![Page 1: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/1.jpg)
Soundness of the Quasi-Synchronous Abstraction
Guillaume Baudart Timothy Bourke Marc Pouzet
École normale supérieure, INRIA Paris, UPMC
FMCAD’16 Mountain View, 06-10-2016
![Page 2: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/2.jpg)
switch
Distributed Embedded SystemsDistributed controllers for critical embedded systems
2
Actuators
Sensors
Sensors
Transfer Switch
Example from [Miller et al. 2015]
FGS
FGS
cmd1
cmd2
sensor1
sensor2
cmd
Example: Flight Control SystemGenerate pitch and roll guidance commands
![Page 3: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/3.jpg)
switch
Distributed Embedded SystemsDistributed controllers for critical embedded systems
2
Actuators
Sensors
Sensors
Transfer Switch
Example from [Miller et al. 2015]
FGS
FGS
cmd1
cmd2
sensor1
sensor2
cmd
Two redundant Flight Guidance Systems Only one active side (pilot side)
Example: Flight Control SystemGenerate pitch and roll guidance commands
![Page 4: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/4.jpg)
switch
Distributed Embedded SystemsDistributed controllers for critical embedded systems
2
Actuators
Sensors
Sensors
Transfer Switch
Example from [Miller et al. 2015]
FGS
FGS
cmd1
cmd2
sensor1
sensor2
cmd
Two redundant Flight Guidance Systems Only one active side (pilot side)
Crew can switch from one to the other
Example: Flight Control SystemGenerate pitch and roll guidance commands
![Page 5: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/5.jpg)
switch
Distributed Embedded SystemsDistributed controllers for critical embedded systems
2
Actuators
Sensors
Sensors
Transfer Switch
Example from [Miller et al. 2015]
FGS
FGS
cmd1
cmd2
sensor1
sensor2
cmd
Two redundant Flight Guidance Systems Only one active side (pilot side)
Crew can switch from one to the other
Example: Flight Control SystemGenerate pitch and roll guidance commands
![Page 6: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/6.jpg)
switch
Distributed Embedded SystemsDistributed controllers for critical embedded systems
2
Actuators
Sensors
Sensors
Transfer Switch
Example from [Miller et al. 2015]
FGS
FGS
cmd1
cmd2
sensor1
sensor2
cmd
Two redundant Flight Guidance Systems Only one active side (pilot side)
Crew can switch from one to the other
Example: Flight Control SystemGenerate pitch and roll guidance commands
The two modules must share their state to avoid control glitch
![Page 7: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/7.jpg)
switch
Distributed Embedded SystemsDistributed controllers for critical embedded systems
2
Actuators
Sensors
Sensors
Transfer Switch
Example from [Miller et al. 2015]
FGS
FGS
cmd1
cmd2
sensor1
sensor2
cmd
Two redundant Flight Guidance Systems Only one active side (pilot side)
Crew can switch from one to the other
Example: Flight Control SystemGenerate pitch and roll guidance commands
Run embedded application...
