ebook img

A Formal Model For Real-Time Parallel Computation PDF

0.17 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview A Formal Model For Real-Time Parallel Computation

A Formal Model For Real-Time Parallel Computation Peter Hui SatishChikkagoudar PacificNorthwestNationalLaboratory Washington,USA [email protected] [email protected] The imposition of real-time constraints on a parallel computing environment— specifically high- performance,cluster-computingsystems—introducesavarietyofchallengeswithrespecttothefor- malverificationofthesystem’stimingproperties.Inthispaper,webrieflymotivatetheneedforsuch asystem,andweintroduceanautomaton-basedmethodforperformingsuchformalverification.We definetheconceptofaconsistentparalleltimingsystem:ahybridsystemconsistingofasetoftimed automata(specifically,timedBu¨chiautomataaswellasatimedvariantofstandardfiniteautomata), intendedtomodelthetimingpropertiesofawell-behavedreal-timeparallelsystem. Finally,wegive a brief case study to demonstratethe conceptsin the paper: a parallelmatrixmultiplicationkernel which operates within provable upper time bounds. We give the algorithm used, a corresponding consistentparalleltimingsystem, andempiricalresultsshowingthatthe systemoperatesunderthe specifiedtimingconstraints. 1 Introduction Real-time computing has traditionally been considered largely in the context of single-processor and embedded systems, andindeed, thetermsreal-time computing, embedded systems, andcontrol systems areoften mentioned inclosely related contexts. However, real-time computing inthecontext ofmultin- ode systems, specifically high-performance, cluster-computing systems, remains relatively unexplored. Itcanbearguedthatonereasonfortherelativedearthofworkinthisareaisthelackofscenariostodate whichwouldrequire such asystem. Previously [11,12],wehavemotivated theemerging needforsuch aninfrastructure, givingaspecificscenariorelatedtothenextgenerationNorthAmericanelectricalgrid. Inthatwork,wedescribedthechangesandchallengesinthepowergriddrivingtheneedformuchhigher levelsofcomputational resourcesforpowergridoperations. Tobrieflysummarize(andtoprovidesome motivational context forthecurrent work), manyofthese computations— particularly floating-point in- tensive simulations and optimization calculations ([2, 3, 8, 9, 10])—can be more effectively done in a centralized manner, and the amount and scale of such data is estimated by some [11, 12] to be on the order of terabytes per day of streaming sensor data (e.g. Phasor Measurement Units (PMUs)), with the need to analyze thedata within astrict cyclical window (every 30ms), presumably with theaid ofhigh- performance, parallel computing infrastructures. With this in mind, the current work is part of a larger research effort at Pacific Northwest National Laboratory aimed at developing the necessary infrastruc- turetosupportanHPCclusterenvironmentcapableofprocessingvastamountsofstreamingsensordata underhardreal-timeconstraints. While verifying the timing properties of a more traditional (e.g. embedded) real-time system poses complex questions in its own right, imposing real-time constraints on a parallel (cluster) computing environmentintroducesanentirelynewsetofchallengesnotseeninthesemoretraditionalenvironments. Forexample,inadditiontostandardreal-timeconceptssuchasworst-caseexecutiontime(WCET),real- time parallel computation introduces the necessity of considering worst case transmission time when C.ArthoandP.C.O¨lveczky(Eds.):FTSCS2012 EPTCS105,2012,pp.39–55,doi:10.4204/EPTCS.105.4 40 FormalModelforRTParallelComputation communicating overthe network between nodes, aswell asthe need toensure that timing properties of oneprocess donotinvalidate thoseoftheentireparallelprocess asawhole. These are but two examples of the many questions which must be addressed in a real-time parallel