Professional Documents
Culture Documents
Synthesis of Embedded Software Using Free-Choice Petri Nets
Synthesis of Embedded Software Using Free-Choice Petri Nets
Synthesis of Embedded Software Using Free-Choice Petri Nets
_
Flow (BDF) networks model and proposed an algorithm to com- The paper is organized as follows. In Section 2 we shortly
pute a quasi-static schedule. However, the problem of scheduling describe the PN model and the notion of cyclic schedules. In
BDF with bounded memory is undecidable, i.e. any algorithm may Section 3 we define the QSS problem for FCPNs and present an
fail to find a schedule even if the BDF is schedulable. Hence, the al- algorithm to find a solution, if there exists one. Then, we describe
gorithm proposed by Buck can find a solution only in special cases. how to generate a C program in Section 4. Section 5 presents an
Thoen et al. [3] proposed a technique to exploit static information application (ATM Server) and experimental results.
in the specification and extract from a constraint graph description
of the system statically schedulable clusters of threads. The limit
of this approach is that it does not rely on a formal model and does
2 Preliminaries
not address the problem of checking whether a given specification Petri Nets A Petri Net is a triple (P; T; F ), where P is a non-
is schedulable. Lin [6] proposed an algorithm that generates a soft- empty finite set of places, T a non-empty finite set of transitions and
ware program from a concurrent process specification through an F : (T P ) [ (P T ) ! IN the weighted flow relation between
intermediate Petri-Nets representation. This approach is based on transitions and places. A Petri Net graph is a representation of a
the strong assumption that the Petri Net is safe, i.e. buffers can Petri Net as a bipartite weighted directed graph. If F (x;y) > 0,
store at most one data unit. This on one side guarantees termi- there is an arc with weight F (x; y) from node x to node y. [9]
nation of the algorithm, on the other side it makes impossible to Given a node x, either a place or a transition, its preset is defined as
handle multirate specifications, like FFT computations and down- x = y (y; x) F and its postset as x = y (x;y) F . For
fj 2 g fj 2 g
sampling. Safeness implies that the model is always schedulable a node y, Pre[X;y] is a vector whose i-th component is equal to
and therefore also Lin’s method does not address the problem of
verifying schedulability of the specification. Moreover, safeness
F (xi ; y). A transition (place) whose preset is empty is called source
transition (place), a transition (place) whose postset is empty is
excludes the possibility to use Petri Nets where source and sink called sink transition (place). A place p such that p > 1 is called
j j
transitions model the interaction with the environment. This makes choice or conflict. If p > 1, p is called merge. Two transitions
j j
impossible to specify inputs with independent rate 1 . t and t0 of a net N are said to be in Equal Conflict Relation if
In this paper we propose a new approach to software synthesis. Pre[P;t] = Pre[P; t0 ] = 0 [4]. A marking is an n-vector
6
Our algorithm takes as input a Petri Nets (PN) model of the system j j
= (1 ; 2 ; :::;n ) where n = P and i is the non-negative
and produces as output a software implementation consisting of number of tokens in place pi . A transition t such that each input
a set of software tasks that are invoked at run-time by the Real- place pi is marked with at least F (pi ; t) tokens is enabled and may
Time Operating System (RTOS). Here, we address the problem fire. When transition t fires, F (pi ; t) tokens are removed from each
of identifying tasks and synthesizing the code for each of them, input place pi and F (t; pj ) tokens are produced in each output place
while RTOS issues like dynamic scheduling of tasks are out of the
scope of this work. To identify tasks and synthesize the code for
pj . The following properties, that are decidable for any Petri Net
(PN), are relevant in our discussion [9]. Reachability: a marking
each task we consider only the part of the specification including 0 is reachable from a marking if there 0exists a firing sequence
data computation and data-dependent control and we compute a starting at marking and finishing at . Boundedness: a PN
quasi-static schedule. is said to be k-bounded if the number of tokens in every place of a
We have chosen PNs as underlying formal model, because reachable marking does not exceed a finite number k. A safe PN is
they allow to express concurrency, non-deterministic choice, syn- one that is 1-bounded. Deadlock-freedom: a PN is deadlock-free
chronization and causality and because most properties, including if, no matter what marking has been reached, it is possible to fire at
schedulability, are decidable for PNs. We represent data compu- least one transition of the net. Liveness: a PN is live if for every
tations using a type of nodes (transitions) and non-FIFO channels reachable marking and every transition t it is possible to reach a
between computation units using another type of nodes (places). marking that enables t.
