SPECIFICATION MODELS. Chapter 3. Overview. Introducing Hierarchy. StateCharts

Size: px

Start display at page:

Download "SPECIFICATION MODELS. Chapter 3. Overview. Introducing Hierarchy. StateCharts"

Jeffery Williams
5 years ago
Views:

hapter SPEIFITION MOELS Overview Stateharts Hierarchy oncurrency Events and ctions Simulation Semantics Non-eterminism and onflicts Petri Nets Notation oncurrency Petri Net Languages ehavioral

1 hapter SPEIFITION MOELS Overview Stateharts Hierarchy oncurrency Events and ctions Simulation Semantics Non-eterminism and onflicts Petri Nets Notation oncurrency Petri Net Languages ehavioral Properties nalysis Roger Wattenhofer ETH Zurich istributed omputing / Stateharts Introducing Hierarchy eficits of finite automata for modeling: Only one sequential process, no concurrency No hierarchical structuring capabilities Extension Statecharts: Model of avid Harel [987] Stateharts introduces hierarchy, concurrency and computation Model is used in many tools for the specification, analysis and simulation of discrete event systems, e.g. Matlab-Stateflow, UML, Rhapsody, Magnum omplicated semantics: We will only cover some basic mechanisms. f g h i j E m F S f g h i j E FSM is in exactly one of the sub states of S if S is active (either in xor xor ) super-state sub states m F / /

2 ey-off ey-on efinitions Introducing oncurrency super-state S is called OR-super-state, if exactly one of its sub states is active when S is active. S f g h i j E m F equivalent S f g h i j E urrent states of FSMs are called active states States which are not composed of other states are called basic States containing other states are called super states For each basic state s, the super-states containing s are called ancestor states m F super-state S is called N-super-state, if all (immediate) sub-states are active when S is active. answering machine ON Line monitoring Line wait ring hang-up (caller) Line Process ey-off OFF Key monitoring (excl. ON / OFF) Key wait ey-on ey pressed done Key Process /5 /6 Entering and leaving N-Super-States Representation of omputations New: on / off events handled by ey process. answering machine ON Line monitoring Line wait ring hang-up (caller) Line Process Key monitoring (incl. ON / OFF) Key wait ey pressed done Key Process esides states, arbitrary many other variables can be defined. This way, not all states of the system are modeled explicitly. The variables can be changed as a result of a state transaction ( action ). State transitions can be dependent on these variables ( conditions ). action condition variables OFF /7 /8

3 General form of edge labels Events and ctions event [condition] / reaction event [condition] / reaction Event ondition an be either internally or externally generated. Refer to values of variables that eep their value until they are reassigned. State transition Transition is enabled if event exists and condition holds Reaction / ction an be assignment to variables and/or creation of events n event can be composed of several events: (e and e) event that corresponds to the simultaneous occurrence of e and e. (e or e) event that corresponds to the occurrence of either e or e or both. (not e) event that corresponds to the absence of event e. Similarly for conditions reaction can also be composed: (a; a) actions a und a are executed sequentially. ll events, states and actions are globally visible. /9 /0 Example The Stateharts Simulation Phases e / a [c] / a event [condition] / reaction The transitions are evaluated in simulation steps. e: a: Each step is divided in three phases: a: c: true false time. Effect of changes on events and conditions is evaluated.. The set of transitions to be made in the current step and e: right hand sides of assignments are computed. a: a: c: true false. Transitions become effective, variables obtain new values. / /

4 Example Swap More on semantics of Stateharts swap e / a:=b e / b:=a / a:=; b:=0 Unfortunately, there are several time-semantics of Stateharts in use. This is one possibility: step is executed in arbitrarily small time. Internal (generated) events exist only within the next step. External events can only be detected after a stable state has been reached. In phase, variables a and b are assigned to temporary variables In phase, these are assigned to b and a, respectively s a result, variables a and b are swapped state transitions external events stable state stable state t transport of internal events step / / Example, Stable State and State iagram Example Non-eterminism a/a c/c a b/a a e E G a e F H orresponding state diagrams: ac/a, ac/c, ac/a c, c/c a/a,, b/a ab, ab/a, unstable state ba/a, a State iagram Which one is chosen? /5 /6

onflicts OR or XOR? Real Time Exercise Reservoir bc bc XOR b b c bc XOR (with priority to b if simultaneous events) What if the events b and c occur simultaneously?

