The classical Infinite Loop statement has the format:

loop Body end loop;

and it forever executes the enclosed Esterel statements. The only restriction is that the Body must not terminate in the same instant that it started; this will cause an instantaneous infinite loop and the compiler will usually flag this as an error. Note that in this form, the loop statement never terminates; whenever an execution of Body terminates, a new execution of Body is started.

The multiple await statement has the form:

await
    case Occurrence₁ do Body₁
    case Occurrence₂ do Body₂
    ...
    case Occurrence_n do Body_n
end await;

This statement is used to wait for any of the n occurrences: Occurrence₁, Occurrence₂, ..., Occurrence_n. If only one of the occurrences, Occurrence_i, is complete in the current instant, then the execution of the corresponding case alternative behavior (given by the body Body_i of Esterel statements) is started and all other awaits are terminated. If more than one occurrence is complete in the current input instant, then the case alternative for the occurrence that textually occurs first is executed and the other occurrences are ignored (that is, the behavior for them not executed). This rule makes the multiple await statement deterministic. This await statement terminates whenever the body Body_i, whose execution was started, terminates.

The statement await Occurrence; waits till the Occurrence is complete and terminates when it happens.

The statement emit Signal-name; is used to broadcast the given output signal given by Signal-name; the emit statement executes instantaneously. That is, the emitted signal is also made available as part of the present instant.

The sequential composition operator ; terminates an Esterel statement and binds two Esterel statements in a sequential order for execution. Note that the semicolon does not denote an empty statement (unlike in C); thus ;; is illegal.

Now that the system behavior is specified as an Esterel program, we shall see how to test these behavioral specifications. Following are some examples of test cases for the above program (which can be performed by compiling and executing the Esterel program):

1. T₁ = ({COIN},{}), ({TEA},{SERVE_TEA})

This test case consists of two instants; expected input and output events are given for each instant. Initially, the user inserts a coin; the system is not expected to produce any reaction to this input event. Then the user presses the TEA button and the system is expected to react by serving tea to him. No other input events are happening during the execution of this test case.

2. T₂ = ({COIN},{}), ({COFFEE}, {SERVE_COFFEE})

This test case is similar to T1 but checks the behavior of the COFFEE subsystem.

3. T₃ = ({COIN},{}),({COIN},{}), ({TEA},{SERVE_TEA}), ({TEA},{SERVE_TEA})

This test case is similar to T1 but checks whether the system "remembers" the number of coins inserted (it does not).

A temperature controller

The temperature within a chamber (perhaps the site of some chemical process) needs to be maintained at a known constant value (C = 250 degrees). We need to specify the behavior of a temperature controller to do this job. Two boilers, B1 and B2, are available to heat the chamber (Figure 4). The temperature of the chamber is regularly provided by a thermometer at every N seconds. As soon as the temperature within the chamber goes below C, boiler B1 should be switched on (unless it is already on). If B1 does not restore the temperature to C within a known constant time interval ΔT = 1 minute, then boiler B2 should be switched on. As soon as the temperature rises above C, each boiler that is on must be switched off.

The temperature controller system just described is specified in Listing 2. TEMP is an integer valued input signal. The input signal SAMPLE_TIME is used to indicate the need to sample the temperature reading; that is, the environment supplies the input signal SAMPLE_TIME whenever it is time to receive the TEMP signal. SAMPLE_TIME is a logical input signal but it can be generated by a clock whenever it is time to see the temperature. Local signals HIGH and LOW indicate whether the current temperature is above or below C. The output signals B1_ON, B1_OFF, B2_ON, and B2_OFF are used to indicate the output actions of the system in switching the boilers on or off.

