Abstract-The CAST-32A provides some guidelines to help certify multi-core-based systems in the avionics domain. One major requirement is to compute all the potential interference and to provide adequate mitigation means. In this paper, we compare two approaches to identify the interference: the initiator-target and the PHYLOG models. The latter is more compact and efficient, despite also covering all of the problematic conflictual situations.
I. INTRODUCTION
The last decade has seen the emergence of multi-core processors, i.e. chips integrating several cores linked by a shared interconnect. Although these architectures have been shown to provide huge gains in performance, they have severe lapses in time predictability [20], [21], one of the key elements of certification expectations.
A. Identification of potential interference
Aeronautic certification authorities, in association with industrial manufacturers, have published the Multi-Core Certification Review Item (MCP-CRI) [2] (also published as the CAST-32A position paper [1]), in order to provide a set of guidance for software planning and verification on multi-core chips.
Due to resource sharing, couplings exist at the platform level. These can cause interference between applications, which, in turn, may lead to unexpected delays, and even the alteration or loss of data. These three issues are not acceptable in the aeronautics domain and must thus be avoided. In terms of certification, this entails a four-step process. First, the applicant must identify all interference channels. In the CAST-32A terminology, an interference channel is a platform property that may cause interference between independent applications. Second, the applicant must classify the interference as either acceptable, tolerable, or unacceptable. Third, for each unacceptable interference, they must provide a means of mitigation to prevent the system from having catastrophic behaviors. In that context, mitigation signifies that some mechanisms have been proposed to forbid unacceptable interference or reduce their effect to acceptable or tolerable levels. For example, if a resource being accessed in parallel by more than two requesters would lead to a non-acceptable delay, mitigation could take the form of a run-time mechanism that sequentializes the access. Fourth and finally, the applicant must argue why the means of mitigation are adequate and why unacceptable interference will never occur during aircraft operations.
This requirement is called resource usage 3 in the CAST-32A. In the sequel, we will only focus on this particular objective and, more precisely, on the identification of interference.
B. Objectives and contribution
To the best of our knowledge, few works have proposed solutions for resource usage 3. Researchers from Thales have proposed the Initiator-Target Model [8], [13], [17], [18] to help identify the interference channels on multicore chips. Their model is very simple, but suffers from a combinatorial explosion.
PHYLOG is a French project (2016-2020), funded by the French civil aeronautic agency (DGAC), which aims at offering a model-based and software-aided certification framework for aeronautics systems based on multi/manycore architectures. In [5], we have defined the premises of the PHYLOG model, presented the notions of interference channels and transactions, and shown an automated process to find the interference channels through the use of WEIRD [6].
The objective of this paper is to compare and link the initiator-target and PHYLOG models. For that purpose, we start with a formal definition of the initiator-target model (see section II). We then refine and formalize our former definition of interference channels (see section III). We then show that our representation is more compact than the initiator-target model despite remaining as expressive. Indeed, our interference channels are the representative elements of the equivalence classes of an equivalence relation (see section IV). All our formalization and computation are supported by implementations made in IDP [10] (see section V), used as a replacement for WEIRD [6] .
II. THE INITIATOR-TARGET MODEL
The initiator-target model has been introduced in [8] and reused in [13], [17], and [18]. The goal was to provide a theoretical view for the identification of the interference channels (called performance contentions in [8]) that can occur in a multi-core processor.
A. Overview
According to their definition, a multi-core is composed of three types of components: is a test class composed of three single test classes running in parallel.
B. Formalization
Let us now introduce a set-based formalization of the initiator-target model.
Definition 1 (Initiator-target model):
In the initiator-target model, an architecture P is defined by P = (C, →) where 
An interference channel is a test class composed of 2 or more single test classes.
Definition 4: Let P = (C, →) be an architecture. Let us note T C P ∞ the set of test classes and T C P n those of size n:
Proposition 1 (Total number of test classes [8] ) : The number of all possible test classes of P is:
Example 3: Let us once again consider the architecture P 1 shown in Figure 1 : n SI = 2, n NSI = 2, n T = 4, →= {(cpu 1 ,bus), (cpu 2 ,bus), (dma 1 , bus), (dma 2 ,bus), (bus,mem 1 ), (bus,mem 2 ), (bus,L3), (bus,pcie)}. Applying equation 1 yields:
meaning that the interference analysis may need up to 7224 test classes to be analyzed on this architecture. Aeronautic certification standards require the assessment of the worst case execution time (WCET) for the critical software functions running on the cores of the processor. As stated in the introduction, interference may strongly affect this execution time. It is up to the designer to characterize the severity of each interference with respect to the execution time of each software function, and, at the end, to show that all the unacceptable interference (i.e., the ones that induce too high WCETs) are properly mitigated by appropriate means (e.g., arbiters, time-triggered execution schemes, etc.). In the case of the (rather small) architecture P 1 , such an assessment requires the investigation of the 7224 test classes.
C. Hypotheses
In the seminal paper, there was no specific rule about the reachability of a target by an initiator. Implicitly, the authors assumed that all targets were reachable by all initiators. Moreover, they did not make a distinction on the type of transactions (e.g. read or write). Finally, they assumed a unique path from any given initiator to any given target, which is not the case in many-cores. Most commercial multi-core processors satisfy these two hypotheses. Let us formalize them:
There is a unique path from an initiator to any non initiator component:
The reachability relation → satisfying Hyp2 is acyclic and defines a partial order
III. PHYLOG MODEL
In the PHYLOG project, we need to tackle the identification of all interference channels as in Brindejonc et al.'s approach.
A. Overview
We believe that the current initiator-target model is insufficient as is and that it must be enriched.
1) Brindejonc's approach is a black-box approach: it does not consider internal components. Two architectures with different topologies may be characterized by the same test classes, even when their interference differs.
2) Test classes do not necessarily lead to any actual interference between transactions. For instance, in the architecture P 2 depicted in Figure 2, the test class (cpu 1 mem 1 ) (pcie dma 1 L3) does not cause any contention as these transactions cross two different buses in parallel without interfering with each other. Many other test classes in P 2 are interference-free as well.
3) Their approach is simple, but suffers from scalability issues: for a T4240 processor, composed of 12 cores (n SI = 12), 3 DMAs (n NSI = 3), 2 memory controllers, 1 PCIe, and 1 L3 cache used as SRAM memory (n T = 4), there are more than 10^12 test cases.
Ideally, the number of test classes to be explored should be as low as possible. We thus propose grouping them according to the interference they cause on the components.
B. Transaction model
Definition 5 (Transaction): For an architecture P = (C, →), a transaction is a finite branching word of components
In the following, we will consider that the branching operator "+" is commutative. That is, 
. . a n (common prefix of the transaction, possibly empty).
guage of the transaction, i.e., the set of components involved),
nent of a word). According to hypothesis Hyp2, each tc is modeled by a unique transaction tr in the PHYLOG model. . . . (i 1 , t 1 ), . . . , phy(i m , t m , t m ) 
Definition 7 (Transactions associated to a single test class): When (i, t) ∈ SI × T , the associated PHYLOG transaction is defined as phy(i, t) = tr with hd(tr)
= i, tl(proj 1 (tr)) = t and proj 2 (tr)) = . When (i, t 1 , t 2 ) ∈ NSI × T × T ,= i · ((b 1 . . . b n ) + (c 1 . . . c m )) be a transaction in P . Then: 1) ∀j = k, b j = b k (ab m (a) tr = i · ((b 1 . . . bm)+ ). i b 1 c 1 . . . . . . b m c p (b) tr = i · ((b 1 . . . bm) + (c 1 . . . cp)) with ∀l, k, b l = c k . i a 1 . . . a n b 1 c 1 . . . . . . b m c p (c) tr = i · ((a 1 . . . an · b 1 . . . bm)+(a 1 . . . an · c 1 . . . cp)) with ∀l, k, b l = c k .
C. Test classes revisited -Truncated transactions
We define the PHYLOG test classes as the sets of truncated transactions where the interference-free parts of transactions are translated as the empty word .
Definition 10 (PHYLOG test class): A PHYLOG test class is a set of n transactions
where
with p ≤ n and a p ∈ shared(tc) and b p = a p and ∀k, b k ∈ shared(tc)
with p, l ≤ n and a p ∈ shared(tc) and b l ∈ shared(tc) 
D. Interference channel
We can now formally define the notion of interference channel. We distinguish two kinds of interference channels: the 1-interference channels which involve a single shared component, and the 2-interference channels which involve two shared components.
1) 1-Interference channels: Definition 11 (1-Interference channel): For an architecture P = (C, →), a 1-interference channel is defined as
with c ∈ O ∪ T and
An interference channel ends with a shared component c. What happens after is irrelevant, as serialization occurs at that point and the transactions do not interfere with each other later on. We apply the same reasoning as in network calculus [16] when packets share a common path on several switches. This is known as the pay burst only once rule. Thus, interference only occurs on the first component shared by the n transactions. Note that this could be improved in several ways, such as by considering the component entailing the worst case delay instead of simply taking the first one, or by grouping successive components into a supercomponent.
Example 6: Let us again consider the P 1 of Figure 1 . There is a unique 1-interference channel with 11 combinations of transactions capable of occurring on the bus: bus, 
Example 7: Let us consider P 2 of Figure 2 and let us focus on bus 1 (it is similar for bus 2 ). There are 28 combinations of transactions. The interesting parts are those featuring the dma. Either the second branch of the transaction reaches bus 1 , or it is pruned (and replaced by ). The notation dma 2 . (bus 1 + {bus 1 , }) 
2) 2-Interference channels: Focusing on 1-interference channels is unfortunately insufficient because of the double branches of transactions issued by non smart transactions. Indeed, those branches can conflict on two components: one per branch. Thus, two components can be accessed in parallel by all transactions. We must then define 2-interference channels.
There are no 3-or-more-interference channels because the maximal number of branches per transaction is 2.
Definition 12 (2-Interference channel): For an architecture P = (C, →), a 2-interference channel is defined as
In P 2 , depicted in Figure 2 , there is a unique 2-interference channel occurring on the buses.
Figure 5. An execution scheme for architecture P 1
Example 10: There is no 2-interference channel in the P 1 architecture. This means that, with our approach, analyzing the severity of the interference caused by the 11 transactions listed in example 6 is sufficient, compared to the 7224 test classes of the initiator-target model (see example 3). This reduction comes from a better modeling of the platform and from symmetry properties. The severity of the interference is evaluated with respect to the expected behavior of the software functions hosted by the platform. To illustrate this, let us consider the following time-triggered execution scheme depicted in figure 5: (1) cpu 1 (resp. cpu 2 ) hosts a software function F 1 (resp. F 2 ); (2) memory mem 1 (resp. mem 2 ) is dedicated to F 1 (resp. F 2 ), meaning that F 1 never tries to access mem 2 and, conversely, F 2 never tries to access mem 1 ; (3) dma 1 (resp. dma 2 ) manages input/output transfers of F 1 (resp. F 2 ); (4) input/output data are stored in L 3 ; (5) F 1 and F 2 are periodically scheduled in non-overlapping time windows; and (6) dma 1 (resp. dma 2 ) is only activated by F 1 (resp. F 2 ). Then, among the 11 transactions listed in example 6, only the second one ({cpu 1 .bus, dma 1 .(bus + bus)}) and the fifth one ({cpu 2 .bus, dma 2 .(bus + bus)}) can occur. The potential interference caused by the other nine transactions are avoided by the execution scheme. Therefore, to meet the certification requirements it is sufficient to evaluate the WCET of F 1 (resp. F 2 ) and the WCET of the dma 1 (resp. dma 2 ) transfers with the interference caused by the second (resp. fifth) transaction. These interference will be said to be acceptable if these WCETs are smaller than the corresponding time windows planned by the execution model. Otherwise, they will be said to be unacceptable.
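The reduction from 7224 test classes to 11 combinations on P 1, and then to the two combinations left by the execution scheme, can be reproduced by brute-force enumeration. The Python code below is an added example, not the authors' IDP code: it assumes a counting rule (each smart initiator is idle or reaches one target, each non-smart initiator is idle or reaches an ordered pair of targets) chosen because it reproduces the 7224 figure, it handles 1-interference channels only, and all function names are hypothetical.

```python
from itertools import product

# Architecture P1 as listed in Example 3 (component names from the page).
SMART = ["cpu1", "cpu2"]
NON_SMART = ["dma1", "dma2"]
TARGETS = ["mem1", "mem2", "L3", "pcie"]
EDGES = {(i, "bus") for i in SMART + NON_SMART} | {("bus", t) for t in TARGETS}
# Time windows of the execution scheme in Example 10: F1, then F2.
WINDOWS = [{"cpu1", "dma1"}, {"cpu2", "dma2"}]

def path(src, dst):
    """Unique path src -> dst (hypothesis Hyp2), by depth-first search."""
    if src == dst:
        return [src]
    for a, b in sorted(EDGES):
        if a == src:
            rest = path(b, dst)
            if rest:
                return [src] + rest
    return []

def single_test_classes(init):
    """ASSUMED rule: smart -> one target, non-smart -> ordered target pair."""
    if init in SMART:
        return [(init, (t,)) for t in TARGETS]
    return [(init, (t1, t2)) for t1 in TARGETS for t2 in TARGETS]

def all_test_classes():
    """Non-empty choices of at most one single test class per initiator."""
    options = [[None] + single_test_classes(i) for i in SMART + NON_SMART]
    for combo in product(*options):
        tc = tuple(s for s in combo if s is not None)
        if tc:
            yield tc

def first_shared(tc):
    """First component crossed by every transaction of tc, or None."""
    crossed = [{c for t in tgts for c in path(i, t)[1:]} for i, tgts in tc]
    shared = set.intersection(*crossed)
    init, tgts = tc[0]
    return next((c for t in tgts for c in path(init, t)[1:] if c in shared), None)

def group_by_channel():
    """Map (shared component, active initiators) -> merged test classes."""
    groups = {}
    for tc in all_test_classes():
        if len(tc) >= 2:  # an interference channel needs 2+ single test classes
            key = (first_shared(tc), frozenset(i for i, _ in tc))
            groups.setdefault(key, []).append(tc)
    return groups

def possible_under_scheme(groups):
    """Combinations whose initiators all run inside one time window."""
    return sorted(sorted(inits) for _, inits in groups
                  if any(inits <= w for w in WINDOWS))

if __name__ == "__main__":
    g = group_by_channel()
    print(sum(1 for _ in all_test_classes()), "test classes;", len(g), "combinations")
    print("possible under the execution scheme:", possible_under_scheme(g))
```

Every group is keyed on the bus, so the 7184 multi-transaction test classes collapse into the 11 initiator combinations of Example 6.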
IV. COMPARISON BETWEEN THE INITIATOR-TARGET MODEL AND PHYLOG MODEL
The PHYLOG model can be seen as the definition of equivalence classes for the initiator-target model. mem 1 ), (dma 1 , pcie, L3 )} is interference-free: no component is shared by the two transactions (rule 2 of the definition). However, {(cpu 1 , mem 1 ), (dma 2 , pcie, mem 2 )} is not interference-free, since bus 1 is shared by the two transactions.
Definition 13 (Interference-free test classes): Some test classes listed in T C
Let us note that a transaction, as depicted in Figure 3 , defines a partial order relation over the language for the transactions:
Definition 14: For an architecture P = (C, →) and a transaction tr = i · ((a 1 . . . a n · b 1 . . . b m ) + (a 1 . . . a n ·  c 1 . . . c p ) ), let us define the relation < tr over lg(tr) as:
< tr is the order generated by the oriented paths followed by the transaction.
Proposition 4: Let P = (C, →), < P is the partial order (see proposition 2), tc = {tr 1 , . . . , tr n } a PHYLOG test class, and S = shared(tc) the set of components shared by all the transactions tr i . Let min(S, < P ) = {α ∈ S | ∀β ∈ S, either α < P β or ¬(β < P α)} be the set of smallest components in S for < P . Then
• either min(S, < P ) = ∅, • or min(S, < P ) = {α} and ∀tr i , ∀β ∈ S, α < tri β (meaning α is the first component crossed by all tr i ), • or min(S, < P ) = {α, β} and ∀tr i , ∀γ ∈ S, α < tri γ ∨ β < tri γ (meaning α (resp. β) is the first crossed in some branches in which β (resp. α) is not involved, as b 1 and c 1 in Figure 4) . Proof: Let us consider tr 1 . . . , a m , b 1 . . . , b p , c 1 , . . . , c q }. Let us consider 5 cases:
Example 12: For P 2 and its {(dma 1 , mem 1 , pcie), (dma 2 , mem 2 , pcie)} test class, the associated transactions are 
Proposition 5: The relation ≡ is an equivalence relationship.
Proof: ≡ is reflexive. Indeed, let tc be a test class, min(shared (phy(tc)), < P ) is defined in a unique way.
≡ is symmetric, because we only handle sets. ≡ is transitive: if min(S 1 , < P ) = min(S 2 , < P ) and min(S 1 , < P ) = min(S 3 , < P ) then min(S 2 , < P ) = min(S 3 , < P ). Same for hd(tc i ).
Proposition 6: The PHYLOG interference channels are a representative of the ≡ relation classes. More precisely, let
    1Interf2(x,i1,x1,x2,x3,x4,NULL,NULL,NULL,NULL,i2,z1,z2,z3,z4,z1,z2,z3,z4) <- Trans2(x,i1,x1,x2,x3,x4,i2,z1,z2,z3,z4).
There is also one predicate per T R n 2 . The code for T R 2 2 is given below.
Code 7:
    2Interf2(x1,x2,i1,y1,y2,y3,y4,y5,y6,i2,z1,z2,z3,z4,z5,z6) <- (Trans2(x1,i1,y1,y2,y3,i2,z1,z2,z3) & Trans2(x2,i1,y4,y5,y6,i2,z4,z5,z6) & (x1 < x2)).

C. Some results
IDP computes the predicates of the previous examples in less than a second. Increasing the number of smart initiators, non-smart initiators, targets, or intermediary components does not appear to increase the execution time. Even when modeling a Kalray MPPA [15] compute cluster, composed of 16 cores, 32 intermediary components, and 16 targets, resolution of those predicates (exposing a total of 1920 interference channels) is still completed in sub-second times.
To ensure their correctness, we have also used IDP to compute the ≡ relation classes of the aforementioned examples, and found them to be compliant with the propositions made in this paper.
VI. RELATED WORK
Interference analysis in multi-core processors has received significant attention in recent years. A first class of these works focuses on the impact of shared hardware resource contention on the execution time of software application hosted by the processor. For instance, [9] considers a multicore architecture composed of a single bus providing access to a shared memory, and it proposes a method to determine an upper bound on the number of bus requests that software tasks can generate in a given time interval. Both [7] and [11] focus on measurement techniques based on dedicated stressing benchmarks and hardware monitors to characterize the architecture and the shared resources that can cause interference between software applications.
A second class of works focuses on methods to avoid interference. For instance, [4] proposes a contention-free execution framework to execute automotive software application on many-core platforms. [19] proposed a similar approach which relies both on a development work-flow, and the use of an execution model defined as a set of rules to be followed by the designer and asserted through the runtime in order to enforce specific behaviors. Both [4] and [19] target a TDMA execution model, and use a Constraint Programming formulation to find an optimal time-triggered schedule on each core.
In order to tackle multi-core aeronautics certification-related issues, several projects have been funded. One of the first was MULCORS [12], which clearly identified the need to change and adapt the current certification standard. Since then, several attempts at precisely defining such new recommendations have been made, such as the Multi-core Certification Review Item (MCP-CRI) [2]. In other parts of the MCP-CRI, [14] proposed definitions for interference channels, interference sources, and interference targets, and they proposed a process to reduce the number of interference. A more recent work proposed by [3] tried to adapt the MCP-CRI certification objectives to COTS MCP architectures. For that purpose, they showed that the MCP-CRI objectives can be grouped into three high level principles: (1) determining the final configuration, (2) managing interference channels, and (3) verifying the use of shared resources. They showed, through a particular case study (the Freescale P4080 processor), that the second objective (managing interference channels) highly depends on detailed information about the behavior of the resources. They also showed that predicting interference on a COTS multi-core architecture is a very challenging task because of the amount of required information. A way to help the certification application to master the complexity of the architecture is then to use a formal model of the architecture and a formal analysis method to explore the set of interference channels. Such is the aim of our contribution.
VII. CONCLUSION
In this paper, we have formally defined the initiator-target model and compared it with the PHYLOG approach. Our representation requires more details on the internals of the platform but offers a more practical size description. Our work was supported with the IDP tool.
In the future, we will apply our model to other multi-cores and extend our model to many-core platforms. We will also measure the gains of going deeper in the description of the architecture.
