Step Semantics for f FSM Sachoun Park 1 , Gihwon Kwon 1 , Soonhoi Ha - - PDF document

SLIDE 1

Step Semantics for fFSM

Sachoun Park1, Gihwon Kwon1, Soonhoi Ha2

1 Department of Computer Science, Kyonggi University

San 94-6, Yiui-Dong, Youngtong-Gu, Suwon-Si, Kyonggi-Do, Korea {sachem, khkwon}@kyonggi.ac.kr

2 Department of Computer Engineering, Seoul National University

Seoul, Korea, 151-742 {sha}@iris.snu.ac.kr

• Abstract. We developed the hardware and software codesign framework called

PeaCE(Ptolemy extension as a Codesign Environment). It allows to express both data flow and control flow which is described as the fFSM. The fFSM is a model for describing the control flow aspects in PeaCE, but due to lack of their formality, it has difficulties in verifying the specification. Thus we propose the step semantics for the model. As a result, some important bugs such as race condition, ambiguous transition, and circular transition can be formally detected in the model. Keywords – Step semantics, Formal verification, Statecharts, Flexible finite state machine

1 Introduction*

To make narrow the gap between design complexity and productivity of embedded systems, hardware/software codesign has been focused as a new design methodology. Various codesign procedures have been proposed, and formal models of computation for system specification by using "correct by construction" principle make ease design

• validation. The PeaCE[1] is the codesign environment to support complex embedded
• systems. The specification uses synchronous dataflow (SDF) model for computation

tasks, extended finite state machine (FSM) model for control tasks and task-level specification model for system level coordination of internal models (SDF and FSM). It gives automatic synthesis framework from the proposed specification with good results compared to hand-optimized code, and the automatic SW/HW synthesis from extended FSM model, called fFSM(flexible FSM), and automatic SW synthesis from task-model is developed. The synthesis framework generates architecture independent code which can be used for functional simulation, design space exploration, synthesis and verification steps by varying the definitions of APIs. The fFSM is another variant of Harel’s Statecharts, which supports concurrency, hierarchy and internal event as Statecharts does. Also it includes a global variable to express memory in FSM. This model is influenced from STATEMATE of i-logix inc.[2] and the Ptolemy[3] approaches. But the formal semantics for internal models

* This work was supported in part by IT Leading R&D Support Project funded by Ministry of

Information and Communication, Republic of Korea

SLIDE 2

is not defined explicitly. Especially, in the case of fFSM(flexible FSM), the absence of formal semantics causes the problem of confidence for simulation, correctness of code generation, and validation of a system specification. Since no formal semantics exit, unexpected behavior may occur after system built and also it dilute original purpose of codesign to produce complex embedded system cost-effectively In this paper, we define the step semantics for fFSM model, which becomes foundation about reliable code generation and formal verification. Step semantics or

• perational semantics of an fFSM defines how the model changes state from one

configuration to another on the reception of some events, while it at the same time executes actions consisting of emitting output and internal events and updating of global variables. In this field many works have proposed, but among these formal semantics, we turned our attention to Erich Mikk’s hierarchical automata[4] and Lind- Nielsen’s hierarchical state/event model. Hierarchical automata semantics was defined to formally express the STATEMATE semantics of Statecharts described by Harel and Naamad in 1996[5]. After he defined pure hierarchal automata which have no inter-level transition, he described EHA (extended hierarchical automata) to handle the inter-level transition. As the semantics

• f EHA was presented in the Kripke structure, three rules at EHA were applied to:

progress rule, stuttering rule, and composition rule. If any enabled transition is activated, sequential automaton takes progress rule. If an active sequential automaton does not have an enabled transition and the active state is a basic state then the automaton stutters and consumes events. And each automaton delegates its step to its sub-automata with respect to the composition rule. HSEM(Hierarchical State/Event Model)[6], the variant of Statecharts in IAR visualSTATE[7], is based on the Unified Modeling Language(UML) state diagram, where again the UML is based on Harel’s Statecharts. Although HSEM has its origin in Statecharts, its semantics is distinguishable. The behavior of the model described N flat parallel machines, where the N is the number of Or-states: serial and history states. Thus a configuration of HSEM consists of exactly one state per each Or-sate, so it may include inactive states. This method is able to perform compositional model checking which one of solution for state explosion problem. In this paper, the semantics of the fFSM model in PeaCE approach is defined by borrowing from EHA and HSEM semantics. In the next section, we show the formal model of fFSM and its informal restriction. In section 3, N flat parallel machine of fFSM, pFSM, is defined with its example. The definition of step semantics of pFMS is presented in section 4, and then we conclude the paper in section 5.

