This project is an international collaboration project. Although it is adminstratively attached to Inria Rocquencourt, the project is mostly run at East China Normal University, in Shanghai.
Cyber physical systems have become ubiquitous in our everyday life, ranging from simple sensors to complex systems such as consumer electronics, communication devices, process control, etc. Cyber physical systems consist of a network of heterogeneous devices. Each devices is itself composed of increasingly sophisticated hardware and software, and their development and reliability has become a key to economic success.. In the context of this project, we are particularly interested in systems that have a specific application running on dedicated hardware. Moreover we want to focus on devices that are meant to important safety constraints, such as those used in transportation industry, whether automotive, trains or aircrafts. This project is aiming at making research advances towards the development of safer and more reliable heterogeneous cyber physical systems in the selected target domain, and at reducing time to market for the development of such systems, considering both the application and the hardware parts.
The project assumes a Model Driven Engineering (MDE) approach, accompanied with Virtual Prototyping. Because a model is a formal abstraction, it is easier to apply formal methods to verify its properties. Model verification tools, reachability checks, deadlocks detection, theorem proving techniques, can be used on the models to prove system properties. However, in the end, the modeling tools usually cannot generate the entire embedded software. Proven software typically has to be integrated with libraries that are not proven. Also most applications do not run on bare hardware, but use a real time operating system that has not been certified either. Hence, in fine, it is not always clear that properties proven on the model are implemented on the final system and it is still necessary to use more traditional validation techniques. The project aims at building also executable models of the target embedded platform providing a virtual prototype of the platform. Virtual prototypes can run the application software, thus the software engineering team can develop and test the entire system.
Models also make it possible to generate conventional tests instead of manual coding. An advantage of the virtual prototyping approach is that the embedded application software can be run onto the virtual prototype and immediately tested with conventional tests.
Within the context described above, our project aims at addressing the challenges of embedded systems design with a new approach, combining modeling and formal methods, possibly code generation of application code and/or tests code, next run and validate the application code on a approximately timed virtual prototype in order to verify qualitative and quantitative, functional or non functional properties of the final system.
This approach requires the constructive combination of a virtual prototyping environment, surrounded by tools for the analysis of simulation models or simulation output, or analysis of the embedded software to make proofs of properties of the target system. We therefore need to connect modeling tools and formal methods tools with simulation tools running the real application code. We propose for that to work collaboratively towards a development platform that consists of a set of complementary components forming a tool chain in the development process, by associating technologies and tools developed both in Europe and China by three institutions, namely CWI in Netherlands, ECNU SEI in China and Inria in France.
One can distinguish two orthogonal research directions:
developing fast and powerful simulators that can simulate platforms and offer convenient interface to the users,
connected to specific tools, the goal of which is to verify required properties of the system.
The first action is mostly relevant to simulation research to accelerate or parallelize the simulation. The second is related to usage of formal methods, as adjunct tools to the previous one.
The development of complex embedded systems platforms requires putting together many hardware components, processor cores, application specific co-processors, bus architectures, peripherals, etc. The hardware platform of a project is seldom entirely new. In fact, in most cases, 80 percent of the hardware components are re-used from previous projects or simply are COTS (Commercial Off-The-Shelf) components. There is no need to simulate in great detail these already proven components, whereas there is a need to run fast simulation of the software using these components.
These requirements call for an integrated, modular simulation environment where already proven components can be simulated quickly, (possibly including real hardware in the loop), new components under design can be tested more thoroughly, and the software can be tested on the complete platform with reasonable speed.
Modularity and fast prototyping also have become important aspects of simulation frameworks, for investigating alternative designs with easier re-use and integration of third party components. The project aims at developing such a rapid prototyping, modular simulation platform, combining new hardware components modeling, verification techniques, fast software simulation for proven components, capable of running the real embedded software application without any change.
To fully simulate a complete hardware platform, one must simulate the processors and co-processors, together with the peripherals such as network controllers, graphics controllers, USB controllers, etc. A commonly used solution is the combination of some ISS (Instruction Set Simulator) connected to a Hardware Description Language (HDL) simulator, in a co-simulation environment such as , . Some communication and synchronization must be designed and maintained between the two using some inter-process communication (IPC), which slows down the process.
The idea we pursue is to combine hardware modeling and fast simulation into a fully integrated, software based simulation environment, which uses a single simulation loop thanks to Transaction Level Modeling (TLM) combined with a new ISS technology designed specifically to fit within the TLM environment.
The most challenging way to enhance simulation speed is to simulate the processors. Processor simulation is achieved with Instruction Set Simulation (ISS). There are several alternatives to achieve such simulation. In interpretive simulation, each instruction of the target program is fetched from memory, decoded, and executed. This method is flexible and easy to implement, but the simulation speed is slow as it wastes a lot of time in decoding. Interpretive simulation is used in Simplescalar . Another technique to implement a fast ISS is dynamic translation , which has been favored by many implementors , , , in the past decade.
