CPE555A: Real-Time Embedded Systems, Lecture 11. Ali Zaringhalam, Stevens Institute of Technology, Fall 2015.
Outline
- Extended FSM
- Non-deterministic FSM
- Hierarchical FSM
- Transition Types
Example
- Reference: Claudius Ptolemaeus, Editor: Introduction to Embedded Systems,
- High water-mark: 22
- Low water-mark: 18
Thermostat Model
- Input: ambient temperature of environment.
- Output: heats or cools the environment.
- Model parameters:
  - Temperature increase per unit time as a result of heating.
  - Temperature decrease per unit time when heater is not on.
Other Issues
- How do you drive the thermostat model? Modeling input side.
- How do you test it? Viewing the response/output.
Driver, Input & Output
- Drives scheduling by generating a periodic timing signal. All model components react to the periodic signal.
- Models temperature behavior in the environment.
- Displays temperature.
- Displays heating/cooling response.
Modeling Temperature Behavior
Default Transition
- A default transition is enabled if:
  - No non-default transition is enabled.
  - There is either no guard or the guard evaluates to true.
- When is the default transition enabled?
- Alternatively we can define an ordinary transition with guard = !(up & !down), which is the complement of the (up & !down) transition.
- A default transition has a lower priority than an ordinary transition. It is like the default case in the switch/case statement in C. If the guards in both an ordinary and the default transition evaluate to TRUE, the ordinary transition wins and is taken.
Default Transition Example
- Default is when T < heatOffThreshold
- Default is when T > heatOnThreshold
Formal Description
- States: (0, 1), with s(0) = cooling and s(1) = heating
- InitialState = 0
- Input: temperature T
- Output: heatOn -> {present, absent}, heatOff -> {present, absent}
- Update(s, T):
  - Update(0, T) = (1, heatOn) if T <= 18
  - Update(1, T) = (0, heatOff) if T >= 22
Garage Counter Example
- The notation here is a bit awkward because the parameter M may be large.
Extended State Machine
- An extended state machine augments the FSM model with variables that can be read or written.
- What is the size of the state space?
- The count variable is incremented only AFTER the guard has been evaluated and the output generated.
Number of States
- For an extended state machine with n discrete states (bubbles) and m variables, each with p possible values: number of states = $n \times p^m$.
- In general an extended state machine may not be a finite state machine. Example: an extended variable is a real number.
Notation for Extended FSM
- Make explicit declarations of variables, inputs and outputs.
- A set action may alter variables of the extended FSM.
- The actions on variables are taken only AFTER the guard has been evaluated and the output generated.
FSM Structure
- FSM consists of a set of states and transitions
- One initial state
- Any number of final states (0-N)
- Guard expressions gating transitions
- Any number of output actions
- Any number of set actions for extended variables
FSM Operation - 1
- Firing phase operations:
  - Read inputs.
  - Evaluate guards on outgoing transitions of the current state.
  - Choose a transition whose guard evaluates to true.
  - Execute the output actions on the chosen transition, if any.
FSM Operation - 2
- Post-fire operations:
  - Execute the set actions of the chosen transition, which determines the values of extended variables.
  - Change the current state to the destination of the chosen transition.
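The fire and post-fire phases above, together with the default-transition priority rule, can be exercised with a small interpreter. This is an added example, not code from the lecture or from Ptolemy; the garage counter's guards, the variable name `c`, the output name `count` and the capacity `M = 2` are assumptions, since the slide's diagram is not reproduced on this page.

```python
from dataclasses import dataclass
from typing import Callable, Optional

M = 2  # constructed garage capacity, kept small so the limit is hit quickly

@dataclass
class Transition:
    src: str
    dst: str
    guard: Callable[[dict, dict], bool]                     # guard(inputs, variables)
    output: Optional[Callable[[dict, dict], dict]] = None   # output action
    set_action: Optional[Callable[[dict, dict], dict]] = None
    default: bool = False

class ExtendedFSM:
    def __init__(self, initial, variables, transitions):
        self.state = initial
        self.vars = dict(variables)
        self.transitions = transitions
        self._chosen = None
        self._inputs = {}

    def fire(self, inputs):
        """Firing phase: read inputs, evaluate guards, choose, emit outputs."""
        enabled = [t for t in self.transitions
                   if t.src == self.state and t.guard(inputs, self.vars)]
        ordinary = [t for t in enabled if not t.default]
        # A default transition is taken only when no ordinary one is enabled.
        candidates = ordinary or enabled
        self._chosen = candidates[0] if candidates else None
        self._inputs = inputs
        if self._chosen and self._chosen.output:
            return self._chosen.output(inputs, self.vars)
        return {}

    def postfire(self):
        """Post-fire phase: run set actions, then commit the new state."""
        t = self._chosen
        if t is None:
            return
        if t.set_action:
            self.vars.update(t.set_action(self._inputs, self.vars))
        self.state = t.dst

def garage_counter():
    # Assumed guards: count up below M, count down above 0, otherwise default.
    up = lambda i, v: i.get("up") and not i.get("down") and v["c"] < M
    down = lambda i, v: i.get("down") and not i.get("up") and v["c"] > 0
    return ExtendedFSM("counting", {"c": 0}, [
        Transition("counting", "counting", up,
                   lambda i, v: {"count": v["c"] + 1}, lambda i, v: {"c": v["c"] + 1}),
        Transition("counting", "counting", down,
                   lambda i, v: {"count": v["c"] - 1}, lambda i, v: {"c": v["c"] - 1}),
        Transition("counting", "counting", lambda i, v: True, default=True),
    ])

def run(fsm, input_trace):
    outputs = []
    for inputs in input_trace:
        outputs.append(fsm.fire(inputs))   # outputs computed from the old variables
        fsm.postfire()                     # variables and state change only here
    return outputs

# Constructed input trace: three arrivals, a simultaneous up/down, one departure.
TRACE = [{"up": True}, {"up": True}, {"up": True},
         {"up": True, "down": True}, {"down": True}]
```

Calling `fire` without `postfire` leaves `c` unchanged, which is the ordering the slides insist on: the output is generated from the old value, and the variable is written afterwards.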
Deterministic FSM
- A state machine is said to be deterministic if, for each state, there is at most one transition enabled by each input value.
- The update function is a 1-1 mapping.
Non-Deterministic FSM
- If, for each state, more than one transition is enabled by an input value, the FSM is said to be non-deterministic.
- The update function is a 1-many mapping.
- In the heating state both red transitions fire on any input.
- The update function of a non-deterministic FSM has a 1-many mapping between (state, inputs) -> (state, output). It is useful to think of it as a multi-valued function.
Example: Non-Deterministic FSM
Non-Deterministic FSM Model
- In a nondeterministic FSM, if more than one transition is enabled and they are all marked nondeterministic, then one is chosen in the fire phase based on some environment criteria.
- In this model the SDF director picks a transition at random.
- The selection criteria are not part of the FSM specification, which only models that both transitions are possible.
Example
Traffic Light Extended FSM
- Model is time-triggered. Assumes one reaction per second.
- Default transition. Guard: true. Action: increment count.
- Re-init count=0.
- Initial state.
- What happens if 60 seconds go by and there is no pedestrian?
- The output signals (sigG/sigY/sigR) are used to drive the pedestrian light controller (see later slides).
Stuttering & Receptiveness
- A stuttering reaction is one where the inputs (other than the clock tick) and outputs are all absent and the machine does not change state.
  - No progress is made and nothing changes.
  - In the “green” state, the FSM stutters after 60 seconds and no pedestrian arrival.
- Receptiveness: in a receptive FSM, for each state, there is at least one transition possible on each input symbol.
  - Even in the stuttering “green” state, the FSM transitions when a pedestrian arrives.
  - So the FSM is receptive.
Modeling the Environment With Non-Deterministic FSM
- This non-deterministic state machine can be used to model the environment for the pedestrian input/output interaction.
- Initial state is “crossing”. The initial state of the traffic light controller is “red”. So there is consistency.
- In the “none” state the guards on both transitions are enabled.
  - The model doesn’t say which is taken. It just says that both transitions are possible.
  - You can add your own recipe for deciding which transition is taken.
  - Typically one is picked at random based on some probability distribution.
- In the “none” state there is no pedestrian present. At every clock tick, the model simulates the presence/absence of a pedestrian in a non-deterministic fashion.
- These inputs come from the traffic light controller FSM.
Non-Deterministic FSM as a Specification Tool
- Modeling unknown aspects of the environment. Example: pedestrian crossing event.
- Hiding details in the specification of a system.
- Example specification:
  - Transition Red -> Green -> Yellow -> Red in this order.
  - The model doesn’t say anything about timing.
  - Note that transitions other than in Green -> Yellow -> Red -> Green order are not allowed.
- Requirement on the sequential behavior of the traffic light controller: Red => Green => Yellow => Red => Green => ...
- The actual traffic controller FSM we just saw meets this specification.
Behaviors & Traces
- FSM behavior consists of a sequence of steps.
- A trace is the record of inputs, outputs and states in a behavior.
- A computation tree is a graphical representation of all possible traces.
- FSMs are suitable for formal analysis of system behavior, such as reachability of unsafe states.
- Is there a transition from yellow -> green? This can be verified with a verification tool against the specification.
Non-Deterministic Behavior
- For a fixed input sequence:
  - A deterministic FSM exhibits a single behavior.
  - A non-deterministic FSM exhibits a set of behaviors visualized as a computation tree.
Counter Example 6.4
Counter Example 6.4
- SDF: Synchronous Data Flow. SDF orchestrates flow of data.
- After final state is reached, the postfire action returns “false” and the director terminates execution of ALL actors (not just the one that moved to the final state).
- Model is similar to a “for” loop with a finite number of iterations. In each iteration, each actor in the flow sequence is invoked with data-in and data-out.
Example 6.5
Example 6.5
- SR: Synchronous Reactive. Manages periodic events which may or may not be accompanied by data, so FSM can react to absence of data as well.
- After final state is reached, the postfire action returns “false” and the director terminates execution of this actor but continues to execute other actors.
- Model is similar to a polling thread. Periodically, the input is polled and an action is taken depending on presence/absence of input.
- When there is no data (i.e., input is absent), FSM can react as well.
- The NonStrictDisplay displays “absent” when there is no input. A normal display will display nothing.
- Notice that unlike in the SDF case, there is no input into the FSMActor. The FSM fires each time there is a clock input from the SR director.
- Both FSMActor & Display actors are fired in each cycle.
Example 6.7
Example 6.7
- With SR Director, actors respond to both presence and absence of input.
- p_isPresent is supported by the environment for input p. True if there is a token at port p.
- False only if:
  - Reset_isPresent = True
  - Reset = True
Simplification With Default Transitions
- Must separately test for:
  - Presence/absence of reset signal
  - Value of the reset signal (0/1)
Immediate Transition
- If a state A has an immediate transition to another state B, then that transition will be taken in the same firing as a transition into state A if the guard on the immediate transition is true.
- The transition into and out of A will occur in the same firing.
- A is called a transient state.
- Figure labels: immediate transition; transient state.
Example 6.9
- Immediate transition.
- Figure labels: Reset, Final, Reset.
- No absent output into display until termination.
Simplifying FSM Description
- We can use default, immediate and non-deterministic behavior to simplify FSM modeling.
Two Solutions
- Brute-force deterministic solution
- Simplified non-deterministic solution with default and immediate transitions
Brute Force Solution
A Better Solution
- Why make these transitions non-deterministic?
The refinement of a state is another nested FSM.
- The outer FSM is in state B if the refinement of B is in either C or D.
- Hierarchy supports code reuse.
- Existing FSM can be nested into a higher-level FSM.
FSM Flattening & Depth-First Semantics
- g2=true causes A -> B = {C | D}
- Two ways to exit C:
  - g1=true causes C->A
  - g4=true causes C->D
- What happens if both g1=true and g4=true? Different semantics are possible and used in different FSM models.
- Depth-first semantic: deepest refinement reacts first, followed by the container FSM.
- Consider what happens when g1=true AND g4=true. Note that when g4 = true AND g1 = true, C does NOT transition to D but both outputs a4 and a1 are generated.
- C->D followed by D->A are logically simultaneous.
- Figure labels: initial state; initial state of refinement. Will talk about significance of arrowhead shortly.
Order of Operations & Conflicts
- The innermost output a4 happens before a1.
- If they conflict the outer output overrides the inner output.
Red originating circle in the arrow indicates preemptive transition. With preemptive transitions, the ambiguity of conflicting outputs goes away.
Full arrowhead indicates History transition.
You must track all four possible states: (A,C), (A,D), (B,C) and (B,D).
Empty arrowhead indicates Reset transition.
FSM Flattening & Depth-First Semantics
- g2=true causes A -> B = {C | D}
- Two ways to exit C:
  - g1=true causes C->A
  - g4=true causes C->D
- What happens if both g1=true and g4=true? Different semantics are possible and used.
- Depth-first semantic: deepest refinement reacts first, followed by the container FSM.
- Consider what happens when g1=true AND g4=true.
- Empty arrowhead indicates Reset transition.
- With a reset transition, you do not have to track all four possible states: (A,C), (A,D), (B,C) and (B,D). Transition from A -> B will always start in C.
Ptolemy & Text Symbols
- In Ptolemy: full arrowhead stands for reset transition; history transition is indicated by an H at the arrowhead.
- Text symbols: empty arrowhead indicates Reset transition; full arrowhead indicates History transition.
Example 6.11
Hierarchical Model - 1
- The self transition from faulty back to itself is a history transition because its purpose is only to count iterations, not to interfere with the execution of the refinement, which is to output heating/cooling rate.
Hierarchical Model - 2
Termination Transition
- A termination transition is a transition that is enabled only when the refinements of the current state reach a final state.
- Note that a state can have more than one refinement.
Example 6.12
- Termination transition is taken when:
  - Refinement A transitions to doneA
  - Refinement B transitions to doneB
- Two refinements for the same actor.
- Transition is both:
  - A preemptive transition
  - A reset transition
Concurrent Composition
- Two or more FSMs react.
- Synchronous composition: FSMs react simultaneously.
- Asynchronous composition: FSMs react independently.
Side-By-Side Synchronous Composition
- If the composition is synchronous, then both A and B react simultaneously.
Flattening the Composition
- Equivalent Flat FSM
Side-By-Side Asynchronous Composition
- Component FSMs react independently.
- Semantics 1: a reaction of C is a reaction of one of A or B, where the choice is nondeterministic. A and B don’t react simultaneously.
- Semantics 2: a reaction of C is a reaction of A, B, or both A and B, where the choice is nondeterministic. Optionally neither A nor B may react.
Example
- Semantics 1
Cascade Composition
- Output ports of A are connected to the input ports of B.
- Type checking: the outputs of A must be in the set of acceptable inputs to B.
Synchronous Cascade
- If the composition is synchronous, then both A and B react. But the reaction of A precedes the reaction of B, so the output of A is available as input into B.
- Programming analogy is a program which calls A. A in turn calls B on the stack and passes its output parameters as input.
- The SDF Director implements synchronous cascade of actors. Actors may be FSMs.
Example: Synchronous Cascade
- When a is present:
  - A outputs b & self-transitions.
  - B outputs c and self-transitions.
  - FSM remains in state (s1, s3).
- When a is absent, b is also absent:
  - (s1, s3) transitions to (s2, s4).
  - Both A and B react together.
  - If they didn’t, one could go through (s2, s3) on the way from (s1, s3) to (s2, s4).
- (s1, s4) and (s2, s3) are unreachable from the init state.
Example: Synchronous Cascade
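The reachability claim in this example can be checked mechanically by enumerating the composite states. The following is an added example, not part of the lecture material: the rows for s1 and s3 follow the slide, while the behavior of s2 and s4 (absorbing, no output) and the "staggered" model in which A and B react in separate steps are assumptions made for the comparison.

```python
# Transition tables: (state, input_present) -> (next_state, output_present).
# Rows for s1 and s3 follow the slide; s2 and s4 are assumed to be absorbing.
A = {("s1", True): ("s1", True), ("s1", False): ("s2", False),
     ("s2", True): ("s2", False), ("s2", False): ("s2", False)}
B = {("s3", True): ("s3", True), ("s3", False): ("s4", False),
     ("s4", True): ("s4", False), ("s4", False): ("s4", False)}

# Composite states the slide lists as unreachable from the initial state.
UNREACHABLE_PER_SLIDE = {("s1", "s4"), ("s2", "s3")}


def reachable(init, successors):
    """Explore every state reachable from init under the successor function."""
    seen, todo = {init}, [init]
    while todo:
        state = todo.pop()
        for nxt in successors(state):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def sync_successors(state):
    """Synchronous cascade: A reacts, and B sees A's output in the same reaction."""
    sa, sb = state
    result = []
    for a in (True, False):          # the environment may or may not supply a
        next_a, b = A[(sa, a)]
        next_b, _c = B[(sb, b)]
        result.append((next_a, next_b))
    return result


def staggered_successors(state):
    """Assumed non-synchronous variant: A reacts in one step and latches b on
    the wire; B consumes it in the next step, so intermediate pairs are visible."""
    sa, sb, wire = state
    if wire is None:                 # A's turn
        return [(A[(sa, a)][0], sb, A[(sa, a)][1]) for a in (True, False)]
    next_b, _c = B[(sb, wire)]       # B's turn, using the latched value of b
    return [(sa, next_b, None)]


def sync_reachable():
    return reachable(("s1", "s3"), sync_successors)


def staggered_reachable():
    states = reachable(("s1", "s3", None), staggered_successors)
    return {(sa, sb) for sa, sb, _wire in states}
```

Under the synchronous semantics only (s1, s3) and (s2, s4) are reachable; under the staggered variant (s2, s3) appears as an intermediate state, which is the situation the slide warns about.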
Traffic Light Extended FSM
- Model is time-triggered. Assumes one reaction per second.
- Default transition. Guard: true. Action: none.
- Re-init count=0.
- Initial state.
- What happens if 60 seconds go by and there is no pedestrian?
Pedestrian Light FSM
- The pedR & pedG signals control the pedestrian light.
- Signal sigR from the traffic light FSM.
- The light stays green for 55 seconds, then goes red.
- Cycle repeats after receiving sigR.
Composition of two FSMs
- sigR from traffic light FSM feeds the pedestrian FSM.
State Enumeration
- State = (traffic light state, pedestrian light state)
- (red, red), (red, green), (yellow, red), (yellow, green), (green, red), (green, green), (pending, red), (pending, green)
- 61 distinct values for count variable
- 56 distinct values for pcount variable
- 8x61x56 distinct states. How many are reachable?
- What guarantees that this state is not reached?
- State combinations in red font are not safe and must be made unreachable by design.
FSM Flattening
- What guarantees that this state is not reached?
- This area is identical to previous slide.
General Composition
- Side-by-side and cascade compositions can be combined.
- Feedback loops may also be allowed.
Asynchronous Compositions
- In asynchronous compositions, FSMs representing actors react independently.
- Communication between actors is through exchange of messages.
- Rate of message production and message consumption may not be the same.
- Buffers are required to absorb differences in production/consumption rates.
Firing Function & Firing Rule
- Firing function F maps a finite set of the inputs to outputs. It can do this….
- Firing rule f is the specification for triggering the firing function (e.g., the number of tokens). But it will only do this….
Issues In Asynchronous Compositions
- Buffer overflow: can the actors continue to execute indefinitely with limited number of buffers?
- Deadlock: are there enough input tokens to satisfy the firing rule?
- For a general network of FSMs, these questions are undecidable.
- The Synchronous Dataflow (SDF) model puts constraints on FSM to address this.
The SDF Model
- On firing, each FSM consumes a fixed number of tokens and produces a fixed number of tokens.
- Balance equation: if $q_A \cdot M = q_B \cdot N$, where $q_A$ and $q_B$ are the rates at which A and B fire respectively, then a schedule with bounded buffers is possible.
Example
Example
Example
- $q_A = q_B$, $2q_A = q_C$, $q_B = q_C$
- $q_A = q_B = q_C = 0$
- C consumes 2 tokens per transition but receives three tokens.
Observations
- A model that has no non-zero solution is referred to as “inconsistent”.
- If a model is inconsistent, it does not have an unbounded execution with bounded buffers.
- If a model is consistent, it can operate with a bounded buffer.
  - But there is no guarantee of unbounded execution (i.e., executing indefinitely).
  - There could be deadlock.
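The consistency and deadlock observations above can be checked by solving the balance equations and then trying to schedule one iteration. This is an added example, not code from the lecture or from Ptolemy; it reads M and N in the balance equation as tokens produced per firing of A and consumed per firing of B, which the slide does not spell out, and all graphs other than the slide's three-actor example are constructed.

```python
from collections import deque
from fractions import Fraction
from functools import reduce
from math import gcd

# Edge format: (producer, tokens produced per firing,
#               consumer, tokens consumed per firing, initial tokens on the edge)

def repetition_vector(actors, edges):
    """Smallest positive integer firing counts q with q[src]*produced ==
    q[dst]*consumed on every edge, or None if only q = 0 works (inconsistent).
    The actor graph is assumed to be connected."""
    q = {actors[0]: Fraction(1)}
    todo = deque([actors[0]])
    while todo:
        a = todo.popleft()
        for src, prod, dst, cons, _ in edges:
            if src == a and dst not in q:
                q[dst] = q[a] * prod / cons
                todo.append(dst)
            elif dst == a and src not in q:
                q[src] = q[a] * cons / prod
                todo.append(src)
    if len(q) != len(actors):
        raise ValueError("actor graph must be connected")
    if any(q[s] * p != q[d] * c for s, p, d, c, _ in edges):
        return None                      # some balance equation cannot hold
    scale = reduce(lambda x, y: x * y // gcd(x, y),
                   (f.denominator for f in q.values()))
    return {a: int(f * scale) for a, f in q.items()}

def one_iteration(edges, q):
    """Fire actors until each has fired q[actor] times, obeying the firing rule
    (enough tokens on every input edge). Returns (schedule, peak tokens per
    edge), or None if no actor can fire before the iteration completes."""
    tokens = [init for *_, init in edges]
    peak = list(tokens)
    left = dict(q)
    schedule = []
    while any(left.values()):
        for actor in left:
            ready = left[actor] > 0 and all(
                tokens[i] >= c for i, (_, _, d, c, _) in enumerate(edges) if d == actor)
            if ready:
                break
        else:
            return None                  # deadlock: firing rule never satisfied
        for i, (s, p, d, c, _) in enumerate(edges):
            if d == actor:
                tokens[i] -= c
            if s == actor:
                tokens[i] += p
                peak[i] = max(peak[i], tokens[i])
        left[actor] -= 1
        schedule.append(actor)
    return schedule, peak

# Rates read off the slide's balance equations q_A = q_B, 2 q_A = q_C, q_B = q_C.
SLIDE_EXAMPLE = [("A", 1, "B", 1, 0), ("A", 2, "C", 1, 0), ("B", 1, "C", 1, 0)]
# Constructed graphs: a consistent chain, and a feedback loop with and without
# an initial token on the return edge.
CHAIN = [("A", 2, "B", 3, 0), ("B", 1, "C", 2, 0)]
LOOP_NO_TOKEN = [("A", 1, "B", 1, 0), ("B", 1, "A", 1, 0)]
LOOP_ONE_TOKEN = [("A", 1, "B", 1, 0), ("B", 1, "A", 1, 1)]
```

The slide's graph yields `None` (inconsistent), the chain yields a bounded schedule, and the token-free loop is consistent yet deadlocks, matching the last two observations.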
Example