Listing 2: A temperature controller

module temp_controller :
input                TEMP : integer, SAMPLE_TIME, DELTA_T;
output            B1_ON, B1_OFF, B2_ON, B2_OFF;
relation            SAMPLE_TIME => TEMP;

signal HIGH, LOW in
    every SAMPLE_TIME do
        present TEMP else await TEMP end present;
        if ( ?TEMP >= 250 ) then emit HIGH else emit LOW end if;
        end every;
        ||
        loop
            await LOW;
            emit B1_ON;
            do
                    await HIGH;
                    emit B1_OFF;
        watching DELTA_T
        timeout
                    present HIGH else
                        emit B2_ON;
                        await HIGH;
                        emit B2_OFF;
                    end present;
                    emit B1_OFF;
        end;
    end loop;
end;
.

The relation directive states the master-slave combination of the signals SAMPLE_TIME and TEMP; it states that in any instant where the input signal SAMPLE_TIME is present, the input signal TEMP should also be present. HIGH and LOW are pure local signals and are not available to the environment external to the program.

New constructs

The signal statement is used to declare the local signals used within the module and its sub-modules and parts. This statement has the format:

signal Signal-decl₁, Signal-decl₂, ..., Signal-decl_n in
    Body
end;

The above statement declares n local signals which are available only within the Body and not outside. For pure signals, Signal-decl_i contains only a signal name. For a valued signal, the declaration Signal-decl_i has the form Signal-name_i : Signal-type_i.

The nothing; statement is a null statement that does nothing and terminates instantaneously. In addition, Esterel has the halt; statement, which also does nothing but never terminates. These two statements are surprisingly effective in many situations.

The every statement is the Periodic Restart construct in Esterel. The statement:

every Occurrence do Body end every;

has the following meaning: whenever the Occurrence is complete in the present instant, the execution of Body is started and another wait starts for the completion of the next Occurrence. If the next Occurrence is complete before the execution of Body is completed, the current execution of Body is terminated and a fresh execution of Body is started. The every tick do Body end every; statement allows some actions to be performed at every instant.

The Parallel Composition construct || has the following format:

Body₁ || Body₂ || ... || Body_n

where each Body_i is a group of Esterel instructions. The execution of all the bodies starts at the same instant and continues in parallel. The entire construct terminates only after the execution of each body terminates; the execution of all bodies need not terminate at the same instant.

The present statement is the signal testing construct. The statement:

present Signal-name then Body₁ else Body₂ end present;

has the following meaning. If the signal having the name Signal-name is present in the current instant then start the execution of the statement body Body₁; otherwise, start the execution of the statement body Body₂. The entire statement terminates when the execution of Body₁ or Body₂ terminates (whichever body was started). In the present statement, either the then Body₁ part or the else Body₂ part can be omitted (but not both).

The statement:

present Signal-name else Body₂ end present;

has the following meaning: if the signal having the name Signal-name is present in the current instant then do nothing; otherwise, start the execution of the statement body Body₂. Thus it is equivalent to the statement:

present Signal-name then nothing else Body₂ end present;

Similarly, the statement:

present Signal-name then Body₁ end present;

is equivalent to the statement:

present Signal-name then Body₁ else nothing end present;

If S is a valued signal which is available in the current instant, then the expression ?S returns the value of this signal in the current instant. Thus ? is the signal value extraction operator. ? cannot be used on pure signals. Note that ? is a unary operator. The type of the value returned by the expression ? is the same as the type of signal ?.

Esterel provides the standard if-then-else control statement which has the form:

if boolean-expression then Body₁ else Body₂ end if;

When the control comes to this statement, the boolean-expression is evaluated. If the expression evaluates to true in the current instant then the execution of Body₁ is started; otherwise, the execution of Body₂ is started. In the if-then-else statement, either the then Body₁ part or the else Body₂ part can be omitted (but not both).

