Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur

Published byDelilah Day Modified over 8 years ago

Similar presentations

Presentation on theme: "CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur"— Presentation transcript:

1 CIS 540 Principles of Embedded Computation Spring 2016 http://www.seas.upenn.edu/~cis540/ Instructor: Rajeev Alur alur@cis.upenn.edu

2 Timed Increments  Task A x increments x, and this takes between 1 to 2 time units  Task A y increments y, and this also takes between 1 to 2 time units  Two tasks execute in parallel, asynchronously, but timing introduces loose coordination  Which states are reachable? What is the co-relationship between m and n so that the state (x=m, y=n) is reachable? clock u :=0 nat x :=1 u >= 1  x:=x+1; u:=0 u <= 2 clock v :=0 nat y :=1 v >= 1  y:=y+1; v:=0 v <= 2 CIS 540 Spring 2016; Lecture April 20 Task A x Task A y

3 Mutual Exclusion Problem  Safety Requirement: Both processes should not be in critical section simultaneously (can be formalized using invariants)  Absence of deadlocks: If a process is trying to enter, then some process should be able to enter Process P1 Entry Code Critical Section To be designed Process P2 Entry Code Critical Section CIS 540 Spring 2016; Lecture April 20

4 Mutual Exclusion: Attempted Solution AtomicReg {0, 1, 2} Turn := 0 What’s the bug? Process P1 IdleTry1 Turn=0 ? Crit else Turn := 0 Try2 Turn : = 1 Process P2 Idle Try1 Turn=0 ? Crit else Turn := 0 Try2 Turn : = 2 CIS 540 Spring 2016; Lecture April 20

5 Timing-based Mutual Exclusion 1.When a process wants to enter critical section, it reads the shared variable Turn 2.If Turn != 0 then try again (goto step 1) 3.If Turn = 0 then set Turn to your ID 4.Proceeding directly to critical section is a problem (since the other process may also have concurrently read Turn to be 0, and updating Turn to its own ID) 5.Solution: Delay and wait till you are sure that concurrent writes are finished 6.Read Turn again: if Turn equals your own ID then proceed to critical section, if not goto step 1 and try again 7.When done with critical section, set Turn back to 0 CIS 540 Spring 2016; Lecture April 20

6 Fisher’s Protocol for Mutual Exclusion AtomicReg Turn := 0 Idle nat y, clock x Test y:=Turn Set Delay y=0  Turn := myID y != 0 ? ; x:=0 x<=  1 Timing assumption: Takes at most  1 to write Check x>=  2  y:=Turn x:=0 Crit y = myID? y!=myID? Turn := 0 Why does it work ? Wait for at least  2 time, and read Turn again CIS 540 Spring 2016; Lecture April 20

7 Properties of Fisher’s Protocol  Assuming  2 >  1, the algorithm satisfies:  Mutual exclusion: Two processes cannot be in critical section simultaneously  Deadlock freedom: If a process wants to enter critical section then some process will enter critical section  Protocol works for arbitrarily many processes (not just 2)  Note: In the asynchronous model, mutual exclusion protocol for N processes is lot more complex than Peterson’s algorithm  Does the protocol satisfy the stronger property of starvation freedom: If a process wants to enter critical section then it eventually will ?  If  2 <=  1 then does mutual exclusion hold? Does deadlock freedom hold? CIS 540 Spring 2016; Lecture April 20

8 Timed Communication  Suppose a sender wants to transmit a sequence of bits to a receiver connected by a communication bus  Natural strategy: Divide time into slots, and in each slot transmit a bit using high/low voltage values to encode 0/1  Manchester encoding: Value 0 encoded as a falling edge, and value 1 encoded as a rising edge CIS 540 Spring 2016; Lecture April 20

9 Timed Communication Challenges  Sender and receiver know the duration of each time slot, but…  Receiver does not know when the communication begins  When idle, the voltage is set to low  Receiver can reliably detect only falling edges  Sender and receiver clocks measure time only imperfectly due to skew  When a clock x equals 1, actual time elapsed is in interval [1- ,1+  ]  In our model, clocks are perfect, but we can capture this error by changing a test x = 1 to x >= 1-  CIS 540 Spring 2016; Lecture April 20

10 Audio Control Protocol  Protocol developed by Philips to reliably transmit messages in presence of imperfect clocks  Design logic for receiver to map measured delays between successive falling edges to sequence of bits  Verification: Prove that message transmission is reliable for a given skew rate   Optimization: Find the largest skew value that the protocol tolerates  See section 7.2.1 for Sender and Receiver processes CIS 540 Spring 2016; Lecture April 20

11 Implantable Pacemaker Modeling CIS 540 Spring 2016; Lecture April 20

12 Timing Analysis Timed Model Requirement yes/proof no/bug Model Checker  How to adapt algorithms for searching through the state-space of a model in presence of clock variables and timing constraints?  Application: Formal analysis of timing-based coordination and communication protocols  Must handle the space of clock valuations symbolically!  Popular model checker: Uppaal CIS 540 Spring 2016; Lecture April 20

