View
226
Download
0
Category
Tags:
Preview:
Citation preview
Synchronous Languagesand System Design with Esterel
Ellen Sentovich
Cadence Berkeley Laboratories
Outline
• Context : Reactive Systems• Principles : Synchronous languages• Esterel in-depth
– Language, Compilation– Causality– Optimization and Verification
• New applications: ECL• Implementing Esterel on CFSM networks
System Design• Systems produce a steady sequence of input/output
sequences• Inconvenient to specify sequences; need models and
languages• Model
– Simple and intuitive– Accurate enough model of physical reality
– Mathematically efficient– General enough to allow different implementation styles
• Language– Accurate expression of the model– Convenient and efficient expression of the design
• Analysis• Implementation
– compilation to hardware, software
Reactive Systems
control
data
signals
sensors
signals
values
EsterelStatechartsArgosEsterelStudio
LustreSCADESignal
Applications• Software and hardware controllers
– process control, embedded systems,data-path control
• Communication Protocols– software protocols,bus interfaces,cache
coherence
• Drivers– man-machine interface,systems
drivers,pipeline logic
Concurrency + Determinism
Reactive System Characteristics
• Reactivity– continually react at a speed determined by the
environment
• Concurrency– at least between system and environment
• Strict time and reliability requirements• Deterministic• Mixed hardware/software implementations
Synchronous SystemsCycle based read inputs compute reaction produce outputs
Synchronous within the same cycle at the same time (0-delay)
(must be checked on implementation)
Synchronous control propagation signal broadcastingEquivalent FSM implementation
(good analysis techniques)
Synchronous Languages
• Invented for the design of reactive kernels– not the interactive interface or data management
• Programmer views system as an instantaneous reactor to events
• Program behavior is completely deterministic• Attempt to resolve concurrency and non-
determinism (in other models)
Esterel: Background• Esterel is one of a set of synchronous
languages developed in France:– Esterel: reactive control– Lustre, Signal: data flow– Argos, SyncCharts: graphical
• Esterel development goal: natural expression of control– Specific statements to deal with time, preemption– Departure from concurrency as interleaving and rendez-vous
to concurrency as instantaneous propagation of control
Esterel: Background• Synchronous programming environment...
– Language:• For control-dominated, reactive systems• Constructs for sequencing, concurrency, preemption
– Compiler:• Produces sorted Boolean equations• Causality checking, symbolic debugging, verification• Implementation as C-code or digital circuits
Esterel: Basic Principles• Synchronous hypothesis : instantaneous
communication• Communication via broadcast signals (event)
– signals, sensors, variables– pure, valued– Boolean and arithmetic operators
• Modularity : program = collection of modules• Concise programs : write things once !!• Concurrency, sequencing, preemption• Well-defined semantics
Overview of Syntax• Signal reading/writing
emit S emit S(value) present S then p else q
• Basic control and looping:
halt loop p end run module• Sequencing, concurrency
p ; q p || q• Preemption
suspend p when S abort p when Sweak abort when S abort when immediate S
Syntax : await statement• Most basic signal control statement
await S
• Equivalent toabortloop
haltend
when S
• Note: “Await” always stops– consider await S; await S– versus await immediate S; await immediate S
Variables and Ordering
• Variable manipulation (local)V := value if V=value then p else q
• Variable computations : orderedV := 5;V := V+1;Y := V;emit S(V)
• Signal emissions (communication) : unorderedLegal: emit S; emit SIllegal: emit S(3); emit S(5) (non-deterministic)
• Signal computations : orderedWell-defined: emit S; present SUndefined: present S then emit S
The ABRO Example
• “Wait until both A and B have occurred, then output O, unless the reset R occurs”
A B
B/0 A/O
AB/O
R
R
R
Number of states is exponential in inputs
The ABRO Example in Esterel
• Wait until both A and B concurrency
• Unless R preemption
[await A || await B] ;
emit O
abort
when R
loop
end
Write things ONCE !!
