Formal semantics for a subset of VHDL and its use in analysis of the FTPP scoreboard circuit by Bickford, Mark
I NASA Contractor Report 191577
I NASA-CR-191577
19940028228
!
I
II FORMAL SEMANTICS FOR A SUBSET OF VHDL AND
ITS USE IN ANALYSIS OF THE FTPP SCOREBOARD
I! CIRCUIT
!
Mark Bickford
I Odyssey Research Associates, Ithaca, NY
I
,.., -- .. . ;''-:: ..:- . _ _-.,
I , • . ....
Contract NAS1-18972
I _; " JL: : ." ': . " ' ' . • _ , . ".
April, 1994
| -.
!
i National Aeronautics and : _ ,,:,, ....SpaceAdministration ' : :
LangleyResearchCenter .... " _-;:: ' .... '-:--:
I pt " .....Ham on, VA 23681-0001 _.........."_....'L = , ,_, . _ ! .~!t,,l_l
I
https://ntrs.nasa.gov/search.jsp?R=19940028228 2020-06-16T12:06:57+00:00Z
i
I
I
I
I
l
I
!
!
I
I
I
l
I
i
i
I
!
I
!
I 3 1176 01404 4870
!
!
!
i
Formal Semantics For a Subset of VHDL
and its use in analysis of the FTPP Scoreboard
i circuit 1
i Mark Bickford
ORA Inc.,
j, 301A Harris B. Dates DriveIthaca, NY 14850.
!_ April 5, 1994
I
i
I
I
1Prepared for Langley Research Center under Contract NAS1-18972.
!
t
I

IAbstract
In the first part of the report, we give a detailed description of an operational
semantics for a large subset of VHDL, the VHSIC Hardware Description Lan-guage: The semantics is written in the functional language Caliban, similar to
Haskell,:used by the theorem prover Clio. We also describe a translator from
I VHDL into Caliban semantics and give some examples of its use. In the secondpart of the report, we describe our experience in using the VHDL semantics
to try to verify a large VHDL design. We were not able to complete the ver-
ification due to certain complexities of VHDL which we discuss. We propose
a VHDL verification method that addresses the problems we encountered butwhich builds on the operational semantics described in the first part of the
report.
U
I
I
I
I
i
I
I
!
I
I
i
I
i
i
I
i
i
I
I
!!
i Contents1 I roduction 3
1.1 Formal verification of VHDL .................... 4
I 2 The Semantics 7
2.1 Simulation ............................... 7
i 2.2 Names and Expressions ....................... 9
2.3 Simple Values ............................. 11
2.4 Waveforms and Drivers ....................... 14
2.5 Functions on Names ......................... 16
i 2.6 Instances ............................... 177 Signal Values 8
2.7.1 The signal state ....................... 19
i 2.7.2 Advancing the global clock ................. 192.8 Evaluating Expressions ........................ 20
2.8.1 Function meanings . . . : .................. 23
2.9 Functions on Expressions ...................... 23
l 2.10 Processes ......... . ..................... 26. 1 Conditional function updates .................... 8
2.12 Transactions ............................. 30
2.13 Statements .............................. 322.13.1 Signal assignment statement ................ 33
2.13.2 Variable assignment statement ............... 34
I 2.13.3 Wait statement ........................ 34
2.13.4 Null statement ........................ 34
2.13.5 Conditional statement .................... 35
2.13.6 Case statement ........................ 36
2.13.7 Return statement ....................... 36. .8 Exit statem nt ................... . . . . .
2.13.9 ForLoop statement . . . ................... 36
t 2.13.10 Function meanings ...................... 372.13.11 Statement sequences ..................... 38
2.13.12 Process definition ....................... 38
i 2.14 Useful general purpose functions .................. 383 The Translator 39
4 Initial Results 46
I 5 Application to Scoreboard 51
6 Abstraction 52
7 Problems 57
I, 1
!
I
!
8 Proposed Solutions 60 1
9 Conclusions 63 I
|
i
I
List of Figures i
1 VHDL clock .............................. 40 1
2 Translation of VHDL clock ...................... 41 '1
3 An entity with two clocks ....................... 45 !
4 Declaration of a simple VHDL state machine ............ 47 I
5 Body of the VHDL state machine .................. 48
6 The testbed ...................... ........ 49
I
7 VHDL latch .............................. 54
...... t8 Schematic pipeline ........... ................ 58
]
!
]
!
!
i 1 IntroductionFormal verification is a method of validating computer designs and programs by
applying symbolic logic techniques. Hardware verification is formal verification
applied to the validation of hardware designs. To formally verify a design, ones ec fies the design and the requirements that the design is expected to satisfy
in a formal logical notation. Then, one constructs a formal proof that the
design meets the stated requirements. To construct a proof, one needs to use asystem for symbolic manipulation, such as•a theorem prover, that manipulates
expressions belonging to the logic used in the specifications.
The advantage of formal verification over traditional validation methods,
t such as simulation and testing, is that formal verification is equivalent to totaltest coverage for the verified property. When one constructs a formal proof of
a property, the property is shown to hold for all permissible inputs and initial
• conditions of a design. Of course, there is no guarantee that the requirements
a specification with respect to which the design is verified is what one wants.
But, formal verification brings potential errors in a design into sharper focus by
i subjecting the design to more intense scrutiny than is possible in simulation.The process of formal verification is, in general, labor intensive. But, there arecertain application domains, such as digital hardware, where recent experience
[9, 6, 5] suggests that the technology is applicable to industry-scale designs, and
I certain application areas, such as safety-critical and mission-critical systems,where the advantages of formal verification outweigh its cost.
NASA Langley Research Center has recently initiated a concerted effort [4]
t involving several organizations, including ORA Corporation, to study the use of, formal verification as a possible validation technology for fault-tolerant digital
flight-control systems in an application area that requires ultra-high reliability
and availability. The first step in this effort was concerned with demonstrating
the application of formal verification to key design problems in this area. Someof the significant case studies that were completed as part of the first step
are formal verification of a clock synchronization algorithm framework [8], an
I interactive consistency algorithm [1], and a Byzantine-resilient microprocessorsystem [11].
One of the goals of the second step of the NASA effort is to explore the in-
tegration of formal methods into the design and verification of key components
of current fault-tolerant architectui'es being built in the aerospace industry.
Toward this goal, ORA is currently teamed with Charles Stark Draper Lab-
oratory (CSDL), which is one of the organizations in the forefront of building
I fault-tolerant systems for safety-critical applications. As part of a NASA/Army-sponsored project, called Army Fault-Tolerant Architecture (AFTA), CSDL is
developing the Fault-Tolerant Parallel Processor (FTPP). One of ORA's current
I tasks is to formally specify and verify a key component, called Scoreboard, ofFTPP. The Scoreboard is part of the FTPP virtual bus that guarantees reliable
communication between processors in the presence of physical faults in the sys-
I
!
• !
tem. The virtual bus design is based on a conservative fault model, called the i
Byzantine fault model, in which a faulty component can exhibit arbitrary and |
malicious behavior. The Scoreboard implements a piece of control logic that
approves and validates a message before it can be transmitted. The verification
of the Scoreboard is being performed in phases, i
Since the detailed design of the Scoreboard was still evolving at the time tN
we started Phase 1, our main objective then was to lay the foundation for the
verification effort. We did this by formally specifying and verifying a simplified I
Scoreboard design as reported in [12]. The Scoreboard was subsequently fully I
designed and built (at Draper Labs) using VHDL to specify the design. VHDL
is the VHSIC (Very High Speed Integrated Circuit) Hardware Description Lan-
guage, which is an IEEE standard and is mandated for application-specific hard- $
ware developed for the USAF. We were to continue the formal verification of the
Scoreboard, this time verifying the actual design built at Draper Labs. Because
the design was written in VHDL we focused our effort in Phase 2 on the formal i
verification of VHDL designs. m
1.1 Formal verification of VHDL ,in
I!In order to integrate formal methods into the design process, a common lan-
guage for designs that can be the interface to formal verification tools as well
as to CAD tools such as synthesis tools, is of the utmost importance. While,
from the formal methods perspective, VHDL may not be the ideal language in n
which to describe designs, because of its complexity, it is nevertheless becoming
a standard and several other formal methods practitioners are working with l_t
VHDL [13, 14]. Therefore, we decided to develop a general method for verifying $
designs expressed in VHDL and apply the method to the Scoreboard design.
Since a version of the Scoreboard design had already been verified, the general
methods we developed for VHDL and our experience in applying them to the i
Scoreboard, are of more importance than the fact that this particular VHDL n
design is correct.
Any formal, theorem-prover based, verification method for a language such O
as VHDL involves the definition of a semantics for the modeled language in !1
the language of the theorem prover (Clio [2] in our case). Requirements are
then written directly in the language of the prover, or a suitable requirements fm
language can be interpreted into the language of the prover. We call the state- l
ment that a particular design entity meets a particular requirement a judgement.
Then any judgement becomes an assertion, in the language of the prover, that
the semantics of the entity satisfies the given requirement. The developer of i
a verification method must therefore choose the kind of formal semantics with U
whichto model the design language, the kind of requirements that will sup-
ported, and then build up enough of the theory of the semantic domain to I
support the proofs of the judgements. II
In choosing the kind of formal semantics with which to model the entities,
/
!
!i one of main choices we had to make was between an operational semantics and•logic-based Semantics. In the operational approach, the meaning of a entity is
given by its behavior, and its behavior is given by defining appropriate notions
of the state and the state transition function (or state transition relation if
I the semantics is not deterministic). A run is then defined to be a sequenceof states, where each state is related to the previous state by the transition
function (or relation), and requirements can be stated as assertions about runs.
i A judgement is then the assertion that any run of the given entity satisfies thegiven requirement. In the logic-based semantics, a s t of axioms and inf renc
rules for judgements is given directly. Then the meaning of a particular entity
i is just the set of judgments about it which can be proved using the given rules.We chose to write an operational semantics for VHDL for several reasons.First, since VHDL is a deterministic language, and the language of our prover,
Clio, is based on functional programming, it was very natural to write a se-
mantics using a transition function. Second, in order to use the logic-basedapproach, the set of judgements for whi h proof rules must be given must be
known. This means that the requirements language must be explicitly given.
The VHDL designs consist of sets of concurrent processes, and creating a lan-guage that can express all the requirements on such sets that we might want
to verify is an active research area. In the operational approach, the runs of a
design can be defined within the system, and any predicate on runs that can be
I stated in the language of the prover can be used as a requirement. To be sure,stating requirements in this way requires more expertise, and therefore we will
want to create a higher level requirements language that can be interpreted into
I these predicates on runs, but this task can be done after we have experience. in using the semantics, so that we know what kinds o requirements we want
to write. Third, once an operational semantics is written, we can still use the
logic-based approach by proving the desired inference rules as "meta-theorems"
I about the semantics.Once the semantic domain has been defined, we may assign meanings to
each language construct. There then arises the question of whether these mean-
I ing assignment functions should themselves be defined within the logic of thetheorem-prover or be e coded, external to the theorem-prover, into a tool which
interprets the design language (VHDL) into its formal semantics. The terms
i deep embedding and shallow embedding are introduced in the paper by Gor-don et.al. [3] to refer to these two alternatives. In order to define the meaning
functions in the logic of the theorem-prover, the abstract syntax of the design
language must be embedded as an abstract data type in the logic of the prover.
I Then the meaning functions can be defined as functions from this data typeintothe semantic domain. This approach is knownas making a deep embedding, and
has the advantage that "meta-theorems" about the meaning functions can be
i proved within the system, since the meaning functions themselves are definedin the system. The second approach, writing an interpreter from the design
language into its formal semantics, is known as making a shallow embedding.
!
!
I
It has the advantage that it can be implemented efficiently using tools such as
yaee, and it avoids the overhead of defining the syntax of the design language |
within the formal logic. Using the shallow embedding, a judgement about par-
.ticular design is translated into an assertion in the logic of the prover. We may
not directly state meta-theorems about all judgements, however rewrite-rules
about the semantic functions can be proved which can have the same effect.
Since our effort in this project was to be modest (less than one staff-year), and
since we planned to verify a particular design (the Scoreboard), we chose to /
make a shallow embedding, which we implemented using yacc. However, as the |
work progressed, we found it desirable to add some of the features of a deep
embedding to our model. Thus the final semantics may be seen as something
intermediate between a shallow and a deep embedding. _/
In the first part of this report (sections 2- 4), we describe the semantie II
domains for the operational semantics of VHDL as defined in the language
(Caliban) of our prover, Clio. We also describe the translation process from !
VHDL texts into this semantics and initial results using the semantics on simple I!
examples.
In the second part of the report (sections 5- 8) we describe our experience t
in applying this method to the Scoreboard design. Here we cannot claim to |have been successful. Our original plan was to use our VHDL semantics to map
the behavior of the Scoreboard design onto the more abstract behavior that
was used to verify the simplified Scoreboard design in phase I of our work. We
hoped that this step could be made semi-automatic, so that the behavior of Ii
any design in the synchronous, clocked style of the Scoreboard design could be
mapped automatically to a more abstract behavior at the level of our previous, •
successful verification of the Scoreboard. This abstraction would amount to re- |
placing VHDL's complex notion of explicit time, with a more abstract notion of
consecutive clock cycles. Although the initial results seemed promising, we were
unable to get the desired semi-automatic mapping to work on the Scoreboard "_
design. We therefore give an analysis of why our approach was not successful.
In particular we pinpoint those parts of the VHDL operational model that cause
the level of complexity that we were unable to overcome. In the light of this I
analysis, we can formulate a method of reasoning about VHDL designs that we ,,|
feel would have succeeded in verifying the Scoreboard, but which we could not
implement in this phase of the project. /m
The proposed solution to the problems we encountered involves moving from |
the operational approach to a more logic-based approach, which, in hindsight,
seems to invalidate the choices we made in creating our VHDL semantics. How-
ever, the current semantics will provide the basis for the proposed future se- '_
mantics, and thus much of the current effort can be reused. Also, without the
experience gained in this effort, the essential problems that must be addressed
would not have been uncovered. Our approach to VHDL modeling was a natural
one that would likely be followed by other formal methods practitioners. Thus, |
the pitfalls we encountered and our proposed solutions should be important to
!
!
t
I!l other efforts of this kind as well as to our own future work.
2 The Semantics
I In this section we describe in detail the semantic domains and
associated defi-
nitions for our operational semantics of VHDL. We give this amount of detail
(and full annotations in English) because we hope that other formal methods
i practitioners who would like to try this method or a similar one will be able tointerpret our definitions into the logic of their system easily. We assume that
the reader has some familiarity with VHDL, but we motivate our semantics by
I giving examples from VHDL and informal descriptions of VHDL concepts so/ that a reader with limited familiarity with VHDL should be able to follow the
discussion. We also assume some familiarity with functional programming lan-
guages since our definitions are written in Caliban which is a language similar to
Haskell. Here again, we give some hints to help the reader decipher
Miranda or
Caliban expressions which may be unfamiliar.
2.1 Simulation
We start with the top level module of definitions, in which STATEand Simulate
are defined, in order to give the basic structure of our semantics. In the following
I work in through the supporting definitions. After
sections, we a bottom-up way
reading those sections, the reader may want to reread this section.
To give an operational semantics we must define appropriate notions of
I STATE and state transition function. The semantics of VHDL is based onthe idea of simulation. The simulation advances through a sequence of states
called simulation cycles. Thus if we take the state transition function to be the
I function, Simulate, that gives the state of the next simulation cycle as a functionof the current state, then a simulation is the same as our notion of a run.
The STATE consists of three things:
i 1. An assignment of values to the set of signals and variables.
• 2. A set of waiting processes.
i 3. A list of times at which events are scheduled.' In Caliban:
IDa. type STATE = <<SIGSTATE, I'PR0CESS], [TIME'I>>| The values assigned to signals are complicated because in VHDL we may
assign waveforms to signals, so the value of a signal must contain information
I about future times, and we may ask how long a signal has been stable, so thevalue must also contain information about past times. We will give the details
of the SIGSTATE later, but the basic form is:
!
type SIGSTATE = NAME->NAMEVAL •|• Here NAME is a type that includes the atomic signals and variables as well as
aggregates. The type NAMEVAL includes simple values as well as the complex
signal values. We record the changes to a SIGSTATE as a list of updates or trans-
actions. Each update changes one NAME,NAMEVAL pair in the SIGSTATE. I
We call a single such update a SIGSTATE-ITEM. tim
Now, a VHDL simulation cycle proceeds as follows. The global clock is ad-
vanced to the next time at which an event is scheduled (this can be an increment
of zero), then all waiting processes are checked to see whether they will be active |
in this cycle. Each process that becomes active will execute until it suspends.