2 Formal definition of fFSM

In this section, we introduce definitions about fFSM in the thesis[8]. Definition 1 (Event) An event e is defined as (en, ev), where en is the name or symbol

• f the event and the associated set of allowed values will be denoted by eV, and ev ∈ eV

is the value of the event. Two special values ε and φ is defined for fFSM model. The value ε specifies an occurrence of an event not the value. The value φ indicates that the event doesn't have any value. Thus, the value φ becomes a member of every eV.

SLIDE 3

There are three different events: input event, output event and internal event. We can read a value from an input event, write a value to an output event and read(or write) a value from(or to) an internal event. Because internal event has both properties

• f input events and output events, internal events can be defined as an intersection of

input events and output events. Definition 2 shows definitions of event sets in fFSM model. Definition 2 (Event sets) I = {(in1, iV1), (in2, iV2)…}, O = {(on1, oV1), (on2, oV2)…}, and IT = I ∩ O are a finite set of input event names and of the corresponding finite sets of allowed values, a finite set of output event names and of the corresponding finite sets

• f allowed values, and the a finite set of internal events, respectively.

fFSM model supports hierarchical fFSM, concurrent fFSM and variable state. Each is defined by a state-set name, a corresponding finite set of allowed states and an initial state(or a value) as shown in definition 3. In a state set for hierarchical fFSM, a special value φ should be an element of xV to indicate an inactive state. Although variable state is defined as a state, it can be handled as a special event of which the value is preserved across time. We can read(or write) a value from (or to) a variable state similar to an internal event. Definition 3 (State sets and initial values) X={(xn1, xV1), (xn2, xV2)…} is a finite set

• f state-set names and of the corresponding finite sets of allowed states in the state-
• set. V⊂X is a finite set of variable state names and of the corresponding finite sets of

allowed states (or values). R ⊆ {(xn, xv)| (xn, xv) ∈ X, xv ∈ xV} is a set of initial states. There should exist only one (xn, xv)∈R for all (xn, xV). A transition connects two different states: one is a source state and the other is a target

• state. It has a guard condition and actions. The condition is a Boolean expression

composed of input events and variable states. An action assigns an expression composed of input events and variable states to an output event or a variable state. When the Boolean expression (the condition) of the transition meets, the expression

• f each action is evaluated and the result value is assigned to an output event or a

variable state. Definition 4 shows the definition of a transition set. A transition is executed from the current state f XI to the next f XO state when meeting a guard condition f G and performs actions f A. Definition 4 (Transition set) F ⊆ f XI × f G × f XO × f A

• i. f XI ∪ f XO ⊆ {(xn, xv)| (xn, xV) ∈ X, xv ∈ xV } are a set of source states and target

states of a transition.

• ii. f G = f(en1, en2, …) = true or false, (enk, eVk) ∈ I ∪ V is a Boolean expression

composed of input events and variable states.

• iii. f A ⊆ {(rn, f R)|(rn, rv) ∈ O ∪ V, f R = f(en1, en2, …) ⊆ rV, (enk, eVk) ∈ I ∪ V } is a set
• f actions (rn = f R) which consist of a target rn and a function f R. The function is

composed of input events and variable states.

SLIDE 4

From the definition 1 to the definition 4, we define flexible FSM in definition 5. An fFSM consists of events (input events, output events and internal events), states (states and variable states), initial states, and transitions. Definition 5 (flexible FSM) f F = (I, O, IT, X, V, F). fFSM model has following restrictions. First, a variable state is referenced and updated by only an atomic fFSM, which is only one state set except variable states, |X−V|=1, so in the figure 1, atomic fFSMs are s2, s3, s4. Second, there is no inter- transition between concurrent fFSMs. Third, communication between concurrent fFSMs is achieved only by internal events. For example, the definition of figure 1 becomes following.

