
Lecture 11 : Part I: Zones Part II: TTAs


Presentation Transcript


  1. Lecture 11: Part I: Zones. Part II: TTAs. CS5270, P.S. Thiagarajan

  2. Zones • A more compact representation. • Of equivalence classes of valuations. • Can be efficiently represented as Difference Bounded Matrices (edge weighted directed graphs). • DBMs admit a canonical representation. • DBMs can be manipulated efficiently.

  3. Why not regions? • The number of regions can be very large: • Exponential in the number of clocks AND in the size of the maximal constants appearing in the clock constraints. • Practical verification becomes infeasible.

  4. An Example (figure: clock valuations in the x–y plane)

  5. 0-dimensional regions: 12 (figure)

  6. 1-dimensional regions: 23 (figure)

  7. 2-dimensional regions: 12 (figure)

  8. Total number of regions: 47 (figure)

  9. One Zone: (2 ≤ x ≤ 5) ∧ (2 ≤ y ≤ 4) (figure)

  10. Zones • A zone is a clock constraint of a particular form. • Z ::= x ⋈ c | x – y ⋈ c | Z1 ∧ Z2 • ⋈ ∈ {<, ≤, >, ≥} • c is a natural number. • Every region is a zone (exercise!).

  11. Zone Automaton • Every TTA has an associated Zone automaton ZTTA. • This can be constructed effectively. • But this does not do too much for us. • Savings occur when we construct the Zone automaton on the fly to check reachability properties.

  12. The Basic Algorithm. Symbolic Reachability Analysis Algorithm:
      PASSED := ∅; WAIT := {(s0, D0)}
      while WAIT ≠ ∅ do
        take (s, D) from WAIT
        if s = sf then return 'YES'
        if there is no (s, D') in PASSED with D a subset of D' then
          add (s, D) to PASSED
          for all (s1, D1) such that (s, D) ----> (s1, D1) do
            add (s1, D1) to WAIT
          end for
        end if
      end while

  13. The Zone transition relation • (s, D) ----> (s, D↑ ∩ I(s)) • D↑ = {V + δ | V ∈ D, δ ≥ 0} • D↑ is a zone. • From D we can compute D↑. • (s, D) ---> (s’, D’) if there is a transition (s, g, X, s’) in TTS such that: • D’ = R_X(D ∩ g) ∩ I(s’) • R_X(D) = {R_X(V) | V ∈ D} • R_X(V)(y) = 0 if y ∈ X, V(y) otherwise. • R_X(D) is a zone. • D’ is non-empty. • D’ is a zone and can be computed from D.

  14. Termination • To ensure termination: • Remove constraints of the form x < m, x ≤ m, x – y < m and x – y ≤ m if m > Cx. • Replace x > m and x ≥ m with x > Cx if m > Cx. • Replace y – x > m and y – x ≥ m with y – x > Cx and y – x ≥ Cx when m > Cx.

  15. Zone operations • We need to compute D↑. • Given D1 and D2, we need to compute D1 ∩ D2. • Given D and D’ we need to be able to check if D is a subset of D’. • We must be able to check if D is empty.

  16. Zone representation. • A zone can be represented as a DBM: • Difference Bounded Matrix. • Invent a new clock variable x0 (which will always be 0). • All basic constraints will be of the form xi – xj < m or xi – xj ≤ m where m is an integer (positive or negative).

  17. Zone Representation • x2 < 3 becomes x2 – x0 < 3. • x5 ≥ 7 becomes x0 – x5 ≤ –7. • x2 – x5 > 8 becomes x5 – x2 < –8.

  18. The Matrix Representation. (figure: an (n+1)×(n+1) matrix whose rows and columns are indexed x0, x1, x2, …, xn; the constraint xi – xj ≤ 2 is stored in cell (i, j) as the pair (2, 1))

  19. The Matrix Representation. (figure: the same matrix; the strict constraint xi – xj < 2 is stored in cell (i, j) as the pair (2, 0))

  20. The Matrix Representation. (figure: an example matrix over x0, x1, x2, x3; the filled cells hold the pairs (0, 3), (0, -4), (0, 10), (0, 2), (0, 5), (0, 2), and unconstrained cells hold ∞)

  21. The Graph Representation (figure: an edge from x to y labelled (k, 1) encodes y – x ≤ k; an edge labelled (k, 0) encodes y – x < k)

  22. The Graph Representation (figure: a graph on X0, X1, X2, X3 with edge weights 10, -4, 2, 3, 2 and 5)

  23. Closed Representations • Two different zones (DBMs) can represent the same set of valuations. • (y – x ≤ 3, x = 2, y = 4) and (y – x = 2, x = 2, y = 4) describe the same set. • A zone is closed if no constraint can be strengthened without reducing the set of associated valuations. • Two closed zones are equivalent iff they are identical. • So it is good to get closed zones.

  24. Closed Zones. • Take the graph of the zone. • Remove all redundant edges. • The edge from x to y with weight k is redundant if there is a path from x to y whose weight is less than or equal to k. • Using a shortest path algorithm, the closed zone version can be computed in O(n³) time.

  25. Closed Zones • If D is closed then D is a subset of D’ iff for every constraint x – y ≤ m’ in D’ there is a constraint x – y ≤ m in D with m ≤ m’. • If D is closed then D is non-empty iff there are no negative weight cycles in the graph. • The other operations can also be performed on the graphs efficiently.
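As an added illustration (not part of the lecture slides), the zone operations of slides 13 to 25 on a small DBM in Python: closure by Floyd-Warshall, emptiness by negative cycle, inclusion on closed DBMs, the future operator D↑, the reset R_X and intersection. The clock indexing (x1 = x, x2 = y) and the encoding of strictness as a boolean (True for <) instead of the slides' 0/1 flag are my choices.

```python
# Added example (not from the slides): DBM over x0 (constant 0), x1 = x, x2 = y, with
# the zone operations of slides 13-25 (Floyd-Warshall closure, emptiness, inclusion, up, reset).
import math
from itertools import product
# A bound is (m, strict): entry d[i][j] means xi - xj < m if strict, else xi - xj <= m.
INF = (math.inf, True)   # xi - xj unconstrained
ZERO = (0, False)        # xi - xj <= 0

def lt(a, b):  # a strictly tighter than b; (m, <) is tighter than (m, <=)
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def dbm(n):  # unconstrained zone over x0..xn; row 0 says 0 - xi <= 0 (clocks >= 0)
    d = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][i] = d[0][i] = ZERO
    return d

def close(d):  # canonical form (slides 23-24): Floyd-Warshall tightens every entry
    d = [row[:] for row in d]  # to its best path bound, so equal zones get equal matrices
    for k, i, j in product(range(len(d)), repeat=3):
        via = (d[i][k][0] + d[k][j][0], d[i][k][1] or d[k][j][1])  # bounds add along a path
        if lt(via, d[i][j]):
            d[i][j] = via
    return d

def is_empty(d):  # closed DBM: empty iff a negative cycle, i.e. a negative diagonal entry
    return any(lt(d[i][i], ZERO) for i in range(len(d)))

def subset(d1, d2):  # closed DBMs (slide 25): every bound of D1 at least as tight as D2's
    return all(not lt(b2, b1) for r1, r2 in zip(d1, d2) for b1, b2 in zip(r1, r2))

def intersect(d1, d2):  # D1 ∩ D2: entry-wise tighter bound, then re-close
    return close([[a if lt(a, b) else b for a, b in zip(r1, r2)] for r1, r2 in zip(d1, d2)])

def up(d):  # future D↑: letting time elapse drops every upper bound xi - x0 <= m
    return [row[:] if i == 0 else [INF] + row[1:] for i, row in enumerate(d)]

def reset(d, clocks):  # R_X on a closed DBM: each xi in X now behaves like x0 (xi := 0)
    d = [row[:] for row in d]
    for i in clocks:
        for j in range(len(d)):
            if j != i:
                d[i][j], d[j][i] = d[0][j], d[j][0]
        d[i][i] = ZERO
    return d

def slide9_zone():  # (2 <= x <= 5) and (2 <= y <= 4) from slide 9, in closed form
    z = dbm(2)
    z[0][1], z[1][0] = (-2, False), (5, False)   # 0 - x <= -2 (x >= 2), x - 0 <= 5
    z[0][2], z[2][0] = (-2, False), (4, False)   # y >= 2, y <= 4
    return close(z)
```

Closing the slide-9 zone derives the implied difference bounds y – x ≤ 2 and x – y ≤ 3 that were never written down, and intersecting it with the guard x ≥ 6 yields an empty zone, detected as a negative diagonal entry.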

  26. Introduction • TTP: • A real-time protocol for distributed systems. • high dependability • guaranteed timeliness • Application domains: • Automotive electronics • Fly-by-wire cockpits • Railway signaling systems

  27. Acknowledgements • The following slides have been assembled from many web sources. In particular: • H. Kopetz and G. Grünsteidl; Digest of Papers, FTCS-23 (IEEE CS 23rd Intl. Symp. on Fault-Tolerant Computing), Aug. 1993, pp. 524–533; presented by Shruti Gorappa

  28. Features of the TTP • Fault-tolerance • Small overhead • Integrates numerous services • Predictable message transmission • Message acknowledgement in group communication • Clock synchronization • Membership • Rapid mode change • Redundancy management • Temporary blackout handling

  29. Assumptions • Fail-silence • Communication channels only have omission failures. • Nodes either deliver correct results or no results. • Internal failures are detected and the node is turned off.

  30. System Overview • FTU: single or replicated nodes • Replicated communication channels • The channel is a broadcast bus • Access is by TDMA driven by the progression of global time • Local node times are synchronized by TTP • Communication by rapid and periodic message exchanges

  31. TTP Design Rationale • Sparse time base • Messages are sent only at statically designated intervals • Inflexible compared to the event-triggered (ET) model, but easier to test • Use of a priori knowledge • All nodes are aware of when each node is scheduled to transmit • Sender node information need not be included in the frame • Reduced overhead • Broadcast • Correctness of a transmitted message can be concluded as soon as one receiver acknowledges message delivery (broadcast medium)

  32. Protocol Highlights • Bus access • An FTU will have one or two time slots depending on its class of fault-tolerance • Slot length may be different for each node, depending on the amount of data it needs to send • The number of slots in a TDMA round given to an FTU may also be different • Membership Service • If a message from a sending node does not occur in its designated interval, its membership is set to 0 in the other nodes • Membership is checked before transmission. A node is alive if • Its internal error detection mechanism has not indicated an error • At least one of its transmitted frames has been correctly acknowledged.

  33. Protocol Highlights • Temporary blackout handling • Correlated failure of a number of nodes • Identified by sudden drop in membership • Nodes send I-messages and perform local emergency control • After membership has stabilized, mode changed to global emergency service

  34. Protocol Highlights • Temporal encapsulation of nodes • Communication bandwidth assigned statically • Time base is sparse: every input can be observed and reproduced exactly • Testability • Easy to test the implementation in comparison to ET • Easy to simulate: finite number of execution scenarios • Uncontrolled interactions between nodes are prevented • Determinism: can replicate states of nodes

  35. Strengths • Can provide fault-tolerant real-time performance • Practical (MARS platform), efficient, and scalable • Can be implemented using available hardware, signalling mechanisms • Low overhead • High data rates, used in both twisted fiber and optical channels • Reusability, composability, and testability

  36. Weaknesses • The schedule is fixed, so there is no bandwidth allocated for alarms and other spontaneous messages • All fault-tolerance mechanisms are implemented at system level, which means that very little “freedom” is left for application-specific implementations • Addition of nodes affects the existing system (although not the application)

  37. References • Kopetz, H., and Grunsteidl, G., "TTP - A time-triggered protocol for fault-tolerant real-time systems", Digest of Papers, FTCS-23 (IEEE CS 23rd Intl. Symp. on Fault-Tolerant Computing), Aug. 1993, pp. 524–533 • The Real-time Systems Research Group, Institut für Technische Informatik, Vienna University of Technology, http://www.vmars.tuwien.ac.at/projects/ttp/ttpmain.html • Real-Time Communication: Evaluation of protocols for automotive systems, Michael Waern, http://www.md.kth.se/RTC/MSc-theses/RT-Com-Evaluation-Waern.pdf • CAN bus, http://www.can-cia.org/can/protocol/ • Time-triggered Technology, http://www.tttech.com/

  38. Event-triggered vs. Time-Triggered • Interface to the external physical world: • Event-triggered. • Implementation architecture: • Time-triggered? • Predictable • Composability. • How to integrate the two paradigms? • Interesting research opportunities!

  39. The Automotive Electronics Case • Current scene: • Current systems contain up to 70 ECUs (Electronic Control Units). • Each ECU is developed and acts independently; very little integration. • Communication: • Event-triggered • Slow; 500 Kbits/sec

  40. The Automotive Electronics Case • Next Generation: • Integrated architecture. • Distributed, safety-critical, real time. • Why? • Costs: • reduce the number of ECUs. • Reliability • Safety • Multiple use of sensors.

  41. Conclusion • Time-Triggered architectures and protocols are likely to become important. • Also related to synchronous programming languages: • Lustre, Signal, Esterel • There are also other timed models: • Timed Petri nets, …
