Tutorial Esterel - Chair of Real-Time Computer Systems

INSTITUTE FOR REAL-TIME COMPUTER SYSTEMS
TECHNISCHE UNIVERSITÄT MÜNCHEN
UNIV.-PROF. DR. SC. S. CHAKRABORTY
Preaktikum Realzeit-Programmierung
Course EI0521/72341
Tutorial Esterel
Authors
Martin Becker and Alejandro Masrur
Tutorial Esterel
Table of Contents
1 Tutorial for Esterel.....................................................................................................................................1/18
1.1 Installation....................................................................................................................................1/18
1.1.1 Prerequisites........................................................................................................................1/18
1.1.2 Installation Hints.................................................................................................................1/18
1.2 Start the development environment..............................................................................................2/18
1.3 Setting up an Esterel project.........................................................................................................3/18
1.4 Developing a program for Pololu 3pi robot..................................................................................3/18
1.5 Build.............................................................................................................................................4/18
1.5.1 Generate C code..................................................................................................................5/18
1.5.2 Build a generic simulation...................................................................................................6/18
1.5.3 Building for the Pololu 3pi..................................................................................................6/18
1.5.4 Building the Pololu 3pi Simulation.....................................................................................6/18
1.6 Running.........................................................................................................................................8/18
1.6.1 Run the Generic Simulation................................................................................................8/18
1.6.2 Running the Pololu Simulation...........................................................................................9/18
1.6.3 Running the robot................................................................................................................9/18
1.7 Model Checking..........................................................................................................................10/18
1.7.1 Steps during verification...................................................................................................10/18
1.7.2 Example.............................................................................................................................12/18
1.8 The Esterel Toolchain.................................................................................................................15/18
1.8.1 The human-readable format..............................................................................................16/18
1.9 Troubleshooting / FAQ...............................................................................................................18/18
1.9.1 Error "unknown main module: xxx".................................................................................18/18
1.9.2 The "Esterel Toolchain" menu is not there.......................................................................18/18
1.9.3 Nothing happens on build/run...........................................................................................18/18
1.9.4 Error during flashing of the robot.....................................................................................18/18
1.9.5 How do I get my data files out of the VM?.......................................................................18/18
i
1 Tutorial for Esterel
This tutorial describes step-by-step how to develop a general Esterel program, and also how to develop a
program for the Pololu 3pi robot (for simulation and for the real target). To get started with the language
Esterel, it is recommended to have a look at:
• the document "Brief Introduction to Esterel" (TUM RCS, October 13, 2010),
• more detailed information from the Esterel Primer
(http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.3.1177&rep=rep1&type=pdf).
1.1 Installation
We provide a virtual machine, which is ready-to-use on the lab computers. However, you may also install
Esterel on your own PC. In that case, read this section in more detail.
1.1.1 Prerequisites
You need:
• Linux system (here: Ubuntu 10),
• Esterel V5.92 compiler
(http://www-sop.inria.fr/esterel.org/files/Html/Downloads/Soft/SoftwareDownloads.htm) or from this
Wiki Esterel V5.92 for Linux.
• For Pololu 3pi:
♦ Simulation:
◊ binutils (gcc, etc.),
◊ libPololuSimulation by TUM RCS M.B.,
◊ openGl installed (freeglut).
♦ Real target:
◊ avr-binuntils (avr-gcc etc.),
◊ avr-dude,
◊ libpololu,
◊ the pololu 3pi robot.
Optional:
• Eclipse,
• Esterel active editor and builder plugin for Eclipse (by TUM RCS M.B.), to allow invoking the
Esterel tools directly from Eclipse and to have syntax checking and highlighting.
1.1.2 Installation Hints
Follow the instruction in the README file within the Esterel distribution. In case of errors during the
installation, use Google to search for a solution...
1.1.2.1 Error "undefined reference to '__ctype_b'" when executing XES
You need to replace the shipped libtk8.2.a with a fixed one. If Esterel is installed in /opt/esterel then:
1/18
Tutorial Esterel
10/25/12 17:01:31
cd /opt/esterel/tcltk/lib
wget http://www.tbrk.org/esterel/libtk8.2.a
mv libtk8.2.a libkt8.2.a.orig
mv libtk8.2.a.1 libtk8.2.a
1.2 Start the development environment
Read this section carefully, or you might loose your data!