The result of executing a process is a triple containing a list of updates (trans- i!
actions) to the SIGSTATE, a new waiting process (its continuation), and a list |
of times at which the new transactions are scheduled. If the process does not
become active then its result will contain no transactions and its continuation
will be itself. The results of all the processes are combined into a triple con- -_
taining the list of all new transactions, all the new waiting processes, and all l
the new transaction times. Then the new state is obtained by updating the old
signal state with the new transactions, replacing the 01d set of waiting process _[
by the new set, and merging the new transaction times with the old. J
To read the following Caliban definitions, note that double angle brackets
construct tuples, [] is the empty list, ++ is the list append operator, the defini- am
tions of FOLDR, MAP, and MERGE are standard (see section 2.14), and that •
_update is a built-in operation that updates a function with a list of changes. • mm
Simulate :: STATE->STATE ira
Simulate S = ONE_CYCLE (START_CYCLES) I
ONE_CYCLE <<S,Q,T>> = FINISH S T (DO_PROCS S Q) i
FINISHS T <<SI,PS,TS>>= <<__updateS SI,PS,MERGETS T>> J
type RESULT = <<[SIGSTATE_ITEM],[PROCESS],[TIME]>>
DO_PROCS::SIGSTATE->[PROCESS]->RESULT |
DO_PROCS S Q = ZIP3 (MAP (DO_PROC S) O)
ZIP3 = FOLDR APPEND3 <<[],[],[]>> :i
APPEND3 <<AI,A2,A3>> <<BI,B2,B3>> = <<AI++BI,A2++B2,MERGEA3 B3>> J
We start the cycle by advancing the clock to the next time on the global list
and decrementing the remainder of the list. -_
START_CYCLE<<S,Q,[]>>= <<S,[] , []>>
'n
START_CYCLE<<S,Q,(T:REST)>>= <<ADVANCET S, Q ,DECRT REST>> i|DECR T = MAP (\X-> X $- T)
i
I
I
2.2 Names and ExpressionsThe SIGSTATE is a function fr m NAMEs to NAMEVALs. Abstractly, the only
names that must be assigned values by the SIGSTATE are the atomic signals
and variables. However, since the grammar for VHDL includes such things as
I function and array applications, selections, ports
record and generics as names,
the translation is smoother if we include these in semantic domain of NAMEs.
This is an example of where our embedding,by including some of the abstract
m syntax of VHDL, is intermediate between a shallow and a deep embedding.Now in the VHDL for the Scoreboard we enc unter:
type vlbit_Id is array(Natural range <>) of vlbit;
N architecture voter of voter is
° , .
signal cmemO: vlbit_Id(7 downto 0);
m ,, ,end voter;
This declares a SIGNALNAME "cmem0" of an array type indexed by 7 ...0.
Since there be than one instance of the entity "voter" in a given
may more
design, every signal name has an instance name as well as a local name. The
instance name is a list of strings such as
l ["boardl","voVerl"]
This identifies the instance "voterl" inside the instance "boardl". Every signal
t is uniquely identified by its instance name, local name, and type. The first twoproductions in the following Caliban data type create names for all the ignals
and variables in the state. Note that, in Caliban, strings are lists of characters,
hence [CHAR]. The other names are used for record and array selections and for
I kinds of which do not need to be declared, and also a special name
other names
to hold the value of the global clock.
j NAME::=SIGNALNAME[[CHAR]][CHAR]TYPEVARIABLENAME [[CHAR]][CHAR]TYPE
FIELDNAME [CHAR]TYPE
PORTNAME[CHAR], GENNAME[CHAR]SELECT NAMENAME
INDEX NAME NAT
i FUNCAPPLYFUNCTIONEXPRESSIONARRAYA PLYNAMEEXPRESSION
CONSTANTVALUE
m ATTRIBUTEOF [CHAR] NAMEGLOBALCLOCK
FUNCRETURNTYPE
m
!
!
!
I LOOPINDEX [CHAR]
I ILLEGAL [CHAR] |
FUNCTION ::= FUNCNAME [CHAR] I
The TYPE of a name merely distinguishes atomic names from names of
aggregates, and in the case of aggregates, allows us to find the set of atomic
names which make up the aggregate. I
IITYPE ::= RECORD [NAME]
I ARRAY [NAT] TYPE Z_
] ARRAY_UNCONSTRAINED TYPE m
i ATOMIC "
ADD_CONSTRAINT L (ARRAY_UNCONSTRAINED T) = ARRAY L T
• |
NAME_KIND ::= SIG_KIND I VAR_KIND
We also introduce here the type of expressions. They are built up from lil
names and constants by applying the predefined unary and binary operators |
and by the formation of aggregates.
EXPRESSION::=BINARYEXPRESSIONOPERATOREXPRESSION Ill
I UNARYUNARYDPEXPRESSION •
I AGGREGATEEXP[EXPRESSION]
I EXPNAMENAME
I EXPCONSTANT VALUE U
I
OPERATOR ::= ANDOP I OROP I XOROP I NOROP I NANDOP
I EOUALOP I NOTEOUALOP
I LESSOP I LEqOP I GREATEROP I GEqOP !
I PLUSOP I MINUSOP I AMPEKOP
I TIMESOP I DIVIDEOP I MODOP I REMOP i
I
UNARYOP ::= NOTOP I ABSOP I UPLUSOP I UMINUSOP I
waveform to a signal. A waveform is a list ofIn VHDL, assignwe may a
time-value pairs, so an expression for a waveform is, abstractly, a list of time- "II
expression,value-expressions pairs. Also waveform expressions may be condi-
tional as in: Ix <= y afterIns whenz=l elseu afterfins;
Therefore we define:
WAVEFOKM_EXP::=WFEXP[<<EXPRESSION,EXPRESSION>>] I
ICONDWFEXPRESSIONWAVEFORM_EXPWAVEFORM_EXP
1o |
!
I
!
i 2.3 Simple ValuesThe signals have a complex value that includes information about past and
future times, but variables have simple values. The union type VALUE includes
I all the data types defined by the user but also starts with booleans, bits, andnatural numbers. There is a special UNINITIALIZED value and lists of values
may be grouped into aggregate values.
i VALUE ::= UNINITIALIZEDI boolVAL BOOL
J bitVAL bit
l , natVAL NAT
[ AGGREGATE[VALUE]
I+
! In Caliban, the notation:
I VALUE ::= I+
means thatmore productionscan be added inlaterdeclarations.We use this
feature to allow our translator to add more kinds of values to the type VALUE
I when type declarations are seen.
The type, bit, is modeled as a seven value lattice because that is the bit type
used by the Synopsis synthesis tools that were used by Draper labs. Our current
i translator does not allow us to redeclare data types in VHDL. If it did, thenthe bit type could start with just 0 and 1, and then the Synopsis bit package
could redefine bit as the seven value type.
i bit ::= bitO [ bitl [ bitX [ bitZ I bitW [ bitL [ bitH
I We have not defined the operations on bits. The following axioms imply thathowever bitAND,bitOR,etc are defined on bits, they must be definiteness pre-
serving. (In Clio, the double exclamation mark means "is completely defined"
i which technically means that no constructor is applied to "bottom".)bitAND,bitOR,bitNAND,bitNOR,bitXOR :: bit->bit->bit
AXIOM (X)(Y) '!!(bitAND X Y) C='True', '!!X • !!Y' = 'True'
I AXIOM (X)(Y) '!!(bitOR X Y)C='True', '!!X _ !!y, = 'True'IOM )(Y) !(bitXORX Y)'='True ,' !X& !Y' = 'True'
AXIOM (X)(Y) '!!(bitNOR X Y)'='True', '!!X & !!Y' = 'True'
AXIOM(X)(Y)'!!(bitNANDX Y)'='True','!!X_ !!Y'= 'True'I
In VHDL, the bits are named by characters.
!
I
CHARTOBIT JO_ = bitVAL bitO
CHARTOBIT 'I' = bitVAL bitl |CHARTOBIT 'X_ = bitVAL bitX
CHARTOBIT 'Z' = bitVAL bitZ
CHARTOBIT 'W_ = bitVAL bitW
CHARTOBIT 'L' = bitVAL bitL .INN
CHARTOBIT 'H' = bitVAL bitH
The operations AND, OR, XOR, NOR, NAND, and NOT are overloaded M
on bits, bools, and aggregates. Any other use would be a type error so we give |
arbitrary well defined default values to those cases.
AND (boolYALX)(boolVALY) = boolYAL(X_ Y) •
AND (bitVALX)(bitVALY) = bitVAL(bitANDX Y) I
AND (AGGREGATEX)(AGGREGATEY) = AGGREGATE(MAPOPANDX Y)
ANDX Y = boolVAL(False) •iOR (boolVALX)(boolVALY) = boolVAL(X[Y)
OR (bitVALX)(bitVALY) = bitVAL(bitORX Y)
OR (AGGREGATE X)(AGGREGATE Y) = AGGREGATE(MAPOP OR X Y) l
OR X Y = b0olVAL(False) u
XOR (boolVALX)(boolVALY) = boolVAL(XxorY) l
XOR (bitVAL X)(bitVAL Y) = bitVAL(bitXOR X Y) |
XOR (AGGREGATEX)(AGGREGATEY)= AGGREGATE(MAPOPXORX Y)
X0R X Y = boolVAL(False)
,!NOR (boolVALX)(boolVALY) = boolVAL('(X(Y))
NOR (bitVAL X)(bitVAL Y) = bitVAL(bitNOR X Y)
NOR (AGGREGATE X)(AGGREGATE Y) = AGGREGATE(MAPOP NOR X Y) m
NOR x Y = boolVAL(False) i
NAND (boolVAL X)(boolVAL Y) = boolVAL('(X & Y))
NAND (bitVAL X)(bitVAL Y) = bitVAL(bitNAND X Y) |
NAND (AGGREGATE X)(AGGREGATE Y) = AGGREGATE(MAPDP NAND X Y)
NAND X Y = boolVAL(False)
,!
NOT (boolVAL X) = boolgAL('X)
NOT (bitVAL bitO) = bitVAL bitl
NOT (bitVAL bit1) = bitVAL bitO ,IN
NOT (AGGREGATEX) = AGGREGATE(MAPNOTX)
NOT X = boolVAL(False)
Since Clio has a built-in type NAT of natural numbers, we have used them ,m
to model the integers in VHDL. These definitions should be changed to use
'gin
!
!
Im INTEGER instead of NAT, but we haven't needed to make the change sincethe Scoreboard design does not use negative integers.
PLUS(natVALX)(natVALY) = natVAL(X#+ Y)
I PLUSX Y = natVAL(#O)
MINUS(natVALX)(natVALY) = natVAL(X#-Y)
MINUSX Y = natVAL(#O)
m TIMES(natVALX)(natVALY) = natVAL(X#* Y)
TIMESX Y = natVAL(#O)
,I DIVIDE(natVALX)(natVALZero)= natVAL(Zero)
DIVIDE(natVALX)(natVALY) = natVAL(X#/Y)
DIVIDEX Y = natVAL(#O)! HOD (natVALX)(natVALY) = natVAL(X#_ Y)
MODX Y = natVAL(#O)
I REM (natVALX)(natVALZero)= natVAL(Zero)
REM (natVALX)(natVALY) = natVAL(X#/Y)
I REM X Y = natVAL(#0)To defineUMINUSand ABScorrectly,weneed INTEGER ratherthan NAT.
I UHINUSX = natVAL(#O)ABSX = natVAL(#O)
EQUALX Y = boolVAL(X= Y)
m LESS(natVALx) (natVALY) = boolVAL(X< Y)
LESSX Y = boolVAL(False)
I LEq (natVALX) (natVALY) = boolVAL(X<=Y)
LEQX Y = boolVAL(False)
i GEQ (natVALX) (natVALY) = boolVAL(X>= Y)GEQX Y = b0olVAL(False)
I GREATER(natVALX) (natVALY) = boolVAL(X> Y)X Y = boolVAL(False)
i CONCAT(AGGREGATEX) (AGGREGATEY) = AGGREGATE(X++ Y)CONCAT X (AGGREGATEY) = AGGREGATE(IX]++ Y)
CONCAT (AGGREGATEX) Y = AGGREGATE(X++ [Y])
!
I
!
CONCAT X Y = AGGREGATE [X ,Y] i|KTRUE X = True
2.4 Waveforms and Drivers I
As mentioned earlier, a waveform is a list of time-value pairs. The time compo-
nents of a waveform will always be in increasing order. A single time-value pair is m
a WAVEFORM-ELEMENT and we may increment or decrement its time com- !ponent. What we are calling a WAVEFORM-ELEMENT is sometimes called
a transaction in VHDL terminology, but we are using the word transaction for
different notion. I
type WAVEFORM = [WAVEFORM_ELEMENT]
type TIME = NAT
typeWAVEFORM_ELEMENT= <<TIME,VALUE>> '/I
TIMEOF <<t,v>> = t
WE_PLUS T <<TM,VAL>> = <<TM #+ T, VAL>> i
WE_MINUS T <<TM,VAL>> = <<TM #- T, VAL>> |
The complex signal value includes information about future times. This is
because a signal assignment statement assigns a waveform to a signal. Also, in i
a VHDL design several entities may assign waveforms to the same signal, for II
example, several entities may write to a bus. The entity that is assigning to
the signal will be identified by its INSTANCE-NAME. Therefore we define a IIR
DRIVER to be essentially a record containing an INSTANCE-NAME, a WAVE- !!
FORM, and for convenience, a current VALUE.
DRIVER ::= DE INSTANCE_NAME VALUE WAVEFORM _
WAVEFORMOF (DR i v w) = w . |
DRIVERVAL (DE i v w) = v
Now, when we advance the global clock at the beginning of a simulation cy- i
cle, the time components of all waveforms in the state are decremented. When !
the time component of a WAVEFORM-ELEMENT becomes Zero, then that
driver is active, and the value component of the WAVEFORM-ELEMENT be- _11
comes the value of the driver. A list of drivers is active if one or more of the I
drivers on the list is active.
DVR_MINUS T (DR ID V WF) = DR ID V (MAP (WE_MINUS T) WF) I
D
ADVANCE_DRIVER (DR i v (<<Zero,w>>:wf))= DR i w wf
......... ADVANCE_DRIVER dvr.=.dvr......... i
JDRIVER_ACTIVE (DR i v (<<Zero,w>>:wf))= True
!
m. - .
I DRIVER_ACTIVE dvr = False
DRIVERS_ACTIVE [] = False
DRIVERS_ACTIVE (dvr:more) =
I (DRIVER_ACTIVE dvr) I (DRIVERS_ACTIVEmore)
When several entity instances are driving a signal, then the signal value
will contain several drivers, one for each instance. In that case the current
i value of the signal will be computed using a resolution function which we willdiscuss later. When, on the other hand, the same entity insta ce makes more
than one assignment to a signal, the later assignments may "cancel" .some of
I the WAVEFORM-ELEMENTs of the earlier assignments. Which of them getcancelled depends on whether the signal assignme t has inertial r transport
delay.
The function MERGE-DRIVER is used to provide a meaning to a signal
"1 assignment. It takes the DELAY-KIND, the current list of drivers, and theII
additional driver being assigned, and it returns the resulting list of drivers. The
instance name of the additional driver is compared with that of each driver on
the current list. If it differs from all of them, then the additional driver is merelyappended to the list. If it is the same as one of the current drivers, then the addi-
tional waveform is combined with the current waveform by ADD-WAVEFORM
I which implements the rules for "cancelling" WAVEFORM-ELEMENTs (trans-actions) according to the kind of delay_ Note that the current value, v2, of the
driver being merged is always ignored.
