
Automatic synthesis and verification of asynchronous interface controllers

Jordi Cortadella Universitat Politècnica de Catalunya, Spain

Michael Kishinevsky Intel Corporation, USA

Alex Kondratyev Theseus Logic, USA

Luciano Lavagno Università di Udine, Italy

Enric Pastor Universitat Politècnica de Catalunya, Spain

Marco A. Peña Universitat Politècnica de Catalunya, Spain

Alexander Yakovlev University of Newcastle upon Tyne, UK

[Figure: a specification STG describing the environment (transitions a+, b+, c+, c-, a-, b- on the input signals a, b, c) next to the implementation STG of the circuit (transitions x+, y+, x-, y- on the output signals x, y).]

Why and why not?

• Asynchronous circuits: robustness, modularity, less power consumption, low EMI, no clock skew and many other debatable advantages

• Designing correct async circuits is difficult (hazards, testing)

• Designing efficient async circuits is a nightmare (time comes into play)

• Design automation is crucial

How to make it asynchronous?

Outline

• Synthesis flow with STGs
  – Specification
  – State graph and next-state functions
  – State encoding
  – Implementability conditions
  – Logic decomposition

• Synthesis with relative timing assumptions

• Formal verification of timed circuits

Design flow

Specification (STG)
  → reachability analysis →
State Graph
  → state encoding →
SG with CSC
  → Boolean minimization →
Next-state functions
  → logic decomposition →
Decomposed functions
  → technology mapping →
Gate netlist

VME bus

[Figure: the VME bus controller sits between the device (signals LDS, LDTACK, D) and the bus (signals DSr, DSw, DTACK), with a data transceiver on D; waveforms of the read cycle.]

STG for the READ cycle

DSr+ → LDS+ → LDTACK+ → D+ → DTACK+ → DSr- → D- → DTACK- → DSr+ (cyclically)

After D-, the return of the device handshake, LDS- → LDTACK-, runs concurrently with DTACK- → DSr+; the next LDS+ waits for both DSr+ and LDTACK-.

Controller signals: inputs DSr (from the bus) and LDTACK (from the device); outputs LDS, D and DTACK.


Binary encoding of signals / State graph

[Figure: the state graph of the READ cycle obtained by reachability analysis. Each state carries the code (DSr, DTACK, LDTACK, LDS, D): 10000 after DSr+, 10010 after LDS+, 10110 after LDTACK+, 01110 after D-, 01100 or 00110 after LDS- or DTACK-, and 10110 again after the following DSr+. The same code 10110 labels two different states.]

Excitation / Quiescent Regions

For each signal the state graph is partitioned into ER(LDS+) and ER(LDS-), the states in which the transition is enabled, and QR(LDS+) and QR(LDS-), the states in which the signal is stable after the transition.

Next-state function

The next-state function of LDS is 1 on ER(LDS+) ∪ QR(LDS+) and 0 on ER(LDS-) ∪ QR(LDS-). One of the two states coded 10110 lies in QR(LDS+) (next value 1), the other in ER(LDS-) (next value 0).

Karnaugh map for LDS

[Figure: two maps, for LDS = 0 and LDS = 1, over DTACK, DSr, D, LDTACK. Unreachable codes are don't-cares (-). The cell for 10110 reads "0/1?": the two states sharing that code require different next values, so no Boolean function for LDS can be derived.]


Concurrency reduction

[Figure: one way to remove the conflict is to reduce concurrency in the STG, adding an ordering constraint among the transitions around DSr+ and LDS- so that only one of the two states coded 10110 remains reachable.]

State encoding conflicts

[Figure: the two states coded 10110 in the state graph: the one reached after LDTACK+, where D+ is enabled next, and the one reached after DSr+ following DTACK-, where LDS- and LDTACK- are still pending.]

Signal insertion

[Figure: the other way is to insert a new internal signal CSC. CSC+ is placed on the path towards LDS+ and CSC- on the return path (DSr-, D-, LDS-, LDTACK-). With CSC as a sixth code bit the two conflicting states become 101101 and 101100.]


Complex-gate implementation

[Figure: one complex gate per non-input signal (LDS, DTACK, D and the inserted csc), each a Boolean function of LDTACK, DSr, D and csc. The equations themselves did not survive extraction.]

Implementability conditions

• Consistency + CSC + persistency

• ⇒ There exists a speed-independent circuit that implements the behavior of the STG (under the assumption that any Boolean function can be implemented with one complex gate)


No Hazards

[Figure: a small STG over signals a, b, c and output x, with the trace 1000 → b+ → 1100 → a- → 0100 → c+ → 0110 (codes abcx) and the value of x along it. Implemented as a single complex gate, x is hazard-free.]

Decomposition May Lead to Hazards

[Figure: the same function split into two gates through an intermediate signal z. Along the same trace 1000 → 1100 → 0100 → 0110 the intermediate signal can switch in an order that makes x glitch: a transition that was hazard-free in the complex gate is not in the decomposed netlist.]

Decomposition example

[Figure: an STG over signals w, x, y, z (transitions y-, z-, w-, y+, x+, z+, x-, w+) and its state graph with codes wxyz 1001, 1011, 1000, 1010, 0001, 0000, 0101, 0010, 0100, 0110, 0111, 0011, partitioned by yz = 1 / yz = 0. The implementation uses C-elements. To decompose the logic a new internal signal s is inserted (transitions s+, s-), splitting the state graph into the regions s = 1 and s = 0, and the netlist is re-derived.]

Adding timing assumptions

[Figure: the READ-cycle STG, the speed-independent netlist derived from it (signals DTACK, D, DSr, LDS, LDTACK and the inserted csc, after technology mapping) and the VME bus controller between device and bus.]

Timing assumption: LDTACK- before DSr+. The device side (LDS-, LDTACK-) is FAST and the bus side (DTACK-, DSr+) is SLOW, so LDTACK- always occurs before the next DSr+.

Adding timing assumptions: state space domain

[Figure: under the assumption LDTACK- before DSr+, the interleavings in which DSr+ fires before LDTACK- disappear from the state graph. Two more states become unreachable.]

Boolean domain

[Figure: the Karnaugh maps for LDS (LDS = 0 and LDS = 1, over DTACK, DSr, D, LDTACK) before and after the assumption. The cell that read "0/1?" becomes a don't-care (-).]

One more DC vector for all signals. One state conflict is removed.

Netlist with one timing constraint

[Figure: the READ-cycle STG and the netlist re-derived under the assumption. The csc signal is no longer needed: the gates for DTACK, D and LDS are functions of DSr, LDTACK and D only.]

TIMING CONSTRAINT: LDTACK- before DSr+ (to be guaranteed by the environment).
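The reachability analysis, the state-encoding check and the two fixes discussed above (inserting csc, and the relative-timing assumption LDTACK- before DSr+) reproduced in code. This is an added example, not code from the talk or from petrify. It assumes the marked-graph structure of the READ-cycle STG as drawn in the slides, that DSr and LDTACK are the controller inputs, and particular insertion points for csc+/csc- (the slides only show the resulting codes 101101 and 101100); modelling the timing assumption as an extra causal arc is a choice of this example.

```python
"""Reachability, consistency and CSC analysis of an STG.

Added example, not code from the talk or from petrify.  The STG is the
VME-bus READ-cycle controller of the slides, written as a marked graph:
each arc t -> u is a place holding at most one token.  Two fixes from the
slides are reproduced: inserting an internal signal csc, and adding the
relative-timing assumption "LDTACK- before DSr+".  The exact arcs used for
both are assumptions of this example.
"""
from collections import deque

INPUTS = {"DSr", "LDTACK"}      # driven by the bus and the device

VME_READ = {
    # arc t -> u means u consumes the token produced by t
    "arcs": [("DSr+", "LDS+"), ("LDTACK-", "LDS+"), ("LDS+", "LDTACK+"),
             ("LDTACK+", "D+"), ("D+", "DTACK+"), ("DTACK+", "DSr-"),
             ("DSr-", "D-"), ("D-", "DTACK-"), ("D-", "LDS-"),
             ("LDS-", "LDTACK-"), ("DTACK-", "DSr+")],
    "marked": [("LDTACK-", "LDS+"), ("DTACK-", "DSr+")],  # initial tokens
    "signals": ["DSr", "DTACK", "LDTACK", "LDS", "D"],     # code bit order
}

def signal_of(t):
    return t[:-1]

def reachable(stg):
    """BFS over (marking, code) pairs.  Returns the state graph as
    {(marking, code): enabled transitions} plus consistency violations
    (a + transition fired with the signal at 1, or a - with it at 0)."""
    arcs = stg["arcs"]
    preds = {}
    for t, u in arcs:
        preds.setdefault(u, set()).add((t, u))
        preds.setdefault(t, set())
    idx = {s: i for i, s in enumerate(stg["signals"])}
    start = (frozenset(stg["marked"]), (0,) * len(idx))
    states, violations, queue = {}, [], deque([start])
    while queue:
        m, code = queue.popleft()
        if (m, code) in states:
            continue
        enabled = {t for t in preds if preds[t] <= m}
        states[(m, code)] = enabled
        for t in enabled:
            i, rising = idx[signal_of(t)], t.endswith("+")
            if code[i] == int(rising):
                violations.append((t, "".join(map(str, code))))
            new_code = code[:i] + (int(rising),) + code[i + 1:]
            new_m = (m - preds[t]) | {(t, u) for v, u in arcs if v == t}
            queue.append((new_m, new_code))
    return states, violations

def csc_conflicts(states):
    """Codes shared by markings that enable different non-input transitions:
    no next-state function can be defined there (the '0/1?' cell)."""
    by_code = {}
    for (m, code), enabled in states.items():
        outs = frozenset(t for t in enabled if signal_of(t) not in INPUTS)
        by_code.setdefault("".join(map(str, code)), set()).add(outs)
    return {c: sorted(sorted(o) for o in s) for c, s in by_code.items() if len(s) > 1}

def with_csc_signal(stg):
    """Insert csc+ before LDS+ (after DSr+ and LDTACK-) and csc- between
    DSr- and D-.  Assumed insertion points, see module docstring."""
    drop = {("DSr+", "LDS+"), ("LDTACK-", "LDS+"), ("DSr-", "D-")}
    arcs = [a for a in stg["arcs"] if a not in drop]
    arcs += [("DSr+", "csc+"), ("LDTACK-", "csc+"), ("csc+", "LDS+"),
             ("DSr-", "csc-"), ("csc-", "D-")]
    marked = [a for a in stg["marked"] if a != ("LDTACK-", "LDS+")]
    return {"arcs": arcs, "marked": marked + [("LDTACK-", "csc+")],
            "signals": stg["signals"] + ["csc"]}

def with_timing_assumption(stg):
    """Relative timing 'LDTACK- before DSr+' as an extra causal arc
    LDTACK- -> DSr+ (initially marked because LDTACK starts low).  The
    environment must guarantee it; the circuit then needs no csc."""
    extra = ("LDTACK-", "DSr+")
    return {"arcs": stg["arcs"] + [extra], "marked": stg["marked"] + [extra],
            "signals": stg["signals"]}

def analyse(stg):
    states, violations = reachable(stg)
    return {"states": len(states),
            "codes": len({code for _, code in states}),
            "inconsistent": violations,
            "csc_conflicts": csc_conflicts(states)}

if __name__ == "__main__":
    for name, net in [("original", VME_READ),
                      ("csc inserted", with_csc_signal(VME_READ)),
                      ("LDTACK- before DSr+", with_timing_assumption(VME_READ))]:
        print(f"{name}: {analyse(net)}")
```

Running it reports 14 states but only 13 codes for the original STG, with code 10110 enabling D+ in one state and LDS- in the other; with csc inserted there are 16 states, all with distinct codes; with the timing arc there are 12 states (the two unreachable ones of the slide) and no conflict, so the csc signal is not needed.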

Types of timing assumptions

• Environment slower (or faster) than the circuit

• Gate delay shorter than another gate delay

• Speculative enabling (events enabled before they must actually occur)

• Indistinguishable firing times of different events

• . . .

Formal verification

• Implementability properties
  – Consistency, persistency, state coding, …

• Behavioral properties (safeness, liveness)
  – Mutual exclusion, "ack" after "req", …

• Equivalence checking
  – Circuit ≡ Specification
  – Circuit < Specification (the circuit implements the specification)

Property

• g must fire before d after having fired x

[Figure: a timed trace of the events x, a, b, c, g, d, y on which the property is checked.]

Verifying asynchronous circuits

• Internal signals cannot be abstracted out (many more state signals and states)

• If delays must be taken into account, each gate is a component with delay

• Verification with timed automata becomes unmanageable (BDDs do not work): gate = counter + state signal

• We need clever strategies to do symbolic model checking

Timed Transition System (Manna, Pnueli)

• Transition System
• Min/Max delays

Delays: (a) [1,2], (b) [1,2], (c) [2.5,3], (g) [0.5,0.5]; x and d are unconstrained, [0,∞).

[Figure: the event structure (read from the enabled sets: a and b follow x, c and g follow a, d follows c) and one run of the transition system given by its sets of enabled events: {x} → {a,b} → {b,c,g} → {c,g} → {d,g} → {g} → ∅. In this untimed run d fires before g.]

Maximum Time Separation (McMillan & Dill, 1992)

max τ(g) − τ(d) = −2

[Figure: the computation on the event structure, annotated with the longest min-delay path to d (values 0, 2.5, 3.5) and the slack along the max-delay path to g (−1.5), giving max τ(g) − τ(d) = −2: g always fires at least 2 time units before d.]
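The separation on the slide, recomputed as an added example. This is not code from the talk and not the McMillan-Dill algorithm itself: it enumerates the corners of the delay box, which is exact for AND-causality because every occurrence time is a longest-path (max-plus) expression in the delays. The event structure (a and b after x; c and g after a; d after c) is an assumption read from the enabled sets in the figure; the delay intervals are the ones on the slide. The naive path bound is included to show why the shared trigger of g and d matters.

```python
"""Maximum time separation between two events of a timed event structure.

Added example, not from the talk and not the McMillan-Dill algorithm.
Event structure (an assumption consistent with the slide): x starts
everything, a and b are triggered by x, g and c by a, d by c.  Causality
is AND-type: an event occurs at the latest occurrence of its triggers plus
its own delay, drawn from a [min, max] interval.
"""
import itertools
import math

EVENTS = {                       # event: (triggers, (min_delay, max_delay))
    "x": ((), (0.0, 0.0)),
    "a": (("x",), (1.0, 2.0)),
    "b": (("x",), (1.0, 2.0)),
    "g": (("a",), (0.5, 0.5)),
    "c": (("a",), (2.5, 3.0)),
    "d": (("c",), (0.0, math.inf)),   # d is an unconstrained input
}

def topological(events):
    order, seen = [], set()
    def visit(e):
        if e not in seen:
            seen.add(e)
            for p in events[e][0]:
                visit(p)
            order.append(e)
    for e in events:
        visit(e)
    return order

def occurrence_times(events, delay):
    """Occurrence time of every event for one concrete delay assignment."""
    tau = {}
    for e in topological(events):
        triggers = events[e][0]
        tau[e] = max((tau[p] for p in triggers), default=0.0) + delay[e]
    return tau

def max_separation(events, u, v):
    """Exact max(tau_u - tau_v).  Each tau is a longest-path (max-plus)
    expression in the delays, so tau_u - tau_v is monotone in every single
    delay and its maximum is attained at a corner of the delay box; the
    2^n corners are enumerated (fine for a handful of events)."""
    names = list(events)
    best = -math.inf
    for corner in itertools.product((0, 1), repeat=len(names)):
        delay = {e: events[e][1][bit] for e, bit in zip(names, corner)}
        tau = occurrence_times(events, delay)
        best = max(best, tau[u] - tau[v])
    return best

def path_bound(events, u, v):
    """Naive bound: latest path to u minus earliest path to v.  It treats
    the two paths as independent and misses that g and d share the
    trigger a, so it is looser than the exact separation."""
    early, late = {}, {}
    for e in topological(events):
        triggers, (dmin, dmax) = events[e]
        early[e] = max((early[p] for p in triggers), default=0.0) + dmin
        late[e] = max((late[p] for p in triggers), default=0.0) + dmax
    return late[u] - early[v]

def always_before(events, u, v):
    """Property 'u fires before v': holds iff u can never be as late as v."""
    return max_separation(events, u, v) < 0

if __name__ == "__main__":
    print("max tau(g) - tau(d) =", max_separation(EVENTS, "g", "d"))   # -2.0
    print("path bound          =", path_bound(EVENTS, "g", "d"))       # -1.0
    print("g before d:", always_before(EVENTS, "g", "d"))
```

The path bound gives −1 (max path to g is 2.5, min path to d is 3.5), the exact separation is −2: since both g and d wait for a, the delay of a cancels and only the 0.5 of g against the 2.5 of c remains. Either value proves the property "g before d", but the exact one is the constraint worth back-annotating.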

From absolute to relative timing

[Figure: the timed trace x, a, b, c, g, d, y and the corresponding event structure; the absolute delay bounds are turned into relative orderings between events (which event fires before which), which is what the untimed verification can use.]

Timing analysis

[Figure: timing analysis of the event structure (a, b after x; c, g after a; d after c): the orderings of a, b, c, g, d allowed by the delay bounds are derived and the impossible ones, such as d before g, are discarded.]

Border of failure states

• Failure trace
• Event structure
• Timing analysis
• Composition

[Figure: the verification loop. A failure trace from the untimed model checker is turned into an event structure; timing analysis yields the orderings the delays impose; these are composed back with the state space, shrinking the border of failure states, and the loop repeats.]

Backannotation (sufficient timing constraints)

circuit          gates  untimed   fail     constr  correct  CPU
alloc-outbound      11       82      20        4    Y         2
mp-forward-pkt       8      186      70        8    Y         5
dff                  6      225     164        6    N         3
half                 7      227     133        1    N         0
chu133               9      288     204        2    N         1
converta            12      408     244        9    N        18
nowick              10      510     292        4    Y         3
chu150               8      520     339        3    N         2
sbuf-send-ctl       13     1592    1081       18    N        71
rpdft                8     2612    1841        2    N         2
tsend-bm            12     3880     299        3    N        46
sbuf-send-pkt2      13    45544    4044       17    Y       155
ram-read-sbuf       16    19328   17488       34    Y       667
mr1                 16    20912   11460        8    Y       417
mr0                 20   727304  642291        2    N       223
trimos-send         24   2.1E6   1.8E6         1    N       127
mmu                 22   5.6E6   5.2E6         5    N      1046

(Column headers as in the talk: gates = number of gates, untimed = states of the untimed model, fail = failure states, constr = timing constraints back-annotated, CPU = seconds.)

Conclusions

• An asynchronous circuit is a concurrent system with processes (gates) and communication (wires)

• The synthesis and formal verification of asynchronous control circuits can be fully automated

• The theory of concurrency is crucial to formalize automatic synthesis and verification methods

• Existing academic tools: petrify, 3D, ATACS, Kronos, versify, etc.

• Industry is starting to try: Intel, Theseus, Cogency, IBM, ...