Embed Size (px)
Citation preview
Daniel Kästner
AbsInt GmbH
2012
Lecture 4
Finite Automata and Safe State Machines (SSM)
Initialization Analysis
Is this node well initialized?
2
node init1() returns (out: int)
let
out = 1 + pre( 1 -> (pre(out)));
tel
What does this node do?
node init2() returns (out: int)
let
out = 1 + (1 -> pre(1 -> pre(out)));
tel
Initialization Error
out = (2,2,3,3,4,4,…)
Initialization Analysis
𝑑𝑒𝑙𝑎𝑦 𝑐 = 0 ∀ constants 𝑐
𝑑𝑒𝑙𝑎𝑦 𝑋 =
0, 𝑖𝑓 𝑋 is a signal 𝜌𝑖 , 𝑖𝑓 𝑋 is input parameter 𝑋𝑖
𝑑𝑒𝑙𝑎𝑦 𝐸 , 𝑖𝑓 𝑋 is local variable or output variable defined by 𝑋 = 𝐸
𝑑𝑒𝑙𝑎𝑦 𝑋 ∘ 𝑌 = 𝑑𝑒𝑙𝑎𝑦 𝑋 ⊔ 𝑑𝑒𝑙𝑎𝑦 𝑌 for combinatorial operators ∘
𝑑𝑒𝑙𝑎𝑦 𝑝𝑟𝑒 𝐸 = 1
𝑑𝑒𝑙𝑎𝑦 𝑋 → 𝑌 = 𝑑𝑒𝑙𝑎𝑦 𝑋
𝑑𝑒𝑙𝑎𝑦 𝑖𝑓 𝐸1 𝑡ℎ𝑒𝑛 𝐸2 𝑒𝑙𝑠𝑒 𝐸3 = 𝑑𝑒𝑙𝑎𝑦 𝐸1 ⊔ 𝑑𝑒𝑙𝑎𝑦 𝐸1 ⊔ 𝑑𝑒𝑙𝑎𝑦 𝐸3
𝑑𝑒𝑙𝑎𝑦 𝑐𝑎𝑠𝑒 𝐸1 𝑜𝑓 𝐸2…𝐸𝑘 = 𝑑𝑒𝑙𝑎𝑦 𝐸1 ⊔⋯⊔ 𝑑𝑒𝑙𝑎𝑦(𝐸𝑘)
3
Initialization Analysis
𝑑𝑒𝑙𝑎𝑦(𝑓𝑏𝑦 𝐸1; 𝑑; 𝐸2) = 𝑑𝑒𝑙𝑎𝑦(𝐸1) ⊔ 𝑑𝑒𝑙𝑎𝑦(𝐸2) Note that this is different from the → operator.
𝑑𝑒𝑙𝑎𝑦 𝐸1 𝑤ℎ𝑒𝑛 𝐸2 = 𝑑𝑒𝑙𝑎𝑦(𝐸1) ⊔ 𝑑𝑒𝑙𝑎𝑦(𝐸2)
𝑑𝑒𝑙𝑎𝑦 𝑚𝑒𝑟𝑔𝑒 ℎ; 𝐸1, … , 𝐸𝑘 = 𝑑𝑒𝑙𝑎𝑦 ℎ ⊔ 𝑑𝑒𝑙𝑎𝑦 𝐸1 …⊔ 𝑑𝑒𝑙𝑎𝑦 𝐸𝑘
𝑑𝑒𝑙𝑎𝑦 𝑙𝑎𝑠𝑡 ′𝑋 = 𝑑𝑒𝑙𝑎𝑦 𝑋 , if a last−value has been declared for X1 , otherwise
4
Initialization Analysis
𝑑𝑐𝑜𝑛𝑠𝑁 𝐸1 → 𝐸2, 𝐶𝑁 = 𝐶𝑁 ∪ 𝑑𝑐𝑜𝑛𝑠𝑁 𝐸1 ∪ 𝑑𝑐𝑜𝑛𝑠
𝑁 𝐸2
𝑑𝑐𝑜𝑛𝑠𝑁 𝑓𝑏𝑦 𝐸1; 𝑑; 𝐸2 , 𝐶𝑁 = 𝐶𝑁 ∪ 𝑑𝑒𝑙𝑎𝑦 𝐸1 = 0
∪ 𝑑𝑒𝑙𝑎𝑦 𝐸2 = 0
𝑑𝑐𝑜𝑛𝑠𝑁 𝐸1 𝑤ℎ𝑒𝑛 𝐸2, 𝐶𝑁 = 𝐶𝑁 ∪ 𝑑𝑒𝑙𝑎𝑦 𝐸2 = 0
𝑑𝑐𝑜𝑛𝑠𝑁 𝑚𝑒𝑟𝑔𝑒 ℎ; 𝐸1 𝑤ℎ𝑒𝑛 𝐵1, … , 𝐸𝑘𝑤ℎ𝑒𝑛 𝐵𝑘 , 𝐶𝑁
= 𝐶𝑁 ∪ 𝑑𝑒𝑙𝑎𝑦 ℎ = 0 ∪ 𝑑𝑒𝑙𝑎𝑦 𝐸1 = 0 ∪⋯ ∪ 𝑑𝑒𝑙𝑎𝑦 𝐸𝑘 = 0
𝑑𝑐𝑜𝑛𝑠𝑁 𝑙𝑎𝑠𝑡 ′𝑋, 𝐶𝑁 = 𝐶𝑁 ∪ 𝑑𝑒𝑙𝑎𝑦 𝑋 = 0
𝑑𝑐𝑜𝑛𝑠𝑁 𝑝𝑟𝑒 𝐸, 𝐶𝑁 = 𝐶𝑁 ∪ 𝑑𝑒𝑙𝑎𝑦 𝐸 = 0
5
