Transcript Synchronous Languages and System Design with Esterel Ellen Sentovich Cadence Berkeley Laboratories

Synchronous Languages
and System Design with Esterel
Ellen Sentovich
Cadence Berkeley Laboratories
Outline
• Context : Reactive Systems
• Principles : Synchronous languages
• Esterel in-depth
– Language, Compilation
– Causality
– Optimization and Verification
• New applications: ECL
• Implementing Esterel on CFSM networks
System Design
• Systems produce a steady sequence of input/output
sequences
• Inconvenient to specify sequences; need models and
languages
• Model
–
–
–
–
Simple and intuitive
Accurate enough model of physical reality
Mathematically efficient
General enough to allow different implementation styles
• Language
– Accurate expression of the model
– Convenient and efficient expression of the design
• Analysis
• Implementation
– compilation to hardware, software
Reactive Systems
signals
signals
control
data
sensors
values
Esterel
Statecharts
Argos
EsterelStudio
Lustre
SCADE
Signal
Applications
• Software and hardware controllers
– process control, embedded systems,datapath control
• Communication Protocols
– software protocols,bus interfaces,cache
coherence
• Drivers
– man-machine interface,systems
drivers,pipeline logic
Concurrency + Determinism
Reactive System Characteristics
• Reactivity
– continually react at a speed determined by the
environment
• Concurrency
– at least between system and environment
• Strict time and reliability requirements
• Deterministic
• Mixed hardware/software implementations
Synchronous Systems
Cycle based
read inputs
compute reaction
produce outputs
Synchronous within the same cycle
at the same time (0-delay)
(must be checked on implementation)
Synchronous control propagation
signal broadcasting
Equivalent FSM implementation
(good analysis techniques)
Synchronous Languages
• Invented for the design of reactive kernels
– not the interactive interface or data management
• Programmer views system as an
instantaneous reactor to events
• Program behavior is completely deterministic
• Attempt to resolve concurrency and nondeterminism (in other models)
Esterel: Background
• Esterel is one of a set of synchronous
languages developed in France:
– Esterel: reactive control
– Lustre, Signal: data flow
– Argos, SyncCharts: graphical
• Esterel development goal: natural
expression of control
– Specific statements to deal with time,
preemption
– Departure from concurrency as interleaving and
rendez-vous to concurrency as instantaneous
propagation of control
Esterel: Background
• Synchronous programming
environment...
– Language:
• For control-dominated, reactive systems
• Constructs for sequencing, concurrency,
preemption
– Compiler:
• Produces sorted Boolean equations
• Causality checking, symbolic debugging,
verification
• Implementation as C-code or digital circuits
Esterel: Basic Principles
• Synchronous hypothesis : instantaneous
communication
• Communication via broadcast signals (event)
– signals, sensors, variables
– pure, valued
– Boolean and arithmetic operators
• Modularity : program = collection of modules
• Concise programs : write things once !!
• Concurrency, sequencing, preemption
• Well-defined semantics
Overview of Syntax
• Signal reading/writing
emit S emit S(value)
present S
then p else q
• Basic control and looping:
halt loop p end
run
module
• Sequencing, concurrency
p ; q p || q
• Preemption
suspend p when S
abort p when S
weak abort when S abort when
immediate S
Syntax : await statement
• Most basic signal control statement
await S
• Equivalent to
abort
loop
halt
end
when S
• Note: “Await” always stops
– consider await S; await S
– versus await immediate S; await
immediate S
Variables and Ordering
• Variable manipulation (local)
V := value
if V=value then p else q
• Variable computations : ordered
V :=
V :=
Y :=
emit
5;
V+1;
V;
S(V)
• Signal emissions (communication) : unordered
Legal: emit S; emit S
Illegal: emit S(3); emit S(5) (nondeterministic)
• Signal computations : ordered
Well-defined: emit S; present S
Undefined: present S then emit S
The ABRO Example
• “Wait until both A and B have occurred,
then output O, unless the reset R
occurs”
R
A
R
B
R
AB/O
B/0
A/O
Number of states is exponential in inputs
The ABRO Example in Esterel
• Wait until both A and B  concurrency
• Unless R  preemption
loop
abort
[await A || await B] ;
emit O
when R
end
Write things ONCE !!