5 onflicts OR or XOR? Real Time Exercise Reservoir bc bc XOR b b c bc XOR (with priority to b if simultaneous events) What if the events b and c occur simultaneously? bc bc OR bc Initial ondition Empty pools, faucets closed Sensors & regulators F i, G i = 0 if closed H i, L i = if water is above sensor Operation fter pressing button m, the pools are filled up to level H i. When pool i has reached H i, close F i and open G i until the water level reaches L i. Restarting is only possible after both pools have been emptied. Q: raw a Statehart that models this system. H reservoir F F H Pool Pool L L G G m /7 /8 Real Time Solution Reservoir Usability reservoir F F H L H Pool Pool L G G m ε [ && ] m \ F =;F = H \ F =0;G = H \ F =0;G = Intuitive language to describe event driven automata New: oncurrency incl. synchronization Used in different flavors in industry and even for ids: L \ G =0 L \ G =0 /9 /0

6 Summary Where are we? dvantages of hierarchical state machines: Simple transformation into efficient hardware and software implementations Efficient simulation asis for formal verification (usually via symbolic model checing), if in reactions only events are generated isadvantages: Intricate for large systems, limited re-usability of models No formal representation of operations on data Large part of the system state is hidden in variables. This limits possibilities for efficient implementation and formal verification. Stateharts Hierarchy oncurrency Events and ctions Simulation Semantics Non-eterminism and onflicts Petri Nets Notation oncurrency Petri Net Languages ehavioral Properties nalysis / / Petri nets Motivation Petri net efinition In contrast to hierarchical state machines, state transitions in Petri nets are asynchronous. The ordering of transitions is partly uncoordinated; it is specified by a partial order. Petri net is a bipartite, directed graph defined by a -tuple (S, T, F, M 0 ), where Therefore, Petri nets can be used to model concurrent distributed systems. Many flavors of Petri nets are in use, e.g. ctivity charts (UML) ata flow graphs and mared graphs GRFET (programming language for prog. logic controllers) S is a set of places p i T is a set of transitions t i F is a set of edges (flow relations) f i M 0 : S N; the initial maring p p p t Invented by arl dam Petri in 96 in his thesis Kommuniation mit utomaten p5 p / /

7 Toen maring Toen game of Petri nets Each place p i is mared with a certain number of toens The initial distribution of the toens is given by M 0 M(s) denotes the maring of a place s The distribution of toens on places defines the state of a Petri net The dynamics of a Petri net is defined by a toen game maring M activates a transition t T if each place p i connected through an edge f i towards t contains at least one toen. If a transition t is activated by M, a state transition to M fires (happens) eventually. Only one transition is fired at any time. When a transition fires, it onsumes a toen from each of its input places dds a toen to each of its output places fires /5 /6 Non-eterministic Evolution Syntax Exercise The evolution of Petri nets is not deterministic. Q: Is it a valid Petri Net? Which transitions are activated? Maring after firing? ny of the activated transactions might fire t t E t t F G H I /7 /8

8 Syntax Exercise () Weighted Edges Q: Is it a valid Petri Net? Which transitions are activated? Maring after firing? t ssociating weights to edges: Each edge f i has an associated weight W(f i ) (defaults to ) transition t is active if each place p i connected through an edge f i to t contains at least W(f) toens. J K H O H O Reaction H + O H O L H O H O /9 /0 Finite apacity Petri Net Removing apacity onstraints Each place p i can hold maximally K(p i ) toens transition t is only active if all output places p i of t cannot exceed K(p i ) after firing t. For each place p with K(p) >, add a complementary placep with initial maring M 0 (p ) = K(p) M 0 (p). For each outgoing edge e = (p, t), add an edge e from t to p with weight W(e). For each incoming edge e = (t, p), add an edge e from p to t with weight W(e). K()= t K()= t t K()= t remove capacity constraint Note: Only wors for pure Petri nets, i.e. without self loops. Pure finite capacity Petri Nets can be transformed into equivalent infinite capacity Petri Nets (without capacity restrictions). Equivalence: oth nets have the same set of all possible firing sequences K()= t t K(p)=5 / /

9 Resolving Self-Loops Your turn! The algorithm to remove capacity constraints wors if the Petri net has no self loops (is pure). No Problem! Rewrite the Petri net without self loops: dummy transition Remove the capacity constraint from place t5 t t5 t t K()= t t dummy place / / Modeling FSM oncurrent ctivities FSM can be represented by a subclass of Petri nets, where each transition has exactly one incoming edge and one outgoing edge. Such Petri nets are called state machines oe vending machine revisited Q 0 5 Q 5 Q Q 0 5 Q 5 Q Q State machines allow representation of decision, but no synchronization. General Petri nets support concurrency with intuitive notation: decision / conflict for join / synchronization Soda /5 /6

