Upload
veronica-shaw
View
218
Download
0
Embed Size (px)
Citation preview
11Fall 2015, arz 1
CPE555A:Real-Time Embedded Systems
Lecture 11Ali Zaringhalam
Stevens Institute of Technology
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 2
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 2
Outline
Extended FSM Non-deterministic FSM Hierarchical FSM Transition Types
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 3
ExampleReference: Claudius Ptolemaeus, Editor: Introduction to Embedded Systems, http://ptolemy.eecs.berkeley.edu/index.htm
• High water-mark:22• Low water-mark: 18
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 4
Thermostat Model
Temperature increase per unit time as a result of heating.
Temperature decrease per unit time when heater is not on.
Model parameters
Output: heats or coolsthe environment.Input: ambient temperature
of environment.
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 5
Other Issues
How do you drive the thermostat model? Modeling input side
How do you test it? Viewing the response/output
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 6
Driver, Input & Output
Drives scheduling by generating a periodic timing signal. All model components react to the periodic signal
Models temperature behavior in the environment.
Displays temperature.
Displays heating/cooling response
Fall 2015, arz
Modeling Temperature Behavior
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 7
Fall 2015, arz
Default Transition
A default transition is enabled if No non-default transition is enabled There is either no guard or the guard
evaluates to true When is the default transition
enabled?CS555A – Real-Time Embedded SystemsStevens Institute of Technology 8
Alternatively we can define a ordinary transition with guard = ! ( up & !down) which is the complement of the (up & !down) transition.
• A default transition has a lower priority than an ordinary transition. It is like the default case in the switch/case statement in C.
• If the guard in both an ordinary and the default transitions evaluate to TRUE, the ordinary transition wins and is taken.
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 9
Default is when T< heatOffThreshold
Default is when T> heatOnThreshold
Default Transition Example
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 10
Formal Description
States: (0, 1) s(0) = cooling s(1)=heating
InitialState= 0 Input: temperature T Output:
heatOn -> { present, absent } heatOff -> {present, absent)
Update(s, T) Update(0, T) = (1, heatOn) if T<=18 Update(1, T) = ( 0, heatOff) if T>=22
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 11
Garage Counter Example
The notation here is a bit awkward because the parameter M may be large
Fall 2015, arz
Extended State Machine
Extended State machine augments the FSM model with variables that can be read or written
What is the size of the state space?
The count variable is incremented only AFTER guard has been evaluated and output generated
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 13
Number of States
For an Extended State Machine with n discrete states (bubbles) m variables each with p possible
values Number of states = nxpm
In general an Extended State Machine may not be a Finite State machine Example:
An extended variable is a real number
Fall 2015, arz
Notation for Extended FSM
Make explicit declarations of variables, inputs and outputs
• set action may alter variables of extended FSM
• The actions on variables are taken only AFTER guard has been evaluated and output generated
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 14
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 15
FSM Structure
FSM consists of a set of states and transitions One initial state Any number of final states (0-N) Guard expressions gating transitions Any number of output actions Any number of set actions for
extended variables
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 16
FSM Operation - 1
Firing phase operations Read inputs Evaluate guards on outgoing
transitions of the current state Choose a transition whose guard
evaluates to true Execute the output actions on the
chosen transition, if any
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 17
FSM Operation - 2
Post-fire operations Execute the set actions of the chosen
transition, which determines the values of extended variables
Change the current state to the destination of the chosen transition
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 18
Deterministic FSM
A state machine is said to be deterministic if, for each state, there is at most one transition enabled by each input value. The update function is a 1-1 mapping
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 19
Non-Deterministic FSM If for each state, more than one
transition is enabled by an input value, the FSM is said to be non-deterministic
The update function is 1-many mapping
In the heating state both red transitions fire on any input.
• The update function of a non-deterministic FSM has a 1-many mapping between (state, inputs) -> (state, output)
• It is useful to think of it as a multi-valued function
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 20
Example: Non-Deterministic FSM
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 21
Non-Deterministic FSM Model
• In a nondeterministic FSM, if more than one transition is enabled and they are all marked
nondeterministic, then one is chosen in the fire phase based on some environment criteria. In this model the SDF director picks a transition at random.• The selection criteria is not a part of the
FSM specification which only models that both transitions are possible.