Code size is linear in inputs; efficient circuit
Compilation• Esterel program extended finite state machine
– finite # inputs, deterministic reaction finite program– FSM + data computations
• Can be compiled to a single automata - EXPENSIVE!!– exhaustive exploration of set of control states– Esterel v3
• Can be translated to sorted Boolean equations– Esterel v5
• State machine is represented implicitly
Translation to Boolean Circuits
• Structural translation• Network of interconnected cells• Implementation of control:
– control signal runs through the circuit– boot signal : latch, initially 1, thereafter 0
• Each cell contains– signal input/output; control input/output– suspend, kill, resume signals– return codes (nested preemption)
• One register per halting statement
Translation to Boolean Circuits
•present S then p else q
S
control
control for q
control for p
control
Causality
• Cycles occur naturally in Esterel specifications– Cyclic dependency between variables– Some are harmful, some not
• The Causality Problem is analyzing these cycles and deciding which to accept– It is related to analyzing hardware in circuits– Combinational cycles
• How do we define a causally correct program?– We want a unique, comprehensible solution– All present signals must be emitted somewhere– A solution is a set of consistent assignments to all signals– Need to be able to express program in a non-cyclic way
Constructive causality
Harmful Cycles
No Boolean solution (non-reactive),or several solutions (non-deterministic)
Electrically unstable
Useless !
X = XX
X = not XX
present X then emit X end
present X else emit X end
Harmless Cycles
Unique Boolean solutionElectrical stabilization in bounded time
=> behaves as if acyclic
Natural in Esterel programmingNatural in high-level hardware synthesisPossible exponential saving in space!
present I then present X then emit Y endelse present Y then emit X endend
Y
X
I
X
Y
I
J
X = I and not YY = J and not X
OK unless I = J = 1
1
0
X
Y
The non-constructive state (1,1) is unreachable => reachability analysis needed
Combinational Cycles in Sequential Circuits
Y = if C then G(F(X)) else F(G(X))
F
G
01
10
10
C
C
C
X Y
Naturally occurring harmless cycles:Operator sharing (S. Malik)
Causality: A Real Example• Bus arbitration
TokenOut GrantOut
TokenIn GrantInReqIn AckOutCell 1
TokenOut GrantOut
TokenIn GrantInReqIn AckOut
Cell n
TokenOut
AckOut
T
ReqIn
GrantOut
GrantInTokenIn
GrantOut
GrantIn
Strange Cycles
Unique Boolean solution
But electrically unstable !
=> Electricity = Boolean calculus/
X
Y
X = XY = X and not Y
X = 0X = 1 ?
Want to build a theory with stable solutions.Also cheaper for compiler
(interpretation possible)
present ToBe then emit ToBe else emit ToBeend
ToBe
Hamlet : ToBe = ToBe or not ToBe
Constructive Causality in Esterel
Step through programAnalyze what must be done (emit) what cannot be done (no possible emit) what can be done
Set a signal present iff it must be emittedSet a signal absent iff it cannot be emitted
Constructive causality permits interpretation
Executing Constructive Causality
module P1:input I;output O;signal S1, S2 in
present I then emit S1 end||
present S1 else emit S2 end||
present S2 then emit O endend signalend module
Circuits are Boolean proof builders
Trace values from inputs to outputs, neverguessing a value
Analysis equivalent to electron flow in a circuitA causal program is equivalent to an electrically
stable circuit, acyclic circuit
0
00 0
0
Analogy: constructive circuits
Derive facts from facts
E=0E and F = 0
F=0E and F = 0
E=1 F=1E and F = 1
E=0not E = 1
E=1not E = 0
X=E E=bX=b
Constructive Boolean Logic
Cannot determine E or not E unless E is known!
X = I and not YY = J and not X
(1) I=0(2) J=1(3) X=0 from (1)(4) not X=1 from (3)(5) Y=1 from (2) and (4)
(1) I=1(2) J=0(3) Y=0 from (2)(4) not Y=1 from (3)(5) X=1 from (2) and (4)
No proof of X and Y if I=J=1
Semantic model : Scott’s 3-valued logic
B = { , 0, 1}
View circuit as fixpoint equation
X = F(X, I)
X=b holds in fixpoint iff provable
TT
Main Theorem (Shiple Berry from Brzozowski - Seger)
Given a circuit and an input :
X=b provable in CBL (proving facts)<=> X=b in the fixpoint (Scott’s view)<=> X stabilizes to b for any delay assignment (circuit view)
Compositionality
Algorithms (Esterel v5)Interpretation
Input-dependent analysislinear time
Compilation (Shiple = Malik + Bourdoncle)Input-independent fixpoint analysis:
Combinational loops are brokenthree-valued simulation performed (BDDs)reachable state computation (BDDs)
Check that all feedback wires are well-defined
Expensive! Interpretation option in Esterel==> equivalent acyclic version
X = I and not YY = J and not X
I=0 . J=1 X : 2 Y : 2
J=1 . X=0 X : 1 Y : 2
X=0 X : 1 Y : 1
X : 1 Y : 0
Y=1 X : 1 Y : 0
X : 0 Y : 0
unknownsfacts
Interpretation Example
X = I and not YY = J and not X
I=1 . J=1 X : 2 Y : 2
J=1 X : 1 Y : 2
X : 1 Y : 1
Deadlock = proof search stops
X = I and not YY = J and not X
X = I and YX = I or YY = J and XY = J or X
X set of inputs that set X to 1 X set of inputs that set X to 0
