Chapter 8

Model-Based Design

Concepts: design process
  requirements to models to implementations

Models: check properties of interest
  safety on the appropriate (sub)system
  progress on the overall system

Practice: model interpretation to infer actual system behavior
  threads and monitors

Aim: rigorous design process

Concurrency: model-based design
Magee/Kramer

8.1 from requirements to models

Requirements: any appropriate approach can be used
  - goals of the system
  - scenarios (Use Case models)
  - properties of interest

Design:
  - identify the main events, actions and interactions
  - identify and define the main processes
  - identify and define the properties of interest
  - structure the processes into an architecture

Model:
  - check traces of interest
  - check properties of interest

a Cruise Control System - requirements

When the car ignition is switched on and the on button is pressed, the current speed is recorded and the system is enabled: it maintains the speed of the car at the recorded setting. Pressing the brake, accelerator or off button disables the system. Pressing resume or on re-enables the system.

a Cruise Control System - hardware

[Figure: hardware block diagram. The buttons (on, off, resume), brake (pressed), accelerator (pressed) and engine (on, off) sensors feed the PIA, which the CPU polls; the wheel sensor raises an interrupt to the CPU; the CPU drives the throttle through a D/A converter.]

Parallel Interface Adapter (PIA) is polled every [interval] msec. It records the actions of the sensors: buttons (on, off, resume), brake (pressed), accelerator (pressed), engine (on, off).

Wheel revolution sensor generates interrupts to enable the car speed to be calculated.

Output: The cruise control system controls the car speed by setting the throttle via the digital-to-analogue converter.

model - outline design

outline processes and interactions

[Figure: outline process diagram; the interactions are labelled Sensors, Engine, Prompts, speed and setThrottle.]

Sensor Scan monitors the buttons, brake, accelerator and engine events.

Input Speed monitors the speed when the engine is on and provides the current speed readings to Speed Control.

Cruise Controller triggers clear speed and record speed and enables or disables the speed control.

Speed Control clears and records the speed and sets the throttle accordingly when enabled.

Throttle sets the actual throttle.

model - structure, actions and interactions

Main events, actions and interactions:
  on, off, resume, brake, accelerator
  engine on, engine off
  speed, setThrottle
  clearSpeed, recordSpeed, enableControl, disableControl

Identify main processes:
  Sensor Scan, Input Speed, Cruise Controller, Speed Control and Throttle

Identify main properties:
  safety - disabled when off, brake or accelerator pressed

Define and structure each process.

[Figure: structure diagram. CRUISE CONTROL SYSTEM is composed of SENSOR SCAN, INPUT SPEED, CONTROL (itself CRUISE CONTROLLER and SPEED CONTROL) and THROTTLE; the shared actions are labelled Sensors, Engine, Prompts, speed and setThrottle.]

The CONTROL system is structured as two processes. The main actions and interactions are as shown.

set Sensors = {engineOn,engineOff,on,off,
               resume,brake,accelerator}
set Engine = {engineOn,engineOff}
set Prompts = {clearSpeed,recordSpeed,
               enableControl,disableControl}

model elaboration - process definitions

// monitor the sensors
SENSORSCAN = ({Sensors} -> SENSORSCAN).

// monitor speed when engine on
INPUTSPEED = (engineOn -> CHECKSPEED),
CHECKSPEED = (speed -> CHECKSPEED
             |engineOff -> INPUTSPEED
             ).

// enable speed control when cruising,
// disable when off, brake or accelerator pressed
CRUISECONTROLLER = INACTIVE,
INACTIVE = (engineOn -> clearSpeed -> ACTIVE),
ACTIVE   = (engineOff -> INACTIVE
           |on -> recordSpeed -> enableControl -> CRUISING
           ),
CRUISING = (engineOff -> INACTIVE
           |{off,brake,accelerator} -> disableControl -> STANDBY
           |on -> recordSpeed -> enableControl -> CRUISING
           ),
STANDBY  = (engineOff -> INACTIVE
           |resume -> enableControl -> CRUISING
           |on -> recordSpeed -> enableControl -> CRUISING
           ).

// zoom when throttle set
THROTTLE = (setThrottle -> zoom -> THROTTLE).

// perform speed control when enabled
SPEEDCONTROL = DISABLED,
DISABLED = ({speed,clearSpeed,recordSpeed} -> DISABLED
           |enableControl -> ENABLED
           ),
ENABLED  = (speed -> setThrottle -> ENABLED
           |{recordSpeed,enableControl} -> ENABLED
           |disableControl -> DISABLED
           ).

model - CONTROL subsystem

||CONTROL = (CRUISECONTROLLER
            ||SPEEDCONTROL
            ).

Animate to check particular traces:
  - Is control enabled after the engine is switched on and the on button is pressed?
  - Is control disabled when the brake is then pressed?
  - Is control re-enabled when resume is then pressed?

However, we need to analyse to exhaustively check:
  Safety: Is the control disabled when off, brake or accelerator is pressed?
  Progress: Can every action eventually be selected?

model - Safety properties

Safety checks are compositional. If there is no violation at a subsystem level, then there cannot be a violation when the subsystem is composed with other subsystems.

This is because if the ERROR state of a particular safety property is unreachable in the LTS of the subsystem, it remains unreachable in any subsequent parallel composition which includes the subsystem. Hence:

Safety properties should be composed with the appropriate system or subsystem to which the property refers. In order that the property can check the actions in its alphabet, these actions must not be hidden in the system.

model - Safety properties

property CRUISESAFETY =
  ({off,accelerator,brake,disableControl} -> CRUISESAFETY
  |{on,resume} -> SAFETYCHECK
  ),
SAFETYCHECK =
  ({on,resume} -> SAFETYCHECK
  |{off,accelerator,brake} -> SAFETYACTION
  |disableControl -> CRUISESAFETY
  ),
SAFETYACTION = (disableControl -> CRUISESAFETY).

LTS?

||CONTROL = (CRUISECONTROLLER
            ||SPEEDCONTROL
            ||CRUISESAFETY
            ).

Is CRUISESAFETY violated?

model analysis

We can now compose the whole system:

||CONTROL =
  (CRUISECONTROLLER||SPEEDCONTROL||CRUISESAFETY
  )@ {Sensors,speed,setThrottle}.
||CRUISECONTROLSYSTEM =
  (CONTROL||SENSORSCAN||INPUTSPEED||THROTTLE).

Deadlock? Safety?
  No deadlocks/errors

Progress?

model - Progress properties

Progress checks are not compositional. Even if there is no violation at a subsystem level, there may still be a violation when the subsystem is composed with other subsystems.

This is because an action in the subsystem may satisfy progress yet be unreachable when the subsystem is composed with other subsystems which constrain its behavior. Hence:

Progress checks should be conducted on the complete target system after satisfactory completion of the safety checks.

Check with no hidden actions:

Progress violation for actions:
{engineOn, clearSpeed, engineOff, on, recordSpeed,
enableControl, off, disableControl, brake,
accelerator...........}
Path to terminal set of states:
engineOn
clearSpeed
on
recordSpeed
enableControl
engineOff
engineOn
Actions in terminal set:
{speed, setThrottle, zoom}

Control is not disabled when the engine is switched off.

cruise control model - minimized LTS

||CRUISEMINIMIZED = (CRUISECONTROLSYSTEM)
                    @ {Sensors,speed}.

[Figure: minimized LTS of CRUISECONTROLSYSTEM (numbered states; transitions labelled engineOn, on, speed, engineOff, resume, accelerator, brake and off).]

Action hiding and minimization can help to reduce the size of the LTS diagram and make it easier to interpret.

model - revised cruise control system

Modify CRUISECONTROLLER so that control is disabled when the engine is switched off:

CRUISING = (engineOff -> disableControl -> INACTIVE
           |{off,brake,accelerator} -> disableControl -> STANDBY
           |on -> recordSpeed -> enableControl -> CRUISING
           ),

Modify the safety property:

property IMPROVEDSAFETY =
  ({off,accelerator,brake,disableControl,engineOff} -> IMPROVEDSAFETY
  |{on,resume} -> SAFETYCHECK
  ),
SAFETYCHECK =
  ({on,resume} -> SAFETYCHECK
  |{off,accelerator,brake,engineOff} -> SAFETYACTION
  |disableControl -> IMPROVEDSAFETY
  ),
SAFETYACTION = (disableControl -> IMPROVEDSAFETY).

model - revised cruise control system

Minimized LTS:

[Figure: minimized LTS of the revised system (numbered states; transitions labelled engineOn, on, speed, engineOff, resume, accelerator, brake and off).]

No progress violations detected.

model - system sensitivities

What about under adverse conditions? Check for system sensitivities:

||SPEEDHIGH = CRUISECONTROLSYSTEM << {speed}.

No deadlocks/errors
Progress violation for actions:
{engineOn, engineOff, on, off, brake, accelerator,
resume, setThrottle, zoom}
Path to terminal set of states:
engineOn
tau
Actions in terminal set:
{speed}

The system may be sensitive to the priority of the action speed.

OK now?
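The three questions the slides put to LTSA (Safety? Deadlock? Progress?), for the CONTROL subsystem, for the whole CRUISECONTROLSYSTEM, for the revised controller and for the `<< {speed}` sensitivity check, can be reproduced with a small explicit-state checker. The block below is an added example, not the authors' code and not LTSA: the encoding of each FSP process as a Python dict of transitions, the `Process`, `compose`, `check` and `check_system` names, and the default-progress and priority rules it implements (a terminal set must offer every action of the alphabet; with `<<`, a low-priority action is taken only when no high-priority action is enabled) are assumptions of the example. `check_system()` reports the progress violation with terminal set {speed, setThrottle, zoom} and the seven-action path shown on the slide; `check_system(revised=True)` reports none; and `check_system(revised=True, priority={"speed"})` reproduces the {speed} terminal set.

```python
"""Added example (not the authors' code, nor LTSA): explicit-state Safety/Deadlock/Progress checks
for the slides' cruise control model, with processes given as {state: [(action, ..., next_state)]}."""
from collections import deque
ERROR = "ERROR"

class Process:
    def __init__(self, init, trans, is_property=False):
        self.init, self.is_property, self.trans = init, is_property, {}
        for state, edges in trans.items():              # unfold a -> b -> S via fresh states
            for n, (*acts, target) in enumerate(edges):
                path = [state] + [f"{state}~{n}.{i}" for i in range(1, len(acts))] + [target]
                for a, src, dst in zip(acts, path, path[1:]):
                    self.trans.setdefault(src, []).append((a, dst))
        self.alpha = {a for edges in self.trans.values() for a, _ in edges}

    def step(self, state, action):                      # local successor; None = blocks it
        if action not in self.alpha:
            return state                                # not a participant: unchanged
        for a, nxt in self.trans.get(state, []):
            if a == action:
                return nxt
        return ERROR if self.is_property else None      # property: unoffered action = ERROR

def compose(procs, priority=()):
    """Parallel composition by BFS: a shared action needs every participant to offer it."""
    init, alpha = tuple(p.init for p in procs), set().union(*(p.alpha for p in procs))
    edges, parent, queue = {}, {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        succ = [(a, t) for a in sorted(alpha)
                if None not in (t := tuple(p.step(q, a) for p, q in zip(procs, s)))]
        if any(a in priority for a, _ in succ):        # LTSA `<<`: low priority waits
            succ = [(a, t) for a, t in succ if a in priority]
        edges[s] = succ
        for a, t in succ:
            if t not in parent:                         # first visit = shortest path
                parent[t] = (s, a)
                queue.append(t)
    return edges, parent, alpha

def trace_to(parent, s):                                # actions from the initial state to s
    return [] if parent[s] is None else trace_to(parent, parent[s][0]) + [parent[s][1]]

def terminal_sets(edges):
    """Closed SCCs: from each of their states, every reachable state can get back."""
    def reach(s):
        seen, todo = {s}, [s]
        while todo:
            new = [w for _, w in edges[todo.pop()] if w not in seen]
            seen.update(new)
            todo.extend(new)
        return seen
    reach_of = {s: reach(s) for s in edges}
    closed = {frozenset(r) for s, r in reach_of.items() if all(s in reach_of[w] for w in r)}
    return [set(c) for c in closed]

def check(procs, priority=()):
    """What LTSA reports: a trace to ERROR, deadlock traces, and a progress violation."""
    edges, parent, alpha = compose(procs, priority)
    report = {"safety": next((trace_to(parent, s) for s in edges if ERROR in s), None),
              "deadlock": [trace_to(parent, s) for s, e in edges.items() if not e], "progress": None}
    for comp in terminal_sets(edges):
        offered = {a for v in comp for a, _ in edges[v]}
        if offered != alpha:                            # some action can never recur
            entry = min(comp, key=lambda s: len(trace_to(parent, s)))
            report["progress"] = {"missing": sorted(alpha - offered), "terminal": sorted(offered),
                                  "path": trace_to(parent, entry)}
            break
    return report

to = lambda state, acts: [(a, state) for a in acts]     # FSP {a,b} -> STATE
SENSORS = ("engineOn", "engineOff", "on", "off", "resume", "brake", "accelerator")
PEDALS = ("off", "brake", "accelerator")
SENSORSCAN = Process("S", {"S": to("S", SENSORS)})
INPUTSPEED = Process("INPUTSPEED", {"INPUTSPEED": [("engineOn", "CHECKSPEED")],
                                    "CHECKSPEED": [("speed", "CHECKSPEED"), ("engineOff", "INPUTSPEED")]})
THROTTLE = Process("THROTTLE", {"THROTTLE": [("setThrottle", "zoom", "THROTTLE")]})
SPEEDCONTROL = Process("DISABLED", {
    "DISABLED": to("DISABLED", ("speed", "clearSpeed", "recordSpeed")) + [("enableControl", "ENABLED")],
    "ENABLED": to("ENABLED", ("recordSpeed", "enableControl"))
               + [("speed", "setThrottle", "ENABLED"), ("disableControl", "DISABLED")]})
CRUISESAFETY = Process("CRUISESAFETY", {
    "CRUISESAFETY": to("CRUISESAFETY", PEDALS + ("disableControl",)) + to("SAFETYCHECK", ("on", "resume")),
    "SAFETYCHECK": to("SAFETYCHECK", ("on", "resume")) + to("SAFETYACTION", PEDALS)
                   + [("disableControl", "CRUISESAFETY")],
    "SAFETYACTION": [("disableControl", "CRUISESAFETY")]}, is_property=True)

def cruise_controller(revised=False):
    """The slides' CRUISECONTROLLER; revised=True disables control on engineOff while CRUISING."""
    on = ("on", "recordSpeed", "enableControl", "CRUISING")
    eng_off = ("engineOff", "disableControl", "INACTIVE") if revised else ("engineOff", "INACTIVE")
    return Process("INACTIVE", {
        "INACTIVE": [("engineOn", "clearSpeed", "ACTIVE")],
        "ACTIVE": [("engineOff", "INACTIVE"), on],
        "CRUISING": [eng_off, on] + [(a, "disableControl", "STANDBY") for a in PEDALS],
        "STANDBY": [("engineOff", "INACTIVE"), ("resume", "enableControl", "CRUISING"), on]})

def check_system(revised=False, priority=()):          # CRUISECONTROLSYSTEM, nothing hidden
    return check([cruise_controller(revised), SPEEDCONTROL, CRUISESAFETY,
                  SENSORSCAN, INPUTSPEED, THROTTLE], priority)
```

Composing CRUISESAFETY with the CONTROL subsystem alone, `check([cruise_controller(), SPEEDCONTROL, CRUISESAFETY])`, already shows the property cannot be violated there, and adding SENSORSCAN, INPUTSPEED and THROTTLE cannot change that; the progress result, by contrast, only appears once the full system is composed, which is exactly the compositionality distinction the two slides draw.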

model interpretation

Models can be used to indicate system sensitivities.

If it is possible that erroneous situations detected in the model may occur in the implemented system, then the model should be revised to find a design which ensures that those violations are avoided. However, if it is considered that the real system will not exhibit this behavior then no further model revisions are necessary.

Model interpretation and correspondence to the implementation are important in determining the relevance and adequacy of the model design and its analysis.

The central role of design architecture

Design architecture describes the gross organization and global structure of the system in terms of its constituent components.

[Figure: Architecture at the centre, surrounded by the Behavioural View, the Performance View and the Implementation View, with Analysis and Program Construction as the related activities.]

We consider that the models for analysis and the implementation should be considered as elaborated views of this basic design structure.

8.2 from models to implementations

Model:
  - identify the main active entities - to be implemented as threads
  - identify the main shared passive entities - to be implemented as monitors
  - identify the interactive display environment - to be implemented as associated classes
  - structure the classes as a class diagram

Java

cruise control system - class diagram

[Figure: class diagram. CruiseControl (an Applet) holds car: CarSimulator, control: Controller and disp: CruiseDisplay. CarSimulator implements the CarSpeed interface (setThrottle(), getSpeed()). Controller offers brake(), accelerator(), engineOff(), engineOn(), on(), off() and resume() and holds sc: SpeedControl. SpeedControl implements Runnable, offers enableControl(), disableControl(), recordSpeed() and clearSpeed(), and holds cs: CarSpeed and disp: CruiseDisplay. Controller corresponds to CRUISECONTROLLER and SpeedControl to SPEEDCONTROL in the model.]

SpeedControl interacts with the car simulation via interface CarSpeed.

cruise control system - class Controller

Controller is a passive entity - it reacts to events. Hence we implement it as a monitor.

class Controller {
  final static int INACTIVE = 0; // cruise controller states
  final static int ACTIVE   = 1;
  final static int CRUISING = 2;
  final static int STANDBY  = 3;
  private int controlState = INACTIVE; //initial state
  private SpeedControl sc;

  Controller(CarSpeed cs, CruiseDisplay disp)
    {sc=new SpeedControl(cs,disp);}

  synchronized void brake(){
    if (controlState==CRUISING )
      {sc.disableControl(); controlState=STANDBY; }
  }
  synchronized void accelerator(){
    if (controlState==CRUISING )
      {sc.disableControl(); controlState=STANDBY; }
  }
  synchronized void engineOff(){
    if(controlState!=INACTIVE) {
      if (controlState==CRUISING) sc.disableControl();
      controlState=INACTIVE;
    }
  }
  synchronized void engineOn(){
    if(controlState==INACTIVE)
      {sc.clearSpeed(); controlState=ACTIVE;}
  }
  synchronized void on(){
    if(controlState!=INACTIVE){
      sc.recordSpeed(); sc.enableControl();
      controlState=CRUISING;
    }
  }
  synchronized void off(){
    if(controlState==CRUISING )
      {sc.disableControl(); controlState=STANDBY;}
  }
  synchronized void resume(){
    if(controlState==STANDBY)
      {sc.enableControl(); controlState=CRUISING;}
  }
}

cruise control system - class SpeedControl

SpeedControl is an active entity - when enabled a new thread is created which periodically obtains car speed and sets the throttle.

class SpeedControl implements Runnable {
  final static int DISABLED = 0; //speed control states
  final static int ENABLED  = 1;
  private int state = DISABLED;  //initial state
  private int setSpeed = 0;      //target speed
  private Thread speedController;
  private CarSpeed cs;           //interface to control speed
  private CruiseDisplay disp;

  SpeedControl(CarSpeed cs, CruiseDisplay disp){
    this.cs=cs; this.disp=disp;
    disp.disable(); disp.record(0);
  }
  synchronized void recordSpeed(){
    setSpeed=cs.getSpeed(); disp.record(setSpeed);
  }
  synchronized void clearSpeed(){
    if (state==DISABLED) {setSpeed=0;disp.record(setSpeed);}
  }
  synchronized void enableControl(){
    if (state==DISABLED) {
      disp.enable(); speedController= new Thread(this);
      state=ENABLED;
      speedController.start();
    }
  }
  synchronized void disableControl(){
    if (state==ENABLED) {disp.disable(); state=DISABLED;}
  }
  public void run() {
    // the speed controller thread
    try {
      while (state==ENABLED) {
        Thread.sleep(500);
        if (state==ENABLED) synchronized(this) {
          double error = (float)(setSpeed-cs.getSpeed())/6.0;
          double steady = (double)setSpeed/12.0;
          cs.setThrottle(steady+error); //simplified feed back control
        }
      }
    } catch (InterruptedException e) {}
    speedController=null;
  }
}

This is a direct translation from the model.

SpeedControl is an example of a class that combines both synchronized access methods to update local variables and a thread.

Summary

Concepts
  - design process: from requirements to models to implementations

Models
  - check properties of interest
      safety: compose safety properties at appropriate (sub)system
      progress: apply progress check on the final target system model

Practice
  - model interpretation - to infer actual system behavior
  - threads and monitors
  - design architecture

Aim: rigorous design process

Course Outline

Concepts, Models, Practice:
  Processes and Threads
  Concurrent Execution
  Shared Objects & Interference
  Monitors & Condition Synchronization
  Deadlock
  Safety and Liveness Properties
  Model-based Design
  Dynamic systems
  Concurrent Software Architectures
  Message Passing
  Timed Systems