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 22
Example
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 23
Traffic Light Extended FSM• Model is time-
triggered• Assumes one
reaction per second.
Default transition• Guard: true• Action: increment
count
Re-init count=0.
Initial state.
What happens if 60 seconds go by and there is no pedestrian?
The output signals (sigG/sigY/sigR) are used to drive the pedestrian light controller (see later slides)
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 24
Stuttering & Receptiveness
A stuttering reaction is one where the inputs (other than the clock tick) and outputs are all absent and the machine does not change state. No progress is made and nothing changes
In the “green” state, the FSM stutters after 60 seconds and no pedestrian arrival
Receptiveness: in a receptive FSM, for each state, there is at least one transition possible on each input symbol
Even in the stuttering “green” state, the FSM transitions when a pedestrian arrives
So the FSM is receptive
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 25
Modeling the Environment With Non-Deterministic FSM
This non-deterministic state machine can be used to model the environment for the pedestrian input/output interaction
Initial state is “crossing” The initial state of the traffic light
controller is “red” So there is consistency
In the “none” state the guard on both transitions are enabled
The model doesn’t say which is taken. It just says that both transitions are possible
You can add your own recipe for deciding which transition is taken
Typically one is picked at random based on some probability distribution
• In the “none” state there is no pedestrian present.
• At every clock tick, the model simulates the presence/absence of a pedestrian in a non-deterministic fashion.
These inputs come from the traffic light controller FSM
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 26
Non-Deterministic FSM as a Specification Tool
Modeling unknown aspects of the environment
Example: pedestrian crossing event
Hiding details in the specification of a system
Example specification Transition Red -> Green -
> Yellow -> Red in this order
The model doesn’t say anything about timing
Note that transitions other than in Green -> Yellow -> Red -> Green order are not allowed
• Requirement on the sequential behavior of the traffic light controller.
• Red => Green => Yellow => Red => Green =>……..
• The actual traffic controller FSM we just saw meets this specification
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 27
Behaviors & Traces FSM behavior consists
of a sequence of steps
A trace is the record of inputs, outputs and states in a behavior
A computation tree is a graphical representation of all possible traces
FSMs are suitable for formal analysis of system behavior, such as reachability of unsafe states • Is there a transition from yellow ->
green?• This can be verified with a verification
tool against the specification.
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 28
Non-Deterministic Behavior
For a fixed input sequence A deterministic FSM exhibits a single
behavior
A non-deterministic FSM exhibits a set of behaviors visualized as a computation tree
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 29
Counter Example 6.4
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 30
Counter Example 6.4
• SDF: Synchronous Data Flow• SDF orchestrates flow of data • After final state is reached, the postfire action
returns “false” and the director terminates execution of ALL actors (not just the one that moved to the final state)
• Model is similar to a “for” loop with a finite number of iterations. In each iteration, each actor in the flow sequence is invoked with data-in and data-out
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Example 6.5
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 32
Example 6.5
• SR: Synchronous Reactive• Manages periodic events which may or may
not be accompanied by data• So FSM can react to absence of data as well• After final state is reached , the postfire action
returns “false” and the director terminates execution of this actor but continues to execute other actors
• Model is similar to a polling thread. Periodically, the input is polled and an action is taken depending on presence/absence of input
• When there is no data (i.e., input is absent), FSM can react as well
• The NonStrictDisplay displays “absent” when there is no input
• A normal display will display nothing
• Notice that unlike in the SDF case, there is no input into the FSMActor.
• The FSM fires each time there is a clock input from the SR director
• Both FSMActor & Display actors are fired in each cycle
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 33
Example 6.7
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 34
Example 6.7
With SR Director, actors respond to both presence and absence of input• p_isPresent is supported by
the environment for input p.• True if there is a token at
port p
False only if:• Reset_isPresent = True• Reset=True
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 35
Simplification With Default Transitions Must separately test for
• Presence/absence of reset signal• Value of the reset signal (0/1)
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 36
Immediate Transition
If a state A has an immediate transition to another state B, then that transition will be taken in the same firing as a transition into state A if the guard on the immediate transition is true. The transition into and out of A will occur in the same firing
A is called a transient state.
Immediate transition.
Transient state
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 37
Example 6.9
Immediate transition.