The circuit is constructive for all inputs such that X or X = 1 for all X
Dual-Rail Encoding to Implement Constructive Analysis
X {
3-valued: 01 = 0, 10 = 1, 00 = unknown
((I and J) or I) and ((J and I) or J))
X = I and YX = I or YY = J and XY = J or X
I = I I = not I
for I input {
not(I and J)
X = 0X = IY = 0Y = J
X = I and JX = IY = J and IY = J
Fixpoint iteration
X = 0X = 0Y = 0Y = 0
Need XX = 0, YY = 0; X + X = 1, Y + Y = 1
Causality Summary
Constructive Boolean logic characterizes delay-independent digital circuits
Solves the causality problem for Esterel Strong user request! Compositional semantics
Good implementation and decision algorithms
• Xes
Graphical Symbolic Debugging
Optimization• Standard logic synthesis techniques can be applied
to generated hardware• Finite state machine optimization and analysis• Esterel state encoding:
– locally group-hot– efficient implementation– far more latches than the minimum
• Latch minimization algorithms– exploit the latch/logic tradeoff– progressively more powerful algorithms
Latch Optimization• Replacement of latches with logic
– compute the reachable state set– compute sets of latches that can be
replaced• single latch removal : Rl Rl’= 0
• 2-for-1 removal : Rij Ri’j’ + Ri’j Rij’ = 0
Reachable statesKarnaugh map
L
L1 … Ln-1
0
1
1
1
1
1
Latch Optimization• Generate decoding logic
–single-latch: remove latch–2-for-1: remove two latches, add logic for
one
• Generate encoding logic–single-latch: E = Rl (dependent on other
latches)
EL’D
LCircuit
In Out
Latch Optimization : Exclusive Sets
• Mutually exclusive latch activityawait s1 || await s2 || await s3;await s4 || await s5 || await s6
• Latch corresponds to each wait• (s1, s2, s3) # (s4, s5, s6)• Replace 6 latches with 3 plus a
multiplexing latch
Latch Optimization : Results
• Esterel encoding maintains the structure of the initial program
• single latch removal is always beneficial• More sophisticated algorithms exploit latch/logic
tradeoff• Cost functions depend on circuit size, BDD size• Typically 2-for-1 is performed until logic becomes
prohibitively expensive• Verification times are improved
Verification
• Simulation and debugging• Synchronous observers
– specify an Esterel module to monitor the system and report errors
– specify an Esterel module to model the environment– perform symbolic reachability analysis
• Temporal logic formulas translated to Esterel modules– TempEst work at U Texas
The Esterel ToolsetLanguage + formal semanticsCompiler to hardware or software (Esterel v5) Automata (explicit FSM) Boolean circuits (implicit FSM) Proved correct w.r.t. the semanticsGraphical simulators / debuggers (xes)Verifier for safety properties Xeve, TempEstEsterelStudio : commercial product, including
graphical input, test generation
ECL Project
• ECL for system design– Done at Cadence Berkeley Laboratories– Many industrial partners– Used in one commercial product
• Language & Compilation
• Status
ECL Summary : Language• ECL = Esterel + C
– ANSI-C plus constructs for reactivity• signal communication: await(sig); emit(sig, value);• pre-emption: abort stmt when sig_exp• concurrency: par stmt; par stmt
– C : standard in embedded software, minimal learning curve, many good compilers, reactivity missing
– Esterel : high-level reactive control, rigorous mathematical semantics (FSM), strong analysis and optimization tools, limited support for data, non-reactive loops
ECL Key Features• Language support for control and data
• Esterel + FSM synthesis technology for– Efficiency : implicit state FSMs– Robust analysis and optimization– Verification– Implementation HW and/or SW
Example : simple C
for (i = 0; i < SIZE; i++) { buf [ i ] = In [ i ];}create_frame_from_buffer(&f, buf);
Example : add reactivity / concurrency
for (i = 0; i < SIZE; i++) { buf [ i ] = IN ;}create_frame_from_buffer(&f, buf);
await ( IN );
emit (frame, f);
while (1) { /* check CRC */ await (frame); for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i] if (crc != frame.crc) emit (bad_crc);}
while (1) { /* get bytes into frame */
}
par
par
Example : complete ECL module
par while (1) { /* process address (if correct) */ await (frame); do { /* … */; emit (out, frame) } abort (bad_crc); }
typedef { byte hdr[HSIZE]; byte data[DSIZE]; int crc; } frame_t;
module frame_proc (input byte in, input frame_t out)
byte buf[SIZE]; frame_t f; int crc;
{ signal frame_t frame; signal int bad_crc;
}
par while (1) { /* get bytes into frame */ for (i = 0; i < SIZE; i++) {await (in); buf[i] = in;} create_frame_from_buffer(&f, buf); emit_v (frame, f); } par while (1) { /* check CRC */ await (frame); for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i]; if (crc != frame.crc) emit (bad_crc); }
ECL compilation• Split ECL source: Esterel + C (by compiler capability)
• ECL module compiled to
– FSM (via Esterel) : reactive stmts + some C [Control +]
– C-code residue : functions and non-reactive loops [Data]
• Implementation
– SW (C) or HW (HDL) [Control +]
– C-code residue : SW produced by ECL compiler [Data]
• Trade-off: where exactly to split?
