CS:4980FoundationsofEmbeddedSystems

Copyright 20014-16, Rajeev Alur and Cesare Tinelli. Created by Cesare Tinelli at the University of Iowa from notes originally developed by Rajeev Alur at the University of Pennsylvania. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

TimedModel

ModelsofReactiveComputationq Synchronousmodel

§ Componentsexecuteinasequenceofdiscreteroundsinlock-step§ Computationwithinaround:Executealltasksinanorderconsistent

withprecedenceconstraintsq Asynchronousmodel

§ Speedsatwhichdifferentcomponentsexecuteareindependent§ Computationwithinastep:Executeasingletaskthatisenabled

q Continuous-timemodelfordynamicalsystem§ Synchronous,butnowtimeevolvescontinuously§ Executionofsystem:Solutiontodifferentialequations

q Timedmodel§ Likeasynchronousforcommunicationofinformation§ Canrelyonglobaltimeforcoordination

ExampleTimedModel

clockx:=0off

press?–>x:=0dim bright

press?

(press&x>=1)?(press&x<=1)?

Initialstate: (mode=off,x=0)Timedtransition:(off,0)–0.5–>(off,0.5)Inputtransition: (off,0.5)–press?–> (dim,0)Timedtransition:(dim,0)–0.8–> (dim,0.8)Inputtransition: (dim,0.8)–press?–> (bright,0.8)Timedtransition:(dim,0.8)–1–> (dim,1.8)Inputtransition: (dim,1.8)–press?–> (off,1.8)

ExampleTimedModel

q Clockvariables§ Testsandupdatesinmode-switcheslikeothervariables§ New: Duringatimedtransitionofdurationd,thevalueof

clockvariablesincreasesbyanamountequaltodq Timingconstraint:Settingx to0 foroff–>dimandguardx<=1

fordim–>bright specifiesthattimingofthesetwotransitionsis<=1 apart

clockx:=0off

press?–>x:=0dim bright

press?

(press&x>=1)?(press&x<=1)?

Example:TimedBuffer

bool in bool out

q Bufferwithaboundeddelay

q Behavior:Inputreceivedonchannelinistransmittedonoutputchanneloutafteradelayofd,withLB<=d<=UB(i.e.weknowlowerandupperboundsonthisdelay)

ModelingTimedBuffer

clocky:=0

in?–>x:=in;y:=0

in?

q Modeindicateswhetherthebufferisfullornotq Statevariablex remembersthelastinputvaluewhenbufferisfullq Clockvariabley tracksthetimeelapsedsincebufferfilledupq Whenbufferisfull,inputeventsareignoredq Guardy>=1ensuresthatatleast1 timeunitelapsesinmodeFull

Howtoensurethatmode-switchfromFull toEmpty isexecutedbeforeclocky exceedstheupperbound1?

FullEmpty

y>=1–>out:=x

ClockInvariants

q Theconstrainty<=1associatedwithmodeFull isaclockinvariant

q Atimedtransitionofdurationd isallowedonlyiftheclockinvariantissatisfiedfortheentiredurationofthetransition§ (Full,x,0.8)–0.7–> (Full,x,1.5) allowed§ (Full,x,0.8)–1.4–> (Full,x,2.2) disallowed

q Clockinvariantstolimithowlongaprocessstaysinamode

clocky:=0

in?–>x:=in;y:=0

in?

Fully<=2

Empty

y>=1–>out:=x

ExamplewithTwoClocks

clockx,y:=0

in?–> x:=0

q Inputevent:inq Outputevents:out1,out2q Twoclockvariables:x,yq Astimepasses,bothclocksincrease(andatthesamerate)q Sampletimedtransitionsfromstate(mode,x,y)=(Wait2,0.8,0):

(Wait2,0.8,0)–0.3–>(Wait2,1.1,0.3)–0.72–>(Wait2,1.82,1.02)

Wait1x<=1

Idle

y>=1–> out2!

out1!; y:=0Wait2x<=2

TwoClockExample

q Clockx trackstimeelapsedsincethelastinputeventq Clocky trackstimeelapsedsincetheoutputeventq Whatisthebehaviorofthismodel?q Ifinputeventoccursattimet,theprocessissuesanoutputeventon

channelout1 attimet’ withintheinterval[t,t+1],andthenonchannelout2 attimet’’withintheinterval[t’+1,t+2]

clockx,y:=0

in?–> x:=0Wait1x<=1

Idle

y>=1–> out2!

out1!; y:=0Wait2x<=2

ExampleSpecification

q ConsideratimedprocesswithInput:eventx Output:eventy, eventz

q Desiredbehavior§ Foreachinput,producebothoutputevents§ Timedelaybetweenx? andy! isintheinterval[2,4]§ Timedelaybetweenx? andz! isintheinterval[3,5]§ Ignorelaterinputsreceivedintheseintervals