10 Petri Net Languages ehavioral Properties Transitions labeled with (not necessarily distinct) symbols ny sequence of firing the transitions generates a string of symbols (word) Final place Reachability maring M n is reachable iff there exists a sequence of firings {t, t, t n } s.t. M n = M 0 t t t n Reachability is decidable, but taes exponential space (and time) for the general case L(M 0 ) = {a n b m c m n m 0 }??? a b c Every finite-state machine can be modeled by a Petri net Every regular language is a Petri net language K-oundedness Petri net is K-bounded if the number of toens in every place never exceeds K. The number of states is finite. Safety -oundedness: Every node holds at most toen at any time /7 /8 ehavioral Properties () Liveness Example Liveness Having reached M n from M 0, can we eventually fire any transition? losely related to the complete absence of dead locs. transition t in a Petri net is dead iff t cannot be fired in any firing sequence of L(M 0 ) L -live iff t can be fired at least once in some sequence of L(M 0 ) L -live iff, N +, t can be fired at least times in some sequence of L(M 0 ) L -live iff t appears infinitely often in some infinite sequence of L(M 0 ) L -live (live) iff t is L -live for every maring reachable from M 0 t t Note: L -liveness ) L -liveness )L -liveness )L -liveness /9 /0

11 nalysis Methods overability Tree overability tree Enumeration of all reachable marings, limited to small nets Incidence Matrix escribes the toen-flow llows a necessary but not sufficient condition for reachability Reduction Rules Simplification rules to rewrite a Petri net, conserving liveness, safeness and boundedness properties. Question: What toen distributions are reachable? Problem: There might be infinitely many ) must avoid infinite tree Solution: etect & handle infinite cycles t Special symbol to denote an arbitrary number of toens t0 M = [0 0 ] deadend M 0 = [ 0 0] M = [0 ] t M = [ 0] M 6 = [ 0] old M 5 = [0 ] old / / overability Tree the lgorithm Special symbol, similar to : nn: > n; = ± n; Label initial maring M 0 as root and tag it as new while new marings exist, pic one, say M If M is identical to a maring on the way from the root to M, mar it as old; continue; If no transitions are enabled at M, tag it as deadend; For each enabled transition t at M do Obtain maring M' = M t If there exists a maring M'' on the way from the root to M s.t. M'(p) M''(p) for each place p and M' M'', replace M'(p) with for p where M'(p) > M''(p). Introduce M' as a node, draw an arc with label t from M to M' and tag M' new. Results from the overability Tree T The net is bounded iffdoes not appear in any node label of T The net is safe iff only 0 and appear in the node labels of T transition t is dead iff it does not appear as an arc in T If M is reachable from M 0, then there exists a node M' s.t. M M'. (This is a necessary, but not sufficient condition for reachability.) For bounded Petri nets, this tree does not contain and is also called reachability tree, as all reachable marings are contained in it. / /

12 Incidence Matrix State Equation Goal: escribe a Petri net through equations The incidence matrix (m n) describes the toen-flow according for the n different transitions ij = gain of toens at node i m when transition j n fires maring M is written as a m column vector The firing vector u i describes the firing of transition t i. It consists of all 0, except for the i-th row, where it has a. E.g. t t transition t i from M to M + is written as M + = M + u i M is obtained from M 0 by firing /5 /6 State Equation: Reachability Reduction Rules maring M is reachable from M 0 if there is a sequence σ of transitions {t σ[], t σ[],, t σ[] } such that M = M 0 t σ[] t σ[] t σ[]. Expressed with the incidence matrix: M M 0 i () () If M is reachable from M 0, equation () must have a solution where all components of are positive integers. (This is a necessary, but not sufficient condition for reachability.) u [ i] which can be rewritten as M ΔMx M 0 t nalysis of Petri nets is tedious, especially for large, complex nets Often, the complexity for analysis increases exponentially with the size of the Petri net Solution: Simplify the net while retaining the properties to analyze. In our case, the properties in question are Liveness Safeness oundedness 6 of the simplest reduction rules are shown in the sequel /7 /8

13 Reduction Rules () Reduction Rules () Fusion of Series Places (FSP) Fusion of Series Transitions (FST) Elimination of Self Loop Places (ESP) Elimination of Self Loop Transitions (EST) Fusion of Parallel Places (FPP) Fusion of Parallel Transitions (FPT) /9 /50 Reduction Example ommon Extensions t olored Petri nets: Toens carry values (colors) ny Petri net with finite number of colors can be transformed into a regular Petri net. ontinuous Petri nets: The number of toens can be real. annot be transformed to a regular Petri net Inhibitor rcs: Enable a transition if a place contains no toens annot be transformed to a regular Petri net t Final place a b c /5 /5

DES. 4. Petri Nets. Introduction. Different Classes of Petri Net. Petri net properties. Analysis of Petri net models

DES. 4. Petri Nets. Introduction. Different Classes of Petri Net. Petri net properties. Analysis of Petri net models 4. Petri Nets Introduction Different Classes of Petri Net Petri net properties Analysis of Petri net models 1 Petri Nets C.A Petri, TU Darmstadt, 1962 A mathematical and graphical modeling method. Describe