A Formal Model of Clock Domain Crossing and Automated Verification of Time-Triggered Hardware

Morin-Allory

Lecture Notes in Electrical Engineering

et al. 2016

The context of this research is the design of large circuits, assembling IP's and blocks coming from various design teams, each with their own clock. As an example, circuits for games or set top box applications easily include in excess of 25 blocks. To guarantee low power consumption, the clock of a block is set at the lowest frequency compatible with the block needed execution time. Thus, all the clocks have their own speed, and there is no guarantee that clock cycles are multiple of a basic master clock, nor that two clocks are phased.Each block constitutes a clock domain, and any two clock domains are considered mutually asynchronous: the design is globally asynchronous locally synchronous (GALS). Clock domain crossing (CDC) is the transmission of information between two clock domains. A synchronizing module (called synchronizer hereafter) is needed to connect a source signal, output of a flip-flop in a transmitter domain, to the input of a destination flip-flop in a receiver domain, because the sampling by the receiver clock may happen before the input signal has reached its correct stable value. It is therefore essential to guarantee the correctness of the communication protocol and the synchronization between the modules [4].One technique consists in implementing monitors in the design, which perform online checking and correction during the circuit operation [10,11]. The drawback

Section: Cdc Design Methodsmentioning

confidence: 96%

Enabler-Based Synchronizer Model for Clock Domain Crossing Static Verification

Morin-Allory

Lecture Notes in Electrical Engineering

et al. 2016

FM 2009: Formal Methods

“…Theorem provers have been frequently and successfully applied for the analysis of clock synchronization protocols, see for instance [26,27]. An interesting research challenge is to synthesize (or prove the correctness of) the parameter constraints for the Chess protocol fully automatically.…”

Section: Conclusion and Related Workmentioning

confidence: 99%

Analysis of a Clock Synchronization Protocol for Wireless Sensor Networks

Heidarian

Schmaltz

Vaandrager

2009

Self Cite

Abstract. The Dutch company Chess develops a wireless sensor network (WSN) platform using an epidemic communication model. One of the greatest challenges in the design is to find suitable mechanisms for clock synchronization. In this paper, we study a proposed clock synchronization protocol for the Chess platform. First, we model the protocol as a network of timed automata and verify various instances using the Uppaal model checker. Next, we present a full parametric analysis of the protocol for the special case of cliques (networks with full connectivity), that is, we give constraints on the parameters that are both necessary and sufficient for correctness. These results have been checked using the proof assistant Isabelle. Finally, we present a negative result for the special case of line topologies: for any instantiation of the parameters, the protocol will eventually fail if the network grows.

“…Because time-triggered systems can make hard real-time guarantees and possess fault-tolerance properties, they are being developed for next-generation fly-by-wire and drive-by-wire systems; some noteworthy examples include Honeywell's SAFEbus, TTTech's Time-Triggered Architecture (TTA), NASA's SPIDER, and FlexRay, being designed by an industrial consortium [Rus01]. Recent work is particularly focusing on how to model and verify these systems end-to-end-from the distributed fault-tolerant protocols to the hardware [Pik07, KP06,Sch07]. Our contribution is a simple way to verify the physical-layer of the distributed systems.…”

Section: Future Workmentioning

confidence: 99%

Automated verification and refinement for physical-layer protocols

Brown

Pike

2011

Form. Asp. Comput.

Abstract. This paper demonstrates how to use a satisfiability modulo theories (SMT) solver together with a bounded model checker to verify properties of real-time physical layer protocols. The method is first used to verify the Biphase Mark protocol, a protocol that has been verified numerous times previously, allowing for a comparison of results. The techniques are extended to the 8N1 protocol used in universal asynchronous receiver transmitters (UARTs). We then demonstrate the use of temporal refinement to link a finite state specification of 8N1 with its real-time implementation. This refinement relationship relieves a significant disadvantage of SMT approaches-their inability to scale to large problems. Finally, capturing the impact of metastability on timing requirements is a key issue in modeling physical-layer protocols. Rather than model metastability directly, a contribution of our models is treating its effect as a constraint on non-determinism.