

#### Formal Verification of CHP Specifications with CADP, Illustration on an Asynchronous Network-on-Chip



Gwen Salaün, Wendelin Serwe (INRIA / VASY) Yvain Thonnart, **Pascal Vivet** (CEA / LETI)



ASYNC'07 Symposium, Berkeley, USA

March 12th, 2007

# Outline of the Presentation



- Introduction
- Translation from CHP to LOTOS
- CADP toolbox overview
- Verification of ANOC protocol
- Conclusion & Future Work

# Context & Objective



Designing of complex asynchronous designs :

- existing tool support for : simulation and synthesis
- verification is needed!
  - => Translate CHP to LOTOS by using CADP toolbox





### CHP language



- Abstract descriptions of asynchronous circuits ?
  - Model asynchronous handshaking by asynchronous VLSI programming language seen as a Process Algebra
- Several existing languages :
  - High-level languages to describe processes communicating by message-passing along wires
  - CHP, Balsa, Haste/Tangram, Verilog channel extension, SystemC extensions, ...
- CHP (Communicating Hardware Processes):
  - Compilation to VLSI circuits [Martin-86]
  - Inspired by guarded commands and CSP
  - Tool support: TAST tools (TIMA Lab., Grenoble)
- Specific *Probe* operator :
  - Probe allows to observe a pending communication
  - Used to exploit low-level aspects of hardware implementation of communication channels







- Introduction
- Translation from CHP to LOTOS
- CADP toolbox overview
- Verification of ANOC protocol
- Conclusion & Future Work

# CHP to LOTOS translation principle



- CHP and LOTOS are based on CSP
- Main differences between CHP and LOTOS
  - looping guarded commands vs recursive processes
  - -symmetrical vs asymmetrical sequential composition
  - implicit vs explicit (exit/accept) variable passing
  - implicit vs explicit termination
  - -internal vs external choice
  - -p2p HW type vs multi-dir abstract typed channel
  - no LOTOS equivalent for CHP probe operation!
    - in CHP: probed channel ?
      - Corresponds to a shared variable/resource
    - in LOTOS: probed channel ?
      - Requires additional processes

### Let The Probe Operator : c#, c#V



- Used in the passive side only
- Boolean Operation:

C#V = { true if active side waits (for sending V) on c false otherwise

- Active side is blocked in case of a successful probe:
   Cannot change V before synchronisation / acknowledge
  - Cannot emit a different value on c
- Thus: Channels are "particular shared variables"
  - Written only by active side
  - Read only by passive side
  - Between two writes, a synchronisation is required



# Probe operator : Example



Two-way arbiter example :

- client 1: @[ c<sub>1</sub>!; loop ]
- client 2: @[ c<sub>2</sub>!; loop ]
- arbiter:

@@[  $c_1 \# \Rightarrow (c_1?, c!1)$ ; loop  $c_2 \# \Rightarrow (c_2?, c!2)$ ; loop ]





#### Interaction with client 1 only

#### **Definition of a SOS semantics for CHP :** => to garantee translation correctness

[IFM'05] G. Salaün, W. Serwe. Translating Hardware Process Algebras into Standard Process Algebras - Illustration with CHP and LOTOS. *Proc. of IFM'05*. LNCS 3771, Springer.



#### leti Channel translation



- Translation of a channel c :
  - Depends whether a probe occurs on c
  - Perform pre-processing before the translation task
    - This optimizes the generated state-graph

- Three cases:
  - Un-probed channels
  - Single probe in guards  $\implies$  simplified translation  $@[c_1 \# \Rightarrow (c_1?, c!1); loop ...$
- → direct translation

  - Probe in expression generic translation  $@[c_2 # and \neg (c_1 # true)) \Rightarrow (c!2, c_2?); loop ...$



Channel translation : for Un-Probed channel WINRIA

• For un-probed channels : Direct translation





Simplified grammar for guards:

- Guard ::= V | c# | c#V
- No probe in expressions V
- ⇒ Avoid additional channel process and gates





March 12th, 2007

# Let Translator CHP $\Rightarrow$ LOTOS



### Translation Schema



- Tool Implementation
  - code specialization for probes
    - (reduction up to a factor of 156)
  - 19,300 lines of SYNTAX, LOTOS NT, and C
  - test base of more than 500 CHP specifications

