Modeling 8N1 Protocol with Uppaal

Transcription

1 Modeling 8N1 Protocol with Uppaal Faranak Heidarian July Introduction 8N1 Protocol is a common physical layer protocol used in UARTs. Indeed, 8N1 is a common shorthand notation for a serial port parameter setting or configuration in asynchronous mode, in which there are eight (8) data bits, no (N) parity bit, and one (1) stop bit. 8N1 is the most common configuration for PC serial communications today. The abbreviation is usually given together with the line speed in bits per second, as in 9600/8N1. The speed includes bits for framing (stop bits, parity, etc.) and the effective data rate is lower than the bit transmission rate. For 8N1 encoding, only 80% of the bits are available for data (for every eight bits of data, ten bits are sent over the serial link: one start bit, the eight data bits, and the one stop bit). This mode was also commonplace for the link between modems until the 1990s when Link Access Procedure for Modems became widespread. 8N1 is still in use for the computer to modem connection. 8N1 is a simple encoding scheme in which an edge is guaranteed to occur only at the beginning of each frame, a sequence of bits that includes a start bit, stop bit, and eight data bits. Data bits are encoded by the identity function in which a 1 is a 1 and a 0 is a 0. Consequently, the clock can only be recovered once in each frame in which the eight data bits are transmitted. Thus, the central design issue for a data decoder is reliably extracting a clock signal from the combined signal. Once the locations of the clock events are known, extracting the data is relatively simple. Although the clock events have a known relationship to signal transitions, detecting these transitions precisely is usually impossible because of distortion in the signal around the transitions, clock jitter, and other effects. The transmitter and receiver of the data do not share a common time base, and hence the estimation of clock events is affected by differences in the reference clocks used. Constant delay is largely irrelevant; however, transition time and variable delay (e.g., jitter) are not. Furthermore, differences in receiver and transmitter clock phase and frequency are significant. Any correctness proof of an 8-N-1 decoder must be valid over a range of parameters defining limits on jitter, transition time, frequency, and clock phase. 8N1, illustrated in Fig. 1, is a frame-based protocol where re-synchronization occurs once per frame. Each frame consists of a start bit (0), eight data bits, and one or more stop bits (1), making 10 bits in total. 1

2 of the serial interface, not application nuances of handshaking or the physical layer, and so is applicable to all generalized UART applications. UART Timing A typical UART frame is shown in Figure 1. It comprises a Start bit, 8 data bits, and a Stop bit. Other variants are also possible in RS-232 applications - the data packet could be 5, 6, or 7 bits long, there could be 2 Stop bits, and a Parity bit could be inserted between the data packet and the Stop bit for rudimentary error detection. Figure 1 shows the signaling as seen at a UART's TXD (Transmit Data) or RXD (Receive Data) pins. RS-232 bus drivers invert as well as level shift, so a logic 1 is a negative voltage on the bus, and a logic 0 is a positive voltage. receiver doesn't know when a packet will be sent, with respect to the receiver clock, hence the protocol is termed asynchronous. The receiver circuitry is correspondingly more complex than that of the transmitter. While the transmitter simply has to shuffle out a frame of data at a defined bit rate, the receiver has to recognize the start of the frame to synchronize itself, and therefore determine the best data sampling point for the bitstream. Figure 2 shows a common method used by UART receivers to synchronize to a received frame. The receive UART uses a clock which is 16 times the data rate. A new frame is recognized by the falling edge at the beginning of the active-low Start bit, when the signal changes from the active-high Stop bit or bus idle condition. The receive UART resets its counters on this falling edge, and expects mid Start bit to occur after 8 clock cycles, Figure 1. and A the typical mid UART point data of each frame. subsequent bit to appear every 16 clock cycles thereafter. The Start bit is typically sampled at the mid bit time to check that the level is still low, to ensure that the detected falling edge was a Start bit not a noise spike. Another common improvement is to sample each bit not simply once at the mid bit When two position UARTs (clock communicate, Figure count 81: out it Aof is 16), a Typical given but that three both UART times transmitter (clock Data counts and receiver Frame 7, 8, and know 9 out the of signaling 16). speed. The Figure 2. UART receive frame synchronization and data sampling points. Figure 2: UART Receive Frame Synchronization and Data Sampling Points Timing Accuracy So the question is: how accurate does the receive UART clock have to be to be sure of receiving data correctly? (Actually, a better question is to ask how far different the transmit and receive UART clocks can be, since the absolute clock rate is unimportant for the purposes of accurate reception. More on this later.) To answer this, the first point to understand is that because the UART receiver synchronizes itself to the start of each and every frame, we only care about accurate data sampling during one frame. There isn't any buildup of error beyond a frame's Stop bit, which simplifies analysis because we only have to consider one frame as the worst case. When two UARTs communicate, it is a given that both transmitter and receiver know the signaling speed. The receiver doesn t know when a packet will be sent, with respect to the receiver clock, hence the protocol is termed asynchronous. The receiver circuitry is correspondingly more complex than that of the transmitter. While the transmitter simply has to shuffle out a frame of data at a defined bit rate, the receiver has to recognize the start of the frame to synchronize itself, and therefore determine the best data sampling point for the bitstream. Figure 2 shows a common method used by UART receivers to synchronize to a received frame. The receive UART uses a clock which is 16 times the data rate. A new frame is recognized by the falling edge at the beginning of the active-low Start bit, when the signal changes from the active-high Stop bit or bus idle condition. The receive UART resets its counters on this falling edge, and expects mid Start bit to occur after 8 clock cycles, and the mid point of each subsequent bit to appear every 16 clock cycles thereafter. The Start bit is typically sampled at the mid bit time to check that the level is still low, to ensure that the detected falling edge was a Start bit not a noise spike. In this paper, we present a Uppaal model of 8N1 protocol and analyze it by performing compositional abstraction on our model which leads to an abstract Uppaal model of the protocol. We analyze the abstract model to obtain two constraints on the system parameters that guarantee a correct communication between the sender and the receiver. When do we get a timing error due to transmit-receive clock mismatch? Well, we are attempting to sample each bit at the mid point (Figure 2). If we sample a bit! a bit period too early or too late, we will sample at the bit transition and have problems (Figure 3). 2