– more Esterel more optimization
– more C more predictable compilation process
ECL compilation
Implementationin HW / SW
ECLSpecification
Esterel Code C - code
C functions
non-reactive loops
module calls: get_data (signal IN)reactive statements: await a;concurrency: par await a; par await b;C statements reactive loops
SimulationModel
EsterelCompiler to C
EsterelCompiler to C/FSM
Example : pre-compilationtypedef { byte hdr[HSIZE]; byte data[DSIZE]; int crc; } frame_t;module frame_proc (input byte in, output frame_t out){ signal frame_t frame; signal int bad_crc; byte buf[SIZE]; frame_t f; int crc; par while (1) {/* get bytes into frame */ for (i = 0; i < SIZE; i++) {await (in); buf[i] = in;} create_frame_from_buffer(&f, buf); emit (frame, f); } par while (1) {/* check CRC */ await (frame); for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i]; if (crc != frame.crc) emit (bad_crc); } par while (1) {/* process address (if correct) */ await (frame); abort{ /* … */; emit (out, frame) } when (bad_crc); }}
Non-reactive loop
Reactive loop
Example : post-compilationtypedef { byte hdr[HSIZE]; data[DSIZE]; int crc } frame_t;void crc_compute(int crc, frame_t frame) { for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i]; }/* plus interface functions such as set_buffer_i */
module frame_proc:input in : byte;output out : frame_t;signal frame : frame_t, bad_crc:integer invar buf : frame_t, crc:integer in loop % get bytes into frame trap DONE in cnt := 0; loop {await in; set_buffer_i(buffer, i, in); if (cnt < SIZE) else exit DONE end if;} end loop emit frame(?buffer); end trap; end loop|| loop % check CRC await frame; crc_compute(crc, frame); if (crc != get_frame_crc(frame) then emit bad_crc end if; end loop || etc
Compiled to C
Compiled toEsterel
Reactive loop
Non-reactive loop
ECL Summary• ECL smoothly integrates
– C (standard for embedded software development)– Esterel (concurrency, preemption, FSM semantics)
into a single language and development environment • ECL compiler
– generates Esterel and C for embedded SW implementation– permits (partial) hardware implementation
• Opensource : http://www.sourceforge.net/projects/ecl– Java source code, test/tutorial examples, regression
tests, documentation (html, ps, pdf)• Ongoing work:
– ECL for hardware specification– ECL and Esterel in Metropolis
Implementing Esterel Programs in POLIS
• POLIS: system-level design tool created at UCB• Model of computation:
– GALS via communicating CFSMs– Global: asynchronous
• Events can arrive at any time• Different parts of system compute at different rates• Buffering of events for each module
• Goal : implement Esterel programs in a POLIS system while preserving their semantics
POLIS : a GALS modelGlobally Asynchronous Locally Synchronous
CFSM
Input buffer
CFSM: FSM w/data, support for asynch communication
Input Buffer = presence + value
- A CFSM is runnable when an input comes in-Several inputs may come in before actual run- Presence / absence can be tested for each input- Value can be accessed for present signals-Transition in 0-delay-Inputs are consumed during the run- Output broadcast by the network, with delay- 1-place buffers can be overwritten
CFSM
• Synchronous programs- nice semantics / mathematics- concurrency + deterministic - optimization + verification feasible- limited in scope : compact systems
• CFSM networks- POLIS implementation model- good for hardware / software codesign- formal semantics, but can be wild- semantics purely operational (scheduler)
Examplemodule m1:input a, ONE;output TWO;
loop await case [a and ONE] do emit TWO endend loop
module m2:input a, TWO;output ONE, THREE;[loop await case TWO do emit THREE endend loop]||[loop await case a do emit ONE endend loop]
a = 1m1 -> m2 -> m1 -> m2m2 -> m1 -> m2
await case : wait until at least one case is true
Can we implement synchronous languages on CFSM networks?