There are many ways of translating binary code into cached data, which each come at a price, with different trade-offs between the translation time and the obtained speed up on cache execution. Also, simulation speed-ups usually don't come for free: most of time there is a trade-off between accuracy and speed. There are two well known variants of the dynamic translation technology: the target code is translated either directly into machine code for the simulation host, or into an intermediate representation, independent from the host machine, that makes it possible to execute the code with faster speed. A challenge in the development of high performance simulators is to maintain simultaneously fast speed and simulation accuracy. In the Tempo project, we expect to develop a dynamic translation technology satisfying the following additional objectives:
provide different levels of translation with different degrees of accuracy so that users can choose between accurate and slow (for debugging) or less accurate but fast simulation.
to take advantage of multi-processor simulation hosts to parallelize the simulation;
to define intermediate representations of programs that optimize the simulation speed and possibly provide a more convenient format for studying properties of the simulated programs.
Another objective of the Tempo simulation is to extract information from the simulated applications in order to prove system properties. One can use model based tools to generate tests that can be run on the simulator to check whether the test fails or not on the real application. The project is considering an approach as illustrated in Figure
Thus, it is also a goal of Tempo activities to use such formal methods tools to detect failures, either by generating tests, or by using formal methods tools to analyze the results of simulation sessions.
Since last decade, we have witnessed rapid development in embedded system domain. More and more state-of-the-art embedded systems adopt the heterogeneous multi-processor platform rather than the platform with single core. To achieve better quality and performance, the design paradigm shift from simple control system to complex heterogeneous Cyber-Physical Systems (CPS) is gaining more interests. Increasing complexity coupled with time-to-market pressure create a critical need to validate heterogeneous embedded system designs. The functional validation is thus widely acknowledged as a major bottleneck in embedded system design. To guarantee the reliability of heterogeneous embedded systems, up to 70% of the overall design time and resources are spent on functional validation.
From the verification point of view, the major objective of this project is to reduce the overall validation efforts in the top-down design flow of embedded system design using the high-level specifications. In this project, we plan to address the following three major problems:
Formal modeling of high-level specifications. We want to investigate how to model heterogeneous systems with multiple models of computation (MoC) and how to extract the formal models from system-level specifications to enable automated analysis.
Efficient validation of system-level specifications with minimum effort. The idea here is to investigate the automated directed test generation from high-level specification validation and explore various approaches and techniques to further reduce the directed test generation time (eliminate redudant tests).
Consistency checking between different abstraction layers. We also want to explore the possibility of reusing high-level validation efforts for low-level implementation validation as well as to check the consistency between different abstraction layers.
In conclusion, this project targets to improve the effectiveness and efficiency of functional validation of heterogeneous embedded systems. We believe that our approaches can not only enhance the reliability of heterogeneous embedded systems, but also reduce the time-to-market.
The overall project is geared towards the development of complex heterogeneous cyber physical systems that require high reliability such as nuclear power, energy distribution, industry automation and transportation, where formal verification methods are necessary.
Simulation is relevant to most areas where complex embedded systems are used, not only to the semiconductor industry for System-on-Chip modeling, but also to any application where a complex hardware platform must be assembled to run the application software. It has applications for example in industry automation, digital TV, telecommunications and transportation.
Manual testing is tedious. Automated testing makes it possible to increase test coverage while also minimizing the amount of redundancy created by manual testing.
We have continued to work on the SimSoC virtual prototyping framework distributed by Inria. Because of issues in the design of the Power Architecture simulator, we did a redesign of the Power simulator and a new implementation, so that we can simulate in the future both the Power Classic and Power Extended architectures in both 32 bits or 64 bits. We also contributed new extensions as described below.
The project was created.
Existing fast simulators such as SimSoC are Loosely Timed. They evaluate the time taken by instructions executed based on an average model. Typically, the clock value is increased by a constant K every N instructions. This is sufficient to test application software with time-outs or to synchronize multicore applications, but it cannot provide a reasonable performance estimate of the embedded software.
To obtain precise parformance estimate, a common practice is to run the software on Cycle Accurate simulators, which provides a performance measure absolutely correct, but take a very long time. This is becoming a bottleneck. In fact, in many cases the software developers need some performance estimate, but do not require cycle precision. The idea of “Approximately Timed” simulation is to provide a fast simulation that can be used by software developers, and yet provide performance estimate. The goal of approximately timed simulation is to provide estimates that are within a small margin error from the real hardware, but at a simulation speed that is an order of magnitude faster than a cycle accurate one.
It is possible to maintain fast simulation, (though slower than Loosely Timed) whereas predicting reasonably accurate performance. The challenge is to come up with an abstract model of the processor that does not simulate the processor at cycle level but simulate enough to measure elapsed time with good precision. The approach is the following: a modern processor in nominal mode executes at least one instruction per clock cycle. If it does not do so, it is because there is a delay, whether a cache miss, a pipe line stall, etc. If one can simulate enough of the system so that the cause of the delays can be reproduced in the simulation and the delays evaluated, although the details of the system are not reproduced exactly, then the delays estimate may be accurate enough to provide an acceptable margin error. Moreover some of these computation can be done only once, not for each iteration of a loop.