Data-dependent control is modeled by places, called choices, with The following are some of the most common subclasses of PNs.
multiple output transitions, one for each possible resolution of the Marked Graph: a PN such that each place p has at most one
control. Data are modeled as tokens passed by transitions through input transition and one output transition. Conflict Free Net: a
places. In particular, we use a sub-class of PNs called Free-Choice PN such that each place p has at most one output transition. Free
(FCPNs), because they exhibit clear distinction between the notions Choice Net: a PN such that every arc from a place is either a unique
of concurrency and choice. Hence they are appropriate to model outgoing arc or a unique incoming arc to a transition.
computations in which the outcome of a choice depends on the Marked Graphs can represent concurrency and synchronization
value rather than on the arrival time of a token. but not conflict. Free Choice Nets allow one to model both conflict
In this paper we introduce the notion of schedulability for and synchronization, under the condition that every transition that
FCPNs. Informally, a FCPN is quasi-statically schedulable if for is successor of a choice has exactly one predecessor place. This
every possible resolution of the control at the choice places, there implies that whenever an output transition of a place is enabled, all
exists a cyclic finite sequence that returns the tokens of the net to the output transitions of that place are enabled (figure 1a)). There-
their initial places. The existence of cyclic sequences is required fore, Free Choice Nets model data-dependent control by abstracting
because it ensures that the number of data tokens that accumulate if-then-else control decisions as non-deterministic choices, but they
in any place is bounded even for infinite execution. We present can not model external conditions or multiple rendezvous. The PN
an algorithm that first checks schedulability of the net to verify the shown in figure 1b) is not a Free Choice Net, because there exists a
correctness of the specification. If the net is not schedulable, the marking in which transition t3 is enabled and transition t2 is not.
designer is notified that there exists no implementation that can be
executed forever with bounded memory. If the net is schedulable,
the algorithm computes a quasi-static schedule by decomposing Cyclic schedules Synchronous Dataflow (SDF) [1] networks are
the net into statically schedulable components. Then, it derives a a special case of Petri Nets, since they can be mapped into Marked
software implementation by traversing the schedule and replacing Graphs where actors are transitions and arcs places. The approach
transitions with the corresponding code. proposed by Lee [1] to find a static schedule for an SDF graph is
based on the notion of finite complete cycle. Given a Marked Graph
1
Two inputs have independent rate if their rates are not rationally related. An and an initial marking, or equivalently a SDF graph and an initial
example of inputs with independent rate are the input keys from a keyboard. Instead, configuration of tokens, a finite complete cycle is a sequence of
two streams of PCM samples for stereo audio are inputs with dependent rate.
transition firings that returns the net to its initial marking. If such
t1 t1 t2 t2 p2
t2 p2 t4
t1 t4
t1 p1 p1
t1
t2 t3 t3 p3 t5 t3 p3
a) b) f(s) = (2,1,1,1) valid
f(s) = a(1,1,0,1,0) + b(1,0,1,0,1)
f(s) = (2,2,0,1) unbounded
Figure 1: Free Choice Net(a), not Free Choice Net(b) a , b = 0 , 1 , 2 ...
f(s) = (2,0,2,1) unbounded
a) b)
2 2
f ( σ ) = ( 4 , 2 , 1 )T
s.t. i and l are identical up to the (j-1)th transition and have
σ =t1t1t1t1t2t2t3 σ =t1t1t1t1t2t2t3 respectively ij and tk at the j-th position in the sequence.
(0,0 ) (0,0) (0,0) ...
Definition 3.2 Given an FCPN N and an initial marking 0 , the
Figure 2: Cyclic schedule pair (N,0 ) is (quasi-statically) schedulable, if there exists a valid
schedule.
a finite complete cycle exists the number of tokens that can accu- This definition of schedulability extends to non-static Data Flow
mulate in any place of the net during the execution is bounded and networks the concept of SDF scheduling given in Section 2. If the
the net can be executed forever with bounded memory by repeating net contains non-deterministic choices that model data dependent
infinitely many times this sequence of transition firings (figure 2). structures like if-then-else or while-do, a valid schedule is a set of
Therefore, in [1] a static schedule is a periodic sequence of transi- finite complete cycles, one for every resolution of non-deterministic
tions and the period is a finite complete cycle. choices. A valid schedule must contain a finite complete cycle for
To find a finite complete cycle , one must first solve the every possible outcome of a choice because the value of the control
state equations [9] f ()T D = 0. A solution f (), called T-
tokens is unknown at compile time when the valid schedule is
invariant [9], is a vector whose i-th component fi () is the number computed.