The two modules must share their state to avoid control glitch
![Page 8: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/8.jpg)
switch
Distributed Embedded SystemsDistributed controllers for critical embedded systems
2
Actuators
Sensors
Sensors
Transfer Switch
Example from [Miller et al. 2015]
FGS
FGS
cmd1
cmd2
sensor1
sensor2
cmd
Two redundant Flight Guidance Systems Only one active side (pilot side)
Crew can switch from one to the other
Example: Flight Control SystemGenerate pitch and roll guidance commands
Run embedded application......on distributed architectures
The two modules must share their state to avoid control glitch
![Page 9: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/9.jpg)
A B
• For each process: known bounds for the time between two activations. clock activations
• Buffered communication without message inversion or loss
• Bounded communication delay CD
0 ≤ τmin ≤ τ ≤ τmax
0 ≤ Tmin ≤ κi − κi−1 ≤ Tmax
(κi)i∈N
For each process, activations are triggered by a local clock Execution: infinite sequence of activations
Synchronous Real-Time Model
3
![Page 10: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/10.jpg)
A B
• For each process: known bounds for the time between two activations. clock activations
• Buffered communication without message inversion or loss
• Bounded communication delay CD
0 ≤ τmin ≤ τ ≤ τmax
0 ≤ Tmin ≤ κi − κi−1 ≤ Tmax
(κi)i∈N
For each process, activations are triggered by a local clock Execution: infinite sequence of activations
Synchronous Real-Time Model
3
![Page 11: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/11.jpg)
A B
• For each process: known bounds for the time between two activations. clock activations
• Buffered communication without message inversion or loss
• Bounded communication delay CD
0 ≤ τmin ≤ τ ≤ τmax
0 ≤ Tmin ≤ κi − κi−1 ≤ Tmax
(κi)i∈N
For each process, activations are triggered by a local clock Execution: infinite sequence of activations
Synchronous Real-Time Model
3
![Page 12: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/12.jpg)
A B
• For each process: known bounds for the time between two activations. clock activations
• Buffered communication without message inversion or loss
• Bounded communication delay CD
0 ≤ τmin ≤ τ ≤ τmax
0 ≤ Tmin ≤ κi − κi−1 ≤ Tmax
(κi)i∈N
For each process, activations are triggered by a local clock Execution: infinite sequence of activations
Synchronous Real-Time Model
3
![Page 13: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/13.jpg)
A B
• For each process: known bounds for the time between two activations. clock activations
• Buffered communication without message inversion or loss
• Bounded communication delay CD
0 ≤ τmin ≤ τ ≤ τmax
0 ≤ Tmin ≤ κi − κi−1 ≤ Tmax
(κi)i∈N
For each process, activations are triggered by a local clock Execution: infinite sequence of activations
Synchronous Real-Time Model
3
![Page 14: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/14.jpg)
OverviewVERIMAGUNITE MIXTE DE RECHERCHE
Centre Equation2 avenue de Vignate38610 GIERESTel. +33 4 76 63 48 48Fax +33 4 76 63 48 50
Universite Joseph FourierCentre National de la Recherche Scientifique Institut National Polytechnique de Grenoble
4
Industrial practices observed at Airbus
[Caspi 2000]
![Page 15: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/15.jpg)
OverviewVERIMAGUNITE MIXTE DE RECHERCHE
Centre Equation2 avenue de Vignate38610 GIERESTel. +33 4 76 63 48 48Fax +33 4 76 63 48 50
Universite Joseph FourierCentre National de la Recherche Scientifique Institut National Polytechnique de Grenoble
Verification Verifying safety critical applications running on quasi-periodic architectures
Quasi-Synchronous Abstraction
4
Industrial practices observed at Airbus
[Caspi 2000]
![Page 16: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/16.jpg)
ACSD'06
OverviewVERIMAGUNITE MIXTE DE RECHERCHE
Centre Equation2 avenue de Vignate38610 GIERESTel. +33 4 76 63 48 48Fax +33 4 76 63 48 50
Universite Joseph FourierCentre National de la Recherche Scientifique Institut National Polytechnique de Grenoble
Verification Verifying safety critical applications running on quasi-periodic architectures
Quasi-Synchronous Abstraction
Verimag'08DASC'14
Memocode'14Memocode'15
Air Force'15
4
Industrial practices observed at Airbus
[Caspi 2000]
![Page 17: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/17.jpg)
ACSD'06
OverviewVERIMAGUNITE MIXTE DE RECHERCHE
Centre Equation2 avenue de Vignate38610 GIERESTel. +33 4 76 63 48 48Fax +33 4 76 63 48 50
Universite Joseph FourierCentre National de la Recherche Scientifique Institut National Polytechnique de Grenoble
Verification Verifying safety critical applications running on quasi-periodic architectures
Quasi-Synchronous Abstraction
Verimag'08DASC'14
Memocode'14Memocode'15
Air Force'15
4
Contributions
Abstraction is not sound in general
Give exact conditions of application
Industrial practices observed at Airbus
[Caspi 2000]
![Page 18: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/18.jpg)
