6.8 MODECHART SPECIFICATION LANGUAGE

Figure 6.5 Modechart 2.

instant when the mode is exited or entered. There are three types of modes: atomic, serial, and parallel.

An atomic mode has no internal structure and represents a primitive control state of the system. Atomic modes are basic building blocks of a Modechart specification. In Figure 6.4, the atomic modes are ModeA, ModeB, ModeC, ModeD, and ModeE. In Figure 6.5, the atomic modes are ModeA, ModeC, ModeD, ModeE, ModeF, and ModeG.

A serial mode contains one or more child modes connected sequentially by transitions, and these child modes are said to be in series. Therefore, a serial mode is a sequential composition of its child modes. In Figure 6.4, the serial modes are Mode1 and Mode2. In Figure 6.5, the serial modes are Root and ModeB. One of the child modes in a serial mode must be active at any time when the serial mode is active. One of these child modes is labeled as the initial mode, and this is the mode that is entered when the serial mode itself is entered. The initial mode is represented by a box with bold lines. In Figure 6.4, the initial mode of Mode1 is ModeA. In Figure 6.5, the initial mode of Mode2 is ModeC. However, if the transition leading to this serial mode points to another child mode M that is different from the initial mode, then mode M is entered instead when the serial mode itself is entered.

A parallel mode contains zero or more unconnected child modes, and these child modes are said to be in parallel. Therefore, a parallel mode is a parallel composition of its child modes. In Figure 6.4, the parallel mode is Root. In Figure 6.5, the parallel modes are Mode1 and Mode2. All of the child modes in a parallel mode must be active at any time when the parallel mode is active. A parallel mode with no child modes is equivalent to an atomic mode.

In a Modechart specification, the root mode is the outermost mode with no parent. A computation begins by entering the root mode at time 0. Note that a root mode can be one of the following: atomic, serial, or parallel. The Root mode of the modechart in Figure 6.4 is parallel with two child modes, each of which is serial. On the other

174 REAL-TIME LOGIC, GRAPH-THEORETIC ANALYSIS, AND MODECHART

hand, the Root mode of the modechart in Figure 6.5 is serial with two child modes, each of which is parallel.

6.8.2 Transitions

A transition from one mode to another mode represents the control flow between these modes, and thus indicates a change in the control information of the specified system. A transition is drawn as a directed edge from a source mode to a destination mode and represents control exiting the source mode and being moved to the destination mode. Since the child modes of a parallel mode must be all active, a transition can occur only between modes in series. More precisely, the parent of these pair of modes must be a serial mode, and either the first common ancestor of these pair of modes must be a serial mode or the transition must be a self-loop. In Figure 6.4, there are transitions from ModeA to ModeB, from ModeC to ModeD, and from ModeD to ModeE. In Figure 6.5, there are transitions from ModeC to ModeD and from ModeC to ModeG.

A mode transition is an event that happens instantaneously (takes zero time units), just like an RTL transition event, and is denoted Ms → Md , where Ms is the source mode and Md is the destination mode. An earlier notation [Jahanian and Mok, 1994] for a transition event is Ms − Md . The event of entering a mode M is denoted → M, and the event of exiting a mode M is denoted M →, both of which happen instantaneously. Note that “a mode is active” is not an event since by definition an event occurs at an instant of time taking zero time units.

Since the model of computation used by Modechart considers a computation as a sequence of sets of event occurrences, every computation is a sequence of sets of mode entry events, mode exit events, and/or transition events. Each transition is labeled with a condition, and when this condition is satisfied, this transition occurs. A condition is expressed in disjunctive normal form c1 · · · ck and each disjunct ci is either a triggering condition or a timing condition.

A triggering condition is expressed in conjunctive normal form e1 · · · en and each conjunct is either an event or a predicate. For a triggering condition to be satisfied, all events in it must occur and all predicates in it must hold at the same time. More precisely, each conjunct is chosen from one of the following:

1.Event → M is satisfied when mode M is entered.

2.Event M → is satisfied when mode M is exited.

3.Event M1 → M2 is satisfied when the transition M1 → M2 occurs.

4.Predicate M == true is satisfied if mode M is active.

5.Predicate M == false is satisfied if mode M is not active.

6.Mode list predicate {(M1, . . . , M N )} is satisfied if any of the list’s modes are active.

7.Before list predicate {(< M1, . . . , M N )} is satisfied if any of the list’s modes are active and have been active for at least one time unit.

A timing condition is a delay and deadline pair of the form (r, d), where r ≤ d and both values are non-negative integers. This timing condition is also known as a lower/upper bound condition. The notation (delay r) means (r, ∞). (deadline d) means (0, d). (alarm r) means (r, r). In Figure 6.4, the transition with triggering condition (a timing condition) (2,5) from ModeA to ModeB indicates that this transition can occur 2 times units after ModeA is entered and within 5 time units after this mode is entered. In Figure 6.5, the transition with triggering condition (0,10) from ModeC to ModeD indicates that this transition can occur immediately after ModeC is entered and within 10 time units after this mode is entered. The transition with triggering condition (2,8) from ModeC to ModeG indicates that this transition can occur 2 time units after ModeC is entered and within 8 time units after this mode is entered.

6.9VERIFYING TIMING PROPERTIES OF MODECHART SPECIFICATIONS

To verify timing properties in a Modechart specification, we first generate a computation graph [Jahanian and Stuart, 1988] from the specification. This computation graph represents all behaviors allowed by the Modechart specification. Then we apply specialized decision procedures [Jahanian and Stuart, 1988] or more general model-checking algorithms [Clarke, Emerson, and Sistla, 1986] to the computation graph to determine if a given timing property is satisfiable. To apply either of these approaches, the computation is viewed as the model of the specified system and the timing property to be checked is given as an RTL formula. Then the decision procedure or model checker decides whether the computation graph satisfies this property.

We first describe the computations of a specified system and how these are represented by an infinite computation tree. Then we show how this computation tree can be converted into a finite computation graph for analysis and verification.

6.9.1 System Computations

Given a Modechart specification, we can generate a computation tree showing all possible behaviors of the system, that is, all possible sequences of sets of event occurrences. The computation tree is a rooted directed tree, possibly of infinite size, with nodes labeled with events and with edges indicating causality. This is similar to the computation tree corresponding to a state transition graph representing a specified system for model checking in chapter 4. However, a node in the computation tree here is a point in time when events occur, and it does not assign values to variables in a predicate.

Therefore, here we refer to a node in the computation tree as a point, and a point P pointed to by an edge represents the event occurrence caused by the events along the path from the root to P. A point may be labeled with more than one event if the events occur at the same time. Since there are timing constraints on transitions between modes in the Modechart specification, the corresponding computation tree