I MERGE_DRIVER:: DELAY_KIND->[DRIVER]->DRIVER->[DRIVER]DELAY_KIND ::= INERTIAL I TRANSPORT
MERGE_DRIVER knd [] dvr = [dvr]
I MERGE_DRIVER knd ((DR il vl wfl):more) (DR il v2 wf2) =(DR il vl (ADD_WAVEFORM knd wfl wf2)):more
MERGE_DRIVER knd ((DR il vl wfl):more) (DR i2 v2 w_2) =
I (DR il vl wfl):(MERGE_DRIVER knd more (DR i2 v2 wf2))To add the new waveform, wf2, to the existing waveform, wf, we consider
the time, t, and value, v, of the first element in wf2, and the delay kind. We first
I create waveform wfl by "cancelling" all elements of wf that have times greaterthan or equal to t. Since the elements of the waveform are kept in increasing
order of time, this amounts to removing the tail of the list, wf, starting at the
t first element with time component greater than or equal to t. If the delay istransport then we merely append the new waveform to wfl. If the delay is
inertial then we must also cancel any element of wfl with a value that differs
from v, or which has a time earlier than some element that is cancelled because
I of this.
ADD_WAVEFORM :: DELAY_KIND->WAVEFORM->WAVEFORM->WAVEFDRM
!|
ADD_WAVEFORM knd wf [] = wf
ADD_WAVEFORM TRANSPORT wf (<<t,v>>:wf2) = \|(CANCELt wf) ++ (<<t,v>>:wf2)
•ADD_WAVEFORHINERTIAL..f(<<t,v>>:.f2)=
(INERTIAL_CANCEL v (CANCEL t .f)) ++ (<<t,v>>:.f2) I
'ml
CANCELt []= []
CANCELt.(<<t2,v2>>:wf)= (t2 >= t)->[];<<t2,v2>>: CANCELt wf Q
INEKTIAL_CANCEL v [] = []
INERTIAL_CANCELv (<<t,v>>:rest)=
((INERTIAL_CANCEL v rest) = rest)-> <<t,v>>:rest; I
INERTIAL_CANCEL v rest U
INERTIAL_CANCEL v (<<t,w>>:rest) = INERTIAL_CANCEL v rest
!2.5 Functions on Names
The NAMEs can be partioned into two classes, those NAMEs that are signals /
will have values that have drivers. The names that are variables have plain |
values.
KINDOF (SIGNALNAME X Y Z) = SIG_KIND i
KINDOF (VAKIABLENAME X Y Z) = VAK_KIND J
KINDDF (SELECT NI N2) = KINDOF NI
KINDOF (INDEX N1N2) = KINDOF N1 i
KINDOF (ARRAYAPPLY NI E) = KINDOF NI |KINDOF GLOBALCLOCK = SIG_KIND
KINDOF N = VAK_KIND
• !Given a NAME we can find its TYPE.
TYPEOF (CONSTANT V) = ATOMIC
TYPEOF (ATTKIBUTEOF A N) = ATOMIC •
TYPEOF (SIGNALNAME INST NM T) = T I
TYPEOF (VAKIABLENAME INST NM T) = T
TYPEOF (FIELDNAME id T) = T
TYPEOF (SELECT NI N2) = TYPEOF N2 |
TYPEOF (INDEX NI N2) = ARRAYTYPEOF (TYPEOF N1)
TYPEOF GLOBALCLOCK = ATOMIC
TYPEOF (FUNCRETURN T) = T |TYPEOF (LOOPINDEX N) = ATOMIC
ARRAYTYPEOF (ARRAY L T) = T
Given a NAME and its TYPE, we can formthe list of SUBNAMES whose !
values formthe aggregate value.
!
!
!!
k SUBNAMES N ATOMIC = IN]SUBNAMES N (RECORD L) = MAP (SELECT N) L
SUBNAMES N (ARRAY L T) = MAP (INDEX N) L
subnames N (ARRAY_UNCONSTRAINEDT) = bottom
Given a NAME we can find its INSTANCE-NAME
INSTANCE_NAMEOF (SIGNALNAME INST NM T) = INST
i INSTANCE_NAMEOF (VARIABLENAME INST NM T) = INST' STANCE_NAMEOFSELECTN1N2)= INSTANCE_ AMEOFN1
INSTANCE_NAMEOF (INDEX NI N2) = INSTANCE_NAMEOF Ni
I INSTANCE_NAMEOF (ARRAYAPPLY N1 E) = INSTANCE_NAMEOF N1INSTANCE_NAMEOF (ATTRIBUTEOF A NI) = INSTANCE_NAMEOF N1
INSTANCE_NAMEOF N = []
I 2.6 Instances
The following statement creates an instance of the entity "voter" with the
generic "active" mapped to bit '1' and the ports "pl" and "p2" mapped tonames "x" and "y". The label "A" will be used to give signals and v riable in
this instance unique identifiers.
I A voter ( active=> 'I')generic mapport map (pl => x, p2 => y )
i In our semantics, the INSTANCE records the information contained in a
component instantiation statement such as the above. It contains enough infor-
mation so that the meaning of an arbitrary flame can be resolved. For example,
I in the above example, suppose that the name "x" had been declared a portof entity "scoreboard" and that the component instantiation statement labeled
"A" is part of the architecture of "scoreboard". Suppose the top level "testbed"
entity contained the following signal declaration and component instantiationstatement:
signal clock : bit;
I B: scoreboard port map (x => clock) ;
Then when evaluating an expression in the body of "voter" that contains the
name "pl", we must resolve the name "pl" to the signal to which it is mapped.We give the Caliban definition of the type INSTANCE, and then continue the
example.
I INSTANCE ::= TOP I Inst [CHAR] PORTMAP GENMAP INSTANCEtype PORTMAP= [<<[CHAR],NAME>>]
type GENMAP = [<<[CHAR],VALUE>>]
I 17
!
i!
|
Now, in our example the "testbed" instance is TOP. The instance for the com-
ponent instantiation statement labeled "B" is: |
I1 = (Inst "B" [<<"x",clock>>] [] TOP)
where clock : (SIGNALNAME [""] "clock" ATOMIC) j
x = PORTNAME "x"
and the instance for the component instantiation statement labeled "A" is:
I2 = (Inst "A" [<<"pl",x>>.<<"p2",y>>][<<"active",'l'>>] I1), !
Each instance contains its label, its port and generic maps and it parent instance.
Now, given instance 12 and the portname "pl", we resolve the name using the I
portmap, and find the portname, x. This is resolved, recursively, using the !
parent instance, I1 to the signal, clock.
Given an instance we can pull out the list of names which uniquely identify
the instance. ,|
typeINSTANCE_NAME= [[CHARJ]
INST_NAME::INSTANCE->INSTANCE_NAME •
INST_NAME TOP = [] I
INST_NAME (Inst n p g i) = (INST_NAME i)++[n]
For example INST_NAMEI2 = ["B","A"]. I
When a generic is declared it can be assigned a default value. The translator !
creates from these declarations the definition of the function DEFAULT-VALUE.
Then by updating the default function with the generic map from an instance,
we may look up the current value of a generic. a
DEFAULT_VALUE:: [CHAR]->VALUE
GEN_LOOKUP::GENMAP->[CHAR3->VALUE l
GEN_LOOKUP L X = _update DEFAULT_VALUE L X 'I
2.7 Signal Values ,I
As mentioned earlier, there are two kinds of values that a name can have. The
names that refer to variables have simple values. The names that refer to signals
have complex values containing information about the past and future times, i
The complex SigVal contains:
1. the time since last active _t
J2. the time since last event
3. the current value ....... I
g
4. a list of drivers
I
!
!
i The "time since last active" is updated whenever there is any assignment to thename, even when the current value does not change. The "time since last event"
is updated only _vhen the value of the name changes. Using this information
about the past, we can evaluate the attributes x'stable, x'event, x'active
I of a name x.
NAMEVAL ::= SigYal TIME TIME VALUE [DRIVER]
[ VarVal VALUE
I" VALOF (SigVal tl t2 v w_) = v
VALOF (VarVal v ) = v
I EVENTOF (SigVal tl t2 v wf) = boolVAL (t2 = Zero)Var v) = boolVAL False
STABLEOF (SigYal tl t2 v wf) = natVAL t2
I STABLEOF(VarValv) = natVhLZero
2.7.1 The signalstate
A SIGSTATE assigns values to the names (signals and variables). The initialSIGSTA E, STARTSIG, is a function that a signs the UNINITIALIZED value
to all name, and an empty list of drivers to all signals.
I type SIGSTATE = NAHE->NAMEVAL_ITEM = <<BOOL,NAME,NAMEVAL>>
I STAKTSIG :: SIGSTATESTAKTSIG n {KINDOF n = SIG_KIND} = SigVal #0 #0 UNINITIALIZED []
STARTSIG n {KINDOF n = YAK_KIND} = VarVal UNINITIALIZED
A SIGSTATE is meant to map names that are signals to SigVals and namesthat are variables to VarVals. We define a predicate that is true of such
SIGSTATEs.
I PROPER 's' := (name)
'IS_SigVal (s name)'=tKINDOF name = SIG_KIND'
'IS_VarVal (s name)'='KINDOF name = VAK_KIND'
I 2.7.2 Advancing the global clock
Here we define functions which advance the global clock and update the current
i values of the signals. When the global clock advances by a non-zero amount,we decrease the time components of all waveforms in drivers and increase the
times in the "time since last event" and "time since last active" components.
I Then we do a b-transition. A, di-transition does not advance the clock, but if thetime component of any waveform in a driver is zero, then its value becomes the
current value of the driver. Then the current value of the signal is computed
! " "
!
I
!
from the current values of its drivers. If there is more than one driver for a signal
this involves resolution. Assigned to each signal is a commutative-associative i
resolution function. (The default is always undefined.) U
Resolve :: NAME->VALUE->VALUE->VALUE m
(S)(X)(Y) 'Resolve S X Y' = 'Resolve S Y X' iAXIOM
AXIOM (S) (X) (Y) (Z) i
'Resolve S X (Resolve S Y Z)'='Resolve S (Resolve S X Y) Z'
If there is more than one driver for a signal then its resolution function is applied i
to the list of current values of its drivers.
We start with the function ADVANCE, which advances the signal-state, S,
by T units of time. This is done by advancing the signal-value for each signal, _l
SIG. The function ADVANCE-NAMEVAL does this, and it is provided with the II
resolution function, (Resolve SIG), assigned to SIG, which is used when there
are multiple drivers of SIG. 111
ADVANCE::TIME->SIGSTATE->SIGSTATE I
ADVANCE T S SIG = ADVANCE_NAMEVALT (Resolve SIG) (S SIG)
To advance a signal-value, we adjust all the times by T units, and then I
perform a DELTA, which computes new values for signals with active drivers. II
ADVANCE_NAMEVAL T F (VarVal Y ) = VarVal V
ADVANCE_NAMEVAL Zero F SV = DELTA F SV
ADVANCE_NAMEVAL T F (SigVal TMI TM2 V DVRS) = '!
DELTA F
(SigVal (TMI #+ T) (TM2 #+ T) V (MAP (DVR_MINUS T) DVRS)) iiTo do a DELTA transition on a signal-value, we check whether any of its
drivers are active, and if so advance all the active drivers, and (if there's more
than one driver) resolve their values to get the new value, newv. Then we update
the last-active to Zero, and adjust the last-event if the value has changed. !
DELTAf (SigValtl t2v dvrs){DRIVERS_ACTIVEdvrs}=
SigVal Zero lastevt newv newdvrs i
where newdvrs = MAP ADVANCE_DRIVER dvrs m
newv = doResolve _ (MAP DRIVERVAL newdvrs)
lastevt = (v=newv)->t2;Zero
IDELTA f sv = sv
doResolve f [a] = a
doResolve f (a:b:more) = doResolve f ((f a b):more) Iqmm
2.8 Evaluating Expressions
IExpressions are built up from names and constants using the predefined opera-
tors and aggregates. Given an instance we can resolve all the names to atomic
|
I
!
!
signals and variables. Given a signal-state we can find the current value of the
I and variables. Thus, given an instance and a signal-state, weatomic signals
may evaluate an expression. The definition of OPERATORMEANING is given
in section 2.9.
I EVAL INST SS (BINARY el op e2) =
OPERATORMEANING op (EVAL INST SS el )(EVAL INST SS e2 )
EVAL INST SS (UNARY op el) =
i UOPEKATOKMEANING (EVAL INST SS el)
op
EVAL INST SS (AGGREGATEEXP L) =
AGGREGATE(MAP (EVAL INST SS ) L)
EVAL INST SS (EXPNAME n) = CURRENT INST SS nEVALINST SS (EXPCONSTANT v) = v
ISTRUE.e INST S = ((EVAL INST S e) = (boolVAL True))
I To find the current value of a name given the instance and state, we first
use the instance (and state) to find the real name, which is a name in which
I references to port connections and generic values have been resolved using theinstance. Also "local" names are made absolute by adding the instance name.
The value of the real name then depends only on the current state.
i. CURRENT INST SS N = CURRENTVAL SS (REALNAME INST SS N)
The current value of an ATOMIC name is read directly from the signal
state. Otherwise the aggregate value is formed from the current values of the
i subnames.
CURRENTVALSS (CONSTANTV) = V
i CUKKENTVAL SS (ATTRIBUTEOF A N) = ATTRIBUTEVAL ASS NCURRENTVAL SS N {TYPEDF N = ATOMIC} = VALDF (SS N)
CURRENTVAL SS N =
AGGREGATE (MAP (CURRENTVAL SS) (SUBNAMES N (TYPEOF N)))
I SUBNAMES N ATOMIC = IN]
SUBNAMES N (RECORD L) = MAP (SELECT N) L
i SUBNAMES N (ARRAYL T) = MAP .(INDEXN) LSUBNAMES N (ARRAY_UNCONSTRAINEDT) = bottom
The meanings of signal attributes are defined below. We haven't defined all
B attributes that predefined in VHDL. These were all that were needed in
the are
Scoreboard.
I ATTRIBUTEVAL "event,".SS N = EVENTOF (SS N)ATTRIBUTEVAL "stable" SS N = STABLEDF (SS N)
ATTRIBUTEVAL"left"SS N = LEFTOFN
!
!
!
ATTRIBUTEVAL "length" SS N = LENGTHOF N
iLEFTOF (SIGNALNAMEX N (ARRAYL T)) = natVAL (hd L)
LEFTOF (VARIABLENAMEX N (AKRAYL T)) = natVAL (hd L)
LENGTHOF(SIGNALNAMEX N (ARRAYL T)) = natVAL (## L)
LENGTHOF(VAKIABLENAMEX N (ARRAYL T)) = natVAL (## L) |
As described earlier, the KEALNAME replaces relative names by absolute
and resolves re_rences to ports and generics. It also evaluates expres- •names,
sions that occur in names (in function applications and array applications).
REALNAMEINSTSS (SIGNALNAMEX N T) =
SIGNALNAME((INST_NAMEINST)++X)N T J
REALNAMEINST SS (VARIABLENAMEX N T) =
VARIABLENAME((INST_NAMEINST)++X)N T
INST SS (SELECTN1N2) = SELECT(REALNANEINST SS NI) N2 IEEALNAME
KEALNAMEINST SS (INDEXNI N2) = INDEX (REALNAMEINST SS NI) N2 g
REALNAMEINST SS (POETNAMEid) = PORTCONNECTINST (POETNAMEid)
KEALNAMEINST SS (GENNAMEid) = CONSTANT(GENVALINST id) i
REALNAMEINST SS (ARRAYAPPLYN E) = II
INDEX (KEALNAMEINST SS N) (natVALOF(EVALINST SS E))
REALNAMEINSTSS (ATTRIBUTEOFA N ) = il
ATTKIBUTEOFA (KEALNAMEINSTSS N) l
REALNAMEINST SS (FUNCAPPLYf E) = mw
CONSTANT(FUNCMEANINGf (EVALINST SS E))
REALNAMEINSTSS N = N I
I
To findoutwhata portisconnectedto,we needonlytheINSTANCE. The
connection cannot depend on the state, e.g. a port cannot be connected to i
A(x) where x is an expression containing variables. When we resolve such a |
connection we check that the expression x is state-independent. The definition
of state-independent is given in section 2.9. A port can only be connected
to certain names, namely: signals of its parent, ports of its parent, and to
components of array or record aggregates of its parent. Any other connection I!
will resolve to ILLEGAL.
POKTCONNECT(InstId Pt Gn Parent)(POKTNAMEX) = I
PORTCONNECTParent (_updatePOETNAMEPt X) I
PORTCONNECTTOP (PORTNAMEX) = ILLEGALX
POKTCONNECTINST (SIGNALNAME[] N T) =
SIGNALNAME(INST_NAMEINST)N T II
PORTCONNECTINST (VARIABLENAME[] N T) =
.....VARIABLENAME(INST_NAMEINST)N T
POKTCONNECTINST (ARRAYAPPLYN E) {STATE_INDEPENDENTE} = |
INDEX (PORTCONNECTINST N) (natVALOF(EVALINST bottomE))
,!
