
Ch. 3. Design of R-T Applications

[Figure: development flow; labels: Specifications, Control Synthesis, Tests, Integration, Execution Environment, Design, Implementation, Verification]

Specification: non-formal (texts) or formal description
- declarations
- requirements
Verification of specifications: Petri net based verification, formal verification
E.g.: Activity diagram → Petri nets based verification
Design: structure (e.g. class diagrams = static verification) + behavior (dynamic verification)
Behavior: state machines, sequence diagrams, object collaboration (communication diagrams) → Petri nets
Implementation: state machines → Petri net based verification
Tiberiu Leia: Real-Time Systems Transformation PN-SM-PN 1
3.1. Transformation of Petri Nets into State Machines
3.2. Extending UML
3.3. Using UML Real-Time
3.4. Task structure diagram



3.1. Transformation of Petri Nets into State Machines (and reverse for verification)
PNs can be used for:
- specifications
- design
- verification
State Machines (SMs) were used for the design of applications.

When and why is the transformation necessary?
Can the TPN be implemented using a single thread?
Can the DTPN be implemented using a single thread?
Can the TPN with IA be implemented using a single thread?

The reasons for the transformation:

PN → SM: implementation of the specified applications
SM → PN: verification of the implemented applications
A PN is equivalent to a set of SMs IFF both generate the same sequences of events.



How can a PN be transformed into a set of state machines?

[Figure: state machine SubmachineState1 with three parallel regions, State1 -T1-> State2, State3 -T2-> State4 and State5 -T3-> State6, entered by T5 and left by T4]

= T5(T1&T2&T3)T4
=T5(T1T2T3 +T1T3T2 +T2T3T1 +T2T1T3 +T3T2T1 +T3T1T2)T4.

They have the same sequence of events. They are equivalent.


SM transition notation: Waited_event[Guard_condition]/Signalled_event
Build the equivalent set of state machines.

Semaphore
+permits: int
+acquire()
+release()

acquire(P3) must be atomic
release(P3) must be atomic

= ??? <<add here the content>>

Mutual exclusion P3
What parts of the program are mutually excluded?
[Figure: state machine SubmachineState1 with two parallel regions, S1 -T1.acquire(P3)-> S4 -T3/release(P3)-> S6 and S2 -T2.acquire(P3)-> S5 -T4/release(P3)-> S7, entered by T0 and left by T5]
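
The equivalence criterion (same sequences of events) can be checked mechanically for small nets. The Python sketch below is an added example, not part of the original slides: it plays the token game on the fork-join net behind T5(T1&T2&T3)T4 and on the semaphore P3 net, and the place and arc structure of both nets is an assumption read off the diagrams.

```python
from itertools import permutations

# A net is {transition: (input places, output places)}; a marking is the
# set of marked places (both nets are 1-safe).
# The place/arc structure is an assumption read off the slide diagrams.
FORK_JOIN = {
    "T5": ({"start"}, {"State1", "State3", "State5"}),
    "T1": ({"State1"}, {"State2"}),
    "T2": ({"State3"}, {"State4"}),
    "T3": ({"State5"}, {"State6"}),
    "T4": ({"State2", "State4", "State6"}, {"end"}),
}
MUTEX = {
    "T0": ({"start"}, {"S1", "S2"}),
    "T1": ({"S1", "P3"}, {"S4"}),   # T1.acquire(P3)
    "T3": ({"S4"}, {"S6", "P3"}),   # T3/release(P3)
    "T2": ({"S2", "P3"}, {"S5"}),   # T2.acquire(P3)
    "T4": ({"S5"}, {"S7", "P3"}),   # T4/release(P3)
    "T5": ({"S6", "S7"}, {"end"}),
}

def firing_sequences(net, marking):
    """Return every maximal firing sequence from `marking` (depth-first)."""
    marking = frozenset(marking)
    enabled = [t for t, (pre, _) in net.items() if pre <= marking]
    if not enabled:
        return {()}
    result = set()
    for t in enabled:
        pre, post = net[t]
        for tail in firing_sequences(net, (marking - pre) | post):
            result.add((t,) + tail)
    return result

def expression_sequences():
    """Expand T5(T1&T2&T3)T4, where '&' stands for every interleaving."""
    return {("T5",) + p + ("T4",) for p in permutations(("T1", "T2", "T3"))}

fork_join_seqs = firing_sequences(FORK_JOIN, {"start"})
mutex_seqs = firing_sequences(MUTEX, {"start", "P3"})  # P3 holds one permit

if __name__ == "__main__":
    print(fork_join_seqs == expression_sequences())  # equivalence check
    for seq in sorted(mutex_seqs):
        print(" ".join(seq))
```

With one permit in P3 the second net admits only the two sequences in which one thread's acquire/release pair completes before the other's begins, which is the mutual exclusion the semaphore is meant to enforce.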



Semaphore P3 SM

[Figure: semaphore state machine; state labels Free, HandleRequest, Occupied, Handle, Releasing; transition labels acq(sem)/, /grant, [semList=!empty]/grant, rel(sem)/, [semList==empty]; entry actions entry/add(solicitor,semList) and entry/rem(solicitor,semList)]

Legend:
acq(sem): acquire the semaphore sem
rel(sem): release the semaphore sem
semList: semaphore sem list
add: add a new solicitor in the list
rem: remove a solicitor from the list

[Figure: state machine SubmachineState1 with two parallel regions, P1 -/acq(sem)-> Wait -grant/-> P4 -/rel(sem)-> P6 and P2 -/acq(sem)-> Wait -grant/-> P5 -/rel(sem)-> P7; other labels: /T0, T5, P8]



Draw the corresponding set of state machines.



Building the equivalent set of state machines!
Can you see the potential deadlock in the state machine diagrams?
Can the potential deadlock easily be seen in the PN?



Build the equivalent set of the state machines and prove the equivalent behavior



Build the equivalent set of state machines.



[Figure: state machines SubmachineState1 and SubmachineState2 with states P1 to P6 and transitions T0 to T5]

Double synchronization 1
Prove the equivalence of the two models!
Try the semaphore implementation. (?!?)



[Figure: state machines SubmachineState1 and SubmachineState2 with states P1 to P6 and transitions T0 to T5]

Implementation solutions:
- Barrier
- join()



wait() notify() model:

[Figure: state machine SubmachineState1 with two parallel regions, X -/wait()-> Wait -receive_notify()/-> V and Y -/notify()-> Z]

If T2 and notify() are executed before wait(), the end markings are m(X)=1, m(Z)=1.

Wait - notify synchronization


Prove the equivalence of the two models!
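
The ordering problem noted above, where notify() runs before wait(), shown as an added example that is not part of the original slides. Python's threading.Condition stands in for Java's wait()/notify() here (an assumption of this sketch, as are the function names); a semaphore created with 0 permits and a guarded flag are shown as the two order-independent alternatives.

```python
import threading

def notify_then_wait(timeout=0.2):
    """notify() completes before wait(): the notification is lost.

    Returns True if the waiter was woken, False if it timed out.
    """
    cond = threading.Condition()

    def notifier():
        with cond:
            cond.notify()          # nobody is waiting: nothing is recorded

    t = threading.Thread(target=notifier)
    t.start()
    t.join()                       # force the "notify before wait" ordering
    with cond:
        return cond.wait(timeout)  # an untimed wait would block here

def release_then_acquire(timeout=0.2):
    """Same ordering with a semaphore created with 0 permits.

    release() stores a permit (a token in a place), so the later
    acquire() succeeds. Returns True if the permit was obtained.
    """
    sem = threading.Semaphore(0)
    t = threading.Thread(target=sem.release)
    t.start()
    t.join()
    return sem.acquire(timeout=timeout)

def wait_guarded_by_flag(timeout=0.2):
    """wait()/notify() made order-independent by a flag checked under the lock."""
    cond = threading.Condition()
    state = {"signalled": False}

    def notifier():
        with cond:
            state["signalled"] = True
            cond.notify()

    t = threading.Thread(target=notifier)
    t.start()
    t.join()
    with cond:
        return cond.wait_for(lambda: state["signalled"], timeout)
```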



Double synchronization 2
Prove the equivalence of the two models!
Initialization: P4.permits(0); P7.permits(0)



Double synchronization 3
How can this be programmed using the Java language?



d. Timed PN

=T0[2]T1[4]T2[3]= T0(2)T1(6)T2(9)
Prove the equivalence!
T0[2]: relative time
T0(2): absolute time

[Figure: state machine with states P1, P2 and transitions T0.wait(2), T1.wait(4), T2.wait(3)]



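[Figure: Clock state machine with state Wait, entered on start; transitions wait(x)/t=x, tick[x!=0]/x-- and tick[x==0]/signal(t)]

[Figure: state machine with states Wait_2, P1, Wait_4, P2, Wait_3 and transitions /wait(2), signal(2)/, /wait(4), signal(4)/, /wait(3), signal(3)/]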



Prove the equivalence!

[Figure: UpperThread with places P1, P2 and transitions T0.wait(2)/set(p1), T1.wait(4)/reset(P1), T2.wait(3), T3.wait(3)/reset(P1); LowerThread with places P3, P4 and transitions T4.wait(4), T5.wait(1)]



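[Figure: Clock state machine with state Wait, entered on start; transitions wait(x)/t=x, tick[x!=0]/x-- and tick[x==0]/signal(t)]

[Figure: state machine with states Wait_2, P1, Wait_4, P2, Wait_3 and transitions /wait(2), signal(2)/, /wait(4), signal(4)/, /wait(3), signal(3)/]

[Figure: state machine with states Wait_3, P3, Wait_4, P4, Wait_1 and transitions /wait(3), signal(3), /wait(4), signal(4)/, /wait(1), signal(1)/]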



Alternative

Build the state machine model and prove the equivalence!

=T0[1](T1[2]T3[4]+T2[3]T4[1])T5[0] = T0(1)T2(3)T4(4)T5(4+)
T5(4+)



Synchronous approach
Concurrent execution

Build the state machine model and prove the equivalence!

=T0[0]((T1[2]T3[4])&(T2[3]T4[5]))T5[0] T6[0]= T0(0)((T1(2)T3(6)) & (T2(3)T4(8)))T5(8+) T6(8++)
T8(8++)
T0 and T5 were supposed to be executed immediately.



When is the transition T5 executed?

Build the state machine model and prove the equivalence!



= T0(0+)((T1[1]T3[3]) + (T2[2]T4[4]))
is the blocking action
= T0(0+)T1(1)T3(4)(5+)
The system is blocked at t=5+ t. u. and remains in this state forever.
T5 is not executed.



Asynchronous approach
Concurrent execution on the same processor
- Monoprocessor system
- two threads implementation
- timesharing
- equal priorities

=T0[0](T1[2]T3[?]&T2[3]T4[?])T5[0] T6[0]= T0(0)(T1(2)T3(9) &T2(3)T4(11))T5(11+) T6(11++)
T6(11++)

State machines?



Asynchronous Approach with Variable Durations

Build the state machine model and prove the equivalence!

=T0[0]((T1[1]T3[?;?])&(T2[2]T4[?;?]))T5[0]T6[0]= T0(0)(T1(2)T3(4;10) & T2(3)T4(6;12))T5[0] T6[0]=
= T0(0) T5(6+;12+) T6[0]
T6(6++; 12++)

[Figure: state notation StateName with entry/EntryAction1, do/DoAction1, exit/ExitAction1]
Asynchronous approach - Deadlock with variable timing

1=T0[0](T1(1)T3(1+)T5(3)T7(6+)&T2(6+)T4(6++)T6(8)T8(10+))T9[0]T11[0]
NO Deadlock
2=T0[0]((T1(1)T3(1+)T5(5?))&(T2(4)T4(4+) ))T9[0]T11[0] Deadlock
Conclusion: Sometimes the program is deadlocked and sometimes it is not.



Constraints specification and verification
- Monoprocessor system
- two threads implementations
- timesharing
- equal priorities
- variable durations
Period timing constraint is 12 t.u.
Can it be met?

1=T0[0+](T1(3)T3(7;13) &T2(2)T4(7;13))T5(7+;13+)T6[3]T7[0]
T0(10++;16++) ....
Conclusion: Sometimes YES and sometimes NO.
Answer: NO for real-time systems.
IF periodConstraint=17 YES
Homework: Get an implementation such that the period is always 18 t.u.
How can this be programmed using the Java language?
Output arc of transition

Build the state machine model and prove the equivalence!



1. Time division based execution = Time sharing = time slicing
Let be the time slice duration.

M(P5)

Build the state machine model and prove the equivalence!



P5 represents the processor occupation by the two threads.
P4 and P6 represent the execution of the main (relevant) activities of the two threads. So, the
timing T4 and T5 respectively must be extended when the processor is used simultaneously by
the two threads because the processor time is divided (considered here equally) between the
threads.
What are the periods of thread executions?
What is the processor loading?



Assumption a: If more than one thread is executable simultaneously, the
processor time is divided equally between the threads.

If two or more transitions are executed simultaneously, the place P5 is loaded with a number of tokens equal to the number of threads. The transition execution semantics is changed!

1 2
U
The processor loading is given by formula: 10 1 15 2



Assumption b: If more threads are simultaneously executable, they get execution times proportional to their priority (represented by a natural number).

Example: Thread1 has the priority 3 and Thread2 has the priority 5. The time slice durations fulfill:
1 2

3 5 1

How can 1 and 2 be calculated in this case?

How can the processor loading be calculated in this case? Is it different from the
previous case?



2. Single thread based execution
Assumption a: When a thread has started its execution, another one cannot start its execution. Mutual exclusion! The processor is a resource!

[Figure: state notation StateName with entry/EntryAction1, do/DoAction1, exit/ExitAction1]



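double w = Math.random();        // uniform in [0.0, 1.0)
int x = (int) (2 + 4 * 10 * w);  // random duration between 2 and 41 t.u.
wait(x);                         // wait for x time units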

Build the state machine model and prove the equivalence!

Semaphore
+permits: int
+acquire()
+release()



When a thread starts its execution it blocks the starting of another thread execution.
How can the thread periods be calculated? Are they fixed?

What are the thread periods in the next PN? Can they be calculated?

Homework: Construct a TPN with the fixed periods of the corresponding threads.



Build the state machine model and prove the equivalence!



Assumption b: The operating system works with preemption. When a higher priority thread becomes executable, it preempts the processor (if this is necessary) from a lower priority thread currently in execution.
Let be the moment at which the transition t is chosen to be executed.
It must fulfill the constraint a b (in a strong firing model). The transition t
is executed at (+) and it changes the net state from the marking M to marking M
(denoted by M [t> M) in an instantaneous and atomic process with two phases:

The transition execution semantics is changed!


How can this be described?



Build the state machine model and prove the equivalence!
- priorities!
- pre-emption!

[Figure: Petri net with Thread1, Thread2 and Thread3; time intervals [3;4], [4;5], [4;5]]



Conclusions
1) Any kind of PN can be transformed into a set of communicating state machines
2) Any set of communicating state machines can be transformed into a PN
3) Any kind of PN can be implemented by a set of communicating tasks
4) Any set of communicating tasks can be transformed into a kind of PN
5) Any set of communicating tasks can be verified using a kind of PN
6) Any multitasking program can be verified using a kind of PN

A drawback is the dimension of PN to be analyzed.


