HOP: a process model for synchronous hardware semantics, and experiments in process composition by Gopalakrishnan, Ganesh & Fujimoto, Richard M.
H O P  : A Process Model for Synchronous Hardware 
Semantics, and Experiments in Process Composition
Ganesh C. Gopalakrishnan Richard M . Fujimoto 
Venkatesh Akella and Narayana S. Mani
UUCS-88-012 
August 15, 1988
H O P: A  Process Model for Synchronous Hardware 
Semantics, and Experiments in Process Composition
G a n e s h  C . Gopalakrishnard , R ic h a r d  M .  F u jim o to ^  
Venkatesh Akella a n d  N a r a y a n a  S. Marti 
D e p t , o f  C o m p u te r  Science, University of Utah  
Salt L a k e  City, Utah  8 4 1 1 2 , U .S .A
Abstract. We present a language “Hardware viewed as Objects and Processes” (H OP) for 
specifying the structure, behavior, and timing of hardware systems. H O P  embodies a simple 
process model for lock-step synchronous processes. An absproc specification written in H O P  
describes the externally observable behavior of a process. A collection of absprocs may be 
composed to form a larger process, using the operators parallel composition, renaming, and 
hiding.
In this paper we present the communication primitives of H O P , illustrate H O P  through 
several examples, and then present its operational semantics. Then we present the role played 
by H O P  in in three VLSI design activities: (i) inferring concise behavioral descriptions of 
systems from their structural descriptions; (ii) static detection of control timing errors during 
behavioral inferrence; (iii) productive and runtime efficient functional simulation using the 
inferred behavior.
tSupported in part by the National Science Foundation via MIP-8710874 
tfSupported in part by O N R  Contract Number 00014-87K-0184
Note: Some portions of this paper will appear in the Proceedings of the 1988 Banff Work­
shop on Hardware Verification, Banff, Canada, June 1988 (to be published by Springer-Verlag).
C o n t e n t s
1 Introduction 1
1.1 Understanding the Modeling Philosophy of H O P ...............................................  2
1.2 Related W o r k ........................................................................................................ 4
2 Th e  H O P  Language 5
2.1 Specifying an A b sp ro c ......................................................................................... 6
2.1.1 Ports and Value Communication ...........................................................  7
2.1.2 Events........................................................................................................ 8
2.1.3 Data Path States......................................................................................  9
2.1.4 The Timing M o d e l ...................................................................................  9
2.1.5 An Example of an Absproc: A  Pipelined M em ory .................................  11
2.2 Specifying Realprocs and Vecprocs ....................................................................  12
3 Semantics of H O P  14
3.1 An Operational Semantics for H O P ....................................................................  14
3.1.1 Action Product.........................................................................................  16
3.1.2 Definition of the Transition Relation ................................................... 16
3.2 Section Sum m ary..................................................................................................  19
4 Illustration of P A R C O M P  20
4.1 What Exactly Does P A R C O M P  D o ? .................................................................  20
4.2 Illustration of P A R C O M P  on the Stack..............................................................  20
4.3 How Does P A R C O M P  W o r k ? .............................................................................  22
4.3.1 Lockstep Cross-product Automaton......................................................... 22
4.3.2 An Illustrative E x a m p le ..........................................................................  22
5 Experiments with P A R C O M P  27
5.1 Introducing Protocol Errors................................................................................  27
5.2 Pipelining the S t a c k ............................................................................................  28
5.3 Testing the Pipelined Stack, aided by P A R C O M P ............................................. 30
5.3.1 Detecting Timing Errors in Tester Processes Statically........................  32
5.3.2 Obtaining Symbolic Simulation Results Without Simulation............... 32
5.3.3 Building Partial Testers..........................................................................  32
5.3.4 Interpreted Realproc Simulator............................................................... 33
5.3.5 The use of Probe Processes ....................................................................  33
5.3.6 Checking for Representation Invariants................................................... 34
6 A  Divide-and-conquer P A R C O M P ,  P A R C O M P - D C  34
7 Sum m ary of the Paper 36 
A  Appendix 41
ii
A.l A  Specification of P A R C O M P ..............................................................................  41
A .2 A  Brief Description of the H O P  Design System ................................................. 42
L i s t  o f  F i g u r e s
1 The Skeleton of an Absproc Specification...........................................................  5
2 The Skeleton of an Realproc Specification ........................................................  6
3 The Skeleton of a Vecproc Specification..............................................................  6
4 Use of Data Assertions and Queries for Value Communication........................ 7
5 Specifications of a Mem ory................................................................................... 10
6 Depiction of the P R O T O C O L  Specification of M E M  ....................................... 11
7 Stack’s Submodules:- CTR: An up/down counter; SCTL: Stack Controller . . 13
8 Schematic of the Realproc of a S tac k .................................................................  14
9 Realproc of a Stack............................................................................................... 15
10 Definition of Action Product in H O P .................................................................  16
11 An Example H O P  Specification..........................................................................  19
12 Temporal Logic Equivalent of the Example H O P  Specification........................ 19
13 Absproc Automatically Inferred from stkreal using P A R C O M P ........................ 21
14 Processes A, B, and A B ......................................................................................  23
15 The Realization of the System A B .......................................................................  24
16 Inferred Behavior of the Stack using an Erroneous S C T L ................................. 27
17 The Pipelined Stack Controller..........................................................................  28
18 Inferred Behavior of the Pipelined Stack (one that uses P C T L ) ........................  29
19 A  Tester Process for the Pipelined S tack ...........................................................  30
20 Composition of the Tester and the Testee (the pipelined Stack)........................ 31
21 Divide and Conquer P A R C O M P ..........................................................................  35
22 Data Flow Diagram of the H O P  Design System ................................................ 43
iii
1  I n t r o d u c t i o n
The use of formal specifications for specifying, verifying, manually designing, and automat­
ically synthesizing hardware systems is becoming widespread. Not only are there different 
formal specification languages, but also there are a number of different formalisms in use: 
Functional Programming [21,35] Prolog [38], Petri Nets [7], Temporal Logic [4], various Calculii 
of Communicating Systems [26,16] Trace Theory [36], Higher Order Logic [6,22], Algebraic 
Specifications and Equational Techniques [14,37,32], Synchronized Transition Systems [9], and 
Path Expressions [1], to name a few. Enough impressive results have been demonstrated to 
justify the use of formal specifications for VLSI design. However, as will be discussed momen­
tarily, many problems in the use of formal specifications for VLSI design remain unsolved. 
More importantly, many indirect benefits of writing formal specifications— especially for un­
ambiguous documentation of designs, supporting design automation activities, etc.— have not 
been emphasized enough.
In this paper, we present a simple and formal Hardware Description Language (HDL) 
“H O P ” (Hardware viewed as Objects and Processes), and present its role in three VLSI 
design activities: (i) inferring concise behavioral descriptions of systems from their structural 
descriptions; this is done using an algorithm called P A R C O M P ; (ii) the detection of control 
timing errors during behavioral inference; (iii) productive and runtime efficient functional 
simulation using the inferred behavior. The main contributions of this work are believed to 
be: (i) doing the above three tasks by capitalizing on the the formal semantic rules of the 
language H O P ; (ii) demonstrating the utility of these ideas on a working implementation of 
H O P  and P A R C O M P .
Despite being a formal specification language, H O P  specifications are easy to understand. 
H O P  can intuitively model the intricate timing protocols that synchronous hardware systems 
exhibit. It can model commonly used structures in VLSI, such as through connections and reg­
ular arrays, directly. It has the ability to highlight timing/control aspects, and function/data 
aspects separately, so that designers may focus on one aspect at a time. Last, but not the 
least, H O P  has a simple semantics that can be exploited for doing P A R C O M P , functional 
simulation, and design verification.
W e  now present the motivation for designing H O P , and our specific results to date.
M o t iv a t io n
Specifying the timing protocols and the functional behavior of synchronous systems with 
clarity is quite important. More importantly, the functional details are also intricately inter­
woven with timing. The examples in this paper are chosen to illustrate the clarity with which 
H O P  can specify such intricate behaviors.