!
!
PORTCONNECTINST (SELECT N1 N2) = SELECT (PORTCONNECTINST Hi) N2
I PORTCONNECT INST N = ILLEGAL °°PORT°'
i GENVALTOPN =-UNINITIALIZED(InstIdPt GnParent)N = GEN_LOOKUPGnN
Waveform expressions were built up from lists of
I time-expression, value-expression pairs using conditionals. They are evaluatedto waveforms using the instance and state as follows:
I WAVEFORM_EVAL :: NAVEFORM'EXP -> INSTANCE-> SIGSTATE-> NAVEFORMWAVEFORM_EVAL (WFEXP wf) INST s = MAP (WF_ELEM_EVAL INST s) wf
WAVEFORM_EVAL (CONDWF e wfl wf2 ) INST s =
(ISTRUE e INST s)->(WAVEFORM_EVAL wfl INST s);
i (WAVEFORM_EVAL wf2 INST s)NF_ELEM_EVALINST s <<el,e2>>=
<<natVALOF(EVALINST s el),(EVALINST s e2)>>
I 2.8.1 Function meanings
In the definition of REALNAME, a name which is a function application is
i evaluated by evaluating its arguments and then applying whatever functionis boun to the f nction name. Thi binding should come from an environ-
ment, so that EVAL would need an instance, a state, and an environment.
i But our current translator does not allow functions to be declared locally.All functions are declared globally. Therefore the translator defines a global
function, FUNCMEANING, which assigns a meaning to each function name.
The meaning is a function from values to values. A function of several argu-
I ments is thought of as taking a single, aggregate, value as its argument. Thus,FUNCMEANING, acts as a global environment. We do not support procedures,
but they should not be difficult to add to the semantics. The Scoreboard design
does not use procedures.FUNCMEANING::FUNCTION->VALUE->VALUE
I 2.9 Functions on Expressions
The predefined operators are mapped to their meanings which were previously
I defined on VALUEs.OPERATORME NING ANDOP = AND
OPERATORMEANING OROP = OR
I OPERATORMEANING'XOROP = ,XOR.OPERATORMEANING NOROP = NOR
OPERATORMEANING NANDOP = NAND
!
!
!
OPERATORMEANING PLUSOP = PLUS
OPERATORMEANING MINUSOP = MINUS
OPERATORMEANING TIMESOP = TIMES
OPERATORMEANING DIVIDEOP = DIVIDE
OPERATORMEANING MODOP = MOD
UOPERATORMEANING REMOP = REM
0PERATORMEANING EQUALOP = EQUAL
OPERATORMEANING NOTEQUALOP X Y = NOT (EQUAL X Y) |OPERATORMEANING GEQOP = GEQ
OPERATORMEANING LEQOP = LEQ
OPERATORMEANING LESSOP = LESS
OPERATORMEANING GREATEROP = GREATER
IOPERATORMEANING AMPEROP = CDNCAT
•UOPERATORMEANING NOTOP = NOT |UOPERATORMEANING UMINUSOP = UMINUS
UDPERATORMEANING UPLUSDP = I
UOPERATORMEANING ABSOP = ABS i
Some handy abbreviations. I
EXPTRUE = EXPCONSTANT (boolVAL True)
EXPFALSE= EXPCONSTANT(boolVALFalse) if
EXPZER0= EXPCONSTANT(natVALZero) i
EXPPLUSX Y = BINARYX PLUSOPY
EXPGEQX Y = BINARYX GEq0PY
EXPEQUALX Y = BINARYX EQUALOPY i
ATTRIBUTEEXP art n = EXPNAME (ATTRIBUTEOF art n)
There is a special name, GLOBALCLOCK, which cannot be assigned to. There-
fore it will remain stable Horn the initial simulation cycle on. Its attribute, II
"stable", will therefore measure the elapsed time on the global clock. We ab-
breviate this as CLOCK.
I!CLOCK = EXPNAME(ATTRIBUTEOF"stable"GLOBALCLOCK)
When we combine expressions using OR or AND, we can check forsome II
simple reductions. |
EXPOR (EXPCONSTANT (boolVAL False)) Y = Y
EXPOR X (EXPCONSTANT (boolVAL False)) = X
EXPOR (EXPCONSTANT (boolVAL True)) Y = EXPTRUE l
EXPOR X (EXPCONSTANT (boolVAL True)) = EXPTRUE
EXPOR X Y = BINARY X DROP Y ..
IIEXPAND(EXPCONSTANT(boolVALFalse))Y = EXPFALSE
,!
!
!
!
EXPAND X (EXPCONSTANT (boolVAL False)) = EXPFALSE
i EXPAND (EXPCONSTANT (boolVAL True)) Y = YEXPAND X (EXPCONSTANT (boolVAL True)) = X
EXPAND X Y = BINARY X ANDOP Y
i When we know that a name represents a constant, we can get
then its value.
CONSTNAMEVAL (CONSTANT v) = v
The value of an expression that represents a constant, possibly dependingon the values of the generics, does not depend on the current state. These are
the only expressions that can occur in the names of connections to ports.
i STATE_INDEPENDENT(BINARYel op e2)=
(STATE_INDEPENDENT el ) _ (STATE_INDEPENDENT e2 )
STATE_INDEPENDENT (UNARY op el) = (STATE_INDEPENDENT el )
i STATE_INDEPENDENT(AGGREGATEEXPL) = ALLTRUESTATE_INDEPENDENTLSTATE_INDEPENDENT (EXPNAME (GENNAME id)) = True
STATE_INDEPENDENT (EXPNAME (FUNCAPPLY f E)) = STATE_INDEPENDENT E
i STATE_INDEPENDENT (EXPCDNSTANT v) = TrueSTATE_INDEPENDENT E = False
Sometimes we need a list of all names mentioned in an expression. In par-
I ticular, a signal assignment statement like:
x <= yl • y2 • y3;
will be translated into a process that is waiting on an event on any of the namesm
I yl,y2,y3 which are mentioned.
NAMES(BINARYelop e2)= (NAMESel)++ (NAMESe2)
l NAMES(UNARYop el)= NAMESelAGG EGATEEXPL) = FOLDR(++)[] (MAPNAMESL)
NAMES (EXPNAME n) = [n]
I NAMES(EXPCONSTANTv) = [](EXPEVENT e) is an expression that evaluates to true in any state in which
one of the names mentioned in expression e has an event. (EXPTRUEEVENTe)
I is an expression that evaluates to true in any state in which one of the namesmentioned in expression e ha an event and e ev luates to true. This is used to
translate a wait statement like:
m wait until clock = 'I';
NAMESEVENT N =
FOLDREXPOREXPFALSE(MAP(ATTRIBUTEEXP"event,)N)
i EXPEVENTe = NAMESEVENT(NAMES
e)
EXPTRUEEVENT e = EXPAND (EXPEVENT e) e
!
!
!
To get an expression which is true when E equals one of the things on a list Ill
of CHOICEs, we use: ,Im l
CHOICE ::= OTHERS I CHOOSEEXPRESSION
CHOICEEXPE [] = EXPFALSE i
CHOICEEXPE (OTHERS:REST) = EXPTRUE !1CHOICEEXPE ((CHOOSE A) :REST) =
EXPOR(EXPEQUALE A) (CHOICEEXPE REST)
al
We can convert a waveform expression into an expression that is true when !
any signal mentioned in the waveform expression has an event.
WFEVENT(WFEXPL) = FOLDK EXPOREXPFALSE (HAP WF_ELEH_EVENTL) I
WFEVENT(CONDWFe wfl wf2) = II
EXPOR (EXPEVENTe) (EXPOR (WFEVENTwfl) (WFEVENTwf2))
WF_ELEH_EVENT<<t,v>> = EXPEVENTv j
gA GENMAP is a list of name-value pairs. If we have a list of name-expression
pairs, where each expressions is a constant, we can convert.
MAKE_GENMAP L = MAP F L I
where F <<HI,N2>> = <<NI.CONSTNAMEVAL N2>>
2.10 Processes I
A VHDL design is a collection of instances of entities. Each entity is a collection
of processes. Thus the process is the basic actor in our semantics. The process
is what changes the state by updating the variables and adding waveforms to |
the signal drivers.
In any simulation cycle, a set of processes are wailing. If the condition a
is waiting on is true in that simulation cycle, it becomes active. The •process
body of a process is a list of sequential statements. When a process becomes U
active, its body is executed. This generates state changes of two kinds. Changes
to the variables are immediate. Changes to the signal drivers will not affect the
values of signals at least until the next simulation cycle. When the process B
suspends, the result is that there is a new process waiting (which may be the
original process, or some other process). The new process is the continuation of _lm
the process. Thus the result of executing a process is three things: |
I. a list of changes to the variables
2. a list of scheduled changes to the signals .I
3. a new process
A single change to a variable can be represented as a single update to the I
SIGSTATE. We have already defined a type for such single updates, called
!
!
!
SIGSTATE-ITEM. A single scheduled change to a signal we call a TRANSAC-
I TION (see section 2.12). Thus, if we executing a process
callthe result of an
ACTION-RESULT, we can make the following definition:
I type ACTION_RESULT= <<[,SIGSTATE_ITEM],[-TRANSACTION],PROCESS>>Now, the result of executing a process depends, of course, on the values
of expressions in the body. Hence, it depends on the instance and signal-state.
I These are tile only things the result depends on, so we can say that the meaningof a proc ss b dy is a function from instance and signal-state to result.
type PROCESS_ACTION= INSTANCE->SIGSTATE->ACTION_RESULT
I Now a single process is completely characterized by:
1. the condition it is waiting on
I 2. the meaning of its body
3. the entity instance it belongs to
I So, we define the following data type in Caliban:
PROCESS ::= PROC EXPRESSIONPROCESS_ACTIONINSTANCE
I constructed from PROCESS-ACTION which is a func-
Note that PROCESS is
tion type that returns ACTION-RESULT which includes PROCESS. Thus,
PROCESS is a recursively defined type. The type system of Caliban and the
I lazy evaluation semantics of Caliban make this sort of definition convenient.Now we can defi e how a process is run in a given signal-state, SS. If the
process, P, is (PR0C W A INST), then we use. the given instance INST, and state
SS to evaluate the wait condition W.If it evaluates to true, then the body A isapplied to the instance and state to give the result. Otherwise, the result is
<<l'], [,] ,P>>, which means that no changes will be made to the state, and the
process P will still be waiting in the next simulation cycle.
I RUN_PROC:: SIGSTATE->PROCESS->ACTION_RESULT
RUN_PROC SS (PROC W A INST) = (A INST SS), (ISTRUE N INST SS)
I <<1"] [,] ,(PROC W A INST)>>
D
In section 2.1 we defined the type:
= <<['SIGSTATE_ITEMJ [-PROCESS] [,TIME]>>type
RESULT $ i
This is the information about the result of running a process that the top level
I function, Simulate, uses. Here the first component is a list of changes to theSIGSTATE which includes both the immediate changes to the variables and
the scheduled changes to the signals. The second component is the process
!
!
!
continuation made into a singleton list so that it can be appended to the con- 1
tinuations of the other processes. The third component is the list of times at |
which transactions are scheduled.
Since the function RUN-PR0C returns and ACTION-RESULTwe must convert
this into a RESULTas follows: The ACTION-RESULT,<<VAR-UPDTS,TRS,CONT>>, I
contains the updates to the variables, a list of transactions, and a continuation. !1
In section 2.12 we define TRANSACTIONS-TIMESwhich maps a list of transactions
to the times of the scheduled events. We use this to define the third component of Ill
the result. The second component of the result is just a singleton list containing |
the process continuation CONT.So, we must explain how the first component of
the following definition is computed. III
PROC_RESULT :: SIGSTATE->ACTION_RESULT->RESULT U
PR0C_RESULT S <<VAR_UPDTS,TRS,CONT>>=
<< (TRANSACTION_UPDATESS TRS) ++ VAR_UPDTS, i
ECONT], |TRANSACTIONS_TIMESTRS
>>
A transaction represents a scheduled change to a signal. This change is !
accomplished by changing the signal's list of drivers. Thus, the transaction
corresponds to a change of the signal state. This change is computed by taking
the current state S, extracting the current set of drivers for the given signal,
and then merging the additional driver from the transaction. This computation g
is done by the function TRANSACTION-UPDATESwhich is defined in section 2.12.
This list of signal-updates is then appended to the variable updates.
By composing this conversion, PROC-RESULT,with RUN-PR0C we obtain the II
function D0-PR0C which is used in the definition of Simulate.
DO_PROC S P = PROC_RESULT S (RUN_PROC S P) I
2.11 Conditionalfunctionupdates
The reader may have noticed that some definitions involving a single update !
to a function (say from NAMEto VALUE) represent the update not as a pair
<<NAME, VALUE>> but as a triple <<BOOL,NAME, VALUE>> . We call such a
triple a conditional function update. To motivate their introduction, consider I
the following example in an unspecified programming language L. II
if a then x := 1; else x := 2; endif
if b then y := 3; else y := 4; endif I
If we give L an operational semantics similar to the semantics we have given
for VHDL, then a state, S, would be a function from names to values. Then Ill
the effect of executing the first statement of the example in an arbitrary state |S would be:
!
!
!
if al then (_update S [<<x,l>>]) else (_update S [<<x, 2>>])
I .here al (eval S a)
Now, if we compose the meanings of the two statements in the example in the
natural way to get the meaning of the sequence, then the effect of the sequence
m would be:
if al then if bl then (_update S [<<x,l>>,<<y,3>>])
m else (_update S [<<x,l>>,<<y,4>>])else if bl then (-update S [<<x, 2>>,<<y,3>>])
else (_update S [<<x, 2>>,<<y,4>>])
I We can see the beginnings of an exponential "explosion" in the sizes of condi-tional expressions that result from symbolic execution of the semantics.
Since the changes to "x" and "y" in the example are independent, we would
rather have the resulting expression for the state be:
_update S [<<x,if al then 1 else2>>,<<y,i_ bl then 3 else 4>>]
In this form, many such updates could be composed (provided they were inde-
m pendent) without an exponential explosion.
We have found no easy way to define the semantics so that they directly
give results as in the above expression. However, by introducing the conditional
I function update we get similar results in a natural way. Using the conditional
updates, the effect of the example would be:
i __update S [<<al ,x, 1>> ,<<'al ,x,2>> ,<<bl ,y,3>>,<<'bl ,y,4>>]The operators _update and _update are both predefined in Caliban. The
conditional update, _update, acts as follows:
I __update S (<<a,x,v>>:more)arg x=arg}
{a v
__updateS (<<a,x,v>>:more)arg.= __updateS morearg
__updateS []arg = S arg
m (Note that the "most recent" updates are at the head of the list. Therefore,
when interpreting a list of updates as a history of changes, the list must be
"read backwards").
i this definition a rewrite rule:
From we may prove
'__update S (<<a,x,v>>:<<b,x,w>>:more) '
D = '__update S (<<a I b, x, (a->v;w)>>:more)'Thisrulesaysthat woconditionalupdatestothesame"address"canbecom-
binedby "oriing''theirconditionsand making the "value"conditional.Using
i this rewrite rule the effect of our example rewites to:
__update S [<<(all-al),x,(al->l;2)>>,<<(bll-bl),y,(bl->3;4)>>]
m
!
!
!
This simplifies to: •
__update S [<<True,x,(al->l;2)>>,<<True,y,(bl->3;4)>>]
This form is essentially the form originally desired, m
These rewrite rules (and others, such as deletion of updates with condition |
False) are built-in to Clio. In several other efforts we have found that the
introduction of conditional updates was the key technical "trick" needed to
make an operational semantics usable. I
In the next section we define the type TRANSACTION,and we introduce condi- !I
tional transactions that behave with respect to transactions the way conditional
updates behave with respect to function updates.
!
2.12 Transactions
One result of executing a process may be that a driver is added to the list of
drivers of a signal or is merged with an existing driver. We define a data type, I!