Initialization Analysis
At the beginning of the evaluation of the body of a node N: 𝐶𝑁 = ∅.
All constraints in 𝐶𝑁 have to be simultaneously satisfied.
Expressions contained in constraints in 𝐶𝑁can be decomposed according to the structure of E yielding new simplified constraints. Example: 𝑑𝑒𝑙𝑎𝑦 𝑋 ∘ 𝑌 = 0 ⇔ 𝑑𝑒𝑙𝑎𝑦 𝑋 = 0 ∧ 𝑑𝑒𝑙𝑎𝑦 𝑌 = 0
After constraint simplification all constraints derived for input parameters are added to the node initialization type of N. The node initialization type is a function 𝜏1 ×⋯× 𝜏𝑚 → 𝜎1 ×⋯× 𝜎𝑛 where
𝜏𝑖 = 0, if input 𝑋𝑖 is constrained 𝜌𝑖 , if input 𝑋𝑖 is unconstrained
𝜎𝑖 = 𝑑𝑒𝑙𝑎𝑦 𝑌𝑖 for all output varibles 𝑌𝑖
6
Initialization Analysis
𝑑𝑒𝑙𝑎𝑦 𝑋1, … , 𝑋𝑛 = 𝑁 𝐸1, … , 𝐸𝑚 = 𝜎1 𝜌𝑖|𝑑𝑒𝑙𝑎𝑦 𝐸𝑖 , … , 𝜎𝑛 𝜌𝑖|𝑑𝑒𝑙𝑎𝑦 𝐸𝑖
𝑑𝑐𝑜𝑛𝑠𝑀 𝑁 𝐸1, … , 𝐸𝑚 , 𝐶𝑀 =
𝐶𝑀 ∪ 𝑑𝑒𝑙𝑎𝑦 𝐸𝑖 = 0 𝜏𝑖 = 0 in node initialization type of 𝑁 }
7
Initialization Analysis 8
function f(clock h: bool; y,z: int) returns (o1: int; o2: bool)
let
o1 = merge(h; y when h; z when not h);
o2 = (y>z);
tel
node N(clock h: bool; y,z: int) returns (o1: int; o2: bool)
let
o1,o2 = (1,true) -> f(h, pre y, pre z);
tel
Initialization Error: All the arguments of the merge operator must be well-initialized
9
SCADE: The Graphical Language
See SCADE Language Reference Manual.
Arithmetic Operators:
“+” “-” “*” intdiv realdiv mod ...
Example: y=c+d+e
10
SCADE: The Graphical Language
Logial Operators:
“or” “xor” “and” “not” ...
Some Comparison Operators:
Control Operators:
if ... then ... else ...