3 2 Uppaal Model In this section, we describe the model of the 8N1 protocol we constructed by Uppaal[5]. We modeled 8N1 protocol by a chain of timed automata in two levels: concrete and abstract. 2.1 Concrete Model Fig. 3 presents the overall architecture of our Uppaal model. the concrete model consists of a network of 7 timed automata, shown as rectangles, communicating via shared variables(circles) and synchronized actions(labeled arrows). Figure 3: Architecture of the Uppaal Model The automaton CLOCK models the hardware clock at the coning side. The automaton ENCODER models the encoding process: based on a sequence of packets which is is received via variable packet and the tick events from the CLOCK automaton, it generates edge events, that determine a square wave. The WIRE automaton nondeterministically transforms the perfect square wave from the ENCODER into a signal whose value, stored in variable w, is nondeterministically defined during a specified interval after the ENCODER generates an edge. Automaton DCLOCK which is similar to CLOCK, models the hardware clock at the decoding side. The SAMPLER automaton periodically copies(samples) the value of variable w into variable new. The boolean variable sampled is used to coordinate the SAMPLER and the DCLOCK. The automaton DECODER models the decoding process. It receives tock events of the DCLOCK and counts the clock cycle to guess the midpoints of the current bit; there, the DECODER saves the value of variable new into the variable out and informs the TESTER of a new output bit by a get event. The environment, presented by the TESTER automaton, places a new data packet in variable packet and informs the encoder by a put event. The decoder delivers the data, bit by bit, via register out to the TESTER on a get request. Whenever it observes a discrepancy, the TESTER 3

4 bit length 16 sample 8 min 99 max 100 bouncing 500 Table 1: The Parameters of the Concrete Model automaton jumps to a designated error location. Hence, in order to establish correctness we must prove that the error location is not reachable Model Parameters Table 1 lists the parameters that are used in the model (constants in Uppaal terminology) and gives an example instantiation. The domain of all parameters is the set of natural numbers. Constant bit length specifies the size of a bit in terms of the number of clock cycles. Similarly, sample specifies the sampling distance. Constants min and max specify the minimum and maximum number of time units in a clock cycle (say, measured in nanoseconds); we assume 0 < min max. Constant bouncing specifies the number of time units needed for the signal to stabilize after occurrence of an edge. The values listed for min, max and bouncing are not meant to be realistic; our models clocks are much worse than any that are used in real machines TESTER The automaton TESTER, depicted in Fig. 4, is not a part of the 8N1 protocol but just a highly nondeterministic environment of the protocol that has been designed to test its correctness. The TESTER generates a packet of 10 bits by nondeterministically selecting a value of 0 or 1 for each bit, except for the first and the last bits, which are 0 and 1, respectively and putting them in the register packet that is accessible for the ENCODER. The TESTER remembers which bits it has sent to the protocol. If the transmission of the first packet has been completed, the overflow location T3 is reached. For all parameter assignments for which the protocol operates correctly, there is no packet that has been accepted by the ENCODER but not yet delivered by the DECODER. Whenever the protocol (the DECODER) produces an output, the TESTER checks whether this is the expected value. If it is correct, the TESTER forgets the value, otherwise it jumps to a special ERROR location. If the protocol is correct then the ERROR location cannot be reached CLOCK Timed automaton CLOCK models the hardware clock at the coding side. The automaton, which is displayed in Fig. 5, only has a single location and a single transition. The automaton performs a synchronization action tick! when its clock x has reached a value between min and max, and then returns to its initial state by resetting x. 4

5 put! b1 : BIT, b2 : BIT, b3 : BIT, b4 : BIT, b5 : BIT, b6 : BIT, b7 : BIT, b8 : BIT packet[1] = b1, packet[2] = b2, packet[3] = b3, packet[4] = b4, packet[5] = b5, packet[6] = b6, packet[7] = b7, packet[8] = b8 outx == data_length && out == packet[outx] get? outx := 1 outx < data_length && out == packet[outx] get? outx++ T0 T1 put! T2 out!= packet[outx] get? get? ERROR Figure 4: TESTER timed automaton x >= min tick! x := 0 C x <= max Figure 5: CLOCK timed automaton ENCODER The automaton ENCODER displayed in Fig. 6, has 4 locations. The automaton ENCODER describes how the 8N1 protocol encodes a string of bits (of a packet) and clock edges into a square wave. In its initial location E0 the automaton waits for the environment to send a new packet of bits and jumps to location E1 via a put? transition. In E1, the ENCODER stabilizes and with the first clock tick event, it leaves for the location E2, thereby telling the environment that it is about to fetch a new bit from the packet register. In the location E2, which is urgent, the value of the fetched bit is compared with the last transmitted bit, saved in last, and the automaton jumps to location E3. In case of inequality of the fetched bit and last an edge is generated and the value of the new bit is saved in last. A local integer counter cnt is used to count clock ticks and another local integer n is used to count the bits. Upon entering location E3 the automaton waits until bit length clock ticks have occurred, and then jumps, depending 5

6 on the value of n, either to location E2 (in case n < packet size) or to location E0 (in case n = packet size), the initial location, to transmit the next bit. In our model, we assume the environment generates full packets and asks the encoder to put a packet on the wire when it has one. E1 put? E0 tick? tick? last == packet[n] cnt == bit_length 1 && n == packet_size 1 tick? cnt := 0, n := 0 E2 E3 cnt < bit_length 1 tick? cnt++ last!= packet[n] edge! last := packet[n] cnt == bit_length 1 && n < packet_size 1 tick? cnt := 0, n++ Figure 6: ENCODER timed automaton WIRE The Wire automaton, displayed in Fig. 7, is introduced to model our assumption that it takes bouncing time before an electric signal stabilizes after occurrence of an edge. The Boolean variable v is toggled when an edge? event occurs. Thus, v evolves according to the perfect square wave that is generated by the ENCODER. There is also another Boolean variable w whose values reflect the actual observations that can be made on a physical wire. In the initial location W0 the wire is stable and the values of v and w agree. Upon occurrence of an edge? the WIRE automaton moves to the unstable location W1 in which w can be assigned any value at any time. After being unstable for bouncing time units, the system moves back again to the stable location W0 and the value of w settles to v. For the parameter assignments for which the 8N1 is correct the ENCODER never generates an edge if the WIRE is in location W1. We will prove this by establishing that location W2 is unreachable in the full system for any of the parameter assignments that we consider. We find it convenient to give names to all the transitions in an automaton. This is achieved by misusing the broadcast primitive in Uppaal: the broadcast actions fuzz! and settle! do not synchronize with actions from any other automaton, but are just there to give transitions a name. 6