TRANSACTION,that holds the information needed to record one such result. The
production TR constructs a simple transaction assigning a driver to a name; it •
also records the delay kind (which is either transport or inert!al). !1
TRANSACTION ::= TR DELAY_KIND NAME DRIVER
I CONDTR B00L TRANSACTION J
I DUMMY NAT i
As explained in the previous section, it is convenient to be able to tag a trans-
action with a boolean to make a conditional transaction. That is what the •
production CONDTRis for. A transaction contains a driver which contains a ql
waveform. The time components of the waveform are the times at which the
driver is scheduled to change values, hence they are the times at which a simu- •
lation cycle must happen. There is one case in which we schedule a simulation
cycle even though there may be no driver scheduled to change value. That is
the case of a "timeout wait" as in: I
IIwaitfor I0ns;
In this case we want to schedule a simulation cycle for 10 ns in the future. In II
our semantics, the next simulation cycles is scheduled for the next transaction |
time. Therefore, to handle the timeout wait, we also have a DUMMYtransaction
that has a time but no driver or signal name.
Here is how we extract the transaction times from a list of transactions. I
TRANSACTIONS_TIMES :: [TRANSACTION]-> [NAT]
TKANSACTIONS_TIMES TL = MERGE_LIST (MAP TRANSACTION_TIMES TL)
TRANSACTION_TIMES :: TRANSACTION-> [NAT]
|
!
!
!
TRANSACTION_TIMES (DUMMY T) = [T]
I TRANSACTION_TIMES (TR KND SIG DVR) = MAP TIMEOF (WAVEFORMOF DVR)TRANSACTION_TIMES (CONDTR BEXP TRI) = TRANSACTION_TIMES TRi
Every non-DUMMYtransaction, corresponds to a (conditional) change to thesignal state, s. The change to S corresponding to the transaction, T, is a single
conditional update and is computed by extracting the current set of drivers for
the given signal, and then merging the additional driver from the transaction.
I SIG_UPDATE S T'=
<<CONDOF T, SIGOF T, UPDATE_DRIVERS (S (SIGOF T)) (BODYOF T)>>
t UPDATE_DRIVERS (SigVal TM WE V DVRS) (TR KND SIG DVR) =SigVal TM WE V (MERGE_DRIVER KND DVRS DVR)
i SIGOF (TR KND SIG DVR) = SIGSIGOF (CONDTR BEXP T) = SIGOF T
CONDOF (TR KND SIG DVR) = TrueCONDOF (CONDTR BEXP T) = BEXP &_ (CONDOF T)
BODYOF (CONDTR BEXP T) = BODYOF T
I BODYOF T = T
When we define the result of a process in section 2.10, we convert a list of
transactions into a list of (conditional) updates to the signal state. Since the
g dummy transactions do not affect the state they are removed before computingthe list of updates.
TRANSACTION_UPDATES::SIGSTATE->[TRANSACTIDN]-> [SIGSTATE_ITEM]
l S TL = MAP (SIG_UPDATES) (REMOVE_DUMMY TL)
TRANSACTION_UPDATES
REMOVE_DUMMY [] = []
J REMOVE_DUMMY ((DUMMY X):MORE) = REMOVE_DUMMY MORET:MORE) = T: (REMOVE_DUMMY ORE)
As explainedinsection2.11,conditionalfunctionupdatesand conditional
J transactions have been introduced in order to define the effect of if-then-elsestatements in an efficient way. To give a meaning to the statement sequence:
if BEXP then A else B endif; C;
B Suppose that the statements in h generate a list of transactions, TR1, the state-
ments in B generate the transactions TR2, and the statements in C generate
transactions TR0. Then the combined list of conditional transactions must con-
I tain the list TR1, conditional on BEXP, TR2,
and the list conditional on --1BEXP _
and the list TROunconditionally.
|
!
!
!
COND_TRANS BEXP TRO TRI TR2 =
TRO 1++ (MAP (ADDCOND BEXP) TRI)
++ (MAP (ADDCOND ('BEXP)) TR2)
ADDCOND BEXP (CONDTR BEXP2 X) = CONDTR (BEXP _ BEXP2) X I
ADDCOND BEXP X = CONDTR BEXP X
For variable updat_ generated by statements, we use conditional function
updates directly (rather than transactions). For use in defining the iSthen-else I
statement we define a function similar to COND_TRANSthat works on conditional
function updates, tCOND_VAR_UPDATEBEXP SO S1 $2 =
SO
++ (MAP (ADDCONDI BEXP) S1) I
++ (MAP (ADDCONO1('BEXP)) $2) W
ADDCOND1 BEXP <<BEXP2,NM,VAL>> = <<BEXP _ BEXPR,NM,VAL>> I
W
2.13 StatemeNts
The body of a process is composed of sequential statements. Recall that the
meaning of a process body was assigned the type: J
type PROCESS_ACTION = INSTANCE->SIGSTATE->ACTION_RESULT
Wwhere
type ACTION_RESULT = << [SIGSTATE_ITEM],[TRANSACTION],PROCESS>> m
IWe use the standard continuation semantics for sequential statements by
letting the meaning, M S, of a statement S, be the transformation from PROCESS-
ACTION to PROCESS-ACTION which is describe informally as follows. If A is the I
meaning of a process body containing sequential statements SS, then M S A is g
the meaning of the process body containing the sequence S;SS . Hence, the
meaning of any sequential statement has the following type: Ig
type PROCESS_TRANSFORMATION = PROCESS_ACTION -> PROCESS_ACTION
We next give a Caliban data type that encodes the abstract syntax of the
sequential statements that we currently support. Thus, at the sequential state- I
ment level, we are making a deep embedding of VHDL into Caliban. We will
discuss each kind of statement when we define its meaning. The main omis- m
sions from this set are procedure call statements, assertion statements, next
statements, and while loops. W
!
!
STATEMENT ::= SIGASSIGN DELAY_KIND NAME WAVEFORM_EXP
I WAIT EXPRESSION
m m
TIMEOUTWAIT EXPRESSION
IF_THEN_ELSE EXPRESSION [STATEMENT] [STATEMENT]
I CASE [<<EXPRESSION,[STATEMENT]>>]RETURN EXPRESSION
EXIT
I FORLOOP NAME [NAT] [STATEMENT]
VARASSIGN NAME EXPRESSION
NULL
t As stated above, the meaning of a STATEMENT is aPROCESS-TRANSFORMATION. Therefore we define a meaning function:
M_S :: STATEMENT-> PROCESS_TRANSFORMATION
I In order to define M_S ST, where ST a statement, we
is must define (M_SST A
INST S) where A is a PROCESS-ACTIONrepresenting the effect of the statements
that come after ST, and INST and S are the current instance and signal-state.
Then (M_S ST A INST S) must be defined to correspond to the effect of execut-ing ST in instance INST and signal-state S, and then executing the action A in ..
the resulting state. We will call the action Athe continuation in this section, but
this is a continuation of a statement sequence and is different from the processcontinuation mentioned in section 2.10, which was the process that results when
a process suspends.
I 2.13.1 Signal assignment statement
The signal assignment SIGASSIGN knd name wf is the abstract syntax for the
VHDL statement name <= wf, (with optional key word "transport" to indicatetransport delay). To execute this statement with instance INST and state S,
we evaluate the waveform expression wf to get a waveform, make a driver la-
beled with the instance name, resolve the name being assigned to its real name,
J and then make a transaction out of the delay-kind, the resolved name and thedriver. This transaction has no immediate effect on the state, so (A INST S)
is the effect of the continuation. The effect of the signal assignment followed
by its continuation is obtained by appending the transaction to transaction listreturned by the continuation.
M_S (SIGASSIGNkndnamewf)A INSTS =
I APPEND_TRANSACTION' (TR knd (REAL AME INST S name).(DRIVER_EVAL INST _f S))
(AINSTS)
I DRIVER_EVAL INST wf s =
DR (INST_NAMEINST)UNINITIALIZED(WAVEFDRM_EVALwf INSTs)
!
I
I,
B
APPEND_TRANSACTION t <<s,ts,c>> = <<s,t:ts,c>> m
2.13.2 Variable asslgnment statement
A variable assignment N := E; is similar to the signal assignment in that we m
evaluate E and resolve the name N to get a single state update X. Since variable
assignments are immediate, we must update the state S with the single change
X before executing the continuation. The change X is appended to the changes m
made by the continuation.
M_S (VARASSIGN N E) A INST S = i
APPEND_VAR_UPDATE X (A INST (__update S [X])). |
where X = VARUP N E INST S
VARUP N E INST SS = m
<<True,(REALNAME INST SS N), VarVal (EVAL INST SS E)>>
APPEND_VAR_UPDATE X <<LI,L2,CONT>> = <<LI++IX],L2,CONT>>
IN
2.13.3 Wait statement !
The wait statement WAIT Wis the abstract syntax of the statement wait until mmL
W. When h is its continuation, then the effect of the wait statement is to make
no state changes, and to suspend the process. The process continuation is then (m
the process that waits on Wand has A as its body, and INST as its instance:
M_S (WAIT W) h INST S = <<[], [], (PROC W A INST) >> I
A wait statement of the form wait _or t is a timeout wait. It is equiva-
lent.to temp := CLOCK; wait until CLOCK>---- temp+t; And it schedules a R
dummy transaction after t, to make sure that there will be a simulation then I
even if there were no other transactions then.
M_S (TIMEOUTWAITt) A INSTS = m
<<[], [DUMMY (natVALOF(EVAL INST S t))], TIMEOUT t A INST S>> J
TIMEOUT t A INST S = m
PROC (TIMEOUTTEST (EVAL INST S (EXPPLUS CLOCK t))) A INST m
TIMEOUTTEST v = EXPGEQ CLOCK (EXPCONSTANT v)
2.13.4 Null statement m
A null statement does nothing, so as a PROCESS-TRANSFORMATION it is
...... the identity: ..........
g
M_S NULL = I
!
!
2.13.5 Conditional statement
I The statement (IF_THEN_ELSE e ssl ss2) is the abstract syntax of the state-
ment if e then ssl else ss2. Its meaning is derived from the expression e
and the meanings of the two statement sequences, ssl and ss2. The functionM_SSgives the meaning of a statement sequence and is defined in section 2.13.11.
M_S (IF_THEN_ELSE e ssl ss2) = IFMEANING e (M_SS ssl) (M_SS ss2)
I IFMEANING :: EXPRESSION
-> PROCESS_TRANSFORMATION
I -> PROCESS_TRANSFDRMATION-> PROCESS_TRANSFORMATION
Now to understandthe definitionof IFMEANING,remember that (A INST
I S) is the result of executing the continuation (the statements that come afterthe if-then-else) and that (IFME_ING e ssl ss2 A INST S) is the result of
executing the if-then-else and then the continuation. Basically, we apply the
meanings of the two branches of the conditional to the continuation and thenmake the resulting transactions conditional on the value of the expression e.
However, this would make all the transactions from the continuation appear
twice, as conditional on e being true and on e being false. This would lead to
I of conditional in simulation. Therefore we make"explosion"
expressionsan a
our definition as follows. We let A1 be an action which is the same as A except
that it generates no transaction (so it makes the same variable updates and
I has the same process continuation). We let A1 be the continuation of the twobranches, ssl and ss2, of the conditional. Then we combine the results of the
two branches and the original continuation.
I IFMEANING(EXPCONSTANT(boolYALTrue))sslss2= sslIFMEANING(EXPCONSTANT(boolVALFalse))sslss2= ss2
IFMEANINGe sslss2A INSTS =
I CONDACTION (ISTRUE e INST S)AINSTS)
(sslAI INSTS)
I (ss2 A1 INST S)where A1 = DELETE_TItANSA
DELETE_TRANS A INST S = REMOVE_TRANSACTIONS (A INST S)
I REMOVE_TRANSACTIONS <<S,TRS CONT>> = <<S [] CONT>>
J D $
The functionsCOND_VAR_UPDATEand COND_TKANShavealreadybeendefined.
i They take three lists of transactions and return a list of conditional transactionswhere the first of the three argument lists is left unconditional, and the second
and third argument lists are made conditional on BEXPand _BEXP.
I 35
!
!
!
CONDACTION BEXP <<SO,TRO,CO>> <<SI,TRI,CI>> <<$2,TR2,C2>> =
<<COND_VAR_UPDATEBEXP SO S1 $2,m m JCOND_TRANSBEXP TRO TR1 TR2,
(BEXP->C1 ;C2) >>
I
2.13.6 Case statement S
The statement case e is when xl => ssl ...when xn => ssn end ease is, III
abstractly, CASE l'<<e=xl ,ssl>> ..... <<e=xn,ssn>>'l, so it is given by a list of |
<<EXPRESSION, [STATEMENT]>> pairs. We reduce its meaning to the IFMEAN-
ING as follows:
ma
M_s(CASE[])= I l
M_S (CASE (<<e,ss>>:rest))=
IFMEANING e (M_SS ss) (M_S (CASE rest)) I
2.13.7 Return staten,ent
The return statement "return e" is the same as "FUNCRETURN := e; exit;" I
for a special name "FUNCI_ETURN". II
M_S (RETURNe) A INSTS =.(SAVERETURNe (M_SEXITA) INSTS)
SAVERETURN e A INST S = |
A INST (__update S [VARUP (FUNCRETURN ATOMIC) e INST S])
2.13.8 Exit statement I
The exit statement, does nothing and continues to the dead process.
!M_S EXIT A INST S = <<[],[],DEADPROC INST >>
DEADPRDC = PROC EXPFALSE (M_S EXIT bottom) A
2.13.9 ForLoop statement B
The statement (FORL00P i L B) is the abstract syntax of the statement for
£ in L loop B endloop. We can define the meaning of this statement by g
primitive recursion on the list L. If L is empty then the statement is a null
statement. If not, we compose the meanings of: II
1. Assign head of L to variable 1.
2. Execute tim body, B.
a3. Do for-loop for i in the tail of L.
|
!
i
!
l M_S (FORLOOP i [] B) = I
M_S (FORLOOP i (n:rest) B) =
(M_S (VARASSIGN i (EXPCONSTANT(natVAL n))))
•(M_SS B)
l .(M_S (FORLOOP i rest B))
2.13.10 Function meanings
When the translator recognizes the body of a function, F, with arguments x, y, z,
and a body consisting of a statment sequence B, it enters the meaning of the
function into the global environment by definingFUNCMEANING (FUNCNAME "F") = FUNCEFFECT [x,y,z] (M_SS B)
I The meaning of a function is of type VALUE----,VALUE,and is obtained asfollows. Given the v lues of the actuals as a single aggregate value v, we make
a state (BIND ,ms v) that binds those values to the formals, ,ms. Then we
evaluate the effect of the body in that state (with instance TOP) and get thevalue that is bound to the special variable name (FUNCRETURN ATOMIC).
FUNCEFFECT :: [NAME] ->PROCESS_TRANSFORMATION->VALUE->VALUE
FUNCEFFECT ,ms bodyv =CURRENT TOP (EFFECT body TOP (BIND ,ms v))
(FUNCRETURN ATOMIC)
i The effect of the body is obtained by giving it a continuation which is the
meaning of the EXIT statement (applied to the undefined continuation "bot-
tom"). From the result we extract only updates to variables (functions may not
I have side effects Signals) and apply those updates to the initial state.
on
EFFECT :: PROCESS_TRANSFORMATION->INSTANCE->SIGSTATE->SIGSTATE
I EFFECT body INST SS =__update SS (SIGUPDATES ((body (M_S EXIT bottom) ) INST SS))
SIGUPDATES <<S,T,CONT>> = S
I The state (BIND ,ms v) is obtained by updating the uninitialized STARTSIfiso that each name on the list ,ms is bound to the corresponding value in the
aggregate v.
i BIND[]v = STARTSIG
BIND [a] v = _update STARTSIG [<<a,VarVal v>>]
BIND,ms (AGGREGATEv)= _updateSTAKTSIG(BINDLISTrimsv)BINDLIST (a:b) (v:w) = <<a,VarVal v>>:(BINDLIST b w)
BINDLIST [] v = []
!
!
!
2.13.11 Statement sequences BI
Now, to give a meaning to a list of sequential statments, we compose their mean- I
ings to get a PROCESS-TRANSFORMATION. The "dot" operator is Caliban
notation for function composition.
M_SS = FOLDR ((.).M_S) I i
• 2.13.12 Process definition QA process with wait condition w, body ss, and instance INST, can be obtained
via the following recursive definition.
