This action might not be possible to undo. Are you sure you want to continue?
Marcel Pockrandt Technische Universit¨ at Berlin Berlin, Germany email@example.com Paula Herber International Computer Science Institute Berkeley, California, USA firstname.lastname@example.org Sabine Glesner Technische Universit¨ at Berlin Berlin, Germany email@example.com
Abstract—Transaction Level Modeling (TLM) is gaining more and more importance to quickly evaluate design alternatives in multimedia systems and other mixed HW/SW systems. However, the comprehensive and automated veriﬁcation of TLM models is still a difﬁcult challenge. In previous work, we presented an approach for model checking of SystemC/TLM designs based on a transformation into U PPAAL timed automata. In this paper, we present an optimized version of our previously proposed transformation, and show its effectiveness with experimental results from an industrial case study. The key idea is to generate a U PPAAL model that is especially tailored for being model checked. This signiﬁcantly reduces the semantic state space and makes model checking considerably faster and less memory-consuming. We demonstrate this by comparing the veriﬁcation times of both versions for our previously used case study, and by presenting results from a new and larger case study, namely a TLM implementation of the AMBA Advanced High-performance Bus (AHB). The AMBA bus is one of the most popular on-chip bus architectures in IP-based embedded SoCs, and it is used in many multimedia applications. The case study shows that with the proposed optimizations, our approach is applicable for industrial real world examples. The detection of a serious bug, namely a deadlock situation in a certain scenario, and also the veriﬁcation of some important safety, liveness, and timing properties provide evidence for the usefulness of our approach.
I. I NTRODUCTION SystemC/TLM ,  is widely used for modeling and simulation in HW/SW co-design. Its main advantages lie in early platform development, fast simulation and evaluation of different design alternatives, and in its ﬂexible integration with pure hardware description languages such as VHDL or Verilog. The highest relevance for design-space exploration and rapid prototyping have transaction level models, which provide enough details for architecture evaluation but are much faster to simulate than bit- and cycle-accurate models. However, while TLM models are well-suited for architecture evaluation and rapid prototyping, they are difﬁcult to verify. In particular, formal veriﬁcation and automated testing are typically not supported by TLM design frameworks. For example, for SystemC/TLM, there exist a powerful simulation environment and many tools to ease development with graphical interfaces and static analysis tools, but not even the semantics of SystemC/TLM is deﬁned formally in ,
. There exist some approaches to formalize the semantics of SystemC, e. g., , , , , , but they are mostly either limited to the synthesizable subset of SystemC, or they require a tedious manual formalization of a given design. In contrast to purely synchronous hardware design languages, SystemC/TLM supports concurrent processes, dynamic sensitivity and timing, and abstract communication. State-of-the-art formal hardware veriﬁcation techniques are thus not applicable as well. In previous work, we have presented an approach to overcome these problems by formalizing the semantics of SystemC/TLM with the help of U PPAAL timed automata , . U PPAAL timed automata  have the advantage that their semantics is formally well-deﬁned, and that they come with the U PPAAL tool suite. The U PPAAL tool suite provides means to animate and simulate timed automata models, and, most importantly for us, also a model checker that enables the fully-automatic veriﬁcation of safety, liveness, and timing properties. In , we presented an approach to automatically transform a given SystemC design into a U PPAAL timed automata model, which instantaneously enables the application of the U PPAAL model checker. This approach was extended in  for the TLM 2.0 standard. We showed the applicability of this approach with two small case studies, namely a loosely-timed model that uses a blocking transport and an approximately-timed model that uses a 4-phase non-blocking transport. In this paper, we present a novel and highly optimized version of our transformation from SystemC/TLM into U P PAAL timed automata. In contrast to our previously proposed approach, we do not aim at a transformation which is as close as possible to the implementation of the TLM core interfaces. Instead, we focus on efﬁciency issues, with the general aim of enhancing the scalability of model checking of the resulting timed automata model. The main challenge when formalizing the semantics of the TLM core interfaces is the payload event queue (PEQ), which is used to maintain a queue of SystemC event notiﬁcations, where each notiﬁcation is associated with a transaction object. This mechanism is used for non-blocking communications, where the communication method immediately returns but a
978-1-4577-2122-9/11/$26.00 ©2011 IEEE
