**Department of Computer Science National Tsing Hua University** 

#### CS 5244: Introduction to Cyber Physical Systems

### Unit 20: Hierarchical State Machines (Ch. 5)

**Instructor: Cheng-Hsin Hsu** 

Acknowledgement: The instructor thanks Profs. Edward A. Lee & Sanjit A. Seshia at UC Berkeley for sharing their course materials

#### **Recall Synchronous Composition:**

 $S_C = S_A \times S_B$ outputs: *a*, *b* (pure)







Synchronous composition

#### **Recall Asynchronous Composition:**





with interleaving semantics

### Recall program that does something for 2 seconds, then stops

```
volatile uint timerCount = 0;
void ISR(void) {
  ... disable interrupts
  if(timerCount != 0) {
    timerCount--;
  }
  ... enable interrupts
}
int main(void) {
  // initialization code
  SysTickIntRegister(&ISR);
  ... // other init
  timerCount = 2000;
  while(timerCount != 0) {
    ... code to run for 2 seconds
  }
```

Is synchronous composition the right model for this?

Is asynchronous composition (with interleaving semantics) the right model for this?

Answer: no to both.

#### Position in the program is part of the state

```
volatile uint timerCount = 0;
void ISR(void) {
  ... disable interrupts
   if(timerCount != 0) {
      timerCount--;
   ... enable interrupts
int main(void) {
   // initialization code
   SysTickIntRegister(&ISR);
   ... // other init
   timerCount = 2000;
   while(timerCount != 0) {
    ... code to run for 2 seconds
  whatever comes next
```

A key question: Assuming interrupt occurs infinitely often, is position C always reached?

#### State machine model

```
volatile uint timerCount = 0;
void ISR(void) {
   ... disable interrupts
   if(timerCount != 0) {
      timerCount--;
   ... enable interrupts
int main(void) {
   // initialization code
   SysTickIntRegister(&ISR);
   ... // other init
   timerCount = 2000;
   while(timerCount != 0) {
    ... code to run for 2 seconds
⇒ whatever comes next
```

variables: timerCount: uint
input: assert: pure
output: return: pure



Is asynchronous composition the right thing to do here?

#### Asynchronous composition

timerCount = 0 /



#### Modeling an interrupt controller

FSM model of a single interrupt handler in an interrupt controller:



#### Modeling an interrupt controller



#### **Hierarchical State Machines**



Reaction:

- 1. First, the refinement of the current state (if any) reacts.
- 2. Then the top-level machine reacts.
- If both produce outputs, they are required to not conflict.

The two steps are part of the same reaction.

#### **Hierarchical State Machines**



Simultaneous transitions can produce multiple outputs. These are required to not conflict.

#### **Hierarchical State Machines**



A history transition implies that when a state with a refinement is left, it is nonetheless necessary to remember the state of the refinement.

# Flattening the state machine (assuming history transitions):



refinement. Hence A,C and A,D.

#### Hierarchical State Machines with Reset Transitions



A reset transition implies that when a state with a refinement is left, you can forget the state of the refinement.

# Flattening the state machine (assuming reset transitions):





A reset transition implies that when a state with a refinement is left, it is not necessary to remember the state of the refinement. Hence there are fewer states.

#### **Preemptive Transitions**



#### Modeling an interrupt controller



#### Simplified interrupt controller

This abstraction assumes that an interrupt is always handled immediately upon being asserted:



#### Hierarchical interrupt controller

### This model assumes further that interrupts are disabled in the ISR:



#### Hierarchical interrupt controller

This model assumes interrupts are disabled in the ISR:



#### Hierarchical composition to model interrupts



variables: timerCount: uint
input: assert: pure
output: return: pure



Answer: NO! Counterexample: each time timerCount = 1, get more than one nested interrupt. Trace in upper machine: idle, D, E, D2, E2, D2, E, D, ...

What if interrupts are not disabled?

#### **Communicating FSMs**

In the ISR, example our FSM models of the main program and the ISR communicate via shared variables and the FSMs are composed asynchronously.

We call this model of computation *threads*.

There are better alternatives for concurrent composition.

- Hierarchical FSMs + Synchronous Composition: Statecharts [Harel 87]
- Modeling with
- o Hierarchy (OR states)
- o Synchronous composition (AND states)
- o Broadcast (for communication)



#### Example due to Reinhard von Hanxleden

#### Summary

- o Composition enables building complex systems from simpler ones.
- o Hierarchical FSMs enable compact representations of complex behaviors.
- Both forms of composition can be converted to single flat FSMs, but the resulting FSMs are quite complex and difficult to analyze by hand.
- o Algorithmic techniques are needed (e.g., model checking, the inventors of which won the 2009 Turing Award).