computing system; certainly there aremanymore questions than can beaddressed inasingle paper. To this end, weintroduce asimple, event driven, automata-based model of computation intended tomodel the timing properties of a specific class of parallel programs. Namely, we consider SPMD(Single Pro- gram,MultipleData),parent-child typeprograms,inpartbecauseinpractice,manyparallelprograms— including many prototypical MPI-based [13, 15] programs— fall into this category. We give an exam- ple of such aprogram inSection 3. This model istypified by the existence of acyclic master or parent process,andasetofnoncyclicchildorslaveprocessesamongstwhichworkisdivided. Withthischarac- terization, averynatural correspondence emergesbetweentheprocesses andtheautomatawhichmodel them: thecyclicparentprocessisverynaturallymodeledbyanw -automaton,andthechildprocessesby astandard finiteautomaton. Ourmaincontribution ofthispaper, then,istwofold: first,aformalmethod ofmodelingtherespectiveprocesses inthismanner,combining theseintoasinglehybridsystemofpar- allel automata, and secondly, a simple case study demonstrating a practical application of this system. We should note that the notion of parallel finite automata is not a new one; variants have been studied before (e.g. [6,14]). Wetakethenovelapproach ofcombining timed variants ([1,5])offiniteautomata intoasinglehybridmodelwhichcapturesthetimingproperties ofthevariouscomponentprocesses ofa parallel system. The rest of the paper proceeds as follows: Section 2 defines the automaton models used by our system: Timed Finite Automata in Section 2.1, Timed Bu¨chi Automata in Section 2.2, and a hybrid system combining these two models in Section 2.3. Section 3 gives a case study in the form of an example real-time matrix multiplication kernel, running onasmall, four-node real-time parallel cluster. Section4concludes. 2 Formalisms Inthissection, wegiveformaldefinitionsforthemachineryusedinourhybridsystemofautomata. The definitions giveninSections2.1and2.2arenotnew[1]. However,itisstillimportantthatwestatetheir definitions here,astheyareusedlateron,inSection2.3. 2.1 Timed FiniteAutomata Inthissection,wedefineasimpletimedextensionoftraditional finitestateautomataandthewordsthey accept. Wewillusetheseinlatersectionstomodelthetimingpropertiesofchildprocessesinareal-time clustersystem. Timed strings take the form (s¯,t¯), where s¯ is a string of symbols, and t¯ is a monotonically in- creasing sequence ofreals (timestamps). t denotes the timestamp at whichsymbol s occurs. Wealso x x use the notation (s ,t ) to denote a particular symbol/timestamp pair. For instance, the timed string x x ((abc),(1,10,11)) is equivalent to the sequence (a,1)(b,10)(c,11), and both represent the case where ‘a’occursattime1,‘b’attime10,and‘c’attime11. Correspondingly, weextendtraditional finiteautomatatoincludeasetoftimers,whichimposetem- poral restrictions along state transitions. A timer can be initialized along a transition, setting its value to 0 when the transition is taken, and it can be used along atransition, indicating that the transition can onlybetakenifthevalueofthetimersatisfiesthespecifiedconstraint. Formally,weassociate witheach P.Hui&S.Chikkagoudar 41 automaton aset oftimer variables T¯, andfollowing the nomenclature of[1], aninterpretation n forthis setoftimersisanassignment ofarealvaluetoeachofthetimersinT¯. Wewriten [T 0]todenote the 7→ interpretation n with the value of timer Treset to 0. Clock constraints consist of conjunctions of upper bounds: Definition1. ForasetT¯ ofclockvariables, thesetX(T¯)ofclockconstraints c isdefinedinductively as c :=(T<c)? c c 1 2 | ∧ whereTisaclockinT¯ andcisaconstant inR+. While this definition may seem overly restrictive compared to some other treatments (e.g. [1]), we believeittobeacceptableinthisearlyworkforacoupleofreasons. First,whilesimple,thissolesyntactic