only a few approaches directly target SystemC-TLM designs.0 solution for the AMBA AHB released by Carbon Design Systems 1 in February 2011. do not model the non-deterministic scheduler and cannot cope with primitive channels. In Section IV.  proposed program transformations from SystemC into equivalent state machines. To demonstrate the practical applicability of our approach. R ELATED W ORK There have been several approaches to provide a formal semantics for SystemC. They do not support the TLM 2. Besides. the scheduler and complex interactions between processes are not considered and the formal model has to be speciﬁed manually. In . which is based on a transformation from SystemC to heterogeneous parallel input/output machines (HPIOM). as built from modules. The purpose of their work is to provide a precise description of the SystemC scheduler. Salem  presented a denotational semantics for the SystemC scheduler and for SystemC processes. we reduce the number of clocks and variables. we present an alternative formalization that only requires two automata. The most important optimization of our new approach is that we model the PEQ in a more abstract way.  proposed a mapping from SystemC to PROMELA. SystemCFL does not take dynamic sensitivity into account. Habibi et al. However. This introduces a huge overhead because interactions between subnets can only be modeled by introducing additional subnets. Zhang et al. a deﬁnition of the simulation semantics based on abstract state machines is given by M¨ uller et al. and considers only simple communications. In .  present an approach for formal veriﬁcation of SystemC designs using Binary Decision Diagrams (BDDs) and bounded model checking. However. With that. and compare the veriﬁcation times. bounded model checking is used on untimed SystemC designs.0 standard. the authors propose a translation from SystemC/TLM into LOTOS. . we present experimental results for the approximately-timed model that uses a 4-phase non-blocking transport. they are not able to cope with dynamic sensitivity or timing. for example. in this paper. Though this approach works on the abstraction level of TLM models.further action on the transaction object is typically scheduled for later execution. To show the effect of our optimizations. processes and channels. However. Große et al. In contrast to our approach. the timing behavior is heavily over-approximated. 67 . The postponed execution of actions on transaction objects is difﬁcult to model in the semantics of U PPAAL timed automata if there are multiple concurrent notiﬁcations. In . For example. but they only handle SystemC designs at an abstract level.carbonipexchange. we summarize related work. Traulsen et al. we present experimental results in Section VI and conclude in Section VII. which is consistent with the SystemC/TLM reference implementation that uses as many methods and processes. To the best of our knowledge. In . the translation has to be done manually and they also do not support the TLM 2. Similarly. In Section V. The approach is similar to ours in that it also provides an executable formal semantics and an automatic transformation. time is not explicitly considered there.0 standard core interfaces. In . The concept of channels is neglected. a toolbox for the analysis of transactional SystemC designs is proposed. and they use the veriﬁcation toolbox CADP to import C Code into the LOTOS model. In . we review our formal semantics for SystemC/TLM as presented in . and consequently reduce the size of each semantic state and the overall semantic state space signiﬁcantly. which we also used in . Additionally. but only for a synchronous subset. namely the TLM 2. However. However. but only for the synthesizable subset. time 1 http://www. and the transformation can only be performed manually. we describe our optimized version for the formalization of the TLM 2. it does not handle any kind of interaction between processes.  introduced the formalism of SystemC waiting-state automata. However. which makes the models difﬁcult to verify. the approach is limited to the modeling of delta-cycles. Furthermore. In these approaches. Karlsson et al. is not covered and therefore cannot be veriﬁed with this approach. In particular. the state machine models do not reﬂect the structure of the underlying SystemC designs. This approach is very expressive and captures a large share of SystemC and C++ constructs. we use a simple live variable analysis to temporarily reset all unused variables in order to make it possible for the model checker to detect and use symmetries in the model. we presented a formalization of the PEQ using four different timed automata. However. which is based on process algebras and deﬁnes the semantics of SystemC processes by means of structural operational semantics style deduction rules. the authors propose to transform SystemC-TLM models into communicating state machines. . certain aspects of the SystemC semantics are disregarded.com/ is ignored. we brieﬂy introduce SystemC and U PPAAL timed automata. the overriding of pending notiﬁcations. A tool to automatically transform SystemC to SystemCFL is presented by Man in . and the transformation is performed manually. we applied it to a new and signiﬁcantly larger design. Finally. the system design itself. The rest of this paper is structured as follows: In Section II.  and Ruf . but focus on STMicroelectronics’ TAC implementation (Transaction Accurate Communication Channel).0 standard. Those SystemC waiting-state automata are supposed to allow a formal representation of SystemC designs at the delta-cycle level.  verify SystemC designs using a petrinet based representation. In Section III. II. Man presented the formal language SystemCFL . they target the TLM concepts on an abstract level and do not capture the precise semantics of the TLM transport mechanisms or sockets.