11
SCADE: The Graphical Language
Example:
y,z=if b then (y1,z1) else (y2,z2)
12
SCADE: The Graphical Language
Temporal Operators
Example: o1,o2,o3 = (i1,i2,i3) when c
13
Finite Automata
14
Finite Automata
Non-deterministic finite automaton (NFA): M = (, Q, , q0, F) where
: finite alphabet
Q: finite set of states
q0 Q: initial state
F Q: final states
M is called a deterministic finite automaton, if is a partial function
QQ }){(
QQ :
15
Simple State Transition Diagram
Used to represent a finite automaton
Nodes: states
q0 has special entry mark
Final states are doubly circled
An edge from p to q is labelled by a if
Example: integer and real constants:
),,( qap
16
M = (, Q, , q0, F)
For q Q, w *: (q,w) is a configuration.
Binary step relation ⊢ on configurations:
𝑞, 𝑎𝑤 ⊢𝑀 𝑝,𝑤 iff 𝑞, 𝑎, 𝑝 𝜖Δ: 𝑄 × Σ → 𝑄
Reflexive transitive closure of ⊢𝑀 is denoted by ⊢𝑀∗
Language accepted by M:
𝐿 𝑀 = 𝑤 ∈ Σ∗ ∃𝑞𝑓 ∈ 𝐹: (𝑞0, 𝑤) ⊢𝑀
∗ (𝑞𝑓, 𝜖)}
Language Accepted by an Automaton
17
Regular Languages / Expressions
Let be an alphabet. The regular languages are defined inductively over by:
, {} are regular languages over
Forall a , {a} is a regular language
If R1 and R2 are regular languages over , then also R1R2, R1R2, R1*.
Regular expressions over are defined by:
is a regular expression and describes the language
is a regular expression and describes the language {}
a (for a ) is a regular expression and denotes {a}
(r1|r2) is a regular expression over and denotes R1R2
(r1r2) is a regular expression over and denotes R1R2
(r1)* is a regular expression over and denotes R1*.
18
Regular Expressions and FA
For every regular language R, there exists an NFA M, such that L(M)=R.
Constructive Proof (Subset Construction):
A regular language is defined by a regular expression r
Construct an NFA with one final state, qf and the transition
Decompose r and develop the NFA according to the following rules -> until only transitions under single characters and remain.
19
Example: a(a|0)*
q0 q1 q2 q3 p a
a
0
>
20
Nondeterminism
Sources of nondeterminism:
1|}),,(|{| qaqq
– many transitions may be possible under the same character in a given state
– -moves (next character is not read) may compete with non- -moves
DFA:
– No -transition
– At most one transition from every state under a given character, ie for every q Q, a :
21
NFA → DFA
Let M=(, Q, , q0, F) be an NFA and let q Q. The set of successor states of q, 𝜀𝑆𝑆 𝑞 , is
𝜀𝑆𝑆 𝑞 = {𝑝| 𝑞, 𝜀 ⊢𝑀∗ 𝑝, 𝜀 }
or the set of all states p, including q, for which there exists an -path from q to p in the transition diagram for M.
We extend SS to sets of states S Q:
𝜀𝑆𝑆 𝑆 = 𝜀𝑆𝑆(𝑞)
𝑞∈𝑆
22
NFA → DFA
If a language L is accepted by a NFA then there is also a DFA accepting L.
Let M=(, Q, , q0, F) be an NFA. The DFA associated with M, M'=(, Q', , q0', F') is defined by:
Q′ ⊆ ℘ 𝑄
q0' = SS(q0)
Thus, the successor state of S under a character a in M' is obtained by combining the successor states of all states q S under a and adding the successor states.
}|{' FSQSF
aSqpaqpSSaS for })for ),,(|({),(
23
Algorithm NFA->DFA
q'0:= SS(q0); Q':={q0'};
marked(q0'):=false; :=;
while SQ' and marked(S)=false do
marked(S):=true;
foreach a do
T:= SS({pQ| (q,a,p) and q S});
if TQ'
Q':=Q' {T}; // new state
marked(T):=false
:= {(S,a)T}; // new transition
od
od
24
Example: a(a|0)*
q0 q1 q2 q3 p a
a
0
q0' q1' q2' a
a
0
a
0
a
0
0
25
DFA Minimization
After NFA->DFA the DFA need not have minimal size, ie minimal number of states and transitions.
p and q are undistinguishable, iff for all words w both (q,w) and (p,w) lead by ⊢𝑀
∗ into either F' or Q'-F'.