form remains expressive enough to capture an interesting, non-trivial set of use cases (e.g. Section 3). Secondly, the timing analysis in subsequent sections of the paper becomes rather complex, even when timers are limited to this single form. Restricting the syntax in this manner simplifies this analysis to a moremanageable level. Weleave morecomplexformulations andthecorresponding analysis forfuture work. Definition2(TimedFiniteAutomaton(TFA)). ATimedFiniteAutomaton(TFA)isatuple S ,Q,s,q ,T¯,d ,g ,h f h i ,where S isafinitealphabet, • Qisafinitesetofstates, • s Qisthestartstate, • ∈ q Qistheaccepting state, f • ∈ T¯ isasetofclocks, • d Q Q S isthestatetransition relation, • ⊆ × × g d 2T¯ istheclockinitialization relation, and • ⊆ × h d X(T¯)istheconstraint relation. • ⊆ × Atuple q,q ,s d indicatesthatasymbols yieldsatransitionfromstateq tostateq ,subjecttothe i j i j h i∈ restrictionsspecifiedbythetimerconstraintsinh . Atuple q,q ,s , T ,...,T g indicatesthatonthe i j 1 n h { }i∈ transition onsymbols fromq toq ,allofthespecified timersaretobeinitialized to0. Finally, atuple i j q,q ,s ,X(T¯) h indicates that the transition on s from q to q can only be taken if the constraint i j i j h i∈ X(T¯)evaluates totrueunderthecurrenttimerinterpretation. Example 3. Thefollowing TFAaccepts the timed language (ab c,t ...t ) t t <10 (i.e., the set ∗ 1 n n 1 { | − } of all strings consisting of an ‘a’, followed by an arbitrary number of ‘b’s, followed by a ‘c’, such that the elapsed time between the first and last symbols is no greater than 10 time units). The start state is denoted withadashed circle,andtheaccepting statewithadoubleline. b a c q q q 1 2 3 T=0 (T<10)? 42 FormalModelforRTParallelComputation Pathsandrunsaredefinedinthestandard way: Definition4(Path). LetAbeaTFAwithstatesetQandtransition relationd . Then(q ,...,q )isapath 1 n overAif,forall1 i<n, s . q,q ,s d . i i+1 ≤ ∃ h i∈ Definition 5(Run). A run r of aTFA S ,Q,q ,q ,T¯,d ,g ,h over atimed word (s¯,t¯), is asequence of 0 f h i theform s s s s r:(q ,n ) 1 (q ,n ) 2 (q ,n ) 3 ... n (q ,n ) 0 0 1 1 2 2 n n −t→ −t→ −t→ −t→ 1 2 3 n satisfying thefollowing requirements: Initialization: n (k)=0, k T¯ 0 • ∀ ∈ Consecution: Foralli 0: • ≥ – d q,q ,s , i i+1 i ∋h i – (n +t t )satisfies c ,whereh q ,q,s ,c ,and i 1 i i 1 i i 1 i i i − − − ∋h − i – n =(n +t t )[T 0], T T¯,whereg q,q ,s ,T¯ i i 1 i i 1 i j i − − − 7→ ∀ ∈ ∋h i risanaccepting runifq =q . n f A TFAAaccepts atimed string s=(s¯,t ...t )ifthere isan accepting run ofs overA, and t t 1 n n 1 − iscalledtheduration ofthestring. Note (Well-Formedness). Weintroduce arestriction on how timers can be used ina TFA,thus defining what it means for a TFA to be well-formed. Namely, we restrict timers to be used only once along a path;thisistosimplifysomewhatthetiminganalysisinsubsequent sections. Inparticular, wesaythata TFAAiswell-formedif,forallpairsofstates(q ,q ),alltimersT,andallpathsfromq toq ,Tisused x y x y no more than once. For example, the TFAsshown in Figure 1 are not well-formed, since in both cases, timers can potentially be used more than once— in the first case (A ), along the self-loop on q , and 1 2 in the second case (A ), along two separate transitions along the path. At first, this may appear to be 2 overlyrestrictive, butasitturnsout,manyofthesecasescaneasilyberewrittenequivalentlytoconform tothesingle-use restriction, asshowninFigure2. b ;(T<10)? a;T=0 c A1: q1 q2 q3 a ;(T=0)? b ;(T<10)? c ;(T<20)? A2: q1 q2 q3 q4 Figure 1: Malformed TFAs. Start states are denoted with a dashed circle, and accepting states with a double line. The intent of A is to allow strings of the form a, followed by arbitrarily many bs, as long 1 as they all occur less than 10 units after the a, followed by a c. The intent of A is to allows strings of 2 theformabc,wheretheelapsedtimebetweentheaandbislessthan10,andthatbetweentheaandcis lessthan20. Bothofthesecanberewrittenusingconforming automata,asshowninFigure2. P.Hui&S.Chikkagoudar 43 b a;T=0 b ;(T<10)? c A′1: q1 q2a q2b q3 c T1=0 (T1<10)? (T2<20)? A′2: q1 q2 q3 q4 T =0 2 Figure2: Equivalent, well-formedversionsofautomatafromFigure1. 