Code size is linear in inputs; efficient circuit
Compilation
• Esterel program  extended finite state
machine
– finite # inputs, deterministic reaction finite
program
– FSM + data computations
• Can be compiled to a single automata EXPENSIVE!!
– exhaustive exploration of set of control states
– Esterel v3
• Can be translated to sorted Boolean
equations
– Esterel v5
• State machine is represented implicitly
Translation to Boolean
Circuits
• Structural translation
• Network of interconnected cells
• Implementation of control:
– control signal runs through the circuit
– boot signal : latch, initially 1, thereafter 0
• Each cell contains
– signal input/output; control input/output
– suspend, kill, resume signals
– return codes (nested preemption)
• One register per halting statement
Translation to Boolean
Circuits
•present S then p else q
control for q
S
control
control for p
control
Causality
• Cycles occur naturally in Esterel specifications
– Cyclic dependency between variables
– Some are harmful, some not
• The Causality Problem is analyzing these cycles and
deciding which to accept
– It is related to analyzing hardware in circuits
– Combinational cycles
• How do we define a causally correct program?
–
–
–
–
We want a unique, comprehensible solution
All present signals must be emitted somewhere
A solution is a set of consistent assignments to all signals
Need to be able to express program in a non-cyclic way
Constructive causality
Harmful Cycles
No Boolean solution (non-reactive),
or several solutions (non-deterministic)
Electrically unstable
Useless !
X
X=X
present X then emit X end
X
X = not X
present X else emit X end
Harmless Cycles
Unique Boolean solution
Electrical stabilization in bounded time
=> behaves as if acyclic
Natural in Esterel programming
Natural in high-level hardware synthesis
Possible exponential saving in space!
X
I
Y
present I then
present X then emit Y end
else
present Y then emit X end
end
I
X
J
Y
X = I and not Y
Y = J and not X
OK unless I = J = 1
Combinational Cycles in Sequential Circuits
1
X
0
Y
The non-constructive state (1,1) is unreachable
=> reachability analysis needed
Naturally occurring harmless cycles:
Operator sharing (S. Malik)
Y = if C then G(F(X)) else F(G(X))
C
1
0
F
C
0
1
X
1
0
C
G
Y
Causality: A Real Example
• Bus arbitration
GrantOut
TokenOut
T
ReqIn
TokenOut
GrantOut
Cell n
ReqIn
TokenIn
GrantIn
TokenOut
GrantOut
AckOut
AckOut
Cell 1
ReqIn
TokenIn
TokenIn
GrantIn
GrantIn
AckOut
Strange Cycles
Unique Boolean solution
But electrically unstable !
=> Electricity =/ Boolean calculus
X=X
Y = X and not Y
X
X=0
X=1?
Y
Want to build a theory with stable solutions.
Also cheaper for compiler
(interpretation possible)
ToBe
Hamlet : ToBe = ToBe or not ToBe
present ToBe then
emit ToBe
else
emit ToBe
end
Constructive Causality in Esterel
Step through program
Analyze what must be done (emit)
what cannot be done (no possible emit)
what can be done
Set a signal present iff it must be emitted
Set a signal absent iff it cannot be emitted
Constructive causality permits interpretation
Executing Constructive Causality
module P1:
input I;
output O;
signal S1, S2 in
present I then emit S1 end
||
present S1 else emit S2 end
||
present S2 then emit O end
end signal
end module
Analogy: constructive circuits
Circuits are Boolean proof builders
0
0
0
0
0
Trace values from inputs to outputs, never
guessing a value
Analysis equivalent to electron flow in a circuit
A causal program is equivalent to an electrically
stable circuit, acyclic circuit
Constructive Boolean Logic
Derive facts from facts
E=0
E and F = 0
F=0
E and F = 0
E=0
not E = 1
E=1 F=1
E and F = 1
E=1
not E = 0
X=E E=b
X=b
Cannot determine E or not E unless E is known!