MAKEPROCESS :: EXPRESSION->[STATEMENT]->INSTANCE->PRDCESS I
mwMAKEPROCESS w ss INST =
PROC w (M_SS ss (NULLACTION (MAKEPROCESS w ss INST ))) INST
NULLACTIONc INSTs = <<[],[],c>> I
i
Ifthebody ss werenull,thenthe processwould produceno transactionsand
would be its own continuation. Reading the above definition with (M_SS ss) i
replacedbythe identity, we see that it defines just such a process. If we let that _B
process be the continuation on which the meaning (M_SS ss) acts, We see that lm
the above definition defines the desired process. The MAKEPROCESSfunction is
used by the translator to make the translations of concurrent statements such J
as process statements. II
2.14 Use_l general purpose _nctions iIF=F
KFX=F
CFXY=FYX i
COND b X Y = b->X;Y
MERGE [] LST = LST i
MERGE LST [] = LST
MERGE (A:As) (B:Bs) = (A<B)-> h : MERGE As (B:Bs) mm
(A=B)->h : MERGEAs Bs •
B : MERGE(A:As)Bs i
FOLDR F E [] = E
FOLDR F E (A:X) = F A (FOLDR F E X) |
MAP F [] = [] Im
= (F A): (MAP F X)MAP F (A:X)
g
38 !
!
!
!
MAPOPF X [] = X
I F [] X = X
MAPOP
MAPOP F (A:X) (B:Y) = (F A B): (MAPOP F X Y)
J FILTER P [] = []I (A:X) = (P A) -> (A:FILTER P X); (FILTER P X)
ALLTRUEF [] = TrueALLTRUEF (A'X) = (F A) _-(ALLTRUE F X)
MAP_AT L X = MAP (AT X) L
g ATXF=FX
MERGE_LIST :: [[*]]->[*]
I MERGE_LIST = FOLDR (MERGE) []
l DIRECTION ::= UPT0 [ DOWNTOFROMTO UPTON M {N <= M} = N:(FROHTO UPTO (Succ N) M)
FROMTO UPTON M = []
FROMTO DOWNTO N M {N > M} = N:(FROMTO DOWNTO (N #- #1) M)
FROMTO DOWNTO N M {N = M} = [N]
I FROMT0 DOWNTON M = []
3 The Translator
I In defining our semantics we have made a deep embedding of VHDL up to
the level of sequential statement sequences. This means that we have defined
Caliban data types that are isomorphic to the abstract syntax of expressions,
I and statement Because of this, the translator is mostly
statements, sequences.
just a parser. We built our translator using yacc, starting with a public yacc
grammar for VHDL obtained over the net.
I As the parser recognizes each grammatical item, it writes the correspondingCaliban text to its output stream. So that th output will be readable, we
make many abbreviations. For example, if the translator recognizes a waveform
expression on line 20 of the file being translated, it will write a line like:
B WAVEFORM20 = (WFEXP ... )
Then, for example, the signal assignment statement on that line, which con-
t tained the wavefoi-rfi'expressi0n might be translated as:
SIGASSIGN20 = SIGASSIGN INERTIAL clockstate WAVEFORM20
I
1
1
I: packageclock_packageis 1
2: subtypeoutput_typeis BIT;
3: end clock_package;
5: entity clock_ent is 1
6: generic (
7: clock_delay : TIME := 1 ns
8: ); !9 port (
I0: clock_out: out output_type
11: ); !12: end clock_ent;
14: architectureclock_archof clock_entis m_
15: signalclockstate: BIT; 1
116: begin
17: process (clockstate)
18: begin I9 if clockstate= '0'then
20: clockstate<= '1' afterclock_delay;
21: clock_out <= 'I' after clock_delay; 1
122: else
23: clockstate <= '0' after clock_delay;
24: clock_out <= '0' after clock_delay;
25: end i_; 1
26: end process; u
27: end clock_arch;
1
Figure 1: VHDL clock. 1
With such abbreviations, each line of the translation is short and each abbrevi- 1
ation can be traced back to the original VHDL text.
We illustrate the translation process with the simple VHDL design for a 1
numbered the lines in order to rear to them later). 1clock in figure 1. (wehave
The translation is given in figure 2.
We will examine the translation line by line. The first line causes all the
definitions of the vhdl semantics to be loaded. 1
FROM vhdl IMPORT ALL
• |We do not currently support the "with" and "use" clauses, so, currently, all
packages are globally visible. Thus the lines 1-3 of the example are not translated
|
• !
1
m
FROM vhdl IMPORT ALL
IIDeclarationof entityclock_ent.
DEFAULT_VALUE"clock_delay"= CONSTVAL(EXPCONSTANT(natVAL#I))
I ENTITY::=clock_ent(+Im************************************************************
m(Architectureclock_archof elock_ent.
clockstate= SIGNALNAME[]"clockstate"ATOMIC
m SIGLIST17= [clockstate]COND TION19= (BINARY(EXPNAMEclockstate)
EqUALOP(EXPCONSTANT(bitVALbitO)))
m NAVEFORM20= (NFEXP[<<(EXPNAME(GENNAME"clock_delay")),(EXPCONSTANT(bitVALbit1))>>])
SIGASSIGN20= SIGASSIGNINERTIALclockstateWAVEFORM20
SIGASSIGN21=
m SIGASSIGNINERTIAL(PORTNAME"clock_out")NAVEFORM20SS22= [SIGASSIGN20,SIGASSIGN21]
NAVEFORM23= (NFEXP[<<(EXPNAME(GENNAME"clock_delay")),
m (EXPCONSTANT(bitVALbitO))>>])SIGASSIGN23= SIGASSIGNINERTIALclocksta eW VEFORM23
SIGASSIGN24=
SIGASSIGNINERTIAL(PORTNAME"clock_out")WAVEFORM23
m SS25= [SIGASSIGN23,SIGASSIGN24]
IFSTMT25= IF_THEN_ELSECONDITION19SS22SS25
$526= [IFSTMT25]
m WAIT26= (NAMESEVENTSIGLIST17)PROCESS26= MAKEPROCESSWA T26(SS26)
CONCURRENT27= [PROCESS26]
m ENTITYMEANINGclock_ent= CONCURRENT27
m Figure 2:Translation of VHDL dock.
m 41
I
I
I
but merely install the declaration of "output_type" in the internal symbol table
of the translator. I
!
!
!
!
!
I
!
!
!
i
!
' ' !
!
!
!Lines 5-12 of the example produce the following output.
I " " I I************************************************************
II Declaration of entity clock_ent.
I DEFAULT_VALUE "clock_delay" = CONSTVAL (EXPCONSTANT (natVAL #I))
ENTITY ::= clock_ent I+
"clock_ent" is added to the enumerated type of all entities. "clock_delay" is
added to the internal symbol table as a generic and its default value is defined.clock_out is added to the internal symbol table as a port name, but this
generates no output from the translator.
Lines 14 and 15 generate the following:
I I************************************************************
II Architecture clock_arch of clock_eng.
I clockstate = SIGNALNAME [] "clockstate" ATOMIC"clockstate" is defined as an abbreviation for the atomic signal name in the type
NAME.
The sensitivity list on line 17 generates this line:SIGLISTI7 = [clockstate]
The condition from the if-then-else.starting on line 19 generates:CONDITIONi9 = (BINARY (EXPNAME clockstate)
EOUALOP (EXPCONSTANT (bitVAL bitO)))
I The waveform, 'I'afterclock_delay,on
line20istranslated:
WAVEFORM20 = (WFEXP [<<(EXPNAME (GENNAME "clock_delay")),
I (EXPCONSTANT (bitVAL bit1))>>])Now the signal assignments on lines 20 and 21 are recognized and combined
into a statement-sequence that is terminated by the "else" on line 22.
I SIGASSIGN20= SIGASSIGNINERTIALclockstateWAVEFORM20
SIGASSIGN21 =
SIGASSIGN INERTIAL (PORTNAME "clock_out") WAVEFORM20
I SS22 = [SIGASSIGN20, SIGASSIGN21]
Note that the waveform on line 21 is identical to the waveform on line 20, so
its abbreviation is reused (this is implemented via a hashing algorithm in the
I translator).Similarly, lines 23-24 are translated as fbllowsi
I WAVEFORM23= (WFEXP[<<(EXPNAME(GENNAME"clock_delay")),(EXPCONSTANT(bitVALbitO))>>])
SIGASSIGN23 = SIGASSIGN INERTIAL clockstate WAVEFDRM23
• !
SIGASSIGN24 =
SIGASSIGN INERTIAL (PORTNAME "clock_out") WAVEFORM23 I
SS25 = [SIGASSIGN23, SIGASSIGN24] u
The if-then-else ends on line 25 and is recognized. I
IBIFSTMT25 = IF_THEN_ELSE CONDITIONI9 SS22 SS25
The body of the process ends at line 26. It is a statement-sequence containing III
the single if-then-else statement. |
SS26 = [IFSTMT2S]
Now, the process will be waiting for an event on its sensitivity list. The I
following expression evaluates to true exactly in this case.
WAIT26 = (NAMESEVENT SIGLIST17) Bi
The process that ends at line 26, is defined with the appropriate wait-
condition and body. The result, PR0CESS26, has the type INSTANCE ---* PROCESS i
because the instance has not yet been supplied. I
PROCESS26= MAKEPROCESSWAIT26(SS26)
The entity ends at line 27. Its body is a sequence of concurrent processes I
containing only the single process. The function ENTITYMEANINGis defined by I
the translator to map ENTITY to [INSTANCE ---. PROCESS]. This make an entity
into something that when supplied with an instance will be a list of processes. Ig
CONCURRENT27 = [PROCESS26]
ENTITYHEANINGclock_ent= CONCURRENT27
This example illustrates the translation of sequential statements and pro- I
tess statements. The main structuring mechanism in VHDL is the component
instantiation statement, so we will continue our example to illustrate the trans- R
lation of component instantiation. |
Suppose we wish to build an entity that contains two clocks, one that ticks
twice as fast as the other, and that has two output ports with the two clock
outputs on them. Then the VHDL code in figure 3 appended to our previous I
example defines such an entity. !1
Again, we will examine the translation line by line. Lines 29-31 generate the
declaration of "iwoclock" as an entity. •
IIENTITY ::: twoclock I+
The constant declaration on line 34 defines "two".
!two = CONSTVAL (EXPCONSTANT (natVAL #2))
44 |
m 29: entity twoclock is30 port ( utl,out2 : out output_type);
31: end twoclock;
I 33: architecture foo of twoclock is34: constant two : TIME := 2 ns;
35: beginaim
[] 36: clock! : clock_ent1 37: GENERICMAP (clock_delay=>two)
38: PORTMAP (clock_out=> out1);
[] 39: clock2 : clock_ent PORT MAP (clock_out => out2);
! 40: end Zoo;
Figure 3: An entity with two clocks.
The component instantiation that starts on line 36 will define an instance
with a generic-map and a port map. The generic map is defined by the following:MAP37= [<<"clock_delay",(CONSTANTtwo)>>]
GENMAP37= MAKE_GENMAPMAP37
m The port map is recognized on
line 38.
MAP38= [<<"clock_out",(PORTNAME"outl")>>]
m Now the label "clockl" is used to abbreviate the following partial instance.It has the type INSTANCE---*INSTANCEecause it has n t been applied to its
parent instance.
I clockl= Inst"clockl"MAP38GENMAP37
Similarly, we form the partial instance for "clock2"
MAP39 = [<<"clock_out",(PORTNAME "out2")>>]
clock2 = Inst "clock2" MAP39 []
Now tile entity ends at line 40 and the translation reads:
CONCURRENT40=(MAP (\_->_.clockl)(ENTITYMEANINGclock_ent))
++ (MAP (\f->f.clock2)(ENTITYMEANING clock_ent))
ENTITYMEANING twoclock = CONCURRENT40The body of "twoclock" is the two component instantiation statements. The
body is supposed to have the type: [INSTANCE ---+PROCESS], that is, it should
be a list of things which when supplied with an instance are processes. Now(ENTITYMEANINGclock_ent) is already such a list. We have composed each
member of this list with the partial instance "clockl" resulting in the list:
m
!
!
!
(MAP (\f->f.clock1)(ENTITYMEANING¢lock_ent)) m
Nowa memberof this list whensuppliedwith a "parent" instance Xwillform the m
complete instance (clockl X) and supply that instance to form the processes
in "clock_ent". The second clock instance is formed in the same way, and the •
two lists have been appended. m
Finally,howdo wedefinea set of processesthat we canactuallysimulate.'?
One argument to the translator is the name of the top level entity. This is like
telling an ADAcompiler whichlibrary unit is the main program. For example, n
if the "testbed" entity for a design is called "test", and we call the translator u
with that name, weget the followinglinesof output:
m
INITLIST = MAP INIT (MAP_AT (ENTITYMEANINGtest) TOP) m
STARTSTATE = Simulate <<STAKTSIG,INITLIST,[#0]>>
The first line takes the meaning of the entity "test" and supplies it with the •
instance TOP. The result is a list of processes. Then the function INIT is applied l
to each:process on the listL The definition of INIT is:
INIT (PROC $/ Jt INST) = PROC EXPTRUE h INST m
m
This means that (INIT P) is a process identical to P except that it is waiting on
"true". In VHDL, during the first simulation cycle, all the processes are active,
and this is our way of achieving that behavior, m
The second line: m
STARTSTATE = Simulate <<STAKTSIG,INITLIST,[#0]>> i
then starts the simulation in an uninitialized starting signal-state, with the list !
of "activated" processes, and an &event scheduled.
In the next section we will give an example of symbolic simulation of a simple •
state machine. l
4 Initial Results mB
In our initial experiments with our semantics, we used the example of a simple
state machine given in figure 4. The example is taken from Dennis Morton's m
thesis, [7], which we got from Draper Labs and which contains a partial VHDL •
design of the Scoreboard. The example defines a machine with inputs "clock"
IIw
and "control" (as well as "reset"). It has an internal signal "state" which can
take one of four values. When the clock is active, then as a function of the control m
and the internal state, a next state and some output values are computed.
In order to simulate this example, we had to provide the "testbed" in figure 6.
In this testbed, we are driving the clock and control wires with instances of the m
clock-entity used in the previous examples. The clock connected to the cont.rol- |
wire ticks at half the rate of the clock connected to the clock-wire.
4° m
!
!
m
packagestate_machine_packageis
t type state_typeis (sO,sl,s2,s3);subtypecontrol_typeis BIT;
subtypeoutput_typeis BIT;
m constantclock_active: control_type;ontrol_active: control_type;
constantoutput_active: output_type;
m end state_machine_package;
packagebody state_machine_packageis
constantclock_active: control_type:= 'I';
m control_active control_type:= '1';
constant
constantoutput_active: output_type:= _I';
end state_machine_package;
m entitystate_machineis
generic( output_delay: TIME := Ins;
m state_delay: TIME := 1 ns);port ( control,reset: in control_type;
clock : in control_type;
outl,out2: out output_type);
m end state_machine;
j Figure 4: Declaration of a simple VHDL state machine.
m I • .
m 47
m
!
!
!
architectureb stof state_machineis •|signalstate : state_type;
begin
machine : process (clock,reset) m
variablenext_state: state_type; •
mmbegin
if reset = control_active then
next_state := sO; m
elsif clock = clock_active and clock'event then J
case state is
when sO =>
out1 <= not output_active after output_delay; m
out2 <= not output_active after output_delay;
w
if control = control_active then
next_state :=sl; m
Ioutl <= output_active after output_delay;
out2 <=not output_active after output_delay;
end if; m
when sl =>
if control = Control_active then
next_state := s2; l
out1 <= not output_active a_ter output_delay;
out2 <= output_active after output_delay;
end if; I
when s2 =>
if control = control_active then i
mnext_state := sl;
out1 <= output_active after output_delay;
out2 <= not output_active after output_delay;
else Inext_state := sO;
out1 <= not output_activeafter output_delay;
out2 <= not output_activeafter output_delay; m
end if; m
when others =>
next_state := sO;
end case; m
state <= next_state after state_delay;
end if; Iprocess;
end best;
_ mFigure 5: Body of the VHDL state machine.
!
m
m entitytest is end test;
architecturefoo of test is
m signalclock_wire: output_type;signalcontrol_wire: control_type;
signalreset_wire: control_type;
signalout1_wire,out2_wire: output_type;
m constanttwo : TIME := 2 ns;begin
control_inst : clock_ent
m GENERICMAP (clock_delay=> two)PORT MAP (clock_out=> control_wire);
¢lock_inst: clock_entPORT MAP (clock_out=> clock_wire);
machine_inst: state_machinePORT MAP (
m control=> control_wire,reset=> reset_wire,
clock=> clock_wire,
m outl => outl_wire,2 2 );
end Zoo;
m Figure 6: The testbed.
m "
m ....
m 49
!
!
!