7 In our model we assume instantaneous message delivery: edges generated by the ENCODER may be detected instantaneously by the DECODER. edge? z := 0, v := 1 v z < bouncing fuzz! w := 1 w edge? W0 W1 W2 z <= bouncing z == bouncing settle! w := v Figure 7: WIRE timed automaton y >= min && sampled tock! y := 0, sampled := false!sampled sample! new := w, sampled := true D y <= max Figure 8: DCLOCK timed automation S Figure 9: SAMPLER timed automaton DCLOCK The DCLOCK automaton, displayed in Fig. 8, models the hardware clock at the decoding side. This automaton is exactly the same as the CLOCK at the coder side, except that it also reads/writes variable sampled to ensure strict alternation of the sample and tock actions SAMPLER The SAMPLER automaton, displayed in Fig. 9, only has a single location and a single transition. The transition copies (samples) the value of the wire variable w to a variable new that is used as input for the DECODER. To ensure that the sample transition occurs exactly once during every clock cycle we use an auxiliary Boolean variable sampled: if sampled = false then the SAMPLER may sample and if sampled = true then the (decoder) clock may tick. Only the samples taken at the midpoint of bits are actually used in the protocol, though DECODER The DECODER automaton, shown in Fig. 10, models in a straightforward manner the decoding of the (sampled) wire signal into a bit string. Like the ENCODER 7

8 automaton, the activity of the DECODER automaton is driven by clock ticks. In the initial location D0, each clock tick causes the automaton to compare the most recent value that has been sampled from the wire (new) with the 1. As long as these values remain the same no action is taken. But as soon as the value of new become 0, the automaton concludes that an edge has occurred and a new data packet is started, so it moves to location D1, and starts counting the clock cycles. A local integer counter cnt is used to count clock ticks. After occurring sample clock cycles (reaching the midpoint of the assumed bit), the automaton DECODER observe the value of new; in case of new = 1, it concludes a mistake in detecting the start of the packet and jumps back to location D0, while reseting cnt and m, and waits for a falling edge, otherwise it jumps to location D2 and waits for the rest. In location D2, the automaton DECODER starts counting bit length clock cycles to reach the midpoint of the next bit, thereby it observes the value of a local integer variable m to see whether the whole data packet is processed, if so (m = data size), it jumps, depending on the value of new to either location D0 (in case of new = 1) or to location STOP BIT ERROR (in case of new = 0); otherwise it jumps to location D3 while saving the value of new in out, reseting cnt and incrementing m. Location D3 is an urgent location from which the DECODER jumps back to D2 with a get! event to inform the environment of decoding a new bit Uppaal Analysis Results We call the 8N1 protocol synchronized if whenever the encoder sends a packet the decoder detects the start bit and stop bit, correctly and receives the same data bits as the encoder sends. The basic wellformedness properties that we tested are that the system contains no deadlocks, the encoder never starts an other voltage transition (edge) while the WIRE automaton is still in its unstable location, and that there are never more than one packets in transit in the protocol: A[] not (deadlock or WIRE.W2 or TESTER.T2). But the key correctness property, of course, is that the TESTER never enters the ERROR location and the decoder never encounters a stop bit error, that is reading 0 instead of 1 as the 10th bit a packet: A[] not (TESTER.ERROR or DECODER.STOP BIT ERROR). To make the model checking easier, we merge the two properties and simply concentrate on the safety property: A[] not (deadlock or WIRE.W2 or TESTER.T2 or TESTER.ERROR or DECODER.STOP BIT ERROR) 8

9 new == 1 tock? cnt == sampling_distance 1 && new!= 0 tock? cnt := 0 cnt < sampling_distance 1 tock? cnt++ D0 new == 0 tock? D1 cnt == bit_length 1 && m == data_length && new == 1 tock? cnt := 0, m := 0 D2 cnt == sampling_distance 1 && new == 0 tock? cnt := 0 cnt == bit_length 1 && m == data_length && new!= 1 tock? cnt < bit_length 1 tock? cnt++ get! cnt == bit_length 1 && m < data_length tock? out := new, cnt := 0, m++ STOP_BIT_ERROR D3 Figure 10: DECODER timed automaton Whether these properties hold depends on the specific choice of the parameter values. min max bouncing Table 2: Some Uppaal verification results for the Concrete model Table 2 shows some example values of the parameters for which the concrete model is synchronized. In fact, the value of bouncing in this table is the smallest natural number for which the model with the values assigned to min and max is synchronized. Observe that if the ratio of min to max decrease also the values of bouncing decreases, i.e., if the hardware clocks become less accurate, the value of bouncing must be decreased to maintain synchronization. Note that these parameter values are not realistic: a realistic clock accuracy is around 30 ppm (parts-per-million)[ref?]. Through playing with different parameter assignments, and replaying the error traces 9

10 in the simulator, we discovered that there appear to be essentially one error scenario for the concrete system that leads the TESTER to the ERROR location and is the result of fast encoder and slow decoder. The error scenario is illustrated in Fig. 11. Figure 11: Error Scenario of the Concrete System:Fast Encoder-Slow Decoder The concrete system goes wrong when the encoder transmits a (0,0,0,0,0,0,0,0,0,1) packet. The encoder generates a (falling) edge and passes through the low voltage mode (v = 0), lasting 9 bit length clock cycles, maximally fast. This means that 9 bit length min time units after the (falling) edge event that marks the beginning of the packet we see the (rising) edge event that marks the start of the stop bit (the line labeled v in Fig. 11). After the first edge the wire remains unchanged maximally long, that is bouncing time units (the line labeled w in Fig. 11). The decoder may altogether miss the voltage change on the wire if it operates maximally slow for two clock cycles. The decoder continues working maximally slowly: after sample clock cycles, it observes the value of new which is 0 (start bit) and reads seven more 0 data bits, thereafter. Right before the slow decoder reads the 8th bit, the fast encoder generates the (rising) edge of the stop bit, that causes a the decoder to read 1 instead of 0. In order to avoid this error scenario, the following constraint on the parameters must be met, which ensures that an edge at the beginning of the stop bit will always be occurred after the decoder reads the value of the last bit. bouncing + 2max + sample max + 8bit length max < 9bit length min (1) One can think of an error scenario of slow encoder-fast decoder, which we analyzed and obtained constraint 2 to exclude it. However, it can easily be proven that constraint 2 is deducible from the constraint 1. 9bit length max + bouncing < sample min + 9bit length min (2) 10