I = {(coin, {ε}), (ready, {ε}), (stop, {ε}), (time, {ε}), (timeout, {ε}), (error, {ε}), (exit, {ε}), (timeset, {0, …, 1000})} O = {(timeout, {ε}), (error, {ε}), (exit, {ε}), (timeset, {0, …, 1000}), (game_on, {ε}), (waitGo, {ε}), (waitStop, {ε}), (ringBell, {ε}), (tilt, {ε}), (game_over, {ε})} IT = {(timeout, {ε}), (error, {ε}), (exit, {ε}), (timeset, {0, …, 1000})} X = {(s1, {GameOff, GameOn}), (s2, {wait, TimeInit}), (s3, {Ready, Go, Stop, End}), (s4, {Rand}), (remain, {0, …, 1000}), (randn, {1, …, 3})} V = {(remain, {0, …, 1000}), (randn, {1, …, 3})} R = {(s1, GameOff), (s2,TimeInit), (s3, Ready), (s4, Rand), (remain, 0), (randn, 3)} F = {((s1, GameOff), (coin == ε), (s1, GameOn), {game_on=ε, timeset=1000}), ((s1, GameOn), (exit == ε), (s1, GameOff), {ringBell=ε, game_over=ε}), ((s1, GameOn), (erro r== ε), (s1, GameOff), {tilt=ε, game_over=ε}), …}

This version of reflex game is used for describing formal model of fFSM. The set

• f inputs to the system are coin, ready, stop, and time. All but the last are user inputs,

while the last generated by system simply counts off time. Figure 1. fFSM example of reflex game

SLIDE 5

Initially, each atomic fFSM is triggered by input events and makes a transition when its guard condition is satisfied. If the transition produces internal events, transitions triggered by the internal events are made iteratively until there is no more internal event. After every delta-delay, it clears all existing events and sets newly produced internal events at the previous delta-delay. Briefly, an execution of an atomic fFSM consists of a transition triggered by an input event and subsequent transitions triggered by internal events produced by the previous transition. And variable state and output events keep their values to make them persistent.

3 Syntax of pFSM

To define the step semantics of fFSM, we propose N flat parallel machine of fFSM,

• pFSM. Like a fFSM, there exit events, global variables, states, and transition.

I, O, and IT are sets of input events, output events, and internal events, respectively. Unlike previous definition of the event of fFSM, these sets disjoint each other. Each event

i

e in

} ..., , { 1

n

e e IT O I = ∪ ∪ is composed of its domain

i

D and initial value

i

d ,

and

) ( i e val

denotes current value of the event. Simple FSM is defined by 4-tuples ) , , , ( scr T s S , where S is a set of states, s0 is the initial state, and T is set of transition

• relations. In the PeaCE approach, dataflow models are controlled by external signals

generated by fFSM, which can be labeled at a proper state as a set of atomic

• proposition. We call the labels scripts, and Script represents the set of all scripts
• ccurring in the fFSM. Thus,

Script

S scr 2 : → is a label function to map to a set of scripts at each state. fFSM has two types of composition like other variants of Harel’s Statecharts: concurrent and hierarchical compositions. HSEM used N-flat parallel machines for describing its operational semantics, because BDD(Binary Decision Diagram) could be represented easily and the compositional model checking could be applied. In this paper, we refer to HSEM semantics to define the fFSM semantics. Definition 6 (pFSM) Now, formal semantics of fFSM is defined as N-flat parallel machines pFSM.

) , , , , , ( V M IT O I pFSM γ =

, where I, O, IT are set of events above, V is a set of global variables,

j

v ∈(

j

D ,

j

d ) , and

} ,..., {

1 n

m m M =

is the set of simple

• FSM. Let the

U

n i i

S

1 =

= ∑

be the set of all states in M, hierarchical relation γ maps a state to the set of machines which belong to the state:

. 2 :

M

→ ∑ γ

The hierarchical function γ has three properties: there exist a unique root machine, Every non-root machine has exactly one ancestor state, and the composition function contains no cycles. Let , 2 :

∑

→ ∑ sub and } ' ) ( | ' { ) (

i i

S s s M s s sub ∈ ∧ ∈ = γ is another function to relate between a super state and its sub states. sub+ denotes the transitive closure of sub and sub* denotes the reflexive transitive closure of sub.