2.1.1 BoundingMaximumDelay Animportantnotionthroughouttheremainderofthepaperisthatofcomputingboundsontheallowable delays along all possible paths through a TFA. Specifically, we are interested in doing so to be able to reason formally about the maximum execution timefor achild process, with the end goal of being able toboundtheexecutiontimeofthesystem—parentandallchildprocesses— asawhole. The idea is that we will ultimately use TFAs to represent the timing properties of a child process. Paths through the automaton from its start state to an accepting state correspond to possible execution paths of the child process’ code. Certainly, proving a tight upper bound on the delay between two arbitrary points along an execution path remains a very difficult problem, but to be clear, this is not our goal. Rather, our approach involves modeling an execution path through a child process (and, by extension, its corresponding timed automaton) using an event-based model, in which selected system eventsaremodeledbytransitionsintheautomaton,andwerelyontimingpropertiesoftheprocesstobe guaranteed bytheunderlying RTOSprocess scheduler. Theproblem ofcomputing theworst-case delay through theautomaton equates tothatofcomputing themaximum delay overallpossible paths through theautomaton fromitsstartstatetoitsaccepting state: D = max D (p) A p paths(A) ∈ where A= S ,Q,q ,q ,T¯,d ,g ,h istheTFA 0 f • h i paths(A)denotesthesetofallpathsinAfromitsstartstateq toaccepting stateq ,and 0 f • D (p), for path p=(q ,...,q ), denotes the maximum delay from q to q . That is, the maximum 0 f 0 f • durationofanytimedstring(s¯,t¯)suchthat(q ...q ,n¯)isarunofthestringoverA(forsomen¯). 0 f Thisproblemcanthusbeformulated inthefollowingmanner: givenatimedfiniteautomatonAand anintegern,isthere atimedwordofduration d nthatisaccepted byA? Whilesimple cases, suchas ≥ those presented in this paper, can be computed by observation and enumeration, the complexity of the general problem remains an open question, although we highly suspect it to be intractable— Courcou- betis and Yannakakis giveexponential-time algorithms forthis and related problems, and have showna strictly more difficult variant of the problem to be PSPACE-complete [4]. Furthermore, expanding the timer constraint syntax to a more expressive variant (c.f. [1]) can only complicate matters in terms of complexity. Wemustbecautious, then,toensurethatwedonotimposeaninordinately largenumberof timersonachildprocess. 44 FormalModelforRTParallelComputation 2.2 Timed Bu¨chi Automata Whereas we model the timing properties of the child processes of a cluster system using the timed finite automata of the previous section, we model these properties of the parent using a timed variant of w -automata, specifically Timed Bu¨chi Automata. We assume a basic familiarity with these; due to space constraints, we give only brief overview here. To review briefly, w -automata, like standard finiteautomata,alsoconsistofafinitenumberofstates,butinsteadoperateoverwordsofinfinitelength. Classesofw -automataaredistinguishedbytheiracceptancecriteria. Bu¨chiautomata,whichweconsider inthispaper,aredefinedtoaccepttheirinputifandonlyifarunovertheinputstringvisitsanaccepting stateinfinitelyoften. Otherclassesofw -automataexistaswell. Forexample,Mullerautomataaremore stringent, specifying theiracceptance criteria asaset ofacceptance sets; aMullerautomaton accepts its inputifandonlyifthesetofstatesvisitedinfinitelyoftenisspecifiedasanacceptanceset. Moredetailed