It has been reported that the complete formal verification of even extremely simple ICs is 
at present a challenging task [8]. More importantly, impressive results with theorem provers 
have almost always been exhibited by persons who played a major role in developing the 
theorem prover (and hence knew its innards)— not by end-users of theorem provers. Until 
these situations change significantly, the main uses of formal specifications will be for its 
indirect benefits— better understanding of designs, better communication among hardware 
designers and systems-software writers, and support for specification-driven design automation 
activities. In this paper, we focus on such indirect benefits of using HOP .
1
•  Section 2 presents the H O P  language, and illustrates the various language concepts 
introduced through the example of a simple stack.
•  Section 3 presents the operational semantics of HOP. (Note: If the reader were to feel 
intimidated by the formal notation in this section, then he/she may read this section 
cursorily without much loss.)
•  Section 4 illustrates P A R C O M P  on a simple example, and also illustrates how each rule 
of the the operational semantics are used.
•  Section 5 presents various experiments conducted using P A R C O M P . First, we present 
the result of performing P A R C O M P  on the stack module. W e  then deliberately intro­
duce errors into the stack controller, and show how P A R C O M P  can (often) reveal these 
errors. W e  then show how the stack may be pipelined, and present the behavior of the 
pipelined stack inferred using P A R C O M P . W e  also show how P A R C O M P  can be used 
to make functional simulation more productive and efficient.
•  Section 6 presents a divide-and-conquer version of P A R C O M P . This technique exploits 
two disparate facts: (i) that the P A R C O M P  operator is commutative and associative;
(ii) that VLSI systems have a high replication factor— i.e. the ratio of the total number 
of modules to the number of different modules.
•  Section 7 presents our conclusions; In appendix A .2, we briefly describe the H O P  design 
system that was used to produce the results reported.
1.1 Understanding the Modeling Philosophy of H O P
One significant aspect of H O P  is that it emphasizes the use of abstract data types for hardware 
modeling. This was motivated by the positive results from the first author’s past work with 
the SBL language [14,10,11]. W e  now present through a simple example the essence of HOP.
Consider a stack data type implementation that uses a counter to implement the stack 
pointer and a memory array to implement the stack locations. If such a stack were to be 
specified as a “software data type” , the definitions of the stack operations (say push, pop, 
and top) would be provided via functional expressions that use operators on the stack pointer 
and memory types. The stack state would be modeled as a tuple < ctr,mem >, consisting 
of the counter and memory states. The operation push can be modeled via the functional 
expression:
push(< mem,ctr > ,u) -^ =< write(mem,read(ctr),v),addl(ctr) > .
This says that the memory state should advance to write(mem,read(ctr),v) and that the 
counter state should advance to add\(ctr). This view of hardware systems— that they imple­
ment a collection of intuitive to grasp mathematical functions— is also taken in [21].
As we showed in our past work with SBL, these kinds of specifications may be implemented 
in hardware by synthesizing controller modules that “fire” the operations write, read, add 1, 
etc. in an applicative order (actually the in situ evaluation order [13], which is slightly more
Specific Results Reported, and Organization of the Paper
2
restrictive than the applicative order). However for this technique to be widely applicable, 
it should be possible to view a wide variety of hardware systems as data types. This isn’t 
natural often, especially where control aspects dominate. More seriously, the “software data 
type like” approach does not permit the specification of complex timings naturally, although 
it has been attempted [10,34].
T h e  C o n c e p t o f  “ M o d e s  o f  B e h a v io r”
H O P  takes a crucial departure from the functional/data-type view of hardware. Rather than 
considering data-type operations, or functions, we focus on modes of behavior. A  modes of 
behavior is a more general notion than that of an operation. It is like a trace of [17]. A  mode 
of behavior is best characterized as a finitely describable (and often finite) sequence of events, 
data input actions, and data output actions.
For example, consider a memory data type that has a read operation. A  realization of the 
memory has many possible (depending on design decisions such as pipelining etc.) read modes 
of behaviors. One such mode of behavior consist of a read trigger event, a data input action 
corresponding to the supply of address, and a data output action corresponding to the output 
of the read data. These three actions may come in any order, with the only constraint that 
the zth read event trigger and zth address input must precede the zth data output. Clearly, 
many different modes of behavior are admitted by this (rather loose) constraint. For example, 
a memory with a pipelined implementation of the read operation defines one specific mode of 
behavior for read. A  memory that queues upto (say) 12 read requests before it outputs any 
data item, defines another mode of behavior. So not only do we need mathematical functions 
to define I /O  mappings from states and inputs to new states and outputs, but we also need 
a way to capture the timings involved. The functions and their inputs and outputs must be 
inter-woven with the timing aspects of the mode of behavior.
S p e c ify in g  M o d e s  o f B e h a v io r  in  H O P
H O P  is intended to capture modes of behavior directly. It does so by introducing a protocol 
specification section. Let us understand the way protocol sections are written. Consider the 
pipelined read operation, again. One of the most natural ways of explaining the behavior 
of such an operation to a person is by drawing the picture of a Deterministic Finite-state 
Automaton (DFA). One may ask, “why not use DFAs directly for specifying hardware”?
This question is being considered mainly for two reasons. For one, in this paper we 
portray H O P  process specifications through “DFA-like graphs”, and we want to avoid the 
readers trivializing H O P  as a DFA  specification language. For another, it is widely known 
from human studies that explaining a new concept by first presenting a related but much 
weaker concept, and then showing that such a concept won’t suffice, is very effective.
The following are some of the important reasons:
•  DFA  based languages cannot handle data related aspects well; modeling data path states 
cis automaton states results in an explosion of the number of states. In contrast, in H O P  
we use high-level abstract data type (A D T ) objects to model data related aspects. Only 
control states are explicitly modeled. Data related aspects are captured by annotating 
the control graph. By doing so, both the data and control related aspects of a system 
are completely specified at a high level.
3
• The use of ADTs in HOP addresses systems engineering issues such as reported in [3]. 
Hardware systems are developed over a long time, and initially, only the “what” aspects 
(requirements) on the system’s behavior are known. High-level ADTs can be used to 
write a requirements specification of the system—and refined later when design details 
become known. These benefits are not available if DFA based models are used.
•  Similar to the act of introducing ADTs, HOP allows writing requirements specifications 
for the temporal aspects of a system using the concept of events.
•  HOP’s process model addresses design issues such as the connection of modules via 
busses, as well as the related issue of sirengtiis[5].
•  HOP’s process model is based on the three fundamental operations of hierarchical system  
design— composition, hiding, and renaming—as identified by Milner[29]. Since HOP is 
a high-level specification language for synchronous systems, the study of these (and 
related) operations provides a design theory for synchronous VLSI systems.
• Despite basing HOP on the above elementary mathematical operators, we do not propose 
that users program directly using these operators. Instead, in the HOP language we 
provide high level constructs that could be easily translated to a (much larger and 
relatively very low level) description using these elementary operators. Thus, ease of use 
as well as formal semantics are both provided.
1 . 2  R e l a t e d  W o r k
We compare HOP with other works on two aspects: (i) in its capability to specify complex 
timing and functional behaviors; (ii) in its capacity to perform PARCOMP, simulation based 
on PARCOMP, and the detection of control timing errors. Many features of HOP have been 
omitted here, but have been reported elsewhere[12].
HOP is close in some respects to the work of Milne [26]. The main differences with it are 
the following:
1. In HOP, value communication has been decoupled from synchronization. The advantages 
of doing so are discussed in section 2.
2. We emphasis the modeling of value communications and data path state changes in 
a simple, yet powerful, abstract data type oriented functional language. This is not 
addressed in [26].
3. HOP adopts a specific timing model—that of lock-step synchronous processes. HOP 
processes are deterministic. These decisions contribute directly to the simplicity of the 
language and makes specification driven design more practical.