Discrete-time Model (DT)
A B
TA TB
0 < Tmin ≤ TA, TB ≤ Tmax
0 < τmin ≤ τA, τB ≤ τmax
τA
τB
A
B
A B
Scheduler
cA cB
A
B
The Big Picture
Real-time Model (RT)
5
![Page 19: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/19.jpg)
Discrete-time Model (DT)
A B
TA TB
0 < Tmin ≤ TA, TB ≤ Tmax
0 < τmin ≤ τA, τB ≤ τmax
τA
τB
A
B
A B
Scheduler
cA cB
A
B
The Big Picture
Real-time Model (RT)
5
![Page 20: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/20.jpg)
Discrete-time Model (DT)
A B
TA TB
0 < Tmin ≤ TA, TB ≤ Tmax
0 < τmin ≤ τA, τB ≤ τmax
τA
τB
A
B
A B
Scheduler
cA cB
A
B
The Big Picture
Real-time Model (RT)
Soundness DT |= ϕ.l, RT |= ϕ
5
![Page 21: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/21.jpg)
Discrete-time Model (DT)
A B
TA TB
0 < Tmin ≤ TA, TB ≤ Tmax
0 < τmin ≤ τA, τB ≤ τmax
τA
τB
A
B
A B
Scheduler
cA cB
A
B
The Big Picture
Real-time Model (RT)
Soundness DT |= ϕ.l, RT |= ϕ
Why discretize? Verification in a simpler discrete-time model Use discrete-time model checking tools (Lesar-Verimag, Kind2-UIowa)
[Halbwachs et al 1992] [Hagen, Tinelli 2008]5
![Page 22: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/22.jpg)
Abstracting Real Time
6
![Page 23: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/23.jpg)
Abstracting Real TimeAbstracting execution time
6
![Page 24: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/24.jpg)
Abstracting Real TimeAbstracting execution time
τexec
τsend
6
![Page 25: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/25.jpg)
Abstracting Real TimeAbstracting execution time
τexec
τsend
τ = τexec + τsend
6
![Page 26: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/26.jpg)
Abstracting Real TimeAbstracting execution time
6
![Page 27: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/27.jpg)
7
Abstracting Real TimeAbstracting execution time
![Page 28: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/28.jpg)
Abstracting communication
7
Abstracting Real TimeAbstracting execution time
![Page 29: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/29.jpg)
Abstracting communication
7
Abstracting Real TimeAbstracting execution time
![Page 30: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/30.jpg)
Abstracting communication
7
Abstracting Real TimeAbstracting execution time
![Page 31: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/31.jpg)
Abstracting communicationProblems: • Lots of possible interleavings • Too general
7
Abstracting Real TimeAbstracting execution time
![Page 32: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/32.jpg)
Abstracting communicationProblems: • Lots of possible interleavings • Too general
Can we do better using real-time assumptions?
7
Abstracting Real TimeAbstracting execution time
![Page 33: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/33.jpg)
The Quasi-Synchronous Abstraction
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
8
![Page 34: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/34.jpg)
The Quasi-Synchronous Abstraction
Reduce the state-space in two ways:
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
8
![Page 35: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/35.jpg)
The Quasi-Synchronous Abstraction
Reduce the state-space in two ways:
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
1. Transmissions as unit delays (one step of the logical clock)
8
![Page 36: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/36.jpg)
The Quasi-Synchronous Abstraction
Reduce the state-space in two ways:
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
1. Transmissions as unit delays (one step of the logical clock)
8
![Page 37: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/37.jpg)
The Quasi-Synchronous Abstraction
Reduce the state-space in two ways:
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
1. Transmissions as unit delays (one step of the logical clock)
8
![Page 38: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/38.jpg)
The Quasi-Synchronous Abstraction
Reduce the state-space in two ways:
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
1. Transmissions as unit delays (one step of the logical clock)
8
Replace transmission with precedence
![Page 39: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/39.jpg)
The Quasi-Synchronous Abstraction
Reduce the state-space in two ways:
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
1. Transmissions as unit delays (one step of the logical clock) A process is at most twice as fast as another
2. Limit activations interleavings
8
Replace transmission with precedence
![Page 40: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/40.jpg)
The Quasi-Synchronous Abstraction
Reduce the state-space in two ways:
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Focus on 'almost' synchronous architectures with fast transmissions
1. Transmissions as unit delays (one step of the logical clock) A process is at most twice as fast as another
2. Limit activations interleavings
8
Replace transmission with precedence
Is this abstraction sound?