specificscanbefoundelsewhere— forexample,[1]. ATimedBu¨chiAutomaton(TBA)isatuple S ,Q,q ,q ,T¯,d ,g ,h ,where 0 f h i S isafinitealphabet, • Qisafinitesetofstates, • q Qisthestartstate, 0 • ∈ F Qisasetofaccepting states, • ⊆ T¯ isasetofclocks, • d Q Q S isthestatetransition relation, • ⊆ × × g d 2T¯ istheclockinitialization relation, and • ⊆ × h d X(T¯)istheconstraint relation. • ⊆ × A tuple q,q ,s d indicates that a symbol s yields a transition from state q to state q , subject i j i j to the restrichtions spiec∈ified by the clock constraints in h . A tuple q,q ,s ,T¯ g indicates that on i j h i ∈ the transition on symbol s from q to q , all clocks in T¯ are to be initialized to 0. Finally, a tuple i j q,q ,s ,X(T¯) h indicates that the transition on s from q to q can only be taken if the constraint i j i j h i∈ X(T¯)evaluates totrueunderthevaluesofthecurrenttimerinterpretation. Wedefinepaths,runs,andsubruns overaTBAanalagously tothoseoveraTFA: Definition 6 (Path (TBA)). Let A be a TBA with state set Q and transition relation d . (q ,...,q ) is a 1 n pathoverAif,forall1 i<n, s . q,q ,s d . i i+1 ≤ ∃ h i∈ Definition 7 (Run, Subrun (TBA)). A run (subrun) r, denoted by (q¯,n¯), of a Timed Bu¨chi Automaton S ,Q,q ,q ,T¯,d ,g ,h overatimedword(s¯,t¯),isaninfinite(finite)sequence oftheform 0 f h i s s s r:(q ,n ) 1 (q ,n ) 2 (q ,n ) 3 ... 0 0 1 1 2 2 −t→ −t→ −t→ 1 2 3 satisfying thesamerequirements asgiveninDefinition 5. For a run r, the set inf(r) denotes the set of states which are visited infinitely many times. A TBA A with finalstates F accepts atimedwordw=(s¯,t¯)ifinf(r) F =0/, wherer isthe run ofwonA. T 6 Thatis,aTBAacceptsitsinputifanyofthestatesfromF repeataninfinitenumberoftimesinr. Example8. ConsiderthefollowingTBAA ,withstartstateq andacceptstatesF = q : 1 1 1 { } P.Hui&S.Chikkagoudar 45 c ;(T <50)? b a;T =0 q q 1 2 ThisTBAacceptsthew -language L = ((ab c)w ,t ) x. i,j. k.f wheref istheboolean formula 1 ∗ { |∀ ∃ ∀ } t <t <t = (s =a) (s =b) (s =c) (t t <50) i k j i k j j i ⇒ ∧ ∧ ∧ − Lastly, we take the concept of maximum delay, introduced in the previous section with respect to Timed Finite Automata, and extend it to apply to Timed Bu¨chi Automata. Doing so first requires the followingdefinition, whichallowsustorestrictthetiminganalysis forTBAstofinitesubwords: Definition9(Subword overq¯). LetA beaTBA,and letq¯=(q ...q )beafinite path over A. Afinite m n timedwordw=((s ...s ),(t ...t ))isasubwordoverq¯iff q ,...,q ,s ,...,s ,t ,...,t such m n m n 0 m 1 0 m 1 0 m 1 that(q ...q q ...q ,n¯)isasubrunof((s ...s s ...s ),∃(t ...t −t ...t ))ove−rA forsom−en¯. 0 m 1 m n 0 m 1 m n 0 m 1 m n − − − Definition 9isatechnicality whichisnecessary tosupport thefollowing definition ofthemaximum delaybetweenstatesofaTBA: Definition10. LetA beaTBA,andletq¯beafinitepathoverA. ThenD A(q¯)isthemaximumduration ofanysubwordoverq¯. Example11. ConsiderA1 fromExample8. ThenD A1(q1q2q2q1)=50. Algorithmically computing D A(q¯) for a TBA A is analogous to the case for TFAs; in small cases (i.e., relatively few timers with small time constraints), the analysis is relatively simple, while we con- jecture theproblem formorecomplexcasestobeintractable; weleavemoredetailed analysis forfuture work. 2.3 ParallelTiming Systems Next,wemodelthetimingproperties ofaSPMD-typeparallel systemasawholebycombining thetwo models ofSections 2.1and2.2into asingle parallel timing system. Aparallel timingsystem (PTS)isa tuple P,A¯,y ,j ,where h i P= S ,Q,q ,q ,T¯,d ,g ,h isaTBA(usedtomodelthetimingproperties oftheparentprocess) 0 f • h i A¯ isaset A ,...,A ofTFAs(usedtomodelthetimingproperties ofthechildprocesses) 1 n • { } y d A¯ isafork relation(usedtomodelthespawningofchildprocesses) • ⊆ × j d A¯ isajoinrelation(usedtomodelbarriers (joins)) • ⊆ × Atuple q,q ,s ,A iny ,withA A¯,indicates thataninstanceofAistobe“forked” onthetransition i j h i ∈ fromq toq onsymbols ,andthis“fork” isdenoted graphically asq Y (A) q ,modelingthespawning i j i j of a child process along the transition. Similarly, a tuple q,q ,s ,A −−in−→j indicates that a previously i j h i forkedinstanceofAistobe“joined”onthetransitionfromq toq onsymbols . This“join”isdenoted i j W (A) graphically as q q , modeling the joining along the transition with a previously spawned child i j −−−→ process1. 