Formal Validation and Verification of Networks-on-Chips: Status and Perspective by Schmaltz, J. et al.
PDF hosted at the Radboud Repository of the Radboud University
Nijmegen
 
 
 
 
The following full text is a preprint version which may differ from the publisher's version.
 
 
For additional information about this publication click this link.
http://hdl.handle.net/2066/83502
 
 
 
Please be advised that this information was generated on 2017-12-06 and may be subject to
change.
Formal Validation and Verification of
Networks-on-Chips: Status and Perspective
(Draft Paper)
Julien Schmaltz2,1, Freek Verbeek1,2, and Tom van den Broek1 !
1 Radboud University Nijmegen
Institute for Computing and Information Sciences
PO Box 9010 6500GL Nijmegen, The Netherlands
2 Open University of the Netherlands
School of Computer Science
PO Box 6401DL Heerlen, The Netherlands
Email: Julien.Schmaltz@ou.nl
Abstract. Increasing the performance of computing system today means
more parallelism. Systems are becoming multi-cores. The on-chip inter-
connect is a complex infrastructure having a crucial impact on the sys-
tem global performance and functionality. In this draft paper we present
recent results and work-in-progress towards a general compositional ap-
proach for the validation and verification of networks-on-chips. In par-
ticular, we discuss temporal abstractions, a refinement theorem between
two architectures described at the same temporal abstraction, and two
properties – namely deadlock and evacuation – proven on a model defined
at a more abstract temporal layer.
1 Introduction
Increasing the performance of modern electronic systems means increasing par-
allelism [4]. Several processing and memory cores are integrated on a single die
forming so-called Multi-Processors Systems-on-Chips (MPSoC). Platform based
design [12] is a popular approach that provides designers with a generic ar-
chitecture allowing the construction of new MPSoCs by assembling pre-designed
components. The latter are often highly parametric descriptions at a high-level of
abstraction. Abstractions and the interconnect become central issues in modern
MPSoCs design. With the increase of the number of interconnected cores, com-
plex on-chip networks are replacing buses [5, 1]. As for processing elements, the
formal guarantee of their correct behavior will become mandatory. Our ultimate
goal is to provide a formal methodology supporting the abstract specification
of NoCs and the proof that an implementation – eventually described at the
Register Transfer Level (RTL) – conforms to it. To this end we are developing
! This research is supported by NWO/EW project Formal Validation of Deadlock
Avoidance Mechanisms (FVDAM) under grant no. 612.064.811.
1
models and proof methods that constitute the Generic NoC (GeNoC) design and
verification approach [8, 3].
GeNoC provides (1) a network model to specify the main characteristics
of a NoC (e.g., topology, routing); (2) architectural models defining interac-
tion schemes of the constituents; (3) correctness theorems for these architectural
models; and (4) sufficient constraints – or proof obligations – on the constituents
from which the proof of the correctness theorems follows. GeNoC is generic in
the sense that the constituents are not given any specific definition but only
characterized by their proof obligations. The validation of a particular NoC re-
duces to (1) giving a concrete definition to the constituents and (2) discharging
the corresponding instantiated constraints. GeNoC has been implemented in the
logic of the ACL2 theorem proving system [7] and applied to several case-studies,
e.g., the HERMES [2] and Spidergon [3] designs.
In this draft paper, we present a compositional approach for the design and
validation of NoCs. The focus is on the extension of the GeNoC approach with
refinement theorems between architectures and an explicit notion of time and
corresponding temporal abstractions. Note that this paper presents more the
direction we are following and not a final result.
Section 2 presents this global approach and introduces three temporal ab-
stractions. The lowest one is detailed in Section 3 that discusses two architectures
and a refinement theorem between them. We only give an overview of this work.
More details can be found in two recent publications [10, 11]. Section 4 considers
the next more abstract temporal layer. It focuses on two global properties that
guarantee the absence of deadlock and evacuation, i.e., all injected messages
leave the network. We present the essential aspects related to these two prop-
erties. More details can be found in a recent publication [14]. Finally, Section 5
relates Sections 3 and 4 to the approach described in Section 2. It also concludes
this paper with our current perspectives and future work.