We can trace the values of a list of expressions over a simulation with the m
definitions (which are loaded along with the semantic def- mhelp of the following
initions). m
TRACE LST = _TRACE LST TOP STARTSTATE m
m
_TRACE LST INST S =
DUMPLST INST S : _TRACELST INST (Simulate S)
m
DUMP [] INST S = [] $
DUMP (A:B)INST S = (_EVALINST S A): DUMP B INST S
m
_EVAL INST <<SI,Q,T>>= EVAL INST $I I
The expression (TRACE LST) reduces to an infinite list of "dumps". The i th
"dump" consists of the values of the expressions in LST evaluated in the state m
si where So is STARTSTATEand .Si+l = SimulateSi. l
Now, after translating the state-machine example into Caliban using the
translator, we load the resulting definitions into Clio. Then if, for example, m
we want to trace the values of the control wire and the internal state of the !
machine, as well as the global clock, we can load the following definitions.
cw = EXPNAME(SIGNALNAME[] "control_wire"ATOMIC) •
st = EXPNAME(SIGNALNAME["machine_inst"]"state"ATOMIC) l
We then ask Clio to reduce the expression (TRACE[CLOCK, cw,st]), and get
the following output (in a matter of minutes): m
J[natVALZero,UNINITIALIZED,UNINITIALIZED]:
[natVAL(#I),UNINITIALIZED,UNINITIALIZED]:
[two,bitVALbitO,UNINITIALIZED]: •
[natVAL(#3) bitVALbitO,UNINITIALIZED]: m
[natVAL(#4) output_active,UNINITIALIZED]:
[natVAL(#5) output_active,state_typeVALsO]: m
[natVAL(#6) bitVALbitO, state_typeVALsO]: |
[natVAL(#7) bitVALbitO, state_typeVALsO]:
[natVAL(#8) output_active,state_typeVALsO]: m
[natVAL(#9) output_active,state_typeVALsO]: •
[natVAL(#i0):bitVALbitO, state_typeVALsO]: m
[natVAL(#II) bitVALbitO, state_typeVALsl]:
[natVAL(#12) output_active,state_typeVALsl]: •
[natVAL(#13) output_active,state_typeVALsl]: m
[natVAL(#14) bitVALbitO, state_typeVALsl]:
-[natVAL(#15) bitVALbitO, state_typeVALs2]: m
[natVAL(#16) output_active,state_typeVAL,s2]: m
|
!
!
!
(Since "output_active" was defined as bitVAL bitl and "two" was defined as
I Clio is them abbreviations in displaying the results.)
natVhL C#2), using as
We see that the values become initialized, and that the control wire is "tick-
ing" every two cycles. The user defined enumerated type has been added to the
I VALUE type by the following lines from the translation:
staZe_Zype ::= sO I sl I s2 I s3
VALUE ::= state_typeVAL state_Zype I+
I We see the internal state of the state-machine changing correctly.
These initial results were encouraging, for, at least in a simple example, the
I operational semantics seem usable.
5 Application to Scoreboard
I The Scoreboard •circuit design was given to us as a collection of eleven VHDL
files describing major blocks and averaging 504 lines of VHDL each. In addi-
tion a "shell" file of 4593 lines of VHDL connected the major blocks into the
Scoreboard. Further, two packages, totaling 2791 lines of VHDL, con-
complete
tained library functions on the seven-valued lattice of bits and other predefined
functions used by the Synopsis synthesis tools.
I Our plan was to characterize the behavior of each major block at a level ofabstraction similar to the level of abstraction at which components are described
when using Spectooh Spectool, [10], is the hardware description tool, developed
I at ORA, which we used to describe and verify the simplified Scoreboard designin our previous work [12]. The overall structure of the VHDL design of the
Scoreboard does not differ much from the Spectool design we verified. Therefore,
once we had a "Spectool-like" description of the behavior of each major block,
I we should be able to modify and reuse most of our earlier work to create theproof of tile VHDL design.
We began Our work on the actual Scoreboard design by completing the trans-
I iator until it could translate all of the major blocks, shell, and Synopsis packagesinto Caliban without any modification and result in translations that could be
read (viz. abbreviations were used to keep expressions short). After this had
been accomplished, we began the process of characterizing the behavior of each
I with the "voterblock". This block was given as 717 linesmajor block, beginning
of VHDL. We hoped to develop a "push-button" method to extract the abstract
• behavior of a block such as the voterblock from the translation of the VHDL
I code. Once this method was workingon the voterblock, it could be applied toall the oth r blocks an ecould be in modifyingour earlier proof. As skilled
users of our system, we could have begun by writing the abstract behavioral de-
I scription of each block by hand and then using Clio to prove that the translationof the VHDL implemented the abstraction. However, since our goal was more
ambitious, namely, to develop a general method for verifying VHDL designs
!
!
!
that would be usable by less skilled users, We did not pursue this approach. As B
a result, we have not verified the VHDL Scoreboard design, because we have n
not yet been able to develop a simple method to extract the abstract behavior
of a block from the VHDL. We will next describe the level of abstraction we are
attempting to extract from the VtIDL code and the method we used, unsuc- i
eessfully, to extract it. We then discuss the features of the VHDL operational II
model that caused this method to fail, and finally describe the methods that we
feel will overcome these problems, i|
6 Abstraction I
i
We will briefly discuss the level of abstraction at which components are described I
in Spectool, and illustrate the discussion by considering a simple latch. We will
then describe the same latch in VHDL and see what abstraction is needed. I
IIIn Spectool, a component has an internal state, a set of input ports, a set
of output ports, and supports a set of actions. Each action is characterized by
three things: I
• 1. A function from (state x input values) to next state. I
2. A list of functions from (state x input values) to output values, one for I
each output port. HI
I
3. A delay. I
In the Spectool model, each component has two implicit input ports, one i
connected to the CLOCK, and one connected to the CONTROLLER. In oper-
ation a component acts as follows. When the clock ticks, each component reads
its control input and, if the control input is an action (as opposed to "no-op"), II
it changes its state and outputs by applying the appropriate functions for that
action to the current values of its input ports. The changes are made with the •
delay given for that action, and in the meantime the internal state and outputs I
become undefined.
!
!
!
For example, a simple latch is described by the following information. The
type "data" is a type parameter.
• internal state: latchstate :: data
I • inputs : latchin :: data
• outputs : latchout :: data
I • actions: set
• nextstate set s in = in
I * nextout set s in = in
• delay set = 1
I To design a latch in VHDL with the same behavior (see figure 7) we must
make the clock and control inputs explicit. Also, since we do not have a simple
data abstraction mechanism (such as private types), we must declare the type
"data" to be something. For the example we chose an enumerated type witheight values.
Now, we can make a "testbed" entity to drive the clock, control, and latchin
I input ports of the latch and then run the simulation as we did for the state-machine example. However, in order to characterize the behavior of the latch,
we must prove a theorem that describes the behavior when the latch is part of
an arbitrary state that satisfies some minimal assumptions.
I In the minimal set of assumptions about the context in which the
formulating
latch will be embedded, we find that many assumptions that are implicit in the
Spectool operational model must be stated explicitly for the VttDL operational
I model. We defined the following "generic" assumption list that captures mostof th se assumptions.
Ready 's' 'inst''X' :==
I PROPER is'k SINGLE_PORT_CONNECTIONS '±nst'
'CLOCKNAMEinst'='SIGNALNAMEX "clock"ATOMIC'
I k 'X''='INST_NAMEinst'CLOCK_TICK's' '
& ALL_INTERNAL_QUIET's' 'inst'
I k DEFAULT_VALUE_TOTALFUNCMEANING_TOTALk '!!inst'='True'k '!!X'='True'
I The PROPER'predicate was previously defined and says that names of signalsget signal-values and names of variabl s get simple values. The predicate
SINGLE_PORT_CONNECTIONSsays that the given instance does not connect two
I 53
!
!
!
m
m
m
packagelatch_packageis
type actionis (set,noop); •
type data is (xl,x2,x3,x4,x5,x6,x7,x8); |
end latch_package;
entitylatch is m
port ( latchin:in data; m
elk: in bit;
control:in action; •
latchout:out data m);
end latch; marchitecture latch o_ latch is
signallatchstate:data;
begin ilatch:process
begin
wait until (clk=_1_) and (control=set); m
latchstate <= latchin a_ter Ins; m
endprocess;
latchout<= latchstate;
end latch; m
Figure 7: VHDL latch, m|
m
..... m
54 !
!
m
!
I ports to the same external signal. This is certainly not required by VIIDL,but is satisfied by most designs. In Spectool this restriction is imposed only on
output ports; in fact, no two output ports even of possibly distinct components
may be connected to the same signal because Spectool does not allow multiple
I drivers of a signal. The next three assumptions say that the input port "elk"is, in the given instance, connected to some signal called "clock" which is ex-
ternal to the component (so its instance name X differs from the instance name
I of the component) and which has a driver that is a CLOCK_TICK.A CLOCK_TICKwaveform is one that flips between bits '1' and '0' with unit delay. The predi-
cate ALL_INTERNAL_QUIETis an invariant that says that no signal internal to the
component has any pending transactions on its driver at the current simulation
I cycle. Finally, we must assume that all functions have well-defined bodies andall generics have well-defined default values and that the given instance and the
instance of the "clock" are well-defined. All of the assumptions included in the
Ready predicate are either implicit in the Spectool model or are part of a globalinvariant called Proper_state that Spectool generates.
Nowto extract the abstract behavior of the latch, we simulate an arbitrary
instance ©inst of it in an arbitrary state ¢s satisfying the Ready assumptions
I otherwise We the simulation over one clock cycle;(for arbitrary @X).some run
we take the clock cycle to include the simulation cycle in which the clock goes
low ( bit '0') and the subsequent cycles until the clock has gone high (bit '1')
I and will go low in the next cycle. Note that this may include many morethan the two simulation cycles during which the clock goes low and goes high,
because there may be many signal assignments with zero delay that cause extra
I df-transitions. In the latch example this does not happen, however, so a clockcycle is two simulation cycles, and each simulation cycle may be thought of as
a single clock phase. Since the latch has a unit delay, it has a delay of one
clock phase. Spectool also allows a clock cycle to be divided into phases. So the
I VHDL latch corresponds to the Spectool latch if the number of phases in theSpectool model is two per cycle.
In order to see the full behavior of the VHDL latch, we must simulate the
I arbitrary instance for one and a half cycles to account for the one phase delay.We then ab tract the state by extracting only the values of the internal state
and output ports.
To give a hit more detail, we define the starting state to consist of an arbi-
I the that constitute the body of the latch instance,trary signal
state, processes
and a list of scheduled clock ticks:
I StartLatch s inst =. <<s,ENTITY_PROCS latch inst,[#I,#2,#3,#4,#5]>>
We define the abstraction function to take the current values of the state and
I output:
Latchhbs inst <<s,ps,ts>> =
!
m
m
MAP (CURRENTinsts) [latchstate,PORTNAME"latchout"] m
We make the Ready assumption: m
Ready '©s' '©inst' '©X'
And then reduce the expression: m
mLatchAbs ©inst (Iterate #3 Simulate (StartLatch ©s ©inst))
Here is the resulting expression for the internal state: m
II((CURRENTVAL (ADVANCE (#2) ©s)
(PORTCONNECT ©inst (PORTNAME ("control"))))
= (actionYAL set)) -> Im
(CURRENTVAL (ADVANCE (#2) ©s) |(PORTCONNECT ©inst (PORTNAME ("latchin")))
);
CURRENTVAL ©s (REALNAME ©inst ©s latchstate) m
Since our clock cycle starts in the clock high phase, after one unit of time has
elapsed the clock goes low, then after two units of time, the clock goes high. At
this point, if the value of the signal connected to "control" is "set", then the m
value of the signal connected to "latchin" will become the new state (after one m
more phase). Otherwise the new state is whatever it was in the initial state ©s.
Clio makes the above process easy and also saves the result as a theorem when •
given the following command: m
prove
= 'LatchAbs inst (Iterate #3 Simulate (StartLatch s inst))', iN
Ready 's' ' inst' 'X' m
Thus, to summarize, our abstraction method was:
• !1. Define an abstraction function that extracts the values of internal signalsand output, ports.
2. Assume the generic Ready predicate on arbitrary state and instance. m
3. Simulate the processes of the entity over one clock cycle and apply the m
abstraction function to the resulting state.
4. Express the results as a theorem, m
The method just presented seems complex, however, it is a standardized m
procedure and the steps are well supported by Clio. Thus we can make it into
a semi-automatic "cook-book" procedure, or, by extending the translator to m
have it automatically define the abstraction function and necessary Clio com- m
mands, make it a fully automatic, "push-button" procedure. Unfortunately,
even though this general procedure works (to some extent) for this simple latch, IB
drawbacks which make it ineffective for the compo- •it suffers from some severe
merits of the Scoreboard. We discuss these problems in the next section. m
!
m
!
7 Problems
I There is a flaw in the abstraction method used on the simple latch example
defined in the previous section. The theorem we derive says that the latch,
I when executed as the only active entity in an arbitrary state (satisfying the Readycondition) will exhibit the given abstract behavior. The theorem we want would
say that the latch processes, when executed in combination with an arbitrary set
I of additional process, in an arbitrary Ready state will exhibit the correct abstractbehavior. In fact, some non.interference condition on the additional processes
will, in general, be necessary to guarantee correct behavior. For example, we
might require that no other process may drive the signal to which the "latchout"
I is connected. But, even after assuming such a non-interference condition, ourmethod will not work.
The problem is that an arbitrary set of additional processes, even non-
I interfering ones, can generate an arbitrary number of 6-delays and hence anarbitrary number of simulation cycles during one clock cycle. Now, we may
argue that since the additional processes 'are non-interfering, the additional 6-
delays have no effect on the signals which are part of the abstract behavior of
I the latch. This is correct, but it must be formalized in order to make
argument
a proof.
We may choose to ignore this problem by reasoning that if we derive the
I correct abstract behavior of a component in isolation, then we can correctly usethis beh vio at the m e abstract level supported by Sp ctool when w connect
the components together. The justification for this would be a "meta-theorem"
I that a certain non-interference condition is sufficient. This "meta-theorem"could be proved inside or outside the system. It would be most desirable to
have a non-interference condition that could be checked syntactically. Then
the user could derive an abstract behavior for each entity, and the system could
I make the non-interference check. Then the user can proceed to derive and verifythe behavior of the composite system as if it had been described in Spectool
(or any other abstract HDL). If the non-interference condition permits standard
I design styles to pass, then this will still be a useful verification style.Proceeding on the assumption that the desired non-interference condition
and "meta-theorem" could be found, we continued deriving the abstract behav-
ior of the first major component of the Scoreboard, namely the "voterblock".
I Even in isolation, that is, simulating only processes,
when the voterblock in an
arbitrary state, we have a problem with 6-delays. The basic structure of the
voterblock (and all of the other components of the Scoreboard) is a pipeline
I which is written schematically in VHDL in figure 8.The schematic pipeline consists of five processes. The first responds with a
6-delay to any change in the inport, and copies to inreg (actually several one-
I bit in ports are concatenated to form an aggregate). The second stage latchesthe inreg intothe inbuf when the clock goes high, The third stage is sensitive
to any change in the inbuf and computes the ontbuf after another 6-delay. The
!
!
!
!
!
!
port ( inportin tl; outportout t2); m
signalinreg,inbuf,outbuf,outreg;
begin
inreg<= inport; i
inlatch:process m
begin
wait until clk=_1_; m
inbu_ <= inreg; m
end process; m
compute:process(inbuf)
begin moutbu_<= answers;
end process;
outlatch:process
begin Iwait until clk='l';
outreg<= outbuf;
end process; Ioutport<= out eg;
end
m
Figure 8: Schematic pipeline, m
l
!
!
!
!
fourth stage moves the outbuf into the outreg when clock is high. The final
I stage responds to any change in outreg and updates the outport after another&delay.
Now, even simulating this pipeline as the only collection of active processes,
I in an arbitrary state, we have the following problem. The signal connectedto i po t may hav an arbitrary waveform in its driver (or drivers). As we
simulate the pipeline, this waveform may cause the ±nport to change, and
this introduces another &delay due to the first stage of the pipeline. Because
I the computation "ofoutbuf is based on inbu:f, and inbu:f is clocked, the only
change to inpor_; that affects the results of the computation is the change that
happened just prior to elk = ' 1', but, again, this is another "meta-theorem".