and request? and ack! denote sending and receiving on channels. The main goal of the TLM standard  is to provide interoperability between different transaction level models. The general idea is to use transactions as an abstraction for bit-accurate hardware data types.it can neither handle the OSCI TLM 2.0 IPs by synthesizing RTL IP models from them and applying RTL model checkers to the model. which make it possible that the processing of a transaction is postponed for later execution. This enables simulations on different abstraction levels. and an event-driven simulation kernel. 3) The generic payload can be used to represent arbitrary transaction objects 4) The base protocol is a set of rules on how to use the TLM core interfaces to achieve maximal interoperability. 1) The core interfaces implement standard blocking and non-blocking transport mechanisms. A timed automaton is a set of locations connected by directed edges. and urgent and committed locations. as they rely on hardware synthesis to construct the IP from the TLM model. We will use this for the binding mechanism in our transformation. 2) Sockets are used to connect initiator and target modules. Urgent and committed locations are used to model locations where no time may pass. The initial location is denoted by ◦ . Two types of clock constraints are used to model time-dependent behavior: Invariants are assigned to locations and enforce progress by restricting the time the automaton can stay in this location. respectively. However. The execution order of these processes is chosen non-deterministically. which comprises the TLM core interfaces. It is implemented as a C++ class library. B. The U PPAAL template mechanism can be used to instantiate timed automata with different variables. It allows modeling and executing of both hardware and software on various levels of abstraction. leaving a committed location has priority over non-committed locations. simulation. and fast simulation of HW/SW systems. A small example U PPAAL timed automaton is shown in Figure 1. The U PPAAL modeling language extends timed automata by bounded integer variables. A SystemC design is a set of communicating processes. triggered by events and interacting through channels. Recently. Binary channels enable a blocking synchronization between two processes. C.  presented an approach for model checking TLM 2. An important advantage of this approach is that they can verify whether existing TLM assertions hold in the synthesized IP. Bounded integer variables are manipulated with a C like action language. TLM models often use one of the following two coding styles: Loosely-timed models are typically expected to use the blocking transport interface and temporal decoupling. SystemC SystemC  is a system level design language and a framework for HW/SW co-simulation. U PPAAL Timed Automata Timed automata  are ﬁnite-state machines extended by clocks. whereas broadcast channels enable non-blocking synchronization between one sender and arbitrarily many receivers.and cycle accurate bus protocols. sockets. The clock variable x is ﬁrst set to zero and then used in two clock constraints: the invariant 68 . Like typical hardware description languages. It is possible to declare local or global variables. SystemC also introduces an integer-valued time model with arbitrary time resolution. Furthermore. III. Modules and channels are used to represent structural information. it is also possible to instantiate an automaton with parameter p in a way that p is replaced by a global variable (operations on p will then be applied to the global variable). In particular. SystemC supports the notion of delta-cycles. Approximately-timed models are more accurate. and they are typically expected to use the non-blocking transport interface and the payload event queues. trading off accuracy and simulation speed. and veriﬁcation of networks of timed automata. the separation between protocol and functionality presented there is very interesting. Guards are assigned to edges and enable progress only if they evaluate to true. which are executed with an interleaving semantics and synchronize on channels. The design ﬂow usually starts with approximately timed transaction-level models that are reﬁned to time-accurate models of hardware and software components. performance analysis. The core of the TLM standard is the interoperability layer. which impose a partial order on parallel processes. It controls the simulation time and the execution of processes and handles event notiﬁcations and updates primitive channels. Global variables can be used to pass values between processes in a network of timed automata. The execution of a SystemC design is controlled by the SystemC scheduler. the whole model checking approach is restricted to the synthesizable subset of SystemC. Networks of timed automata are used to model concurrent processes. The TLM Standard Transaction Level Modeling (TLM) is mainly used for early platform evaluation. a generic payload and a base protocol. Also. binary and broadcast channels. which are transmitted between different modules by abstract function calls rather than pin.0 standard nor any timed SystemC construct. P RELIMINARIES A. a template mechanism. Bombieri et al. U PPAAL  is a tool suite for modeling. which provides the language elements for the description of both hardware and software.
The ﬁrst restriction should hardly narrow the applicability of the approach. we have presented a formal semantics for the TLM standard core interfaces (i. whose parameters the transaction object and a delay. e. we developed predeﬁned timed automata models of the SystemC scheduler. The principle of a PEQ is shown in Figure 3. and that socket binding only takes place before elaboration time. Scheduler Representation of SystemC designs in U PPAAL x <= maxtime denotes that the corresponding location must be left before x becomes greater than maxtime. A transaction object is inserted by calling a notify function. Process automata are used to encapsulate these methods and care for the interactions with event objects. as dynamic object and process creation are rarely used in SystemC designs. The symbols ∪ and c depict urgent and committed locations. B. SystemC-TLM Semantics In . To formalize the execution semantics of SystemC. namely the payload event queue (PEQ). we presented four timed automata to capture the semantics of a PEQ: One automaton implementing a time- Primitive Channels Figure 2. When the delay expires. The transformation of the TLM core interfaces was more challenging as it requires additional semantical constructs. SystemC Semantics In . the scheduler. and we presented a set of timed automata models that precisely capture the semantics of the TLM core interfaces. processes. 5) The number of concurrent non-blocking transport requests must be bound by a statically determinable maximum. In . a PEQ is able to manage a time-ordered list of transaction objects. To achieve this.. and primitive channels. the transformation scales well even for large SystemC designs. Figure 2 shows how we represent SystemC designs in U PPAAL. Furthermore. the transformation of sockets only requires to determine which methods are bound to a socket and then use a standard call-return semantics. For example. we adopted the formalization we presented in  for sockets and transactions. for the transformation of a given SystemC design. interactions between processes. It can handle all relevant SystemC language elements. This means that we have to impose the following additional restrictions on a given SystemC/TLM design: 3) We require that sockets are created statically. The purpose of PEQs is to enable the independent implementation of the delays of different communication phases in the target and the initiator. The interactions are modeled using U PPAAL channels. a predeﬁned callback function peq_cb is called on the transaction object and handles its further processing. and to invoke the callback method at the correct times and in the correct order. i. events and other SystemC constructs 69 . F ORMAL S EMANTICS OF S YSTEM C/TLM A. The transformation preserves the (informally deﬁned) behavioral semantics and the structure of a given SystemC design and can be applied fully automatically. 2) Only bounded integer variables are supported.request? x=0 ack! value = f(t) Figure 1. As a consequence. we achieve a compositional transformation. 4) The instantiation of the generic payload with a concrete transaction type has to consist only of (possibly multiple) bounded integers. these models can be instantiated arbitrarily often. If these restrictions are met. To this end. With that. x <= maxtime x >= mintime Example Timed Automaton Processes methods request update notify wait Events activate delta delay deactivate update end update start advance time such as primitive channels . It only requires two restrictions: 1) We cannot handle dynamic process or object creation. including process execution. IV. it is necessary to keep track of a set of concurrent notiﬁcations. as most data types used in SystemC designs can be converted to bounded integers. we deﬁne their formal semantics through our timed automata models. dynamic sensitivity and timing behavior. and the guard x >= mintime enables the corresponding edge at mintime. The formalization of sockets and the generic payload requires some restrictions on the set of input designs because some of their characteristics can generally not be transformed into an equivalent timed automata representation. e. and the events trigger the processes over a wait channel if they are notiﬁed. As the semantics of the SystemC elements is only informally deﬁned in . we transform each module separately and compose the system in a ﬁnal instantiation and binding phase. blocking and nonblocking transport) by mapping them to an equivalent U P PAAL timed automata representation.. To capture the semantics of the PEQ. Each method is mapped to a single timed automata template. the processes notify events using notify. we have presented a formal semantics for SystemC by deﬁning a transformation from SystemC into U PPAAL timed automata. The second restriction is also acceptable.