On the other hand, Circal includes primitives that are more elementary, and hence more 
powerful at the expense of being of lower-level.
4. HOP is well suited for describing synchronous hardware systems. A large majority of 
VLSI systems are synchronous. In this realm, we have conducted a more thorough 
investigation of many practical aspects of VLSI design.
4
ABSPROC <ModuleName> [<formal params pertaining to sizes & types>]
CONST <list of constants of the same value>
TYPE <list of type identifiers of the same type>
PORT <list of ports of the same type>
CLOCK <a clock agent and the ports imported from it>
EVENT <events and their encodings in terms of port values>
PROTOCOL <a list of process definitions>
DEFUN <a list of function definitions>
END <ModuleName>
Figure 1: The Skeleton of an Absproc Specification
HOP is different from more traditional languages (e.g. VHDL[18], Karl[30], and ISPS[2]) 
in many ways, the most important being the following: (i) HOP is much simpler than these 
languages, and has an equally simple formal semantic definition; (ii) The view of hardware 
as communicating processes is attractive in many ways than modeling hardware behavior 
through traditional imperative constructs (procedural or non-procedural descriptions). By 
creating HOP, we are not discarding or ignoring ongoing efforts towards developing standard 
HDLs such as VHDL. Our objective is to experiment with interesting ideas not present in 
such standard languages, and the results may one day benefit future versions of VHDL.
PARCOMP, as well as its planned uses, are similar to the work reported in [15], and 
to the idea of constructive simulation reported in [27]. However our work is done for a 
much higher level language that includes user-defined abstract data types. Our algorithm 
embodies useful static checks of timing protocols. Our algorithm capitalizes on the structural 
information (specifically, knowledge about events that are completely hidden within a module) 
to save on computation time. This is accomplished thus (explained in detail later): “states 
reachable via transitions labeled by unsynchronized and hidden events are never visited, and 
consequently the search-space is pruned.” Further, we have developed a version of PARCOMP 
called PARCOMP-DC that can exploit the regularity of vecprocs using a divide-and-conquer 
technique (section 6). Finally, PARCOMP can be used to save the time of simulation; we 
can perform a “pre simulation” of the tester and the testee using PARCOMP, and run the 
resultant process. These computational-effort saving measures are believed to be new.
2  T h e  H O P  L a n g u a g e
The basic unit of specification in HOP is the module. The external attributes of a module
• Zero or more uni- or bi-directional data ports;
• Zero or more uni-directional events;
• An external protocol specification.
A module specified as a black box is called an absproc, standing for abstract process. 
The skeleton of an ABSPROC is shown in figure 1. A module specified as a network of 
subprocesses is called a realproc, the skeleton of which appears in figure 2. (Note: For ease of
5
REALPROC <ModuleName> [<formal params pertaining to sizes ft types>]
CONST <list of constants of the same value>
TYPE <list of type identifiers of the same type>
PORT <the external ports of the module being defined>
SUBPROCESS instantiations of prev. defined abs/real/vec processes>
CONNECT <the set of interconnections among the subprocesses>
END <ModuleName>
Figure 2: The Skeleton of an Realproc Specification
VECPROC <ModuleName> [<formal params pertaining to sizes ft types>]
CONST <list of constants of the same value>
TYPE <list of type identifiers of the same type>
PORT <the external ports of the module being defined>
SUBPROCESS instantiations of prev. defined abs/real/vec processes>
DIMENSIONS <the SIZES of each dimensions of regularity>
CONNECT interconnections betn. subprocesses, via recurrence eqns.>
END <ModuleName>
Figure 3: The Skeleton of a Vecproc Specification
parsing, currently we use a lisp-like syntax for HOP; we have hand edited alm ost all syntactic 
descriptions in this paper to an easier-to-understand higher-level syntax.)
Since topologically regular realprocs (e.g. single and two-dimensional arrays of modules) 
occur very frequently in practice, we identify a sub-category of realprocs called vecprocs (fig­
ure 3). Vecprocs in HOP may best be regarded as “arhythmic arrays”—geometrically regular 
arrays in which computations aren’t necessarily regular, or rhythmic, as in systolic arrays. A 
divide-and-conquer version of PARCOMP has been developed for Vecprocs (section 6).
A realproc is built using one or more absprocs by connecting some of the ports and events 
of the absprocs, by composing the external protocols of the absprocs, and by internalizing 
(hiding) some of the events and ports of the absprocs. A syntactically sugered notation  
(DATANODE and EVENTNODE ) mitigates the burden of specifying the renaming  and hiding  ([29]) 
information for large systems. A vecproc is essentially built in the same fashion; however a 
notation based on recurrence relations is provided to easily specify the regular placement of 
modules as well as regular interconnections among them.
We now examine the specification of an absproc in detail.
2 . 1  S p e c i f y i n g  a n  A b s p r o c
An absproc is specified by its ports, its events, and its protocol.
2.1.1 Ports and Value Com m unication
6
x o f C 1 s y o f 
C2 = 1 u b ( E 1 , E2)
U
E. g.  of  i l i t  l i c e  
f or  c o m p u t i n g  l u b
Figure 4: Use of Data Assertions and Queries for Value Communication
The mechanism of synchronized communication as used in [26] does not accurately model the 
value communication in hardware systems. As an example, consider figure 4 which depicts 
a system consisting of two producer processes P i  and P 2 that can communicate with two 
consumer processes C l and C 2 over a bus. In this system, it is perfectly acceptable to seek the 
value on the bus while there are no simultaneous writers, or vice versa. (The former case could 
arise in VLSI where the bus has a “pull-up transistor”, for example.) It is even permissible to 
have two simultaneously active data assertions (say, with compatible “strengths” [5]) on the
In HOP, value communication is performed through a mechanism called data assertions 
and queries. A data assertion, written as !p=E , binds an individual variable p representing the 
output port to the value E at the time the data assertion is made. In general, data assertions 
are of the form !p*E until e, where e is a future event, where the until operator has the 
same meaning as the until operator of temporal logic. (Events are discussed shortly.) The 
lack of an assertion can be modeled by the assertion !p=Z, where Z denotes high impedance. 
(For a bus with a pull-up transistor, the assertion !p*weakl may be used.)
A data query, written as x=?q, binds x to the value bound to the input port  q at the time 
the query is made. Multiple data assertions (as in bus connections) end up asserting the least 
upper bound (LUB) of the asserted values on the port. For handling multiple data assertions, 
the type of values communicable via ports in HOP must be organized into a strength lattice
[5]. For example the bit type  of HOP includes the weakest value Z (high-impedance), truth 
values T and F, an unknown value U, and the most dominant value E, error. T,F, and U are 
incomparable amongst themselves and lie in-between Z and E. This lattice may also contain 
other values, such as weakl and weakO.
The above mechanism of data assertions can be extended for modeling bidirectional devices 
such as pass transistors, ignoring threshold drops. This is done exactly as done in HOL[6],
7
by asserting that the source and drain nodes are have the same value if  the gate is held at 
T. Thus, data assertions and queries permit the relational style  of specification (i.e. non- 
directional interactions) for modeling bidirectional devices.
A dvantages o f D ata  A ssertions and Queries
By having two processes interaction mechanisms (events and data assertions) we have es­
sentially separated synchronization from communication. We now show through an example 
that this separation is advantageous for hardware modeling. Consider a counter with two 
commands reset and up that are triggered via events with the same names. After the counter 
has been subject to the reset event and until it is subject to the up event, it asserts a data 
of 0 on its output port. The process that is responsible for the reset and the up events can, 
after it has applied the reset event (but before it has applied the up event) safely assume that 
the output will be well-defined (and equal to zero) and sample this output as many times as 
it wishes, without any participation of the counter. In contrast, if value communication were 
bundled up with rendezvous—as is the case with CSP, CCS, and Circal, the counter would 
have to actually rendezvous, causing the counter process to make progress in its computation. 