2 A Compositional Approach
2.1 The Compositional Model
The compositional model is pictured in Fig.1. It is composed of four parts: (1)
the NoC constituents; (2) the NoC Architectures; (3) the NoC Theorems; and
(4) the User Input.
The NoC Constituents are the essentials parts common to any network. The
routing algorithm computes for each message its next hop according to its current
position an its destination. The scheduling policy handles the data flow. It decides
if a message can progress to its next hop. The data link layer is responsible for the
exchange of data between the current and the next position. The injection method
controls access to the network. The last elemens of the constituents are the
characteristic parameters, e.g., topology, buffer size, message length. Note that
these parameters are most of the times left symbolic for a parametric analysis.
All the constituents are generic. They are not given any concrete definition. Each
one of them is constrained by a set of proof obligations.
2
Fig. 1. Compositional Model
TheNoC Architectures represent different ways of combining the constituents.
One architecture could compute complete routes from source to destination be-
fore sending messages (source routing) while in another one routes are computed
hop-by-hop (distributed routing). We will give more details about these two ex-
amples later (Section 3).
The NoC Theorems are global properties of one architecture or a refinement
theorem between two distinct ones. Our model has currently three global prop-
erties and one refinement theorem. Global properties express (a) functional cor-
rectness, i.e., all messages that reach a destination reach the expected destination
without modification of their content; (b) deadlock-freedom; and (c) evacuation,
i.e., all messages eventually leave the network. The refinement theorem relates a
source routing architecture to a distributed routing one. All these theorems are
direct consequences of the proof obligations and do not depend on the particular
definition of the constituents. Therefore they hold for all particular definitions
satisfying the proof obligations.
This suggests the following methodology and defines the user input. First
one should give a concrete definition to the constituents. For instance, an XY-
routing algorithm in a 2D-mesh with packet switching as scheduling policy and
where all messages are injected at time 0. Then the corresponding instances of
the proof obligations are automatically generated. After discharging all of them
it automatically follows that the corresponding instances of all architectures
3
Fig. 2. Temporal Abstractions
satisfy the corresponding instances of all theorems. At the end the User Input
consists in (1) giving a definition to the constiutents and (2) discharging the
corresponding proof obligations. The rest is fully automatic.
2.2 Temporal Abstractions
We consider the temporal abstractions shown in Figure 2. Each layer depends
on the definition of an atomic action. In the most abstract one, in one time unit,
a message will traverse the complete network from its source to its destination.
A first refinement of this abstraction restricts the time step to at most one
hop. Finally, the lowest layer makes the internal structure of a node visible, in
particular, the router component. The application of the function representing
the router defines the time unit. In this paper, we discuss the lowest layers. The
next Section details the lowest layer in Figure 2. In Section 4 we detail its first
abstraction. More information about the most abstract layer can be found in the
original GeNoC paper [8].
3 Refinements at the Lowest Temporal Layer
This section details the compositional model viewed at the level of a router. It
defines the NoC constituents of that layer and two architectures. It then shows
a refinement theorem between them.
4
Port
Buffer
Data Input
StatusFieldackRx
Rx
Data
IdAdress PortName Direction
Port
Buffer
Data Output
StatusFieldackTx
Tx
Data
IdAdress PortName Direction
Input Stage
Routing Control
Flow Control
Output Stage
Fig. 3. A router and its ports
3.1 NoC Constituents
We assume a generic architecture composed of an arbitrary – but finite – number
of nodes and a finite number of connections between any two nodes. Each node is
uniquely identified by its position. A node includes a local memory and a router.
A router is defined by a set of ports and four functions: input and output units,
routing control, and flow control (see Fig. 3). All nodes are identical.