SLIDE 6

Definition 7 (Simple FSM) ) , , , (

i i i i i

scr T s S m = i. } ..., , , {

1 n i i i i

s s s S = is the finite set of states of mi, ii.

i

s is a initial state, iii.

i

T is the set of transition of mi, and a transition ) ' , , , ( s A g s T t

i =

∈ is composed

• f source and target states s, s′∈Si, guarding condition g which is Boolean

expression, and set of actions A, iv.

Script i i S

scr 2 : → is a function to map a set of script into a state. Guards that include variables and events have the following minimal grammar. Exp v Exp v Exp e Exp e G G G true G = < = < ∧ ¬ = | | | | | | ::

2 1 2 1

| | :: Exp Exp v n Exp

• =

, where n is an integer constant, V v∈ is a global variable, •∈{+, −, ×, / } represents a set of binary operators. To select some facts of a transition ) ' , , , ( s A g s t = , following projection functions are useful: source(t) = s, target(t) = s′, guard(t) = g, action(t) = A. Also, in a set of actions A, each action element a∈A consists of variable assignment

• r event emission:

a ::= v:=Exp | e:=Exp. For an action element, following three projection functions are used, because an action set is composed of updating variables, emitting some output events, and producing internal signals(or events). } ) : .( | : { ) ( A Exp v V v Exp v A update ∈ = ∈ ∃ = = } ) : .( | : { ) ( A Exp e O e Exp e A

• utput

∈ = ∈ ∃ = = } ) : .( | : { ) ( A Exp e IT e Exp e A signal ∈ = ∈ ∃ = = Figure 2 shows pFSM corresponding to figure 1, and the below example presents the definition of figure 2.

I = {coin, ready, stop, time}, O = {game_on, waitGo, waitStop, ringBell, tilt, game_over} IT = {timeset, timeout, error, exit}, V = {randn, remain} M = {m1, m2, m3, m4}, γ(m1) = {m3, m4}, γ(m2) = γ(m3) = γ(m4) = ∅,

) , , , (

1 1 1 1 1

scr T s S m =

, S1 = {GameOff, GameOn},

1

s = GameOff,

T1 = {(GameOff, coin = 1, {game_on = 1, timeset = 1000}, GameOn), (GameOn, exit = 1, {game_over = 1, ringBell = 1}, GameOff), (GameOn, error = 1, {game_over = 1, tilt = 1}, GameOff}, scr1 = ∅

Figure 2. Flatten machine pFSM

SLIDE 7

4 Semantics of pFSM

Step semantics or operational semantics of an fFSM defines how the model changes state from one configuration to another on the reception of some events, while it at the same time executes actions consisting of emitting output and internal events and updating of global variables. Definition 8 (Configuration) ∆ represents the whole configurations of pFSM model, for each mi of pFSM, its formal definition is } , | } , ... , {{ 1 n i S s s s

i i n

≤ < ∈ ∃ = ∆ . ∆ ∈ δ , } , , {

1 n

s s K = δ is an initial configuration. Erich’s definition of a configuration is a set of active states, so the size of the set is not fixed. But the size of a configuration δ is the same of the set of machines M, so we need to define which state is active. Definition 9 (Active state) It can be defined that a state s is active in configuration δ as follow: s = | δ iff δ ∈ ⇒ ∈ ∑ ∈ ∀ ' ) ' ( . '

*

s s sub s s . Definition 10 (Satisfiability) To decide which transition is enabled, given the set of events

IT I

E 2 2 ∪ ⊆ and the current configuration δ, configuration δ and events E satisfies a guard g, ) ( | , t guard E = δ , is defined inductively. true iff true E = | , δ G E not iff G E = ¬ = | , | , δ δ

2 1 2 1

| , | , | , G E and G E iff G G E = = ∧ = δ δ δ ) ( ) ( | , Exp val e val and E e iff Exp e E < ∈ < = δ ) ( ) ( | , Exp val e val and E e iff Exp e E = ∈ = = δ ) ( ) ( | , Exp val v val iff Exp v E < < = δ ) ( ) ( | , Exp val v val iff Exp v E = = = δ , where n n val = ) ( , ) (e val denotes the current value of event e, and ) (v val denotes the current value of variable v. ) ( ) ( ) (

2 1 2 1

Exp val Exp val Exp Exp val

• =
• .

