
Figure 10. Refinement-checking observer
apability of Signal to give a polyhronous model
of omponents for speiation-level SpeC designs.
Thislevelofabstration(polyhrony)allowsforabet-
ter deoupling of the speiation of the system un-
derdesignfrom earlyarhiteturemappinghoies. It
additionally allowsfor anoptimized reombinationof
behaviors. For instane, the Signal ompiler ould
mergethebehaviorsIOandevenusingitslokresolu-
tionengine. Inomparison,thetypialSpeCdesign-
owstartswiththeaptureofIp-bloksrepresentedas
funtions and then does an automati partitioning
aordingto an appropriateost funtion. After par-
titioning, 2-way handshake protools (or appropriate
hw-sw protools)areinsertedbetweenthefuntional
units.
ConsiderthearhiteturelayeroftheEp(gure9).
We nowhavetwobehaviors,onesand eventhat om-
muniateasynhronouslyviatheChMPhannel. Mod-
eling the arhiteture-layer renement of the Ep in
Signalonsistsofmodelingthedoublehandshakepro-
toolimplementedbythemethodssendandrevofthe
ChMP hannel, whih obeythe message sequene de-
pited on the right. The model of send and rev in
Signal (gure 11) is obtained in the very sameway
asforthebehaviorsevenandonesofthespeiation
level, exept that the ready and ak ags orrespond
tostatevariables(delaredatthesamelexiallevelas
send in theChMPmodule). Byinstallingthehannel
proess between produerand onsumer, we obtaina
desynhronization of the transmission between the In
andOut proesses(inadditionto adesynhronization
ofloks,obtainedinthespeiation-layer).
proesssend= (?integerIn;eventlok!)
(j1 :=when(eventIn)whenlok
jdata ::=Inwhen1
jready := truewhen1
defaultfalsewhen2whennot(prefalseak)
defaultprefalsereadywhenlok
j notifyfeReadyg(1)
j2 ::=waitfeAkg(whenprefalseakwhenlok)
j notifyfeReadyg(when2whennot(prefalseak))
j3 ::=waitfeAkg(whennot(prefalseak)whenlok)
j)where event1,2,3end;
proessrev = (?eventlok!integerrdata)
(j1 ::=waitfeReadyg(whennot(pretrueready)whenlok)
jrdata ::=preInitDatadatawhen1whenpretrueready
jak := truewhen1whenpretrueready
defaultfalsewhen2when(notpretrueready)
defaultprefalseakwhenlok
j notifyfeAkg(when1whenpretrueready)
j2 ::=waitfeReadyg(whenpretruereadywhenlok)
j notifyfeAkg(when2when(notpretrueready))
j)where event1,2end;
Figure 11. Model of the architecture-level channels in
SignalValidation of the speiation-to-arhiteture
renement ShowingthattherenementoftheEp
from the speiation level S
ones
to the arhiteture
level A
ones
(gure 12) is orret amounts to heking
ow-invarianebetweenthetwodesigns.
ones even
wait
notify
- -
-
-
data oount
istart idone
+
ones even
ChMP
send
rev wait
notify
-
-
-
-
data oount
istart idone
Figure 12. Refinement of the specification by an architecture layer
ItisamenabletosymbolimodelhekinginSigali
using the riterion (3) that, in a similar manner as
(1),statestheow-equivaleneofthespeiationand
arhiteturemodelsS
ones andA
ones .
(3):8b2[[S
ones
℄℄; 82[[A
ones
℄℄; bj
In j
In )bj
Out j
Out
In the same manner as for the polyhrony-to-
speiationrenement, proving(3) redues to show-
ingthatthedesynhronizationprotoolintroduedby
the hannel module ChMP preservesow equivalene
between the original speiation layer and the nal
arhiteture layer. This amountsto showing that the
speiationmodelS isow-equivalenttothe proess
Ain thearhiteturemodel.
S(data:=(InwhendefaultpreInitDatadata)whenlok)
A(data:=rev (lok)jjsend(In;lok))
Showing that A is ow-equivalent to S is amenable
tosymbolimodelhekingbyspeifyingtheproperty
(4)inSignal(simulatingtheinputInandoutputdata
usingbooleans). ThetoolSigaliallowsto provethat
the orresponding invariantneverbeomes false. No-
tieagainthat (4)implies(3).