In our work, we are considering only the processor model and we rely upon TLM interface to the interconnect for peripheral access to provides us with timing delays. We estimate the performance by using static analysis of the application control flow graph combined with a minimum of dynamic computation in order to maintain a reasonable simulation speed. We have developed such a fast Approximately Timed ISS, that does not fully simulate the hardware, yet provides good precision estimates, and does not use stastistical methods. Our approach consists in developing a higher abstraction model of the processor (than the CA models) that still executes instructions using fast SystemC/TLM code, but in parallel maintains some architecture state to measure the delays introduces by cache misses and pipe line stalls, although the pipe line is not really simulated. This work will be published in 2015 in volume 68 of the WIT Transactions on Information and Communication Technologies (ISBN 978-1-78466-054-3) .
Developing a simulator for a complete processor represents a lot of work when it is manual coding, and it is error-prone. Several efforts have been made to generate partly or entirely simulators. The dominant approach in the past years has been to use a high level description language of the processor and to generate code with the language compiler, such as LISA , MIMOLA , EXPRESSION-ADL . But still, the architecture is described manually into the high level language. It is interesting to explore new architectures, but has the same issues as manual coding for simulation of commercial off-the-shelf processors such as ARM an Power architectures. Of course this approach only makes sense if the vendor has at least some semi-formal description of the architecture, which is not the case for Intel, but is the case for ARM, PowerPC and SH.
In order to automatically generate simulators from the vendor specification, we have initiated a new approach: generating the simulator from the specification of the hardware vendor as available from their web site as .pdf document. After a relatively successful initiative using ad-hoc tools, we wanted to pursue this work in a more robust and industrial context, using XML to generate an XML model of the instruction set from the vendor specification in .pdf, formalize some XML model transformations and finally generate directly the simulator code in C++. In addition, we wanted the translator to be architecture independent, not making any assumption during the translation process. However, this work is hitting difficult issues due to the fact that the vendor specification is incomplete and we have to do more manual architecture specific complements to the specification that we anticipated, which seriously weakens the project objective.
Under the increasing complexity together with the time-to-market pressure, functional validation is becoming a major bottleneck of smart applications running on mobile platforms (e.g., Android, iOS).Unlike traditional software, smartphone applications are reactive and GUI (Graphical User Interface) intensive. The execution of smartphone applications heavily relies on the interactions with users. Manual GUI testing is extremely slow and unacceptably expensive in practice. However, the lack of formal models of user behaviors in the design phase hinders the automation of GUI testing (i.e., test case generation and test evaluation). While thorough test efforts are required to ensure the consistency between user behavior specifications and GUI implementations, few of existing testing approaches can automatically utilize the design phase information to test complex smartphone applications. Based on UML activity diagrams, we propose an automated GUI testing framework called ADAutomation, which supports user behavior modeling, GUI test case generation, and post-test analysis and debugging. The experiments using two industrial smartphone virtual prototypes demonstrate that our approach can not only drastically reduce overall testing time, but also showed to improve the quality of designs.
SAT-based Bounded Model Checking (BMC) is promising for automated generation of directed tests. Due to the state space explosion problem, SAT-based BMC is unsuitable to handle complex properties with large SAT instances or large bounds. In this work, we propose a framework to automatically scale down the SAT falsification complexity by utilizing the decision ordering based learning from decomposed sub-properties. Our framework makes three important contributions: i) it proposes learning-oriented decomposition techniques for complex property falsification, ii) it proposes an efficient approach to accelerate the complex property falsification using the learning from decomposed sub-properties, and iii) it combines the advantages of both property decomposition and property clustering to reduce the overall test generation time. The experimental results using both software and hardware benchmarks demonstrate the effectiveness of our framework.
The TEMPO project belongs to the LIAMA laboratory in China. The project is hosted by East China Normal University Software Engineering Institute.
The projects is run in collaboration with East China Normal University Software Engineering Institute and Netherlands CWI.
The project is run within the context of China LIAMA laboratory.
Vania Joloboff was invited for a short stay at Academia Sinica in Taipei Taiwan, in October 2014.
Vania Joloboff jointly organized with ECNU staff the LIAMA Open Day in Shanghai in July 2014
Vania Joloboff jointly organized and chaired a session at the LIAMA Workshop for collaboration between Europe and China in May 2014.
Mingsong Chen was invited to served as a Session Chair of the conference SERE 2015.
Vania Joloboff is program committee member of DATE conference workshop on Model Implementation Fidelity.
Mingsong Chen served as a Program Committee member of International Conference on VLSI Design.
Mingsong Chen served as a Program Committee member of the conference SAC 2015.
Mingsong Chen served as a Program Committee member of the conference DATE 2015.
Mingsong Chen was a reviewer for the conferences VLSID 2015, SAC 2015, DATE 2015, DAC 2015.
Mingsong Chen serves as an associate editor of Journal of Circuits, Systems and Computers.
Virtual Prototyping
Vania Joloboff : Virtual Prototyping, ECNU SEI
Master Students
Mingsong Cheng and Vania Joloboff started supervision of several Master and PhD. students at East China Normal University.
Vania Joloboff was jury member of PhD defence for Yanwen Chen, a double PhD degree of East China Normal University and University of Nice.