CPE555A: Real-Time Embedded Systems
Lecture 12
Ali Zaringhalam
Stevens Institute of Technology
Spring 2016

Outline
- Termination Transition
- Asynchronous cascade FSM

CS555A – Real-Time Embedded Systems Stevens Institute of Technology

Simplifying FSM Description
- We can use default, immediate and non-deterministic behavior to simplify FSM modeling

Three Solutions
- Brute-force deterministic solution
- Simplified non-deterministic solution with default and immediate transitions
- Solution with termination transition

Brute Force Solution

A Better Solution
- Why make these transitions non-deterministic?

- The refinement of a state is another nested FSM.
- The outer FSM is in state B if the refinement of B is in either C or D.
- Hierarchy supports code reuse
  - An existing FSM can be nested into a higher-level FSM

Termination Transition
- A termination transition is a transition that is enabled only when the refinements of the current state reach a final state.
- Note that a state can have more than one refinement

Example 6.12
- Transition is both:
  - A preemptive transition
  - A reset transition
- Termination transition is taken when both of the following happen:
  - Refinement A transitions to doneA
  - Refinement B transitions to doneB
- Two refinements for the same actor.

Concurrent Composition
- Two or more FSMs react
- Synchronous composition: FSMs react simultaneously
- Asynchronous composition: FSMs react independently

Side-By-Side Synchronous Composition
- If the composition is synchronous, then both A and B react simultaneously.

Flattening the Composition
- Equivalent Flat FSM

Side-By-Side Asynchronous Composition
- Component FSMs react independently
- Semantics 1: a reaction of C is a reaction of one of A or B, where the choice is nondeterministic.
  - A and B don't react simultaneously
- Semantics 2: a reaction of C is a reaction of A, B, or both A and B, where the choice is nondeterministic.
  - Optionally neither A nor B may react

Example
- Semantics 1

Cascade Composition
- Output ports of A are connected to the input ports of B
- Type checking: the outputs of A must be in the set of acceptable inputs to B.

Synchronous Cascade
- If the composition is synchronous, then both A and B react.
- But the reaction of A precedes the reaction of B.
  - So the output of A is available as input into B.
- The programming analogy is a program which calls A. A in turn calls B on the stack and passes its output parameters as input.
- The SDF Director implements synchronous cascade of actors
  - Actors may be FSMs

Example: Synchronous Cascade
- When a is present
  - A outputs b and self-transitions
  - B outputs c and self-transitions
  - FSM remains in state (s1, s3)
- When a is absent, b is also absent
  - (s1, s3) transitions to (s2, s4)
  - Both A and B react together
  - If they didn't, one could go through (s2, s3) on the way from (s1, s3) to (s2, s4)
- (s1, s4) and (s2, s3) are unreachable from the initial state.

Example: Synchronous Cascade

Traffic Light Extended FSM
- What happens if 60 seconds go by and there is no pedestrian?
- Model is time-triggered
  - Assumes one reaction per second.
- Default transition
  - Guard: true
  - Action: none
- Initial state. Re-init count=0.

Pedestrian Light FSM
- The pedR & pedG signals control the pedestrian light
- signal sigR from the traffic light FSM
- The light stays green for 55 seconds, then goes red
- Cycle repeats after receiving sigR

Composition of two FSMs
- sigR from traffic light FSM feeds the pedestrian FSM

State Enumeration
- State = (traffic light state, pedestrian light state); there are 8 distinct states:
  - (red, red)
  - (red, green)
  - (yellow, red)
  - (yellow, green)
  - (green, red)
  - (green, green)
  - (pending, red)
  - (pending, green)
- 61 distinct values for count variable
- 56 distinct values for pcount variable
- 8x61x56 distinct states
  - How many are reachable?
- State combinations in red font are not safe and must be made unreachable by design
- What guarantees that this state is not reached?

FSM Flattening

- What guarantees that this state is not reached?
- This area is identical to previous slide.

Model Checking
- When is a design correct?
  - “A design without specification cannot be right or wrong. It can only be surprising”
- A design is correct when it meets its requirement specifications in its operating environment
- In general, running a few tests is not enough to ensure compliance with requirements
- Many real-time systems are deployed in safety-critical applications where meeting the requirements is critical

Specification & Verification
- Specification: a precise statement of the design objectives and system behavior
  - Mathematical specification in a model
  - Typically English in published specs
- Verification: does the system behave according to specification in the operating environment?

Example & Issues
- Consider the traffic light problem discussed earlier
- Show that the FSM model guarantees that pedestrians are allowed to cross only when the traffic light is red
- Two issues:
  - How do you express this property?
  - How do you prove it?

- The composition step derives a closed system from the FSM models of S and E.
- The behavior of the System S and Environment E are represented by interacting FSMs.
- Counterexample provides a trace where the property F is violated.

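An added example, not code from the lecture: explicit-state reachability over the synchronous cascade of the traffic light and pedestrian light FSMs, checking that the pedestrian light is green only while the traffic light is red. The guards and timings (60 s red, 5 s yellow, the behaviour of `pending`, both lights initially red) and the names `traffic_step`, `ped_step` and `check` are assumptions, since the slide diagrams are not reproduced in the text; `check(65)` lengthens the pedestrian green phase to show what a counterexample trace looks like.

```python
from collections import deque

def traffic_step(state, count, pedestrian):
    """One reaction (one second) of the traffic light. Returns (state, count, sigR).
    Durations and guards are assumptions; the slide's diagram is not in the text."""
    if state == "red":
        return ("green", 0, False) if count >= 60 else ("red", count + 1, False)
    if state == "green":
        if pedestrian:
            return ("yellow", 0, False) if count >= 60 else ("pending", count + 1, False)
        return ("green", min(count + 1, 60), False)  # at 60: default transition, no action
    if state == "pending":
        return ("yellow", 0, False) if count >= 60 else ("pending", count + 1, False)
    return ("red", 0, True) if count >= 5 else ("yellow", count + 1, False)  # yellow

def ped_step(state, pcount, sigR, green_secs):
    """Pedestrian light: green on sigR, red again after green_secs seconds."""
    if state == "red":
        return ("green", 0) if sigR else ("red", 0)
    return ("red", 0) if pcount >= green_secs else ("green", pcount + 1)

def check(green_secs=55):
    """Breadth-first search over the composed FSM. Returns (states_visited, trace):
    trace is None if 'pedestrian green implies traffic red' holds in every reachable
    state, else the shortest path from the initial state to a violating state."""
    init = ("red", 0, "red", 0)  # assumed initial state: both lights red
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        t, count, p, pcount = s
        if p == "green" and t != "red":  # safety property violated
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return len(parent), trace[::-1]
        for pedestrian in (False, True):  # environment input is nondeterministic
            t2, c2, sigR = traffic_step(t, count, pedestrian)
            p2, pc2 = ped_step(p, pcount, sigR, green_secs)  # cascade: same reaction
            nxt = (t2, c2, p2, pc2)
            if nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return len(parent), None

if __name__ == "__main__":
    print(check(55))                       # property holds: trace is None
    n, trace = check(65)
    print(n, trace[-1], len(trace) - 1)    # violating state and reactions needed to reach it
```

Under these assumptions only a small fraction of the 8x61x56 combinations is ever visited, which is why enumerating reachable states is practical here.
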
General Composition
- Side-by-side and cascade compositions can be combined
- Feedback loops may also be allowed

Asynchronous Compositions
- In asynchronous compositions, FSMs representing actors react independently
- Communication between actors is through exchange of messages
- Rate of message production and message consumption may not be the same
- Buffers are required to absorb differences in production/consumption rates

Firing Function & Firing Rule
- Firing function F maps a finite set of the inputs to outputs
  - It can do this….
- Firing rule f is the specification for triggering the firing function (e.g., the number of tokens)
  - But it will only do this….

Issues In Asynchronous Compositions
- Buffer overflow
  - Can the actors continue to execute indefinitely with limited number of buffers?
- Deadlock
  - Are there enough input tokens to satisfy the firing rule?
- For a general network of FSMs, these questions are undecidable
- The Synchronous Dataflow (SDF) model puts constraints on FSM to address this

The SDF Model
- SDF constraint: on firing, each FSM consumes a fixed number of tokens and produces a fixed number of tokens
- Balance equation
  - If qA*M = qB*N, where qA and qB are the rates at which A and B fire respectively, then a schedule with bounded buffers is possible

Example

Example

Example
- qA = qB
- 2qA = qC
- qB = qC
- qA = qB = qC = 0
- C consumes 2 tokens per transition but receives three tokens.

Observations
- A model that has no non-zero solution is referred to as “inconsistent”
- If a model is inconsistent, it does not have an unbounded execution with bounded buffers
- If a model is consistent, it can operate with a bounded buffer
  - But there is no guarantee of unbounded execution (i.e., executing indefinitely)
  - There could be deadlock

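An added example, not code from the lecture: solving the SDF balance equations for a graph and then trying to fire one full iteration, which separates the two cases above (inconsistent, and consistent but deadlocked). The edge encoding `(src, produced, dst, consumed)`, the function names, and the `PIPE` and `LOOP` graphs are constructed for illustration; `SLIDE` uses edge rates chosen to reproduce the three equations qA = qB, 2qA = qC, qB = qC.

```python
from fractions import Fraction
from math import gcd, lcm  # multi-argument forms need Python 3.9+

def repetition_vector(actors, edges):
    """edges are (src, produced, dst, consumed). Solve q[src]*produced == q[dst]*consumed
    on every edge; return the smallest positive integer q, or None if only q = 0 works.
    Assumes the graph is connected."""
    q = {actors[0]: Fraction(1)}
    changed = True
    while changed:
        changed = False
        for src, m, dst, n in edges:
            if src in q and dst not in q:
                q[dst], changed = q[src] * m / n, True
            elif dst in q and src not in q:
                q[src], changed = q[dst] * n / m, True
            elif src in q and dst in q and q[src] * m != q[dst] * n:
                return None  # balance equations contradict each other: inconsistent
    scale = lcm(*(f.denominator for f in q.values()))
    ints = {a: int(f * scale) for a, f in q.items()}
    g = gcd(*ints.values())
    return {a: v // g for a, v in ints.items()}

def one_iteration(edges, q, initial=None):
    """Fire every actor q[actor] times, if possible. initial maps edge index to
    tokens already in that buffer. Returns the firing order, or None on deadlock."""
    buf = [(initial or {}).get(i, 0) for i in range(len(edges))]
    left, order = dict(q), []
    while any(left.values()):
        for a in left:
            if left[a] and all(buf[i] >= n for i, (_, _, d, n) in enumerate(edges) if d == a):
                for i, (s, m, d, n) in enumerate(edges):
                    buf[i] += (m if s == a else 0) - (n if d == a else 0)
                left[a] -= 1
                order.append(a)
                break
        else:
            return None  # firing rule unmet for every remaining actor: deadlock
    return order

SLIDE = [("A", 1, "B", 1), ("A", 2, "C", 1), ("B", 1, "C", 1)]  # the slide's equations
PIPE = [("A", 2, "B", 3)]                                       # constructed: 2qA = 3qB
LOOP = [("A", 1, "B", 1), ("B", 1, "A", 1)]                     # constructed feedback loop

if __name__ == "__main__":
    print(repetition_vector(["A", "B", "C"], SLIDE))      # inconsistent
    q = repetition_vector(["A", "B"], PIPE)
    print(q, one_iteration(PIPE, q))                      # consistent, schedulable
    q = repetition_vector(["A", "B"], LOOP)
    print(q, one_iteration(LOOP, q), one_iteration(LOOP, q, {1: 1}))
```

The feedback loop is consistent yet deadlocks until one initial token is placed on the B-to-A edge.
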
Example