May 22, 2020

Disassemble el_servo.o

So far I have had no luck finding the source to el_servo.o. This may in part be due to losing some data when a hard drive died in my machine (cholla) around 2015 or so. Or perhaps I simply have not looked hard enough or in the right places.

It could be for the best anyway -- it gives yet another good reason not to try to use code generated by real time workshop in the future. My own refusal to have anything to do with such an exercise should put the final nail in that coffin.

And we can learn a fair amount by disassembling el_servo.o. The bulk of this can be ignored. It is compiled from C code generated by real time workshop, which is all but inscrutable even as C source. What we are interested in is the scaffolding which is embedded in this code. I disassemble the file using the command:

objdump386 -d -r el_servo.o > el_servo.dis

This yields 7884 lines of assembly language. (The source file, el_servo.o, is 45292 bytes in size.)

We can examine this and find the code for rt_run() and the call to mmt_mount_connect(), both of which are good starting points. The call to mmt_mount_connect() comes from inside a good-sized routine named rt_main(). The routine rt_main() seems to be called from rt_loop(), which is a small routine. rt_main() is spawned as a VxWorks task by rt_run(), which seems to do little else.

There are a surprising number of calls (7) to semTake, as follows:

One in rt_main()
One in tSubRate()
Five in tBaseRate()

Are these all the same semaphore? Perhaps not. There are 4 calls to semGive in tBaseRate() suggesting that four of the calls are lock/unlock of some resource.

In rt_main() there are two calls to semBCreate(), and a third call later in the routine, just prior to a call to taskSpawn(). This is a surprise, and in fact there are five (count 'em), five calls to taskSpawn().
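
An added example, not part of the original notes: a small Python script that tallies call targets per function from objdump -d -r output, which is one way to produce counts like the semTake, semGive and taskSpawn numbers above. In a relocatable .o file the call operand is only a placeholder, so the script pairs each call with the relocation record printed after it. The sample input is constructed (it is not an excerpt of el_servo.dis), and the names calls_by_function and callers_of are hypothetical.

```python
import re
from collections import Counter, defaultdict

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")          # 00000010 <tBaseRate>:
RELOC_RE = re.compile(r"^\s+[0-9a-f]+: R_\w+\s+(\S+)")   # \t\t\t11: R_386_PC32\tsemTake
ADDEND_RE = re.compile(r"[+-]0x[0-9a-f]+$")              # e.g. "semTake-0x4" on other targets

# Constructed sample shaped like `objdump -d -r` output for an i386 .o file;
# it is not an excerpt of the real el_servo.dis.
SAMPLE = (
    "00000000 <rt_run>:\n"
    "   0:\te8 fc ff ff ff       \tcall   1 <rt_run+0x1>\n"
    "\t\t\t1: R_386_PC32\ttaskSpawn\n"
    "   5:\tc3                   \tret    \n"
    "\n"
    "00000010 <tBaseRate>:\n"
    "  10:\te8 fc ff ff ff       \tcall   11 <tBaseRate+0x1>\n"
    "\t\t\t11: R_386_PC32\tsemTake\n"
    "  15:\ta1 00 00 00 00       \tmov    0x0,%eax\n"
    "\t\t\t16: R_386_32\t.bss\n"
    "  1a:\te8 fc ff ff ff       \tcall   1b <tBaseRate+0xb>\n"
    "\t\t\t1b: R_386_PC32\tsemGive\n"
    "  1f:\te8 fc ff ff ff       \tcall   20 <tBaseRate+0x10>\n"
    "\t\t\t20: R_386_PC32\tsemTake\n"
)

def calls_by_function(disasm):
    """Map each function to a Counter of the external symbols it calls."""
    calls = defaultdict(Counter)
    func, mnemonic = None, ""
    for line in disasm.splitlines():
        if m := FUNC_RE.match(line):
            func, mnemonic = m.group(1), ""
        elif m := RELOC_RE.match(line):
            # In a .o the call operand is a placeholder; the relocation that
            # follows names the real target. Data relocations are skipped.
            if func and mnemonic.startswith("call"):
                calls[func][ADDEND_RE.sub("", m.group(1))] += 1
        else:
            cols = line.split("\t")
            if len(cols) >= 3 and cols[2].split():
                mnemonic = cols[2].split()[0]
    return calls

def callers_of(disasm, symbol):
    """Return {function: count} for every function that calls `symbol`."""
    return {f: c[symbol] for f, c in calls_by_function(disasm).items() if c[symbol]}

if __name__ == "__main__":
    for name in ("semTake", "semGive", "taskSpawn"):
        print(name, callers_of(SAMPLE, name))
```

To use it on a real listing, pass the contents of the .dis file to callers_of() in place of SAMPLE.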

Discovery of rt_main.c

I do a search of my Matlab installation files (for the string "taskSpawn") and find this:

/u1/Mathworks_2007b/rtw/c/tornado/rt_main.c
/u1/Mathworks_2007b/rtw/c/tornado/tornado.tlc

Along with finding the source for the rt_main() routine (provided by Mathworks), this jogs my mind about making a customized version of this that involved my modifying the "tlc" file. The file rt_main.c contains rt_main(), along with quite a number of other routines that are of interest, including tSubRate() and tBaseRate(). No sign of rt_run(), however; that must have been code that I added.

Finding mmt386 (I hit the jackpot)

Given the above path (rtw/c/tornado), I have an idea and I look in /mmt/Mathworks_2009b. And look what shows up:

/mmt/Mathworks/rtw/c/mmt386
/mmt/Mathworks/rtw/c/mmt386/rt_main.c
/mmt/Mathworks/rtw/c/mmt386/mmt386.tmf
/mmt/Mathworks/rtw/c/mmt386/mmt386.tlc

This is my customized version of the "tornado" files noted above. And looking at rt_main.c, I see rt_run(), so I can do a lot better now than poking through the assembly language from the disassembly.

Key things missing now would be the simulink blocks for things like the dac and the encoders that are used in the simulink generated el_servo model.