From now on the document describes how to use the virtual machine (VM) we provide you.
After logging into the host machine, you find a link on your Desktop called "Start VM".
• Double-click it to boot the VM.
• Booting takes a while. If you are asked to accept an RSA fingerprint answer with "yes" (see below).
• Subsequently you are asked to enter your password again. This is needed to make your home
directory's folder workspace available in the VM as /home/student/workspace (or short
~/workspace)
Inside the VM it is the only place where changes are persistent, everything else is discarded when
the VM is closed!
The output of the VM:
• ...
current username: lab_rtpl_stud10
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)'
can't be established.
RSA key fingerprint is
b2:66:3e:1f:d0:25:ea:01:5a:3d:5c:48:3d:d5:f5:af.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of
known hosts.
Enter your SMB password to connect to lab_rtpl_stud10 s home
directory:
Password: ########
...
• Finally, when the VM has booted successfully, the Ubuntu welcome banner shows up. You will work
with this command line.
Starting SSH shell for working...
Linux RTPLVM 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:54:21
UTC 2011 i686 GNU/Linux
...
Welcome to Ubuntu!
* Documentation: https://help.ubuntu.com/
Last login: Thu Oct 13 13:30:34 2011 from 10.0.x.x
student@RTPLVM:~$
2/18
Tutorial Esterel
10/25/12 17:01:31
• To start a special version of Eclipse, use
rtpl-eclipse&
• Then you will get Eclipse's graphical window. On your Desktop there is also a link called "Tasks",
where you find the documents related to this lab.
Important: Change your Eclipse workspace to /home/student/workspace by selecting „File“ >
„Switch Workspace“ > „Other...“ and changing to this folder. This is the only directory where your changes
are persistent!!!
When you finish using the VM, you may just close the SSH terminal.
1.3 Setting up an Esterel project
• Select "File" > "New" > "Other". Create a general project with "General" -> "Project".
• Give it a name. The project name can be freely chosen, but for the toolchain to work later, the
main module needs to have the same name!
• Add a new folder named "src" to the project.
• In this folder, add a new file with the same name as the project and the extension *.strl. If you are
asked if you want to "Add the XText nature", then answer with "yes".
• Develop your main module. Again, its name must equal the project's name!
• You may also create other modules.
The expected structure can be seen in the screenshot, together with some example code.
Important: Make sure that the project, the file, and the module names are the same (case sensitive, as
shown in the picture)! Also make sure that your *.strl-file is located in the folder "src"!!! Otherwise you will
get errors or even just no outputs from the compiler.
1.4 Developing a program for Pololu 3pi robot
If you want to program the Pololu 3pi robot (simulation or real target), your code must comply with some
interface definitions. That is, your program's name must be RobotEsterel and the defined input and output
signals must match the software interface of Pololu 3 pi shown below:
module RobotEsterel:
% time reference: present every 500 ms for 1 cycle
3/18
Tutorial Esterel
10/25/12 17:01:31
input TAC;
% line under (center) sensor IR2? present=yes
input BLACKLINE, WHITELINE;
% obstacles in front? present=yes
input OBS_LEFT, OBS_MID, OBS_RIGHT;
% number of acoustic beeps [0,10]
output BEEP : integer;
% drive motor speeds [-250,+250]
output RMOTOR: integer, LMOTOR: integer;
% bottom sensors: 0=white ground, >0=darg ground
sensor IR0: integer,
IR1: integer,
IR2: integer,
IR3: integer,
IR4: integer;
% hint for Esterel compiler: these inputs are guaranteed to be
exclusive
relation BLACKLINE # WHITELINE;
% ----% put your code here...
% ----end module
1.5 Build
You may build different programs:
• a generic simulation,
• a Pololu 3pi-specific simulation,
• an executable for Pololu 3pi.
Note: This section describes the build process using Esterel builder plugin for Eclipse (by TUM RCS,
M.B. 2011-2012). You can also do everything manually by invoking the Esterel command line tools "esterel",
"xes" and "xeve".