œ



- Introduction
- Translation from CHP to LOTOS
- CADP toolbox overview
- Verification of ANOC protocol
- Conclusion & Future Work

# CADP : Key Concepts



- CADP takes roots in concurrency theory
- Process algebra
  - Modular value-passing languages
  - Equivalences (Bisimulation)
  - Compositionality
- Explicit-state verification
  - As opposed to symbolic methods (BDDs, etc.)
  - Action-based models (Labeled Transition Systems)
  - µ-calculus, temporal logics
  - Model checking + Equivalence checking

### http://www.inrialpes.fr/vasy/cadp

(Google: CADP Toolbox)

# CADP : Toolbox Architecture





March 12th, 2007



- Introduction
- Translation from CHP to LOTOS
- CADP toolbox overview
- Verification of ANOC protocol
  - ANOC presentation
  - state space generation techniques
  - -verification techniques
- Conclusion & Future Work



leti Asynchronous Network-on-Chip Architecture **WINRIA** 

- ANOC architecture
  - 2D-mesh based
  - Provide Quality-of-Service
  - Implemented in QDI logic
- ANOC network protocol •
  - Packet Switching
  - Source Routing
- ANOC Communication node
  - Composed of :
    - 5 input controllers
    - 5 output controllers
  - Handle Virtual Channel policy





### ANOC Node Input Controller



- For each node input :
  - Routes flits of a packet to the corresponding output
  - direction determined by the header flit
  - 4 possible directions
  - 2 virtual channels
- Complex arrangement of 14 Asynchronous Processes





# Lett Verification Approach: Overview



- Simplifications on the CHP level
- Compositional state space generation
- Verification of properties
  - absence of deadlocks
  - correct stimulus-response protocol
  - NOC data integrity
  - NOC data routing
- Simplified via SVL scripts



# Simplifications on the CHP level

- Data Independence
  - fix part of the flits
  - reduction from  $10^{25}$  down to 5 \*  $10^{16}$  states
- Traffic Generator

- 33
   32
   31
   30
   29
   2
   1
   0

   BOP
   EOP
   flit id
   fixed sequence
   flit id
- emulate a "realistic environment"
- check correctness ("observer" processes)
- Verification Scenarios
  - cut a large verification into several smaller ones
  - several sequences of inputs
  - a generic SVL script for all scenarios



# Compositional State Space Generation **WINKIA**

- Principle: "Divide and conquer"
- Alternate the steps of
  - generation
  - hiding internal transitions
  - minimization
  - combination
- Order following the data path
  - Use inputs to restrict behaviors
  - Use SVL scripts (41 steps to generate the state graph)
- Results
  - The SVL script generates in about 4' the corresponding LTS
    - 1300 states, 3116 transitions
  - Largest intermediate LTS observed :
    - 295 000 states, 812 000 transitions



# Verified Properties: Deadlocks



- Deadlock freedom:
  - check for states without successor
- Infinite Occurrence:
  - check for cyclic behavior
- no issue detected



#### no issue detected









- Observer processes:
  - Compare responses with the expected results
  - Use special error channels
- Check for absence of error signals
- no issue detected

Let Verified Properties: NOC Data Routing



- NoC DATA routing : expresses as a µ-calculus formula : [true\* . on\_channel(0) . to\_dest(1)] <(no\_Data0\_toD())\* . 'Data0\_to1'> true
- CHP model check: a routing issue is detected
  - Tool generate a counter example :
    - Occurs if a new packet is admitted in the input controller before last flit of the previous packet was routed
- NoC node design ?
  - correct in simulation on Verilog netlist: no routing error
- So ... a real routing issue ?
  - due to CHP model under-specification:
    - CHP model does not account for handshake expansion
    - asynchronous processes actually have a ½ capacity (half-buffers)
  - If we explicit in the CHP model the real design slack, *corresponding* to the chosen HSE reshuffling, the routing issue is fixed.



# Conclusion



- Translation of CHP into LOTOS
  - Formal definition (including a SOS semantics)
  - Implementation of a translator tool
- Verification strategy using CADP toolbox :
  - Compositional state graph generation
  - Verification of various properties
- Case studies on CHP models of :
  - Asynchronous DES
  - ANOC communication node
    - Verification revealed a routing issue in the CHP model due to absence of the real system slack modeling

=> Positive feedback from realistic case studies