(4):8b2[[S℄℄; 82[[A℄℄; bj
In j
In )bj
data j
data
Communiation-layer design renement The
ommuniation layer of the Ep (gure 13) onsists
ofadata-typerenementoftheChMPhannelandof
theimplementationof theChMPasabus. Itonsists
of the deomposition of themethods send andreeive
intosub-proesses,allowingfortheisolationofthebus
readandwritemethods.
unsignedbit[31:0℄data;Signalready, ak;
voidwrite(unsignedbit[31:0℄wdata)f
ready.assign(1);
data=wdata;
ak.waitval(1);
ready.assign(0);
ak.waitval(0);g
unsignedbit[31:0℄read()f
unsignedbit[31:0℄rdata;
ready.waitval(1);
rdata=data;
ak.assign(1);
ready.waitval(0);
ak.assign(0);
returndata;g
Figure 13. Communication-level bus in
SpeCShowingthis renementorret(gure 14)redues
toprovingthatthemodelofthehannel'sChMPmeth-
ods send and rev are ow-equivalentto the methods
read and write of the bus model. The ontrol stru-
ture of the bus model in Signal is idential to that
of the hannel, exept for the implementation of the
input/output integersignalsasbit-vetors.
ones even
ChMP
send
rev wait
notify
-
-
-
-
data oount
istart idone
+
ones even
Bus
write
read wait
notify
-
-
-
-
data oount
istart idone
Figure 14. Refinement of an architecture-level channel by a communication-level bus
Rtl-layerdesignrenement TheRtllayerofthe
Ep (gure 15)onsists oftheintrodutionof amas-
ter loklkandofaresetsignalrsttogetherwiththe
onversionof the Ep ommuniation-layerspeia-
tion into nite-state mahine ode. This translation
loselyorrespondstheSignal's enodingof theEp
into bloks(ritialsetions).
In Signal, this renement(gure 16) orresponds
to an implementation-lok aurate, endohronous,
voidmain(void)f
unsignedbit[31:0℄data,oount;
enumstatefS0,S1,S2,S3gstate=S0;
while(1) f
wait(lk);
if(rst==1b)state=S0;
swith(state)f
aseS0:done=0b;
akistart=0b;
if(start ==1b)state=S1elsestate=S0;
break;
aseS1:akistart=1b;
data=inport;
.
.
.
oount=0;
state=S2;
break;
aseS2:oount=oount+data& 1;
data=data>>1;
if(data== 0)state=S3elsestate=S2;
break;
aseS3:outport=oount;
done=1b;
if(akidone ==1b)state=S0elsestate=S3;
break; gggg;
Figure 15.
Rtl-level implementation of the
Ep-core in
SpeCmodeloftheEp. TheRtlmodelan beregardedas
atemporalrenementof theSignal model, in whih
the master lok is strethed in suh a way asto al-
low for a single sentene of the SpeC design to be
simulatedatatime.
Towardanintegrationplatform Intheaimofau-
tomating theaboveproess within aversatileompo-
nentintegrationplatform,theuseofPolyhronyasa
renement-hekingtoolprovidestherequiredsupport
byusingontrollersynthesistehniques[14℄. Whereas
model-heking onsists of provinga property orret
w.r.t. the speiation of a system, ontrol synthesis
onsists of using this property as a ontrol objetive
and to automatially generateaoeriveproessthat
wrapsthe initial speiation soasto guaranteethat
theobjetiveisaninvariant. Tothisend,weaimatus-
ingPolyhronyasasemantiplatformfortheSys-
temCdesigntoolBalboa[17,8℄,byusingSignalas
an internal representation of behavioral type desrip-
tionsforSystemC omponents,allowingforaorret
byonstrutionomponent-baseddesignofhigh-level,
system-on-hipSystemC designs,and thesystemati
synthesisofinterfaeprotoolsbetweenomponents.
5 Related works
The (multi-loked) notion of ow-equivalene
relates to the (single-loked) notion of lateny-
equivalene of Carloni et al. [6℄. Two signals are
lateny-equivalenti they present the same valuesin
thesameorder. Flow-invarianeaststhepropertyof
ow-equivalenetothegeneralontextofdesignrene-
mentheking,whereasCarlonietal.onentratewith
lateny-equivaleneon theorret-by-onstrutionas-
semblyofexistingIPswithpre-denedelementarypro-
toolbriks.
Synhronous programming being a omputational
model whih is popular in hardware design, and
desynhronization being a tehnique to onvert that
omputational model into a more general, globally
asynhronous and loally synhronous omputational
model, suitable for system-on-hip design, one may
naturally onsider investigating further the links be-
tween these two models understood as Ptolemy do-
mains [18℄ and study the renement-based design of
GALSarhiteturesstartingfrompolyhronousspei-
ationsapturedfromheterogeneouselementaryom-
ponents.
6 Conlusion
We haveput apolyhronous designmodel to work
fortherenementofahigh-leveleven-parityhekerin
SpeCfromtheearlystagesofitsfuntionalspeia-
tion to thelate stages of itshardware/softwareGals
implementation. Wehavedemonstrated theeetive-
nessofthisapproahbyshowinginwhat respetsand
atwhihritialdesignrenementstagesformalveri-
ationandvalidationsupportwasneeded,highlighting
thebenetsofusingthetoolPolyhronyinthatde-
sign hain. The novelty of integrating Polyhrony
in ahigh-leveldesigntool-hainliesintheformalsup-
port oered by the former to automate ritial and
omplexdesignveriationandvalidationstagesyield-
ingaorret-by-onstrutionsystemdesignandrene-
ment in the latter. Polyhronous design allows for
an earlyrequirementsapture andfora ompositional
andformally-hekedtransformationalrenements,au-
tomatingthemostdiÆultdesignstepstowardimple-
mentationusingeÆientlokresolutionandsynthesis
ones even
write
read wait
notify
-
-
-
-
data oount
istart
)
m
S0
-
m
S1 -
m
S3
?
m
S2
6
m
S0
-
m
S1 -
-
m
S3
?
m
S2
6
write
read wait
notify
-
-
-
-
data oount
istart
Figure 16. Refinement of the communication-level design by an
Rtl-level design
tehniques,implementedintheSignalompiler.