1Y waschosenasthesymbolfor‘fork’,asitgraphicallyresemblesa“fork”;W waschosenasthatfor‘join’,asitconnotes “ending”or“finality”. 46 FormalModelforRTParallelComputation Example12. Considerthefollowing timingsystemS = P, A ,y ,j : 1 h { } i c ;(T <50)? W (A) b a;T =0 0;U =0 1 ;(U <10)? P: q1 q2 A: s1 s2 s3 Y (A) P is the parent TBAwith initial state q and final state set F = q . P accepts the w -language L 1 2 1 { } (seep.45),andAisaTFAwhichacceptsthetimedlanguage (01,t t ) t t <10 . Inaddition,the 1 2 2 1 { | − } fork and join relations y and j dictate that on the transition from q to q , an instance of A is forked 1 2 (Y (A)), and that the transition from q to q can only proceed once that instance of A has completed 2 1 (W (A)). Conceptually, this system models a parent process (P) which exhibits periodic behavior, accepting aninfinitenumberofsubstringsoftheformab c,inwhichtheinitial‘a’triggersachildprocessAwhich ∗ mustbecompletedpriortotheendofthesequence,markedbythefollowing‘c’. Inaddition,the‘c’must occur nomorethan 50timeunits aftertheinitial ‘a’. Thechildprocess ismodeled byA,whichaccepts strings oftheform01,inwhichthe1mustoccurnomorethantentimeunitsaftertheinitial0. In theory, child processes could spawn children of their own (e.g. recursion). For now, however, we disallow this possibility, as it somewhat complicates the analysis in the following section without adding significantly totheexpressivepowerofthemodel. Themodelcanbeexpanded latertoallowfor arbitrarily nestedchildrenofchildrenwiththeappropriate modifications;specifically, TBAswouldneed tobeextended toinclude theirowny andj relations, aswouldthedefinitionofD forTBAs. Before proceeding, it is important to note that a PTS S= P,A¯,y ,j is not itself interpreted as an h i automaton. Inparticular, wedonoteverdefinealanguage accepted byS. Indeed, itisnotentirely clear what such a language would be, as we never specify the input to any of the children in A. Rather, the sole intent in specifying such a system S is to specify the timing behavior of the overall system, rather thananyparticular language thatwouldbeaccepted byit. 2.3.1 Consistency Withthissaid, wenotethatinExample12,Aisinsomesense “consistent” withitsusage inP. Specifi- cally,sincethemaximumdurationofanystringacceptedbyAis10,weareguaranteedthatanyinstance a c ofAforked onthe q q transition willhave completed intimeforthe‘join’ along the q q tran- 1 2 2 1 →− −→ sition and hence, the timer (T <50)? on this transition would be respected in all cases. In this sense, all (Y (A),W (A)) pairs are consistent with timer T. However, such consistency is not always the case. Consider, forinstance, theparallel timingsystem S showninFigure 3. Inthiscase, therearetwochild 2 c ;(T <25)? 0;U=0 1 ;(U<10)? W (B) A: s1 s2 s3 a;T =0 b 0;V=0 1 ;(V<20)? P: q1 q2 q3 B: s1 s2 s3 Y (A) W (A);Y (B) Figure3: Aninconsistent paralleltimingsystemS . 