Reset
Final
Final
Reset
No absent outout into display until termination
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 38
Simplifying FSM DescriptionWe can use default, immediate and non-deterministic behavior to simplify FSM modeling
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 39
Two Solutions
Brute-force deterministic solution Simplified non-deterministic
solution with default and immediate transitions
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 40
Brute Force Solution
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 41
A Better SolutionWhy make these transitions non-deterministic?
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 42
• The refinement of a state is another nested FSM.
• The outer FSM is in state B if the refinement of B is in either C or D.
• Hierarchy supports code reuse• Existing FSM can be nested into
a higher-level FSM
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 43
FSM Flattening & Depth-First Semantics
g2=true causes A-> B = { C | D} Two ways to exit C
g1=true causes C->A g4=true causes C->D
What happens if both g1=true and g4=true? Different semantics are possible and used in different FSM models Depth-first semantic: deepest refinement reacts first, followed by
the container FSM Consider what happens when g1=true AND g4=true
• Note that when g4 = true AND g1 = true, C does NOT transition to D but both outputs a4 and a1 are generated.
• C->D followed by D->A are logically simultaneous.
Initial state.
Initial state of refinement.
Will talk about significance of arrowhead shortly.
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 44
Order of Operations & Conflicts
• The innermost output a4 happens before a1
• If they conflict the outer output overrides the inner output
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 45
Red originating circle in the arrow indicates preemptive transition.
With preemptive transitions, the ambiguity of conflicting outputs goes away.
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 46
Full arrowhead indicates History transition
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 47
You must track all four possible states: (A,C), (A,D), (B,C) and (B,D).
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 48
Empty arrowhead indicates Reset transition
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 49
FSM Flattening & Depth-First Semantics
g2=true causes A-> B = { C | D} Two ways to exit C
g1=true causes C->A g4=true causes C->D
What happens if both g1=true and g4=true? Different semantics are possible and used Depth-first semantic: deepest refinement reacts first, followed by
the container FSM Consider what happens when g1=true AND g4=true
Empty arrowhead indicates Reset transition
With a reset transition, you do not have to track all four possible states: (A,C), (A,D), (B,C) and (B,D). Transition from A -> B will always start in C.
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 50
Ptolemy & Text Symbols
In Ptolemy Full arrowhead stands for reset transition History transition is indicated by a H at the
arrowhead
Empty arrowhead indicates Reset transition
Full arrowhead indicates History transition
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 51
Example 6.11
Fall 2015, arz
Hierarchical Model - 1
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 52
The self transition from faulty back to itself is a history transition because its purpose is to only count iterations, not to interfere with the execution of the refinement which is to output heating/cooling rate.
Fall 2015, arz
Hierarchical Model - 2
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 53
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 54
Termination Transition• A termination transition is a
transition that is enabled only when the refinements of the current state reach a final state.
• Note that a state can have more than one refinement
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 55
Example 6.12
Termination transition is taken when:• Refinement A transitions to
doneA• Refinement B transitions to
doneB
Two refinements for the same actor.
Transition is both:• A preemptive transition• A reset transition
Fall 2015, arz 56
Concurrent Composition
Two or more FSMs react Synchronous composition: FSMs
react simultaneously Asynchronous composition: FSMs
react independentlyCS555A – Real-Time Embedded Systems
Stevens Institute of Technology
Fall 2015, arz 57
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Side-By-Side Synchronous Composition
If the composition is synchronous, then both A and B react simultaneously. If the composition is synchronous, then both A and B react simultaneously.
Fall 2015, arz 58
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Flattening the Composition
Equivalent Flat FSM
Fall 2015, arz 59
Side-By-Side Asynchronous Composition
Component FSMs react independently
Semantics 1: a reaction of C is a reaction of one of A or B, where the choice is nondeterministic.
A and B don’t react simultaneously
Semantics 2:A reaction of C is a reaction of A, B, or both A and B, where the choice is nondeterministic.
Optionally neither A nor B may react
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Fall 2015, arz 60
Example
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Semantics 1
Fall 2015, arz 61
Cascade Composition
Output ports of A are connected to the input ports of B
Type checking: the outputs of A must be in the set of acceptable inputs to B.
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Fall 2015, arz 62
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Synchronous Cascade If the composition is synchronous, then both A and B react.
But the reaction of A precedes the reaction of A. So the output of A is available as input into B.