Undistinguishable states can be merged.
26
DFA Minimization
Input: DFA M=(, Q, , q0, F)
Output: DFA Mmin=(, Qmin, min, q0min, Fmin) with L(M)=L(Mmin) and Qmin minimal.
Iteratively refine a partition of the set of states where each set S in the partition consists of states so far undistinguishable.
Start with the partition ={F, Q-F}
Refine the current by splitting sets S into S1, S2 if there exist q1, q2 S such that
(q1,a) S1
(q2,a) S2
S1 S2
Merge sets of undistinguishable states into a single state.
27
Algorithm minDFA := {F, Q-F}
do changed := false
':= ;
foreach K in do
if n > 1 then changed := true fi
od
:= ';
until not changed;
Qmin= - (Dead Unreachable);
q0min: Class of containing q0
Fmin: Classes containing an element of F
min(K,a)=K' if (q,a)=p with a and pK' for one (ie for all) qK
KDead, if K is not final state and contains only transitions to itself
K Unreachable, if there is no path from the initial state to K
'),(:' and
thatsuch maximal with}}{{}){'(:'
1
1
iii
ni
i
inii
KaqKKqaKK
KKK
28
Example: a(a|0)*
{q0'} {q1',q2'} a
a
0
q0' q1' q2' a
a
0
a
0
a
0
0
29
Mealy Automata
Mealy automata are finite-state machines that act as transducers, or translators, taking a string on an input alphabet and producing a string of equal length on an output alphabet.
A machine in state qj, after reading symbol sigma k writes symbol k; the output symbol depends on the state just reached and the corresponding input symbol.
A Mealy automaton is a six-tuple ME=(Q, , , , , q0) where
Q is a finite set of states
is a finite input alphabet
is a finite output alphabet
: Q -> Q is the transition function
: Q -> is the output function
q0 is the initial state
30
Moore Automata
Moore automata are finite-state machines that act as transducers, or translators, taking a string on an input alphabet and producing a string of equal length on an output alphabet.
Symbols are output after the transition to a new state is completed; output symbol depends only on the state just reached.
A Moore automaton is a six-tuple MO=(Q, , , , , q0) where
Q is a finite set of states
is a finite input alphabet
is a finite output alphabet
: Q -> Q is the transition function
: Q -> is the output function
q0 is the initial state
31
Model-based Software Development
Application Model
in SCADE (data
flow + SSM)
Worst-Case Execution Time
Analysis
Stack Usage Analysis
System-level
Schedulability
Analysis Generator
Compiler
void Task (void)
{
variable++;
function();
next++:
if (next)
do this;
terminate()
}
C-Code Binary Code Runtime Error Analysis
System Model
(tasks, interrupts,
buses, …)
SymTA/S
Astrée
aiT
StackAnalyzer
SCADE Suite
32
Model-based Software Development
SyncCharts/SSM as
Enhancement to FSA
Application Model
in SCADE (data
flow + SSM)
33
Model-based Software Development
Automata Minimization Generator
void Task (void)
{
variable++;
function();
next++:
if (next)
do this;
terminate()
}
C-Code
Application Model
in SCADE (data
flow + SSM)
34
Compilation of SCADE Programs
Two alternatives:
Single-loop Code
Automaton Code
Single-loop code
produce an infinite loop whose body implements the computations of each basic cycle of the node.
Expand all nodes and functions.
Sort the statements according to data dependences (acyclicity ensures that ordering exists)
If needed, introduce new variables for pre expressions.
Execute the code in an infinite loop
The resulting code will be suboptimal:
The choice of a good evaluation order is difficult.
All equations are computed in each step.