2 P.Hui&S.Chikkagoudar 47 processes: A and B. The maximum duration of a timed word accepted by A is 10, and that of B is 20. Supposing that an ‘a’ occurs (and A forked) at time 0, it is thus possible that the A will not complete untiltime10 e ,atwhichtimethe‘b’andforkofBcanproceed. ItisthereforepossiblethatBwillnot 1 − completeuntiltime30 e e (forsmalle ,e ). Thiswouldthenviolatethe(T<25)?constraint, cor- 1 2 1 2 − − responding toacase inwhich achild process could take longer tocomplete thanisallowable, given the timingconstraints oftheparent process. Itisprecisely thistypeofinterference whichwemustdisallow inorderforatimingsystemtobeconsidered consistent withitself. To this end, we propose a method of defining consistency within a timing system. Informally, we take theapproach ofderiving anewsetofconditions from thetimingconstraints ofthechild processes, so thatchecking consistency reduces tothe process ofverifying that these conditions respect thetiming constraints ofthemasterprocess. First, wereplace A¯,y , and j from the parallel timing system with a new set of derived timers, one for each A A¯, defining the possible “worst case” behavior of the child processes. Each such timer T A ∈ isinitialized onthetransition along whichthecorresponding Aisforked, andisusedalong (constrains) anytransitionsalongwhichAisjoined. EachsuchuseensuresthatthetimerislessthanD ,representing A thefactthat theelapsed timebetweentheforking andjoining ofachild process isbounded intheworst casebyD —thelongestpossible duration forthechildprocess. Asanexample, “flattening” thetiming A a system S of Example 12 results in a single new timer T , initialized along the q q transition, and 1 A 1 2 c −→ usedalong theq q transition withtheconstraint (T <10)?. Wethencheck thatnoneofthese new 2 1 A −→ derivedtimersinvalidate thetimingconstraints oftheparentprocess. Formally,wedefinetworelations. Thefirstoftheseisflattening,whichtakesaparalleltimingsystem P,A¯,y ,j and yields a new pair of relations (g ,h ). Intuitively, g defines the edges along which each h i of thederived timers are initialized, and h defines theedges along which each ofthe derived timers are used: Definition13. LetS= P,A¯,y ,j beaparalleltimingsystem. Thenflatten(S)=(g ,h ),where h i g = q,q ,s , T q,q ,s ,A y i j A i j {h { }i|h i∈ } h = q,q ,s ,X q,q ,s ,A j i j i j {h i|h i∈ } and X = ^ (TA <D A) qi,qj,s ,A j h i∈ The second relation takes y and j as inputs and extracts a set of edge pairs, defined such that each suchpair(e ,e )specifieswhenaderivedtimerisinitialized (e )andused(e ). 1 2 1 2 Definition14. LetS= P,A¯,y ,j beaparalleltimingsystem,withA A¯. Thenthesetofallusepairs h i ∈ of A in S is defined as pairs(A,S)= ((q ,q ),(q ,q )) ( q ,q ,s ,A y ) ( q ,q ,s ,A j ) x y m n x y 1 m n 2 { | h i∈ ∧ h i∈ } forsomes ,s . Furthermore, 1 2 pairs(S)= [ pairs(A,S) A A¯ ∈ Example15. ConsiderparalleltimingsystemS showninFigure4. ObservethatD =25andD =11. 3 A B Then: flatten(S )=(g ,h ),where 3 g = q ,q ,a, T , q ,q ,b, T 1 2 A 2 3 B {h { }i h { }i} h = q ,q ,c,X ,whereX =(T <25) (T <11) 3 1 A B {h i} ∧ 48 FormalModelforRTParallelComputation q 3 ? 4) 2 < T ;( B) b Y (B) 0;V=0 0 ;(V<11)? c A, ( t t t W 1 2 3 a;T=0 P: q1 q2 B: Y (A) 1;V=0;(U<20)? 1 s5 s6 ;(V 1 <5)? 0;U =0 0 s s s 1 2 7 A: 0 s3 s4 0 ; (U < 10)? 0 Figure4: ParalleltimingsystemS . D =25,D =11. 3 A B showngraphically inFigure5,and pairs(S)=pairs(A,S) pairs(B,S) ∪ = ((q ,q ),(q ,q )) ((q ,q ),(q ,q )) 1 2 3 1 2 3 3 1 { }∪{ } = ((q ,q ),(q ,q )),((q ,q ),(q ,q )) 1 2 3 1 2 3 3 1 { } q 3 T < 2 4)? 1 1))? ( < c ; ( T B b TB=0 2 5) ∧ < (( T A a q q 1 2 T=0,T =0 A Figure5: TheresultofflatteningS : forksandjoinsofAandBareshownalongwithderivedtimersT 3 A andT . ComparewithFigure4. B Wecannowproceedwithaformaldefinitionofconsistency foraparalleltimingsystem. Recallthat intuitively, suchasystemisconsistentiftheworstcasetimingscenariosoverallchildprocesseswillnot invalidate thetiming constraints ofthe parent process— inother words, ifthe maximum delay between two states allowed by the child processes never exceeds the corresponding maximum delay allowed by thetimersintheparentprocess. Definition16(Consistency). LetS= A,y ,j ,A¯ beaPTS,where h i A = S ,Q,q ,F,T¯,d ,g ,h isaTBA 0 • h i flatten(S)=(g ,h ) ′ ′ •

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.