Programming analogy is a program which calls A. A in turn calls B on the stack and passes its output parameters as input.
The SDF Director implements synchronous cascade of actors Actors may be FSMs
Fall 2015, arz 63
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 63
Example: Synchronous Cascade
When a is present A outputs b & self-transitions B outputs c and self-transition FSM remains in state (s1, s3)
When a is absent, b is also absent (s1, s3) transition to (s2, s4)
Both A and B react together If they didn’t, one could go thru (s2,
s3) on the way from (s1, s3) to (s2, s4)
(s1, s4) and (s2, s3) are unreachable from the init state.
Fall 2015, arz 64
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 64
Example: Synchronous Cascade
Fall 2015, arz 65
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 65
Traffic Light Extended FSM• Model is time-
triggered• Assumes one
reaction per second.
Default transition• Guard: true• Action: none
Re-init count=0.
Initial state.
What happens 60 seconds go by and there is no pedestrian?
Fall 2015, arz 66
Pedestrian Light FSM
The pedR & pedG signals control the pedestrian light signal
sigR from the traffic light FSM The light stays green for 55 seconds, then goes red Cycle repeats after receiving sigR
CS555A – Real-Time Embedded SystemsStevens Institute of Technology
Fall 2015, arz 67
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 67
Composition of two FSMs
sigR from traffic light FSM feeds the pedestrian FSM
Fall 2015, arz 68
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 68
State Enumeration
State = (Traffic light state, pedestrian light state) (red, red) (red, green) (yellow, red) (yellow, green) (green, red) (green , green) (pending, red) (pending, green)
61 distinct values for count variable 56 distinct values for pcount variable 8x61x56 distinct states
How may are reachable?
What guarantees that this state is not reached?
State combinations in red font are not safe and must be made unreachable by design
Fall 2015, arz 69
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 69
FSM Flattening
Fall 2015, arz 70
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 70
What guarantees that this state is not reached?
This area is identical to previous slide.
Fall 2015, arz 71
General Composition
Side-by-side and cascade compositions can be combined
Feedback loops may also be allowed
Fall 2015, arz 72
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 72
Asynchronous Compositions
In asynchronous compositions, FSMs representing actors react independently
Communication between actors is through exchange of messages Rate of message production and message
consumption may not be the same Buffers are required to absorb differences
in production/consumption rates
72
Fall 2015, arz 73
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 73
Firing Function & Firing Rule
Firing function F maps a finite set of the inputs to outputs
It can do this….
Firing rule f is the specification for triggering the firing function (e.g., the number of tokens)
But it will only do this….
73
Fall 2015, arz 74
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 74
Issues In Asynchronous Compositions
Buffer overflow Can the actors continue to execute
indefinitely with limited number of buffers?
Deadlock Are there enough input tokens to satisfy
the firing rule? For a general network of FSMs, these
questions are undecidable The Synchronous Dataflow (SDF) model
puts constraints on FSM to address this
74
Fall 2015, arz 75
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 75
The SDF Model On firing, each FSM
consumes a fixed number of tokens and fires a fixed number of tokens
Balance equation If qA*M=qB*N Where qA* and qB are the
rates at which A and B fire respectively
Then a schedule with bounded buffers is possible
75
Fall 2015, arz 76
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 76
Example
76
Fall 2015, arz 77
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 77
Example
77
Fall 2015, arz 78
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 78
Example
78
qA=qB
2qA=qC
qB=qC
qA = qB = qC= 0
C consumes 2 tokens per transition but receives three tokens.
Fall 2015, arz 79
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 79
Observations
79
A model that has no non-zero solution is referred to as “inconsistent”
If a model is inconsistent, it does not have an unbounded execution with bounded buffers
If a models is consistent, it can operate with a bounded buffer
But there is no guarantee of unbounded execution (i.e., executing indefinitely) There could be deadlock
Fall 2015, arz 80
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 80
Example
80
Fall 2015, arz
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 81
Driver, Input & Output
Drives scheduling by generating a periodic timing signal. All model components react to the periodic signal
Models temperature behavior in the environment.
Displays temperature.
Displays heating/cooling response
Fall 2015, arz
Modeling Temperature Behavior
CS555A – Real-Time Embedded SystemsStevens Institute of Technology 82