# CS:4980 Foundations of Embedded Systems

## Timed Model, Part II

Copyright 2014-20, Rajeev Alur and Cesare Tinelli.
Created by Cesare Tinelli at the University of Iowa from notes originally developed by Rajeev Alur at the University of Pennsylvania. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

## Timed Model

The timed model is sometimes called the semi-synchronous model, since it mixes the asynchronous and synchronous models.

Definitions/concepts that carry over naturally from those models:

- Executions of a timed process
- Transition system associated with a timed process
- Safety/liveness requirements

Distributed coordination problems: how can we exploit the knowledge of timing delays to design protocols?

## Recall: Asynchronous Execution Model

| nat $x:=0 ; y:=0$ |
| :--- |
| $A_{x}: x:=x+1$ |
| $A_{y}: y:=y+1$ |



- Tasks $A_{x}$ and $A_{y}$ execute in an arbitrary order
- For every possible choice of numbers $m$ and $n$, the state $(m, n)$ is reachable
- Fairness assumptions can be used to rule out executions where one of the tasks is ignored forever (although this does not affect the set of reachable states)


## Timed Increments

$1 \leq u \rightarrow x:=x+1 ; u:=0$

$1 \leq v \rightarrow y:=y+1 ; v:=0$

- Task $A_{x}$ increments $x$, and this takes between 1 and 2 time units
- Task $A_{y}$ increments $y$, and this also takes between 1 and 2 time units
- The tasks execute in parallel and asynchronously, but timing introduces loose coordination (since all clocks advance in unison)

Which states are reachable? What relationship must hold between $m$ and $n$ for the state $(m, n)$ to be reachable?

## Recall: Shared Memory Asynchronous Processes



Processes P1 and P2 communicate by reading/writing shared variables. Each shared variable can be modeled as an asynchronous process:

- The state of each such process is the value of the corresponding variable
- In an implementation, shared memory can be a separate subsystem
- There is a read channel and a write channel between each process and each shared variable
- To write $x$, P1 synchronizes with $x$ on the $x$.write1 channel
- To read $x$, P2 synchronizes with $x$ on the $x$.read2 channel


## Shared Memory Programs with Atomic Registers

AtomicReg nat $x:=0$

Process P1


A program is a declaration of shared variables plus code for each process

Key restriction: Each statement either

- changes local variables,
- reads a single shared var, or
- writes a single shared var

Execution model: execute one step of one of the processes

What if we knew lower and upper bounds on how long a read or a write takes? Could we solve coordination problems better?

## Mutual Exclusion Problem



Safety: processes should not both be in critical section simultaneously (can be formalized using invariants)

Deadlock freedom: if any process is trying to enter, then some process should be able to enter

## Mutual Exclusion: Incorrect Solution

AtomicReg $\{0,1,2\}$ Turn := 0

(Flowcharts for Process P1 and Process P2 not reproduced; both contain the assignment Turn := 0.)

What was the problem?

## Timing-based Mutual Exclusion

1. Before entering critical section, read the shared variable Turn
2. If Turn $\neq 0$ then go to Step 1 and try again
3. If Turn $=0$ then set Turn to your ID

Problem: Proceeding directly to critical section (the other process may also have concurrently read Turn to be 0 , and updated Turn)

Solution: Delay and wait till you are sure that concurrent writes are finished
4. Read Turn again: if Turn equals your own ID then proceed to critical section; otherwise, go to Step 1 and try again
5. When done with critical section, set Turn back to 0

## Fisher's Mutual Exclusion Protocol

AtomicReg nat Turn := 0

myID $\in \{1, 2, 3, \ldots\}$

(Process flowchart not reproduced.)

Wait for at least $\Delta_{2}$ time units, and read Turn again

Does this work? Why?

## Properties of Timed Fisher's Protocol

- If $\Delta_{2}>\Delta_{1}$, the algorithm satisfies:
  1. Mutual exclusion (two processes cannot be in the critical section simultaneously)
  2. Deadlock freedom (if a process wants to enter the critical section then some process will enter the critical section)
- The protocol works for arbitrarily many processes, not just 2
- In contrast, in the asynchronous model, a mutual exclusion protocol for $N$ processes is a lot more complex than Peterson's algorithm

Exercise 1: Does the protocol satisfy the stronger property of starvation freedom (if a process wants to enter critical section then it eventually will)?

Exercise 2: If $\Delta_{2} \leq \Delta_{1}$ does mutual exclusion hold? How about deadlock freedom?

## Timed Communication

Suppose a sender wants to transmit a sequence of bits to a receiver connected by a communication bus

Natural strategy: Divide time into slots, and in each slot transmit a bit using low/high voltage values to encode 0/1

Manchester encoding: 0 encoded as a falling edge, and 1 encoded as a rising edge


## Timed Communication Challenges



Sender and receiver know the duration of each time slot, but ...

1. When idle, the voltage is set to low. So receiver doesn't know when the communication begins
2. Receiver cannot reliably detect falling edges
3. Sender and receiver clocks are synchronized imperfectly due to drift (when a clock $x$ reads 1, the actual elapsed time lies in the interval $[1-\varepsilon, 1+\varepsilon]$)

Addressing the challenges:

1. All messages start with 1 and end with 00
2. Processes use timing information to transmit 0s
3. We use constraints like $x \leq 1+\varepsilon$ instead of $x \leq 1$, and $1-\varepsilon \leq x$ instead of $1 \leq x$

## Audio Control Protocol



Protocol developed by Philips to reliably transmit messages in the presence of imperfect clocks

Design logic for the receiver to map measured delays between successive rising edges to a sequence of bits

Verification: Prove that message transmission is reliable for a given drift rate $\varepsilon$

Optimization: Find the largest drift rate that the protocol tolerates

## Audio Control System

(Block diagram not reproduced.)

## Sender Process

(Process diagram not reproduced.)

## Receiver Process

(Process diagram not reproduced.)


## Execution Example



| Time | Event | x | Sender | Queue $m$ | y | Receiver | Queue out |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| 0 |  |  | B | 00110100 |  | Idle | null |
| 2.07 | up | 2.07 | D | 0110100 |  | Last1 | 1 |
| 5.97 | down | 3.9 | F | 110100 | 3.9 | Last1 | 1 |
| 7.97 | up | 2 | G | 110100 | 5.9 | Last0 | 10 |
| 9.92 | down | 1.95 | E | 10100 | 1.95 | Last0 | 10 |
| 14.08 | up | 4.16 | C | 0100 | 6.11 | Last1 | 1001 |
| 16.1 | down | 2.02 | B | 0100 | 2.02 | Last1 | 1001 |
| 18 | up | 1.9 | D | 100 | 3.92 | Last1 | 10011 |
| 22.05 | down | 4.05 | E | 00 | 4.05 | Last1 | 10011 |
| 25.91 | up | 3.86 | D | 0 | 7.91 | Last1 | 1001101 |
| 30.01 | down | 4.1 | F | null | 4.1 | Last1 | 1001101 |
| 32.11 | up | 2.1 | G | null | 6.2 | Last0 | 10011010 |
| 34.16 | down | 2.05 | H | null | 2.05 | Last0 | 10011010 |
| 38.29 |  | 4.13 | A | null | 6.18 | Last0 | 10011010 |
| 39.39 |  | 1.1 | A | null | 7.28 | Idle | 100110100 |
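As an added example (not code from the slides and not Philips' protocol specification), the sender's rising-edge schedule and a receiver that maps delays between successive rising edges to bits, reconstructed from the Manchester encoding rule and the execution table above. The slot length of 4 time units, the delay classes 4/6/8, the Last1/Last0 rule table and the 7-unit silence timeout are all assumptions inferred from the table; the drift tolerance `tol` plays the role of $\varepsilon$.

```python
SLOT = 4                # one bit slot, in the time units of the execution table (assumed from the edge times)
CLASSES = (4, 6, 8)     # nominal delays between successive rising edges
# Receiver rule table reconstructed from the execution table: (state, delay class) -> (bits emitted, next state).
# "Last0": the last rising edge was the slot-boundary rise of a 0 whose bit has not been emitted yet.
RULES = {
    "Last1": {4: ("1", "Last1"), 6: ("0", "Last0"), 8: ("01", "Last1")},
    "Last0": {4: ("0", "Last0"), 6: ("01", "Last1")},
}


def encode(bits):
    """Sender: rising-edge times of the Manchester signal for a message that starts with 1 and ends with 00."""
    assert bits[0] == "1" and bits.endswith("00"), "message framing violated"
    edges = []
    for i, b in enumerate(bits):
        if b == "1":                      # 1: rising edge in the middle of its slot
            edges.append(i * SLOT + SLOT // 2)
        elif bits[i - 1] == "0":          # 0 after a 0: the line is low, so it rises at the slot boundary first
            edges.append(i * SLOT)        # (0 after a 1 produces only a falling edge, which the receiver ignores)
    return edges


def classify(delay, tol=1.0):
    """Snap a measured delay to the nearest nominal class if it lies within tol (this absorbs clock drift)."""
    k = min(CLASSES, key=lambda c: abs(delay - c))
    return k if abs(delay - k) <= tol else None


def decode(rising_edges, end_time, tol=1.0, timeout=7.0):
    """Receiver: map delays between successive rising edges to bits; returns (bits so far, receiver state)."""
    state, out, last = "Idle", "", None
    for t in rising_edges:
        if state == "Idle":               # every message starts with 1, so the first edge is that 1
            out, state = out + "1", "Last1"
        else:
            k = classify(t - last, tol)
            if k is None or k not in RULES[state]:
                raise ValueError(f"delay {t - last:.2f} is not valid in state {state}")
            bits, state = RULES[state][k]
            out += bits
        last = t
    if state != "Idle" and end_time - last >= timeout:   # silence ends the message (timeout assumed = 7)
        out += "0" if state == "Last0" else ""           # flush the pending 0 of the trailing 00
        state = "Idle"
    return out, state


TABLE_EDGES = [2.07, 7.97, 14.08, 18.0, 25.91, 32.11]   # the "up" events of the execution table above
```

Running `decode(TABLE_EDGES, 39.39)` reproduces the table's final output 100110100; a sender clock that runs a few percent fast still decodes correctly, while a tolerance far below the observed drift makes the receiver reject the message.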

## Timing Analysis


- How to adapt algorithms for searching through the state space of a model in the presence of clock variables and timing constraints?
- Application: formal analysis of timing-based coordination and communication protocols
- Must handle the space of clock valuations symbolically!
- Popular model checker: Uppaal

## Timing Analysis Example



## Timed Automata

Motivation: When is exact analysis of timing constraints feasible?

Definition: A timed process TP is a timed automaton if, for every clock variable $x$,

1. assignments to $x$ in the description of TP are of the form $x:=0$
2. atomic expressions involving $x$ (in clock-invariants or in guards) are of the form

$$
x \bowtie k
$$

where $k$ is a constant and $\bowtie \in\{=, \leq,>,<, \geq\}$
(such expressions can express only constant lower/upper bounds on timing delays)

## Timed Automata

Properties: Closed under parallel composition: If TP1 and TP2 are timed automata then TP1 | TP2 is also a timed automaton

A timed automaton is finite-state if all its variables other than clocks have finite types (e.g. Boolean, enumerated)

Note: State space is still infinite due to the clock variables, but verification of safety properties is decidable

## Timing Analysis Example



Requires propagation of the reachable combinations of $x$ and $y$ symbolically

## Timing Analysis Example

| Clock-zone $R_{0}$ |
| :--- |
| $0 \leq x_{1} \leq 0$ |
| $0 \leq x_{2} \leq 0$ |
| $0 \leq x_{1}-x_{2} \leq 0$ |

Initial set of clock-valuations: $x_{1}=0 \wedge x_{2}=0$

Clock-zone: uniform representation of the constraints that arise during analysis. Constraints are of two types:

1. Lower/upper bound on the value of a clock variable
2. Lower/upper bound on the difference of two clock variables

## Timing Analysis Example

| Clock-zone $R_{0}$ | Clock-zone $R_{0}^{\prime}$ |
| :--- | :--- |
| $0 \leq x_{1} \leq 0$ | $0 \leq x_{1} \leq$ Infty |
| $0 \leq x_{2} \leq 0$ | $0 \leq x_{2} \leq$ Infty |
| $0 \leq x_{1}-x_{2} \leq 0$ | $0 \leq x_{1}-x_{2} \leq 0$ |

Starting from a state in $\mathrm{R}_{0}$, as time elapses, which clock-valuations are reachable ?
During a timed transition, values of all clocks increase.
How are the constraints impacted? What's the effect of clock-invariant?

Step 1: Compute the effect of timed transitions ignoring clock-invariants
- Constraints on individual clocks: change the upper bound to Infty
- Constraints on differences between clock values: unchanged (why?)

## Timing Analysis Example

| Clock-zone $\mathrm{R}_{0}^{\prime}$ | Clock-zone $\mathrm{R}^{\prime \prime}{ }_{0}$ | Clock-zone $\mathrm{R}_{1}$ |
| :--- | :--- | :--- |
| $0 \leq \mathrm{x}_{1} \leq$ Infty | $0 \leq \mathrm{x}_{1} \leq 5$ | $0 \leq \mathrm{x}_{1} \leq 5$ |
| $0 \leq \mathrm{x}_{2} \leq$ Infty | $0 \leq \mathrm{x}_{2} \leq$ Infty | $0 \leq \mathrm{x}_{2} \leq 5$ |
| $0 \leq \mathrm{x}_{1}-\mathrm{x}_{2} \leq 0$ | $0 \leq \mathrm{x}_{1}-\mathrm{x}_{2} \leq 0$ | $0 \leq \mathrm{x}_{1}-\mathrm{x}_{2} \leq 0$ |



Desired clock-zone $R_{1}$: the set of clock-valuations reachable while in mode A, i.e. the intersection of the constraints in $\mathrm{R}_{0}$ and the clock-invariant

Canonicalization: tighten all bounds to reflect implied constraints
- Each lower bound should be as high as possible
- Each upper bound should be as low as possible

## Timing Analysis Example

| Clock-zone $R_{1}$ | after Step 1 (intersect guard) | after Step 2 (canonicalize) | Clock-zone $R_{2}$ |
| :--- | :--- | :--- | :--- |
| $0 \leq x_{1} \leq 5$ | $3 \leq x_{1} \leq 5$ | $3 \leq x_{1} \leq 5$ | $3 \leq x_{1} \leq 5$ |
| $0 \leq x_{2} \leq 5$ | $0 \leq x_{2} \leq 5$ | $3 \leq x_{2} \leq 5$ | $0 \leq x_{2} \leq 0$ |
| $0 \leq x_{1}-x_{2} \leq 0$ | $0 \leq x_{1}-x_{2} \leq 0$ | $0 \leq x_{1}-x_{2} \leq 0$ | $3 \leq x_{1}-x_{2} \leq 5$ |

Desired clock-zone $R_{2}$: what is the set of clock-valuations upon entry to $B$?
Step 1: Intersect guard $3 \leq x_{1}$ with the clock-zone $R_{1}$
Step 2: Canonicalize by tightening constraints
Step 3: Capture the effect of assignment $x_{2}:=0$
Bounds on $x_{2}$ change, and so do bounds on $x_{1}-x_{2}$
Step 4: Canonicalize. In this case, constraints are already as tight as possible

## Timing Analysis Example

| Clock-zone $R_{2}$ | after Step 1 (upper bounds to Infty) | after Step 2 (intersect invariant) | Clock-zone $R_{3}$ |
| :--- | :--- | :--- | :--- |
| $3 \leq x_{1} \leq 5$ | $3 \leq x_{1} \leq$ Infty | $3 \leq x_{1} \leq 7$ | $3 \leq x_{1} \leq 7$ |
| $0 \leq x_{2} \leq 0$ | $0 \leq x_{2} \leq$ Infty | $0 \leq x_{2} \leq$ Infty | $0 \leq x_{2} \leq 4$ |
| $3 \leq x_{1}-x_{2} \leq 5$ | $3 \leq x_{1}-x_{2} \leq 5$ | $3 \leq x_{1}-x_{2} \leq 5$ | $3 \leq x_{1}-x_{2} \leq 5$ |

Mode B has clock-invariant $x_{1} \leq 7$.

Starting from a state in $\mathrm{R}_{2}$, as time elapses, which clock-valuations are reachable?
Step 1: Set upper bounds on individual clock values to Infty
Step 2: Intersect with the clock-invariant $x_{1} \leq 7$
Step 3: Canonicalize by tightening all the bounds
What is a good data structure to represent clock-zones? What are the algorithms for operations such as intersection and canonicalization?

## DBM Representation of Constraints

$$
\begin{array}{lll}
3 \leq x_{1} \leq 7 & 3 \leq x_{1}-x_{0} \leq 7 & x_{1}-x_{0} \leq 7 \\
0 \leq x_{2} \leq \text{Infty} & 0 \leq x_{2}-x_{0} \leq \text{Infty} & x_{0}-x_{1} \leq -3 \\
3 \leq x_{1}-x_{2} \leq 5 & 3 \leq x_{1}-x_{2} \leq 5 & x_{2}-x_{0} \leq \text{Infty} \\
& & x_{0}-x_{2} \leq 0 \\
& & x_{1}-x_{2} \leq 5 \\
& & x_{2}-x_{1} \leq -3
\end{array}
$$

The DBM $R$ for these constraints, where entry $R[i,j]$ is the upper bound on $x_{i}-x_{j}$:

|  | $x_0$ | $x_1$ | $x_2$ |
| :---: | :---: | :---: | :---: |
| $x_0$ | 0 | -3 | 0 |
| $x_1$ | 7 | 0 | 5 |
| $x_2$ | Infty | -3 | 0 |

## Difference Bounds Matrix

- Data structure for representing constraints, where each constraint expresses a bound on the difference of the values of two variables
- Suppose the clocks are named $x_{1}, x_{2}, \ldots, x_{m}$
- Introduce a dummy clock $x_{0}$ that is always 0. Then instead of the constraint $L \leq x_{i} \leq U$, we have $L \leq x_{i}-x_{0} \leq U$
- A lower bound constraint $L \leq x_{i}-x_{j}$ can be rewritten as the upper bound constraint $x_{j}-x_{i} \leq -L$
- A DBM $R$ is an $(m+1) \times (m+1)$ matrix representing, for $0 \leq i \leq m$ and $0 \leq j \leq m$, the constraint $x_{i}-x_{j} \leq R[i, j]$
- Diagonal entries should be 0: $x_{i}-x_{i} \leq 0$
- There is a one-to-one correspondence between DBMs and clock-zones
- Entries of a DBM: integers plus a special symbol Infty (to represent the absence of a bound)
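Added example (not code from the slides or from Uppaal): a small DBM implementation of the zone operations used in the preceding slides (timed transition, intersection with a guard or invariant, reset, canonicalization, emptiness test), replaying $R_{0}$ through $R_{3}$ and reproducing the DBM above. Infty is represented as floating-point infinity; the reachability checks against $R_{3}$ in `reachable_with` are my own constructed constraints, not the slides' $R_{5}$ example.

```python
from itertools import product

INF = float("inf")  # the slides' "Infty": absence of a bound


class DBM:
    """m[i][j] is an upper bound on x_i - x_j; x_0 is the dummy clock that is always 0."""

    def __init__(self, n_clocks, m=None):
        self.n = n_clocks + 1
        # With no matrix given this is the slides' R0: all clocks are 0, so every difference is <= 0.
        self.m = [row[:] for row in m] if m else [[0] * self.n for _ in range(self.n)]

    def canonicalize(self):  # tighten each entry to its implied bound (Floyd-Warshall, k outermost)
        for k, i, j in product(range(self.n), repeat=3):
            self.m[i][j] = min(self.m[i][j], self.m[i][k] + self.m[k][j])
        return self

    def is_empty(self):  # after canonicalize, a negative diagonal entry means "unsatisfiable"
        return any(self.m[i][i] < 0 for i in range(self.n))

    def up(self):  # timed transition: individual upper bounds become Infty, differences unchanged
        for i in range(1, self.n):
            self.m[i][0] = INF
        return self

    def constrain(self, i, j, c):  # intersect with x_i - x_j <= c; a lower bound L <= x_i is constrain(0, i, -L)
        self.m[i][j] = min(self.m[i][j], c)
        return self

    def reset(self, i):  # assignment x_i := 0: x_i now equals x_0, so copy x_0's row and column onto x_i's
        for j in range(self.n):
            self.m[i][j], self.m[j][i] = self.m[0][j], self.m[j][0]
        return self

    def snapshot(self):
        return [row[:] for row in self.m]


def slides_example():
    """Replays R0 -> R1 -> R2 -> R3 from the slides; returns R1, R2, R3 before tightening, and R3."""
    z = DBM(2)                                                        # R0: x1 = x2 = 0
    r1 = z.up().constrain(1, 0, 5).canonicalize().snapshot()          # wait in mode A, invariant x1 <= 5
    r2 = z.constrain(0, 1, -3).canonicalize().reset(2).canonicalize().snapshot()  # guard 3 <= x1, then x2 := 0
    r3_raw = z.up().constrain(1, 0, 7).snapshot()                     # wait in mode B, invariant x1 <= 7
    r3 = z.canonicalize().snapshot()                                  # tightening derives x2 <= 4 from x1 - x2 >= 3
    return r1, r2, r3_raw, r3


def reachable_with(zone, i, j, c):
    """Is the zone with x_i - x_j <= c added satisfiable? This decides whether a guarded mode is reachable."""
    return not DBM(len(zone) - 1, zone).constrain(i, j, c).canonicalize().is_empty()
```

`r3_raw` is exactly the matrix of the DBM slide above (with Infty in row $x_2$), and canonicalizing it fills in the implied bound $x_{2} \leq 4$.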


## Timing Analysis Example



- Intersection of $R_{5}$ and $x_{2} \geq 6$ is unsatisfiable; this means mode D is not reachable
- Intersection of $R_{5}$ and $x_{1} \leq 4$ is unsatisfiable; this means mode E is not reachable
- Intersection of $\mathrm{R}_{5}$ and $\mathrm{x}_{1}=7$ is satisfiable; this means mode F is reachable

## Credits

Notes based on Chapter 7 of
Principles of Cyber-Physical Systems
by Rajeev Alur
MIT Press, 2015

