Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
CS:4980FoundationsofEmbeddedSystems
Copyright 20014-16, Rajeev Alur and Cesare Tinelli. Created by Cesare Tinelli at the University of Iowa from notes originally developed by Rajeev Alur at the University of Pennsylvania. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.
TimedModel
ModelsofReactiveComputationq Synchronousmodel
§ Componentsexecuteinasequenceofdiscreteroundsinlock-step§ Computationwithinaround:Executealltasksinanorderconsistent
withprecedenceconstraintsq Asynchronousmodel
§ Speedsatwhichdifferentcomponentsexecuteareindependent§ Computationwithinastep:Executeasingletaskthatisenabled
q Continuous-timemodelfordynamicalsystem§ Synchronous,butnowtimeevolvescontinuously§ Executionofsystem:Solutiontodifferentialequations
q Timedmodel§ Likeasynchronousforcommunicationofinformation§ Canrelyonglobaltimeforcoordination
ExampleTimedModel
clockx:=0off
press?–>x:=0dim bright
press?
(press&x>=1)?(press&x<=1)?
Initialstate: (mode=off,x=0)Timedtransition:(off,0)–0.5–>(off,0.5)Inputtransition: (off,0.5)–press?–> (dim,0)Timedtransition:(dim,0)–0.8–> (dim,0.8)Inputtransition: (dim,0.8)–press?–> (bright,0.8)Timedtransition:(dim,0.8)–1–> (dim,1.8)Inputtransition: (dim,1.8)–press?–> (off,1.8)
ExampleTimedModel
q Clockvariables§ Testsandupdatesinmode-switcheslikeothervariables§ New: Duringatimedtransitionofdurationd,thevalueof
clockvariablesincreasesbyanamountequaltodq Timingconstraint:Settingx to0 foroff–>dimandguardx<=1
fordim–>bright specifiesthattimingofthesetwotransitionsis<=1 apart
clockx:=0off
press?–>x:=0dim bright
press?
(press&x>=1)?(press&x<=1)?
Example:TimedBuffer
bool in bool out
q Bufferwithaboundeddelay
q Behavior:Inputreceivedonchannelinistransmittedonoutputchanneloutafteradelayofd,withLB<=d<=UB(i.e.weknowlowerandupperboundsonthisdelay)
ModelingTimedBuffer
clocky:=0
in?–>x:=in;y:=0
in?
q Modeindicateswhetherthebufferisfullornotq Statevariablex remembersthelastinputvaluewhenbufferisfullq Clockvariabley tracksthetimeelapsedsincebufferfilledupq Whenbufferisfull,inputeventsareignoredq Guardy>=1ensuresthatatleast1 timeunitelapsesinmodeFull
Howtoensurethatmode-switchfromFull toEmpty isexecutedbeforeclocky exceedstheupperbound1?
FullEmpty
y>=1–>out:=x
ClockInvariants
q Theconstrainty<=1associatedwithmodeFull isaclockinvariant
q Atimedtransitionofdurationd isallowedonlyiftheclockinvariantissatisfiedfortheentiredurationofthetransition§ (Full,x,0.8)–0.7–> (Full,x,1.5) allowed§ (Full,x,0.8)–1.4–> (Full,x,2.2) disallowed
q Clockinvariantstolimithowlongaprocessstaysinamode
clocky:=0
in?–>x:=in;y:=0
in?
Fully<=2
Empty
y>=1–>out:=x
ExamplewithTwoClocks
clockx,y:=0
in?–> x:=0
q Inputevent:inq Outputevents:out1,out2q Twoclockvariables:x,yq Astimepasses,bothclocksincrease(andatthesamerate)q Sampletimedtransitionsfromstate(mode,x,y)=(Wait2,0.8,0):
(Wait2,0.8,0)–0.3–>(Wait2,1.1,0.3)–0.72–>(Wait2,1.82,1.02)
Wait1x<=1
Idle
y>=1–> out2!
out1!; y:=0Wait2x<=2
TwoClockExample
q Clockx trackstimeelapsedsincethelastinputeventq Clocky trackstimeelapsedsincetheoutputeventq Whatisthebehaviorofthismodel?q Ifinputeventoccursattimet,theprocessissuesanoutputeventon
channelout1 attimet’ withintheinterval[t,t+1],andthenonchannelout2 attimet’’withintheinterval[t’+1,t+2]
clockx,y:=0
in?–> x:=0Wait1x<=1
Idle
y>=1–> out2!