This is particularly important to ensure that all possible interleavings of concurrent processes are considered. ti tj dequeue() ) Payload Event Queue (PEQ) Figure 3. which also reduces the amount of used variables and eliminates the computational overhead. we do not need to keep track of the differences between all clocks. In particular. we need to embed the PEQ automata properly into the rest of the SystemC semantics.. for example. a PEQ behaves 70 . e. e. because the whole timed automaton representing a method or process is only reset to its initial state if all its local variables are reset too. Second. Note that symmetry detection can. dj) tj tj = xj + dj ti < tj ≤ tk tk .or over-approximate the behavior of the TLM core interfaces. the values of all data variables. we formalize the PEQ semantics using only two automata. In our optimized transformation.or over-approximation). 2) Reduce the number of reachable symbolic states by. In this array.xj notify( . the callback method must be invoked exactly at the time where the delay expires. Saving the global clock. enqueue() PEQ t0 peq cb( t0 t1 . i. variables or clocks. ordered list. In our optimized version of the TLM core interface formalization. which was previously used for comparisons. the most effective optimization is a reduction in the number of clocks because the model checking effort is exponential in the number of clocks. A semantic state of a U PPAAL timed automata model comprises the set of current locations. reducing the number of clocks or the range of variables.. We used the difference between the delay stored in a queue element and its elapsed clock to achieve a time-ordering on PEQ elements in the timed automaton that implements the timeordered list. our previously proposed formalization of the PEQ required n · k + 1 clocks in the global elapsed array. The key idea of our optimization is an encoding of payload event queues that is better suited for model checking. However. The requirements are as follows: 1) For each PEQ entry. n for each PEQ instance and one for a global clock which is used for comparisons.. the size of the array was determined by the maximal number of concurrent nonblocking transport requests of a given design... 6) When invoking the callback method. We perform this reduction without loss of information... The use of a separate process for each transaction object may sound as if producing an overhead at ﬁrst. yields an additional advantage. it is important to correctly capture the interactions with the SystemC scheduler. and the clock zone computed from the values of all clock variables. In the optimized transformation. it must always be immediately accepted. the U PPAAL model checker can cope much better with processes than with data structures. we manage the timing for each transaction object in the PEQ locally in a separate process. the notify function the PEQ provides). for example. and one for the PEQ event. 3) A PEQ notiﬁcation must never be blocked. and to release PEQ event notiﬁcations if the clock reaches the delay.. To be able to keep track of a set of timed event notiﬁcations. Merging the PEQ mechanism into only two automata poses two difﬁculties: First. our optimized version does not under. 5) A timed automaton with a local clock must also synchronize on advancetime as a receiver. V. Furthermore. 2) All PEQ entries must be processed in the correct order. one for fetching events from the queue and invoking the callback function. This is in particular helpful for local variables. This is necessary to ensure that the scheduler starts a new delta-cycle. However. which must be explored during model checking. we made use of all three potential optimization angles. 3) Make it easier for the model checker to detect symmetries in the model. 4) A timed automaton with a local clock must send the scheduler an advancetime signal whenever its local clock expires. the optimized version has no need for sorting the queued events. one modeling the interface of the PEQ (i. i. This is necessary to ensure that whenever a new delta-cycle is started by the scheduler. e. e. To reduce the semantic state space which is explored by the model checker. we used one entry for each (possible) PEQ element. we introduced a global clock array elapsed. which run independently from each other. without losing or adding any behavior (i. In particular. by using local clocks. there are basically three possibilities: 1) Reduce a single semantic state by reducing the number of locations. With a maximum number of n concurrent PEQ notiﬁcations and k PEQs in use. we don’t want to perform any under. we want to faithfully respect the PEQ semantics. all actions that should take place at the same time are executed in the same deltacycle. be eased by resetting unused variables. O PTIMIZED T RANSFORMATION The main goal of the optimized version of our transformation of the TLM core interfaces into U PPAAL timed automata is to reduce the semantic state space.