The statement:

if boolean-expression else Body₂ end if;

has the following meaning: if the boolean-expression evaluates to true in the current instant then do nothing and pass the control to the following statement; otherwise start the execution of the statement body Body₂. Thus it is equivalent to the statement:

if boolean-expression then nothing else Body₂ end if;

Similarly, the statement:

if boolean-expression then Body₁ end if;

is equivalent to the statement:

if boolean-expression then Body₁ else nothing end if;

The do-watching-timeout is a basic and important temporal statement in Esterel. This statement has the following format:

do
    Body₁
    watching Occurrence
    timeout
        Body₂
end;

The timeout clause is optional. Whenever the control arrives at this statement, it executes as follows:

if the Occurrence is complete in the
    current instant then
        if Body₂ is given then
            start executing Body₂
        else pass control to the following statement
else start executing Body₁.
if Occurrence becomes complete
    before Body₁ has finished then
        immediately abort the execution of
            Body₁
        if Body₂ is given then
            start executing Body₂
    else pass control to the following statement
else Body₁ has finished execution but Occurrence is
not complete yet
    pass control to the following statement

As is clear from the above flowchart, this statement terminates either when Body₁ does or when Body₂ does, provided Occurrence completes before Body₁ has finished its execution. The statement await Occurrence; is equivalent to the statement:

do halt watching Occurrence;

Back to the example

With these new Esterel constructs, we are ready to describe the specification shown in Listing 2. The module consists of two loops which are executing in parallel and which exchange information using local signals HIGH and LOW; let us call them Loop1 and Loop2.

Loop1 keeps waiting for the input signal SAMPLE_TIME. Every instant when this input signal is available, Loop1 also reads the input signal TEMP and emits the local signal HIGH or LOW depending on the value of the input signal TEMP.

Loop2 assumes that, initially, the temperature within the chamber will be less than C. If that is not the case, then it simply waits till the temperature falls below C. When the temperature falls below C (as indicated by the presence of the local signal LOW emitted by Loop1), Loop2 switches on boiler B1 (as indicated by the emission of the output signal B1_ON) and then waits until either the temperature again rises above C (as indicated by the presence of the local signal HIGH emitted by Loop1) or time interval DT elapses (as indicated by the presence of the input signal DELTA_T). This effect is achieved by the do-watching-timeout statement. If HIGH arrives before DELTA_T, boiler B1 is switched off (as indicated by the emission of the output signal B1_OFF). Otherwise, boiler B2 is switched on and when HIGH finally arrives, both B1 and B2 are switched off. The above behavior is forever repeated using the loop statement. Notice how we have used logical clock signals SAMPLE_TIME and DELTA_T.

The specification of the system needs to be tested for a number of typical situations. For each such situation, you can design a test case. Then test the system simulator constructed from Listing 2 using these test cases. Some examples of the test cases are as follows:

1. ({SAMPLE_TIME,TEMP(200)},{B1_ON}), ({SAMPLE_TIME,TEMP(300)},{B1_OFF})

Initially, the temperature is below C, so the system should react by switching on boiler B1. Then the temperature crosses above C, so the system should react by switching off B1.

2. ({SAMPLE_TIME,TEMP(100)},{B1_ON}), ({SAMPLE_TIME,TEMP(150)},{}), ({SAMPLE_TIME,TEMP(300)},{B1_OFF})

Initially, the temperature is below C, so the system should react by switching on boiler B1. Then the temperature is still below C (but the time interval ΔT is not yet finished), so the system should not produce any output. Then the temperature crosses above C, so the system should react by switching off boiler B1.

3. ({SAMPLE_TIME,TEMP(100)},{B1_ON}), ({SAMPLE_TIME,TEMP(200)},{}), ({SAMPLE_TIME,TEMP(220),DELTA_T}, {B2_ON}), ({SAMPLE_TIME,TEMP(300)},{B1_OFF, B2_OFF})

Initially, the temperature is below C, so the system should react by switching on boiler B1. Then the temperature is still below C (but the time interval ΔT is not yet finished), so the system should not produce any output. Then while the temperature is still below C, the time interval ΔT finishes, so the system should react by switching on boiler B2. Then the temperature crosses above C, so the system should react by switching off both B1 and B2.

The following properties of the above system are of interest:

• It should never happen that B1 is OFF and B2 is ON at the same instant.
• It should never happen that a boiler (either B1 or B2) is switched on when it is already on.
• It should never happen that a boiler (either B1 or B2) is switched off when it is already off.