Introduction to Embedded Systems
Chapter 5: Composition of State Machines
Mark Winter, 10/23/2014

Last time
• exam 1 – review
• started Chapter 5
Today
• chapter 5 – composition of state machines!

Composition of State Machines
• Side-by-side composition
• Cascade composition
• Feedback composition

Side-by-Side Composition
• A key question: When do these machines react?
• Two possibilities:
  • Together (synchronous composition)
  • Independently (asynchronous composition)

Synchronous Composition
• Synchronous composition (figure: the product of the two machines)
• Note that two of the product states, marked in the figure, are not reachable.

Asynchronous Composition
• Asynchronous composition using interleaving semantics
• Note that now all states are reachable.

Syntax vs. Semantics
• Synchronous or asynchronous composition?
• If asynchronous, does it allow simultaneous transitions in A & B?

Asynchronous composition is not synchronous composition with stuttering transitions.
• Stuttering is a reaction where no output is produced and the state is not changed.
• Synchronous composition: these two FSMs cannot stutter. If they react, they change state.
• Asynchronous composition with interleaving semantics: the same two FSMs, which still cannot stutter; if one of them reacts, it changes state, but only one of them reacts in each reaction.

Asynchronous Composition
• Let M1 = (S1, I1, O1, U1, s10) and M2 = (S2, I2, O2, U2, s20), where s10 and s20 are the initial states.
• M, the asynchronous composition of M1 and M2, is
  M = (S1 × S2, I1 × I2, O1 × O2, U, (s10, s20))
• where U((s1, s2), (i1, i2)) = ((s1', s2'), (o1, o2)) and either
  (s1', o1) = U1(s1, i1) AND s2' = s2 AND o2 is absent,
  OR (s2', o2) = U2(s2, i2) AND s1' = s1 AND o1 is absent
• (note interleaving semantics: exactly one of the two machines reacts in each reaction)
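The two side-by-side compositions as an added, constructed example (not the lecture's own figures): two machines M1 and M2 whose only guard is true, so each changes state on every reaction, composed synchronously and with interleaving semantics according to the definition above. `reachable` explores the product automaton and shows which product states each composition can never enter, which is the point of the two preceding slides.

```python
from itertools import product

# Constructed example machines (not the lecture's figures). Each machine has a
# single 'true' guard: on every reaction it changes state and emits an output.
M1 = {"states": {"a1", "a2"}, "inputs": {"i"}, "initial": "a1",
      "update": lambda s, i: ("a2" if s == "a1" else "a1", "x")}
M2 = {"states": {"b1", "b2"}, "inputs": {"j"}, "initial": "b1",
      "update": lambda s, i: ("b2" if s == "b1" else "b1", "y")}

def sync_update(m1, m2):
    """Synchronous composition: both machines react in every reaction."""
    def U(state, inp):
        (s1, s2), (i1, i2) = state, inp
        s1n, o1 = m1["update"](s1, i1)
        s2n, o2 = m2["update"](s2, i2)
        return {((s1n, s2n), (o1, o2))}
    return U

def async_update(m1, m2):
    """Asynchronous composition with interleaving semantics, i.e. the U defined on
    the slide: exactly one machine reacts, the other keeps its state and its output
    is absent (None). Two successors are possible, so U returns a set of them."""
    def U(state, inp):
        (s1, s2), (i1, i2) = state, inp
        s1n, o1 = m1["update"](s1, i1)
        s2n, o2 = m2["update"](s2, i2)
        return {((s1n, s2), (o1, None)), ((s1, s2n), (None, o2))}
    return U

def reachable(m1, m2, U):
    """Explore the product automaton from (s10, s20) over all input pairs."""
    start = (m1["initial"], m2["initial"])
    seen, frontier = {start}, [start]
    while frontier:
        s = frontier.pop()
        for inp in product(m1["inputs"], m2["inputs"]):
            for nxt, _out in U(s, inp):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return seen

def unreachable(m1, m2, U):
    """Product states that the composition can never enter."""
    return set(product(m1["states"], m2["states"])) - reachable(m1, m2, U)

if __name__ == "__main__":
    print("synchronous, unreachable:", unreachable(M1, M2, sync_update(M1, M2)))
    print("asynchronous, unreachable:", unreachable(M1, M2, async_update(M1, M2)))
```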

Cascade Composition
• Output port(s) of A connected to input port(s) of B

Example: Pedestrian Light
• This light stays green for 55 seconds, then goes red. Upon receiving a sigR input, it repeats the cycle.

Pedestrian Light with Car Light
• (figure: the car light, with outputs sigY, sigG and sigR, cascaded into the pedestrian light, with outputs pedG and pedR)
• What is the size of the state space of the composite machine?

Synchronous composition
• (figure: the product state space, with the unsafe states marked)

Feedback Composition
• More on this later… Very subtle.

Systematic exploration of concurrent behaviors
• Use hierarchy (next lecture).
• Construct the product automaton using synchronous or asynchronous composition as appropriate.
• Specify criteria for correctness (we will use temporal logic).
• Reason using the product FSM and the correctness criteria (use systematic, algorithmic techniques).

Recall program that does something for 2 seconds, then stops

```c
volatile uint timerCount = 0;

/* Timer interrupt handler: counts down the shared variable once per tick. */
void ISR(void) {
    /* … disable interrupts */
    if (timerCount != 0) {
        timerCount--;
    }
    /* … enable interrupts */
}

int main(void) {
    // initialization code
    SysTickIntRegister(&ISR);
    /* … other init */
    timerCount = 2000;
    while (timerCount != 0) {
        /* … code to run for 2 seconds */
    }
}
```

• Is synchronous composition the right model for this?
• Is asynchronous composition (with interleaving semantics) the right model for this?
• Answer: no to both.

Position in the program is part of the state
• The same program as above, now with "… whatever comes next" following the while loop in main. The slide marks positions in the program with the labels A, B, C (in main) and D, E (in the ISR).
• A key question: Assuming the interrupt occurs infinitely often, is position C always reached?

State machine model
• (figure: the program above as two FSMs, main and ISR, whose states are the positions A–E)
• Is asynchronous composition the right thing to do here?

Asynchronous composition
• (figure: the product of the two machines over the positions A, B, C and D, E)
• This has transitions that will not occur in practice, such as A,D to B,D. Interrupts have priority over application code.

Modeling an interrupt controller
• FSM model of a single interrupt handler in an interrupt controller (figure).

Modeling an interrupt controller
• (figure: the interrupt controller FSM, with the main program and the ISR of the program above as refinements of its states)
• Note that states can share refinements.

Hierarchical State Machines
• OR state (being B means being in C or D): the machine inside B is its refinement.
• Reaction: First, the refinement of the current state (if any) reacts. Then the top-level machine reacts.
• If both produce outputs, they are required to not conflict.
• The two steps are part of the same reaction.

Hierarchical State Machines: simultaneous transitions
• Example trace (figure).
• Simultaneous transitions can produce multiple outputs. These are required to not conflict.

Hierarchical State Machines: history transition
• Example trace (figure).
• A history transition implies that when a state with a refinement is left, it is nonetheless necessary to remember the state of the refinement.

Flattening the state machine (assuming history transitions)
• A history transition implies that when a state with a refinement is left, it is nonetheless necessary to remember the state of the refinement. Hence the flat machine has the states A,C and A,D.

Hierarchical State Machines with Reset Transitions
• A reset transition always initializes the refinement of the destination state to its initial state.
• Example trace (figure).
• A reset transition implies that when a state with a refinement is left, you can forget the state of the refinement.

Flattening the state machine (assuming reset transitions)
• A reset transition implies that when a state with a refinement is left, it is not necessary to remember the state of the refinement. Hence there are fewer states.
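Flattening under the two kinds of transition, as an added, constructed example (not the lecture's figure): a top-level machine with states A and B, where B is an OR state refined into C and D. `flatten` computes the flat FSM once keeping the refinement state when B is left (history) and once forgetting it (reset); guards are assumed to be distinct symbols, outputs are omitted, and simultaneous inner/outer transitions are not modeled.

```python
# Constructed hierarchical FSM (an added example, not the lecture's figure): top-level
# states A and B, where B is an OR state refined into C and D. Transitions are
# (source, guard, destination) triples; guards are distinct symbols, no outputs.
TOP = {"initial": "A", "trans": [("A", "g1", "B"), ("B", "g2", "A")]}
REFINEMENTS = {"B": {"initial": "C", "trans": [("C", "h1", "D"), ("D", "h2", "C")]}}

def flatten(top, refinements, history):
    """Flatten into an ordinary FSM. A flat state is (top_state, memory), where memory
    records, for every refined top-level state, which refinement state it is in.
    history=True keeps that memory when the refined state is left (history transition);
    history=False re-enters at the refinement's initial state (reset transition)."""
    reset_mem = tuple(sorted((q, r["initial"]) for q, r in refinements.items()))
    start = (top["initial"], reset_mem)
    states, trans, frontier = {start}, [], [start]
    while frontier:
        q, mem = frontier.pop()
        memd = dict(mem)
        successors = []
        # the refinement of the current state reacts: an inner transition keeps q
        if q in refinements:
            for src, g, dst in refinements[q]["trans"]:
                if src == memd[q]:
                    successors.append((g, (q, tuple(sorted({**memd, q: dst}.items())))))
        # the top-level machine reacts: an outer transition leaves q
        for src, g, dst in top["trans"]:
            if src == q:
                successors.append((g, (dst, mem if history else reset_mem)))
        for g, nxt in successors:
            trans.append(((q, mem), g, nxt))
            if nxt not in states:
                states.add(nxt)
                frontier.append(nxt)
    return states, trans

def flat_state_names(states):
    """Render flat states the way the slides do, e.g. 'A,D' for A remembering D."""
    return sorted(f"{q}," + ",".join(r for _, r in mem) for q, mem in states)

if __name__ == "__main__":
    for hist in (True, False):
        st, tr = flatten(TOP, REFINEMENTS, history=hist)
        print("history" if hist else "reset", flat_state_names(st), len(tr), "transitions")
```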

Preemptive Transitions
• A preemptive transition specifies that the guard should be evaluated before the current state's refinement reacts, and if it is true, then the current state should not react.

Simplified interrupt controller
• (figure: the controller over the positions A, B, C, D, E of the program above, shown as refinements of its states)
• This abstraction assumes that an interrupt is always handled immediately upon being asserted.

Hierarchical interrupt controller
• This model assumes further that interrupts are disabled in the ISR.
• A key question: Assuming the interrupt occurs infinitely often, is state C always reached?

Hierarchical interrupt controller
• This model assumes interrupts are disabled in the ISR.
• (figure: the controller with a reset, preemptive transition and a history transition)

Hierarchical composition to model interrupts
• The history transition results in a product state space, but hierarchy reduces the number of transitions compared to asynchronous composition.
• Examining this composite machine, it is clear that C is not necessarily reached even if the interrupt occurs infinitely often. If assert is present on every reaction, C is never reached.

What if interrupts are not disabled?
• A key question: Assuming the interrupt occurs infinitely often, is state C always reached?
• Answer: NO! Counterexample: each time timerCount = 1, get more than one nested interrupt.
• Trace in the upper machine: idle, D, E, D2, E2, D2, E, D, …
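The reachability question of the hierarchical interrupt model, as an added, constructed example (not the lecture's own FSM figures): the main program is abstracted to the positions A (before timerCount = 2000), B (in the while loop) and C (after it), the controller is Idle or Handling, and, as assumed on the slides above, interrupts are disabled in the ISR. The model also assumes that entering the ISR takes one reaction and running its body and returning takes one more; `reaches_c` drives the composite machine with assert present at a fixed period and reports whether C is ever reached.

```python
from typing import Optional

# Constructed model of the lecture's two-second program (an added example, not the
# lecture's figures). Assumed: main positions A/B/C, controller Idle/Handling,
# entering the ISR and running+returning each take one reaction, interrupts are
# disabled inside the ISR, and the controller preempts the main program.
class System:
    def __init__(self):
        self.timer_count = 0      # the shared variable written by both machines
        self.main_pos = "A"
        self.ctrl = "Idle"

    def isr_body(self):
        if self.timer_count != 0:
            self.timer_count -= 1

    def main_step(self):
        if self.main_pos == "A":
            self.timer_count = 2000
            self.main_pos = "B"
        elif self.main_pos == "B" and self.timer_count == 0:
            self.main_pos = "C"   # otherwise one more loop iteration: stay in B

    def react(self, assert_present: bool):
        # Preemptive transition: if 'assert' is present while the controller is
        # Idle, the refinement (the main program) does not react in this step.
        if self.ctrl == "Idle" and assert_present:
            self.ctrl = "Handling"
        elif self.ctrl == "Handling":
            self.isr_body()       # interrupts disabled: a new assert is ignored here
            self.ctrl = "Idle"    # history transition: main resumes at its old position
        else:
            self.main_step()

def reaches_c(assert_period: int, max_reactions: int = 20000) -> Optional[int]:
    """Drive the composite machine with 'assert' present on every assert_period-th
    reaction (period 1 = present on every reaction). Returns the reaction number at
    which the main program reaches C, or None if it does not within the bound."""
    system = System()
    for n in range(1, max_reactions + 1):
        system.react(assert_present=(n % assert_period == 0))
        if system.main_pos == "C":
            return n
    return None

if __name__ == "__main__":
    for period in (1, 2, 3):
        print(f"assert every {period} reaction(s): C reached at", reaches_c(period))
```

With assert on every reaction the main program never reacts, and with assert on every other reaction it takes a single step and then starves, so an interrupt that occurs infinitely often does not by itself guarantee C; with a period of three, C is reached.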

Communicating FSMs
• In the ISR example, our FSM models of the main program and the ISR communicate via shared variables, and the FSMs are composed asynchronously.
• We call this model of computation threads.
• There are better alternatives for concurrent composition.

Hierarchical FSMs + Synchronous Composition: Statecharts [Harel 87]
• Modeling with
  • Hierarchy (OR states)
  • Synchronous composition (AND states)
  • Broadcast (for communication)
• Example due to Reinhard von Hanxleden

Summary
• Composition enables building complex systems from simpler ones.
• Hierarchical FSMs enable compact representations of complex behaviors.
• Both forms of composition can be converted to single flat FSMs, but the resulting FSMs are quite complex and difficult to analyze by hand.
• Algorithmic techniques are needed (e.g., model checking, the inventors of which won the 2009 Turing Award).

HW 4 – due beginning of class 10/28
• Read Chapter 5 of Lee & Seshia
• Do problem 5.2
• Finish Lab 3!

Instructor Contact Information
• Andrew R. Cohen, Associate Prof.
• Department of Electrical and Computer Engineering, Drexel University
• 3120 – 40 Market St., Suite 110, Philadelphia, PA 19104
• office phone: (215) 571 – 4358
• http://bioimage.coe.drexel.edu/courses
• acohen@coe.drexel.edu