In the original implementation.. this is ensured by a dedicated SystemC process that fetches transaction objects from the queue and invokes the callback function.) and (5. the parameters trans and phase are passed by-reference. peq_fetch#ctrl? m_peq_notify_ctrl! m_peq_notify_param_trans = tran. one where the automaton synchronizes on advancetime as a sender. There. Furthermore. i. it starts a local clock c by resetting it to zero. their values must be copied into local variables within the notify automaton and back to the nb_transport automaton when the execution of notify is ﬁnished. the global variables are used to connect the parameters. e. e. the waiting location is left as soon as c == delay. for a given PEQ instance. the waiting location is left if the deltadelay signal occurs. The second automaton invokes the callback method and passes the transaction object on to it. Our formalization faithfully respects the semantics of the PEQ implementation in the TLM 2. Finally. Note that we have two transitions here. The peq_notify automata synchronize themselves with the scheduler through the broadcast channels advancetime and deltadelay. Then. peq_notify#param#trans and m_peq_notify#param#trans are bound to the same global variable. when the delay expired and the transaction is to be processed. i. have a look at Figure 6 and Figure 7. g.0 implementation.. that the requirements (4.. Then. which is sent by the scheduler whenever a new delta-cycle is started. The splitting between the two automata ensures that the notify automaton can receive a new notiﬁcation as soon as the callback method is invoked.. peq_fetch invokes the callback method peq_cb.. Timed Automaton for Callback Invocation . it continues execution immediately. For example. m_peq_notify_param_phase = phase. it increments the variable readyprocs to inform the scheduler that an additional process is ready to execute.. For a better understanding of the interactions between the two PEQ automata and the rest of the U PPAAL model. This ensures that all automata whose delay expires at the same time synchronize on the same advancetime signal. The nb_transport method invokes a peq_notify automaton in a non-blocking fashion. The automaton in Figure 4 receives incoming notiﬁcations. i. which ensures that this is a one-aone communication and that another peq_notify automaton is non-deterministically chosen for each PEQ entry. A schematic of the interconnections between the different automata is given in Figure 8. Figure 6. the automaton in Figure 4 starts to behave like a standard SystemC process that was triggered by an event. Figure 6 shows how an nb_transport function uses the interface of the PEQ (notify) to enqueue a transaction object together with an associated delay. it yields control to the second automaton shown in Figure 5. and the given delay in a local delay variable.. e. PEQ entries that expire at the same time are processed in a deterministic order. The sorting algorithm inserts those elements at the last 71 .. Timed Automaton of an nb_transport Function as a standard SystemC process. In the reference implementation. The two U PPAAL timed automata that precisely capture the semantics of the PEQ mechanism and also meet these requirements are shown in Figure 4 and 5. Note that the four automata are connected by instantiating their parameters with the same global variables. i. which is sent by the scheduler to start processes in arbitrary order. Figure 7 shows how a callback function receives a transaction object from the PEQ by storing its values into local variables. After leaving the waiting location. m_peq_notify_param_t = delay peq_cb#ctrl! peq_cb#param#tran = peq_fetch#param#tran. it changes to a location with an invariant c <= delay. and one where it synchronizes as a receiver. stores the transaction object (its payload and its phase) in the local variables payload and phase. e. If the delay is greater than zero. In this case. and they invoke peq_fetch through a binary channel if their delay expires. If the given delay is a zero delay.. it waits until the delay expires. peq_cb#param#phase = peq_fetch#param#phase peq_cb#ctrl? deactivate! readyprocs-Figure 5. which optionally may invoke another call to nb_transport. A binary channel is used for all control channels. peq_notify#ctrl in Figure 4 is instantiated with the same global channel as m_peq_notify#ctrl in Figure 6. it informs the scheduler that the process has terminated by sending deactivate and decrementing readyprocs. the transaction object is to be processed without a timed delay during the next delta-cycle.. For every PEQ we have to create one instance of the callback invocation automata and n instances of the notify automaton for a maximum number of n concurrent PEQ notiﬁcations. e.) are met.0 standard with only one exception: in the TLM 2. Similarly. i. When the callback method returns. and waits for the activate signal.. e.
