Lecture 11: Part I: Zones; Part II: TTAs
CS5270, P.S. Thiagarajan
Zones
• A more compact representation.
– Of equivalence classes of valuations.
• Can be efficiently represented as Difference Bounded Matrices (edge weighted directed graphs).
• DBMs admit a canonical representation.
• DBMs can be manipulated efficiently.
Why not regions?
• The number of regions can be very large:
– Exponential in the number of clocks AND in the size of the maximal constants appearing in the clock constraints.
– Practical verification becomes infeasible.
An Example
[Figure: region partition of the (x, y) plane for two clocks x and y; only the slide text is recoverable.]
0-dimensional regions: 12
1-dimensional regions: 23
2-dimensional regions: 12
Total number of regions: 47
One Zone: (2 ≤ x ≤ 5) ∧ (2 ≤ y ≤ 4)
Zones
• A zone is a clock constraint of a particular form.
• Z ::= x ~ c | x – y ~ c | Z1 ∧ Z2, where ~ ∈ {<, ≤, >, ≥}
• c is a natural number.
• Every region is a zone (exercise!).
Zone Automaton
• Every TTA has an associated Zone automaton ZTTA.
• This can be constructed effectively.
• But this does not do too much for us.
• Savings occur when we construct the Zone automaton on the fly to check reachability properties.
The Basic Algorithm.
Symbolic Reachability Analysis Algorithm:
PASSED = ∅; WAIT = {(s0, D0)}
While WAIT ≠ ∅ do
    take (s, D) from WAIT
    If s = sf then return 'YES'
    if D is not a subset of D' for every (s, D') in PASSED then
        add (s, D) to PASSED.
        For all (s1, D1) so that (s, D) ----> (s1, D1), add (s1, D1) to WAIT.
    end if
end while
The Zone transition relation
• (s, D) ----> (s, D↑ ∧ I(s))
– D↑ = {V + δ | V ∈ D}
– D↑ is a zone.
– From D we can compute D↑.
• (s, D) ----> (s', D') if there is a transition (s, g, X, s') in TTS such that:
– D' = RX(D ∧ g) ∧ I(s')
– RX(D) = {RX(V) | V ∈ D}
• RX(V)(y) = 0 if y ∈ X, V(y) otherwise.
– RX(D) is a zone.
– D' is non-empty.
• D' is a zone and can be computed from D.
Termination
• To ensure termination:
– Remove constraints of the form x < m, x ≤ m, x – y < m and x – y ≤ m if m > Cx.
– Replace x > m and x ≥ m with x > Cx if m > Cx.
– Replace y – x > m and y – x ≥ m with y – x > Cx and y – x ≥ Cx when m > Cx.
Zone operations
• We need to compute D↑.
• Given D1 and D2, we need to compute D1 ∧ D2.
• Given D and D’ we need to be able to check if D is a subset of D’.
• We must be able check if D is empty.
Zone representation.
• A zone can be represented as a DBM:
– Difference Bounded Matrix.
• Invent a new clock variable x0 (which will always be 0).
• All basic constraints will be of the form
xi – xj < m or xi – xj ≤ m where m is an integer (positive or negative).
Zone Representation
• x2 < 3 becomes x2 – x0 < 3.
• x5 ≥ 7 becomes x0 – x5 ≤ -7.
• x2 – x5 > 8 becomes x5 – x2 < -8.
The Matrix Representation.
[Figure: (n+1) × (n+1) matrix with rows and columns labelled x_0, x_1, x_2, …, x_i, …, x_n; the entry in row x_i, column x_j holds the bound on x_i – x_j.]
• Entry (2, 1) at (x_i, x_j): x_i – x_j ≤ 2
• Entry (2, 0) at (x_i, x_j): x_i – x_j < 2
[Figure: worked 4 × 4 matrix over x_0, x_1, x_2, x_3 with entries (0, 3), (0, 5), (0, 2), (0, 10), (0, 2), (0, -4) and ∞; the cell positions are not recoverable from the slide text.]
The Graph Representation
• Edge from x to y with weight (k, 1): y – x ≤ k
• Edge from x to y with weight (k, 0): y – x < k
[Figure: graph on nodes X0, X1, X2, X3 with edge weights 3, 2, -4, 10, 2, 5; the edge endpoints are not recoverable from the slide text.]
Closed Representations
• Two different zones (DBMs) can represent the same set of valuations.
– (y – x ≤ 3, x = 2, y = 4) and (y – x = 2, x = 2, y = 4)
• A zone is closed if no constraint can be strengthened without reducing the set of associated valuations.
• Two closed zones are equivalent iff they are identical.
• So it is good to get closed zones.
Closed Zones.
• Take the graph of the zone.
• Remove all redundant edges.
– The edge from x to y with weight k is redundant if there is a path from x to y whose weight is less than or equal to k.
• Using a shortest path algorithm, the closed zone version can be computed in O(n^3) time.
Closed Zones
• If D is closed then D is a subset of D’ iff for every constraint x – y ≤ m’ in D’ there is a constraint x – y ≤ m in D with m ≤ m’.
• If D is closed then D is non-empty iff there are no negative weight cycles in the graph.
• The other operations can also be performed on the graphs efficiently.
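The following Python program is an added worked example, not code from the lecture. It implements the DBM representation from the "Zone representation" slides (a reference clock x_0 that is always 0, entries of the form (c, strict) encoding x_i – x_j < c or x_i – x_j ≤ c), closure by Floyd–Warshall shortest paths, the emptiness and subset checks of this slide, and the D↑, reset and conjunction operations needed by the zone transition relation. The normalization step uses one constant k for all clocks instead of the per-clock Cx of the termination slide; that simplification, the class and function names, and the sample zones are assumptions of this example. The sample zone is the slide's "one zone" 2 ≤ x ≤ 5 ∧ 2 ≤ y ≤ 4 with x = x_1 and y = x_2.

```python
import math
from itertools import product

# A bound is (c, strict): strict=True encodes "< c", strict=False encodes "<= c".
INF = (math.inf, True)    # unconstrained entry
ZERO = (0, False)         # x_i - x_j <= 0


def add(a, b):
    # Bound along a two-edge path: constants add; strict if either edge is strict.
    return (a[0] + b[0], a[1] or b[1])


def tighter(a, b):
    # True if bound a is strictly tighter than b: smaller constant, or same constant with "<" vs "<=".
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


class DBM:
    """Zone over clocks x_1..x_n plus the reference clock x_0 (always 0).
    m[i][j] holds the bound on x_i - x_j, i.e. the weight of the graph edge x_j -> x_i."""

    def __init__(self, n):
        self.n = n
        self.m = [[INF] * (n + 1) for _ in range(n + 1)]
        for i in range(n + 1):
            self.m[i][i] = ZERO
            self.m[0][i] = ZERO   # x_0 - x_i <= 0: every clock is non-negative

    def copy(self):
        d = DBM(self.n)
        d.m = [row[:] for row in self.m]
        return d

    def constrain(self, i, j, bound):
        # Conjoin x_i - x_j ~ c; only ever tightens an entry.  Returns self for chaining.
        if tighter(bound, self.m[i][j]):
            self.m[i][j] = bound
        return self

    def close(self):
        # Floyd-Warshall all-pairs shortest paths gives the closed (canonical) DBM in O(n^3).
        for k, i, j in product(range(self.n + 1), repeat=3):
            via = add(self.m[i][k], self.m[k][j])
            if tighter(via, self.m[i][j]):
                self.m[i][j] = via
        return self

    def is_empty(self):
        # A negative-weight cycle shows up after closure as a diagonal entry below (0, <=).
        return any(tighter(self.m[i][i], ZERO) for i in range(self.n + 1))

    def subset_of(self, other):
        # For closed self: every entry of self is at least as tight as the matching entry of other.
        return all(not tighter(other.m[i][j], self.m[i][j])
                   for i, j in product(range(self.n + 1), repeat=2))

    def up(self):
        # Time elapse D^: drop every upper bound x_i - x_0; difference constraints survive.
        for i in range(1, self.n + 1):
            self.m[i][0] = INF
        return self

    def reset(self, clocks):
        # R_X(D) on a closed DBM: a reset clock inherits the bounds of x_0 and becomes 0.
        for x in clocks:
            for j in range(self.n + 1):
                self.m[x][j] = self.m[0][j]
                self.m[j][x] = self.m[j][0]
            self.m[x][x] = ZERO
        return self

    def normalize(self, k):
        # Termination step with a single constant k for all clocks (assumption of this example;
        # the slides use a per-clock C_x): drop bounds above k, relax bounds below -k to "> k".
        for i, j in product(range(self.n + 1), repeat=2):
            c, _strict = self.m[i][j]
            if c > k:
                self.m[i][j] = INF
            elif c < -k:
                self.m[i][j] = (-k, True)
        return self.close()


def zone(n, constraints):
    # Build and close a zone from constraints (i, j, c, strict) meaning x_i - x_j ~ c.
    d = DBM(n)
    for i, j, c, strict in constraints:
        d.constrain(i, j, (c, strict))
    return d.close()


def demo():
    # Constructed sample: the slides' "one zone" 2 <= x <= 5 and 2 <= y <= 4 (x = x_1, y = x_2).
    z = zone(2, [(1, 0, 5, False), (0, 1, -2, False), (2, 0, 4, False), (0, 2, -2, False)])
    inner = zone(2, [(1, 0, 4, False), (0, 1, -3, False), (2, 0, 4, False), (0, 2, -2, False)])
    empty = zone(1, [(1, 0, 2, True), (0, 1, -2, False)])   # x < 2 and x >= 2
    return {
        "derived_x_minus_y": z.m[1][2],          # closure derives x - y <= 3
        "derived_y_minus_x": z.m[2][1],          # and y - x <= 2
        "inner_subset": inner.subset_of(z),
        "outer_subset": z.subset_of(inner),
        "empty": empty.is_empty(),
        "up_keeps_diff": z.copy().up().m[1][2],  # x - y <= 3 survives time elapse
        "reset_x": z.copy().reset([1]).m[1][2],  # after x := 0, x - y <= -2
        "normalized": zone(1, [(0, 1, -7, False)]).normalize(5).m[0][1],  # x >= 7 becomes x > 5
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The subset test relies on the left-hand zone being closed, exactly as the slide states: without closure, an implied constraint such as x – y ≤ 3 would be missing from the matrix and the entry-wise comparison would wrongly report "not a subset".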
Introduction
• TTP:
– A real-time protocol for distributed systems.
• high dependability
• guaranteed timeliness
• Application domains:
– Automotive electronics
– Fly-by-wire cockpits
– Railway signaling systems
Acknowledgements
• The following slides have been assembled from many web sources. In particular:
• H. Kopetz and G. Grünsteidl; Digest of Papers, FTCS-23 (IEEE CS 23rd Intl. Symp. on Fault-Tolerant Computing), Aug. 1993, pp. 524-533; Presented by Shruti Gorappa
Features of the TTP
• Fault-tolerance
• Small overhead
• Integrates numerous services
– Predictable message transmission
– Message acknowledgement in group communication
– Clock synchronization
– Membership
– Rapid mode change
– Redundancy management
– Temporary blackout handling
Assumptions
• Fail-silence
– Communication channels only have omission failures.
– Nodes either deliver correct results or no results
• Internal failures are detected and node turned off
System Overview
• FTU- single or replicated nodes
• Replicated communication channels
• The channel is a broadcast bus
• Access is by TDMA driven by progression of global time
• Local nodes time synchronized by TTP
• Communication by rapid and periodic message exchanges
TTP Design Rationale
• Sparse time base
– Messages are sent only at statically designated intervals
– Inflexible compared to Event-triggered (ET) model, but easier to test
• Use of a priori knowledge
– All nodes are aware of when each node is scheduled to transmit
– Sender node information need not be included in frame
– Reduced overhead
• Broadcast
– Correctness of transmitted message can be concluded as soon as one receiver acknowledges message delivery (broadcast medium)
Protocol Highlights
• Bus access
– A FTU will have one or two time slots depending on class of fault-tolerance
– Slot time may be different for each node depending on amount of data that it needs to send
– Number of slots in a TDMA round given to an FTU may also be different
• Membership Service
– If a message from a sending node does not occur in designated interval, its membership is set to 0 in other nodes
– Membership checked before transmission. A node is alive if
• Its internal error detection mechanism has not indicated error
• At least one of its transmitted frames has been correctly acknowledged.
Protocol Highlights
• Temporary blackout handling
– Correlated failure of a number of nodes
– Identified by sudden drop in membership
– Nodes send I-messages and perform local emergency control
– After membership has stabilized, mode changed to global emergency service
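The following Python simulation is an added example, not code from the lecture or from the TTP project. It models one TDMA round under the membership service described above (a node whose frame does not appear in its designated slot gets membership 0; a node is alive if its internal error detection has not fired and at least one of its frames was acknowledged) and the blackout heuristic of this slide (a sudden drop in membership). The node names, the slot schedule, the delivery pattern and the drop threshold are constructed for the example; the `Node`, `tdma_round` and `blackout_suspected` names are assumptions, not TTP identifiers.

```python
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    internal_error: bool = False   # local error detection tripped: the node turns itself off
    acked_frames: int = 0          # frames of this node that some receiver acknowledged

    def alive(self):
        # Liveness rule from the slides: no internal error and at least one acknowledged frame.
        return not self.internal_error and self.acked_frames > 0


def tdma_round(schedule, nodes, delivered):
    """Run one TDMA round and return the membership vector every node computes.
    schedule: owner name of each slot in the round (an FTU may own several slots).
    delivered: slot index -> True if the frame sent in that slot reached at least one
               receiver (on a broadcast bus one acknowledgement is enough).
    A node whose frame does not appear in its designated slot gets membership 0."""
    membership = {name: 0 for name in nodes}
    for slot, owner in enumerate(schedule):
        node = nodes[owner]
        if node.internal_error:          # fail-silence: a failed node sends nothing
            continue
        if delivered.get(slot, False):
            node.acked_frames += 1
            membership[owner] = 1
    return membership


def blackout_suspected(previous, current, max_drop):
    """Temporary blackout heuristic: more than max_drop members lost in a single round
    is read as a correlated failure rather than an isolated node fault."""
    lost = sum(1 for n in previous if previous[n] == 1 and current.get(n, 0) == 0)
    return lost > max_drop


def demo():
    # Constructed scenario: three nodes; A owns two slots (higher fault-tolerance class),
    # C has detected an internal error, and B's frame is lost on the bus in this round.
    nodes = {n: Node(n) for n in ("A", "B", "C")}
    nodes["C"].internal_error = True
    schedule = ["A", "B", "A", "C"]
    previous = {"A": 1, "B": 1, "C": 1}          # membership seen in the previous round
    current = tdma_round(schedule, nodes, {0: True, 1: False, 2: True, 3: True})
    return {
        "membership": current,
        "alive": {n: nodes[n].alive() for n in nodes},
        "blackout": blackout_suspected(previous, current, max_drop=1),
    }


if __name__ == "__main__":
    print(demo())
```

Because every node knows the static schedule, the receivers need no sender identifier in the frame: the slot index alone says whose membership bit to update, which is the "reduced overhead" point from the design rationale slide.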
Protocol Highlights
• Temporal encapsulation of nodes
– Communication bandwidth assigned statically
– Time base is sparse: every input can be observed and reproduced exactly
• Testability
– Easy to test the implementation in comparison to ET
– Easy to simulate: finite number of execution scenarios
• Uncontrolled interactions between nodes are prevented
• Determinism: can replicate states of nodes
Strengths
• Can provide fault-tolerant real-time performance
• Practical (MARS platform), efficient, and scalable
– Can be implemented using available hardware, signalling mechanisms
– Low overhead
– High data rates, used in both twisted fiber and optical channels
• Reusability, composability, and testability
Weaknesses
• The schedule is fixed so there is no bandwidth allocated for alarms and other spontaneous messages
• All fault-tolerance mechanisms are implemented at system level; this means that very little “freedom” is left for application-specific implementations
• Addition of nodes affects the existing system (although not the application)
References
• Kopetz, H., and Grunsteidl, G., "TTP - A time-triggered protocol for fault-tolerant real-time systems", Digest of Papers, FTCS-23 (IEEE CS 23rd Int'l Symp. on Fault-Tolerant Computing), Aug. 1993, pp. 524-533
• The Real-time Systems Research Group, Institut für Technische Informatik, Vienna University of Technology, http://www.vmars.tuwien.ac.at/projects/ttp/ttpmain.html
• Michael Waern, "Real-Time Communication: Evaluation of protocols for automotive systems", http://www.md.kth.se/RTC/MSc-theses/RT-Com-Evaluation-Waern.pdf
• CAN bus, http://www.can-cia.org/can/protocol/
• Time-triggered Technology, http://www.tttech.com/
Event-triggered Vs. Time-Triggered
• Interface to the external physical world:
– Event-triggered.
• Implementation architecture:
– Time-triggered?
– Predictable
– Composability.
• How to integrate the two paradigms?
– Interesting research opportunities!
The Automotive Electronics Case
• Current scene:
– Current systems contain up to 70 ECUs (Electronic Control Units).
– Each ECU is developed and acts independently; very little integration.
– Communication:
• Event-triggered
• Slow; 500 Kbits/sec
The Automotive Electronics Case
• Next Generation:
– Integrated architecture.
– Distributed, safety-critical, real time.
– Why?
• Costs: reduce the number of ECUs.
• Reliability
• Safety
• Multiple use of sensors.
Conclusion
• Time-Triggered architectures and protocols are likely to become important.
• Also related to synchronous programming languages:
– Lustre, Signal, Esterel
• There are also other timed models:
– Timed Petri nets, …