• Run large-scale synchronous programs on networks• Maintaining synchronous semantics
• Study classes of “well-behaved” CFSM networks• Study progressive relaxation of synchrony
Previous work : P. Caspi and A. Girault E,. Ledinot et.al., Dassault Aviation
Constructive and not gate as a CFSM - v1
AB
C
input A: boolean, B : boolean;output C : boolean;[ await A; if not ?A then emit C(false) end|| await B; if ?B then emit C(false) end];if ?A and not ?B then emit C(true) end
• Encode facts in CFSM events• Create a logic network of gates representing the Esterel program• Use one CFSM per gate• Create at POLIS network of CFSMs to propagate the facts
POLIS Implementation
Combinational gates -> sequential CFSMsSynchronous cycle -> full network execution
Constructive and not gate as a CFSM - v1
AB
C
input A: boolean, B : boolean;output C : boolean;[ await A; if not ?A then emit C(false) end|| await B; if ?B then emit C(false) end];if ?A and not ?B then emit C(true) end
Problem: C can be emitted twice
signal Caux : combine boolean with and in [ await A; if not ?A then emit Caux(false) end || await B; if ?B then emit Caux(false) end ]; if ?A and not ?B then emit Caux(true) end|| await Caux; emit C(?Caux)end signal
V2 : protecting double emission
Given an input assignment, the network builds a proof
• Each gate buffer is written at most once - no buffer overwriting - bounded time (linear)
• Termination when no more runnable CFSM - #events = #fanins -> constructive - else non-constructive
• Any scheduling gives the right answer!
But works only for one global tick!
Macro-cycles - give synchronous events successively - logical timing by stream ordering
a0 a1 a2 a3 a4 b0 b1 b2 b3 b4 c0 c1 c2 c3 c4
Four basic solutions :
1. Wait long enough (as for circuits)
2. Compute explicit termination signal
3. Let the scheduler report termination
4. Use a flow control protocol
-> pipelining
Flow Control
AB
C
A_Free
B_FreeC_Free
loop signal Caux : combine boolean with and in [ await A; emit A_Free; if not ?A then emit Caux(false) end || await B; emit B_Free; if ?B then emit Caux(false) end ]; if ?A and not ?B then emit Caux(true) end || [ await Caux || await C_Free ] ; emit C(?Caux) end signalend loop
V3 : flow control
A gate resets for next tick when it has received all its input. No additional protocol needed!
A=0 A_FreeC_Free C=0B=1 B_Free loop
A=1 A_FreeC_Free B=0 B_Free C=1 loop
Automatic Gate Reset
Pipelining
Problem : out-of-order data for next cycle
A(0) -> A_FreeC_Free -> C(0)A(1) ->B(1) -> B_Free
3. Tell the scheduler that only arrival of B matters => sensitivity lists
1. Memorize A(1) in the CFSM - heavy!
2. Write back 1 in the A buffer but gate immediately made runnable again!
module AndNot :
% Boolean IOinput A : boolean, B : boolean;output X : boolean;
% Flow control IOoutput A_Free, B_Free;input C_Free;
% Scheduling IOoutput A_Wait, B_Wait;output C_Free_Wait;
loop signal Caux : combine boolean with and in < handle A and B > || < handle C > end signalend loop
[ abort sustain A_Wait when A; emit A_Free; if not ?A then emit Caux(false) end|| abort sustain B_Wait when B; emit B_Free; if ?B then emit Caux(false) end];if ?A and not ?B then emit Caux(true)
[ await Caux|| abort sustain C_Free_Wait when C_Free];emit C(?Caux)
Termination signal
X
Y
I
J
DONE
Too expensiveNon-local
• One can implement a constructive circuit in POLIS by translating each gate into a CFSM
• Therefore, on can implement Esterel by first translating Esterel programs into gates
• Of course, this is inefficient : too fine grain
• But, we did not use compositionality yet!
Using Compositionality
• Any network of gates acts just as a gate• Group gates either synchronously, using v5 algo., or asynchronously, in the network• Adjust grouping according to geographical and performance requirements
Summary
• Constructive logic semantics facts as information quanta• Propagate facts synchronously in CFSM nodes asynchronously in the network• Correct by construction• Applicable to (some) real problems
Recommended