note that the local clocks in each notify automaton now run independently from each other. Note that in the notify automaton. all possible interleavings are considered during model checking. c <= delay delay != 0 advancetime? delay == 0 deltadelay? c == delay delay != 0 && c == delay advancetime! readyprocs++ Timed Automaton for PEQ Notiﬁcations ctrl? tran = param#tran. We modiﬁed the example such that we can use it with different numbers of concurrent non-blocking transport requests.. This is achieved on the one hand by a reduction of the number of semantic states and on the other hand by a reduction of the size of each semantic state enabling the exploration of more states in a shorter period of time. In contrast to that. namely the TLM 2. Veriﬁcation times are averaged over 10 runs. payload = data#empty activate? Figure 4. our formalization processes PEQ entries that expire at the same time in non-deterministic order. they will always also be correct in the SystemC-TLM design because we only check additional behavior. where no speciﬁc order of simultaneously expiring entries is deﬁned. // process transaction object VI. This is a slight over-approximation of the PEQ semantics used in the TLM reference implementation.0 standard.0 solution for the AMBA AHB released by Carbon Design Systems in February 2011. if safety properties are proved to be correct on our model. peq cb peq cb#ctrl peq fetch delta delay Interconnections in the Timed Automata Model possible position. Table I shows the veriﬁcation time needed with one (NB1) to ﬁve (NB5) concurrent requests in each the producer and the consumer for both transformations. This ensures that the model checker can detect and use symmetries in the model. Non-Blocking Transport One example used in  is an approximately-timed model. delay = peq_notify#param#delay. Timed Automaton of a Callback Method nb transport peq notify#ctrl peq fetch#ctrl peq notify advance time Scheduler Figure 8.. c=0 peq_fetch#ctrl! peq_fetch#param#tran = payload. E XPERIMENTAL R ESULTS To evaluate the practical applicability and the performance of our approach. we also used an enhanced version of a case study presented in  with both the unoptimized and the optimized transformation. where a producer and a consumer communicate through a communication protocol with 4 phases. we reset all variables before returning to the initial location. phase = 0. peq_fetch#param#phase = phase. 72 .4 GHz CPU with 4 GB Ram running a Linux operating system. Note that the unoptimized transformation leads to an out of memory exception in the U PPAAL model checker when more than 2 concurrent requests occurred ( ). as well as the number of states explored during model checking. Figure 7. in order to analyze the performance gain. It can be seen that the optimized transformation reduces the veriﬁcation times drastically. The example consists of 145 lines of code and contains one process. As a consequence the processing order is ﬁrst in ﬁrst out for simultaneously expiring entries. delay = 0. i. Both together enable the veriﬁcation of systems with more concurrent non-blocking transport requests. phase = peq_notify#param#phase.peq_notify#ctrl? payload = peq_notify#param#trans. e. Furthermore. phase = param#phase ctrl! .. Furthermore. using the non-blocking transport including PEQs. we have implemented the optimized transformation and applied it to an industrial case study. All experiments were run on a machine with an Intel Pentium 3. To give a better impression of the effect of our optimizations. but it corresponds to the TLM 2. We applied both our unoptimized and our optimized transformation to this modiﬁed example and used the U PPAAL model checker to verify deadlock freedom. A.
This provides a case study which enables us to determine the practical applicability and the performance of our approach.com width of the transfer. These signals provide information on the address. AMBA AHB uses separate read and write buses to move data from slave to the master and the other way around. The timing and arbitration of the AMBA AHB are described in . The architecture of the design is shown in Figure 9. and the processes use all kinds of sensitivity.. The most intrusive modiﬁcations had been done because we can only cope with bounded integers. direction and 2 http://www. The modiﬁed implementation consists of about 1800 lines of code and can be used with a varying numbers of masters and slaves. AMBA AHB The Advanced Microcontroller Bus Architecture (AMBA) Bus is an on-a-chip bus introduced by ARM Ltd2 in 1996.953 0:01 460 0:01 92. we used a TLM 2.862 0:01 3. e. Many high performance SoCs in a wide area of applications are currently using the AMBA AHB. protocol phases. as well as an indication if the transfer forms part of a burst.. The arbiter collects all bus requests and sends a grant signal to one master.arm. we had to modify the original design.NB1 UNOPTIMIZED NB2 50:05 7. i. split transactions and a bus width of up to 128 bits. 3 for the bus itself and 1 for each slave) communicate through both blocking and non-blocking transfers. The slave components receive transactions and read or write from/to memory. we only sent and requested constant data over the bus. We applied our transformation to the modiﬁed design and veriﬁed liveness and safety properties using the U PPAAL 73 .0 implementation of the AMBA AHB provided by Carbon Design Systems. as the AMBA AHB Protocol does not depend on the content of the data which is transferred. respectively. functional properties that can be veriﬁed on the modiﬁed design are also satisﬁed in the original model. with the correct timing. An AMBA AHB transfer starts with a bus request asserted by a bus master. Due to the restrictions of our approach mentioned in Section IV. The granted bus master then drives the address and control signals.532 47:54 66. The master to ahb module splits the given transaction into AMBA conform transfers and sends those over the bus according to the AMBA AHB protocol speciﬁcation. a payload event queue with concurrent entries is used. The AMBA advanced high performance bus (AHB) protocol was introduced in 1999 and features burst transfers.789 0:29 1. e. i.0 AMBA AHB Design B. it covers all of the most important SystemC/TLM constructs: a number of concurrent SystemC processes (2 for each master. static. Most of these modiﬁcations can be considered minor ones like the change from dynamic to static process instantiation or the static binding of sockets. AHB S2: ahb mem Architecture of the TLM 2. Due to this restriction we had to simplify the transaction object and to remove the whole dynamic memory management used in the original design. and timed sensitivity.062.0 implementation of the AMBA AHB provided by Carbon Design Systems implements this by multiple clocked nonblocking transports for each transfer. For our experiments. Furthermore. dynamic. and transfer types. Furthermore.278 CPU time # states Table I M ODEL C HECKING R ESULTS FOR N ON -B LOCKING T RANSPORT TLM2 M1: tlm2 master init sock slave sock TLM2 M2: tlm2 master init sock slave sock b transport AHB M1: AHB M2: master to ahb master to ahb master sock slave sock master sock nb transport fw/bw AHB Bus master sock nb transport fw/bw slave sock slave sock AHB S1: ahb mem Figure 9. As all those changes do not inﬂuence the control logic or functionality of the AMBA AHB.359. Every transfer consists of an address and control cycle and one or more cycles for the data. The design implements an arbiter and a decoder as speciﬁed in . The AMBA AHB is a synchronous clocked bus. as the original design consists of a ﬁxed number of processes and the binding of sockets is unchanged during the elaboration time. The TLM 2. The tlm2 master initiates communications by sending read or write transactions via a blocking transport to the master to ahb module.234 NB3 NB4 NB5 CPU time # states OPTIMIZED 16:47 1.