The build process is done as follows:
1. generate C code from Esterel specification,
2. compile the C code to either,
a. a generic simulation to be executed locally (for any Esterel program),
b. an openGL simulation of the Pololu 3pi robot (only for Esterel programs matching the Pololu
3pi interface),
c. an executable program for the Pololu 3pi robot (only for Esterel programs matching the
Pololu 3pi interface).
4/18
Tutorial Esterel
10/25/12 17:01:31
1.5.1 Generate C code
To build an executable from your Esterel model (Esterel -> C code), proceed as below:
1. make sure the currently opened file is the main source file of your project (*.strl)
2. use the menu "Esterel Toolchain" > "Build Esterel..."
3. on the window that pops up, choose "build".
See the screenshot in the above section "Setting up an Esterel project" to see the menu.
Now, this generates C code from the Esterel specification, if no errors are encountered. Check the Eclipse
console for error messages. The code is generated in a new directory called "gen" (see screenshot below).
5/18
Tutorial Esterel
10/25/12 17:01:31
1.5.2 Build a generic simulation
This works for any Esterel program: You can build a generic simulation from the generated C code, which
you can use to go step-by-step through your program.
To generate C code for the simulation, proceed as follows:
1. make sure the currently opened file is the main source file of your project (*.strl)
2. use the menu "Esterel Toolchain" > "Build Esterel...",
3. On the window that pops up, choose "simbuild".
After a successful code generation, you may find C code representing your Esterel specification, named
"sim_<project name>.c" in the directory "gen/sim/". This code in turn needs to be compiled with gcc (or any
other C compiler) to get an executable. This is described in the following section "Running the generic
simulation".
1.5.3 Building for the Pololu 3pi
You may use the generated C code to build a simulation or a real executable for the Pololu 3pi robot. Make
sure that your Esterel code complies with the above stated interface definitions!
1.5.4 Building the Pololu 3pi Simulation
1. make sure the currently opened file is the main source file of your project (*.strl)
2. Use the menu "Esterel Toolchain" > "Build Esterel...",
3. choose "robot_sim_build",
You get a new directory called "SimulationTarget". In this directory, You will find the executable
"PololuSimulation" of the simulation.
6/18
Tutorial Esterel
10/25/12 17:01:31
1.5.4.1 Building for the Pololu 3pi target
1. make sure the currently opened file is the main source file of your project (*.strl)
2. Use the menu "Esterel Toolchain" > "Build Esterel...",
3. choose "robot_build",
You get a new directory called "AVRTarget", in which a *.hex-file (in "src/main.hex") is located. This is the
actual data/program that is later loaded (flashed) onto the robot.
7/18
Tutorial Esterel
10/25/12 17:01:31
Warning: Check that the build was successful (see screenshot). Also make sure that the memory usage
(see screenshot) is less than 100% for both data and program; otherwise the executable would not fit into flash
and/or RAM memory.
If you have errors like "undefined references", then you probably did not follow the interface specification
mentioned earlier. Make sure you do have exactly the needed input and output signals, and no additional
ones!!!
1.6 Running
1.6.1 Run the Generic Simulation
You now can check your Esterel specification by running the model.
To execute the generic simulation (works with any Esterel program):
1. make sure the currently opened file is the main source file of your project (*.strl)
2. use the menu "Esterel Toolchain" > "Run Esterel...",
3. On the window that pops up, choose "simxes".
This will compile the above generated C code, and hand it over to "xes", the simulation tool of Esterel. The
XES window pops up. There you may use the buttons to step through your program (see screenshot).
With
the button "tick" you proceed to the next time instant. The input buttons on the left are used to assign inputs to
be applied with the next time instant. To understand this better, it might be useful to try some sequences and
record them meanwhile, and then look at the playback.
8/18
Tutorial Esterel
10/25/12 17:01:31
1.6.2 Running the Pololu Simulation
1. make sure the currently opened file is the main source file of your project (*.strl)
2. Use the menu "Esterel Toolchain" > "Run Esterel...",
3. choose "robot_sim_run".