11 2.2 Abstract model The abstract model consists of a network of 5 timed automata, shown as hatched polygons in Fig. 12. The automata communicate via shared variables(circles) and synchronized actions(labeled arrows). In the level of abstraction, we model the hardware clock inside the encoding part to construct the AENCODER which generates edge events to determine the square wave. The AWIRE automaton is the compositional abstraction of WIRE and SAMPLER automata. AWIRE nondeterministically transforms the perfect square wave from the AENCODER into a signal whose value, stored in variable new, is nondeterministically defined during a specified interval after the AENCODER generates an edge. Automaton ADECODER models the decoding process, as well as the hardware clock. The ADECODER guesses the midpoints of the current bit, where it saves the value of variable new into the variable out and informs the TESTER of a new output bit by a get event. Within our model, the environment, presented by the TESTER automaton which is the same as the one in the concrete model, places a new data packet in variable packet and informs the encoder(concrete or abstract) by a put event. The decoder(concrete or abstract) delivers the data, bit by bit, via register out to the TESTER on a get request. Whenever it observes a discrepancy, the TESTER automaton jumps to a designated error location. Hence, in order to establish correctness we must prove that the error location is not reachable. Figure 12: Architecture of the Uppaal Model, Abstractions Model Parameters Table 3 lists the parameters that are used in the abstract model and gives an example instantiation. The domain of all parameters is the set of natural numbers. Constants max bit length and min bit length specify the maximum and minimum number of time 11

12 max bit length 1600 min bit length 1590 max sample 800 min sample 790 min edge length 99 min edge length 100 bouncing 700 Table 3: The Parameters of the Abstract Model units in a bit, respectively. Similarly, max sample and min sample specify the maximum and minimum sampling distance. Constants min edge length and max edge length specify the minimum and maximum number of time units between two consecutive edges; we assume 0 < min edge length max edge length,0 < min bit length max bit length and 0 < min sample max sample. Constant bouncing a specifies the number of time units needed for the signal to stabilize after occurrence of an edge. Our models clocks are much worse than any that are used in real machines. This model includes four timed automata: TESTER, AENCODER, AWIRE and ADECODER. In this model the TESTER automaton is the same as the previous model, but CLOCK is merged into ENCODER, Fig. 13, and DCLOCK is merged into the DECODER, Fig. 16 and WIRE, SAMPLER and DCLOCK are merged together, Fig TESTER The TESTER automaton is depicted in Fig. 4 and is explained in detail in section AENCODER Like the automaton ENCODER, the automaton AENCODER displayed in Fig. 13, has 4 locations. AENCODER performs similar to ENCODER, with a difference that the hardware clock is modeled by time delays instead of tick actions AWIRE The automaton AWIRE displayed in Fig. 14, has 4 locations. In abstract level, the SAMPLER is embedded in the WIRE thus AWIRE is the same as WIRE, except for writing directly to new instead of writing into wẇe will prove that to have a correct execution of the 8N1 protocol, the constraint bouncing a bouncing + 2max must hold ADCLOCK The ADCLOCK automaton, displayed in Fig. 15, is a simpler version of DCLOCK automaton which models the hardware clock at the decoding side. This automaton is 12

13 put? x := 0 E1 x <= max_edge_length x := 0 E0 last == packet[n] x >= min_bit_length && n == packet_size 1 n := 0 E2 E3 x <= max_bit_length last!= packet[n] edge! last := packet[n] x >= min_bit_length && n < packet_size 1 x := 0, n++ Figure 13: Abstract ENCODER timed automaton edge? z := 0, v := 1 v z < bouncing fuzz! new := 1 new fuzz! new := 1 new edge? edge? W0 z == bouncing settle! new := v W1 z <= bouncing W2 Figure 14: Abstract WIRE timed automaton exactly the same as the CLOCK at the coder side except that it doesn t read/write variable sampled, since the SAMPLER is modeled inside the AWIRE. y >= min tock! y := 0 D y <= max Figure 15: Abstract DCLOCK timed automaton 13

14 2.2.6 ADECODER Like the automaton ADECODER, the automaton ADECODER, displayed in Fig. 16, has 5 locations. ADECODER performs similar to DECODER, with a difference that the hardware clock is modeled by time delays instead of tock actions. new == 1 && y >= min_edge_length y := 0 y >= min_sampling_distance && new!= 0 y := 0 D0 y <= max_edge_length y >= min_edge_length && new == 0 y := 0 D1 y <= max_sampling_distance y >= min_bit_length && m == data_length && new == 1 y := 0, m := 0 y >= min_sampling_distance && new == 0 y := 0 D2 y <= max_bit_length y >= min_bit_length && m == data_length && new!= 1 get! y >= min_bit_length && m < data_length out := new, y := 0, m++ STOP_BIT_ERROR D3 Figure 16: Abstract DECODER timed automaton Uppaal Analysis Results The set of reachable symbolic states of our concrete model is such big that for most of the parameter assignments that we tried, Uppaal spent minutes to establish validity of the properties or produce a counterexample. We reduced the state space in our abstract model which takes only a few second to be verified by Uppaal (running Uppaal version on a standard PC). Like the concrete model, the basic wellformedness properties that we tested are that the system contains no deadlocks, the encoder never starts an other voltage transition (edge) while the WIRE automaton is still in its unstable location, and that there are never more than one packets in transit in the protocol; the key correctness property, of course, is that the TESTER never enters the ERROR location and the decoder never enters the STOP BIT ERROR location. 14