out1!; y:=0Wait2x<=2
ExampleSpecification
q ConsideratimedprocesswithInput:eventx Output:eventy, eventz
q Desiredbehavior§ Foreachinput,producebothoutputevents§ Timedelaybetweenx? andy! isintheinterval[2,4]§ Timedelaybetweenx? andz! isintheinterval[3,5]§ Ignorelaterinputsreceivedintheseintervals
DefinitionofTimedProcessq AtimedprocessTP consistsof
1. AnasynchronousprocessP,wheresomeofthestatevariablescanbeoftypeclock (rangingnon-negativereals)
2. AclockinvariantCI,aBooleanexpressionoverP’sstatevariables
q Inputs,outputs,states,initialstates,internalactions,inputactions,andoutputactionsexactlyasintheasynchronousmodel
q Notation:Forastates andtimet,lets+t denotethestatesuchthat§ (s+t)(x)=s(x)+t foreveryclockvariablex,and§ (s+t)(y)=s(y)foreverynon-clockvariabley
q Timedactions:Givenastates andatimed>0,s–d–>s+d isatransitionofdurationd aslongasthestates+t satisfiesinvariantCIforallt in[0,d]Note: Ifaclock-invariantisaconvexconstraintthenitissufficienttocheckthattheend-statess ands+d satisfyCI
CompositionofProcesses
bool in boolout1
q Howtoconstructtimedprocesscorrespondingtothecompositionofthetwoprocesses?
q Whatarethepossiblebehaviorsofthecompositeprocess?
boolout2
TimedBuf1
TimedBuf2
CompositionofTimedProcesses
clocky1:=0
in?–> x1:=in;y1:=0
in?
Fully1<=UB1Empty
y1>=LB1–> out1:=x1TimedBuf1
clocky2:=0
in?–> x2:=in;y2:=0
in?
Fully2<=UB2
Empty
y2>=LB2–> out2:=x2TimedBuf2
Thecompositeprocesshasfourmodes:(Empty,Empty),(Empty,Full),(Full,Empty),(Full,Full),
CompositionofTimedProcesses
(mode=EF=>y2<=UB2)&(mode=FF=>y1<=UB1&y2<=UB2)&(mode=FE=>y1<=UB1)
CompositionofProcesses
q IfUB1<LB2thenout1 guaranteedtooccurbeforeout2§ Implicitcoordinationbasedonboundsondelays
q Isitpossibletoobservetwoout1eventswithoutaninterveningout2event?§ Dependsonrelativemagnitudesofbounds(needtiminganalysis!)
bool in boolout1
boolout2
TimedBuf1
TimedBuf2
DefinitionofParallelCompositionq ConsidertimedprocessesTP1 =(P1,CI1)andTP2 =(P2,CI2)
q WhenistheparallelcompositionTP1 |TP2 defined?§ ExactlywhentheasynchronousparallelcompositionP1 |P2
isdefined(thatis,whentheoutputsofthetwoaredisjoint)
q TP1|TP2=(P1 |P2,CI1 &CI2)§ AsynchronouscompositionofP1andP2 definestheinternal,
inputandoutputactionsofthecomposite§ Conjunctionoftheclock-invariantsdefinestheclock-
invariantofthecomposite
q Consequence:Thecompositeprocesscanallowatimedactionofdurationd exactlywhenboth TP1 andTP2 canwaitfortimed
BlockDiagrams
q Componentscanbetimedprocessesnow§ Operation:instantiation(input/outputvariablerenaming),parallel
composition,andvariablehiding
q Astepofthecompositesystemiseither1. Aninternalstepofoneofcomponents2. Acommunication(input/output)stepinvolvingrelevantsender
andreceivers3. Atimedstepinvolvingallthecomponents
TimedModel
q Timedmodelissometimescalledthesemi-synchronousmodel(mixofasynchronousandsynchronous)
q Definitions/conceptsthatcarryovernaturallyfromthosemodels:§ Executionsofatimedprocess§ Transitionsystemassociatedwithatimedprocess§ Safety/liveness requirements
q Distributedcoordinationproblems:howcanweexploittheknowledgeoftimingdelaystodesignprotocols?
Recall:SharedMemoryAsynchronousProcesses
q ProcessesP1andP2communicatebyreading/writingsharedvariables
q Eachsharedvariablecanbemodeledasanasynchronousprocess§ Stateofeachsuchprocessisthevalueofcorrespondingvariable§ Inimplementation,sharedmemorycanbeaseparatesubsystem
q Readandwritechannelbetweeneachprocessandeachsharedvariable§ Towritex,P1synchronizeswithxonx.write1channel§ Toreadx,P2synchronizeswithx onx.read2channel
x.write1
P1
x
y
P2y.write1
y.read2
y.write2
x.read2
x.write2
y.read1
x.read1
SharedMemoryProgramswithAtomicRegisters
AtomicReg nat x:=0
ProcessP1
nat y1:=0
y1:=x
x:=y1+1
ProcessP2
nat y2:=0
y2:=x
x:=y2+1
Declarationofsharedvariables+codeforeachprocess
Keyrestriction:Eachstatementofaprocesseither
changeslocalvariables,readsasinglesharedvar,orwritesasinglesharedvar
Executionmodel:executeonestepofoneoftheprocesses
Whatifweknewlowerandupperboundsonhowlongareadorawritetakes?Couldwesolvecoordinationproblemsbetter?
AsynchronousExecutionModel
nat x:=0;y:=0
Ax:x:=x+1
Ay:y:=y+1
q TasksAx andAy executeinanarbitraryorder
q Foreverypossiblechoiceofnumbersm andn,thestate(m,n)isreachable
q Recall:Fairnessassumptionscanbeusedtoruleoutexecutionswhereoneofthetasksisignoredforever(althoughthisdoesnotaffectthesetofreachablestates)
q Whatifweknowhowlongeachoftheseincrementstake?