The writer of the counter process thus has to anticipate all possible places where such ren­
dezvous are possible, and make provisions for them in the specification. Our experience is that 
this renders hardware specifications unnatural and more complicated. In contrast, with data 
assertions, once the counter has asserted 0 on its output, it has “discharged all its duties”.
The spirit in which this extension to communication mechanisms was made, is similar to 
the extension made by Martin to CSP to include Probes [24]. Both these mechanisms show 
that concurrency constructs developed for concurrent software modeling may not be the best 
possible ones for hardware modeling.
2.1.2 Events
Events are of two kinds: input, and output. An input event e (written Ie) denotes a condition 
that a module senses via wires. An output event e (written Oe) denotes a condition that a 
module generates via wires. Most modules have, at every point in time, a set of events GE 
( “good events”) that would steer the module into well defined modes of activity. Modules also 
have, at every point in time, a set of events BE ( “bad events”) for which they do not have 
any useful behavior defined. We call the GEs at every point in time as the “synchronization 
points” of the module.
Events help in making implicit synchronization points explicit. For illustration, consider 
a clocked synchronous system supporting multiple operations. In traditional designs of syn­
chronous systems, the completion of an operation is not explicitly notified, but is tacitly 
assumed after the elapse of a certain interval of time from the start of the operation. However 
this approach is worse than hard-wiring literal constants in programs leading to programs that 
are hard to debug or modify. A better approach would be to encourage the writers of module 
specifications to “highlight” these synchronization points by introducing events. These events 
may be thought of as being implemented by fictitious control and status wires.
Events have a conceptual reality even at very early stages of the design; however they attain 
implementational reality (e.g. “should an event be represented in unary, or in binary?”, etc.) 
only much later. The latter decision is influenced by the nature of the controller, and this is
8
typically decided much later in a design life-cycle.
Some of the advantages of using events are:
1. It becomes possible to statically check for sequencing errors. We show some examples 
in section 4.
2. It highlights the allowed modes of usage of a module. Hardware specifications must not 
merely attempt to model hardware as it is; rather they must model hardware as it is 
expected  to  be used. Hardware systems have astronomically more useless combinations 
of inputs (as well as sequences of combinations of inputs) than useful ones.
3. As digital designs evolve, the events that were originally thought to represent fictitious 
control wires may be implemented as combinations of control signals and clocks. Combi­
national logic necessary to decode these combinations and raise the corresponding input 
event will be tacitly assumed, and not modeled explicitly. This is of advantage on two 
occasions: (i) when these encodings haven’t been decided; (ii) in later stages of a design, 
when these encodings would be excess baggage to carry around.
4. Event connections between modules is achieved via renaming. The actual implemen­
tation of renaming is through combinational logic that translates a condition in one 
module to a condition in another. This could pave the way for the synthesis of “glue 
logic” that connect modules. This connection between a language operator (renaming) 
and its hardware interpretation (glue logic) is natural.
2.1.3 D ata  P ath  States
In the specification of an absproc, the data path state of the system being specified can 
be modeled using an appropriate high-level ADT. In our experience, (and as illustrated by 
the Roll Back Chip [12]), the use of ADTs having simple definitions can make reference 
specifications far more reliable and easier to  understand.
2.1.4 T he T im ing M odel
Time is a way to order events. In HOP, processes are lockstep synchronous. Therefore the 
time of every process advances at the same rate, and thus the event ordering we have can 
be described via three relations: simultaneous, before, and after. A HOP specification may 
or may not refer to a central clock depending on whether it models a clocked synchronous 
system or a unit-delay combinational system. Currently we do not have the ability to model 
some subsystems at the unit-delay combinational level, and the remaining subsystems at the 
clocked level. We hope to add this capability later on, by specifying clock periods to be fixed 
integral multiples of unit-delays (an idea proposed in [19]).
In later versions of HOP, we will provide a “clock library”, i.e. an expandable library 
of various clocking schemes. Each entry in this library would specify a clock generator of a 
certain kind; for instance there would be a two-phase clock generator in this library.
2.1.5 An Exam ple of an Absproc: A Pipelined M em ory
9
in t  ] — Note-0
—  This is a comment.
ABSPROC MEM [ address.size, data.size 
TYPE
addressType = 0 .. address.size - 1 
dataType ■ 0 .. data_size - 1 
memoryType ■ array[addressType] of dataType 
PORT
?din, !dout : array [data_size] of bit 
?ain : array [address.size] of bit 
EVENT
Imnop, Iread, Iwrite ■ TBD 
PROTOCOL
MEM [ms : memoryType] <=
Imnop -> MEM [ms]
I Iwrite, va=?addr, vd=?din -> MEM [write(ms,va,vd)] 
I Iread, va=?addr -> MEMl[ms, va] — ‘—  Note-1
MEM1 [ms : memoryType, oa : addressType] <=
Imnop, !dout=read(ms,oa) -> MEM [ms]
I Iwrite, na=?addr, vd=?din,
!dout=read(ms,oa) -> MEM [write(ms,na,vd)]
I Iread, na=?addr, !dout=read(ms,oa) -> MEMl[ms, na]
DEFUN
write m : memoryType, a: addressType, d:dataType -> ml : memoryType 
IF (> addr memSize)
(print "Illegal memory address")
(error-obj memType) —  Note-2
ELSE (update-vector memType m a d )  —  Note-3
read :: m : memoryType, a: addressType -> d : dataType 
IF (> addr memSize)
(print "Illegal memory address")
(error-obj int) —  Note-2






Upper and Lower Cases are Treated the Same in HOP. 
write (defined in DEFUN) computes the new data path state, 
error-obj is supported for memoryType by our ADT library 
index-vector and update-vector supported by memoryType 
which is defined in ADT Library.
Figure 5: Specifications of a Memory
10

by the unasserted combination of the read and write controls) causes MEM to go back to its 
top control state; event Iwrite when asserted from outside must be accompanied by data 
assertions va on the ?addr bus, and vd on the data bus ?din. It causes MEM to go back to 
the control state MEM; however its datapath state changes to write (ms ,va,vd). Event Iread 
must be accompanied by a data assertion va on port ?addr. The next control state attained
In control state MEM1, process MEM1 is in data path state [ms ,oa]. It again offers the choice 
of three events. However note that while waiting here, the data assertion ! dout=read(ms, oa) 
is made (this is the pipelining effect). This assertion corresponds to the result of the previously 
requested read. A  Iwrite or Imnop takes MEM1 back to MEM; however while reads keep coming,
If this memory were to be used in a clocked system, the events Iw rite , Iread, etc. would 
be generated at the appropriate clock phases. Thus, details such as multiphase clocking would 
be described in the EVENT section of an ABSPROC by replacing the “TBD”s by boolean
We assume that Imnop is a special event that is asserted if none of the other events are 
asserted. Such an event exists in most modules, and should be defined to be the “unasserted
A realproc specifies a system’s realization. As an example let us use the memory unit in 
figure 5 to build a stack using an absproc CTR to implement the stack pointer and a controller 
SCTL to control the stack. The design of the stack would be specified by writing a realproc 
specification, as shown in figure 9. This specification captures the schematic shown in figure 8. 
Let us now discuss the sections that are important to highlight the roles played by a Realproc.
In the PORT and EVENT sections, the external ports and events of the realproc are 
declared. All other ports and events are assumed to be internal, and hence hidden from the
In the SUBPROCESS section of a Realproc, previously specified abs/real/vec processes 
are instantiated to the required sizes as well as types. For example we could now instantiate a 
generic stack to be a stack over bytes. The subprocesses themselves are described in figure 7. 
We present only the PROTOCOL section of the subprocesses. In the CONNECT section, 
interconnections between ports as well as events among the submodules, and between the 
submodules and the external ports/events of the stack are specified. Semantically, connections 
are treated as renamings, in the style of [29]. That is, connected entities are renamed to
Let us look at the first two lines of the DATANODE subsection of the CONNECT section. 
(The remainder of the realproc is similar.) The node that connects ?cdo of MEM and !cdo 
of CTR is hidden. The ?din port of MEM connects to ?din of the stack.
