Page 1
Processes, interfaces and platforms.
Embedded software modeling in Metropolis.
Luciano Lavagno
Politecnico di Torino
EMSOFT 2002, CASES 2002
Grenoble, France
Page 2
Metropolis Project: main participants
• Cadence Berkeley Labs (USA): methodologies, modeling, formal methods
• UC Berkeley (USA): methodologies, modeling, formal methods
• Politecnico di Torino (Italy): modeling, formal methods
• Universitat Politecnica de Catalunya (Spain): modeling, formal methods
• Philips Research (Netherlands): methodologies (multi-media)
• Nokia (USA, Finland): methodologies (wireless communication)
• BWRC (USA): methodologies (wireless communication)
• BMW (USA): methodologies (fault-tolerant automotive controls)
• Intel (USA): methodologies (microprocessors)
• STMicroelectronics (France, Italy): methodologies (wireless platforms)
Page 3
Metropolis Framework
Infrastructure
• Metropolis meta-model
- language
- modeling mechanisms
• Meta-model compiler
Meta-model Library
• Models of computation
Meta-model Library
• Architecture platforms
Tools
Simulator QSS PIG STARS SPIN …
Application-specific methodologies
Multi-media, wireless communication, mechanical controls, processors
Page 4
Design Methodology
Balance between reusability and optimality
• orthogonalize design concerns as much as possible
• optimize the final implementation as much as necessary
[Figure (design flow), labels: Function Component Library and System Function Model (demux, PES parser, MPEG decode, HSRC, VSRC, Image Juggler, Control); Architecture Component Library and System Architecture Model (CPU, I$, D$, UART, INT, RTOS, API, driver, BCU, HW assist, MEM); Functional & Non-func. Constraints; Map; Refine; Optimize; Implementation of System]
Page 5
Metropolis meta-model
• Computation : f : X → Z
• Communication : state evaluation and manipulation
• Coordination : constraints over concurrent actions
- process : generates a sequence of events
- medium : defines states and methods
- quantity : annotation of each event (time, energy, memory, …)
- logic : relates events and quantities, defines axioms on quantities
- quantity-manager : algorithm to realize annotation subject to relational constraints
Concurrent specification with a formal execution semantics:
Key difference with respect to Ptolemy, UML, SystemC, …!!!
Page 6
Meta-model : function netlist
process P{
  port reader X;
  port writer Y;
  thread(){
    while(true){
      ...
      z = f(X.read());
      Y.write(z);
    }
  }
}
medium M implements reader, writer{
  int storage;
  int n, space;
  void write(int z){
    await(space>0; writer ; writer)
      n=1; space=0; storage=z;
  }
  word read(){ ... }
}
interface reader extends Port{
  update int read();
  eval int n();
}
interface writer extends Port{
  update void write(int i);
  eval int space();
}
[Figure: MyFncNetlist, with processes P1 and P2 (ports X, Y), medium M, Env1 and Env2]
Page 7
Meta-model: execution semantics
• Processes take actions.
- statements and some expressions, e.g. y = z+port.f(), port.f(), i < 10, …
• An execution of a given netlist is a sequence of vectors of events.
- event : the beginning of an action, e.g. B(port.f()), the end of an action, e.g. E(port.f()), or null (no-op) N
- the i-th component of a vector is an event of the i-th process
• synchronous trace-based semantics
- time and other quantities elapse and actions are executed in states
- no assumption on atomicity whatsoever (unless explicitly modeled)
• An execution is feasible if
- it satisfies all coordination constraints, and
- it is accepted by all action automata defining meta-model semantics
Page 8
Meta-model: architecture components
An architecture component specifies services, i.e.
• what it can do : interfaces
• how much it costs : quantities, annotation, logic of constraints
medium Bus implements BusMasterService …{
  port BusArbiterService Arb;
  port MemService Mem; …
  update void busRead(String dest, int size) {
    if(dest== … ) Mem.memRead(size);
    [[Arb.request(B(busRead));
      GTime.request(B(memRead),
        BUSCLKCYCLE +
        GTime.annotation(B(busRead)));
    ]]
  }
  …
}
scheduler BusArbiter extends Quantity
    implements BusArbiterService {
  update void request(event e){ … }
  update void resolve() { /* schedule */ }
}
interface BusMasterService extends Port {
  update void busRead(String dest, int size);
  update void busWrite(String dest, int size);
}
interface BusArbiterService extends Port {
  update void request(event e);
  update void resolve();
}
[Figure: BusArbiter and Bus]
Page 9
Meta-model: architecture netlist
Architecture netlist specifies configurations of architecture components.
Each constructor
- instantiates arch. components,
- connects them,
- takes as input mapping processes.
[Figure: MyArchNetlist, with Bus, BusArbiter, Mem, Cpu and OsSched; Master: CPU + OS; Slave: Mem; Arbiter]
Page 10
Meta-model: mapping processes
Function process:
process P{
  port reader X;
  port writer Y;
  thread(){
    while(true){
      ...
      z = f(X.read());
      Y.write(z);
    }
  }
  int f (int n) {
    int i;
    for (i = 0; i < n; i++) {
      …
    }
  }
}
Mapping process:
process MapP{
  port CpuService Cpu;
  void readCpu(){
    Cpu.exec(2); Cpu.cpuRead();
  }
  void mapf(){ Cpu.exec(12*n); }
  …
  thread(){
    while(true){
      await {
        (true; ; ;) readCpu();
        (true; ; ;) mapf();
        (true; ; ;) readWrite();
      }
    }
  }
}
B(P, X.read) <=> B(MapP, readCpu); E(P, X.read) <=> E(MapP, readCpu);
B(P, f) <=> B(MapP, mapf); E(P, f) <=> E(MapP, mapf);…
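The execution-semantics slide defines an execution as a sequence of event vectors, and the mapping slide ties events of P to events of MapP with `<=>`. The following added example (not Metropolis code, and not from the original slides) checks constructed traces against those four constraints. The names `PROCS`, `SYNC` and `violations` are assumptions, and the begin/end nesting check is a simplified stand-in for the action automata.

```python
# Added example (not Metropolis code): check event vectors against the mapping constraints.
N = None                      # null (no-op) event
def B(a): return ("B", a)     # beginning of action a
def E(a): return ("E", a)     # end of action a

PROCS = ("P", "MapP")         # assumed order of vector components

# B(P, X.read) <=> B(MapP, readCpu), etc., as written on the slide.
SYNC = [
    (("P", B("X.read")), ("MapP", B("readCpu"))),
    (("P", E("X.read")), ("MapP", E("readCpu"))),
    (("P", B("f")), ("MapP", B("mapf"))),
    (("P", E("f")), ("MapP", E("mapf"))),
]

def violations(trace, procs=PROCS, sync=SYNC):
    """Return [(step, reason)] for a trace; an empty list means feasible
    with respect to the checks implemented here."""
    col = {p: i for i, p in enumerate(procs)}
    begun = {p: [] for p in procs}    # stack of actions begun, not yet ended
    found = []
    for step, vec in enumerate(trace):
        # "<=>": both events occur in this vector, or neither does.
        for (p1, e1), (p2, e2) in sync:
            if (vec[col[p1]] == e1) != (vec[col[p2]] == e2):
                found.append((step, f"{p1}:{e1} <=> {p2}:{e2}"))
        # Simplified stand-in for the action automata: every E(a) must
        # close the most recent open B(a) of the same process.
        for p in procs:
            ev = vec[col[p]]
            if ev is N:
                continue
            kind, action = ev
            if kind == "B":
                begun[p].append(action)
            elif not begun[p] or begun[p].pop() != action:
                found.append((step, f"{p}: E({action}) has no open B"))
    return found

# Constructed traces: one vector per step, (event of P, event of MapP).
GOOD = [(B("X.read"), B("readCpu")), (E("X.read"), E("readCpu")),
        (B("f"), B("mapf")), (N, N), (E("f"), E("mapf"))]
# P finishes its read one step before the mapping process does.
BAD = [(B("X.read"), B("readCpu")), (E("X.read"), N), (N, E("readCpu"))]

if __name__ == "__main__":
    print(violations(GOOD))
    for step, reason in violations(BAD):
        print(step, reason)
```

In the second trace both halves of the broken `<=>` are reported: once where P ends its read alone, and once where MapP ends readCpu alone.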
Page 11
Meta-model: mapping netlist
[Figure: MyMapNetlist, showing MyFncNetlist (P1, P2, medium M, Env1, Env2), mapping processes mP1 and mP2, and MyArchNetlist (Bus, BusArbiter, Mem, Cpu, OsSched)]
B(P1, M.write) <=> B(mP1, mP1.writeCpu); E(P1, M.write) <=> E(mP1, mP1.writeCpu);
B(P1, P1.f) <=> B(mP1, mP1.mapf); E(P1, P1.f) <=> E(mP1, mP1.mapf);
B(P2, M.read) <=> B(mP2, mP2.readCpu); E(P2, M.read) <=> E(mP2, mP2.readCpu);
B(P2, P2.f) <=> B(mP2, mP2.mapf); E(P2, P2.f) <=> E(mP2, mP2.mapf);
Page 12
Meta-model: platforms
interface MyService extends Port { int myService(int d); }
medium AbsM implements MyService{ int myService(int d) { … }}
B(thisthread, AbsM.myService) <=> B(P1, M.read);
E(thisthread, AbsM.myService) <=> E(P2, M.write);
refine(AbsM, MyMapNetlist);
[Figure: further mapping netlists MyMapNetlist1 and MyMapNetlist2, each shown with MyFncNetlist (P1, P2, M) and MyArchNetlist and its own event constraints B(…) <=> B(…); E(…) <=> E(…); with refine(AbsM, MyMapNetlist1) and refine(AbsM, MyMapNetlist2)]
A set of mapping netlists, together with constraints on event mappings, constitutes a platform (constrained set of possible implementations) with a given interface.
Page 13
Meta-model: recursive platforms
B(Q2, S.cdx) <=> B(Q2, mQ2.excCpu); E(Q2, M.cdx) <=> E(mQ2, mQ2.excCpu);
B(Q2, Q2.f) <=> B(mQ2, mQ2.mapf); E(Q2, P2.f) <=> E(mQ2, mQ2.mapf);
[Figure: recursive platform diagram with labels S, N, N', MyFncNetlist (P1, P2, M), MyArchNetlist, RTOSNetlist and RTOS]
Page 14
Meta-model: summary
• Concurrent specification with a formal execution semantics
• Feasible executions of a netlist: sequences of event vectors
• Quantities can be defined and annotated with events, e.g.
time, energy, memory, ...
• Concurrent events can be coordinated in terms of quantities:
- logic can be used to define the coordination,
- algorithms can be used to implement the coordination.
• The mechanism of event coordination wrt quantities plays a key role:
- architecture modeling as service with cost,
- mapping coordinates executions of functional and architecture netlists,
- refinement with event coordination provides a platform.
Page 15
Metropolis Framework
Infrastructure
• Metropolis meta-model
- language
- modeling mechanisms
• Meta-model compiler
Meta-model Library
• Models of computation
Meta-model Library
• Architecture platforms
Tools
Simulator QSS PIG STARS SPIN …
Application-specific methodologies
Multi-media, wireless communication, mechanical controls, processors
Page 16
Metropolis infrastructure architecture
[Figure, labels: Meta model language; Meta model compiler (Front end, Abstract syntax trees, Back end 1, Back end 2, Back end 3, ..., Back end N); Simulator tool; Synthesis tool; Verification tool (twice); Language1, Language2, ..., Languagen with Translator1, Translator2, ..., Translatorn]
Page 17
Metropolis infrastructure status
[Figure, labels: Meta model language; Meta model compiler (Front end, Abstract syntax trees, Back end 1, Back end 2, Back end 3, ..., Back end N); Spin; Prometheus; SystemC Simulator; Symbolic HW scheduler; Simulink, Esterel/Lustre, UML with Translator1, Translator2, ..., Translatorn]
Page 18
Deriving other formal models from the meta-model
Example: Petri nets
await(X.n()>=2; X.reader; X.reader)
  for(i=0; i<2; i++) x[i]=X.read();
[Figure: Petri net for the await statement, with labels reader_lock, X.n() (arc weights 2 and 2), i=0;, i<2?, x[i]=X.read(); i++;, end of await, reader_unlock]
Formal methods on Petri nets:
• analyze the schedulability
• analyze upper bounds of storage sizes
• synthesize schedules
Restrictions:
• condition inside await is conjunctive
• specific medium type (FIFO) is used
Page 19
Example: quasi-static scheduling
1 Specify a network of processes
2 Translate to the Petri net model
3 Find a “schedule” on the Petri net
4 Translate the schedule to a set of tasks (processes)
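Steps 2 and 3 above, together with the storage-bound analysis named on the Petri net slide, as an added example that is not part of the original slides and not output of the Metropolis tools. The net is constructed by hand for the `await(X.n()>=2; …)` fragment; the `write` producer transition, the place names and the search cap are assumptions, and the breadth-first search is a plain stand-in for a scheduling algorithm.

```python
from collections import deque
# Constructed net (not output of the Metropolis tools). Places: X = tokens
# in the FIFO, idle/r2/r1 = control state of the reading process.
PLACES = ("X", "idle", "r2", "r1")
NET = {   # transition: (tokens consumed, tokens produced)
    "write": ({}, {"X": 1}),                            # assumed producer
    "await": ({"idle": 1, "X": 2}, {"X": 2, "r2": 1}),  # tests X.n()>=2
    "read0": ({"r2": 1, "X": 1}, {"r1": 1}),            # x[0]=X.read()
    "read1": ({"r1": 1, "X": 1}, {"idle": 1}),          # x[1]=X.read()
}
M0 = {"X": 0, "idle": 1, "r2": 0, "r1": 0}

def fire(m, t):
    """Marking after firing t, or None if t is not enabled in m."""
    pre, post = NET[t]
    if any(m[p] < n for p, n in pre.items()):
        return None
    return {p: m[p] - pre.get(p, 0) + post.get(p, 0) for p in m}

def cyclic_schedule(m0=M0, cap=4):
    """Shortest firing sequence that fires every transition and returns
    to m0, never holding more than `cap` tokens in X (search bound)."""
    key = lambda m: tuple(m[p] for p in PLACES)
    queue, seen = deque([(m0, frozenset(), [])]), {(key(m0), frozenset())}
    while queue:
        m, fired, seq = queue.popleft()
        for t in NET:
            m2 = fire(m, t)
            if m2 is None or m2["X"] > cap:
                continue
            f2, s2 = fired | {t}, seq + [t]
            if key(m2) == key(m0) and len(f2) == len(NET):
                return s2
            if (key(m2), f2) not in seen:
                seen.add((key(m2), f2))
                queue.append((m2, f2, s2))
    return None

def storage_bound(seq, m0=M0):
    """Peak number of tokens in X while executing seq from m0."""
    m, peak = m0, m0["X"]
    for t in seq:
        m = fire(m, t)
        peak = max(peak, m["X"])
    return peak

if __name__ == "__main__":
    s = cyclic_schedule()
    print(s, storage_bound(s))
```

The `await` transition consumes and returns two tokens, matching the two weight-2 arcs in the slide's figure: it only tests the FIFO level, and the two reads do the consuming.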
Page 20
Metropolis Summary
• Metropolis meta-model:
- concurrent specification for functions, architecture, and mappings
- libraries of models of computation, libraries of platforms
• Metropolis design environment:
- meta-model compiler to provide an API to browse designs,
- backend tools to analyze designs and produce appropriate models,
- easy to incorporate simulation, verification, and synthesis tools
Page 21
Backup slides: Execution semantics
A sequence of vectors of events is a legal behavior if it
• satisfies all constraints
• is accepted by all action automata
- one for each action of each process
Page 22
Action automata
y=x+1;
[Figure, repeated as animation frames on pages 22 to 30: action automaton for y=x+1 with events B y=x+1, B x+1, E x+1, E y=x+1 and updates y:=Vx+1 or y:=any (* = write y); action automaton for x+1 with events B x+1, E x+1 and updates Vx+1:=x+1 or Vx+1:=any (write x). State columns: Vx+1, y, x. Pages 22 to 25: events B y=x+1, B x+1, E x+1, E y=x+1 interleaved with N; states 000, 100, 110. Pages 26 to 30: the same events interleaved with N; states 000, 500, 550.]
Page 31
Semantics of await
await {
  (X.n()>0; X.writer; X.writer) comp: z = f(X.read());
  (Y.space()>0; Y.reader; Y.reader) Y.write(z);
}
[Figure: action automaton for the await, with events B await..., B comp:..., E comp:..., B Y.write(z), E Y.write(z), E await...; transition labels (true X.n()>0 active X.writer) / B comp:... and (true Y.space()>0 active Y.reader) / B Y.write(z); start X.writer; start Y.reader]
Page 32
Semantics summary
• Processes run sequential code concurrently, each at its own arbitrary pace
• Read-Write and Write-Write hazards may cause unpredictable results
- atomicity has to be explicitly specified
• Progress may block at synchronization points
- awaits
- function calls and labels to which awaits or LTL constraints refer