of times that transition ti appears in sequence . Schedulability implies the existence of at least one valid sched-
Definition 2.1 A Petri Net is consistent iff f () > 0 s.t. f ()T
9
ule that ensures that there is no unbounded accumulation of tokens
in any place. This property is different from k-boundedness, that
D = 0. implies that for all the reachable markings, the number of tokens in
The existence of a T-invariant is a necessary, but not sufficient any place does not exceed a certain number k.
condition for a finite complete cycle to exist: deadlock can still We can also consider the scheduling problem as a game played
occur if there are not enough tokens to fire any transition. There- against an adversary who can arbitrarily choose among conflicting
fore, once a T-invariant f () is obtained, it is necessary to verify transitions and has the goal of accumulating infinitely many tokens
by simulation that there exists a sequence i that contains transition in any place of the net. Then, our objective is to find a non-
tj as many times as fj () and such that the net does not deadlock terminating bounded memory execution by matching his choices
during execution. Such a sequence i , if it exists, is a finite com- with a cyclic schedule that returns the net to the initial marking.
plete cycle. Lee [1] has shown that it is sufficient to simulate the f g
Given the net in figure 3a, Σ = (t1 t2 t4 ); (t1 t3 t5 ) is a valid
firing sequences corresponding to the minimal vector in the one- schedule because for every solution of the conflict between transi-
dimensional T-invariant space. This approach is not adequate for tions t2 and t3 , it is possible to complete a cycle that returns the
larger classes of Petri Nets that contain non-deterministic choices net to the initial marking by firing t4 after t2 or t5 after t3 . Instead,
[8]. The rest of this paper is devoted to the solution of the scheduling the net shown in figure 3b is not schedulable because there exists
problem for Free Choice Nets. no finite complete cycle if the conflict is always solved choosing t2
(t3 ). In fact, if the token values in p1 are such that t2 (t3 ) is always
3 Quasi-static Scheduling of FCPN fired, unbounded accumulation of tokens occurs in place p2 (p3 ).
The net shown in figure 4 is schedulable and
Denition of schedulability Let Σ = f1 ; 2:::g be a non- f g
Σ = (t1 t2 t1 t2 t4 )(t1 t3 t5 t5 ) is a valid schedule. The weight two
empty finite set of finite firing sequences such that for all i 2 Σ, on the input arc of transition t4 implies that t2 has to fire twice
i is a finite complete cycle and contains at least one occurrence before transition t4 is enabled. However, there is no guarantee that
of each source transition of the net. Let ij be the j-th transition in
this happens within a cycle because it is not possible to know a
priori which transition among t2 and t3 fires. So, if transitions
sequence i = (i1 i2 :::ij,1 ij ij+1 :::i i ) and Θ be the charac-
N
teristic function of the Equal Conflict Relation, i.e. Θ(t;t0 ) = 1 iff
t1t2 t1t3 t5t5 fire in this order, one token remains in place p2 and the
t and t0 are in Equal Conflict Relation.
net does not return to the initial marking. The net is considered
schedulable because repeated executions of this sequence do not
Definition 3.1 The set Σ is a valid schedule if 8i 2 Σ; 8ij 2 i
result in unbounded accumulation of tokens (as soon as there are
two tokens in place p2 , transition t4 is fired and the tokens are
s.t. ij 6= ih 8h < j , 8tk 2 T s.t. tk 6= ij and Θ(tk ; ij ) = 1, consumed).
9l 2 Σ ms.t. m This shows that a valid schedule does not necessarily include all
(1) l = i ; 8m j , 1 the possible cyclic firing sequences, some even of infinite length,
(2) lm = tk , m=j that can occur depending on the resolution of the non-deterministic
choices (in this case the set would be t1t3 t5 t5 ; t1 t2 (t1 t3 t5 t5 )n t1 t2 t4 ;
f
This definition informally means that for each sequence i that 8 2 [ f1g
n IN
includes a conflict transition ij , for each transition tk that is in
). A valid schedule should be intended only as a
complete set of cyclic firing sequences that ensure bounded mem-
Equal Conflict Relation with ij , there exists another sequence l ory execution of the net. The set is complete in the sense that it is
t2 p2 t4
2 a set of subnets generated from the image of the T-allocation using
t1 p1 the Reduction Algorithm.
p6
a) Algorithm (modified from [7]; for further details see [8]).
p7
Ri = N (TR = T , PR = P , FR = F ).
t8 t9
A1={t1,t2,t4,t5,t6,t7,t8,t9}
t2 p2 t4 p4 t6
1. i i i
R1
p1
2. i = i
(a) Remove tk .
t1
( t s s.t. t TRi ).