15 We express these safety properties all in one query: A[] not (deadlock or WIRE.W2 or TESTER.T2 or TESTER.ERROR or DECODER.STOP BIT ERROR) Whether the property holds depends on the specific choice of the parameter values. min edge length max edge length min sample max sample min bit length max bit length bouncing a Table 4: Some Uppaal verification results for the Abstract model Table 4 shows some example values of the parameters for which the abstract model is synchronized. The value of bouncing in this table is the smallest natural number for which the model with the given values of edge length, bit length and sampling distance, is synchronized. Through playing with different parameter assignments, and replaying the error traces in the simulator, we discovered that there exist two error scenarios for the abstract system that lead the ADECODER to the STOP BIT ERROR location: Figure 17: Error Scenario of the Abstract System: Fast Encoder-Slow Decoder Fast Encoder-Slow Decoder Sending a (0,0,0,0,0,0,0,0,0,1) packet can make an error in the abstract system, too. The encoder generates a (falling) edge and passes through the the whole packet maximally fast. This means that 10min bit length time 15

16 units after the (falling) edge event that marks the beginning of the packet we see another (falling) edge event that marks the start of a new packet (the line labeled v in Fig. 17). After the first edge the wire remains unchanged maximally long, that is bouncing time units (the red line labeled new in Fig. 17). The decoder may altogether miss the voltage change on the wire if it operates maximally slow for max edge length time units. The decoder continues working maximally slowly: after max sample time units, it observes the value of new which is 0 (start bit) and reads the eight 0 data bits, thereafter. Right before the slow decoder reads the stop bit, the fast encoder generates the (falling) edge of the new packet s start bit, that causes a the decoder to read 0 instead of 1 and to move into location STOP BIT ERROR. In order to avoid this error scenario, the following constraint on the parameters must be met, which ensures that a new packet will be put on the wire only when the decoder is finished reading the stop bit the current packet. bouncing + max edge length + max sample + 9max bit length < 10min bit length (3) Figure 18: Error Scenario of the Abstract System: Slow Encoder-Fast Decoder Slow Encoder-Fast Decoder If the encoder performs maximally slowly, while sending a data packet of (0,0,0,0,0,0,0,0,0,1) to a maximally fast decoder, we will have the error scenario depicted Fig. 18. There, the encoder generates a (falling) edge and sends the start bit and 8 data bits maximally slowly which takes 9max bit length. Then it generates a rising edge to transmit the stop bit. However in a bouncing time units, the voltage of the wire doesn t change. The decoder performs maximally fast and observe the voltage level of the wire right after a fuzz action changes the wire immediately after the falling edge and passes through the 9 bits, maximally fast in 9min bit length. However, it observes a 0 instead of 1 as a stop bit, as the encoder is such slow that it still is not stabilized to 1. Hence, the decoder jumps into location STOP BIT ERROR. In order to avoid this error scenario, the following constraint on the parameters must be met, which ensures that the value of stop bit is stabilized on the wire, before the decoder needs it. 16

17 9max bit length + bouncing < min sample + 9min bit length (4) It is easily provable that the parameter constraints 3 and 4, are the same as the parameter constraints of [2]. We would make some simple substituitions: TSAMPLE*(1+x) = max sample + max bit length TSAMPLE*(1-x) = min sample + min bit length TPERIOD*(1+x) = max bit length TPERIOD*(1-x) = min bit length (1+x) = max edge length bouncing = TSETTLE However, there is a difference between our models of 8N1 in decoding the stop bit and that is: We made our models based on [1] which nots that The receive UART resets its counters on this falling edge, and expects mid Start bit to occur after 8 clock cycles, and the mid point of each subsequent bit to appear every 16 clock cycles thereafter. The Start bit is typically sampled at the mid bit time to check that the level is still low, to ensure that the detected falling edge was a Start bit not a noise spike. On the other hand, in [2], detection of the start of the frame causes the 8N1 decoder to wait until the middle of the first data bit to take its next sample, skipping over the start bit (which has already been detected). 3 Compositional Abstraction We extend the concept of timed-step simulation of [4], to define timed simulation relation between two networks of timed automata. Definition 3.1 Two timed transition systems, T 1 and T 2 are comparable if they have the same set of external variables. For two comparable timed transition systems T 1 and T 2, relation R S 1 S 2 is a timed simulation from T 1 to T 2, provided s 0 1 Rs0 2 and for any reachable state s of T 1 and any reachable state r of T 2, if srr then: 1. s E 1 = r E 2 2. u V al(e 1 ) : s[u]rr[u] 3. If Comm(r) then Comm(s) 4. If s a,b s, either there exists an r such that r a,b r and s Rr or a = τ and s Rr, or a R 0 and there exist a finite sequence of states r 1, r 2,, r k of T 2 and a sequence of time durations d 1, d 2,, d t+2 such that 2 r d 1,0 r 1 17

18 r 1 τ,b r 2 r 2 d 2,0 r 3 Σ k+2 2 i d i = a and q Qr. r k 1. τ,b r k, d k+2,0 2 r k r, Theorem 3.2 Let T 1 and T 2 are comparable timed transition systems and compatible with TTS T 3. If T 1 T 2, then T 1 T 3 T 2 T 3. Proof The proof is an extension of the proof of the similar theorem in [4]. As T 1 T 2, let Q be a timed simulation from T 1 to T 2 and let T 13 = T 1 T 3 and T 23 = T 2 T 3. We define a relation R S 13 S 23 such that q srr s qqr s = s and prove that it is a timed simulation from T 13 to T 23. For arbitrary (q s, r s) R, we prove that the four conditions in the definition of a timed simulation are satisfied. The whole proof is the same as the proof of [4], except for the last part of the 4th condition which is dedicated to the time elapse transitions: Assume that q s a,b q s and assume that a R 0. Then, b = 0, q a,b q and s. Since Q is a timed simulation, there exist a finite sequence of states r 1, r 2,, r k of T 2 and a sequence of time durations d 1, d 2,, d t+2 such that 2 s a,b r d 1,0 r 1 r 1 τ,b r 2 r 2 d 2,0 r 3 r k 1. τ,b r k, d k+2,0 2 r k r, Σ k+2 2 i d i = a and q Qr. Let s = s. Then s s a,b r s and q s Rr s, as requested. 18

