Copyright © IFAC Distributed Computer Control Systems, Como, Italy, 1998
COMMUNICATING REACTIVE STATE MACHINES: DESIGN, MODEL AND IMPLEMENTATION
S. Ramesh 1
Department of Computer Science and Engineering, Indian Institute of Technology, Bombay - 400 076, INDIA. e-mail: [email protected]
Abstract: This paper proposes a language, called Communicating Reactive State Machines (CRSM), useful for describing behaviors of real-time distributed controllers. The characteristic features of this language are that it has a pictorial syntax, a precise formal semantics and an efficient implementation. CRSM is based on Argos, a language proposed for centralized real-time controllers. Argos is extended by including a primitive for communication between Argos programs. This communication primitive is based upon the communication primitive of CSP. A precise mathematical model, called communicating boolean automata (CBA), based upon the boolean automata model of Argos is developed. A number of operations over CBA have been defined to model the constructs of CRSM, and a notion of bisimulation equivalence is also defined. CBA would form the basis for automatic verification of CRSM. An outline of an implementation of CRSM is also given. Copyright © 1998 IFAC
Keywords: Distributed controllers, state machines, formal methods, real-time systems.
1. INTRODUCTION
A distributed control system consists of a number of autonomous subsystems controlling disjoint physical systems but at the same time having system-wide control laws. They are becoming prevalent due to their inherent advantages like fault tolerance, concurrency and modularity; some typical applications are car automation and industrial process controllers. However, the behavior of these systems is quite complex as the subsystems, besides controlling their local environments, normally involve complex interactions with each other in order to maintain system-wide properties. Also, the critical nature of the applications demands a high degree of confidence in the systems developed. Use of formal methods is a promising approach to solve some of these problems.
As a first step towards this, we propose here a new high level language for describing distributed controllers. This language builds on the success of Statecharts (Harel, 1987) and its refinement Argos (Maraninchi, 1992); Statecharts was developed by enriching finite state machines, a traditional description technique for writing controllers, with concurrency and hierarchy. The use of Statecharts and Argos in abstract high level description of centralized controllers has been well demonstrated. The proposed language, called communicating reactive state machines (CRSM), is an attempt to extend their use for describing distributed controllers; CRSM is influenced by a similar extension of Esterel proposed in (Berry et al., 1993). A CRSM program consists of a set of processes, each process describing the behavior of an autonomous component of the distributed controller being described. A process, besides controlling its local environment, communicates with other processes to maintain system-wide control laws. This interaction is described using the CSP (Hoare, 1978) communication primitives, while the local behavior is described using Argos constructs: Mealy automata with inputs and outputs being signal combinations, concurrency, hierarchy and signal hiding constructs.

A precise formal semantics of CRSM, based upon the boolean automata model of Argos (Maraninchi, 1992), has been developed. This model defines a class of automata called communicating boolean automata and a number of operations on these automata corresponding to the different constructs of CRSM; a notion of equivalence along the lines of bisimulation equivalence (Milner, 1989) is also defined. This model would form the basis for automatic verification of CRSMs. A prototype implementation of CRSM has also been developed, which is based upon a translation scheme for translating Argos programs into synchronous automata (Maraninchi et al., 1994) and an efficient protocol for implementing the CSP communication primitive (Ramesh, 1987).

A brief overview of CRSM, the model CBA and an outline of the implementation are given here. Complete details will appear in the full paper.

1 The initial part of this work was done when this author was visiting GMD, Bonn.

2. COMMUNICATING REACTIVE STATE MACHINES

Here we confine ourselves to a very brief description of CRSM. A CRSM is a network $N_1 // N_2 // \cdots // N_m$ of independent reactive programs or nodes, $N_i$, each node having its own reactive interface with separate input/output signals and its own notion of instants. Intuitively, each node is locally reactively driving a part of a complex process that is handled globally by the network.

2.1 CRSM Nodes

Each node is described using a structured Mealy machine in the style of Statecharts/Argos. In its most simple form, a CRSM node is a simple edge-labeled finite state machine with an initial state but no final state. A transition connecting a pair of states has a label of the form b/S, where b is a boolean expression involving only input signals while S is a set of output signals generated as a result of taking the transition. The input expression describes a combination of signal presence/absence status which, when true, triggers the transition. The future behavior of the machine is decided by the resultant state. Such finite state machines suffice for the description of controllers, but large such descriptions can be hard to understand due to their flat nature. Three constructs, hierarchy, concurrency and signal hiding, are defined to structure large descriptions:

Hierarchical composition: A hierarchical structure can be introduced in flat state machine descriptions using this construct. Given a machine A with a state, say, q, another machine, say, B can be placed inside q. The behavior of the resulting machine is decided by A except in the state q; in this state the behavior is decided both by q and B. The state q expresses the important operation preemption that is found useful in controllers: in state q, computation proceeds as specified in B so long as none of the transitions out of q can be taken; when an outgoing transition from q can be taken, the 'inside' computation is preempted and the system transits to the target state of the transition and from then on behaves like A.

Synchronous Parallel Composition: Given two machines A, B, a parallel machine that runs both A and B concurrently can be written using this construct. Such a description specifies that the system (being described) behaves simultaneously both like A and B: given a set of input signals representing the state of the environment, appropriate transitions in both the automata are taken and the result is the union of the sets of signals generated by both the automata. In general, one can have concurrent compositions of more than two automata. Further, the concurrent components can interact: signals generated by one component can trigger transitions in the other components; such a triggering is instantaneous, with no delay between the firing of the transitions in different components.

Signal Hiding: The hiding construct is defined to limit the scope of interaction between concurrent subcomponents. Using this construct, a signal can be declared local to a subset of components so that the generation of the signal will not trigger any transition in other components. This construct can also be viewed as an abstraction primitive that enables hiding of internal details like the signals that have no effect on the environment.

Asynchronous Composition: The above constructs, however, suffice only for describing centralized controllers controlling local environments. For distributed controllers, we enrich a CRSM node with a capability to communicate with other CRSM nodes. This is done
by introducing a special kind of states, called rendezvous states. A rendezvous state indicates a communication with another node via a channel; the channel name is specified as a label in the state. Entering such a state initiates an attempt to communicate via the specified channel. The communication is synchronous in the sense that both the nodes involved should be ready to communicate. Till the communication takes place, the machine stays in the rendezvous state. A rendezvous state has (at least) one special exit transition which is taken when the communication succeeds; exactly which exit edge is taken is decided by the presence/absence of the local signals specified on the edge. A rendezvous state can also have normal outgoing transitions which, when taken, preempt the communication. Rendezvous states are flat with no hierarchy.

2.2 Network of CRSM

A distributed controller can be described by a network of CRSM nodes. Each CRSM node drives locally a part of a complex system consisting of several distributed components. The individual nodes occasionally synchronize with each other using rendezvous states. The network of CRSM nodes is asynchronous with no common clock. The communication mechanism is similar to the CSP (Hoare, 1978) communication mechanism.

We will now illustrate the features of CRSM through a simple example given in Figure 2.2. In this figure, we use the standard graphical representation of state machines: normal states are represented by square boxes while rendezvous states by circular ones; the exit edges are distinguished from normal ones using broken arrows. The edges are labeled with input/output signals and the normal states are named while rendezvous states are labeled, in addition, with channel identifiers.

The system described in the figure is part of a distributed track control system, described in (Fischer et al., 1992). This system controls the traffic of trains across a railway track. The track is divided into a number of blocks. Each block is controlled by a separate autonomous controller which observes and controls the movement of a train when the latter is over the block. A train can cross to an adjacent block only after reservation. This reservation is done through the current block controller, which communicates with the adjacent controller for this purpose. In the following design, communication between trains and a block controller is modeled using signals, while communication between adjacent controllers is via channels.

In Figure 2.2, the machine describing a part of a block controller is composed of two concurrent machines, Train and Interface. The environment of this machine inputs the following signals.
• enter - indicates that the train is entering the block.
• resv_next, resv_prev - input when the train wants to enter the next or the previous adjacent block, respectively.
• bye - input when the train leaves the block.

The behavior of the Train component is simple. It waits in the initial state till it receives the 'enter' signal. It can exit this state provided the block has already been reserved. If the block is reserved then the Interface component is in 'F' and the signal 'ok2' is present. Thus this transition as well as the transition out of 'F' are taken at the same time. When 'Train' is in state A it waits for one of the reservation signals which, when it arrives, initiates a communication action with an adjacent controller via cn or cp. This communication state corresponds to the state 'E' of the 'Interface' component of the corresponding controller. When the communication takes place, the 'goAhead' signal is emitted; the reservation in the adjacent block takes place with the transition from state 'E' to 'F'. In the state 'D', 'Train' waits for the 'bye' signal from the train, which resets its state to 'I'.

3. COMMUNICATING BOOLEAN AUTOMATA

This is a formal model of CRSMs and is based upon the model proposed in (Maraninchi, 1992). Let S be an arbitrary set of signal names, $\mathcal{B}(S)$ the set of all boolean expressions over the symbols in S and $\mathcal{M}(S)$ the set of all monomials (conjunctions of literals) over S.

Definition 3.1. A communicating boolean automaton is a tuple $(Q, q_0, I, O, C, T)$, where Q is a set of states, $q_0 \in Q$ is the initial state, I is a set of input signals, O is the set of output signals, C is the set of communication actions and T is the transition relation given by $T \subseteq Q \times \mathcal{B}(I) \times 2^C \times 2^O \times Q$.

Simply, a communicating automaton is a directed graph with edges carrying labels of the form $b/C', O'$ with $b \in \mathcal{B}(I)$, $C' \subseteq C$, $O' \subseteq O$. The intuitive meaning is that such an edge is taken when b is true and, as a result, all communication actions in C' are completed and the signals in O' are generated. Two properties that can be associated with communicating automata are reactivity and determinism.
[Fig. 1. Track Controller: the Train and Interface components of a block controller. Labels legible in the figure: states F and G, channels cp and cn (the rendezvous state is marked (cp, cn)), and signals enter, ok1, ok2, resv_next and resv_prev.]
Definition 3.2. An automaton is reactive if in any of its states q and for any monomial b involving its input symbols, there is a transition out of q with b' as the guard such that $b \to b'$.

Reactivity is a natural requirement of reactive systems. A system defined by an automaton should be defined for all possible input combinations.

Definition 3.3. An automaton is deterministic if, for any of its states q, whenever there are two distinct transitions $(q, b_1, O_1, C_1, q_1)$ and $(q, b_2, O_2, C_2, q_2)$ then $b_1 \wedge b_2 = F$.

Given two automata $A_1, A_2$, we have defined four operators $A_1 \| A_2$, $A_1 // A_2$, $(A_1)(q \| A_2)$ and $A_1 \setminus a$ that model respectively the four constructs used for building CRSMs.

Definition 3.4. Synchronous Product: Given two boolean automata $A_i = (Q_i, q_{0i}, I_i, O_i, C_i, T_i)$, $i = 1, 2$, with $C_1 \cap C_2 = \emptyset$, we define the synchronous product automaton $A = A_1 \| A_2$ to be the automaton $(Q_1 \times Q_2, (q_{01}, q_{02}), I_1 \cup I_2, O_1 \cup O_2, C_1 \cup C_2, T)$, where T is given by
$$T = \{\,((q_1, q_2),\ b_1 \wedge b_2,\ C_1' \cup C_2',\ O_1' \cup O_2',\ (q_1', q_2')) \mid (q_i, b_i, C_i', O_i', q_i') \in T_i,\ i = 1, 2,\ b_1 \wedge b_2 \neq F\,\}$$

The transitions of the synchronous product A are joint transitions of the components. That is, every transition of A involves simultaneous transitions of its components. The first two requirements on the right hand side of the above definition essentially state these. The third requirement is natural as the component transitions should be consistent.

The condition of disjointness of the communication actions of the two automata is placed to avoid any interaction between the two components via communication actions.

The asynchronous parallel composition is given as follows.

Definition 3.5. Asynchronous Product: Let $A_i = (Q_i, q_{0i}, I_i, O_i, C_i, T_i)$, $i = 1, 2$ be two automata with the additional condition that $(I_1 \cup O_1) \cap (I_2 \cup O_2) = \emptyset$. Then we define the asynchronous product $A = A_1 // A_2$ to be the automaton $(Q_1 \times Q_2, (q_{01}, q_{02}), I_1 \cup I_2, O_1 \cup O_2, C_1 \cup C_2, T)$, where T is given by
$$T = \{\,((q_1, q_2),\ b_1 \wedge b_2,\ C_1' \cup C_2',\ O_1' \cup O_2',\ (q_1', q_2')) \mid (q_i, b_i, C_i', O_i', q_i') \in T_i,\ i = 1, 2,\ C_1' \cap C_2' \neq \emptyset\,\}$$
$$\cup\ \{\,((q_1, q_2),\ b_1,\ C_1',\ O_1',\ (q_1', q_2)) \mid (q_1, b_1, C_1', O_1', q_1') \in T_1,\ C_1' \cap C_2 = \emptyset\,\}$$
$$\cup\ \{\,((q_1, q_2),\ b_2,\ C_2',\ O_2',\ (q_1, q_2')) \mid (q_2, b_2, C_2', O_2', q_2') \in T_2,\ C_2' \cap C_1 = \emptyset\,\}$$

The transitions of the asynchronous product automaton are of three kinds: (i) one in which both the components participate; an essential requirement in such a case is that there should be at least one common communication action between the two components, (ii) one in which the first component makes a move while the second one idles and (iii) one in which the first one is idle while the second component makes the move. The above definition corresponds to the standard three rules for parallel composition used in CCS.
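As an added example that is not from the paper, the following Python makes Definitions 3.2 to 3.5 executable: guards are predicates over the set of present input signals, $b_1 \wedge b_2 \neq F$ is decided by enumerating input valuations, and the constructed automata `relay` and `talker` are mine, not the paper's. `sync_product` of two relays stays reactive and deterministic, while `async_product` of two nodes sharing a channel shows that the rendezvous move can only be taken jointly and that the two idling rules make the product non-deterministic even though both components are deterministic.

```python
# Added example (not from the paper): an executable model of Definitions 3.2 to 3.5.
# Guards are predicates over the set of present inputs; "b1 and b2 != F" is decided
# by enumerating the input valuations, which is fine for the small I used here.
from itertools import combinations
from typing import NamedTuple

class CBA(NamedTuple):
    states: frozenset
    q0: object
    inputs: frozenset
    outputs: frozenset
    comms: frozenset
    trans: frozenset   # transitions (q, b, C', O', q'), b a guard over inputs

NONE = frozenset()
conj = lambda b1, b2: (lambda v: b1(v) and b2(v))   # the guard b1 and b2

def valuations(signals):
    """All complete monomials over `signals`: every present/absent pattern."""
    s = sorted(signals)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def satisfiable(b, signals):
    """b != F, decided by trying every valuation of the given input signals."""
    return any(b(v) for v in valuations(signals))

def is_reactive(a):
    """Def. 3.2: in every state, every input monomial enables some transition."""
    return all(any(t[0] == q and t[1](v) for t in a.trans)
               for q in a.states for v in valuations(a.inputs))

def is_deterministic(a):
    """Def. 3.3: two distinct transitions out of one state have b1 and b2 = F."""
    return all(not (t[1](v) and u[1](v)) for t in a.trans for u in a.trans
               if t is not u and t[0] == u[0] for v in valuations(a.inputs))

def product_skeleton(a1, a2, trans):   # (Q1 x Q2, (q01, q02), I1 u I2, O1 u O2, C1 u C2, T)
    return CBA(frozenset((x, y) for x in a1.states for y in a2.states),
               (a1.q0, a2.q0), a1.inputs | a2.inputs, a1.outputs | a2.outputs,
               a1.comms | a2.comms, frozenset(trans))

def sync_product(a1, a2):
    """Def. 3.4: every pair of moves is taken jointly, unless b1 and b2 = F."""
    assert not (a1.comms & a2.comms), "C1 and C2 must be disjoint"
    trans = set()
    for (p1, b1, c1, o1, r1) in a1.trans:
        for (p2, b2, c2, o2, r2) in a2.trans:
            b = conj(b1, b2)
            if satisfiable(b, a1.inputs | a2.inputs):
                trans.add(((p1, p2), b, c1 | c2, o1 | o2, (r1, r2)))
    return product_skeleton(a1, a2, trans)

def async_product(a1, a2):
    """Def. 3.5: a joint move needs a shared communication action; otherwise
    one component moves alone while the other idles (the three CCS rules)."""
    assert not ((a1.inputs | a1.outputs) & (a2.inputs | a2.outputs))
    trans = {((p1, p2), conj(b1, b2), c1 | c2, o1 | o2, (r1, r2))
             for (p1, b1, c1, o1, r1) in a1.trans
             for (p2, b2, c2, o2, r2) in a2.trans if c1 & c2}
    trans |= {((p1, p2), b1, c1, o1, (r1, p2)) for (p1, b1, c1, o1, r1) in a1.trans
              for p2 in a2.states if not (c1 & a2.comms)}
    trans |= {((p1, p2), b2, c2, o2, (p1, r2)) for (p2, b2, c2, o2, r2) in a2.trans
              for p1 in a1.states if not (c2 & a1.comms)}
    return product_skeleton(a1, a2, trans)

def relay(state, inp, out):
    """Constructed one-state automaton: emits `out` exactly when `inp` is present."""
    return CBA(frozenset({state}), state, frozenset({inp}), frozenset({out}), NONE,
               frozenset({(state, lambda v: inp in v, NONE, frozenset({out}), state),
                          (state, lambda v: inp not in v, NONE, NONE, state)}))

def talker(name, inp, chan):
    """Constructed two-state node: `inp` sends it into a rendezvous on `chan`."""
    w, r = name + "_wait", name + "_rv"
    return CBA(frozenset({w, r}), w, frozenset({inp}), NONE, frozenset({chan}),
               frozenset({(w, lambda v: inp in v, NONE, NONE, r),
                          (w, lambda v: inp not in v, NONE, NONE, w),
                          (r, lambda v: True, frozenset({chan}), NONE, w)}))
```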
The requirement that the input set of one of the component automata is disjoint from the output set of the other is to ensure that no synchronous interaction takes place between the two components. Now we define another operator on boolean automata that models the hierarchical composition.

Definition 3.6. Hierarchical Product: Let $A_i = (Q_i, q_{0i}, I_i, O_i, C_i, T_i)$, $i = 1, 2$ be two automata. Then their hierarchical product, denoted by $A = (A_1)(q \| A_2)$, is defined to be the automaton that models the behavior of the hierarchical reactive state machine that is obtained by refining one of the states, q, of $A_1$ to contain $A_2$. This automaton is given by $(Q, q_0, I_1 \cup I_2, O_1 \cup O_2, C_1 \cup C_2, T)$, where
$$Q = (Q_1 \setminus \{q\}) \cup (\{q\} \times Q_2)$$
$$q_0 = \begin{cases} q_{01} & \text{if } q \neq q_{01} \\ (q_{01}, q_{02}) & \text{otherwise} \end{cases}$$
$$T = \{\,(q_1, b, O', C', q_2) \in T_1 \mid q_1, q_2 \neq q\,\}$$
$$\cup\ \{\,(q_1, b, O', C', (q, q_{02})) \mid (q_1, b, O', C', q) \in T_1\,\}$$
$$\cup\ \{\,((q, q_1),\ b_1 \wedge b_2,\ O',\ C',\ (q, q_2)) \mid (q, b_1, \emptyset, \emptyset, q) \in T_1,\ (q_1, b_2, O', C', q_2) \in T_2,\ b_1 \wedge b_2 \neq \mathit{false}\,\}$$
$$\cup\ \{\,((q, q_1),\ b_1 \wedge b_2,\ O',\ C',\ q') \mid (q, b_1, O_1, \emptyset, q') \in T_1,\ (q_1, b_2, O_2, C', q_2) \in T_2,\ O' = O_1 \cup O_2,\ b_1 \wedge b_2 \neq \mathit{false}\,\}$$

The transitions of the hierarchical automaton A are of four kinds: (i) those transitions of $A_1$ with the state q being neither a source nor a target state, (ii) those transitions of $A_1$ in which the target state is q; after taking such a transition, the hierarchical automaton enters the initial state of $A_2$, (iii) those transitions of $A_2$ in which $A_1$ is idle and (iv) those in which q is exited. In the above definition, these four kinds of transitions are given by the four sets on the right hand side of the definition of T.

Localization/Hiding: Given a boolean automaton $A = (Q, q_0, I, O, C, T)$ and a signal a, we define the hiding operation $A \setminus a$ to yield a new automaton that localizes the signal a so that in $A \setminus a$, (i) any occurrence of a is hidden and (ii) any requirement of a is demanded from $A \setminus a$ itself.

$A \setminus a$ is given by the automaton $A \setminus a = (Q, q_0, I \setminus \{a\}, O \setminus \{a\}, C, T_a)$, where $T_a$ is as follows:
$$T_a = \{\,(q_1,\ b[a \mapsto \mathit{true}],\ O' \setminus \{a\},\ C',\ q_2) \mid (q_1, b, O', C', q_2) \in T,\ b[a \mapsto \mathit{true}] \neq \mathit{false},\ a \in O'\,\}$$
$$\cup\ \{\,(q_1,\ b[a \mapsto \mathit{false}],\ O',\ C',\ q_2) \mid (q_1, b, O', C', q_2) \in T,\ b[a \mapsto \mathit{false}] \neq \mathit{false},\ a \notin O'\,\}$$
The transitions in $T_a$ are derived from two kinds of transitions in T: (i) all those transitions of T in which a is output and a is assumed to be present in the input; the latter is represented by substituting the truth value T for a in the input expression b, and (ii) all those transitions in which a is not output by A and a is assumed to be absent in the input. Note that a occurs neither in the input condition nor in the output set of $A \setminus a$.

It would be interesting to see whether these operators preserve reactivity and determinism. The following lemmata provide the answer:

Lemma 3.7. If $A_1$ and $A_2$ are reactive (or deterministic) then so are $A_1 \| A_2$ and $(A_1)(q \| A_2)$.

Lemma 3.8. $A \setminus a$ need not be reactive (nor deterministic) even if A is.

Lemma 3.9. $A_1 // A_2$ is reactive when $A_1, A_2$ are reactive. But it need not be deterministic even if $A_1$ and $A_2$ are.

Now we define an equivalence relation over automata.

Definition 3.10. Let $A_i = (Q_i, q_{0i}, I_i, O_i, C_i, T_i)$, $i = 1, 2$ be two automata. Suppose $\mathcal{R}$ is a symmetric binary relation over the states of these automata. Then $\mathcal{R}$ is a bisimulation relation provided whenever $q_1 \,\mathcal{R}\, q_2$, if $(q_1, b, O', C', q_1') \in T_1$, then
$$\forall m \in \mathcal{M}(I):\ (m \to b) \to \exists b' : (m \to b') \wedge (q_2, b', O', C', q_2') \in T_2 \wedge q_1' \,\mathcal{R}\, q_2'$$
and vice versa. A pair of CBA automata is said to be bisimilar provided that there is a bisimulation equivalence relation $\mathcal{R}$ such that the initial states of the two automata are related by $\mathcal{R}$.

4. IMPLEMENTATION OF COMMUNICATING REACTIVE STATE MACHINES

An Argos program is compiled into a reactive process that communicates with an environment that provides/accepts the input/output signals required/produced during the execution of the reactive process. The execution of a reactive process is a series of atomic reactions (usually at regular intervals of time). Each reaction takes a bounded and a priori known amount of time, which is negligible compared to the frequency of reactions (synchrony hypothesis). Its effect is deterministic, it being a function of the state of the reactive process and the various inputs provided by the environment. Reactions are defined for all possible states of the reactive process and for all possible status of input signals. As a result of a reaction, output events are generated and the internal state of the process changes.
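The node side of this scheme, as an added example that is not part of the paper: one reaction of a compiled CRSM node, defined for every state and input status and deterministic, using the three implicit signals per rendezvous r that this section introduces, $S_r$ (start, emitted on entering the rendezvous state), $R_r$ (return, received from the coordinator) and $K_r$ (kill, emitted when a normal transition preempts the communication). The `train_node` automaton and the choice that preemption wins over a simultaneous return signal are my assumptions, not the paper's.

```python
# Added example (not from the paper): one atomic reaction of a CRSM node compiled
# into a reactive process, using the per-rendezvous coordinator signals S_r (start),
# R_r (return) and K_r (kill). The node in train_node() is constructed and only
# loosely follows the Train component of the track controller example.
from typing import NamedTuple

class Edge(NamedTuple):
    src: str
    guard: object         # predicate over the set of present input signals
    out: frozenset        # signals emitted when the edge is taken
    dst: str
    exit_edge: bool = False   # broken arrow: taken only when the rendezvous completes

class Node(NamedTuple):
    q0: str
    edges: tuple
    rendezvous: dict      # rendezvous state -> channel r it communicates on

def react(node, state, inputs):
    """Returns (next_state, outputs) for one reaction. It is total (with no enabled
    edge the node stays and emits nothing) and rejects non-deterministic nodes.
    Assumption: a normal edge leaving a rendezvous state wins over a simultaneous
    return signal, i.e. preemption beats completion in the same instant."""
    r = node.rendezvous.get(state)
    done = r is not None and f"R_{r}" in inputs        # coordinator: partner committed
    enabled = [e for e in node.edges
               if e.src == state and e.guard(inputs) and (done or not e.exit_edge)]
    normal = [e for e in enabled if not e.exit_edge]
    if len(normal) > 1:
        raise ValueError(f"{len(normal)} normal edges enabled in {state}: not deterministic")
    chosen = normal[0] if normal else next((e for e in enabled if e.exit_edge), None)
    if chosen is None:
        return state, frozenset()                      # wait; S_r was sent on entry
    outs = set(chosen.out)
    if r is not None and not chosen.exit_edge:
        outs.add(f"K_{r}")                             # preempted: tell the coordinator
    entered = node.rendezvous.get(chosen.dst)
    if entered is not None and chosen.dst != state:
        outs.add(f"S_{entered}")                       # ready: request the rendezvous
    return chosen.dst, frozenset(outs)

def train_node():
    """Constructed sketch: I -enter-> A -resv_next-> RV (rendezvous on cn)
    -exit/goAhead-> D -bye-> I; 'bye' while in RV preempts the reservation."""
    has = lambda sig: (lambda v: sig in v)
    return Node("I", (
        Edge("I", has("enter"), frozenset(), "A"),
        Edge("A", has("resv_next"), frozenset(), "RV"),
        Edge("RV", has("bye"), frozenset(), "I"),
        Edge("RV", lambda v: True, frozenset({"goAhead"}), "D", exit_edge=True),
        Edge("D", has("bye"), frozenset(), "I"),
    ), {"RV": "cn"})

def run(node, instants):
    """Drive the node through a list of input sets; returns the (state, outputs) trace."""
    state, trace = node.q0, []
    for present in instants:
        state, outs = react(node, state, frozenset(present))
        trace.append((state, outs))
    return trace
```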
A CRSM is translated into a set of such reactive processes, one corresponding to each of its nodes. The environments of such reactive processes are independent and they, besides providing/accepting signals to/from the reactive process, will have a special process, called the coordinator, for handling rendezvous statements. The interaction between a node and its coordinator is also by means of logical signals. Each node interacts with its coordinator by means of (at least) three implicit signals for each rendezvous command. Suppose r is a rendezvous statement. Then the three signals are $S_r$, the start signal, $R_r$, the return signal, and $K_r$, the kill signal. $S_r$ is the request signal output by the node in a reaction where it is ready to execute the rendezvous r. $K_r$ is the signal, again output by the CRSM node, when a local reaction preempts the rendezvous r. $R_r$ is the input signal generated by the coordinator to indicate to the node that it can go ahead with the completion of the execution of the rendezvous statement.

The semantics of rendezvous requires that a node can complete a rendezvous provided its partner node also completes the rendezvous. Thus, in order to generate return signals, coordinators of different CRSM nodes execute a complex protocol at the end of which they can generate the corresponding return signals to the respective CRSM nodes. This protocol is similar to a protocol required for executing CSP I/O commands (Ramesh, 1987; Tsay and Bagrodia, 1992). The translation of each CRSM node into a reactive process is a straightforward extension of the conventional compilation of Argos processes. The difficult part of the implementation is the design of the protocol between coordinators for generating the return signals. Though a rendezvous explicitly involves one handshake communication between a pair of CRSM nodes, the protocol requires a number of control signals to be exchanged between the concerned coordinators. The problem of designing this protocol is complicated by the following two important aspects:
• The required solution should be distributed in the sense that no single coordinator has complete knowledge about the instantaneous state of the entire system.
• Local reactive computations are invoked at arbitrary points of time.
It has been shown in (Ramesh and Shetty, 1998) that it is impossible to have a reasonable implementation without relaxing one of the above constraints. The constraint of a distributed solution cannot be relaxed. The other constraint can be relaxed by preventing the reactive computation at certain crucial times. An efficient solution to the problem in the context of communicating reactive processes has been given in (Ramesh, 1998).

5. REFERENCES
Y-K. Tsay and R. L. Bagrodia, A real-time algorithm for fair interprocess synchronization, in Proceedings of the 12th International Conference on Distributed Computing Systems, Yokohama, Japan, 1992.
G. Berry, S. Ramesh and R. K. Shyamasundar, Communicating Reactive Processes, in Proceedings of the POPL Conference, ACM, 1993.
S. Fischer, A. Scholz and D. Taubner, Verification in process algebra of the distributed control of track vehicles - a case study, in 4th Int. Workshop on CAV '92, Montreal, LNCS Vol. 663, 1992.
D. Harel, A visual formalism for complex systems, Science of Computer Programming, 8, 1987.
C. A. R. Hoare, Communicating Sequential Processes, Comm. of the ACM, 21(8), August 1978.
F. Maraninchi and N. Halbwachs, Compositional semantics of nondeterministic synchronous languages, Proc. of ESOP '96, LNCS Vol. 630, Springer Verlag, 1996.
F. Maraninchi, Argonaute: graphical description, semantics and verification of reactive systems by using a process algebra, LNCS Vol. 407, Springer Verlag, August 1992.
F. Maraninchi, Operational and compositional semantics of synchronous automaton compositions, in CONCUR, Springer Verlag, LNCS 630, August 1992.
F. Maraninchi and M. Jourdan, A modular state transition approach for programming real time systems, ACM SIGPLAN Workshop on Languages, Compiler and Tool Support for Real Time Systems, 1994.
R. Milner, Communication and Concurrency, Prentice-Hall, New York, 1989.
S. Ramesh, A new efficient implementation of CSP with output guards, in Proceedings of the 7th International Conference on Distributed Computing Systems, Berlin, Germany, 1987.
S. Ramesh and C. M. Shetty, Impossibility of synchronization in the presence of preemption, Journal of Parallel Processing Letters, Vol. 8, No. 1, March/April 1998.
S. Ramesh, Implementation of Communicating Reactive Processes, submitted for publication, 1997.