X = I and not Y
Y = J and not X
(1)
(2)
(3)
(4)
(5)
I=0
J=1
X=0 from (1)
not X=1 from (3)
Y=1 from (2) and (4)
(1)
(2)
(3)
(4)
(5)
I=1
J=0
Y=0 from (2)
not Y=1 from (3)
X=1 from (2) and (4)
No proof of X and Y if I=J=1
Semantic model : Scott’s 3-valued logic
T
B = { , 0, 1}
T
View circuit as fixpoint equation
X = F(X, I)
X=b holds in fixpoint iff provable
Main Theorem
(Shiple Berry from Brzozowski - Seger)
Given a circuit and an input :
X=b provable in CBL (proving facts)
<=>
X=b in the fixpoint (Scott’s view)
<=>
X stabilizes to b for any delay assignment
(circuit view)
Compositionality
Algorithms (Esterel v5)
Interpretation
Input-dependent analysis
linear time
Compilation (Shiple = Malik + Bourdoncle)
Input-independent fixpoint analysis:
Combinational loops are broken
three-valued simulation performed (BDDs)
reachable state computation (BDDs)
Check that all feedback wires are well-defined
Expensive! Interpretation option in Esterel
==> equivalent acyclic version
Interpretation Example
X = I and not Y
Y = J and not X
facts
unknowns
I=0 . J=1
X:2 Y:2
J=1 . X=0
X:1 Y:2
X=0
X:1 Y:1
X:1 Y:0
Y=1
X:1 Y:0
X:0 Y:0
X = I and not Y
Y = J and not X
I=1 . J=1
X:2 Y:2
J=1
X:1 Y:2
X:1 Y:1
Deadlock = proof search stops
Dual-Rail Encoding to Implement
Constructive Analysis
X
{
X set of inputs that set X to 1
X set of inputs that set X to 0
The circuit is constructive for all inputs such
that X or X = 1 for all X
X = I and not Y
Y = J and not X
X = I and Y
X = I or Y
Y = J and X
Y = J or X
3-valued: 01 = 0, 10 = 1, 00 = unknown
X = I and Y
X = I or Y
Y = J and X
Y = J or X
Fixpoint
iteration
for I input
X=0
X=0
Y=0
Y=0
X= 0
X= I
Y=0
Y= J
{
I=I
I = not I
X = I and J
X= I
Y = J and I
Y= J
Need XX = 0, YY = 0; X + X = 1, Y + Y = 1
((I and J) or I) and ((J and I) or J))
not(I and J)
Causality Summary
Constructive Boolean logic characterizes
delay-independent digital circuits
Solves the causality problem for Esterel
Strong user request!
Compositional semantics
Good implementation and decision algorithms
Graphical Symbolic
Debugging
• Xes
Optimization
• Standard logic synthesis techniques can
be applied to generated hardware
• Finite state machine optimization and
analysis
• Esterel state encoding:
– locally group-hot
– efficient implementation
– far more latches than the minimum
• Latch minimization algorithms
– exploit the latch/logic tradeoff
– progressively more powerful algorithms
Latch Optimization
• Replacement of latches with logic
– compute the reachable state set
– compute sets of latches that can be
replaced
• single latch removal : Rl  Rl’= 0
• 2-for-1 removal : Rij  Ri’j’ + Ri’j  Rij’ = 0
L
L1 … Ln-1
0
1
1
1
1
1
Reachable states
Karnaugh map
Latch Optimization
• Generate decoding logic
–single-latch: remove latch
–2-for-1: remove two latches, add logic for
one
• Generate encoding logic
–single-latch: E = Rl (dependent on other
latches)
In
Circuit
Out
L
D
L’
E
Latch Optimization : Exclusive
Sets
• Mutually exclusive latch activity
await s1 || await s2 || await s3
;
await s4 || await s5 || await s6
• Latch corresponds to each wait
• (s1, s2, s3) # (s4, s5, s6)
• Replace 6 latches with 3 plus a
multiplexing latch
Latch Optimization : Results
• Esterel encoding maintains the structure
of the initial program