![Page 41: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/41.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 42: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/42.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 43: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/43.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 44: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/44.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 45: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/45.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 46: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/46.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 47: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/47.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 48: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/48.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 49: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/49.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 50: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/50.jpg)
Unitary Discretization
τmax
τmax
τmax
Theorem: A real-time model with more than two processes is, in general, not unitary discretizable.
Always possible if transmissions are not instantaneous
9
Some traces are not captured by the discrete abstraction
Definition: A trace is unitary discretizable if there exist a discretization where transmission can be modeled as unit-delays
![Page 51: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/51.jpg)
Trace Graph
10
x 1−→ y =⇒ f(x) < f(y) x 0
−→ y =⇒ f(x) ≤ f(y)
x
y
x
y
Gather all contraints on the unitary discretization f in a weighted graph
After reception Before reception
![Page 52: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/52.jpg)
Trace Graph
10
x 1−→ y =⇒ f(x) < f(y) x 0
−→ y =⇒ f(x) ≤ f(y)
x
y
x
y
Gather all contraints on the unitary discretization f in a weighted graph
After reception Before reception
Lemma: A trace is unitary discretizable if and only if there is no cycle of positive weight in the associated trace graph.
Definition: A real-time model is unitary discretizable if all possible traces are unitary discretizable.
![Page 53: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/53.jpg)
Trace Graph
10
x 1−→ y =⇒ f(x) < f(y) x 0
−→ y =⇒ f(x) ≤ f(y)
x
y
x
y
Gather all contraints on the unitary discretization f in a weighted graph
After reception Before reception
Lemma: A trace is unitary discretizable if and only if there is no cycle of positive weight in the associated trace graph. τmax
τmax
τmaxDefinition: A real-time model is unitary discretizable if all possible traces are unitary discretizable.
![Page 54: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/54.jpg)
Trace Graph
10
x 1−→ y =⇒ f(x) < f(y) x 0
−→ y =⇒ f(x) ≤ f(y)
x
y
x
y
Gather all contraints on the unitary discretization f in a weighted graph
After reception Before reception
Lemma: A trace is unitary discretizable if and only if there is no cycle of positive weight in the associated trace graph. τmax
τmax
τmax
1
Definition: A real-time model is unitary discretizable if all possible traces are unitary discretizable.
![Page 55: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/55.jpg)
Trace Graph
10
x 1−→ y =⇒ f(x) < f(y) x 0
−→ y =⇒ f(x) ≤ f(y)
x
y
x
y
Gather all contraints on the unitary discretization f in a weighted graph
After reception Before reception
Lemma: A trace is unitary discretizable if and only if there is no cycle of positive weight in the associated trace graph. τmax
τmax
τmax
1
0Definition: A real-time model is unitary discretizable if all possible traces are unitary discretizable.
![Page 56: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/56.jpg)
Trace Graph
10
x 1−→ y =⇒ f(x) < f(y) x 0
−→ y =⇒ f(x) ≤ f(y)
x
y
x
y
Gather all contraints on the unitary discretization f in a weighted graph
After reception Before reception
Lemma: A trace is unitary discretizable if and only if there is no cycle of positive weight in the associated trace graph. τmax
τmax
τmax
1
0
0Definition: A real-time model is unitary discretizable if all possible traces are unitary discretizable.