1.6.3 Running the robot
To execute the program on the robot, you need to flash it onto the Pololu 3pi. For the reason that there are
some technical limitations, the flashing of the robot needs to be done outside the virtual machine, i.e., on the
host computer. Do not use the Toolchain menu for flashing, this won't work!
1. make sure the currently opened file is the main source file of your project (*.strl)
2. Connect the USB cable to the robot first,
3. connect the ISP and make sure it is set to "power target" on the PCB.
4. power on the robot,
5. on the host machine, open a new terminal and change to the directory (using command cd) where
your binary file for the robot is located. The binary file is of type *.hex and is usually in your project
folder under AVRTarget/src/main.hex. E.G. If the path to this file in the VM is
/home/rtlstudent/Workspace/Esterel/foo/AVRTarget/src/main.hex, then this
file is located on the host machine under ~/Esterel/foo/AVRTarget/src/main.hex.
6. from there, call rtpl-flash-robot main (without the extension ".hex"!). Now the process of
flashing both flash memory and EEPROM (if '*.eep' exists) is initiated,
Do not remove the cables during the flashing process. Otherwise, you can cause serious
damages to the robot!!!
The flashing process takes some time (1-2 minutes). Make sure that the flash verification went properly. You
should see something like this:
...
9/18
Tutorial Esterel
10/25/12 17:01:31
Writing | ############################
| 56%
22.08sCMD: [4c 11 00 00] [05 4c 11 00]
Writing | #############################
| 57%
22.43sCMD: [4c 11 40 00] [91 4c 11 40]
Writing | #############################
| 58%
22.80sCMD: [4c 11 80 00] [23 4c 11 80]
...
Writing | ################################################## | 100%
40.47s
avrdude: 15370 bytes of flash written
avrdude: verifying flash memory against avr_e_machine/src/e_machine.hex:
...
avrdude: 15370 bytes of flash verified
...
avrdude: safemode: Fuses OK
avrdude done. Thank you.
If flashing was successfully completed, your robot should automatically start the program.
1.7 Model Checking
The verification tool for Esterel is called Xeve. Xeve can be used to formally verify that the program has
certain properties and works on the equations the Esterel compiler produces. These eqiatons implicitly
represent a finite state machine (FSM). The FSM is translated to a binary decision diagram (BDD) and can be
subsequently checked to fulfill certain properties.
Properties in most cases are proven by checking that "their opposite never happens".The Esterel checker
supports two types of checks:
• Check if an output is possibly not emitted: try to refute the property "always emitted" by checking
if there exists a combination of input signals, which cause the signal not to be emitted.
• Check if an output is possibly emitted: try to refute the property "never emitted" by checking if
there exists a combination of input signals, which cause the signal to be emitted.
This checking can be done also with constraints on the input signals, i.e., some input signals may be fixed.
Note: The tool also generates traces for the outputs to verify, i.e., it produces the sequence of inputs,
which prove that an output was emitted, or gives a "bad trace", a counterexample for this. This way the
graphical simulator XES included in the Esterel distribution can be used to "replay" the situation.
1.7.1 Steps during verification
There are these main steps:
1. specify an observer program,
2. translate the Esterel program including observer into Berkely Logical Interchange Format (BLIF),
3. define the checks by stating expected status of outputs, e.g. "emitted or not",
4. run the check,
5. optional replay the resulting trace to check why an output is "(not) possibly emitted".
10/18
Tutorial Esterel
10/25/12 17:01:31
1.7.1.1 Specify an observer program
The properties which the developer wants to prove have to be defined by means of a "synchronous observer
program". This is also an Esterel program, which is made to check the behavior of the program under analysis
(PUA). The observer's inputs are both the inputs and outputs of the PUA; its outputs are - sort of - "OK
signals" for the properties to be proven. The observer is often in the form:
if present(PUA_INPUT1 and PUA_OUTPUT1) then emit PROPERTY_VIOLATED
However, the observer may also be more complex (see also the Esterel V5.92 Xeve manual). Via an observer,
the following 2 categories of properties can be checked:
• Safety: that "something bad never happens", e.g. never "exceed a deadline" or "never emit beep".