Ports, topology and state The main elements of a port are the data and con-
trol signals, and internal buffers (Fig. 3). A port is a tuple 〈addr , stat , data, buff 〉,
where addr is a unique address, stat stores the values of the control signals and
other state components of a port, data denotes the values of the data signals,
and buff represents the value of the buffers associated with the port. An address
is a tuple 〈coor , pid , dir 〉, where coor is the unique identifier of the node the
port belongs to, pid is the name of the port (e.g., west, south), and dir is the
direction, i.e., ’i’ for an input port or ’o’ for an output port. The topology is
a list where each element is a pair of port addresses (pi, pj), which means that
port pi is connected to port pj . A node is defined as the set of ports, where the
address of each port p is the same. These ports define the state of the node. The
set of all ports of a network defines the state of the network.
Input and output units These two functions define the low level protocols
(e.g., handshake) which use the control signals to transfer the content of the
data signals to the internal buffers in case of an input port, or to transfer the
content of the buffers to the data signals in case of an output port.
Routing control This function applies the routing logic (e.g., dimension order
routing [6]) to one or more ports of a node. It returns a list of routed ports,
5
i.e., ports together with routing information. The only function that needs to be
instantiated is function routing-logicwhich implements the routing algorithm.
Flow control This function implements the switching technique, e.g., packet,
circuit, or wormhole. In case of conflict, this function also resolves priorities.
Function flowcontrol extracts from the routed ports the messages that are ready
to be transmitted. The core function that needs to be instantiated is function
switch-ports which effectively schedules messages. Those scheduled messages are
moved to the output ports computed by the routing control function.
Global definition All these functions form function router (Figure 4), which
updates a node state. Note that a node is equipped with a memory which is avail-
able to each port and each function. Argument nstmem represents that memory.
To simplify the presentation, we assume that such a memory element is given as
input argument of any function that accesses it. This argument is not explicitly
mentioned any further.
router (nst,nstmem) :
let (nst nstmem) be
RouteControl ((ProcessInputs nst), nstmem))
in
let (nst nstmem) be
Flowcontrol(nst,nstmem) in
return (ProcessOutputs nst), nstmem
Fig. 4. Function router
3.2 Architecture Template
Function GeNoC t (Figure 5) is the core of the architecture template for our low-
est temporal abstraction. It works as a simulator which applies function router
to each node. Each recursive call defines a simulation step. Input argument simL
defines the length of the simulation. Function GeNoC t takes as additional ar-
guments the set of messages to be sent (m), the current state of the network
(ntkst), an accumulator of messages that have reached their destination (arr,
initially empty), the current simulation step (z, initially 0), and the topology
(topo). It returns the list of arrived messages, the list of delayed messages, and
the state of the network at the end of the simulation.
Function depart controls message injection. According to an architecture-
dependent criterion, it determines which messages can be in the network. These
messages have either already left their source or depart inserts them in the
local input port of their source node. Function depart returns a list of updated
nodes (dep) and a list of delayed messages (del). Function step-ntk (see below)
6
GeNoC_t(m, ntkst, arr, z, topo, simL) :
if simL = 0 return arr,m,ntkst
else
let (dep, del) be
depart(ntkst, m, z)
in
let newntkst be
step-ntk(dep, topo)
in
GeNoC_t(del,newntkst, add(z,arr), z + 1,topo, simL-1)
Fig. 5. Architecture Template
applies function router to each node. This produces a list of updated nodes.
Those messages that are at their destination are extracted from this new state
and appended to accumulator arr. The next recursive call processes the delayed
messages, the updated nodes, and time is incremented by 1.
Function step-ntk (Figure 7) is defined by two architecture dependent func-
tions. Function step-ntk-arch (Figure 6) encapsulates the representation of the
router on which the architecture is based. Function updateNeighbours simu-
lates the transfer of data from output data signals to input data signals, e.g.,
simulate the wires between the nodes. It accomodates for particular details of
one architecture.