• single latch removal is always beneficial
• More sophisticated algorithms exploit
latch/logic tradeoff
• Cost functions depend on circuit size,
BDD size
• Typically 2-for-1 is performed until logic
becomes prohibitively expensive
• Verification times are improved
Verification
• Simulation and debugging
• Synchronous observers
– specify an Esterel module to monitor the
system and report errors
– specify an Esterel module to model the
environment
– perform symbolic reachability analysis
• Temporal logic formulas translated to
Esterel modules
– TempEst work at U Texas
The Esterel Toolset
Language + formal semantics
Compiler to hardware or software (Esterel v5)
Automata (explicit FSM)
Boolean circuits (implicit FSM)
Proved correct w.r.t. the semantics
Graphical simulators / debuggers (xes)
Verifier for safety properties
Xeve, TempEst
EsterelStudio : commercial product, including
graphical input, test generation
ECL Project
• ECL for system design
– Done at Cadence Berkeley Laboratories
– Many industrial partners
– Used in one commercial product
• Language & Compilation
• Status
ECL Summary : Language
• ECL = Esterel + C
– ANSI-C plus constructs for reactivity
• signal communication: await(sig); emit(sig, value);
• pre-emption: abort stmt when sig_exp
• concurrency: par stmt; par stmt
– C : standard in embedded software, minimal
learning curve, many good compilers, reactivity
missing
– Esterel : high-level reactive control, rigorous
mathematical semantics (FSM), strong analysis
and optimization tools, limited support for data,
non-reactive loops
ECL Key Features
• Language support for control and data
• Esterel + FSM synthesis technology for
– Efficiency : implicit state FSMs
– Robust analysis and optimization
– Verification
– Implementation HW and/or SW
Example : simple C
for (i = 0; i < SIZE; i++) {
buf [ i ] = In [ i ];
}
create_frame_from_buffer(&f, buf);
Example : add reactivity /
concurrency
par while (1) { /* get bytes into frame */
for (i = 0; i < SIZE; i++) {
await ( IN );
buf [ i ] = IN ;
}
create_frame_from_buffer(&f, buf);
emit (frame, f);
}
par while (1) { /* check CRC */
await (frame);
for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i]
if (crc != frame.crc) emit (bad_crc);
}
Example : complete ECL
module
typedef { byte hdr[HSIZE]; byte data[DSIZE]; int crc; } frame_t;
module frame_proc (input byte in, input frame_t out)
{
signal frame_t frame; signal int bad_crc;
byte buf[SIZE]; frame_t f; int crc;
par while (1) {
/* get bytes into frame */
for (i = 0; i < SIZE; i++) {await (in); buf[i] = in;}
create_frame_from_buffer(&f, buf);
emit_v (frame, f);
}
par while (1) {
/* check CRC */
await (frame);
for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i];
if (crc != frame.crc) emit (bad_crc);
}
par while (1) {
/* process address (if correct) */
await (frame);
do { /* … */; emit (out, frame) } abort (bad_crc);
}
}
ECL compilation
• Split ECL source: Esterel + C (by compiler
capability)
• ECL module compiled to
– FSM (via Esterel) : reactive stmts + some C [Control +]
– C-code residue : functions and non-reactive loops [Data]
• Implementation
– SW (C) or HW (HDL) [Control +]
– C-code residue : SW produced by ECL compiler [Data]
• Trade-off: where exactly to split?