12
CTR [cs] <* Icnop, !cdo*cs -> CTR [cs]
I Iload, vdin=?cdi -> CTR [vdin]
I Iup, !cdo»cs -> CTR [addl(cs)]
I Idovn, !cdo«cs -> CTR [subl(cs)]
Idown 
Icdo s cs 
[subl (cs)]





SCTL <= Isnop, Omnop, Ocnop -> SCTL
1 Ireset, Omnop, Ocnop -> Oload, Omnop -> SCTL
1 Ipush, Omnop, Ocnop -> Oup, Omnop -> Ovrite , Ocnop
-> SCTL
1 Ipop, Omnop, Ocnop -> Odovn, Omnop -> SCTL
1 Itop, Omnop, Ocnop -> Oread, Ocnop -> Omnop, Ocnop
—  Note: All the ''nop'' events have to be specified in the present version












Figure 8: Schematic of the Realproc of a Stack
3  S e m a n t i c s  o f  H O P
3 . 1  A n  O p e r a t i o n a l  S e m a n t i c s  f o r  H O P
In this section, we provide an operational semantics for HOP, using many of the conventions 
presented by Plotkin [33] for writing operational definitions. In addition to describing HOP 
unambiguously, these rules form the basis for implementing design tools based on HOP. For 
instance, PARCOMP is written by following these operational rules. Towards the end of this 
section, we also briefly touch upon the subject of viewing HOP specifications as Temporal 
Logic formulae.
It is a common convention when providing semantic definitions to take an abstract syntax 
of the language in question. The (hopefully obvious) translation from the real syntax  to the 
abstract syntax  is not discussed. Also, we do not have space here to summarize the style of 
writing operational definitions as presented by Plotkin [33], but let us capture the main idea. 
When writing operational definitions in this style, we try to provide definitions directly using 
the syntax of the language, through certain “symbol pushing” rules. These rules are to be 
justified independently using a denotational or axiomatic semantics; however once so justified, 
the operational “symbol pushing” rules which are usually much simpler can be used in the 
day-to-day use of the semantics. This is precisely our approach. This is why we have provided 
a temporal logic based semantics for HOP to match the operational rules presented here. A 
brief discussion appears at the end of this section. (Readers who find this section hard may 
cursorily read it.)
The operational meaning of a HOP process is its transition relation ^ =  Proc x act x Proc  
where the domain of actions for a process is act and that of processes is Proc. This relation 
is defined via structural induction using the notation where ante is an already defined 
HOP process (the “antecedent”), and conse (the “consequent”) introduces the next syntactic
14
REALPROC stack [<various size k type parameters>]
PORT
?cdi, ?din, !dout : <suitable types>
EVENT
Ireset, Ipush, Ipop, Itop, Inop ■ TBD 
SUBPROCESS —  Note-4
MEM : mem [<actual size parameters>]





HIDDEN CONNECTS ((MEM ?cdo) (CTR !cdo))
?din CONNECTS ((MEM ?din))
?cdi CONNECTS ((CTR ?cdi))
!dout CONNECTS ((MEM fdout))
EVENTNODE
—  Notes-2,3
HIDDEN CONNECTS ((MEM Imnop) (SCTL Omnop))
HIDDEN CONNECTS ((MEM Iread) (SCTL Oread))
HIDDEN CONNECTS ((MEM Iwrite) (SCTL Ovrite))
HIDDEN CONNECTS ((CTR Icnop) (SCTL Ocnop))
HIDDEN CONNECTS ((CTR Iload) (SCTL Oload))
HIDDEN CONNECTS ((CTR Iup) (SCTL Oup))
HIDDEN CONNECTS ((CTR Idown) (SCTL Odown))
Ipush CONNECTS ((SCTL Ipush))
Ireset CONNECTS ((SCTL Ireset))
Ipop CONNECTS ((SCTL Ipop))
Itop CONNECTS ((SCTL Itop))
Inop CONNECTS ((SCTL Isnop))
END stack
— Note-1: Each line of form <extport>/<hidden> CONNECTS <ports>
— Note-2: Each line of form <extevent>/<hidden> CONNECTS <events> 
— Note-3: Currently we have to specify even “obvious defaults’*.
—  Later such defaults (such as unasserted values of events etc.)
—  will be automatically provided.
— Note-4: In general module instance names and module type names
—  are different. Here they are the same. E.g. SCTL and sctl.
Figure 9: Realproc of a Stack
15
I e , Ie => Ie (1)
Ie, Oe => Oe (2)
Oe, Oe => Oe (3)
Oidle,  e => e (4)
!?=  Ely \ p =  E 2 => \p =  bus (E \ ,E i ) (5)
Figure 10: Definition of Action Product in HOP 
category of processes th a t has not been defined so far.
3.1.1 A ctio n  P ro d u ct
Action product captures how simultaneous actions (events and da ta  actions) interact.
An input event I e  represents a logical condition th a t is awaited (a t some time) by a module. 
An output event Oe represents the assertion of a logical condition a t a particular tim e instant. 
Event product, w ritten e l,e 2  captures how two simultaneous events interact.
As an example, the rule I e ,  O e  =$ O e  of figure 10 says th a t if a module awaits an input 
condition I e  and simultaneously another module asserts an ou tpu t condition Oe, the result 
is as if Oe is alone produced a t th a t moment. One may ask “what happened to  7e”? The 
answer is: “it got satisfied by the assertion Oe” ; in other words, I e  got synchronized with O e .  
This fact, when taken along with the way in which the rules of Hiding  are defined later, will 
show us th a t the process th a t was awaiting Ie  will make progress.
D ata  actions have only one simplification rule defined for them  by action product: when 
two different da ta  assertions !p =  E\ and !p =  Ei are made, the resultant value on the port 
!p is defined by the function lub(E\, E^). The lub function computes the least upper bound of 
its two argum ents over a value lattice. (See figure 4 for an example.) A complete definition 
of the action product operator is given in figure 10.
3 .1 .2  D efin ition  o f  th e  T ransition  R ela tion
In this section, we define the transition relation by structural induction. Before these defini­
tions are applied to a realproc or a vecproc, all the port and event names in their submodules 
are assumed to  be renamed so as to be distinct. Also every compound action used in a defi­
nition is assumed to have been reduced to an irreducible form by repeated applications of the 
action product operator
P ro cess  ST O P
STOP is the simplest of HOP processes. It has a null transition relation; i.e. it always remains 
halted.
A finite process  is defined to be one th a t will become STOP in a finite num ber of steps. 
A finite process does not usually represent any practically useful hardware system. Therefore 
if PARCOM P results in a finite process starting from non-finite processes, there is room for
16
suspicion th a t there are sequencing errors in the system. W hen none of the input events in 
the branches of a CHOICE process P are synchronized, and when these input events are all 
hidden, process P is turned into a  finite process. This can happen (for example) due to the 
erroneous sequencing of control inputs.
Sequential Processes
Action: (ca —> P )  P
If P  is a process, ca —* P  is a process th a t first performs the compound action ca and then 
behaves like P.  Sequential Processes are a special case of deterministic choices where there is 
exactly one choice available.
D eterm in istic  Choice
Det-choice: (|; ca, —> Pj)  P,
A process P  = |, ca, —► P,, where i ranges over an index set I  is one th a t offers a deter­
ministic choice consisting of the compound actions ca, during its first com putational step. If 
choice Cm is accepted, P  continues to behave like Pm -
If I  has more than  one element, then there must be an input event e,- present in each ca,. 
Since the e,s govern the selection of one of the alternatives of the choices, the e,s m ust have 
pairwise m utually exclusive definitions for their control encodings.
A dding A ctions To Initials
If P  is a process, c a l ,P  is a process which adds cal to the initials of P. 
P  ca > P'
Add-to-initials: 1 7") cal»ca r\ic a l ,P  — ► P
H iding
“Hiding an event e” is a shorthand for saying th a t both I t  and Oe are hidden from a process. 
