



# Towards Automatic Program Specification Using SME Models

Communicating Process Architectures 2018 - Technische Universität Dresden

#### Alberte Thegler, Mads Ohm Larsen, Kenneth Skovhede, and Brian Vinter

Niels Bohr Institute, University of Copenhagen, Denmark







4th June 1996

Total failure on launch

Converting a 64-bit floating point number to a signed 16-bit integer.

The overflow triggered the self-destruct mechanism in both the primary and the backup computer.

No people were harmed.







25th February 1991, in the Persian Gulf War

A Patriot missile failed to intercept an incoming "Scud".

Conversion of the time since last boot from an integer to a real number was performed using a 24-bit register.

The Patriot missile missed the Scud, which struck a U.S. Army barracks, killing 28 soldiers.



## Why should we verify hardware?

Because, as these examples have shown, the risk of not verifying can be devastating.

Financial losses running into the millions

Loss of human life



## What have we done?

A transpiler that translates SMEIL code to $CSP_M$ so that SME models can be verified with FDR4.






## How do we use SME?

The SME model builds on the CSP algebra, and therefore every SME model has a corresponding CSP model.

We transpile not only the SME network but also all the SME processes and their content.

SME can be translated sequentially, which simplifies the transpilation.




## How do we use SMEIL?

SMEIL was introduced by Truls Asheim in the previous presentation.

We transpile from SMEIL to $CSP_M$ and then verify the result in FDR4.

The transpiler currently only works with pure SMEIL programs.








Figure. Digital clock with six seven-segment displays, displaying 12:34:56.

Seconds since midnight

Arithmetic calculates hours, minutes and seconds respectively

Two seven-segment displays per time process





Figure. SMEIL network for a seven-segment display clock. Each SMEIL process is represented by a circle with a letter corresponding to the processes Input, Hours, Minutes, and Seconds respectively.




One seven-segment display can only display the numbers 0-9.

4 bits can represent 0-15, which is more than needed.

We can verify that the values communicated to all the seven-segment displays do not exceed the expected values.

In this case we can restrict the assertions further: hours will never be more than 24, etc.

In general, we verify the values communicated on $CSP_M$ channels.



SMEIL code:

```
proc seconds (in seconds_in)
    bus seconds_out {first_digit: u3 range 0 to 5;
                     second_digit: u4 range 0 to 9;};
    var seconds: u6 range 1 to 59;
    var seconds_first_temp: u3 range 0 to 5;
    var seconds_second_temp: u4 range 0 to 9;
{
    seconds = seconds_in.val % 60;
    seconds_first_temp = seconds / 10;
    seconds_second_temp = seconds % 10;
    seconds_out.first_digit = seconds_first_temp;
    seconds_out.second_digit = seconds_second_temp;
}
```




## The transpiling

SMEIL bus to CSP<sub>M</sub> channel

CSP<sub>M</sub> process structure

The monitor process




## SMEIL bus to CSP<sub>M</sub> channel

SMEIL code:

```
proc seconds (in seconds_in)
    bus seconds_out {first_digit: u3 range 0 to 5;
                     second_digit: u4 range 0 to 9;};
```

CSP<sub>M</sub> code:

```
channel seconds_out_first_digit : {0..7}
channel seconds_out_second_digit : {0..15}
```




## CSP<sub>M</sub> process structure

SMEIL code:

```
proc seconds (in seconds_in)
    bus seconds_out {first_digit: u3 range 0 to 5;
                     second_digit: u4 range 0 to 9;};
    var seconds: u6 range 1 to 59;
    var seconds_first_temp: u3 range 0 to 5;
    var seconds_second_temp: u4 range 0 to 9;
{
    seconds = seconds_in.val % 60;
    seconds_first_temp = seconds / 10;
    seconds_second_temp = seconds % 10;
    seconds_out.first_digit = seconds_first_temp;
    seconds_out.second_digit = seconds_second_temp;
}
```

CSP<sub>M</sub> code:

```
Seconds (seconds_in) =
    let
        seconds = seconds_in % 60
        seconds_first_temp = seconds / 10
        seconds_second_temp = seconds % 10
    within
        seconds_out_first_digit ! seconds_first_temp ->
        seconds_out_second_digit ! seconds_second_temp ->
        SKIP
```



## The monitor process

SMEIL code:

```
proc seconds (in seconds_in)
    bus seconds_out {first_digit: u3 range 0 to 5;
                     second_digit: u4 range 0 to 9;};
```

CSP<sub>M</sub> code:

```
Seconds_out_first_digit_monitor(c) =
    c ? x -> if 0 <= x and x <= 5 then SKIP else STOP

Seconds_out_second_digit_monitor(c) =
    c ? x -> if 0 <= x and x <= 9 then SKIP else STOP
```



## Seven segment display clock

CSP<sub>M</sub> code:

```
channel seconds_out_first_digit : {0..7}
channel seconds_out_second_digit : {0..15}

Seconds (seconds_in) =
    let
        seconds = seconds_in % 60
        seconds_first_temp = seconds / 10
        seconds_second_temp = seconds % 10
    within
        seconds_out_first_digit ! seconds_first_temp ->
        seconds_out_second_digit ! seconds_second_temp ->
        SKIP

Seconds_out_first_digit_monitor(c) =
    c ? x -> if 0 <= x and x <= 5 then SKIP else STOP

Seconds_out_second_digit_monitor(c) =
    c ? x -> if 0 <= x and x <= 9 then SKIP else STOP

N_seconds = clock_out_val ? variable ->
    ((Seconds (variable)
        [| {| seconds_out_first_digit |} |]
      Seconds_out_first_digit_monitor(seconds_out_first_digit))
        [| {| seconds_out_second_digit |} |]
      Seconds_out_second_digit_monitor(seconds_out_second_digit))

assert SKIP [F= N_seconds \ Events
```
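The bus-to-channel rule, the monitor processes and the refinement check on the preceding slides can be exercised outside FDR4 with a small Python sketch. This is an added example, not the authors' transpiler: it parses the slides' bus declaration, emits the channel and monitor text shown above (bit width for the channel type, range for the monitor bounds), and drives the seconds arithmetic over every clock value with the monitor bounds applied. The function names and the regex-based parser are assumptions of this example.

```python
import re

# Constructed sample input: the bus declaration of the seconds process from the slides.
SMEIL_BUS = """bus seconds_out {first_digit: u3 range 0 to 5;
                 second_digit: u4 range 0 to 9;};"""

BUS_RE = re.compile(r"\s*bus\s+(\w+)\s*\{(.*)\}\s*;", re.S)
FIELD_RE = re.compile(r"(\w+)\s*:\s*u(\d+)\s+range\s+(\d+)\s+to\s+(\d+)\s*;")

def parse_bus(decl):
    """Return (bus_name, [(field, bits, lo, hi), ...]) for one SMEIL bus declaration."""
    m = BUS_RE.match(decl)
    if not m:
        raise ValueError("not a bus declaration")
    fields = [(f, int(b), int(lo), int(hi)) for f, b, lo, hi in FIELD_RE.findall(m.group(2))]
    return m.group(1), fields

def channel_decl(bus, field, bits):
    """CSP_M channel typed by the full unsigned bit width (u3 -> {0..7}), not by the range."""
    return f"channel {bus}_{field} : {{0..{2 ** bits - 1}}}"

def monitor_proc(bus, field, lo, hi):
    """Monitor that reads one value and STOPs (deadlocks) if it leaves the declared range."""
    return (f"{bus.capitalize()}_{field}_monitor(c) =\n"
            f"    c ? x -> if {lo} <= x and x <= {hi} then SKIP else STOP")

def transpile_bus(decl):
    """Emit the channel declarations and monitor processes for every field of a bus."""
    bus, fields = parse_bus(decl)
    channels = [channel_decl(bus, f, bits) for f, bits, _, _ in fields]
    monitors = [monitor_proc(bus, f, lo, hi) for f, _, lo, hi in fields]
    return channels, monitors

def seconds_process(seconds_in):
    """Arithmetic of the seconds process: (first_digit, second_digit) for one clock value."""
    seconds = seconds_in % 60
    return seconds // 10, seconds % 10

def monitored_run(decl, inputs):
    """Drive seconds_process over inputs with the monitors attached (an explicit-state stand-in
    for the FDR check); return the first (input, field, value) outside its range, or None."""
    _, fields = parse_bus(decl)
    for value in inputs:
        for (field, _, lo, hi), x in zip(fields, seconds_process(value)):
            if not (lo <= x <= hi):
                return (value, field, x)
    return None
```

Running `monitored_run(SMEIL_BUS, range(86400))` returns `None`, which is the explicit-state counterpart of the refinement `SKIP [F= N_seconds \ Events` passing: no monitor ever reaches STOP.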

## Results - time to verify in FDR4?

The seven segment example has been run on an Intel(R) Xeon(R) CPU E5-2698 v4 @ 2.20GHz.

The example was run x times and the average was measured.




With this system we can transpile hardware models to $CSP_M$.

Verify values on the $CSP_M$ channels.

Verify the original hardware model.

Extract specification.




## Future work

Hardware/software co-simulation

Creating more extensive examples to show the possibilities of the system



## Questions?

Thank you!

Feel free to ask anything.

