Formal Methods for System Integration
Michael Fourman, Informatics, The University of Edinburgh

Posted on 20-Dec-2015

Outline

– System Integration
– Behaviour and abstraction
– Case study
  • specification
  • design
  • implementation
– Summary

System Integration

[Figure: levels of description, from Specification through Abstract Design to Concrete Implementation; labels shown: RFP, speech, ROM, DSP, FPGA, custom]

Synchronous Behaviour

– Signal: a sequence of values, m(t)
– Behaviour: a relation imposed between signals at ports, D(c, p, q)

[Figure: block D with ports c, p and q]

forall t. if c t then q t = F(p t) else q t = G(p t)

Specification and Design

– Specification: the relation required between signals at ports
– Design: relating behaviour to specification

Implementation(x) => Specification(x)

Abstraction

– Relating levels of description: i : concreteSignals -> abstractSignals
– The design task: Implementation(x) => Specification(i x)

Data Abstraction

– E.g. integers / binary representation; state / state encoding
– Simple case: f : concreteData -> abstractData
  (interpretation x) t = f (x t)
  Implementation(x) => Specification(f o x)

Temporal Abstraction

– E.g. micro-instructions; slowdown
– Sampling as a temporal abstraction: s : abstractTime -> concreteTime
  (interpretation x) t = x (s t)
  Implementation(x) => Specification(x o s)

Synchronous Behaviour

– Sampling: p when s

[Figure: block D with ports c, p and q, sampled by clocks s and d]

D(c when s, p when s, q when d) /\ ...

Stopclock

User-level specification
– 10 Hz clock
– Display
– Start/Stop button
– Reset button

Stopclock

Implementation
– 1 MHz clock
– Seven-segment display
  • digits need not all change on the same cycle
– Buttons assumed synchronised at 1 MHz
  • but may be pressed at any point in the 1 Hz period

Specifying the Stopclock

Stopclock(reset, stst, display) =
  exists run. forall t.
    display 0 = {tens = 0, secs = 0, tenths = 0}
    /\ display (t+1) =
         if (reset t) then {tens = 0, secs = 0, tenths = 0}
         else if (run t) then (nextTime (display t))
         else (display t)
    /\ run 0 = false
    /\ run (t+1) =
         if (reset t) then false
         else if (stst t) then (not (run t))
         else (run t)

Top-level partitioning: data and control

[Figure: Control takes reset and stst and produces run; Data takes reset and run]

Control Specification

Control(reset, stst, run) =
  forall t.
    run 0 = false
    /\ run (t+1) =
         if (reset t) then false
         else if (stst t) then (not (run t))
         else (run t)

Data Specification

Data(reset, run, display) =
  forall t.
    display 0 = {tens = 0, secs = 0, tenths = 0}
    /\ display (t+1) =
         if (reset t) then {tens = 0, secs = 0, tenths = 0}
         else if (run t) then (nextTime (display t))
         else (display t)

Abstract Hardware

[Figure: abstract hardware with counter stages labelled 6, 10, 10 and signals reset, stst, run]

Refinement of Control Logic to RT level

Abstract signals are implemented by sampling concrete signals. The idea:
  stst = STST when (rise tick)
  reset = RESET when (rise tick)
  run = RUN when (rise tick)

[Figure: latch clocked by tick producing RESET, STST and RUN, sampled at rise tick]

Abstraction for the reset button

Definition
  reset n = exists t.
    Timeof (rise tick) n <= t
    /\ t < Timeof (rise tick) (n+1)
    /\ resetButton t

Implementation
  Theorem resetGlue (resetButton, rise tick, RESET) =>
    reset n = (RESET when (rise tick)) (n+1)

Abstraction for the reset button

[Figure: timing diagram with rise tick, resetButton and RESET]

Abstraction for the start/stop button

Implementation
  Theorem ststGlue (rise ststButton, rise tick, STST) =>
    stst n = (STST when (rise tick)) (n+1)

[Figure: timing diagram with rise ststButton, rise tick and STST]

RTL control logic

Theorem ControlImp (tick, ststButton, resetButton, RESET, RUN) =>
  forall n. reset n = (RESET when (rise tick)) (n+1)
         /\ stst n = (STST when (rise tick)) (n+1)

[Figure: RTL control logic: a latch clocked by tick with inputs resetButton and ststButton and outputs RESET and RUN]

Final Design

[Figure: final design: the counter stages labelled 6, 10, 10 together with the RTL control logic]
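As an added example (not code from the slides), the control refinement above modelled in Python: the abstract reset and stst are derived from button traces by the interval definition on the reset-button slide, and the three checks correspond to the resetGlue, ststGlue and ControlImp relations, run on constructed traces. The definition of rise, the latch structure inside rtl_control and the traces are assumptions.

```python
def rise(sig):
    # rise x t = x t /\ not x (t-1); assumed definition of the slides' "rise"
    return [sig[t] and not (t > 0 and sig[t - 1]) for t in range(len(sig))]

def when(sig, clk):
    # p when s: the values of p at the times where s holds
    return [v for v, c in zip(sig, clk) if c]

def abstract_button(events, tick):
    # reset n = exists t. Timeof (rise tick) n <= t < Timeof (rise tick) (n+1) /\ events t
    times = [t for t, r in enumerate(rise(tick)) if r]
    return [any(events[times[n]:times[n + 1]]) for n in range(len(times) - 1)]

def control_spec(reset, stst):
    # run 0 = false; run (t+1) = if reset t then false else if stst t then not run t else run t
    run = [False]
    for r, s in zip(reset, stst):
        run.append(False if r else (not run[-1] if s else run[-1]))
    return run

def rtl_control(tick, reset_button, stst_button):
    # Assumed structure of ControlImp: RESET/STST latch a button event until
    # sampled at rise tick (then cleared); RUN is recomputed at each rise tick.
    rt, sb = rise(tick), rise(stst_button)
    RESET, STST, RUN, run = [False], [False], [], False
    for t in range(len(tick)):
        r, s = RESET[-1], STST[-1]
        if rt[t]:
            run = False if r else (not run if s else run)
        RUN.append(run)
        RESET.append((r and not rt[t]) or reset_button[t])
        STST.append((s and not rt[t]) or sb[t])
    return RESET, STST, RUN

def check_refinement(tick, reset_button, stst_button):
    # Implementation(x) => Specification(x o s): sampled concrete vs abstract
    RESET, STST, RUN = rtl_control(tick, reset_button, stst_button)
    rt = rise(tick)
    reset = abstract_button(reset_button, tick)
    stst = abstract_button(rise(stst_button), tick)
    return (reset == when(RESET, rt)[1:],               # resetGlue theorem
            stst == when(STST, rt)[1:],                 # ststGlue theorem
            control_spec(reset, stst) == when(RUN, rt))  # run = RUN when rise tick

# Constructed traces: 4 concrete cycles per tick; stst held for two cycles at
# t=5..6, reset pressed at t=14, stst pressed again at t=17.
TICK = [t % 4 < 2 for t in range(24)]
RESET_BUTTON = [t == 14 for t in range(24)]
STST_BUTTON = [t in (5, 6, 17) for t in range(24)]
print(check_refinement(TICK, RESET_BUTTON, STST_BUTTON))  # (True, True, True)
```

Holding the start/stop button over two concrete cycles toggles run only once because the abstraction is taken over rise ststButton, as in the ststGlue theorem.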

Summary

– Specification: declarative, high-level
– Design: creative and abstract
– Implementation: automated (in future)