Rule Hiding-sync considers the hiding of Oe. Oe is replaced by Oidle.
Hiding-sync
P'
Hide e in  P  — ► Hide e in  P
The notation “[new/old.]” is used to  mean th a t “new” replaces “old” .
Hiding I e  from a process prevents it from synchronizing on this event. This can be captured 
by pruning those branches of the synchronization tree th a t are labeled by Ie:
Hiding-unsync
P  P', P  P", e € cal 
(Hide e in  P )  (Hide e in P " )
Hiding a data  ou tpu t port removes data  assertions m ade on th a t po rt from the current 
compound-action of the process. This would affect those processes th a t perform a da ta  query 
from a connected port a t the same time:
17
Hiding-dout
p  ca,'p=E p i
Hide p in  P  Hide p in  P ’
Hiding a data  input port causes those variables th a t would have been bound by a data 
query on this port to  remain unbound:
p  ca,x=JP p>
Hiding-din Hide p  in P  Hide p  in P ' w i t h  x f r e e  in P'
R en am in g
Processes are m ade to  interact with each other either via events or via data  actions (<fa) on 
ports by renam ing their individual event and port names to common names:
„  . P - U P '
R enam m g-e  ---------------------------------—-------------------------------- -
Rename e to el in P  Rename e to el inP'
_ . P  P ' , da uses  p
R en am in g-port ------------------------------- rfa[Pi /P]-------------------------------
Rename p  to p i in P  ----► Rename p  to p i inP'
Parallel C om p osition
The parallel composition operator || models the process of realizing a system by putting 
together several sub-processes, and perm itting their interaction through events and ports tha t 
are connected.
P zrco m p
After performing parallel composition according to the above rule, we may simplify the 
result by using the following rule (if applicable). This rule captures the effect of value com­
munication:
Value Communication During Parallel Composition
C ond ition a ls
p  (x=?p),(!p=E),ca p>
P  P '  [£ /x ]
HOP processes are usually defined as process schemas P[dps\ ,  where for each value of dps  we 
have one specific process, dps  usually represents the da ta  path  s ta te  of the process. We have 
the notion of condit ional  processes in HOP that allows us to  specify the behavior of a process 
based on its dps variable. Thus we may define a process P  as:
P[dps]  i f  p{dps)  then  P l [ f ( d p s ) ]  e lse  P2[g(dps)] .
After reducing the predicate application p(dps)  to t rue  or f a l s e , one of the following rules 
would apply:
18
P I  p '  p 2 -£i+ P'
Condit ional  ( ^  ^  p , ; ( . f  ^  p ,
R ec u rs io n
A collection of one or more processes may be defined recursively. Since only tail-recursion is 
allowed, recursion can be modeled as iteration.
3 . 2  S e c t i o n  S u m m a r y
It is possible to  view HOP as stylized formulae in Temporal Logic. For instance the  specifi­
cation in figure 11 can be modeled in tem poral logic as shown in figure 12.
P [s] <- Iel -> Idout ■ 55 -> P [fCs)]
I Ie2, x*?din -> Q [g(s,x)]
Figure 11: An Example HOP Specification
P ( s )  =  □ ( ( / c l  D 0((Wou< =  55) A O P ( f ( s ) ) ) )
A (/e2  D (x =?<fm A O Q {g { s ,  x ))))
A (n o t( /e l)  A n o t(I e 2)) D T E R R O R ).
Figure 12: Temporal Logic Equivalent of the Example HOP Specification
In the Temporal Logic specification, we trea t port names ?<fm and \din as individual 
variables. Renaming and hiding are modeled in an obvious way. The effect of simultaneous 
data  assertions and queries on a bus can be handled by first computing the LUB of the asserted 
values (over the value-lattice of the data  items asserted), and then binding this LUB to the 
variables involved in all the  queries on this bus.
One benefit of using pragmatically oriented HDLs th a t have a clean semantics (like HOP), 
as opposed to  directly using universal functional/relational calculii, is simplicity. HOP pro­
cesses may be viewed as a collection of communicating autom atons. The operational semantics 
provided in this section define the rules of communication, and they may be understood syn­
tactically. Milner [28] and Plotkin [33] have extolled the virtues of this approach.
Another major benefit of using HDLs is the following. Useful “idioms”—commonly oc­
curring patterns in HDL descriptions—can be identified by trying out a large number of 
examples. Then we can identify a subset  of Temporal Logic (or another formalism) that 
matches these idioms. The advantages of identifying such subsets of ( inherent ly  undecidable) 
theories is obvious—we can make a focussed attack on the problem of verification and testing 
of hardware.
19
4  I l l u s t r a t i o n  o f  P A R C O M P
4 . 1  W h a t  E x a c t l y  D o e s  P A R C O M P  D o ?
PARCOMP takes as input a realproc or a vecproc and produces as output an absproc. It works 
by symbolically simulating all possible interactions between the subprocesses of a realproc or 
vecproc. PACOMP implements the operational rules of HOP presented in section 3.
The absproc inferred by PARCOM P captures, via symbolic expressions, the behavior of 
the realproc or vecproc for all possible starting  states of the submodules, and for all external 
inputs. The text of the inferred absproc can be manually studied to see if the system  behaves 
as understood by the designer. Thus, PARCOMP greatly facilitates the understanding of the 
co llective  beh avior  of a collection of synchronous systems.
In addition, PARCOM P throws away all of the  unused capabilities of a system. Consider a 
system  built using three modules A, B, and C, where C is the controller for A and B. Though 
A and B may individually support (say) 5 operations each, C may actually use only (say) 2 
each of their operations. In addition, of these 2 operations used, C may sequence them  on ly  
in a sm a ll num ber o f  w ays—out of the myriads of possible ways they may be sequenced. In 
other words, C implements only some of the astronomically large num ber of possible micro­
routines. Such under-utilization of system capabilities is the rule, rather than the exception, 
in hardware. PARCOMP “distills out” only the used modes of behavior by capitalizing on the 
event hid in g  information supplied by the designer. Thus, the behavioral descriptions inferred 
by PARCOM P contain just the right am ount of information, and nothing more.
In addition to distilling away unutilized modes of behavior, the H iding-unsync  rule reduces 
the tim e complexity of PARCOMP. The worst-case tim e complexity of PARCOM P is propor­
tional to  the num ber of control state  tuples actually generated. By pruning away as many 
control sta te  tuples as early as possible, these control sta te  tuples as well as their successors 
are never visited.
Finally, PARCOM P can be used to save the time of simulation; we can perform a “pre 
sim ulation” of the tester and the testee using PARCOMP, and run the resultant process. 
These computational-effort saving measures are believed to be new.
4 . 2  I l l u s t r a t i o n  o f  P A R C O M P  o n  t h e  S t a c k
Given the above stack realproc specification and given the specifications for CTR and SCTL 
shown in figure 7, we can use PARCOMP to infer the equivalent absproc specification STACK 
shown in figure 13. (Only the PRO TO CO L section of the inferred process is shown.) This 
description was obtained autom atically, using our implementation of PARCOMP. Inferring the 
behavior of the stack takes less than ten seconds of elapsed tim e running on an H P-Bobcat 
running compiled HP Common Lisp.
The inferred PRO TO CO L specification asserts th a t the STACK system  offers a choice of 
events I r e s e t ,  Ipush , I to p , Ipop, and Inop.
Let us study I to p . After asserting this event, the external world (say, the “tester process” 
of the stack) has to idle for one tick. No event is entertained by the stack (signified by the 
absence of any input events following I to p ) , as it is internally busy. During the second tick, it 




Iresst -> di - ?cdi -> STACK [di.ms]
I Ipush -> Oidle -> vd»?din -> STACK [addl(cs), write(ms,addl(cs),vd)] 
I Itop -> Oidle -> !dout«r®ad(ms,CB) -> STACK [cs.ms]
I Ipop -> Oidle -> STACK [subl(cs), ms]
I Inop -> STACK [cs,ns]
Isnop
[ms ,up (cs)]
Figure 13: Absproc A utom atically Inferred from stkreal using PARCOM P
21
the stack would output the correct result on port !dout following the top  command. Finally, 
the STACK [cs,ms] process continues to behave like STACK [cs,ms] itself, meaning th a t the 
STACK process did not suffer any sta te  changes.