functionality. An important advantage of SystemC was easy to understand the cause of the problem. were able to detect is a deadlock situation. the Furthermore. which is due to 1M1S. It would be interesting mation from SystemC/TLM into U PPAAL timed automata. verify some important safety. The authors like to thank Carbon Design Systems for we move away from a direct one-to-one transformation of providing the case study of the AMBA AHB. This variable was not reset in the original design. However. 2M2S). up to ﬁve concurrent notiﬁcations can easily M1#busrequest --> M1#busgranted be handled. We had to modify the original design by removing && M2. a few minutes. This design couldn’t be handled with the unoptimized number of bursts): version. 74 . and to reset variables to make it easier for the model checker to ACKNOWLEDGMENT detect and use symmetries in the model. half an hour for each property. The optimization does not sacriﬁce the correctness of the formal R. to 2 master and 2 slaves. a counter variable is used to store model checker. we have presented an optimized transforcomponents and the overall system. L. namely the TLM 4) as soon as a master is granted the bus. liveness. Furthermore. ization. we were able to the number of successful transfers before the split occurs. Alur and D..model checker. a real bug in the real design. After the defect removal. the implementation of the TLM core interfaces. The most serious bug we numbers of masters and slaves (from 1 master and 1 slave. is to reduce the number of clocks and variables. and by simplifying the transaction objects. With our new approach. To achieve this. is that it is possible to plug IP cores implemented in VHDL or Verilog into an overall system design. where a producer and a conA not deadlock sumer communicate through a communication protocol with 2) the bus is always only granted to ONE master at a 4 phases. time: We used a varying number of concurrent non-blocking A M1#busgranted + M2#busgranted <= 1 transports. R EFERENCES we capture their semantics in a more direct way. C ONCLUSION simulate and evaluate it altogether.isCommunicating imply x <= N dynamic memory management. the whole control logic. as it only has to be done once in the design ﬂow. With our approach. which is not negligible but This is a typical example which is both difﬁcult to detect acceptable. and timing Table II shows the results of the veriﬁcation with different of the design remained untouched. all split transactions besides the ﬁrst one failed. and to correct with simulation alone. With the help of the graphical visualization in U PPAAL and In future work. previously the main source for computational 3) a bus request is always eventually answered with a bus overhead and also the reason for out of memory problems if a grant: limit of two concurrent notiﬁcations was exceeded. This is shown by our experiments on 1) deadlock freedom: an approximately-timed model. which is not supported by where x is an extra clock. we veriﬁed Nevertheless. we have presented example. with respect to veriﬁcation. 1994. This is also be proved to be satisﬁed at the end of the veriﬁcation phase. The main idea behind the optimizations register transfer level rather than on transaction level.or under-approximation is performed. we plan to extend our approach to lower due to the structure preservation of our transformation. Dill. i. using the non-blocking transport including PEQs. A Theory of Timed Automata. For the U PPAAL model checker. which is reset whenever a our approach. However. As a The veriﬁcation effort for 2 masters and 2 slaves is less than consequence. and to VII. In case once we had the counter-example generated by the U PPAAL of a split transaction. 126:183–235. Our optimizations also enables the application M2#busrequest --> M2#busgranted of our approach to an industrial case study. different techniques are used for pure hardware In this paper. but can now be model checked with reasonable A M1.isCommunicating imply x <= N effort. e. All properties could a missing variable reset in one of the masters. Theoretical Computer Science. no over. which with an SMT solver to verify a reﬁned version of the AMBA provide evidence for the performance and for the usefulness AHB system where the masters and slaves are modeled on of the approach. it signiﬁcantly reduces the semantic state space the following four properties: and makes model checking considerably faster and less memory-consuming. and timing properties. it levels of abstraction. the generation of counter-examples only took generation of a counter example took only a few minutes. the communimodel of the AMBA AHB released by Carbon Design Syscation never takes more than N time units (for a ﬁxed tems. master is granted the bus. For the experimental evaluation. to investigate whether these different veriﬁcation techniques which is especially tailored for being model checked with can be integrated to achieve overall veriﬁcation results. The graphical animation in During the veriﬁcation we were able to detect a bug in the U PPAAL and the structure-preservation of our transformation original design which led to a deadlock situation when a made it very easy to understand the cause of this error transaction was split into several separate transfers. Instead. our model checking approach could be combined experimental results from an industrial case study.