19 4 Analysis We prove the abstract model of the 8N1 protocol, modeled by a network of timed automata, is timed-similar to the concrete model. Indeed, we find timed simulation from parts of the concrete system to the parts of abstract system and use the compositional characteristic of time-simulation. Assume T 1 to be a subsystem of the concrete model,, and T 2 to be a subsystem of the abstract model; we define a relation R from the state space of T 1 to the state space of T 2, thereafter, we prove R is a timed simulation by proving that R possesses the four properties of definition 3.1. We prove that for any reachable state s i 1 of T 1 and any reachable state s j 2 of T 2 such that, s i 1 Rsj 2, the four conditions of definition3.1 hold. Theorem 4.1 Let and for which the sets of external variables are We define the relation G as sgr r.packet = s.packet r.loc = s.loc r.n = s.n r.last = s.last loc = E1 s.x r.x T 1 CLOCK ENCODER T 2 AENCODER E 1 = E 2 = {packet}. loc {E2, E3} min s.cnt + s.x r.x max s.cnt + s.x G is a timed simulation relation. Proof Assume that sgr for an arbitrary reachable state s of T 1 and a reachable state r of T 2. By the definition of G, sgr implies s.packet = r.packet which leads to the satisfaction of properties 1 and 2 of the timed simulation. We have no committed states, so the property 3 holds, too. We prove any possible transition from s is mimicked by the abstract system (property 4). Assume that s is reachable from s by a transition labeled by action. 1 action = a time (d) This transition doesn t change the values of any variables but x, thus we consider only the value of x. 19

20 11 s loc = E0 and r loc = E0: The tick event manipulates the value of x, in which we are not interested when loc = E0. 12 s loc = E1 and r loc = E1. sgr s.x r.x (max )s.x + d r.x + d If max = max edge length then, r.x + d max edge length there exists r such that r d r s.x r.x s Gr 13 s loc = E3 and r loc = E3. sgr min s.cnt + s.x r.x max s.cnt + s.x min s.cnt + s.x + d r.x + d max s.cnt + s.x + d min s.cnt + s.x r.x + d max s.cnt + s.x If r.x + d max bit length, there exists r such that r d r min s.cnt + s.x r.x max s.cnt + s.x s Gr invariant 16 : loc = E3 max(s.cnt) = bit length 1 r.x + d max (bit length 1) + s.x + d r.x + d max (bit length 1) + max If max bit length max bit length the tick event holds the conditions of the definition of timed simulation. 2 action = a tick 21 In state s loc = E0 x min, the tick event manipulates the value of variable x, in which we are not interested. 22 s loc = E1 x min and r loc = E1 x min edge length. s = s after tick : s loc = E2 x = 0 Let r = raftera E1 E2 : r loc = E2 x = 0 Invariants?? and 15 s.x = 0 s.cnt = 0 r.x = 0 min s.cnt + s.x r.x max s.cnt + s.x s Gr 23 s loc = E3 x min and r loc = E3. By our assumption that sgr, we know that min s.cnt + s.x r.x max s.cnt + s.x. A tick event from state s can lead to three possible states: 20

21 231 s loc = E3 cnt < bit length cnt = s.cnt + 1 x = 0 min s.cnt + s.x r.x max s.cnt + s.x min s.cnt + min r.x max s.cnt + max min (s.cnt + 1) + 0 r.x max (s.cnt + 1) + 0 min s.cnt + s.x r.x max s.cnt + s x Invariant 16 : loc = E3 s.cnt = bit length 1 min (bit length 1) r.x max (bit length 1) Invariant 20 : r.x max bit length If max bit length max (bit length 1), this tick event holds the conditions of the definition of timed simulation. 232 s loc = E2 cnt = 0 x = 0 which means s loc = E3 cnt = bit length 1 min s.cnt + s.x r.x max s.cnt + s.x min (bit length 1) + min r.x max (bit length 1) + max min bit length r.x max bit length thus, max bit length max bit length and min bit length min bit length are necessary to have a timed simulation. Furthermore, s.cnt = 0 and s.x = 0 and there exists r loc = E2 x = 0 such that min s.cnt+s.x r.x max s.cnt + s.x and r a E3 E2, so s Gr. 233 s loc = E0 cnt = 0 x = 0 which means s loc = E3 cnt = bit length 1, min s.cnt + s.x r.x max s.cnt + s.x min (bit length 1) + min r.x max (bit length 1) + max min bit length r.x max bit length thus, max bit length max bit length and min bit length min bit length are necessary to have a timed simulation. Furthermore, s.cnt = 0 and s.x = 0 and there exists r loc = E0 x = 0 n = 0 such that min s.cnt + s.x r.x max s.cnt + s.x and r a E3 E2, so s Gr. 3 action = a put The event put is enabled in location E0 of T 1 and T 2 ; and s loc = E0 and r loc = E0, and s put s such that s loc = E0. There exists r loc = E0 x = 0 such that r put r. We know s.x 0 and from invariant 14, we know s.x = s.x max, so we have s.x r.x and s Gr. 4 action = a edge The event edge is enabled in location E2 of T 1 and T 2, and dose not change any state variable but the location and last, so we focus only on loc 21

22 and last. s loc = E2 last packet[n] and r loc = E2 last packet[n], and s put s such that s loc = E3 last = packet[n]. There exists r loc = E3 last = packet[n] such that r edge r, so s Gr. 5 action = a E2 E3 The event E2-E3 is enabled in location E2 of T 1 and T 2, and dose not change any state variable but the location, so we focus only on loc. s loc = E2 and r loc = E2, and s put s such that s loc = E3. There exists r loc = E3 such that r a E3 E2 r, so s Gr. Theorem 4.2 Let and for which the sets of external variables are We define the relation Q as T 1 ADCLOCK DECODER sqr r.new = s.new r.out = s.out r.loc = s.loc r.m = s.m r.out = s.out T 2 ADECODER E 1 = E 2 = {new, out}. min s.cnt + s.y r.y max s.cnt + s.y Q is a timed simulation relation. Proof Assume that sqr for an arbitrary reachable state s of T 1 and a reachable state r of T 2. By the definition of Q, sqr implies s.new = r.new and s.new = r.new which leads to the satisfaction of properties 1 and 2 of the timed simulation. We have no committed states, so the property 3 holds, too. We prove any possible transition from s is mimicked by the abstract system (property 4). Assume that s is reachable from s by a transition labeled by action: 1 action = a time (d) 22