Referenes
[1℄ Amagbegnon, T.P.,Besnard, L.,Le Guer-
ni, P. \Implementation of the data-ow syn-
hronous language Signal". In Conferene on
Programming Language Design and Implementa-
tion.ACM Press,1995.
[2℄ Aubry, P. \Mises en oeuvre distribues de pro-
grammes synhrones" These de l'Universite de
Rennes1.Otober1997.
[3℄ Benveniste,A., CaillaudB., andLeGuer-
ni, P. \Compositionality in dataow syn-
hronouslanguages: speiationanddistributed
ode generation". In Information and Computa-
tion,v.163,pp.125-171.AademiPress,2000.
[4℄ Benveniste, A., Caspi, P., Le Guerni, P.,
Marhand,H.,Talpin,J.-P.,Tripakis,S.\A
protool forlooselytime-triggeredarhitetures".
In Embedded Software Conferene. Springer Ver-
lag,Otober2002.
[5℄ Berry, G., Gonthier, G.\The Esterelsyn-
hronous programminglanguage: design, seman-
tis, implementation". In Siene of Computer
Programming,v.19,1992.
[6℄ Carloni, L. P., MMillan, K. L.,
Sangiovanni-Vinentelli, A. L. \Lateny-
InsensitiveProtools".InProeedings ofthe 11th.
International Conferene on Computer-Aided
Veriation.Leture notesinomputersienev.
1633.SpringerVerlag,July 1999.
[7℄ G. De Miheli, E. Ernst, and W. Wolf
"Readings in Hardware/Software Co-Design".
MorganKaufmann,2001.
[8℄ F. Douet, M. Otsuka, R. Gupta and S.
Shukla "EÆient System Level Co-Design En-
vironmentusingSplitLevelProgramming".Teh-
nial Report01-34.UCIrvine,June2001.
[9℄ Gamati
e,A.,Gautier,T.Modelingofmodular
avionisarhitetures using thesynhronous lan-
guage.Inproeedingsofthe14th. EuromiroCon-
ferene on Real-Time Systems, work-in-progress
session.IeeePress,2002.
[10℄ P. Garg, S. Shukla, R. Gupta "EÆient Us-
age of Conurreny Models in an Objet Ori-
entedCo-DesignFramework".InDesignAutoma-
tionandTestinEurope.IeeePress,2001.
[11℄ D. Gajski, F. Vahid, S. Narayan, and J.
Gong. "Speiation and Design of Embedded
Systems".PrentieHall,1994.
[12℄ Lee, E.A., Sangiovanni-Vinentelli,A.\A
frameworkforomparingmodelsofomputation".
InIeeetransationsonomputer-aideddesign, v.
17,n. 12.IeeePress,Deember1998.
[13℄ LeGuerni,P.,Talpin,J.-P.,LeLann,J.-L.
Polyhronyforsystem design.In Journalof Cir-
uits, Systems and Computers. Speial Issue on
Appliation SpeiHardware Design.World Si-
enti,2002.
[14℄ Marhand,H.,Bournai,P.,LeBorgne,M.,
LeGuerni,P.SynthesisofDisrete-EventCon-
trollersbasedontheSignalEnvironment.InDis-
reteEvent Dynami System: Theory and Appli-
ations, v.10(4),pp.325{346,2000.
[15℄ H. Marhand, E. Rutten, M. Le Borgne,
M. Samaan.FormalVeriation ofSignal pro-
grams: Appliationto aPowerTransformerSta-
tion Controller. Siene of Computer Program-
ming,v.41(1),pp.85{104,2001.
[16℄ Talpin, J.-P., Le Dez, B., Gamati, A., Le
Guerni, P., Berner, D. Component-based
engineering of real-time JAVA appliations on a
polyhronous design platform. In Submitted for
publiation. Available asInriaresearh reportn.
4744,February2003.
[17℄ F. Douet, M. Otsuka, S. Shukla, and R.
Gupta. An environmentfor dynamiomponent
omposition foreÆiento-design.InDesign Au-
tomationandTestin Europe.IeeePress,2002.
[18℄ E. A. Lee. Overview of the Ptolemy projet.
Tehnial Memorandum M01/11. UC Berkeley,
2001.
[19℄ SpeC. http://www.spe.org,2003.
[20℄ SystemC.http://www.system.org,2003.