![Page 57: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/57.jpg)
Recovering Soundness
11
A B
D C
A B
C
A B
D C
Forbidden topologies in the static communication graph
u-cycle balanced u-cyclecycle
![Page 58: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/58.jpg)
Recovering Soundness
11
A B
D C
A B
C
A B
D C
Forbidden topologies in the static communication graph
u-cycle balanced u-cyclecycle
![Page 59: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/59.jpg)
Recovering Soundness
11
A B
D C
A B
C
A B
D C
Forbidden topologies in the static communication graph
u-cycle balanced u-cyclecycle
can be allowed at the cost of additional timing constraints
![Page 60: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/60.jpg)
Recovering Soundness
11
A B
D C
A B
C
A B
D C
Forbidden topologies in the static communication graph
u-cycle balanced u-cyclecycle
can be allowed at the cost of additional timing constraints
Theorem: A quasi-periodic architecture is unitary discretizable if and only if, in the communication graph
1. All u-cycles are cycles of balanced u-cycle, or , and 2. There is no balanced u-cycle, or , and 3. There is no cycle in the communication graph, or
Lc: size of the longest elementary cycle
τmin = τmax
Tmin ≥ Lcτmax
τmax = 0
![Page 61: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/61.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
Recovering Soundness
12
![Page 62: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/62.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
Recovering Soundness
12
![Page 63: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/63.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
Recovering Soundness
12
![Page 64: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/64.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
Recovering Soundness
12
![Page 65: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/65.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
τmin
Recovering Soundness
12
![Page 66: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/66.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
τmin
1
Recovering Soundness
12
![Page 67: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/67.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
τmin
τmin
1
Recovering Soundness
12
![Page 68: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/68.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
τmin
1
τmin
1
Recovering Soundness
12
![Page 69: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/69.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
⇒ ε = (
τmax
τmin
1
τmin
1
Recovering Soundness
12
![Page 70: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/70.jpg)
A
B
C
D
E
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
⇒ ε = (
τmax0
τmin
1
τmin
1
Recovering Soundness
12
![Page 71: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/71.jpg)
A
B
C
D
E
⇒ ε = (
τmax
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
⇒ ε = (
τmax0
τmin
1
τmin
1
Recovering Soundness
12
![Page 72: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/72.jpg)
A
B
C
D
E
⇒ ε = (
τmax
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
0
⇒ ε = (
τmax0
τmin
1
τmin
1
Recovering Soundness
12
![Page 73: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/73.jpg)
A
B
C
D
E
⇒ ε = (
τmax
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
τmax
⇒ ε = (
0
⇒ ε = (
τmax0
τmin
1
τmin
1
Recovering Soundness
12
![Page 74: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/74.jpg)
A
B
C
D
E
0
⇒ ε = (
τmax
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
τmax
⇒ ε = (
0
⇒ ε = (
τmax0
τmin
1
τmin
1
Recovering Soundness
12
![Page 75: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/75.jpg)
A
B
C
D
E
0
⇒ ε = (
τmax
Proof: If there is a u-cycle, construction of a counter-example
A
B
C
DE
Communications
q = 3: # p = 2: #
q > p =⇒ ε = (qτmax − pτmin)/q > 0
τmax
⇒ ε = (
We built a cycle of positive weight!
0
⇒ ε = (
τmax0
τmin
1
τmin
1
Recovering Soundness
12
![Page 76: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/76.jpg)
Proof: On the other hand, by contraposition,
Recovering Soundness
13
![Page 77: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/77.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
Recovering Soundness
13
![Page 78: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/78.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle
Recovering Soundness
13
![Page 79: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/79.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle balanced
balanced
Recovering Soundness
13
![Page 80: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/80.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle balanced
balanced
Recovering Soundness
13
+1 =⇒ τmax = 0
![Page 81: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/81.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle balanced
balanced
Condition
1.
Recovering Soundness
13
+1 =⇒ τmax = 0
![Page 82: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/82.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle balanced
balanced+1 =⇒ τmin < τmax
Condition
1.
Recovering Soundness
13
+1 =⇒ τmax = 0
![Page 83: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/83.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle balanced
balanced+1 =⇒ τmin < τmax
Condition
2.
Condition
1.
Recovering Soundness
13
+1 =⇒ τmax = 0
![Page 84: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/84.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle balanced
balanced
+1 =⇒ Tmin ≥ Lcτmax
+1 =⇒ τmin < τmax
Condition
2.