• Liveness: that something good eventually (somewhere in the future) happens. For example, "call the
elevator, eventually it WILL come/you will not wait forever".
This observer is then put in parallel (parallel statement "||") with the program under analysis and then
compiled to BLIF format. The resulting program is the program to be loaded and analyzed subsequently with
XEVE.
Note: There exists a commercial application called "TEMPEST", which assists you in writing observers. It
allows specifying the properties by Linear Temporal Logic (LTL) formulae and generates an Esterel observer
program for you.
1.7.1.2 Translating the Esterel program into BLIF
The verification tool takes the Berkely Logical Interchange Format (BLIF) as an input, which can be
generated with the Esterel toolchain. You do not need to take any care of this, as the Eclipse plugin handles
this for you.
1.7.1.3 Define and run checks
All the following steps are taken in XEVE, the graphical frontend for model checking of Esterel programs.
Start XEVE by:
1. make sure the currently opened file is the main source file of your project (*.strl)
2. in Eclipse, use the menu "Esterel Toolchain" > "Check Esterel...",
3. on the window that pops up, choose "checkxeve",
4. the XEVE GUI pops up.
The GUI is described in the following figure (taken from Esterel V5.92 Xeve manual):
11/18
Tutorial Esterel
10/25/12 17:01:31
First, load your BLIF file (or alternatively a *.bddf file saved from XEVE in a previous session):
1. click "File" > "open FSM (blif format)...",
2. select the file *.blif from the project's folder "gen",
3. the inputs and outputs are shown in the respective lists.
To specify a property:
1. select "check outputs",
2. use the buttons below the input and output lists to define input signal constraints and what the outputs
shall be,
3. click on "Apply" to start the check,
4. a window with the result pops up.
1.7.2 Example
The following (temporal) safety property shall now be verified:
• when A is present, C must be output within the next 2 cycles.
Consider the main module representing the program under analysis, which is subject to the checks:
module ABC: % main
input A, B;
output C;
await A || await B;
12/18
Tutorial Esterel
10/25/12 17:01:31
emit C;
.
To check the mentioned property, first write another Esterel module - the synchronous observer - which
implements this check:
module OBS_SAFETY:
% checks the property "emit C within next 2 cycles when A occurs".
% emits "SAFETY_FAIL" if this does not hold true.
input A;
output C, SAFETY_FAIL;
loop
await A;
% wait for A to occur.
trap deadline in
[
await C;
% wait until is present;
exit deadline;
]
||
[
pause; pause;
% 2-tick timeout.
emit SAFETY_FAIL;
]
end trap;
end loop;
.
The observer's output signal "SAFETY_FAIL" is in XEVE (note that it could also have any other name). In
this example, it must be checked for "possible emission", which must not occur. If an emission is possible,
this means this safety property is not satisfied, i.e. the program under analysis failed the check.
Now simply put this observer in parallel (statement "||") with the whole program under analysis:
module ABC: % main
input A, B;
output C;
% observer signals must be in main module
output SAFETY_FAIL;
[
await A || await B;
emit C;
]
||
13/18
Tutorial Esterel
run OBS_SAFETY;
10/25/12 17:01:31
% observer in parallel
.
Note that the newly introduced output signal "SAFETY_FAIL" must be declared here again, because it is the
main module.
Now proceed as described before:
1. start XEVE via the "Esterel Toolchain" menu in Eclipse ("Check Esterel" > "checkxeve"),
2. load your *.blif file,
3. sefine that input signals A and B may be arbitrary (=leave black),
4. define that output signal C is not important (=leave black),
5. define that output signal SAFETY_FAIL shall be checked for "possibly emitted",
6. click "apply".
The result here is obviously that the signal indeed is "possibly emitted". This means that the property "when A
is present, C must be output within the next 2 cycles" does not hold true, because there exists an input
combination where the observer emits "SAFETY_FAIL".