Definition 11 (Enabled transition) Through the definitions of active states and satisfiability relation, we define a set of enable transitions for each active state. )} ( | ) ( | , }. ,..., 1 { | { t source t guard E T t n i t ET

i

= ∧ = ∧ ∈ ∈ ∀ = δ δ Definition 12 (Executable transition) The set of executable transitions are non- conflicting set of transitions and every simple FSM must contribute at most one

• transition. As fFSM model has no inter-level transition, the conflict only occurs

SLIDE 8

between two transitions which have different and comparable priorities. ))} ' ( ( ) ( . ' | { t source sub t source ET t ET t XT

+

∈ ∈ ¬∃ ∈ = , 1 | | . ≤ ∩ ∈ ∀

i i

T XT M m Definition 13 (LKS) Step semantics of pFSM is defined by LKS(Labeled Kripke Structure). ) , , , ( L R q Q LKS = is defined: } , ... , { 0

n

q q Q = is the finite set of states in LKS, ) , , ( c q ∅ = δ is an initial state, Q Q R

Act ×

× ⊆ 2 is the set of transitions with label as the set of actions,

Script

Q L 2 : → is label function such that

U

δ |

) ( ) (

= ∀

=

s i

s scr q L . The step could be explained both micro step and macro step. The micro step stands for one step triggered by input or internal events, and macro step is a finite sequence

• f micro steps each of which is triggered by one input event or consequent internal

events until the produced internal event won’t exit any more. Definition 14 (Micro step) ) , , ( ) , , ( c E c E

Act

′ ′ ′ ⎯→ ⎯ δ δ Given the current configuration δ and the set of events E, the next configuration δ′ is defined as follow: )} )) ( ( ( )) ( )) ( ( ( )) ( ) ( .( . | {

*

s s t source sub s s reset s t source sub s t get tar s t source s XT t s s = ′ ⇒ ∉ ∨ = ′ ⇒ ∈ ∨ = ′ ⇒ = ∈ ∃ ∈ ∀ ′ = ′

+

δ δ

,

where

i i i

S s s m s sub s s s reset ∈ ∧ ′ ′ ∈ ∧ ′ ′ ∈ = ) ( ) ( , ) ( γ

U

XT t

t action signal E

∈ ∀

= ′ )) ( ( , and ) (q L c ′ = ′ ,

U U

XT t XT t

t action update t action

• utput

Act

∈ ∀ ∈ ∀

∪ = )) ( ( )) ( ( Definition 15 (Macro step) Step semantics of pFSM is represented by q q

Exe

′ ⎯→ ⎯ , called an execution, which is triggered by input event and produces cascaded input

• events. Thus one input event and consequent internal events make transitions until

any internal event cannot be produced. After each micro step, all previous events are consumed by delta-delay. In the following definition, k > 1 is the first k which makes Ei,k to ∅, and

U

k j j i

Act Exe

< < ∀

= is a set of all actions during macro step. ) , , ( ) , , (

1 1 + + ∅

⎯ ⎯→ ⎯

i i Exe i i i

c c E

i

δ δ iff ) , , ( ) , , (

, , 1 , 1 , 1 ,

1 1

k i k i Act Act i i i

c c E

k

∅ ⎯ ⎯ → ⎯ ⎯ ⎯→ ⎯

−

δ δ L .