Condition
1.
Recovering Soundness
13
+1 =⇒ τmax = 0
![Page 85: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/85.jpg)
Proof: On the other hand, by contraposition,
PC/u-cycle
cycle
cycle balanced
balanced
Condition
3.+1 =⇒ Tmin ≥ Lcτmax
+1 =⇒ τmin < τmax
Condition
2.
Condition
1.
Recovering Soundness
13
+1 =⇒ τmax = 0
![Page 86: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/86.jpg)
A B C D
A
B
C
DE
F
A
B
C
DE
A
B
C
DE
A
B
C
DE
daisy chain: Tmin ≥ 2τmax
star: Tmin ≥ 2τmax
unidirectional ring: Tmin ≥ 5τmax
bidirectional ring: τmax = 0
fully connected: τmax = 0
Topology Examples
14
Communications of the application
![Page 87: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/87.jpg)
A B C D
A
B
C
DE
F
A
B
C
DE
A
B
C
DE
A
B
C
DE
daisy chain: Tmin ≥ 2τmax
star: Tmin ≥ 2τmax
unidirectional ring: Tmin ≥ 5τmax
bidirectional ring: τmax = 0
fully connected: τmax = 0
Require instantaneous communications
Topology Examples
14
Communications of the application
![Page 88: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/88.jpg)
Quasi-Synchronous Systems
15
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
For any node: 1. no more than 2 activations between 2 message receptions 2. no more than 2 message receptions between two activations
Condition 1. Condition 2.
![Page 89: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/89.jpg)
Quasi-Synchronous Systems
16
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Theorem: A real-time model is quasi-synchronous if and only if,
1. it is unitary discretizable 2. coucou2Tmin + τmin ≥ Tmax + τmax
![Page 90: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/90.jpg)
Quasi-Synchronous Systems
16
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Theorem: A real-time model is quasi-synchronous if and only if,
1. it is unitary discretizable 2. coucou2Tmin + τmin ≥ Tmax + τmax
Worst-case scenario
![Page 91: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/91.jpg)
Quasi-Synchronous Systems
16
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Theorem: A real-time model is quasi-synchronous if and only if,
1. it is unitary discretizable 2. coucou2Tmin + τmin ≥ Tmax + τmax
τmin
Worst-case scenario
![Page 92: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/92.jpg)
Quasi-Synchronous Systems
16
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Theorem: A real-time model is quasi-synchronous if and only if,
1. it is unitary discretizable 2. coucou2Tmin + τmin ≥ Tmax + τmax
Tmax
τmax
τmin
Worst-case scenario
![Page 93: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/93.jpg)
Quasi-Synchronous Systems
16
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Theorem: A real-time model is quasi-synchronous if and only if,
1. it is unitary discretizable 2. coucou2Tmin + τmin ≥ Tmax + τmax
Tmax
τmax
τmin
Worst-case scenario
![Page 94: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/94.jpg)
Quasi-Synchronous Systems
16
“It is not the case that a component process executes more than twice between two successive
executions of another process.”
Theorem: A real-time model is quasi-synchronous if and only if,
1. it is unitary discretizable 2. coucou2Tmin + τmin ≥ Tmax + τmax
Tmax
τmax
τmin
Tmin Tmin
Worst-case scenario
![Page 95: Soundness of the Quasi-Synchronous Abstraction · The Quasi-Synchronous Abstraction Reduce the state-space in two ways: “It is not the case that a component process executes more](https://reader033.vdocument.in/reader033/viewer/2022042222/5ec859b6a23ed260c86775df/html5/thumbnails/95.jpg)
Conclusion
17
The quasi-synchronous abstraction:1. Model transmission as unit delays 2. Constrain node activations interleavings
Contributions:• Condition 1 is not sound in general • Notion of unitary discretization • Necessary and sufficient conditions to recover soundness • Characterization of quasi-synchronous systems
Constrain both the communication graph and the real-time characteristics of the architecture to recover soundness of the
quasi-synchronous abstraction.