35
Example
node N(I:bool) returns (O:bool)
var X:bool;
let
O = false->pre(X) and I;
X = false->pre(I);
tel
init = true;
while (true) {
read(I);
if (init) then {
O=false; X=false; init=false;
PRE_I = I;
}
else {
O = X and I;
X = PRE_I;
PRE_I = I;
}
write (O);
}
Example 36
init = true;
while (true) {
read(I);
if (init) then {
O=false;
X=false;
init=false;
PRE_I = I;
}
else {
O = X and I;
X = PRE_I;
PRE_I = I;
}
write (O);
}
void N_reset(outC_N *outC)
{
outC->init = kcg_true;
}
void N(inC_N *inC, outC_N *outC)
{
if (outC->init) {
outC->O = kcg_false;
}
else {
outC->O = outC->X & inC->I;
}
if (outC->init) {
outC->X = kcg_false;
}
else {
outC->X = outC->rem_I;
}
outC->rem_I = inC->I;
outC->init = kcg_false;
}
37
Automata Code
Two observations:
In SCADE, imperative control structures are represented by conditional and temporal expressions.
If a conditional or temporal expression depends on a Boolean variable computed at previous cycles, specialized code could be generated for each value of the variable.
Automata Generation:
Choose a set of state variables:
Boolean expressions resulting from pre operators
Auxiliary variables like _init_C for a clock C to allow the evaluation of -> operators.
For each possible value of the state define a node associated with the sequential code that would be executed with the corresponding variable setting.
38
Automata Code
node EDGE(X:bool) returns (Y:bool)
let
Y = false->(X and not pre(X))
tel
Choose state variables init and pre(X).
In the initial state: init=true and pre(X)=nil.
Create a state S0 with the tuple init, pre(X):
S0[true,nil]:
init = true;
while (true) {
read(X);
if (init) then {
Y=false; init=false;
PRE_X = X;
}
else {
Y = X and not PRE_X;
PRE_X = X;
}
write (Y);
}
Single-Loop
S0-Code:
Y=false;
init pre(X)
39
Automata Code
node EDGE(X:bool) returns (Y:bool)
let
Y = false->(X and not pre(X))
tel
State variables: init, pre(X)
In the next step, init is false.
pre(X) must be set correctly for each value of X.
init = true;
while (true) {
read(X);
if (init) then {
Y=false; init=false;
PRE_X = X;
}
else {
Y = X and not PRE_X;
PRE_X = X;
}
write (Y);
}
Single-Loop
S0[true,nil]:
S1[false,true]
S2[false,false] X=false / Y:=false
X=true / Y:=false
S1-Code:
S2-Code:
Y = X and true = X;
Y = X and false = false;
40
Automata Code
node EDGE(X:bool) returns (Y:bool)
let
Y = false->(X and not pre(X))
tel
init is never true again, so control moves between S1 and S2.
Note: Behavior of automaton in S0 and S1 is the same.
init = true;
while (true) {
read(X);
if (init) then {
Y=false; init=false;
PRE_X = X;
}
else {
Y = X and not PRE_X;
PRE_X = X;
}
write (Y);
}
Single-Loop
S0[true,nil]:
S1[false,true]
S2[false,false] X / Y
X / Y
X / Y X / Y
X / Y
X / Y Y = X and true = X;
Y = X and false = false;
41
Improving Code Efficiency
Code generation is fast, but:
The generated automaton usually is not minimal.
Possible improvements:
Apply standard minimization algorithms (minDFA). However: whole automaton has to be constructed once, possibly involving exponential expansion of the code size.
Directly generate the minimal automaton, according to algorithm MinDFA => Demand-driven automata. But: compilation is slow.
42
Demand-Driven Automata
Equivalence class of states (see powerset construction):
Two states are equivalent as long they have not been shown to be different
Two states are different, if they produce different outputs or lead to states which already have been shown to be different, in response to the same input.
Algorithm:
1. Start with one equivalence class, containing the whole program.
2. Choose one equivalence class C and compute its outputs and successors. If this involves some unknown state information then split C into two states and compute for each predecessor to which of the two states it leads.
3. If new states have been added goto 2. Otherwise return.
43
Example: Demand-Driven Construction
Initially nothing is known
Must split class C to allow computation of outputs in subsequent steps
Compute outputs
C[nil,nil]
C0[(true,nil),(false,true)] C1[(false,false)]
X / Y
X / Y
X / Y
X / Y C0[(true,nil),(false,true)] C1[(false,false)]
init pre(X)