Function step-ntk-arch (Figure 6) takes as arguments a list of nodes to
be processed (ntslist) and the current network state (ntkst). It updates the
network state. For each node, it applies function router. Function ports-update
effectively updates the state of the nodes.
step-ntk-arch (ntslist, ntkst):
if ntslist = null return ntkst else
let newnst be router(ntslist[0]) in
let newntkst be
step-ntk-arch(ntslist[1..], ntkst) in
return ports-update(newntkst,newnst)
Fig. 6. Function step-ntk-arch
Function step-ntk extracts the node structures from the list of ports (func-
tion ports-nodelist). It then calls step-ntk-arch to actually simulate each
router. Finally, wires are updated by calling function updateNeighbours.
In summary, the architecture template has three architecture dependent func-
tions:
7
step-ntk(ntkst, topo):
let newntkst be
step-ntk-arch (ports-nodelist(ntkst), ntkst) in
updateNeighbours(newntkst,topo)
Fig. 7. Function step-ntk
– function depart specifying the criteria to access the network
– function router specifying the router of a given architecture
– function updateNeighbours specifying how wires must be updated
The architecture template suggests a distributed routing network. Packets
only contain information about their destination. At each intermediate step,
the Routing Control part of the router decides the next hop. In the following
subsection, we define a variation where routes are computed before injecting
packets into the network. A packet then contains its route as well.
3.3 Source Routing Architecture
The source routing architecture is defined by the following three functions:
depart-sr, router-sr, and updateNeighbours-sr. They define a refinement
of function GeNoC named GeNoC-sr and follow the templates given in Sec-
tion 3.2. Note that most of these functions are still generic. They are still not
given an explicit definition.
Function depart-sr According to an architecture-dependent criterion, it de-
termines which packets can be in the network. As the architecture is based on
source routing, function depart-sr computes for each packet a route from source
to destination and appends this route to the packet. Whenever the user criterion
is satisfied, it inserts this extended packet in the local input port of its source
node.
Function router-sr As shown in Figure 3, a router is composed of four parts.
The routing control part is the only part that is modified. The rest is kept
generic. The source routing control is defined by simply reading the next hop as
the first element of the route of each packet. No computation is necessary.
Function updateNeighbours-sr This function updates the wires of the nodes,
i.e., it simulates the transfer of data along wires. In addition it removes in each
packet the first element of its route.
3.4 Refinement Theorem
The theorem connecting the two models is shown in Figure 8. Function transform
simply removes all routes from extended packets. This theorem states that after
8
the application of function transform the lists of arrived packets, the lists of
packets still en route in the network, and the final network state produced by
GeNoC equals those produced by GeNoC-sr.
Theorem:
let (arr, m, ntkst) be
GeNoC(m, ntkst, arr, z, topo, simL) in
let (arr-sr, m-sr, ntkst-sr) be
GeNoC-sr(m, ntkst, arr, z, topo, simL) in
transform(arr-sr) = arr and
m-sr = m and
transform(ntkst-sr) = ntkst
Fig. 8. Equivalence theorem
The main proof obligation required to prove this theorem states that at each
intermediate step reading the pre-computed route must be equal to the route
computed in the distributed architecture. Details on these architectures and the
refinement theorem can be found in previous publications [9, 11].
4 Deadlock and Evacuation
This section details the compositional model viewed at a level where a time unit
is defined by one hop. We then introduce two global properties and their proof
obligations. The properties deal with deadlock freedom and evacuation.
4.1 Abstract Model and Architecture
A travel t is a data structure which stores the progress of sending a message
across a network. It is a triple < id, c, d > where id is a unique identifier for the
travel, c denotes the current location of the message, and d is the destination
port. T denotes the list of travels that is sent across the network.
To keep the list of travels well-formed, destinations have to be reachable from
their source. To this end, function s !R d returns true if s is reachable from
d. This function is application dependent and must be instantiated. It is quite
technical and not essential. We will therefore not detail it any further.
A state ST is a data structure which stores the current network state. The
state is defined as the list of all the ports of the network. Each port is associated
to the list of its buffers.
A configuration σ is a tuple <T, ST,A>, where T is a list of travels that are
sent across the network, ST is a network state and A is a list of arrived travels.
The travels T of configuration σ are denoted by σ.T . The set of all configurations
is denoted by Σ.
