Soundness of the Quasi-Synchronous Abstraction
Guillaume Baudart Timothy Bourke Marc Pouzet
École normale supérieure, INRIA Paris, UPMC
FMCAD’16 Mountain View, 06-10-2016
Distributed Embedded Systems

Distributed controllers for critical embedded systems.

Example: Flight Control System (from [Miller et al. 2015]), generating pitch and roll guidance commands.
• Two redundant Flight Guidance Systems (FGS); only one active side (pilot side).
• The crew can switch from one to the other through a transfer switch.
• The two modules must share their state to avoid control glitches.
• Run the embedded application... on distributed architectures.

[Figure: sensor1 and sensor2 feed the two FGS modules; their outputs cmd1 and cmd2 go through the transfer switch, which delivers cmd to the actuators]
Synchronous Real-Time Model

For each process, activations are triggered by a local clock. Execution: an infinite sequence of activations (κ_i)_{i∈ℕ}.
• For each process: known bounds for the time between two clock activations: 0 ≤ Tmin ≤ κ_i − κ_{i−1} ≤ Tmax
• Buffered communication without message inversion or loss
• Bounded communication delay (CD): 0 ≤ τmin ≤ τ ≤ τmax

[Figure: two processes A and B, each driven by its own clock, exchanging messages over a channel with bounded delay]
Overview

Industrial practices observed at Airbus [Caspi 2000]
→ Quasi-Synchronous Abstraction (ACSD'06)
→ Verification: verifying safety-critical applications running on quasi-periodic architectures (Verimag'08, DASC'14, Memocode'14, Memocode'15, Air Force'15)

Contributions:
• The abstraction is not sound in general
• Give exact conditions of application
The Big Picture

Real-time Model (RT): processes A and B with activation periods TA, TB and transmission delays τA, τB, where
  0 < Tmin ≤ TA, TB ≤ Tmax
  0 < τmin ≤ τA, τB ≤ τmax

Discrete-time Model (DT): processes A and B driven by a scheduler through logical clocks cA, cB.

Soundness: DT ⊨ ϕ ⟹ RT ⊨ ϕ

Why discretize? Verification in a simpler discrete-time model, using discrete-time model checking tools: Lesar (Verimag) [Halbwachs et al 1992] and Kind2 (UIowa) [Hagen, Tinelli 2008].
Abstracting Real Time

Abstracting execution time: the execution time τexec and the sending time τsend are folded into a single transmission delay τ = τexec + τsend.
Abstracting Real Time (continued)

Abstracting communication. Problems:
• Lots of possible interleavings
• Too general

Can we do better using real-time assumptions?
The Quasi-Synchronous Abstraction

“It is not the case that a component process executes more than twice between two successive executions of another process.”

Focus on 'almost' synchronous architectures with fast transmissions. Reduce the state-space in two ways:
1. Transmissions as unit delays (one step of the logical clock): replace transmission with precedence.
2. Limit activation interleavings: a process is at most twice as fast as another.

Is this abstraction sound?
Unitary Discretization

Definition: A trace is unitary discretizable if there exists a discretization where transmissions can be modeled as unit delays.

[Figure: a two-process trace with transmission delays bounded by τmax and its unit-delay discretization]
Always possible if transmissions are not instantaneous.

Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Some traces are not captured by the discrete abstraction.
Trace Graph

Gather all constraints on the unitary discretization f in a weighted graph:
  after reception:  x —1→ y  ⟹  f(x) < f(y)
  before reception: x —0→ y  ⟹  f(x) ≤ f(y)

Lemma: A trace is unitary discretizable if and only if there is no cycle of positive weight in the associated trace graph.

Definition: A real-time model is unitary discretizable if all possible traces are unitary discretizable.

[Figure: a three-process trace with delays bounded by τmax whose trace graph contains a cycle with edge weights 1, 0, 0, i.e. of positive weight]
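As an added illustration of the trace graph and the lemma (not code from the slides or from the authors' tools), the following Python builds the weighted trace graph of a constructed trace and searches for a positive-weight cycle by longest-path relaxation; when no such cycle exists, the distances found are themselves a valid unitary discretization f. The Act/Msg types, the arrival times, and the reading that the 0-edge runs from the receiver's last activation before arrival to the sending activation are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Act:
    """One activation of a process: process name, rank on that process, real time."""
    proc: str
    rank: int
    t: float

@dataclass(frozen=True)
class Msg:
    """A message emitted at activation `src`, arriving at process `dst` at real time `arrival`."""
    src: Act
    dst: str
    arrival: float

def trace_graph(acts: dict, msgs: list) -> list:
    """Edges (x, y, w) of the trace graph: each constrains any unitary discretization f
    to satisfy f(y) >= f(x) + w (w = 1 encodes f(x) < f(y), w = 0 encodes f(x) <= f(y))."""
    edges = []
    for seq in acts.values():
        # successive activations of one process map to strictly increasing logical instants
        edges += [(x, y, 1) for x, y in zip(seq, seq[1:])]
    for m in msgs:
        seq = acts[m.dst]
        after = [a for a in seq if a.t >= m.arrival]   # activations that see the message
        before = [a for a in seq if a.t < m.arrival]   # activations that do not see it yet
        if after:    # after reception: the receiver reads the value one logical step later
            edges.append((m.src, after[0], 1))
        if before:   # before reception: the previous activation must not see the value
            edges.append((before[-1], m.src, 0))
    return edges

def unitary_discretization(acts: dict, msgs: list) -> Optional[dict]:
    """Longest-path relaxation (Bellman-Ford with maximisation) over the trace graph.
    Returns a valid discretization f, or None when a positive-weight cycle makes one impossible."""
    edges = trace_graph(acts, msgs)
    nodes = [a for seq in acts.values() for a in seq]
    f = {a: 0 for a in nodes}
    for _ in range(len(nodes) - 1):
        changed = False
        for x, y, w in edges:
            if f[y] < f[x] + w:
                f[y] = f[x] + w
                changed = True
        if not changed:
            break
    # an edge that can still be relaxed lies on a cycle of positive weight (the lemma)
    return None if any(f[y] < f[x] + w for x, y, w in edges) else f

def two_process_trace():
    """Constructed trace: A and B (period 1, B offset by 0.5) exchange messages with delays <= 0.3."""
    a = [Act("A", 0, 0.0), Act("A", 1, 1.0), Act("A", 2, 2.0)]
    b = [Act("B", 0, 0.5), Act("B", 1, 1.5), Act("B", 2, 2.5)]
    msgs = [Msg(a[0], "B", 0.2), Msg(b[0], "A", 0.8), Msg(a[1], "B", 1.3)]
    return {"A": a, "B": b}, msgs

def three_process_trace():
    """Constructed counter-example on the u-cycle A->B, B->C, A->C: B relays A's value to C
    (arrival 0.3) before A's own, slower message to C arrives (0.5), so C's first activation
    must be both after B's and not after A's: a positive cycle a0 -> b0 -> c0 -> a0."""
    a = [Act("A", 0, 0.0), Act("A", 1, 1.0)]
    b = [Act("B", 0, 0.2), Act("B", 1, 1.2)]
    c = [Act("C", 0, 0.4), Act("C", 1, 1.4)]
    msgs = [Msg(a[0], "B", 0.1), Msg(b[0], "C", 0.3), Msg(a[0], "C", 0.5)]
    return {"A": a, "B": b, "C": c}, msgs

if __name__ == "__main__":
    print(unitary_discretization(*two_process_trace()))    # a valid f
    print(unitary_discretization(*three_process_trace()))  # None
```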
Recovering Soundness

Forbidden topologies in the static communication graph: u-cycle, balanced u-cycle, cycle.
[Figure: three small communication graphs on nodes A, B, C, D illustrating a u-cycle, a balanced u-cycle and a cycle]
These can be allowed at the cost of additional timing constraints.

Theorem: A quasi-periodic architecture is unitary discretizable if and only if, in the communication graph,
1. all u-cycles are cycles or balanced u-cycles, or τmax = 0, and
2. there is no balanced u-cycle, or τmin = τmax, and
3. there is no cycle, or Tmin ≥ Lc·τmax, where Lc is the size of the longest elementary cycle.
Recovering Soundness (proof)

Proof: If there is a u-cycle, construction of a counter-example.

[Figure: communication graph on A, B, C, D, E containing a u-cycle; going around it, q = 3 edges are traversed in one direction and p = 2 in the other]

q > p ⟹ ε = (qτmax − pτmin)/q > 0

[Figure: the counter-example trace along the u-cycle, annotated with transmission delays τmax and τmin and with trace-graph edges of weight 1 and 0]

We built a cycle of positive weight!
Recovering Soundness (proof, continued)

Proof: On the other hand, by contraposition, a positive cycle (PC) of the trace graph corresponds to a u-cycle of the communication graph, which is either a cycle, a balanced u-cycle, or neither:
• cycle: +1 ⟹ Tmin ≥ Lc·τmax (Condition 3)
• balanced u-cycle: +1 ⟹ τmin < τmax (Condition 2)
• other u-cycle: +1 ⟹ τmax = 0 (Condition 1)
Topology Examples

Communications of the application:
• daisy chain (A, B, C, D): Tmin ≥ 2τmax
• star (A, B, C, D, E, F): Tmin ≥ 2τmax
• unidirectional ring (A, B, C, D, E): Tmin ≥ 5τmax
• bidirectional ring (A, B, C, D, E): τmax = 0
• fully connected (A, B, C, D, E): τmax = 0

The last two require instantaneous communications.
Quasi-Synchronous Systems

“It is not the case that a component process executes more than twice between two successive executions of another process.”

For any node:
1. no more than 2 activations between 2 message receptions (Condition 1)
2. no more than 2 message receptions between two activations (Condition 2)
Quasi-Synchronous Systems (continued)

“It is not the case that a component process executes more than twice between two successive executions of another process.”

Theorem: A real-time model is quasi-synchronous if and only if
1. it is unitary discretizable, and
2. 2Tmin + τmin ≥ Tmax + τmax.

[Figure: worst-case scenario: one node activating with period Tmax and sending with delay τmax, against another activating twice with period Tmin and sending with delay τmin]
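As an added example (not the authors' code) that covers both the topology theorem with its five example topologies above and the quasi-synchrony theorem, this Python enumerates the u-cycles of a communication graph, derives the timing condition each one imposes, and then checks concrete values of Tmin, Tmax, τmin, τmax against those conditions together with 2Tmin + τmin ≥ Tmax + τmax. It assumes the reading that a u-cycle is a simple cycle of the undirected multigraph underlying the communication graph (the edges A→B and B→A are distinct, so a daisy chain contains 2-cycles) and is balanced when as many of its edges are traversed forwards as backwards; node names, the DIAMOND graph and all numeric values are constructed.

```python
def u_cycles(edges):
    """Enumerate the simple cycles of the undirected multigraph underlying the directed
    communication graph `edges`. Yields (length, q, p): q edges traversed in their own
    direction, p traversed against it. Each edge set is reported once."""
    adj = {}
    for i, (u, v) in enumerate(edges):
        adj.setdefault(u, []).append((v, i, True))    # walk u -> v along the edge
        adj.setdefault(v, []).append((u, i, False))   # walk v -> u against the edge
    seen = set()

    def walk(start, node, used, q, p, visited):
        for nxt, eid, fwd in adj.get(node, []):
            if eid in used:
                continue
            q2, p2 = q + int(fwd), p + int(not fwd)
            if nxt == start:
                key = frozenset(used | {eid})
                if key not in seen:      # same cycle reached from another start or orientation
                    seen.add(key)
                    yield len(key), q2, p2
            elif nxt not in visited:
                yield from walk(start, nxt, used | {eid}, q2, p2, visited | {nxt})

    for start in list(adj):
        yield from walk(start, start, frozenset(), 0, 0, frozenset({start}))

def topology_conditions(edges):
    """Timing conditions the theorem demands for this communication graph:
    condition 1 (unbalanced u-cycle -> tau_max = 0), condition 2 (balanced u-cycle ->
    tau_min = tau_max), condition 3 (cycle -> T_min >= Lc * tau_max, Lc = longest cycle)."""
    tau_max_zero, tau_eq, lc = False, False, 0
    for length, q, p in u_cycles(edges):
        if p == 0 or q == 0:          # a genuine directed cycle
            lc = max(lc, length)
        elif p == q:                  # balanced u-cycle
            tau_eq = True
        else:                         # unbalanced u-cycle
            tau_max_zero = True
    return {"tau_max_zero": tau_max_zero, "tau_min_eq_max": tau_eq, "lc": lc}

def is_unitary_discretizable(edges, T_min, tau_min, tau_max):
    """Evaluate the three conditions of the theorem for concrete timing parameters."""
    c = topology_conditions(edges)
    return ((not c["tau_max_zero"] or tau_max == 0)
            and (not c["tau_min_eq_max"] or tau_min == tau_max)
            and T_min >= c["lc"] * tau_max)

def is_quasi_synchronous(edges, T_min, T_max, tau_min, tau_max):
    """Quasi-synchronous iff unitary discretizable and 2*T_min + tau_min >= T_max + tau_max."""
    return (is_unitary_discretizable(edges, T_min, tau_min, tau_max)
            and 2 * T_min + tau_min >= T_max + tau_max)

def ring(nodes, bidirectional):
    fwd = [(nodes[i], nodes[(i + 1) % len(nodes)]) for i in range(len(nodes))]
    return fwd + [(v, u) for u, v in fwd] if bidirectional else fwd

# Constructed topologies mirroring the slide's examples (plus a balanced-u-cycle diamond)
DAISY_CHAIN = [(u, v) for u, v in zip("ABC", "BCD")] + [(v, u) for u, v in zip("ABC", "BCD")]
STAR = [(leaf, "A") for leaf in "BCDEF"] + [("A", leaf) for leaf in "BCDEF"]
UNI_RING, BI_RING = ring("ABCDE", False), ring("ABCDE", True)
FULLY_CONNECTED = [(u, v) for u in "ABCDE" for v in "ABCDE" if u != v]
DIAMOND = [("A", "B"), ("B", "C"), ("A", "D"), ("D", "C")]   # A->B->C and A->D->C: balanced

if __name__ == "__main__":
    for name, g in [("daisy chain", DAISY_CHAIN), ("star", STAR), ("uni ring", UNI_RING),
                    ("bi ring", BI_RING), ("fully connected", FULLY_CONNECTED), ("diamond", DIAMOND)]:
        print(name, topology_conditions(g))
```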
Conclusion

The quasi-synchronous abstraction:
1. Model transmissions as unit delays
2. Constrain node activation interleavings

Contributions:
• Condition 1 is not sound in general
• Notion of unitary discretization
• Necessary and sufficient conditions to recover soundness
• Characterization of quasi-synchronous systems

Constrain both the communication graph and the real-time characteristics of the architecture to recover soundness of the quasi-synchronous abstraction.