Let us study the p ush  operation. The external world is expected to supply the item 
to be pushed tw o  t icks  after it applied the Opush trigger th a t matched with the Ipush  
event. If this value were vd, then the future behavior of STACK would be like tha t of 
STACK [addl(cs),w rite(m s,addl(cs),vd)]. This symbolic expression shows th a t the push  op­
eration was implemented correctly. This is because the  counter sta te  has advanced from cs 
to  addl(cs), and the  memory s ta te  has advanced from ms to  write(ms,addl(cs) ,vd). In­
formally, the  stack pointer was incremented, and the memory location pointed to  by the new 
stack pointer was w ritten with vd.
The other operations are similarly correct. (Note: While doing the reset, the  initial stack 
pointer value has to  be fed from outside via ?cd i.)
4 . 3  H o w  D o e s  P A R C O M P  W o r k ?
4.3.1 L o c k s te p  C ro s s -p ro d u c t  A u to m a to n
Our explanation of PARCOM P would be greatly facilitated by introducing the concept of 
lockstep  cross-product  automatons.  Given two DFAs A and B, a lockstep cross-product au­
tom aton (LCA) of A and B, w ritten lca(A,  B ), can be obtained from A and B by the following 
algorithm:
(Basis clause): If A 0 is the initial s ta te  of A, and B 0 is the initial s ta te  of B, then the 
pair <  Ao,B o  >  is in l c a ( A , B ) .
(Inductive clause): If s ta te  <  A i , B i  >  is in lca(A,  B ) ,  and there is a directed edge i n ­
going from Ai  to  a state  A j  in A, (and likewise Fij is a directed edge going from sta te  B, 
to a state  B j  in B), then <  A j ,  B j  >  is in lca(A,  B ) .  Further, the edge EF ij  is introduced 
in lca(A,  B ) going from <  Ai, Bi  >  to  <  A j ,  B j  > .
(Closure clause): There is no other sta te  or edge in l c a ( A , B ) .
Example: Consider the state  diagrams in figure 14 to be DFAs, with state  0 being the starting 
states of A and B. Then, l c a ( A , B )  contains all the 25 states in the cross-product of A and 
B. On the other hand if the self-loop at sta te  0 of process B were to be absent, then it will 
contain only the five states 00, 11, 22, 33, and 44. The edges in l c a ( A , B )  would then be:
00 —» 11, 11 —» 22, 22 —» 33, 33 —*■ 44, 44 —*■ 00. Thus, we conclude th a t the num ber of states 
in l c a ( A , B )  is less than  or equal to  the product of the number of individual control states in 
A and B.
PARCOMP works by attem pting to  create the LCA. However, as we show below, it actually 
doesn’t create the entire LCA graph—often it creates only a small portion of the LCA graph. 
In this section, we discuss only the version of PARCOM P th a t doesn’t use the cond  construct. 
The cond  construct is considered in section A .I.




Figure 14: Processes A, B, and AB
?exp
Oer Idor
Figure 15: The Realization of the System AB
We illustrate PARCOM P on one example th a t has been specially constructed to involve most 
of the interesting cases th a t arise during PARCOMP. (A rigorous specification of PARCOMP 
is presented in section A .I.)
T h e  S t r u c tu r a l  D e ta ils
Two processes A and B are connected to form a system called AB, as shown in figure 15. The 
Oel event of A is unconnected as well as hidden; hence it is effectively ignored throughout. 
Event Oe of A is conneced to event I e  of B, and hence whenever I e  is offered by B and Oe is 
asserted by A, the events would synchronize. This event is also exported as event Oer of AB. 
Thus whenever Oe is asserted by A, event Oer would be seen asserted outside AB.
Process A has a  da ta  port !do connected to port ? d i of B. Since this connection is hidden 
within AB, the d a ta  assertions on !do will not be visible outside AB. A also has an output 
port ! do2 th a t is connected to input port ? d i of A, ou tpu t port ! do of B, and output port ! do 
of AB. The effects of these connections will be discussed momentarily. B has an input port 
? h id  th a t is connected nowhere; the effect of querying through this port will be of interest. 
Finally, B has an input port ?exp th a t is exposed outside AB; the  effect of B ’s query on this 
port will also be of interest.
T h e  B e h a v io ra l D e ta ils
The above structu ral connections show the potent i&b  for interaction through events and da ta  
ports. W hether these potentials are actually used would depend upon the protocol specifica­
tions of A and B.
Figure 14 depicts the PRO TO CO L sections of processes A and B. At tim e 0, process A is 
in control s ta te  0 and has da ta  path  s ta te  [ a s ] . (D ata  path  states are always sequences of 
one or more items, and we write them  within square brackets, to  mimic the syntax used in the 
textual version of the HOP specification.) While in control s ta te  0, A keeps an ou tpu t event
24
Oe asserted. It also asserts the data  value !do*F(as) so long as it stays in control state  0. It 
instantaneously jum ps to state  1, when time instant 1 arrives. In control sta te  1, it asserts a 
data  item, and also queries port ?d i to obtain a value for a local variable y. Until it is bound 
again, the value of variable y will represent the value on port ? d i a t tim e 1. Process A then 
moves to control s ta te  2. Further behavior of A can be similarly understood. We indicate 
the state  0 of A using a darker circle because it corresponds to the explicitly named process 
“A [a s]” in the textual description of A.
Let us consider B. It offers a  deterministic choice (as explained in section 3) between events 
I e l  and I e  in s ta te  0. The former transition will be taken if event I e l  is asserted (from outside 
B), and event Ie  is not asserted. The la tte r transition will be taken if event Ie  is asserted, 
and event I e l  is not asserted. (The events guarding the “arms’’ of a  determ inistic choice are 
m utually exclusive, by definition.) If Ie  is asserted, the d a ta  query x=?di will be made. After 
this query, B goes to control s ta te  1. From control sta te  1, it goes to control sta te  2, and 
its da ta  path  sta te  changes to [ b s , x ] . S tate 2 of B is shown using a dark circle because it 
corresponds to  the explicitly named process B l [ b i s , t ] .  Note th a t we show the “next data 
path  s ta te” only if it changes. B starts from control sta te  2 in da ta  path  state  [b is  , t ]  . This 
pair is bound to  [bs ,x] by virtue of the data  path  state  change shown along the arc 1 —► 2.
If processes A and B are coupled using the structure shown in figure 15, and allowed to run 
starting  them  both in s ta te  0, their behavior, as seen from outside AB, will be th a t of process 
AB in figure 14. This behavior was autom atically deduced using the PARCOMP procedure.
O perational Rules Invoked in D educing Process A B
The rules Renaming-e and Renaming-port of section 3 are used to model connections between 
ports and events. (In our narration below, we will perform these renamings “as and when 
needed” during explanation.) Since A and B interact, we invoke the rules Parcomp and Value 
Communication During Parallel Composition. Finally we invoke the rules of hiding, to take 
into account the hidden events and ports.
We now discuss some specific instances of these rules, with respect to figure 14.
•  PARCOM P can be thought of as a nested iterative procedure where the outer loop 
attem pts to generate the LCA. The inner loop performs action products of events and 
da ta  queries/assertions, obtaining simplified events and d a ta  queries/assertions. These 
are used to annotate the  edges of the LCA, thus obtaining the inferred absproc.
To clarify this, consider the  move of B from 0 to 0, and of A from 0 to  1. We obtain the 
LCA edge 00 —► 10. Label this edge with the set of actions obtained from the 0 -»  1 
edge of A a n d  the 0 —► 0 edge of B.
(Convention: We show these actions prefixed by “A:” if they are caused by A, and “B:” 
if caused by B. If caused by A and B collectively, we prefix it by “AB:” .)