9
Function I : Σ #→ Σ represents the injection method. Given a configuration,
it decides which travels from T are ready for departure and injects these into
the network.
Function R : P × P #→ P represents the routing function of a switch. From
the current position and the destination it computes the next hop. We generalize
this function to apply to a configuration and to compute all hops from source to
destination. We then write R : Σ #→ Σ. It computes for each travel in σ.T the
route from its current location to the destination.
Function S : Σ #→ Σ represents the switching policy. It takes as parameter the
current configuration and computes the configuration after one switching step,
i.e., after each message that can make progression has advanced by at most one
hop. If a message arrives at its destination, the corresponding travel is removed
from T and added to A.
A deadlock-configuration is a configuration σ in which there exists no message
that can make progression. This is denoted by Ω(σ). An interconnection network
is deadlock-free if and only if there exists no deadlock-configuration.
4.2 Abstract Architecture Template
GeNoC takes as input argument an initial configuration, noted σ. The latter
contains the list of messages to be sent on the network (T), the current value
of the network state (ST), and the list of messages that have reached their
destination (A). Function GeNoC recursively applies the composition of the three
constituents to the initial configuration. The computation stops either when all
messages have reached their destination or when the current configuration is in
a deadlock. If the current configuration is not in deadlock, the switching policy
must decrease the termination measure. This proves GeNoC always terminates.
Function GeNoC is defined as follows:
GeNoC (σ) def=
σ iff σ.T = ∅σ iff Ω(R(I(σ)))GeNoC (S(R(I(σ)))) iff otherwise
4.3 Constraints for deadlock-freedom
Dally and Seitz [6] proposed a necessary and sufficient condition for deadlock-
free routing. They prove that a deterministic routing function is deadlock-free if
and only if it has no cycle in its channel dependency graph. We have formalized a
slightly different condition in GeNoC (See [13] for details). Dally and Seitz define
their function at the level of processing nodes. We define our routing function at
the level of ports. Let R : P×P #→ P be a routing function. The port dependency
graph is a graph with as vertices the ports of the interconnection network and
as edges the pairs of ports connected by the routing function.
Theorem 1. R is deadlock-free if and only there is no cycle in its port depen-
dency graph.
10
The proof of this necessary and sufficient condition is structured in such a way
that it only depends on a fixed set of constraints over the dependency graph, the
routing function, and the definition of reachable destination. Let ERdep represent
the edges of the port dependency graph. These constraints are the following:
∀s, d∀p ∈ R(s, d) · s !R d =⇒ (s, p) ∈ ERdep (1)
∀(po, p1) ∈ ERdep∃d · p0 !R d ∧ p1 ∈ R(p0, d) (2)
∀P ′ ⊆ P · ¬ cycledep(P ′) (3)
Constraint (1) states that each pair of ports connected byRmust be an edge. We
consider pairs resulting from reachable destinations only. Constraint (2) states
that for each edge (p0, p1) a reachable destination port must exist such that R
routes from p0 to p1. Constraint (3) states that there is no cycle in the port
dependency graph.
4.4 Constraints for evacuation
All messages evacuate the network if, when GeNoC terminates, the list of arrived
messages equals the list of messages that were sent. This defines the Evacuation
Theorem as follows:
Theorem 2. All messages eventually leave the network. Formally, we have the
following: GeNoC (σ).A = σ.T .
We assume all messages have been injected in the initial configuration. The
injection method does not inject any more messages:
I(σ) = σ (4)
Assuming Constraints (1) through (3) are satisfied, GeNoC terminates if
and only if all messages have evacuated the network. Hence, proving evacuation
reduces to proving termination of function GeNoC . To prove termination, we
define a termination measure, i.e., a value which decreases after each recursive
call. Proving evacuation reduces to instantiating a function µ(σ), which computes
a termination measure such that the following constraint holds:
σ.T -= ∅ ∧ ¬Ω(σ) =⇒ µ(S(R(σ))) < µ(σ) (5)
As long as there are messages in the network and there is no deadlock, the
measure provided by µ must decrease with each switching step.