– more Esterel  more optimization
– more C  more predictable compilation process
ECL compilation
module calls: get_data (signal IN)
reactive statements: await a;
concurrency: par await a; par await b;
C statements
reactive loops
ECL
Specification
non-reactive loops
Esterel Code
C - code
Esterel
Compiler to C
Esterel
Compiler to C/FSM
C functions
Simulation
Model
Implementation
in HW / SW
Example : pre-compilation
typedef { byte hdr[HSIZE]; byte data[DSIZE]; int crc; } frame_t;
module frame_proc (input byte in, output frame_t out)
{
signal frame_t frame; signal int bad_crc;
byte buf[SIZE]; frame_t f; int crc;
par while (1) {
/* get bytes into frame */
for (i = 0; i < SIZE; i++) {await (in); buf[i] = in;}
create_frame_from_buffer(&f, buf);
emit (frame, f);
}
par while (1) {
/* check CRC */
await (frame);
for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i];
if (crc != frame.crc) emit (bad_crc);
}
par while (1) {
/* process address (if correct) */
await (frame);
abort{ /* … */; emit (out, frame) } when (bad_crc);
}
}
Reactive loop
Non-reactive loop
Example : post-compilation
typedef { byte hdr[HSIZE]; data[DSIZE]; int crc } frame_t;
void crc_compute(int crc, frame_t frame)
{ for (i = 0; i < HSIZE; i++) crc ^= frame.hdr[i]; }
/* plus interface functions such as set_buffer_i */
module frame_proc:
input in : byte;
output out : frame_t;
signal frame : frame_t, bad_crc:integer in
var buf : frame_t, crc:integer in
loop % get bytes into frame
trap DONE in
cnt := 0;
loop {await in; set_buffer_i(buffer, i, in);
if (cnt < SIZE) else exit DONE end if;} end loop
emit frame(?buffer);
end trap; end loop
||
loop % check CRC
await frame;
crc_compute(crc, frame);
if (crc != get_frame_crc(frame) then emit bad_crc
end if; end loop
||
etc
Compiled to C
Compiled to
Esterel
Reactive loop
Non-reactive loop
ECL Summary
• ECL smoothly integrates
– C (standard for embedded software development)
– Esterel (concurrency, preemption, FSM semantics)
into a single language and development environment
• ECL compiler
– generates Esterel and C for embedded SW
implementation
– permits (partial) hardware implementation
• Opensource :
http://www.sourceforge.net/projects/ecl
– Java source code, test/tutorial examples,
regression tests, documentation (html, ps, pdf)
• Ongoing work:
– ECL for hardware specification
– ECL and Esterel in Metropolis
Implementing Esterel Programs
in POLIS
• POLIS: system-level design tool created at UCB
• Model of computation:
– GALS via communicating CFSMs
– Global: asynchronous
• Events can arrive at any time
• Different parts of system compute at different rates
• Buffering of events for each module
• Goal : implement Esterel programs in a POLIS
system while preserving their semantics
POLIS : a GALS model
Globally Asynchronous Locally Synchronous
CFSM
Input buffer
CFSM: FSM w/data, support for asynch communication
CFSM
Input Buffer = presence + value
- A CFSM is runnable when an input comes in
-Several inputs may come in before actual run
- Presence / absence can be tested for each input
- Value can be accessed for present signals
-Transition in 0-delay
-Inputs are consumed during the run
- Output broadcast by the network, with delay
- 1-place buffers can be overwritten
• Synchronous programs
- nice semantics / mathematics
- concurrency + deterministic
- optimization + verification feasible
- limited in scope : compact systems
• CFSM networks
- POLIS implementation model
- good for hardware / software codesign
- formal semantics, but can be wild
- semantics purely operational (scheduler)
Example
module m1:
input a, ONE;
output TWO;
loop
await
case [a and ONE] do emit TWO
end
end loop
a=1
m1 -> m2 -> m1 -> m2
m2 -> m1 -> m2
module m2:
input a, TWO;
output ONE, THREE;
[loop
await
case TWO do emit THREE
end
end loop]
||
[loop
await
case a do emit ONE
end
end loop]
await case : wait until at least one case is true
Can we implement synchronous languages
on CFSM networks?
