
Slide 1
Advanced Embedded Systems
Lecture 3: Specification Languages

Slide 2
1. StateCharts
- Introduced in 1987 by David Harel.
- Based on the shared memory concept of communication.
- State diagrams are a classical method for describing the behavior of finite state machines (FSMs); an example:
Short description:
- Circles indicate states.
- At any time, a deterministic FSM can be in only one of its states.
- Edges indicate transitions, and edge labels denote events.
- If an event happens, the FSM goes to the state pointed to by the edge.
- An FSM may also generate output.

Slide 3
- StateCharts is a language for describing complex systems; for that purpose, the concept of hierarchy was introduced by means of super-states.
- A super-state is a state comprising other states; states included in super-states are called sub-states.
- A StateCharts example (a hierarchical form of the preceding example):
- Super-state S contains states A, B, C, D and E.
- If the FSM is in state Z and receives input m, it passes to state A.
- If the FSM is in state S (meaning state A, B, C, D or E) and receives input k, it passes to state Z.
- Sub-states of S can also be super-states.

Slide 4
- Each state that is not composed of other states is called a basic state; for each basic state S, the super-states containing S are called ancestor states.
- The FSM of the figure can be in only one of the sub-states of super-state S at any time; such super-states are called OR-super-states.
- The figure shows that a compact representation of exceptions can be obtained using the hierarchy concept.
- StateCharts allows a hierarchical description of systems. The description can be represented by a tree:
  - The root of the tree corresponds to the system as a whole.
  - All inner nodes correspond to hierarchical descriptions (super-nodes).
  - The leaves of the hierarchy are non-hierarchical descriptions.
- Until now, a transition was explicitly represented by an edge, thus showing all the internal structure; no change can be further made.
- If the internal structure must be hidden, more mechanisms are necessary for indicating the next state.

Slide 5
- Default state mechanism: it indicates, in super-states, the particular sub-state that will be entered if the super-state is entered.
- History mechanism: with it, it is possible to return to the last sub-state that was active before a super-state was left.

Slide 6
- The two mechanisms can be combined, as shown in the preceding figure.
- The behavior of the FSM is: if it is in state Z and receives input m, it enters state A if this is the first time S is entered, and otherwise the last state it was in.
- An application of this combined mechanism is the behavior of the FSM in case of an exception: k can be an exception, and input m is used for returning to the state that was active before the exception was generated. States A, …, E can view state Z as a procedure that can be called; after executing the procedure, control returns to the calling state.
- Specification techniques must also be able to describe concurrency.
- For that, StateCharts provides a second class of super-states, the AND-super-states.
- A super-state S is called an AND-super-state if the system containing S is in all of the sub-states of S whenever it is in S.

Slide 7
- An example with AND-super-states is in the next figure:
- An answering machine performs two tasks concurrently: it monitors the line for incoming calls and the keys for user input.
- In the figure, the corresponding states are Lwait and Kwait; incoming calls are processed in state Lproc and the response to pressed keys is generated in state Kproc.
- It is assumed that the on/off switch, generating events key-off and key-on, is decoded separately and that pushing it does not result in entering Kproc. If this switch is pushed, both the line monitoring and the key monitoring states are left, and they are reentered only when the machine is switched on; the default states Lwait and Kwait are then entered.

Slide 8
- StateCharts provides timers; they are necessary for modeling time. The symbol is shown in the next figure:
- After the system has been in the state containing the timer for the specified period, a time-out occurs and the system leaves the specified state.
- Timers can be used hierarchically, for example to describe the behavior of state Lproc; the figure shows a possible behavior of that state:
- State Lproc is terminated when the caller hangs up; but if the callee hangs up first, the phone is dead until the caller also hangs up.

Slide 9
- An FSM can also generate outputs. Edge labels are used for that; the general form is "event [condition] / reaction", and all three parts are optional.
- The reaction part describes the reaction of the FSM to a state transition; reactions can be the generation of events or assignments to variables.
- The condition part is a test of the values of variables or a test of the current state of the system.
- The event part is a test of current events. Events are generated internally or externally: internal events are generated as a result of some transition and are described in reaction parts; external events are usually described in the model environment.
Examples:
- off-key [not in Lproc] / on := 0 shows an event test, a condition test for a state, and a variable assignment; the assignment is done if the event has occurred and the condition is true.

Slide 10
- [on = 1] is a condition test for a variable value.
- The semantics of edge labels can be explained in the context of the semantics of StateCharts.
- In an implementation of StateCharts (called StateMate), a StateChart description is executed in steps; each step has 3 phases:
  - Phase 1: the effect of external changes on conditions and events is evaluated; this includes the evaluation of functions that depend on external events. There are no state changes in this phase. Phase 1 is not needed in simple cases.
  - Phase 2: the set of transitions that should be made in the current step is calculated; variable assignments are evaluated, but the new values are assigned only to temporary variables.
  - Phase 3: state transitions are executed and variables obtain their new values.
- The separation into phases 2 and 3 is important in order to guarantee a deterministic and reproducible behavior of StateCharts models; the next figure shows an example of this behavior:

Slide 11
- Due to the separation into 2 phases, temporary variables, say a' and b', hold the new values for a and b; in the final phase, the temporary variables are copied into the user-defined variables:
  - phase 2: a' := b; b' := a;
  - phase 3: a := a'; b := b';
- The consequence is that the 2 variables are swapped each time an event e happens; in hardware, this is similar to two cross-connected registers:

Slide 12
- Without the separation into 2 phases, the result would depend on the sequence in which the assignments are performed or, in hardware, on the delays of the 2 registers.
- The separation into phases is typical for languages that reflect the operation of synchronous hardware.
- The 3 phases are executed for each step; steps are executed each time events or variables have changed.
- The set of all values of variables, together with the set of events generated and the current time, is defined as the status of a StateCharts model; after executing the third phase, a new status is obtained.
- The visibility of events is limited to the step following the one in which they are generated.
- Thus events behave like single-bit values that are stored in permanently enabled registers at one clock and have an effect on the values stored at the next clock; their life is limited.
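The step semantics of slides 10 to 12, as an added example that is not part of the lecture or of StateMate: a small executor that computes reactions into temporaries (phase 2), commits them (phase 3) and keeps generated events visible for one following step only. The component names, the `swapped` event and the counter `n` are constructed for illustration, and phase 1 is omitted as in the simple case.

```python
from dataclasses import dataclass

@dataclass
class Edge:
    source: str
    target: str
    event: str                # event part of "event [condition] / reaction"
    reaction: dict            # variable -> function(old values) -> new value
    condition: object = None  # optional predicate over the old values
    emits: tuple = ()         # internal events generated by the reaction

@dataclass
class Status:
    states: dict                     # concurrent component -> current state
    variables: dict
    events: frozenset = frozenset()  # events generated by the previous step

def step(edges, status, external=frozenset()):
    """One step: phase 2 fills temporaries, phase 3 commits them."""
    visible = status.events | frozenset(external)
    old = status.variables
    new_states, temp, emitted = {}, {}, set()
    # Phase 2: select transitions, evaluate reactions against OLD values only.
    for comp, state in status.states.items():
        for edge in edges[comp]:
            if (edge.source == state and edge.event in visible
                    and (edge.condition is None or edge.condition(old))):
                new_states[comp] = edge.target
                for var, fn in edge.reaction.items():
                    temp[var] = fn(old)
                emitted.update(edge.emits)
                break
    # Phase 3: execute the state changes and copy temporaries into variables.
    return Status({**status.states, **new_states}, {**old, **temp},
                  frozenset(emitted))

def sequential_step(edges, status, external, order):
    """Contrast case without phases: each assignment takes effect at once."""
    variables = dict(status.variables)
    for comp in order:
        for edge in edges[comp]:
            if edge.source == status.states[comp] and edge.event in external:
                for var, fn in edge.reaction.items():
                    variables[var] = fn(variables)
                break
    return variables

# Constructed model: two parallel components swap a and b on event e; a third
# counts the internal event "swapped" while the condition [n < 3] holds.
EDGES = {
    "left":  [Edge("L", "L", "e", {"a": lambda v: v["b"]}, emits=("swapped",))],
    "right": [Edge("R", "R", "e", {"b": lambda v: v["a"]})],
    "watch": [Edge("W", "W", "swapped", {"n": lambda v: v["n"] + 1},
                   condition=lambda v: v["n"] < 3)],
}
S0 = Status({"left": "L", "right": "R", "watch": "W"}, {"a": 1, "b": 2, "n": 0})

if __name__ == "__main__":
    s1 = step(EDGES, S0, {"e"})
    s2 = step(EDGES, s1)
    print(s1.variables, sorted(s1.events))
    print(s2.variables, sorted(s2.events))
    print(sequential_step(EDGES, S0, {"e"}, ["left", "right"]))
    print(sequential_step(EDGES, S0, {"e"}, ["right", "left"]))
```

The two `sequential_step` calls give different results for the same input, which is the order dependence that the phase separation removes.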

Slide 13
- In contrast, variables keep their value until a reassignment takes place.
- New values of variables are visible to all parts of the model from the step following the step in which the assignment was made. This means that StateCharts semantics implies that new values of variables are propagated to all parts of the model between 2 steps; this is a broadcast mechanism for updates of variables.
- In distributed systems it is very difficult to update all variables between two steps, and that is why StateCharts is not appropriate for modeling distributed systems.
Advantages and disadvantages of StateCharts:
- It is appropriate for modeling local systems.
- Hierarchies can be nested at different levels, combined with the existence of AND- and OR-states.
- There are commercial tools based on StateCharts: StateMate, BetterState. They provide a complete path from StateCharts specifications to hardware; some of the tools can translate StateCharts descriptions into equivalent C or VHDL programs.

Slide 14
- Frequently low efficiency of the automatic translation.
- Does not include descriptions of non-functional behavior.
- It is not object oriented.
- Cannot describe hardware structures.
2. General language characteristics
The languages can be compared through some characteristics:
- The use of non-standard I/O devices;
- Synchronism or asynchronism;
- Process concepts;
- Synchronization and communication;
- Timing specification.
The use of non-standard I/O devices
- Some languages can directly control the I/O devices, e.g. ADA and assembler; all I/O operations can be programmed, and memories can also be accessed directly through their addresses.
- StateCharts does not support direct access to I/O devices, but commercial implementations have this feature.

Slide 15
Synchronism and asynchronism
- In some languages based on FSMs (ADA, Java), the order in which executable processes are executed is not specified (they are non-deterministic); this can affect the result, and negative consequences can arise.
- The non-determinism is avoided with synchronous languages.
- They describe concurrently operating automata in such a way that, if automata are in parallel, a transition of the product means the simultaneous transitions of all the parts in parallel.
- It is similar to considering a single global clock for all the parts: at each pulse, all inputs are considered and transitions are made to the new states. A fast broadcast mechanism is necessary for all parts.
- This is an idealistic view of concurrency, but it has the advantage of guaranteeing a deterministic behavior.
- In the general model of FSMs, each FSM has its own clock; restriction;
- Because of the single clock model, synchronous languages are difficult to use in distributed systems.
- Examples of synchronous languages: Esterel, StateCharts.

Slide 16
Process concepts
- The process concepts in programming languages can be compared according to:
  - Static or dynamic number of processes: a static number of processes simplifies the implementation and is enough if each process models a hardware block and there is no dynamic change of the hardware.
  - Nested or same-level processes:
    - Nested: process { process { } }
    - Same level: process { } process { }
  - Process creation: there are different techniques: process declaration in the source code, the fork and join mechanism, and explicit process creation calls.
- StateCharts has static, nested processes, and process creation results from an elaboration of the source code.

Slide 17
Synchronization and communication:
- 2 communication paradigms: shared memory and message passing.
- Shared memory:
  - All variables can be accessed from all processes; requires physically common memory; can be fast.
  - Reads from the shared memory can be free, but for writing, exclusive access to the memory must be guaranteed; segments of code for which exclusive access must be guaranteed are called critical sections.
  - There are several mechanisms for guaranteeing exclusive access to resources: semaphores, monitors, conditional critical regions etc.
- Message passing:
  - Is slower than shared memory; does not require physically common memory.
  - There are 3 techniques for implementation:
    - Asynchronous message passing, also called non-blocking communication;
    - Synchronous message passing, also called blocking communication or rendez-vous communication;
    - Extended rendez-vous or remote invocation: the transmitter is allowed to send the message only after an acknowledgement from the receiver.

Slide 18
Timing specification: 4 types of specifications concerning time:
- Measurement of elapsed time: shows how much time has elapsed since the last call; timers are needed.
- Delay of processes: for a specified time.
- Timeout specification: limits the time a process can stay in a certain state.
- Deadlines and schedules: methods must exist for specifying them.
- StateCharts includes only timeout specification.
3. SDL
- As opposed to StateCharts, SDL was designed for distributed applications and is based on asynchronous message passing; it models distributed systems.
- It is a graphical and textual specification language.
- It was standardized by ITU in 1980 and updated several times.

Slide 19
- Processes are the basic elements of SDL; processes represent extended finite state machines, where the extensions include operations on data. The next fig. shows the symbols used in the graphical form of SDL:
- The next fig. shows a state diagram and its representation in SDL:

Slide 20
- Variables can be declared locally for processes.
- SDL contains programming language elements such as procedures; procedure calls can also be represented graphically.
- In general, SDL descriptions consist of a set of interacting processes or FSMs; processes can send signals to other processes.
- Interprocess communication is described based on FIFO queues associated with each process; signals sent to a particular process are placed in its corresponding FIFO queue. This is the implementation of the asynchronous message passing concept.

Slide 21
- A process fetches the next available entry from the FIFO queue and compares it with the inputs described for the current state; if it matches, the corresponding state transition takes place and an output is generated; if not, it is ignored.
- FIFO queues are conceptually thought of as being infinite, meaning that overflow is not considered; in reality, however, their length can only be finite, so when implementing the specifications, safe upper bounds for the FIFO queues must be provided.
- Process interaction diagrams are used for visualizing the processes that are communicating; signals are sent and received on channels. In SDL, "signal" means an input or output of an automaton.
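The queue behavior of slides 20 and 21, as an added example that is not part of the lecture or of any SDL tool: each process owns a bounded FIFO queue, fetches one signal per run, ignores signals that do not match its current state, and records the queue's high-water mark. The `client` and `server` processes, their signals and the two schedules are constructed for illustration.

```python
from collections import deque

class QueueOverflow(Exception):
    """Raised when a signal arrives at a full input queue."""

class Process:
    def __init__(self, name, initial, rules, bound):
        self.name, self.state = name, initial
        self.rules = rules            # (state, signal) -> (next state, outputs)
        self.queue, self.bound = deque(), bound
        self.high_water = 0           # longest queue length observed
        self.discarded = []           # (state, signal) pairs that were ignored

    def receive(self, signal):
        if len(self.queue) >= self.bound:
            raise QueueOverflow(f"{self.name}: bound {self.bound} exceeded")
        self.queue.append(signal)
        self.high_water = max(self.high_water, len(self.queue))

    def run_once(self, system):
        """Fetch one signal; fire the matching transition or ignore the signal."""
        if not self.queue:
            return False
        signal = self.queue.popleft()
        rule = self.rules.get((self.state, signal))
        if rule is None:
            self.discarded.append((self.state, signal))
            return True
        self.state, outputs = rule
        for dest, out in outputs:     # outputs go to the recipient's queue
            system[dest].receive(out)
        return True

CLIENT_RULES = {("idle", "go"): ("idle", [("server", "req")]),
                ("idle", "ack"): ("idle", [])}
SERVER_RULES = {("ready", "req"): ("ready", [("client", "ack")])}

# Two constructed schedules for the same three requests.
BURST = ["client"] * 3 + ["server"] * 4
INTERLEAVED = ["client", "server", "server"] * 3

def simulate(schedule, server_bound):
    client = Process("client", "idle", CLIENT_RULES, bound=8)
    server = Process("server", "ready", SERVER_RULES, bound=server_bound)
    system = {"client": client, "server": server}
    server.receive("ping")            # no rule for "ping": it will be ignored
    for _ in range(3):
        client.receive("go")
    for name in schedule:
        system[name].run_once(system)
    return {"server_high_water": server.high_water,
            "discarded": server.discarded,
            "client_pending": len(client.queue)}

if __name__ == "__main__":
    print(simulate(INTERLEAVED, server_bound=3))
    print(simulate(BURST, server_bound=4))
    try:
        simulate(BURST, server_bound=3)
    except QueueOverflow as exc:
        print("overflow:", exc)
```

The same signals need a server queue of length 2 under one schedule and 4 under the other, so a safe bound has to cover the worst ordering of process executions.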

Slide 22
The destination of a signal can be indicated in 3 ways:
- Through process identifiers: by using identifiers of recipient processes in the graphical output symbol (fig., left); OFFSPRING identifies a child process generated dynamically by a process.
- Explicitly: by indicating the channel name (fig., right); Sw1 is the name of a channel.
- Implicitly: by signal names; in the fig., signal B will implicitly always communicate via channel Sw1.
Processes cannot be nested but can be grouped hierarchically into blocks; blocks at the highest level are called systems, and blocks at the lowest level are called process interaction diagrams.
The next fig. shows the hierarchy modeled by the following block diagrams; the system is the root and the process interaction diagrams are the leaves.

Slide 23
- The highest level in the hierarchy:
- The hierarchy model:

Slide 24
- In order to model time, SDL contains timers; a timer can be declared locally for processes. The SET and RESET primitives set and reset a timer, respectively.
- The fig. shows the use of a timer T. Timer T is set to the current time plus p during the transition from state D to state E; when the transition from E to A takes place, a timer of p time units is active; if signal f arrives after the p time units have elapsed, a transition to state A is executed without generating output signal v.

Slide 25
Application: description of protocol stacks in a computer network.
- The network:
- The description of the protocols:
- Each layer describes communication at a more abstract level.
- The behavior of each layer is typically modeled as a finite state machine; the detailed description of an FSM depends on the network protocol. Usually it comprises checking and handling errors and transfers of information blocks.

Slide 26
Advantages and disadvantages:
- Appropriate for distributed applications.
- Because the order in which FSMs read their inputs is unknown, SDL is not deterministic.
- Commercial tools exist, also for connecting to MSCs and UML.
- Implementation requires a bound for the maximum length of the FIFO queues; it may be difficult to compute.
- The timer approach is adequate only for soft deadlines.
- Limited way of using hierarchies.
- Limited programming language support.
- No description of non-functional properties.
4. Message Sequence Charts
- Provide a graphical way of describing schedules.
- Use one dimension for time (usually the vertical dimension) and the other for geographical distribution.

Slide 27
- MSCs are adequate for visualizing schedules of trains and buses; the example refers to trains between Amsterdam, Cologne, Brussels and Paris. Aachen is an intermediate stop between Cologne and Brussels.
- Vertical segments mean times spent at stations; for one of the trains there is a timing overlap.
Advantages and disadvantages:
- Appropriate for representing schedules.
- Little information about synchronization (does the overlap in Brussels happen coincidentally, or is a synchronization desired for connecting trains?).
- Deviations from the presented schedules can hardly be included.

Slide 28
5. Petri nets
- A method for modeling causal dependencies; introduced in 1962.
- Do not assume global synchronization and are therefore suited for modeling distributed systems.
Key elements:
- Conditions: are either satisfied or not satisfied.
- Events: can happen or not.
- Flow relation: describes the conditions that must be met before events can happen, and it also describes the conditions that become true if events happen.
Graphical notations for Petri nets use circles for conditions, boxes for events and arrows for flow relations.
The example describes mutual exclusion for trains on a railroad track that must be used in both directions:
- A token is used to prevent collisions; the token is symbolized by a condition in the center of the model.

Slide 29
- A filled circle indicates that the condition is met, that is, the track is available.
- A filled circle shows, in this example, that a train wants to go to the right.
- The two conditions necessary for the event "train entering track from the left" are satisfied; these two conditions are called preconditions.
- If the preconditions of an event are met, it can happen; as a result, the token is no longer available and no train wants to enter the track.
- The preconditions are no longer met and the filled circles disappear.

Slide 30
- Now there is a train going on that track from the left to the right, and thus the corresponding condition is met.
- A condition that is met after an event happened is a postcondition.
- An event can happen only if all its preconditions are satisfied; after the event happened, the preconditions are no longer true and the postconditions become valid. Arrows show which of the conditions are preconditions and which are postconditions.
- Continuing the example, a train leaving the track returns the token to the condition at the center of the model:
Important advantages of Petri nets:
- They can be the basis for formal proofs about system properties.
- There are standardized ways of generating such proofs.
For that, formal definitions for Petri nets must be developed.

Slide 31
Condition/event nets: a class of Petri nets
- $N = (C, E, F)$ is called a net iff the following holds:
  - $C$ (conditions) and $E$ (events) are disjoint sets;
  - $F \subseteq (C \times E) \cup (E \times C)$ is a binary relation called the flow relation.
- Let $N$ be a net and let $x \in (C \cup E)$:
  - ${}^{\bullet}x := \{y \mid y F x\}$ is called the set of preconditions;
  - $x^{\bullet} := \{y \mid x F y\}$ is called the set of postconditions.
- Let $(c, e) \in C \times E$. $(c, e)$ is called a loop iff $c F e \wedge e F c$. $N$ is called pure if $F$ does not contain any loops.
- A net is simple if no two transitions $t_1$ and $t_2$ have the same set of pre- and postconditions.
- Simple nets without isolated elements, with some additional restrictions, are called condition/event nets.
- They are a special case of bipartite graphs.

Slide 32
Place/transition nets
- For condition/event nets, there is at most one token per condition.
- In many applications, more tokens per condition are needed.
- Nets with more tokens per condition are called place/transition nets; places correspond to conditions and transitions correspond to events.
- The number of tokens per place is called a marking; mathematically, a marking is a mapping of the set of places to the set of natural numbers extended by a special symbol, $\omega$, meaning infinity.
- $(P, T, F, K, W, M_0)$ is called a place/transition net iff:
  - $N = (P, T, F)$ is a net with places $p \in P$ and transitions $t \in T$;
  - the mapping $K : P \to (\mathbb{N}_0 \cup \{\omega\}) \setminus \{0\}$ indicates the capacity of places;
  - the mapping $W : F \to (\mathbb{N}_0 \setminus \{0\})$ indicates the weight of graph edges;
  - the mapping $M_0 : P \to \mathbb{N}_0 \cup \{\omega\}$ represents the initial marking of the places;
  - $\mathbb{N}_0$ is the set of natural numbers plus 0.
- The edge weight determines the number of tokens that are required before transitions can happen and the number of tokens that are generated if a certain transition takes place.

Slide 33
- Let $M(p)$ be the current marking of $p \in P$ and $M'(p)$ the marking after a transition $t \in T$ took place.
- The weight of edges belonging to preconditions: the number of tokens that are removed from places in the precondition set; the weight of edges belonging to postconditions: the number of tokens that are added to the places in the postcondition set.
- Formally, marking $M'$ is obtained according to the relations:
- Transition $t_j$ affects the current marking:
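The railroad example of slides 28 to 30 written as a place/transition net, as an added example that is not part of the lecture: tokens are removed and added according to the edge weights, and every reachable marking is enumerated to check that two trains are never on the track together. The place and transition names are constructed, and the enabling test (enough tokens on each precondition place, room under K(p) on each postcondition place) is the standard rule, assumed here because the slide's formulas did not survive.

```python
from collections import deque

OMEGA = float("inf")  # the slides' symbol for an unbounded capacity

class PTNet:
    """Place/transition net (P, T, F, K, W); markings are passed in as dicts."""

    def __init__(self, places, pre, post, capacity=None):
        self.places = tuple(places)
        self.pre = pre        # pre[t][p]  = W(p, t): tokens removed from p
        self.post = post      # post[t][p] = W(t, p): tokens added to p
        self.capacity = {p: OMEGA for p in self.places}
        self.capacity.update(capacity or {})

    def enabled(self, m, t):
        # Assumed standard rule, see the lead-in.
        return (all(m[p] >= w for p, w in self.pre[t].items()) and
                all(m[p] + w <= self.capacity[p]
                    for p, w in self.post[t].items()))

    def fire(self, m, t):
        if not self.enabled(m, t):
            raise ValueError(f"transition {t!r} is not enabled")
        new = dict(m)
        for p, w in self.pre[t].items():
            new[p] -= w
        for p, w in self.post[t].items():
            new[p] += w
        return new

    def reachable(self, m0, limit=10_000):
        """Breadth-first enumeration of all markings reachable from m0."""
        key = lambda m: tuple(m[p] for p in self.places)
        seen, todo = {key(m0): m0}, deque([m0])
        while todo:
            m = todo.popleft()
            for t in self.pre:
                if self.enabled(m, t):
                    nxt = self.fire(m, t)
                    if key(nxt) not in seen:
                        if len(seen) >= limit:
                            raise RuntimeError("state space exceeds limit")
                        seen[key(nxt)] = nxt
                        todo.append(nxt)
        return list(seen.values())

PLACES = ("want_right", "want_left", "track_free",
          "going_right", "going_left", "passed_right", "passed_left")

def railroad(with_token=True):
    """Single track used in both directions; the token place guards entry."""
    guard = {"track_free": 1} if with_token else {}
    pre = {"enter_from_left":  {"want_right": 1, **guard},
           "leave_to_right":   {"going_right": 1},
           "enter_from_right": {"want_left": 1, **guard},
           "leave_to_left":    {"going_left": 1}}
    post = {"enter_from_left":  {"going_right": 1},
            "leave_to_right":   {"passed_right": 1, **guard},
            "enter_from_right": {"going_left": 1},
            "leave_to_left":    {"passed_left": 1, **guard}}
    return PTNet(PLACES, pre, post, capacity={p: 1 for p in PLACES})

M0 = {**dict.fromkeys(PLACES, 0),
      "want_right": 1, "want_left": 1, "track_free": 1}

def collisions(net):
    """Reachable markings with a train on the track in both directions."""
    return [m for m in net.reachable(M0)
            if m["going_right"] + m["going_left"] > 1]

if __name__ == "__main__":
    print(len(railroad().reachable(M0)), collisions(railroad()))
    print(len(collisions(railroad(with_token=False))))
```

With the token place the net has 8 reachable markings and none is a collision; removing the token arcs makes a collision marking reachable, which is the kind of system property the slides say can be proved from the net.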

Slide 34
Predicate/transition nets
- Condition/event nets and place/transition nets become very large for large examples; predicate/transition nets allow a reduction of the size.
- Example: the dining philosophers problem:
- The model given by the condition/event net:
- Conditions: $t_j$ = thinking states, $e_j$ = eating states, $f_j$ = available forks.

Slide 35
- The model with predicate/transition nets:
- Tokens have an identity and can be distinguished.
- In the fig., 3 philosophers, $p_1$, $p_2$ and $p_3$, are distinguished and fork $f_3$ is identified.
- Edges can be labeled with variables and functions; in the example, variables are used to distinguish the philosophers, and functions $l(x)$ and $r(x)$ are used for identifying the left and right forks of philosopher $x$, respectively. The 2 forks form a precondition for transition $u$ and are returned as a postcondition of transition $v$.
- The model can easily be extended to more than 3 philosophers simply by adding tokens; the structure of the net does not have to be changed.

Slide 36
Advantages and disadvantages:
- Powerful for modeling causal dependencies.
- All decisions can be taken locally, by analyzing transitions and their pre- and postconditions.
- Appropriate for modeling geographically distributed systems.
- There is a strong formalism allowing proofs of system properties.
- Time is not modeled.
- Standard Petri nets do not include hierarchy and programming language elements.
- It is difficult to represent data.
- There are extended versions of Petri nets that limit the disadvantages.
- Very popular due to the spread of distributed applications.