5 Conclusion and Perspectives
We presented the compositional approach that we are currently developing. It is
based on a compositional model and temporal abstractions providing different
views of this model. We illustrated two of these abstraction layers. At the lowest
11
one, we presented two architectures and exposed a refinement theorem between
them. We discussed deadlock freedom and evacuation at a more abstract layer.
Our current work focuses on connecting these two layers such that proper-
ties proven for one layer are preserved in the other one. We are also considering
additional layers corresponding to further refinements of the time unit. For in-
stance, the time unit could be defined as the application of one of the four stages
of the router described in Figure 3. Further refinements would aim at a cycle
accurate model where a time unit coincides with a clock cycle. Our ultimate
goal is to extract sufficient constraints on the constituents from which it would
automatically follow that properties proven on the most abstract temporal layer
are preserved in the most concrete one.
References
1. L. Benini and G. De Micheli. Networks on Chips: A New SoC Paradigm. Computer,
35(1):70–78, 2002.
2. D. Borrione, A. Helmy, L. Pierre, and J. Schmaltz. Executable formal specification
and validation of NoC communication infrastructures. In Proceedings of the 21st
annual symposium on Integrated circuits and system design (SBCCI’08), pages
176–181, Gramado, Brazil, September 1–4 2008. ACM.
3. D. Borrione, A. Helmy, L. Pierre, and J. Schmaltz. A formal approach to the verifi-
cation of networks on chip. EURASIP Journal on Embedded Systems, 2009(Article
ID 548324):14 pages, 2009. doi:10.1155/2009/548324.
4. W. Dally. The end of denial architecture. Keynote at Design Automation Confer-
ence (DAC’09), 2009.
5. W. J. Dally and B. Towles. Route packets, not wires: on-chip interconnection
networks. In Proceedings of the Design Automation Conference, pages 684–689,
Las Vegas, NV, 2001.
6. W.J. Dally and C.L. Seitz. Deadlock-Free Message Routing in Multiprocessor
Interconnection Networks. IEEE Transactions on Computers, C-36(5):547–553,
May 1987.
7. J. Schmaltz and D. Borrione. Towards a Formal Theory of On Chip Communica-
tions in the ACL2 Logic. In Proceedings of the Sixth International Workshop on the
ACL2 Theorem Prover and its Applications, part of FloC’06, Seattle, Washington,
USA, August 14-15 2006. ACM.
8. J. Schmaltz and D. Borrione. A functional formalization of on chip communica-
tions. Formal Aspects of Computing, 20(3):239–348, 2008.
9. T. van den Broek. Towards the cross-layer verification of networks-on-chips. Mas-
ter’s thesis, Radboud University Nijmegen, The Netherlands, July 2009.
10. T. van den Broek and J. Schmaltz. A generic implementation model for the verifi-
cation of networks-on-chips. In S. Ray and D. Russinoff, editors, 8th Intl. Workshop
on the ACL2 Theorem Prover and Its Application, pages 130–134, Northeastern
Univ., Boston MA, USA, 2009. ACM.
11. T. van den Broek and J. Schmaltz. Towards formally verified networks-on-chips. In
A. Biere and C. Pixley, editors, 9th International Conference on Formal Methods
in Computer Aided Design (FMCAD’09), pages 184–187, Austing, Texas, USA,
November 15–18 2009. IEEE Computer Society.
12
12. J. van Meerbergen. Networks on chip: A communication-centric approach to
platform-based design. In PROGRESS White Papers 2006. STW, The Nether-
lands.
13. F. Verbeek and J. Schmaltz. Proof pearl: A formal proof of dally and seitz’
necessary and sufficient condition for deadlock-free routing in interconnection
networks. J. Autom. Reasoning, 2009. Submitted to publication.Available at:
http://www.cs.ru.nl/∼julien/Julien at Nijmegen/JAR09.html.
14. F. Verbeek and J. Schmaltz. Formal validation of networks-on-chips: Deadlock
and evacuation. In Design, Automation and Test Europe (DATE’10). ACM/IEEE,
March 2010. To Appear.
13
14