23 11 s loc = D0 y + d max and r loc = D0; s loc = D0 y = s.y + d. sqr min s.cnt + s.y r.y max s.cnt + s.y Invariant 23 s.cnt = 0 s.y r.y s.y s.y = r.y Invariant 27 r.y max edge length If max edge length max r.y + d max edge length Thre exists state r, such that r d r and s Qr 12 s loc = D1 y + d max and r loc = D1; s loc = D1 y = s.y + d. sqr min s.cnt + s.y r.y max s.cnt + s.y Invariant 24 s.cnt < sample min s.cnt + s.y r.y max(sample 1) + s.y min s.cnt + s.y + d r.y + d max(sample 1) + s.y + d min s.cnt + s.y + d r.y + d max(sample 1) + max r.y + d max sample Invariant?? r.y max sample If max sample max sample r.y + d max sample There exists state r, such that r d r and s Qr 13 s loc = D2 y + d max and r loc = D2; s loc = D2 y = s.y + d. sqr min s.cnt + s.y r.y max s.cnt + s.y Invariant?? s.cnt < bit length min s.cnt + s.y r.y max (bit length 1) + s.y min s.cnt + s.y + d r.y + d max (bit length 1) + s.y + d min s.cnt + s.y + d r.y + d max (bit length 1) + max r.y + d max bit length Invariant 28 r.y max bit length If max bit length max bit length r.y + d max bit length There exists state r, such that r d r and s Qr 2 action = a tock 21 s loc = D0 y min new = 1 and r loc = D0 new = 1; s loc = 23

24 D0 y = 0. sqr min s.cnt + s.y r.y max s.cnt + s.y Invariant 23 s.cnt = 0 s.y r.y s.y r.y = s.y s.y min and s tock s inwhichs.y = 0 If min edge length min r.y = s.y min min edge length Then there exists state r, such that r D0 D0 r and s Qr 22 s loc = D0 y min new = 0 and r loc = D0 new = 0; s loc = D1 y = 0. sqr min s.cnt + s.y r.y max s.cnt + s.y Invariant 23 s.cnt = 0 s.y r.y s.y r.y = s.y s.y min and s tock s inwhichs.y = 0 If min edge length min r.y = s.y min min edge length Then there exists state r, such that r D0 D1 r and s Qr and r loc = D1 y = 0 new = 0 23 s loc = D1 y min cnt < sample 1 and r loc = D1; s loc = D1 y = 0 cnt = s.cnt + 1. sqr min s.cnt + s.y r.y max s.cnt + s.y Invariant 22 s.y max s.y min and s tock s inwhichs.y = 0 s.cnt = s.cnt + 1 min s.cnt + min r.y max s.cnt + max min(s.cnt + 1) r.y max(s.cnt + 1) min s.cnt r.y max s.cnt s Qr 24 s loc = D1 y min cnt = sample 1 new = 1 and r loc = 24

25 D1 new = 1; s loc = D0 y = 0 cnt = 0. sqr min s.cnt + s.y r.y max s.cnt + s.y cnt = sample 1 s.y min min(sample 1) + min r.y r.y min sample If min sample 1 min sample 1 There exists state r, such that r D1 D0 r and s Qr and r loc = D0 y = 0 new = 1 25 s loc = D1 y min cnt = sample 1 new = 0 and r loc = D1 new = 0; s loc = D2 y = 0 cnt = 0. sqr min s.cnt + s.y r.y max s.cnt + s.y cnt = sample 1 s.y min min(sample 1) + min r.y r.y min samp dist If min samp dist 1 min samp dist 1 There exists state r, such that r D1 D0 r and s Qr and r loc = D2 y = 0 new = 0 26 s loc = D2 y min cnt < bit length 1 and r loc = D2; s loc = D2 y = 0 cnt = s.cnt + 1. sqr min s.cnt + s.y r.y max s.cnt + s.y Invariant 22 s.y max s.y min and s tock s inwhichs.y = 0 s.cnt = s.cnt + 1 min s.cnt + min r.y max s.cnt + max min(s.cnt + 1) r.y max(s.cnt + 1) min s.cnt r.y max s.cnt s Qr 27 s loc = D2 y min cnt = bit length 1 m < data size and r loc = D2; s loc = D3 y = 0 cnt = 0 m = s.m + 1 out = new. sqr min s.cnt + s.y r.y max s.cnt + s.y cnt = bit length 1 s.y min min(bit length 1) + min r.y r.y min bit length If min bit length min bit length There exists state r, such that r D2 D0 r and s Qr and r loc = D3 m = s.m + 1 y = 0 25

26 28 s loc = D2 y min cnt = bit length 1 m = data size new = 1 and r loc = D2 m = data length new = 1; s loc = D0 y = 0 cnt = 0 m = 0. sqr min s.cnt + s.y r.y max s.cnt + s.y cnt = bit length 1 s.y min min(bit length 1) + min r.y r.y min bit length If min bit length min bit length There exists state r, such that r D2 D0 r and s Qr and r loc = D0 m = 0 y = 0 29 s loc = D2 y min cnt = bit length 1 m = data size new = 0 and r loc = D2 m = data size new = 0; s loc = STOP BIT ERROR. sqr min s.cnt + s.y r.y max s.cnt + s.y cnt = bit length 1 s.y min min(bit length 1) + min r.y r.y min bit length If min bit length min bit length There exists state r, such that r D2 ERROR r and s Qr and r loc = STOP BIT ERROR 3 action = a get s loc = D3 cnt = 0 m bit length out = new and r loc = D3 m bit length out = new; s loc = D2, and there exists state r, such that r get r and s Qr. Theorem 4.3 Let and T 1 WIRE DCLOCK SAMPLER T 2 AWIRE ADCLOCK for which the sets of external variables are E 1 = E 2 = {new}. 26