DefinitionofTimedProcessq AtimedprocessTP consistsof

1. AnasynchronousprocessP,wheresomeofthestatevariablescanbeoftypeclock (rangingnon-negativereals)

2. AclockinvariantCI,aBooleanexpressionoverP’sstatevariables

q Inputs,outputs,states,initialstates,internalactions,inputactions,andoutputactionsexactlyasintheasynchronousmodel

q Notation:Forastates andtimet,lets+t denotethestatesuchthat§ (s+t)(x)=s(x)+t foreveryclockvariablex,and§ (s+t)(y)=s(y)foreverynon-clockvariabley

q Timedactions:Givenastates andatimed>0,s–d–>s+d isatransitionofdurationd aslongasthestates+t satisfiesinvariantCIforallt in[0,d]Note: Ifaclock-invariantisaconvexconstraintthenitissufficienttocheckthattheend-statess ands+d satisfyCI

CompositionofProcesses

bool in boolout1

q Howtoconstructtimedprocesscorrespondingtothecompositionofthetwoprocesses?

q Whatarethepossiblebehaviorsofthecompositeprocess?

boolout2

TimedBuf1

TimedBuf2

CompositionofTimedProcesses

clocky1:=0

in?–> x1:=in;y1:=0

in?

Fully1<=UB1Empty

y1>=LB1–> out1:=x1TimedBuf1

clocky2:=0

in?–> x2:=in;y2:=0

in?

Fully2<=UB2

Empty

y2>=LB2–> out2:=x2TimedBuf2

Thecompositeprocesshasfourmodes:(Empty,Empty),(Empty,Full),(Full,Empty),(Full,Full),

CompositionofTimedProcesses

(mode=EF=>y2<=UB2)&(mode=FF=>y1<=UB1&y2<=UB2)&(mode=FE=>y1<=UB1)

CompositionofProcesses

q IfUB1<LB2thenout1 guaranteedtooccurbeforeout2§ Implicitcoordinationbasedonboundsondelays

q Isitpossibletoobservetwoout1eventswithoutaninterveningout2event?§ Dependsonrelativemagnitudesofbounds(needtiminganalysis!)

bool in boolout1

boolout2

TimedBuf1

TimedBuf2

DefinitionofParallelCompositionq ConsidertimedprocessesTP1 =(P1,CI1)andTP2 =(P2,CI2)

q WhenistheparallelcompositionTP1 |TP2 defined?§ ExactlywhentheasynchronousparallelcompositionP1 |P2

isdefined(thatis,whentheoutputsofthetwoaredisjoint)

q TP1|TP2=(P1 |P2,CI1 &CI2)§ AsynchronouscompositionofP1andP2 definestheinternal,

inputandoutputactionsofthecomposite§ Conjunctionoftheclock-invariantsdefinestheclock-

invariantofthecomposite

q Consequence:Thecompositeprocesscanallowatimedactionofdurationd exactlywhenboth TP1 andTP2 canwaitfortimed

BlockDiagrams

q Componentscanbetimedprocessesnow§ Operation:instantiation(input/outputvariablerenaming),parallel

composition,andvariablehiding

q Astepofthecompositesystemiseither1. Aninternalstepofoneofcomponents2. Acommunication(input/output)stepinvolvingrelevantsender

andreceivers3. Atimedstepinvolvingallthecomponents

TimedModel

q Timedmodelissometimescalledthesemi-synchronousmodel(mixofasynchronousandsynchronous)

q Definitions/conceptsthatcarryovernaturallyfromthosemodels:§ Executionsofatimedprocess§ Transitionsystemassociatedwithatimedprocess§ Safety/liveness requirements

q Distributedcoordinationproblems:howcanweexploittheknowledgeoftimingdelaystodesignprotocols?

Recall:SharedMemoryAsynchronousProcesses

q ProcessesP1andP2communicatebyreading/writingsharedvariables

q Eachsharedvariablecanbemodeledasanasynchronousprocess§ Stateofeachsuchprocessisthevalueofcorrespondingvariable§ Inimplementation,sharedmemorycanbeaseparatesubsystem

q Readandwritechannelbetweeneachprocessandeachsharedvariable§ Towritex,P1synchronizeswithxonx.write1channel§ Toreadx,P2synchronizeswithx onx.read2channel

x.write1

P1

x

y

P2y.write1

y.read2

y.write2

x.read2

x.write2

y.read1

x.read1

SharedMemoryProgramswithAtomicRegisters

AtomicReg nat x:=0

ProcessP1

nat y1:=0

y1:=x

x:=y1+1

ProcessP2

nat y2:=0

y2:=x

x:=y2+1

Declarationofsharedvariables+codeforeachprocess

Keyrestriction:Eachstatementofaprocesseither

changeslocalvariables,readsasinglesharedvar,orwritesasinglesharedvar

Executionmodel:executeonestepofoneoftheprocesses

Whatifweknewlowerandupperboundsonhowlongareadorawritetakes?Couldwesolvecoordinationproblemsbetter?

AsynchronousExecutionModel

nat x:=0;y:=0

Ax:x:=x+1

Ay:y:=y+1

q TasksAx andAy executeinanarbitraryorder

q Foreverypossiblechoiceofnumbersm andn,thestate(m,n)isreachable

q Recall:Fairnessassumptionscanbeusedtoruleoutexecutionswhereoneofthetasksisignoredforever(althoughthisdoesnotaffectthesetofreachablestates)

q Whatifweknowhowlongeachoftheseincrementstake?