• Run large-scale synchronous programs on networks
• Maintaining synchronous semantics
• Study classes of “well-behaved” CFSM networks
• Study progressive relaxation of synchrony
Previous work : P. Caspi and A. Girault
E,. Ledinot et.al., Dassault Aviation
Constructive and not gate as a CFSM - v1
A
B
C
input A: boolean, B : boolean;
output C : boolean;
[
await A;
if not ?A then emit C(false) end
||
await B;
if ?B then emit C(false) end
];
if ?A and not ?B then emit C(true) end
POLIS Implementation
• Encode facts in CFSM events
• Create a logic network of gates representing the
Esterel program
• Use one CFSM per gate
• Create at POLIS network of CFSMs to propagate
the facts
Combinational gates -> sequential CFSMs
Synchronous cycle -> full network execution
Constructive and not gate as a CFSM - v1
A
B
C
input A: boolean, B : boolean;
output C : boolean;
[
await A;
if not ?A then emit C(false) end
||
await B;
if ?B then emit C(false) end
];
if ?A and not ?B then emit C(true) end
Problem: C can be emitted twice
V2 : protecting double emission
signal Caux : combine boolean with and in
[
await A;
if not ?A then emit Caux(false) end
||
await B;
if ?B then emit Caux(false) end
];
if ?A and not ?B then emit Caux(true) end
||
await Caux;
emit C(?Caux)
end signal
Given an input assignment, the network builds a proof
• Each gate buffer is written at most once
- no buffer overwriting
- bounded time (linear)
• Termination when no more runnable CFSM
- #events = #fanins -> constructive
- else non-constructive
• Any scheduling gives the right answer!
But works only for one global tick!
Macro-cycles
- give synchronous events successively
- logical timing by stream ordering
a0 a1
a2
a3
b0
b1 b2 b3
c0 c1
c2
a4
b4
c3
c4
Four basic solutions :
1. Wait long enough (as for circuits)
2. Compute explicit termination signal
3. Let the scheduler report termination
4. Use a flow control protocol
-> pipelining
Flow Control
A_Free
A
B
B_Free
C
C_Free
V3 : flow control
loop
signal Caux : combine boolean with and in
[
await A; emit A_Free;
if not ?A then emit Caux(false) end
||
await B; emit B_Free;
if ?B then emit Caux(false) end
];
if ?A and not ?B then emit Caux(true) end
||
[
await Caux
||
await C_Free
];
emit C(?Caux)
end signal
end loop
Automatic Gate Reset
A gate resets for next tick when it has received all
its input. No additional protocol needed!
A=0
C_Free
B=1
A_Free
C=0
B_Free loop
A=1
C_Free
B=0
A_Free
B_Free C=1 loop
Pipelining
Problem : out-of-order data for next cycle
A(0)
-> A_Free
C_Free -> C(0)
A(1)
->
B(1)
-> B_Free
1. Memorize A(1) in the CFSM - heavy!
2. Write back 1 in the A buffer
but gate immediately made runnable again!
3. Tell the scheduler that only arrival of B matters
=> sensitivity lists
module AndNot :
% Boolean IO
input A : boolean, B : boolean;
output X : boolean;
% Flow control IO
output A_Free, B_Free;
input C_Free;
% Scheduling IO
output A_Wait, B_Wait;
output C_Free_Wait;
loop
signal Caux : combine boolean with and in
< handle A and B >
||
< handle C >
end signal
end loop
[
abort
sustain A_Wait
when A;
emit A_Free;
if not ?A then emit Caux(false) end
||
abort
sustain B_Wait
when B;
emit B_Free;
if ?B then emit Caux(false) end
];
if ?A and not ?B then emit Caux(true)
[
await Caux
||
abort
sustain C_Free_Wait
when C_Free
];
emit C(?Caux)
Termination signal
I
X
J
Y
DONE
Too expensive
Non-local
• One can implement a constructive circuit in POLIS
by translating each gate into a CFSM
• Therefore, on can implement Esterel by first
translating Esterel programs into gates
• Of course, this is inefficient : too fine grain
• But, we did not use compositionality yet!
Using Compositionality
• Any network of gates acts just as a gate
• Group gates either synchronously, using v5 algo.,
or asynchronously, in the network
• Adjust grouping according to geographical
and performance requirements
Summary
• Constructive logic semantics
facts as information quanta
• Propagate facts
synchronously in CFSM nodes
asynchronously in the network
• Correct by construction
• Applicable to (some) real problems