9 2 2
t1
t3 p3 t5
2
p6
ii. the successor transition of s has a predecessor
place that is different from s and is not a source
b)
How to nd a valid schedule To find a valid set of finite com- (d) Apply the previous two steps until they cannot be applied
any longer.
plete cycles the net is first decomposed into as many Conflict Free
(CF) components as the number of possible solutions for the non-
Step 2. Check if every CF component is statically schedulable
deterministic choices. Then, each component is statically sched-
uled. If every component is schedulable, a valid schedule is a set of Definition 3.5 A T-reduction Ri is schedulable if (1)it is consis-
finite complete cycles, one for each CF component. If at least one tent, (2)for each source transition ts in N , it has a T-invariant
of the CF components is not schedulable, the net itself is said to be containing ts , (3)there exists a firing sequence that returns Ri to
not schedulable. the initial marking without any deadlock when its execution is sim-
A similar approach, called MG decomposition, has been used ulated (generalization of [1]).
by Hack [7] to check liveness and safeness of strongly connected or-
dinary FCPNs. More recently, Teruel [4] has extended to weighted A T-reduction Ri is a schedulable CF component if it has a
nets a theorem that is used to check whether a given strongly con- finite complete cycle that contains at least one occurrence of every
nected net is bounded. However, in the domain of embedded re- source transition of the net and returns Ri to the initial marking.
active systems most applications usually have lots of interactions Conflict Free nets do not contain any non-deterministic choice and
with the environment, that are naturally modeled as source and sink therefore, to check if there exists a static schedule, it is possible to
transitions. As a result, nets modeling embedded systems are not apply the standard techniques for SDF described in Section 2.
strongly connected. Moreover, as we outlined in the previous sec-
tion, boundedness is a too restrictive property for our objective. For Step 3. Derive a valid schedule, if there exists one
this reason we modify Hack’s MG decomposition algorithm and The following theorem states that schedulability of each T-
apply it to the class of FCPNs that have source and sink transitions. reduction is a necessary and sufficient condition for the existence of
Step 1. Decompose the net into Conflict Free (CF) components a valid set of finite complete cycles. A net is schedulable if for all its
T-reductions, each of them corresponding to a sequence of choices,
Definition 3.3 A T-allocation over a FCPN N is a function : there exist a firing sequence containing at least one occurrence of
!
P T that chooses exactly one among the successors of each every transition of the reduction. This means that a schedulable
place ( p P(p) p ).
8 2 2 net, if there is no deadlock during execution of the cyclic schedules,
can be executed forever with bounded memory, because for every
Definition 3.4 The T-reduction associated with a T-allocation is resolution of the choices there is always the possibility to complete
t8 p7 t9 t8 p7 t9 t2 p2 t4 p4
p1 t6
t2 p2 t4 p4 t6 t2 p2 t4 p4 t6
p1 2 2 p1 2 2 p5
p5 t7 p5 t7 t1
2 2
t1 t1 t3 p3 t7
t5
p3 t5 2 t5 2
p6 p6 p6
t8 p7 t9 t8 p7 t9 t4
t2 p2 p4
p1 t6
t2 p2 t4 p4 t6 t2 p2 t4 p4 t6 R1 p5
p1 2 2 p1 2 2
t1
p5 t7 t7
t1 t1 p4
p1 t6
R2 p5
p6
Step 4) Remove p5, p6 t1
Step 3) Remove t5 t7
t3 p3 t5
t8 p7 t9
p6
t2 p2 t4 p4 t6
2 2 b)
p1
t1
Figure 7: Non-schedulable FCPN
Step 5) Remove t7
f g
Σ = (t1 t2 t1 t2 t4 )(t1 t3 t5 t5 ) . CELL
f
MSD Cell_emission_time
while (true)
t1 ; ARBITER
WFQ
f
TICK
if (p1 )
COUNTER SCHEDULING
t2 ; count(p2 )++;
CELL
Cell_emission EXTRACT Emit_cell
f
if (count(p2 ) == 2)
g
t4 ; count(p2 )-=2;
g elsef Figure 8: ATM Server example
t3 ; count(p3 )+=2;
f
while (count(p3 ) 1) the FCPN. We have presented an algorithm that first checks schedu-
ggg
t5 ; count(p3 )- -; lability of the net and then, if the net is schedulable, computes a