27 We define the relation R as srr r.new = s.new (5) r.y = s.y (6) if r.loc W2 then r.z = s.z (7) if r.loc W2 then r.v = s.v (8) if s.loc = W0 bouncing s.z bouncing + 2max then r.loc = W1 (9) if s.loc = W0 s.z > bouncing + 2 max then r.loc = W0 (10) if s.loc = W1 then r.loc {W1, W2} (11) if s.loc = W2 then r.loc = W2 (12) R is a timed simulation relation. Proof Assume that srr for an arbitrary reachable state s of T 1 and a reachable state r of T 2. By the definition of R, srr implies s.new = r.new which leads to the satisfaction of properties 1 and 2 of the timed simulation. We have no committed states, so the property 3 holds, too. We prove any possible transition from s is mimicked by the abstract system (property 4). Assume that s is reachable from s by a transition labeled by action: 1 action = a time (d) 11 s loc = W0 y+d max z+d bouncing+2max and r loc = W0 y+d max z + d bouncing a ; s loc = W0 y = s.y + d z = s.z + d. srr s.y = r.y s.z = r.z s.y + d = r.y + d s.z + d = r.z + d There exists state r, such that r d r and s Rr and r loc = W0 y = r.y + d z = r.z + d z bouncing a 12 s loc = W0 y+d max z+d bouncing+2max and r loc = W1 y+d max bouncing z + d bouncing a ; s loc = W0 y = s.y + d z = s.z + d. srr s.y = r.y s.z = r.z s.y + d = r.y + d s.z + d = r.z + d r.z + d bouncing a s.z + d bouncing + 2max If bouncing a bouncing + 2max There exists state r, such that r d r and s Rr and r loc = W0 y = r.y + d z = r.z + d z bouncing a 27

28 13 s loc = W0 y+d max z bouncing+2max z+d bouncing+2max and r loc = W1 y + d max bouncing z bouncing a z + d bouncing a ; s loc = W0 y = s.y + d z = s.z + d. srr s.y = r.y s.z = r.z z.v = r.z s.y + d = r.y + d s.z + d = r.z + d r.z + d = s.z + d bouncing a There exist d 1 andd 2 R + andstatesr 1, r 2, andr, such that r d 1 r 1 and r 1 loc = W1 y = r.y + d 1 z = bouncing a r 1 settle r 2 and r 2 loc = W0 y = r.y + d 1 z = bouncing a new = v d r 2 2 r and r loc = W0 y = r.y + d z = r.z + d new = v and r loc = W0 y = r.y + d z = r.z + d new = v Invariant 32 s.z bouncing + 2max z.new = z.v Hence, s Rr 2 action = a tock s y + d min sampled = true and r y + d max; s y = 0 sampled = false, and there exists state r, such that r tock r and s Rr. 3 action = a sample 31 s loc = W0 z bouncing + 2max sampled = false and r loc = W0 z bouncing a ; s loc = W0 new = w sampled = true. srr s.new = r.new Invariant 31 s.z bouncing + 2max s.new = s.w s.new = s.new = r.new s Rr 32 s loc = W0 bouncing z bouncing + 2max sampled = false and r loc = W1 bouncing z bouncing a ; s loc = W0 new = w sampled = true. srr s.new = r.new If s.new = s.w s.new = s.new = r.new s Rr If s.new s.w there exists state r suchthatr fuzz r and r loc = W1 bouncing z bouncing a new = 1 r.new s Rr 28

29 33 s loc = W1 sampled = false and r loc = W1 z bouncing; s loc = W1 new = w sampled = true. srr s.new = r.new If s.new = s.w s.new = s.new = r.new s Rr If s.new s.w there exists state r suchthatr fuzz r and r loc = W1 z bouncing new = 1 r.new = s.new s Rr 34 s loc = W1 sampled = false and r loc = W2; s loc = W1 new = w sampled = true. srr s.new = r.new If s.new = s.w s.new = s.new = r.new s Rr If s.new s.w there exists state r suchthatr fuzz r and r loc = W2 new = 1 r.new = s.new s Rr s sampled = false and any state r of the abstract system, s new = w sampled = true 4 action = a edge 41 s loc = W0 z bouncing + 2max and r loc = W0 z bouncing a ; s loc = W1 v = 1 s.v z = 0. srr s.v = r.v s.z = r.z there exists state r suchthatr edge r and r loc = W1 v = 1 r.v = s.v s Rr 42 s loc = W0 bouncing z bouncing + 2max and r loc = W1 bouncing z bouncing a ; s loc = W1 z = 0 v = 1 s.v. srr s.v = r.v s.z = r.z there exists state r suchthatr edge r and r loc = W2 s Rr 29

30 43 s loc = W1 and r loc = W1 z bouncing; s loc = W2. srr s.v = r.v s.z = r.z there exists state r suchthatr edge r and r loc = W2 s Rr (When r.loc=w2, we are not interested in the values of the state variables, because we are looking for the paths, in which W2 is not reachable.) 5 action = a fuzz 51 s loc = W1 z bouncing and r loc = W1 z bouncing; s loc = W1 w = 1 s.w and as w is hidden in the abstract system s Rr. 52 s loc = W1 z < bouncing and r loc = W2; s loc = W1 w = 1 s.w and as w is hidden in the abstract system s Rr. 53 s loc = W2 and r loc = W2; s loc = W2 w = 1 s.w and as w is hidden in the abstract system s Rr. 6 action = a settle s loc = W1 z = bouncing and r loc = W1 z = bouncing; s loc = W0 new = w. References srr s.new = r.new If s.new = s.w s.new = s.new = r.new s Rr If s.new s.w there exists state r suchthatr fuzz r and r loc = W2 new = 1 r.new = s.new s Rr [1] Maxim Integrated Products, Inc. Determining Clock Accuracy Requirements for UART Communications, June Available at appnotes.cfm/appnotenumber/2141. [2] G. Brown and L. Pike, Easy parameterized verification of biphase and 8N1 protocols, In 12th International Conference on Tools and Algorithms for the Construction and Analysis of Algorithms (TACAS 06), volume 3920 of LNCS, pages 58 72, 2006, Springer. [3] F. W. Vaandrager and A. L. de Groot, Analysis of a biphase mark protocol with Uppaal and PVS, Formal Aspects of Computing, 2006, Springer. 30