SLIDE 9

Figure 3 Example of micro step(a) and macro step(b) When input event “coin” occurs, control of the system is moved from the initial configuration {GameOff, TimeInit, Ready, Rand} to {GameOn, wait, Ready, Rand}. For error detection, we define three kinds of error: Race Condition, Ambiguous transition, and Circular transition. Definition 16 (Race Condition) There can be multiple writers for an output event or a variable state during an execution of fFSM model. LHS denote the left hand side of an assignment statement. L L ⎯ ⎯→ ⎯ ⎯ ⎯ → ⎯ ⎯ ⎯→ ⎯

− k k

Act k i k i k i Act Act i i i

c E c E ) , , ( ) , , (

, , , 1 , 1 , 1 ,

1 1

δ δ ) ( ) ( .

1 k j k j

Act LHS Act LHS = ∃

< ≤

Definition 17 (Ambiguous transition) Multiple transitions from one state can be enabled simultaneously.

) ( ) ( . , t source t source XT t t ′ = ∈ ′ ∃

Definition 18 (Circular transition) There can exist circular transitions by cascaded internal transitions. L L ⎯ ⎯ → ⎯ ⎯ ⎯ → ⎯ ⎯ ⎯→ ⎯

− k k

Act k i k i k i Act Act i i i

c E c E ) , , ( ) , , (

, , , 1 , 1 , 1 ,

1 1

δ δ

k i j i k j k i j i k j

E E Act Act

, , , , 1

. = ∧ = ∧ = ∃

< <

δ δ For example, if a snapshot of system contains a configuration {GameOn, Wait, Ready, Rand}, occurring event set are user event “ready” and system event “time”, and variable remain is zero then, although it is a rare case, it breaks the output constraint that output value must be persistent during one execution, since remain have multiple assignments. Table 1 explains it. Table 1. Violation of Race Condition

events Configuration Actions

{time, ready} {GameOn, Wait, Ready, Rand} {waitGo:=1, remain:=0} {timeset, timeout} {GameOn, TimeInit, Go, Rand} {waitStop:=1, remain:=randn*128} {timeset} {GameOn, Wait, Stop, Rand} { remain:=1000} ∅ {GameOn, Wait, Stop, Rand} −

SLIDE 10

5 Conclusions

As a systematic design approach, hardware/software codesign has been focused as a new design methodology to bridge the increasing gap between design complexity and

• productivity. PeaCE[1] is a hardware/software codesign framework and it has models

to express data flow and control flow. fFSM is a model for describing the control flow aspects in PeaCE, but due to lack of their formality, it has difficulties in verifying the specification. In this paper, for lifting the reliability for code generation in the codesign framework and enabling formal verification of the control model, we defined the step semantics for the fFSM model. Both micro and macro step semantics of an fFSM defined how the model changes state from one configuration to another on the reception of some events, while it executes actions at the same time. Also we defined three kinds of error: race condition, ambiguous transition, and circular transition. These definitions should be foundation about reliable code generation and formal

• verification. Now we are developing symbolic model checker for fFSM based on this

step semantics.

References

• 1. D. Kim, S. Ha, "Static Analysis and Automatic Code Synthesis of flexible FSM Model",

ASP-DAC 2005 Jan 18-21, 2005

• 2. iLogix: http://www.ilogix.com/
• 3. http://ptolemy.eecs.berkeley.edu/
• 4. E. Mikk, Y. Lakhnech, M. Siegel, "Hierarchical automata as model for statecharts", LNCS
• Vol. 1345, Proceedings of the 3rd ACSC, pp. 181-196, 1997.
• 5. D. Harel, A. Naamad, "The STATEMATE semantics of statecharts", ACM Transactions on

Software Engineering Methodology, 5(4), October 1996.

• 6. J. Lind-Nielsen, H. R. Andersen, H. Hulgaard, G. Behrmann, K. J. Kristoffersen, K. G.

Larsen, "Verification of Large State/Event Systems Using Compositionality and Dependency Analysis", FMSD, pp. 5-23, 2001.

• 7. IAR: http://www.iar.com/products/vs/
• 8. D. Kim, "System-Level Specification and Cosimulation for Multimedia Embedded

Systems," Ph.D. Dissertation, Computer Science Department, Seoul National University, 2004.

• 9. J. B. Lind-Nielsen, "Verification of Large State/Event Systems," Ph.D. Dissertation,

Department of Information Technology, Technical University of Denmark, 2000.