valid schedule, composed of as many cyclic firing sequences as
5 Experimental Results the number of possible resolution of the non-deterministic choices.
In the future it could also allow one to explore different sched-
We applied our algorithm to synthesize a software implementation ules, evaluating tradeoffs between code and buffer size. Finally,
of a real life embedded system: an ATM Server for Virtual Pri- we have described the application of our technique to a real case
vate Networks [2]. The main functionalities of the Server are (1) study and presented experimental results that clearly show that per-
a message discarding technique (MSD) that avoids node conges- formances can be improved using our approach. The advantages of
tion and (2) a bandwidth control policy based on a Weighted Fair using our technique can be shortly outlined as follows. (1) Quasi-
Queueing (WFQ) scheduling discipline. Figure 8 gives a high-level Static Scheduling, if compared to dynamic scheduling, minimizes
description of the algorithm. The inputs of the system are Cell, an the execution runtime overhead since it maximizes the amount of
interrupt that occurs at irregular times when a non-empty cell enters work done at compile time. (2) The model of computation is
the Server and Tick, an event that periodically triggers the process of FCPNs, where schedulability is decidable. Differently from other
forwarding the next outgoing cell to the output port. Therefore, Cell algorithms applied to models (like BDF) that are undecidable, our
and Tick are inputs with independent firing rate. The module MSD algorithm is complete, in that it can solve the scheduling problem
decides whether an incoming cell must be accepted and the module for any PN that is quasi-statically schedulable. (3) Schedulability
CELL EXTRACT selects, every cell slot, which cell must be emit- of the specification is checked before the code is synthesized, dif-
ted among those stored in the internal buffer. WFQ SCHEDULING ferently from most existing approaches that assume schedulability
may be activated either by MSD or by CELL EXTRACT and com- a priori. (4) System functions with the same execution rate are au-
putes the cell emission time. We have chosen this example because tomatically partitioned into a minimum number of concurrent tasks
it implements a data-dominated algorithm containing several data- that are invoked at runtime by the RTOS.
dependent control structures. We modeled the algorithm using a
FCPN containing 49 transitions and 41 places, of which 11 non- References
deterministic choices [8]. From the FCPN model we could derive
a valid schedule containing 120 finite complete cycles, one for each [1] E.A.Lee and D.G.Messerschmitt. Static scheduling of syn-
different T-reduction, and from the valid schedule we obtained a chronous dataflow programs for digital signal processing. IEEE
software implementation composed of two tasks, one for each input Transactions on computers, January 1987.
with independent firing rate. In table I we compare two software
[2] E.Filippi et al. Intellectual property re-use in embedded system
co-design: an industrial case study. In International Symposium
Sw implementation QSS Functional task partitioning System Synthesis, December 1998.
Number of tasks 2 5
[3] F. Thoen et al. Real-time multi-tasking in software synthe-
Lines of C code 1664 2187 sis for information processing systems. In Proceedings of the
Clock cycles 197526 249726 International System Synthesis Symposium, 1995.
Table I [4] E.Teruel. Structure theory of Weighted Place/Transition Net
systems. The Equal Conflict hiatus. Ph.D dissertation. Univer-
implementations: the first, named QSS, was obtained using our sidad de Zaragoza, 1994.
Quasi-Static Scheduling technique presented in this paper and con-
sists of two tasks, the second, named functional task partitioning, [5] J.Buck. Scheduling dynamic dataflow graphs with bounded
consists of five tasks and was obtained by synthesizing separately memory using the token flow model. Ph.D dissertation. UC
one tasks for each of the five modules shown in figure 8. The results, Berkeley, 1993.
obtained using a testbench of 50 ATM cells, show that the number
[6] B. Lin. Software synthesis of process-based concurrent pro-
of clock cycles and the code size are significantly smaller for the
grams. In Proceedings of the Design Automation Conference,
QSS implementation that is composed of a smaller number of tasks
June 1998.
and therefore has a smaller overhead due to tasks activation.
[7] M.Hack. Analysis of Production Schemata by Petri Nets. Master
6 Conclusions thesis. MIT, 1972.
[8] M. Sgroi. Quasi-static scheduling of embedded software using
In this paper we have proposed a software synthesis technique based free-choice petri nets. Technical Report Memo No. UCB/ERL
on quasi-static scheduling of Free Choice Petri Nets. The input of M98/, M.S. dissertation. UC Berkeley, May 1998.
our tool is a FCPN model of the system to be designed, the output is
a software implementation in C code composed of a number of tasks [9] T.Murata. Petri nets: properties, analysis and applications. In
that are invoked at runtime by the RTOS. The C code implemen- Proceedings of the IEEE, April 1989.
tation of each task is synthesized directly from a valid schedule of