13 Timing Analysis Example y:=0 x<=2 x > 1 y = 3 Infeasible Path ! x:=0 CIS 540 Spring 2016; Lecture April 20

14 Timed Automata  Motivation: When is exact analysis of timing constraints possible?  A timed process TP is a timed automaton if for every clock variable x  Assignments to x in the description of TP are of the form x:=0  An atomic expression involving x in the description of TP (in clock- invariants or in guards) must of the form “x~ k”, where k is a constant and ~ is a comparison operation (=,, =)  In such a model, one can express constant lower and upper bounds on timing delays  Closed under parallel composition: If TP1 and TP2 are timed automata then TP1 | TP2 is also a timed automaton  Finite-state timed automaton: A timed automaton where all variables other than clock variables have finite types (e.g. Boolean, enumerated)  State-space is still infinite due to clock variables, but verification is solvable exactly CIS 540 Spring 2016; Lecture April 20

15 Timing Analysis Example x>=3  y:=0 A x<=5 (y >= 6)? (x = 7)? Which of the modes D, E, F are reachable ? x,y:=0(y >= 2)? B x<=7 C x<=8 (x <= 4)? D E F Requires propagation of the reachable combinations of x and y symbolically CIS 540 Spring 2016; Lecture April 20

16 Timing Analysis Example A x 1, x 2 :=0 Initial set of clock-valuations: x 1 = 0 & x 2 = 0 Clock-zone: Uniform representation of constraints that arise during analysis Constraints of two types: 1. Lower/upper bound on value of a clock variable 2. Lower/upper bound on difference of two clock variables Clock-zone R 0 0 <= x 1 <= 0 0 <= x 2 <= 0 0 <= x 1 -x 2 <= 0 CIS 540 Spring 2016; Lecture April 20

17 Timing Analysis Example A x 1 <= 5 Starting from a state in R 0, as time elapses, which clock-valuations are reachable ? Clock-zone R 0 0 <= x 1 <= 0 0 <= x 2 <= 0 0 <= x 1 -x 2 <= 0 During a timed transition, values of all clocks increase. How are the constraints impacted? What’s the effect of clock-invariant ? Step 1: Compute effect of timed transitions ignoring clock-invariants Constraints on individual clocks: Change upper bound to Infty Constraints on differences between clock values: unchanged (why?) Clock-zone R’ 0 0 <= x 1 <= Infty 0 <= x 2 <= Infty 0 <= x 1 – x 2 <= 0 CIS 540 Spring 2016; Lecture April 20

18 Timing Analysis Example A x 1 <= 5 Desired clock-zone R 1 : Set of clock-valuations reachable while in mode A Intersection of constraints in R’ 0 and the clock-invariant Canonicalization: Tighten all bounds to reflect implied constraints Each lower bound should be as high as possible Each upper bound should be as low as possible Clock-zone R’ 0 0 <= x 1 <= Infty 0 <= x 2 <= Infty 0 <= x 1 -x 2 <= 0 Clock-zone R” 0 0 <= x 1 <= 5 0 <= x 2 <= Infty 0 <= x 1 -x 2 <= 0 Clock-zone R 1 0 <= x 1 <= 5 0 <= x 2 <= 5 0 <= x 1 -x 2 <= 0 CIS 540 Spring 2016; Lecture April 20

19 Timing Analysis Example A x 1 <= 5 Desired clock-zone R 2 : What are set of clock-valuations upon entry to B ? Step 1: Intersect guard 3 <= x 1 with the clock-zone R 1 Clock-zone R 1 0 <= x 1 <= 5 0 <= x 2 <= 5 0 <= x 1 -x 2 <= 0 x 1 >=3  x 2 :=0 B 3 <= x 1 <= 5 0 <= x 2 <= 5 0 <= x 1 -x 2 <= 0 Step 2: Canonicalize by tightening constraints 3 <= x 1 <= 5 3 <= x 2 <= 5 0 <= x 1 -x 2 <= 0 Step 3: Capture the effect of assignment x 2 := 0 Bounds on x 2 change, and so do bounds on x 1 -x 2 Clock-zone R 2 3 <= x 1 <= 5 0 <= x 2 <= 0 3 <= x 1 -x 2 <= 5 Step 4: Canonicalize. In this case, constraints are already as tight as possible CIS 540 Spring 2016; Lecture April 20

20 Timing Analysis Example B x 1 <= 7 Starting from a state in R 0, as time elapses, which clock-valuations are reachable ? Clock-zone R 2 3 <= x 1 <= 5 0 <= x 2 <= 0 3 <= x 1 -x 2 <= 5 Step 1: Set upper bounds on individual clock values to Infty 3 <= x 1 <= Infty 0 <= x 2 <= Infty 3 <= x 1 -x 2 <= 5 Step 2: Intersect with the clock-invariant x 1 <= 7 3 <= x 1 <= 7 0 <= x 2 <= Infty 3 <= x 1 -x 2 <= 5 Step 3: Canonicalize by tightening all the bounds What is a good data structure to represent clock-zones? What are algorithms for operations such as intersection, canonicalization? Clock-zone R 3 3 <= x 1 <= 7 0 <= x 2 <= 4 3 <= x 1 -x 2 <= 5 CIS 540 Spring 2016; Lecture April 20

Download ppt "CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur"

Similar presentations

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.

Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Timed Automata.

Timed Automata.
Multiprocessor Synchronization Algorithms (20225241) Lecturer: Danny Hendler The Mutual Exclusion problem.

Multiprocessor Synchronization Algorithms ( ) Lecturer: Danny Hendler The Mutual Exclusion problem.
Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 4: Mutual Exclusion.

Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 4: Mutual Exclusion.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ 85287 Dr. Yann-Hang Lee

CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ Dr. Yann-Hang Lee
Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.

Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Concurrency.

Concurrency.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

Similar presentations

Ads by Google