(x,y)
TimedIncrements
q TaskAx incrementsx,andthistakesbetween1 to2 timeunits
q TaskAy incrementsy,andthisalsotakesbetween1 to2 timeunitsq Twotasksexecuteinparallel,asynchronously,buttimingintroduces
loosecoordinationq Whichstatesarereachable?Whatistherelationshipbetweenmand
n sothatthestate(m,n)isreachable?
clocku:=0nat x:=0
u>=1–>x:=x+1;u:=0
u<=2
clockv:=0nat y:=0
v>=1–> y:=y+1;v:=0
v<=2
q Safetyrequirement:processesshouldnotbothbeincriticalsectionsimultaneously(canbeformalizedusinginvariants)
q Absenceofdeadlocks:ifanyprocessistryingtoenter,thensomeprocessshouldbeabletoenter
ProcessP1
EntryCode
CriticalSection
Tobedesigned
ProcessP2
EntryCode
CriticalSection
MutualExclusionProblem
MutualExclusion:IncorrectSolutionAtomicReg {0,1,2}Turn:=0
Whatistheproblem?
ProcessP1
Idle Try1Turn=0?
Crit
else
Turn:=0
Try2Turn:=1
ProcessP2
Idle Try1Turn=0?
Crit
else
Turn:=0
Try2Turn:=2
Timing-basedMutualExclusion
1. Beforeenteringcriticalsection,readthesharedvariableTurn2. IfTurn!=0thengotostep1andtryagain3. IfTurn=0thensetTurn toyourID
Proceedingdirectlytocriticalsectionisaproblem(sincetheotherprocessmayalsohaveconcurrentlyreadTurn tobe0,andupdatingTurn toitsownID).Solution:
4. Delayandwaittillyouaresurethatconcurrentwritesarefinished
5. ReadTurn again:ifTurn equalsyourownIDthenproceedtocriticalsection;otherwise,gotoStep1andtryagain
6. Whendonewithcriticalsection,setTurn backto0
Fisher’sMutualExclusionProtocol
AtomicReg Turn:=0
Idlenat y,clockx
Testy:=Turn Set
Delay
y=0–> Turn:=myID
y!=0?
;x:=0x<=Δ1
Timingassumption:writingTurn takesatmostΔ1
Checkx>=Δ2 –> y:=Turn x:=0
Crit
y=myID ?
y!=myID ?Turn:=0
Whydoesthiswork?
WaitforatleastΔ2 timeunits,andreadTurn again
PropertiesofTimedFisher’sProtocolq AssumingΔ2 >Δ1,thealgorithmsatisfies:
§ Mutualexclusion:Twoprocessescannotbeincriticalsectionsimultaneously
§ Deadlockfreedom:Ifaprocesswantstoentercriticalsectionthensomeprocesswillentercriticalsection
q Protocolworksforarbitrarilymanyprocesses(notjust2)§ Incontrast,intheasynchronousmodel,mutualexclusion
protocolforN processesislotmorecomplexthanPeterson’salgorithm
q Exercise:Doestheprotocolsatisfythestrongerpropertyofstarvationfreedom(ifaprocesswantstoentercriticalsectiontheniteventuallywill)?
q Exercise:IfΔ2 <=Δ1 doesmutualexclusionhold?Deadlockfreedom?
TimedCommunication
q Supposeasenderwantstotransmitasequenceofbitstoareceiverconnectedbyacommunicationbus
q Naturalstrategy:Dividetimeintoslots,andineachslottransmitabitusinghigh/lowvoltagevaluestoencode0/1
q Manchesterencoding:0 encodedasafallingedge,and1encodedasarisingedge
TimedCommunicationChallenges
q Senderandreceiverknowthedurationofeachtimeslot,but…q Receiverdoesnotknowwhenthecommunicationbegins
§ Whenidle,thevoltageissettolowq Receivercannot reliablydetectfallingedgesq Senderandreceiverclocksaresynchronizedimperfectlyduetodrift
§ Whenaclockx is1,actualelapsedtimeisininterval[1-ε,1+ε]§ Sinceinthetimedmodelclocksareconsideredtobeperfect,
wecancapturethiserrorbyusingx<=1+ε insteadofx<=1,and1-ε <=xinsteadof1<=x
q Addressingthechallenges:§ Allmessagesstartwith1 andendwith00§ Processesusetiminginformationtotransmit0s
AudioControlProtocol
q ProtocoldevelopedbyPhilipstoreliablytransmitmessagesinpresenceofimperfectclocks
q Designlogicforreceivertomapmeasureddelaysbetweensuccessiveraisingedgestosequenceofbits
q Verification:Provethatmessagetransmissionisreliableforagivendriftrateε
q Optimization:Findthelargestskewvaluethattheprotocoltolerates
AudioControlSystem
SenderProcess
ReceiverProcess
ExecutionExample
Credits
NotesbasedonChapter7of
PrinciplesofCyber-PhysicalSystemsbyRajeevAlurMITPress,2015