In fact, the instance of this meta-theorem that we need can be derived by our
simulation method by considering cases. Since the pipeline is short, only a few
simulation cycles other than &cycles are needed. The waveform on the inport
I driver cannot change in two consecutive &cycles. So, there is a bound on thenumber of changes it can make. Even if this bound is as low as two, this still
leads to four simulation histories since it can either change or not change at
two points during the simulation, generating or not generating an extra &delay.
I Of course, the extra &delays are easily seen not to affect the final behavior,
so perhaps checking all the cases will not be too inefficient. This is wishful
thinking, as we have seen in practice. In fact, Cliogenerates all the cases as
I part of a large conditional expression. Unfortunately, the "voterblock" has notone but thirty-eight input ports, and the possible changes in th drivers of these
ports cause an exponential explosion of cases which Clio cannot handle.
If we rely on the second "recta-theorem" that says that multiple events on the
I ports are irrelevant and only the event just prior to the rising clock is relevant,
we may simplify the pipeline by combining the first two stages, deleting the
signal inreg and assigning inport (or, actually, a concatenation of in ports) to
I inbuf directly.
inlat ch: process
begin
I wait until clk=' I';inbuf <= inport;
end process;
I With this modification, we should have an equivalent VHDL entity.Will we still have problems with &delays? Based on our experience with
the "voterblock" we will not. In our first efforts to obtain the abstract behavior
I of the voterblock, we wanted to isolate what we felt were the key processes.Thes wer the compute and output stages of the pipeline, and particularly the
compute stage, which contained nested for-loops, case statements, and if-then-
else statements. Therefore we commented out the signal assignment statements
I which constituted the first stage of the pipeline. This meant that the final
values on the output ports would be functions of the values that were initially
!
in the registers corresponding to inregrather than functions of the values on i
the ports corresponding to inport. Once we were able to derive the outputs as •
a function of the stage one registers, inreg, we thought it would be easy to put I
the first stage of the pipeline back in place, since it consists of simple unclocked,
unconditional signal assignments of the form inreg <= port0_portl..._port7, B
and these assignments are essentially invariants.
Having removed the first stage of the pipeline, we were indeed able to derive
the behavior of the voterblock. Modifications to the semantics had to be made, t
including rewriting them to use conditional function updates, in order to handle |
the complicated compute stage of the pipeline. Once we accomplished this much,
with very little time left to complete our work, we were disappointed to discover
a major problem with what we thought would be an easy step. At this point I
we could have modified the VHDL code we were given to combine the first N
two stages of each pipeline as described above. Then, given more time than
we had left, we could have completed the verification. However, it would have •
been an unsatisfying accomplishment since the final proof would have contained |
two major gaps corresponding to the two unproved "meta-theorems" we relied
upon. Therefore, we used the time remaining to understand the problems and in
to propose some solutions to them, which we discuss in the next section. I
8 Proposed Solutions I
The problems we encountered were caused by two things. The first is the lack of
abstraction with respect to &delays. Since our basic state transition function,
Simulate, exposes the &delays, properties of runs that we assert may not be B
invariant under the insertion of additional &transitions. Even if the property
of a run is invariant in this sense, for example, a property that relates the state
at one rising clock edge to the state at the next rising clock edge, the proof by •
symbolic execution of a fixed number of iterations of Simulate will not be. I
The second cause is the lack of composability or monolonicity of the prop-
erties and their proofs. A property proved about a process in isolation, may
not hold when the process is combined with other processes. This second cause •
is related to the first, for under suitable non-interference conditions the only J
way that additional processes can affect the behavior of a given process is by
generating extra &transitions. •
To address the first cause, we would like to state all requirements in a 6- I
invariant way. A simple way to do that is to introduce the notions of a completed
state and the distance between two states. Recall that in our semantics, the basic
state .was defined: I
type STATE = <<SIGSTATE, [PROCESS], [TIME]>>
The third component is a list of times at which a simulation cycle will occur.
In particular, if the head of this list is zero, then the next simulation cycle is
!
|
a _-transition. If the head of the list is not zero, then all 6-transitions for this
I been Let us call such a state a completed state.point
in the run have completed.
In Caliban:
I C0HPLETED<<S,P,T>> = (hd T "= Zero)
As a special case, we will also call the first, uninitializedstate completed.
Next recall that there is an expression which we abbreviated CLOCKwhose
I value in state is the elapsed time on the global clock since the start of the
any
run. If S is a state, let ts be the value of this expression CLOCKin state S.
Then define the distance between two states, Sx and S_ to be the difference
I dist(S1, $2) = ts2 - ts,. In Caliban:
DIST S1 S2 = (CLOCKVALS2) #- (CLOCKVAL51)
CLOCKVAL<<S,P,T>> = EVAL TOP S CLOCK
I Since a 6-transition does not advance the global clock, the distance between two
states is not affected by the addition of such transitions.
I If S is a state and x is a name, let ,S'_stand for the current value of x instate . Consider single concurrent signal assignment statement:
i x<=y ;This translates to a single process, p, in our semantics. In any run starting from
a state S0 in which p is waiting and no.other process ever drives the signal x,
I we can see that S_ = S_ in any completed state S in the run. Informally, theproof is that initially Sx = S_, and if y does not change then neither will x since
no other process drives x, and if y does change, then the state is not completed
because p becomes active and generates a 6-transition after which the values of
I are The formal proof would be by induction on the position of
x and equal.Y
S in the run.
If we let N(z) stand for the requirement that a process does not drive x,
I and we let EQ(x, y) stand for the assertion just proved, that x and y are equali all completed states of a run, then we have proved a judgment of the form:
i p, g(x) _ EQ(x, y)
The meaning of this judgement is that any run of any collection of processes
which includes p will satisfy E(x,y) provided every process in the collection
I except p obeys the restriction N(x). This type of judgement is by it verydefini ion monotone under the addition of processes that satisfy the given non-
interference condition N(x). We might call EQ(x, y) and invariant equation.
I Consider next the assignment:
x <= y after 2 as;
!
!
• !
If this is translated as process q, and we impose the non-interference condition I
N(x) on the set of additional processes, then we can prove that in any run, if •
S 1 and S _ are completed states and the distance dist(S 1, S 2) between them is Im
.2ns, then S_ = Su1. If we call this assertion DEQ(x,y, 2) then we have the
judgement: I1
q, N(x) _ DEQ(z, y, 2) 1
We can call DEQ(x, y, n) a delayed invariant equation.
Such judgements can be combined, if we have: 1l
(p,A _ 6) ^ (q,B _ ¢)
and p satisfies the non-interference condition B and q satisfies the condition A, I
then:
[p, q], [A, B] _ ff A ¢
In the VHDL verification system we propose, the judgements for simple pro- l
cesses like the concurrent signal assignments could be generated automatically
and added as lemmas. Also non-interference conditions of the form "process p
does not drive signal x" can be checked syntactically and added as lemmas. In •
the "voterblock" of the Scoreboard, there were thirty-two processes. Of these, II
twenty-eight were simple concurrent signal assignments that could be handled
automatically. That leaves only four processes where computations were actu- Im
ally performed. We would like to be able to use the operational semantics to •
prove a new judgement for a process that the system cannot generate automat- lm
ically.
Suppose that process p is such a process that reads from signals x and y 1
and writes to signal z. If we simulate it in isolation on an arbitrary completed
state S 1 for some number of iterations of Simulate and reach a completed
state S 2 in which Sz2, the value of z in S 2, is some function, f(S1,Sly) of the •
values of x and y in state S 1. Then, in some sense, we have proved the delayed |
invariant DEQ(z, f(x, y), d) where d = dist(S l , S:). If n = [a, b, c, z] are all
the signals other that the input signals z and y that are read or written by
p during the simulation from S 1 to S 2, then our "meta-theorem" mentioned I
earlier says that as long as no other process interferes with any signal in L,
then p together with these non-interfering processes will guarantee the delayed
equation DEQ(z, f(x, y), d). Thus, we should have proved the judgement: I
p, N(L) _ DEQ(z, f(z, y), d)
For this kind of proof to be made rigorous, more work is needed, however l
the system we propose would have the advantages of both kinds of semantics, l
the operational and the logic based. The user would typically work at the
higher level of abstraction provided by tile judgements, but would be able to •
prove new judgements directly from the operational semantics when needed. |
In summary, we think that reasoning about processes and sets of processes by
!
!
!
!
i proving judgements about them that can be composed under non-interferencerestrictions is the best way to verify complex VHDL designs. The operational
model we have created gives a precise definition to the set of processes in a
VHDL design, provides a meaning for the judgements, and provides a way
I to prove new judgements. Thus, although we could not use our operationalsemantics to verify the Scoreboard, we think it is valuable.
I 9 Conclusions
As a method for re-verifying the Scoreboard design, the approach we took, of
I creating a general method for verifying VHDL designs, was too ambitious andw d d not comp ete t e verification. If we had translated the VHDL by h
into the Spectool model, we would have completed the verification, but the
connection between the Spectool model and the VHDL code would have been
I informal and there would have been a gap in the proof.In the end, we think that the work we did is more valuable than if we
had merely verified a particular design by ad hoc methods. Although we were
I discouraged by the problems we had in applying our methods to the Scoreboard,we now think tllat the approach proposed in the previous section, combining the
logic-based and operational methods, is very promising. At present, the most
I impressive results in hardware verification have been on devices with a centralclock in which all the components operate in lock step. No easily used methods
have been developed to handle systems with interacting, independently clocked
components such as a system containing a microprocessor, memory management
I unit, and Such systems can be conveniently described in VHDL
co-processors.
and the proposed verification system seems like a good way to reason about
them.
I As explained in the previous section, the operational semantics we definedwill be used as the basis of the proposed system. Also, without the experie ce
gained in trying to use a pure operational approach to verify a large VHDL
I design, we would not have been led to the proposed, mixed logic-based andoperational method. We have also exposed, in a real example, the pitfalls that
other formal methods practitioners must address, so we think that this report
will contribute to the state of the art.!
References
I William R. Bevier and William D. Young. "Machine Checked Proofs of the[|] Design and Implementation of a Fault-Tolerant Circuit". NASA Contractor
Report 182099, November 1990.
I [2] M. Bickford, C. Mills, and E.A. Schneider. "Clio: An Applicative
Language-Based Verification System". Technical Report TR 89-13, ORA
1 63
I
!
!
Corporation, 301A Harris B. Dates Drive, Ithaca, NY 14850, September n
• 1989. 1
[3] Boulton, Gordon, Gordon, Harrison, Herbert, and Van Tassel. "Experience
with embedding hardware description languages in HOL". Technical report, I
Computer Laboratory, University of Cambridge, Cambridge, UK, 1992. 1
[4] Ricky W. Butler. "NASA Langley's Research Program in Formal Methods".
In Proceedings of the Sizth Annual Conference on Computer Assurance, •
pages 157-162, June 1991.
[5] Avra Cohn. "Correctness Properties of the Viper BlockModel: The Sec-
ond Level". Technical Report 134, Computer Laboratory, University of n
Cambridge, Cambridge, U.K., May 1988.
[6] Warren A. Hunt. "FM8501: A Verified Microprocessor". In IFIP WG I
10.2 Workshop, From HDL to Guaranteed Correct Circuit Designs, pages •
85-114. North-Holland Publishing Co., 1986. B
[7] Dennis Morton. "Hardware Modeling and Top-down Design Using VHDL". •
Technical Report CSDL-T-1082, The Charles Stark Draper Laboratory, 555 I
Technology Square, Cambridge, MA 02139, June 1991. MS Thesis, MIT,
Cambridge, MA 02139. n
[8] Natarajan Shankar. "Mechanical Verification of a Schematic Byzantine U
Clock Synchronization Algorithm". NASA Contractor Report 4386, July
1991.
[9] Mandayam Srivas and Mark Bickford. "Formal Verification of a Pipelined i
Microprocessor". IEEE Software, September 1990.
Mandayam Srivas and Mark Bickford. "Spectool: A Computer-Aided Vet- n[10]
ification Tool for Hardware Designs, Final Report, Contract No. F30602- i
89-D-0096". Technical report, Rome Laboratory, Griffis AFB, NY 13441,
1991. Authors' affiliation: ORA Corporation, 301A Dates Drive, Ithaca, n
NY 14850.
[11] Mandayam Srivas and Mark Bickford. "Verification of the FtCayuga Fault-
Tolerant Microprocessor System Volume 1: A Case Study in Theorem l
Prover-Based Verification". NASA Contractor Report 4381, 1991. m
[12] Mandayam Srivas and Mark Bickford. "Moving Formal Methods into Prac- n
tice: Verifying the FTPP Scoreboard Phase 1 Results". NASA Contractor •
Report 189607, May 1992. i
[13] J. P. Van Tassel. "A Formalization of the VHDL Simulation Cycle". Tech- •
nical Report 249, Computer Laboratory, University of Cambridge, Cam- I
bridge, UK, 1992.
°" i
!
!
I
I
I
[14] John Van Tassel and David Hemmendinger. "Toward Formal Verification
I of VHDL Specifications". In Luc Claesen, ed, Applied Formal Methods ForCorrect VLSI Design, Leuven, Belgium, November 1989.
I
I
I
I
I
I
!
I
I
!
I
I
!
I
I
I
I
• |
I
I
I
I
I
I
I
• I
I
I
I
I
I
I
I
REPORT DOCUMENTATION PAGE Form ApprovedOMB No. 0704-0188
Public reporting burden for thi\ collection of Information IS estimated to average 1 hour per response. Including the time 10r reviewing instructions. searching eXisting data sources,
gathering and maintaining the data needed. and completing an~ revIewIng the collectIon of information. Send comments re~arding this ~urden estimate or any ott'ler aspect of this
collection of information. IncludIng suggestions for reducing thIS burden. to Washington HeadQuarters Services. Directorate or Information Operations and Reports, 1215 Jefferson
DavIS Highway. SUite 1204. Arlington. VA 22202-4302. and to the Office of Managerryent and BUdget. Paperwork Reduction Project (0704·01BB). Washington. DC 20503.
1. AGENCY USE ONLY (Leave blank) 12. REPORT DATE 13. REPORT TYPE AND DATES COVERED
Anril 5 1994 Contractor Report Jan 92
-
Dec q2
4. TITLE AND SUBTITLE 5. FUNDING NUMBERS
Formal Semantics For a Subset of VHDL and its use in
analysis of the FTPP Scoreboard circuit C-NASl-18972
TA-6
6. AUTHOR(S) WU 505-64-10-13
Mark Bickford
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) B. PERFORMING ORGANIZATION
REPORT NUMBER
Odyssey Research Associates, Inc.
301 Dates Drive
Ithaca, NY 14850-1326 TM-92-0045
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING
AGENCY REPORT NUMBER
NASA Langley Research Center
Hampton, VA 23665-5225 NASA CR-191577
11. SUPPLEMENTARY NOTES
Langley Technical Monitor: James L. Caldwell
12a. DISTRIBUTION / AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE
Unclassified ~ Unlimited
Subject Category: 62
13. ABSTRACT (Maximum 200 words)
In the first part of the report, we give a detailed description of an operational
semantics for a large subset of VHDL, the VHSIC Hardware Description Language.
The semantics is written in the functional language Caliban, similar to Haskell,
used by the theorem prover Clio. We also describe a translator from VHDL into
Caliban semantics and give some examples of its use. In the second part of the
report, we describe our experience in using the VHDL semantics to try to verify a
large VHDL design. We were not able to complete the verification due to certain
complexities of VHDL which we discuss. We propose a VHDL verification method
that addresses the problems we encountered but which builds on the operational
semantics described in the first part of the report.
14. SUBJECT TERMS 15. NUMBER OF PAGES
VHDL, Clio 6716. PRICE CODE
A04
17. SECURITY CLASSIFICATION 18. SECURITY CLASSIFICATION 19. SECURITY CLASSIFICATION 20. LIMITATION OF ABSTRACT
OF REPORT OF THIS PAGE OF ABSTRACT
UNCLASSIFIED UNCLASSIFIED UNCLASSIFIED
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
NSN 7540-01-280-5500 Standard Form 298 (Rev 2-89)
Presmb<>d by ANSI Std l39·18
I
I
I
I
I
!
!
I
I
I
i
I
i
I
I
I
I
I
I
!
i
i
i
I
I
I
I
I
I
I
I
I
i
I
I
I
I
I
I
I
• NASA Technical I
3 1176 01404 4870
I
I
I
i
I
I
I
I
I
I
I
I
I
I
. I
I
