
5.3 Microcontroller

5.3.6 Timers

The ATmega16 has three timers: two 8 bit timers (Timer/Counter0 and 2) and one 16 bit timer (Timer/Counter1). In [mc]square, we abstract from time because its accurate modeling would, in our approach, lead to state spaces that are too large to be handled. Model checking of real-time models is, for example, described by Bengtsson et al. [14] and Larsen et al. [71, 72]. The model of a timer used within [mc]square over-approximates the real behavior of a timer. We only distinguish two timer states: the timer is running or not running. Depending on whether a timer is running or not, the registers accessing the timer have different values. This section describes the modeling of Timer/Counter0 within [mc]square.

Figure 5.5 shows the UML class diagram depicting the classes that model the timers of the ATmega16. Timer/Counter0, which is represented by Timer0, is controlled by five I/O registers. The values of these I/O registers are stored within the array representing the SRAM data memory and not in the Register classes. The Register classes only store the addresses of the corresponding I/O registers (see also Sect. 5.3.2). In the following, these five registers and their modeling in [mc]square are described:

Timer/Counter Control Register 0 (TCCR0) is utilized to control Timer/Counter0. It is used to select the clock source, to choose the output compare mode, to choose the waveform generation mode, and to trigger the output compare event. Possible clock sources are, for example, none, internal, and external.

The instance of the ControlRegister in Timer0 models the TCCR0 register. Its value is deterministic and independent of the state of Timer0. This instance controls Timer0 determining whether it is running or not. If a clock source is selected, Timer0 is running. If no clock source is selected, Timer0 is not running. Depending on the ControlRegister, the values of certain register representations are nondeterministic in [mc]square because we abstract from time.

Figure 5.5: Classes of the Simulator package related to timers.

Timer/Counter Register 0 (TCNT0) is the register that stores the current value of Timer/Counter0. It can be read and written, that is, users can read and change the current timer/counter value. Doing so can introduce side-effects, for example, events can be missed. In case the register overflows, an overflow event is raised by setting the corresponding bit in the TIFR register. If the overflow interrupt is enabled, it is triggered by the overflow event.

The instance of the CounterRegister in Timer0 models the TCNT0 in [mc]square. The value of the CounterRegister depends on the state of Timer0, that is, whether it is running or not, which is determined by the ControlRegister. If Timer0 is not running and was not running before, the value of the CounterRegister is deterministic. If Timer0 is running, the value of the CounterRegister is nondeterministic. If Timer0 was running before and is now deactivated, the value of this Register is nondeterministic too. This is remembered within the TBDM of the CounterRegister. After the nondeterminism of the value is resolved, the value is deterministic again because the TBDM is reset.

Output Compare Register 0 (OCR0) stores the output compare value for Timer/Counter0, which is continuously compared with the TCNT0 register. Every time both values are equal, a compare match is signaled by setting the corresponding bit within the TIFR. If the compare match interrupt is enabled, it is triggered.

The instance of CompareRegister in Timer0 models the OCR0 register. As it stores the compare value, it is completely deterministic regardless of the state of Timer0.

Timer Interrupt Flag Register (TIFR) is used by all three timers. Each of the timers has its own bits inside the TIFR. Timer/Counter0 uses two bits of this register: Output Compare Flag 0 and Timer/Counter0 Overflow Flag. The former is utilized to store whether an output compare event occurred and the latter is used to store whether an overflow event occurred. This register is set by the hardware and can be read by the program. Bits of this register are reset when either a one is written to them, or the associated interrupt handler is entered. These flags can be used in two different ways. First, they can be used by utilizing the corresponding interrupts. Second, users can poll these flags in their programs and reset them manually after handling the events.

TimerFlagRegister models the TIFR register. As this register is used by all timers, it is not modeled in the Timer classes but rather in the ATMega16 class. Timer0 uses two bits of the TimerFlagRegister. The values of these bits are dependent on the state of Timer0. If Timer0 is running, the values of these two bits are nondeterministic, but this nondeterminism can be restricted. If the nondeterminism of the value of one of these bits was resolved and instantiated to one due to an access by the Simulator, it remains one until it is reset. Otherwise, if it was instantiated to zero, the value remains nondeterministic in the next state. If Timer0 is not running and was not running before, the values of both bits are zero. If Timer0 is not running, but was running before, the values of these two bits are nondeterministic and have to be instantiated once to become deterministic again. This is recorded in the TBDM of the TimerFlagRegister because the actual source of the nondeterminism, that is, timer is running, is no longer enabled. The resolution of the nondeterminism is not done within this class but rather within the Determinizer.

Timer Interrupt Mask Register (TIMSK) determines which timer/counter interrupts are enabled. This register is used by all three timers. Timer/Counter0 uses two bits of this register: Timer/Counter0 Output Compare Match Interrupt Enable and Timer/Counter0 Overflow Interrupt Enable. The first bit determines whether the compare match interrupt is enabled and the second bit determines whether the overflow interrupt is enabled. Writing a one to a bit activates the respective interrupt. Writing a zero to a bit deactivates the interrupt. The interrupts are only enabled if the I bit in the SREG is also set.

The TIMSK register is modeled by the TimerMaskRegister. It is implemented within the ATMega16 class because it is used by all three timers. The value of this register is deterministic and independent of the state of Timer0. It is, for example, used by the Determinizer to decide which timer interrupts are enabled.

Modeling the devices accurately helps to minimize the size of the state space. Without modeling the dependencies between the different timer registers, the values of both the TCNTx and the TIFR would be nondeterministic regardless of the state of the timer. Timer interrupts could then occur at every program location.

Another reduction of nondeterminism that could not be used without modeling the dependencies of the timers is the abstraction we implemented for the TIFR, which avoids paths where the values of the interrupt flags are first one and then, in the next state, zero without being reset. On the real microcontroller such paths are not possible, but if these dependencies were not modeled, the value of the TIFR would always be nondeterministic making such paths possible. This would increase the size of the state space and lead to more false alarms.
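The TIFR flag abstraction described above can be written down as a small state model. The following Python model is an added example, not code from [mc]square: the names `FlagState`, `pinned`, `write_tccr0`, `possible_values`, `instantiate` and `reset_flag` are hypothetical, the clock-select mask is taken from the ATmega16 datasheet, and it assumes that a flag reset while Timer0 is running becomes nondeterministic again.

```python
from dataclasses import dataclass, replace

CS_MASK = 0x07  # TCCR0 clock-select bits CS02:0 (ATmega16 datasheet); 0 = no clock source

@dataclass(frozen=True)
class FlagState:
    """Abstract state of one Timer0 bit in the TIFR (hypothetical names)."""
    running: bool = False  # Timer0 has a clock source selected
    pinned: bool = False   # bit was instantiated to one and not yet reset
    tbdm: bool = False     # timer stopped after running; value still unresolved

def write_tccr0(s, value):
    """Writing TCCR0 starts or stops Timer0; stopping a running timer sets the TBDM."""
    now = (value & CS_MASK) != 0
    return replace(s, running=now, tbdm=s.tbdm or (s.running and not now))

def possible_values(s):
    """Concrete values the flag bit may take in this abstract state."""
    if s.pinned:
        return {1}  # stays one until reset: no 1 -> 0 path without a reset
    return {0, 1} if (s.running or s.tbdm) else {0}

def instantiate(s):
    """Resolve the nondeterminism on access: one successor state per possible value."""
    return {v: replace(s, pinned=(v == 1), tbdm=False) for v in possible_values(s)}

def reset_flag(s):
    """A one is written to the bit, or the associated interrupt handler is entered."""
    # Assumption: with Timer0 still running the bit is nondeterministic again afterwards.
    return replace(s, pinned=False, tbdm=False)

def demo():
    idle = FlagState()
    run = write_tccr0(idle, 0x01)         # select a clock source
    succ = instantiate(run)               # access while the timer is running
    stopped = write_tccr0(succ[0], 0x00)  # deselect the clock source
    return {
        "never run": possible_values(idle),
        "running": possible_values(run),
        "read 1, next state": possible_values(succ[1]),
        "read 0, next state": possible_values(succ[0]),
        "stopped, unresolved": possible_values(stopped),
        "stopped, resolved to 0": possible_values(instantiate(stopped)[0]),
    }

if __name__ == "__main__":
    for label, values in demo().items():
        print(f"{label:24s} {sorted(values)}")
```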

The modeling of Timer/Counter2 is similar to the modeling of Timer/Counter0. As Timer/Counter1 is a 16 bit timer, its modeling is more complex. Timer/Counter1 has eleven registers in contrast to the five registers of Timer/Counter0 and Timer/Counter2. Additionally, Timer/Counter1 has features that are not present in either Timer/Counter0 or Timer/Counter2.

5 State Space Building in [mc]square