1.7.2.1 Optional replay the resulting trace to check why an output is "(not) possibly emitted"
On the output window, note the label "Path saved in file" and then "SAFETY_FAIL.esi". The generated file
"SAFETY_FAIL.esi" contains a trace proving that SAFETY_FAIL is emitted. It can be loaded and replayed
with Xes:
1. in Eclipse, use the menu "Esterel Toolchain" > "Run Esterel...",
2. select "simxes" and click "OK",
3. XES starts up,
4. in XES, click on "commands" > "recorder",
5. click on the "load" button and from the project's "gen"-folder select your *.esi file,
6. you may now step through the program using the buttons in the recorder window.
14/18
Tutorial Esterel
10/25/12 17:01:31
1.8 The Esterel Toolchain
The complete toolchain is depicted in the following figure.
15/18
Tutorial Esterel
10/25/12 17:01:31
Note: Esterel supports several target languages. The code for them is generated from either sorted (*.scc)
or unsorted boolean circuit definitions (*.sc). The distribution V5.92 comes with generators for C, Berkely
Logic Interchange Format (BLIF) and human-readable equations. There also exist other target language
generators, e.g., for Pascal. The executable esterel (what up to now was referred to as "compiler", but it does
a lot more indeed) chains the shown tools in correct order, such that the requested files are produced (see
dashed arrows). The default invocation chain is depicted by bold arrows in the figure above, i.e., C code
consisting of Boolean equations is the default target language.
1.8.1 The human-readable format
Note that there exists a human-readable format as either a finite state machine/automaton or as boolean
equations. You can generate these with the commands esterel -Adebug for the automaton or
esterel -Ldebug for the equations respectively.
1.8.1.1 Example
Consider this simple Esterel specification:
module ABC:
input A, B;
16/18
Tutorial Esterel
10/25/12 17:01:31
output C;
await A || await B;
emit C;
.
The human-readable equations are
ABC Equations (Debug Format)
1. Memory Allocation
V0: boolean (boolean of signal A)
V1: boolean (boolean of signal B)
2. Actions
2.1 Present signal tests
A1 : V0 (signal A)
A2 : V1 (signal B)
2.2 Output actions
A3 : C
2.3 Assignments
A4 : V0 := false
A5 : V1 := false
3. Equations
3.1 Wires
BIT_TYPE E[6];
3.2 Registers
BIT_TYPE R[3] where:
R[0] : initial value is true
R[1] : initial value is false
R[2] : initial value is false
3.3 Equations
E[0] = (R[2] *
E[1] = (E[0] *
if (E[1]) then
E[2] = (R[1] *
!(R[0]))
(test action A2))
execute action A3
!(R[0]))
17/18
Tutorial Esterel
E[3]
E[4]
E[5]
E[4]
E[3]
E[2]
R[1]
E[0]
R[2]
E[4]
R[0]
=
=
=
=
=
=
=
=
=
=
=
10/25/12 17:01:31
(E[2] * (test action A1))
(R[1] + R[2])
(((E[4] * !(R[1]))) + E[3])
(((E[4] * !(R[2]))) + E[1])
((((E[3] + E[1])) * E[5]))
(E[2] * !((test action A1)))
(R[0] + ((R[1] * E[2])))
(E[0] * !((test action A2)))
(R[0] + ((R[2] * E[0])))
((((R[1] + R[2])) * ((E[5] + R[1]))))
!(true)
3.4 Termination
Program is over when E[4] is false
1.9 Troubleshooting / FAQ
1.9.1 Error "unknown main module: xxx"
There was no module in your Esterel specification, which has the same name as the project. Rename the main
module to the very same name as your project and try again.
1.9.2 The "Esterel Toolchain" menu is not there
It only shows up when an Esterel file is opened (extension *.strl).
1.9.3 Nothing happens on build/run
Make sure your *.strl file is located in the folder 'src' and has the same name as the project. Also check that
there is a module in this file with the same name as the project. Take care of upper/lower case!
1.9.4 Error during flashing of the robot
On error try to re-flash: If the programmer is not found ("broken pipe"), detach the USB programmer from the
PC and re-attach it. If the error persists, contact us.
1.9.5 How do I get my data files out of the VM?
If you did the setup properly, your files are automatically available on the host machine's home directory.
CategoryEsterel
18/18