![Page 1: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/1.jpg)
SAFE CCSL SPECIFICATION:
A SUFFICIENT CONDITION
Frédéric Mallet1, Jean-Vivien Millo1, Robert de Simone2 1Univ. Nice Sophia Antipolis, CNRS I3S, INRIA
2INRIA Sophia-Antipolis
1
MemoCODE 2013, Portland, Oregon, USA
![Page 2: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/2.jpg)
CCSL AND TIMESQUARE
CCSL: Clock Constraint Specification Language
2
http://timesquare.inria.fr
Marte profile
![Page 3: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/3.jpg)
OUTLINE
Motivation and overview
Expressing the sufficient condition
Conclusion
3
![Page 4: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/4.jpg)
MOTIVATION
Let us consider a clock c in a specification spec
Liveness(c): c can tick/occur infinitely often.
Model checking (LTL/CTL)
State-based representation of the specification
State-based representation of each constraint[1]
A composition operator[1]
Have a finite state space
4
!
[1] F. Mallet and J-V. Millo, Boundedness issues in CCSL specifications, ICFEM 2013
![Page 5: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/5.jpg)
FINITE AND INFINITE CCSL CONSTRAINTS
Some constraints are finite
coincidence, exclusion, subset, delay, or, and
Some constraints are infinite
Precedence, max, min
Some products of infinite constraints are finite
Ex: alternate
5
![Page 6: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/6.jpg)
FINITE AND INFINITE CCSL CONSTRAINTS
6
left precedes right b = a delayed by 1
a alternates with c
a precedes c
b = a delayed by 1
c precedes b x0 x1
a
c
e e
![Page 7: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/7.jpg)
BUILDING THE STATE SPACE
Problem: the composition operation terminates
only when the state space is finite.
Strategy: detect boundedness before composing.
Solution: 1/ build a MG of precedence
2/ check for strong connections
7
![Page 8: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/8.jpg)
EXAMPLE: ALTERNATES
8
a
b
c
a precedes c
b = a delayed by 1
c precedes b a precedes c
b = a delayed by 1
c precedes b
![Page 9: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/9.jpg)
OUTLINE
Motivation and overview
Expressing the sufficient condition
Conclusion
9
![Page 10: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/10.jpg)
STATE SPACE
The state space is based on d=Xleft–Xright counters
d’s are integer representations of precedencies
Precedencies are induced by every constraint …and capture its state space
A precedence is equivalent to a place in a MG
10
left precedes right
left precedes right left right
![Page 11: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/11.jpg)
INFINITE STATE CONSTRAINTS
i=inf(c1,c2): i ticks with the first of (c1,c2)
Corresponding precedence relation:
i precedes c1
i precedes c2
c1 and c2 are synchronizable 11
c1 c2
i
Here,
d=Xc1–Xc2
![Page 12: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/12.jpg)
FINITE STATE CONSTRAINTS
o= c1 or c2
Corresponding precedence relation:
o precedes c1
o precedes c2
12
d0
c1,o
c2,o
c1,c2,o
c1 c2
o
![Page 13: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/13.jpg)
MG ABSTRACTION OF A CCSL SPEC
Every clock A transition
Every constraint precedence(s) place(s)
Clock c1, c2, o
c1 precedes c2
o= c1 or c2
13
c1 c2
o
![Page 14: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/14.jpg)
BOUNDEDNESS CONDITION
For every synchronizable relation
The two transitions belong to the same SCC
In a MG, all transitions of a SCC have the same
asymptotic rate [Commoner et al. 1971]
Clock a, b, c, i
i= inf(a,b)
a precedes c
b precedes c
c alternates with i 14
a
b
c
i
![Page 15: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/15.jpg)
OUTLINE
Motivation and overview
Expressing the sufficient condition
Conclusion
15
![Page 16: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/16.jpg)
CONCLUSION
We present a sufficient condition to detect
bounded/safe CCSL specifications
We use a MG abstraction of CCSL
The condition is probably also necessary
but it is not proved.
“Clock death” has not been considered
16
![Page 17: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/17.jpg)
FUTURE WORK
Universal deadlock detection:
17
c1 alternates with c2 c1 precedes c2
c2 precedes c1
c1
c2
c1
c2
![Page 18: Safe CCSL specification: A sufficient condition](https://reader034.vdocuments.us/reader034/viewer/2022051813/6282b7c508ab5665b4367f34/html5/thumbnails/18.jpg)
QUESTIONS?
MARTE profile: http://www.omgmarte.org
Timesquare: http://timesquare.inria.fr
[1] F. Mallet and J-V. Millo, Boundedness issues
in CCSL specifications, ICFEM 2013
[2] Commoner, Holt, Even, Pnueli; Marked
Directed Graphs, 1971
18