Automation and Test in Europe. 2006. Schellekens. 2007.751 2M2S 25:52 19:55 17:08 19:55 18:08 7. M. Fedeli. Monsuez. 2007. Formal veriﬁcation of SystemC Designs using a Petri-Net based Representation. Salem.  N. 2011. Peng. M. and S. pages 61– 66. 1666–2005. IEEE. J.152 2. 2005. Bombieri.  B. 2006. Le. J. In Design. pages 113 – 122. Gerlach. 2003. Tahar. AMBA3 AHB-Lite Protocol Speciﬁcation. Rosenstiel. Drechsler. Berlin. pages 76–81. pages 69–83. and V. W. An Approach for the Veriﬁcation of SystemC Designs Using AsmL. SystemC: Methodologies and Applications. M. Veriﬁcation of an industrial SystemC/TLM model using LOTOS and CADP.  D. pages 64–70. M. Drechsler. Model Checking SystemC Designs Using Timed Automata. Man. Forum on speciﬁcation and Design Languages. Behrmann. In Research in Microelectronics and Electronics. A SystemC/TLM semantics in Promela and its possible applications. pages 26–35.  A. TLM 2. Springer. Ruf. H. Model Checking on TLM-2. and L. P. pages 161 – 170.  A. In First International Workshop on Veriﬁcation and Evaluation of Computer and Communication Systems (VECoS 2007). Ltd.345 Veriﬁcation time (min:sec) 1M2S 2M1S 0:26 5:10 4:00 0:20 3:25 4:00 0:25 9:53 221. U. 2001. M¨ uller. In Formal Methods for the Design of Real-Time Systems. Lussy: A toolbox for the analysis of systems-on-a-chip at the transactional level. In Automated Technology for Veriﬁcation and Analysis. H. SystemC WaitingState Automata. 2004. Helmstetter. Zhang. The Simulation Semantics of SystemC. In International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS).  K.  A. Glesner. SC2SCFL: Automated SystemC to SystemCFL Translation.  A. Automation and Test in Europe. Kropf. In Great Lakes Symposium on VLSI.  Y. 2008. F. volume 1. Glesner.  IEEE Standards Association. LNCS 3185. Guarnieri. O.0 Reference Manual. IEEE Press. Springer. and B.  C. pages 97–126. Maraninchi. and W. In VLSI System on Chip Conference (VLSI-SoC). Ponsini. Moinudeen. LNCS 4595. In Design. Maraninchi:. 2009. and W. Formalizing TLM with Communicating State Machines. Springer. Traulsen. 2006. Habibi.009. In Embedded Computing Systems: Architectures. Rosenstiel. A. HW/SW CoVeriﬁcation of Embedded Systems using Bounded Model Checking. Moy. Kluwer Academic Publishers. Automation and Test in Europe (DATE). Fummi. Ruf. D. and S. In International Conference on Formal Methods and Models for Co-Design (MEMOCODE). 2010. Vedrine. Transforming SystemC Transaction Level Models into UPPAAL Timed Automata. In 14th Workshop on Model Checking Software (SPIN ’07). An Overview of SystemCFL. G.964. P. F. T. 2003. Proving Transaction and System-level Properties of Untimed SystemC TLM Designs.0 IPs through automatic TLM-to-RTL Synthesis. Karlsson.  Open SystemC Initiative (OSCI).  W. pages 1228– 1233. pages 131–136. pages 204–222. pages 34–45. IEEE Computer Society. K¨ uhne. Generating Finite State Machines from SystemC. Niemann and C. 2010. IEEE Press.  K. C. LNCS 4599. pages 46–55. and R. Haubelt. 75 . Automation and Test in Europe (DATE). 2006. and S. M. M¨ uller. and F. IEEE Computer Society. Maillet-Contoz. Herber. 2005. Tahar. Man. F. pages 145– 148. A Tutorial on U PPAAL. and K. ACM press. Moy. and Z. and M. chapter An ASM based SystemC Simulation Semantics. Eles.195 Table II M ODEL C HECKING R ESULTS FROM AMBA AHB  G. IEEE Computer Society. Formal Semantics of Synchronous SystemC. L. In Formal Methods and Models for Codesign. Cornet. In Formal Methods and Models for Codesign (MEMOCODE). 2006.  P.  D. In International Conference on Application of Concurrency to System Design (ACSD). W. Larsen. IEEE Std. Garavel. Habibi and S. 2005. Herber. and Simulation. David.  H.  M. Modeling. 2005. pages 10376–10381. ACM Press.  P. Pockrandt. Hoffmann. Boubekeur. Große. Mercaldi.  J. J.Property deadlock freedom only one master bus granted to M1 bus granted to M2 communication in time # states 1M1S 0:07 0:05 0:17 74.  D. In Design. and W. 2009. pages 43– 48. J. and R. Große. pages 200–236. Serwe. Fellmuth. IEEE Computer Society. LNCS 3707. In Design. Springer. 2007. Open SystemC Language Reference Manual. A. L.