(x,y)

TimedIncrements

q TaskAx incrementsx,andthistakesbetween1 to2 timeunits

q TaskAy incrementsy,andthisalsotakesbetween1 to2 timeunitsq Twotasksexecuteinparallel,asynchronously,buttimingintroduces

loosecoordinationq Whichstatesarereachable?Whatistherelationshipbetweenmand

n sothatthestate(m,n)isreachable?

clocku:=0nat x:=0

u>=1–>x:=x+1;u:=0

u<=2

clockv:=0nat y:=0

v>=1–> y:=y+1;v:=0

v<=2

q Safetyrequirement:processesshouldnotbothbeincriticalsectionsimultaneously(canbeformalizedusinginvariants)

q Absenceofdeadlocks:ifanyprocessistryingtoenter,thensomeprocessshouldbeabletoenter

ProcessP1

EntryCode

CriticalSection

Tobedesigned

ProcessP2

EntryCode

CriticalSection

MutualExclusionProblem

MutualExclusion:IncorrectSolutionAtomicReg {0,1,2}Turn:=0

Whatistheproblem?

ProcessP1

Idle Try1Turn=0?

Crit

else

Turn:=0

Try2Turn:=1

ProcessP2

Idle Try1Turn=0?

Crit

else

Turn:=0

Try2Turn:=2

Timing-basedMutualExclusion

1. Beforeenteringcriticalsection,readthesharedvariableTurn2. IfTurn!=0thengotostep1andtryagain3. IfTurn=0thensetTurn toyourID

Proceedingdirectlytocriticalsectionisaproblem(sincetheotherprocessmayalsohaveconcurrentlyreadTurn tobe0,andupdatingTurn toitsownID).Solution:

4. Delayandwaittillyouaresurethatconcurrentwritesarefinished

5. ReadTurn again:ifTurn equalsyourownIDthenproceedtocriticalsection;otherwise,gotoStep1andtryagain

6. Whendonewithcriticalsection,setTurn backto0

Fisher’sMutualExclusionProtocol

AtomicReg Turn:=0

Idlenat y,clockx

Testy:=Turn Set

Delay

y=0–> Turn:=myID

y!=0?

;x:=0x<=Δ1

Timingassumption:writingTurn takesatmostΔ1

Checkx>=Δ2 –> y:=Turn x:=0

Crit

y=myID ?

y!=myID ?Turn:=0

Whydoesthiswork?

WaitforatleastΔ2 timeunits,andreadTurn again

PropertiesofTimedFisher’sProtocolq AssumingΔ2 >Δ1,thealgorithmsatisfies:

§ Mutualexclusion:Twoprocessescannotbeincriticalsectionsimultaneously

§ Deadlockfreedom:Ifaprocesswantstoentercriticalsectionthensomeprocesswillentercriticalsection

q Protocolworksforarbitrarilymanyprocesses(notjust2)§ Incontrast,intheasynchronousmodel,mutualexclusion

protocolforN processesislotmorecomplexthanPeterson’salgorithm

q Exercise:Doestheprotocolsatisfythestrongerpropertyofstarvationfreedom(ifaprocesswantstoentercriticalsectiontheniteventuallywill)?

q Exercise:IfΔ2 <=Δ1 doesmutualexclusionhold?Deadlockfreedom?

TimedCommunication

q Supposeasenderwantstotransmitasequenceofbitstoareceiverconnectedbyacommunicationbus

q Naturalstrategy:Dividetimeintoslots,andineachslottransmitabitusinghigh/lowvoltagevaluestoencode0/1

q Manchesterencoding:0 encodedasafallingedge,and1encodedasarisingedge

TimedCommunicationChallenges

q Senderandreceiverknowthedurationofeachtimeslot,but…q Receiverdoesnotknowwhenthecommunicationbegins

§ Whenidle,thevoltageissettolowq Receivercannot reliablydetectfallingedgesq Senderandreceiverclocksaresynchronizedimperfectlyduetodrift

§ Whenaclockx is1,actualelapsedtimeisininterval[1-ε,1+ε]§ Sinceinthetimedmodelclocksareconsideredtobeperfect,

wecancapturethiserrorbyusingx<=1+ε insteadofx<=1,and1-ε <=xinsteadof1<=x

q Addressingthechallenges:§ Allmessagesstartwith1 andendwith00§ Processesusetiminginformationtotransmit0s

AudioControlProtocol

q ProtocoldevelopedbyPhilipstoreliablytransmitmessagesinpresenceofimperfectclocks

q Designlogicforreceivertomapmeasureddelaysbetweensuccessiveraisingedgestosequenceofbits

q Verification:Provethatmessagetransmissionisreliableforagivendriftrateε

q Optimization:Findthelargestskewvaluethattheprotocoltolerates

AudioControlSystem

SenderProcess

ReceiverProcess

ExecutionExample

Credits

NotesbasedonChapter7of

PrinciplesofCyber-PhysicalSystemsbyRajeevAlurMITPress,2015