This compound action is:
B  : I e l ,  A : Oe, A : !do =  F ( a s ) -------- (1)
The other edge in the LCA is 00 —► 11, and is labeled by
A  : Oe, B  : Ie , A :!do =  F(as), B  : x = ? d i -------- (2)
25
• Consider equation (1). This equation is irreducible under the action product operation 
(the rules in figure 10). Further, it contains the event I e l  th a t is unsynchronized and 
hidden. This represents a  possible move of B th a t will never materialize. So we can 
invoke the rule Hiding-unsync, and prune away this possibility. Thus, we delete the
00 —♦ 10 edge from the lca(A,B).
This step accounts for the practical efficiency of PARCOMP. In the current example, 
this one pruning step prevents the generation of the  following control sta te  pairs of AB: 
20, 30, 40. This is because 20, 30, and 40 are all successors of 10, in the LCA of AB.
• Consider equation (2). It is reducible through equation 2 of figure 10. It reduces to
A B  : Oe, A  :!do =  F(as), B  : x = ? d i -------- (3)
This fact represents th a t I e  synchronizes w ith Oe.
Ports !do and ? d i are connected. Since connections are modeled via renaming to  a com­
mon name, let us rename ? d i to ?do. Now we can invoke the rule value communication 
during parallel composition, and simplify (3) to:
A B  : Oe, A B  : !do =  F ( a s ) -------- (4)
and also generate the substitution [F(a5)/x] to be applied to the “rest of the  parallel 
composition” . This shows th a t the variable x of B would be bound to  F(as), thus 
showing th a t a value communication has occurred.
• Equation (3) contains Oe th a t is not hidden—it connects to  the  event Oer of AB. Thus 
we see Oer being asserted by AB during the first transition. However, port ! do is hidden, 
and so we do not see this d a ta  assertion being asserted by AB. The value communication 
does happen, albeit internally.
• PARCOM P proceeds thus, and re-encounters s ta te  00. It now has to com pute PAR­
COM P of A and B which are (respectively) in da ta  path states NS-A( . .  .)  and NS-B( . . . ) .  
However we have already computed the PARCOM P of A and B for d a ta  path  states (re­
spectively) as  and bs—these are free variables, and hence more general than  NS-A( . . . )  
and N S -B (.. . ) .  Hence nothing is to be gained by doing PARCOM P again, and so the 
algorithm  stops.
The other interesting things tha t happen along the way are:
— The da ta  assertion !do t= lub(G (x) ,a s )  is produced by AB a t tim e 1, as a result 
of the “collision” of the da ta  assertions !do2=as by A and !do=G(x) by B. The 
“resu ltan t” assertion is computed using the action product rule 3 of figure 10.
— The assertion !d o r= J(F (a s)  ,H (lu b (G (F (a s )) , a s ) ) )  m ade a t t im e 3 is explained 
thus: there is an assertion m ade by B a t tim e 3. This assertion is J ( t  , z ) . However 
by now, t  and z have accumulated value bindings, and these value bindings are 
substitu ted in. Thus we see th a t the behavior of AB represents the effects of value 
communications between A and B in a closed form.
26
Isnop
Figure 16: Inferred Behavior of the Stack using an Erroneous SCTL
— A final point of interest is the occurrence of the term  UB in the  next da ta  path 
expression when going from sta te  44 of AB to  s ta te  00. UB stands for “unbound” , 
and results from the query th a t B performed on its hidden port ?h.id. This is 
obtained formally by invoking the rule Hiding-din.  So long as this UB value is never 
“used” , the system  can compute along safely. An example would be this: if B were 
an OR gate and if one of its inputs is already 1, then the  other input could be UB. 
(UB will be bound to  H O P’s HIZ value “Z” , or to  boolean False ( “F ” in HOP), 
depending on the  actual IC technology used.)
5  E x p e r i m e n t s  w i t h  P A R C O M P
In this section we present various experiments th a t we have conducted using PARCOMP.
5 . 1  I n t r o d u c i n g  P r o t o c o l  E r r o r s
We deliberately introduced mistakes into the stack controller and wanted to see if PARCOMP 
could detect these errors. Here is a specific experiment: take the process SCTL defined in 
figure 7, and delete the Oread event th a t is generated after synchronizing on event Ito p . 
PARCOM P is able to  detect this as an error.
This is possible because of the following reason. By om itting Oread, the  SCTL process 
does not generate any of the choices th a t MEM offers a t th a t moment. Thus the behavior of 
MEM beyond this point is not defined. Hence the behavior of the stack beyond this point is 
not defined.
The results of PARCOM P with this erroneous SCTL are shown in figure 16. The inferred
27
Absproc has a transition from sta te  000 to s ta te  STOP, which is a dead-end. A STOP control 
s ta te  in a process is indicative of a design error, because a hardware system ’s behavior m ust 
be defined for every time instant. Thus when a STO P sta te  is generated during PARCOMP, it 
issues a warning to the  user. This feature of PARCOM P can help ensure th a t tim ing protocols 
are m u tu a l l y  compatible .  Much like in type-checking, the assum ption is th a t in a m ajority 
of cases only one process would be “wrong” relative to the other; th a t is, we won’t make 
“com patible m istakes” in two systems, a t the same time.
However note th a t not all tim ing errors will be caught in the above manner. It should be 
clear th a t certain errors will not lead to  any dead-end control states, but would nevertheless 
give rise to  erroneous modes of behavior.
5 . 2  P i p e l i n i n g  t h e  S t a c k
The inferred behavior of the Stack presented in figure 13 shows th a t it takes 3 ticks to  complete 
the  p ush  operation. Probing the reasons for this, we see th a t SCTL is the source of this time 
wastage. It accepts Ip u sh  during the  first tick, does Dup during the  second, and O v rite  during 
the third; then only goes back to  s ta te  0.
We can overlap the  last O w rite operation with the awaiting of the next command on the 
stack. Doing so, we would have pipelined the stack. The controller used for this purpose 
is PC TL, shown in figure 17. After accepting Ipush  and performing Oup, PC TL goes into 
control s ta te  3. Here while it awaits the  next stack operation, it performs the deferred O w rite
Figure 17: The Pipelined Stack Controller

© ~ —*0— <D— KDOreset >—■S  [cot = 0 ' —'  Opush 
Oidle
Ires s topval 
topval = ?dit 6
© Opush Idot & 1
Oidle 0
Oidle 
OpopOtop Oldie r r \ f
0 — 0 — o ^ b
Figure 19: A Tester Process for the Pipelined Stack
operation.
Using PCTL and the same old MEM and CTR, PARCOM P infers the behavior shown in 
figure 18. This behavioral description shows all the  modes of behavior of the stack. We will 
study some of these modes in the next section.
5 . 3  T e s t i n g  t h e  P i p e l i n e d  S t a c k ,  a i d e d  b y  P A R C O M P
How do we know th a t the pipelined stack is correct? One way is to formally verify it against 
a requirements specification. We do not take this approach in this paper.
Let us instead test the pipelined stack, to  gain some confidence in its correctness. Let us 
describe a fester process  in HOP th a t would apply the following sequence of operations:
r e se t ( s tack ) ]  p u s h ( s t a c k , 1); push(s tack ,  2)\ pop(stack)\  top(s tack) .
The expected result of this test is 1.
In order to  test the stack, we should apply the above sequence of commands observing 
proper timings for command invocations, da ta  assertions from outside, and the data  query for 
the result of the top  operation. It is our  unders tanding o f  the t im in g  as wel l  as funct ional i ty  
o f  the  s tack  tha t  we wish to  confirm through testing.  The tester so constructed is shown in 
figure 19.
We can compose the tester and the “testee” (the pipelined stack) using PARCOMP, and 
thus obtain a single process th a t embodies all observable aspects of the collective behavior 
of the tester+ testee. We can then run this single resultant process. T he resultant process is 




5.3.1 D etectin g  Tim ing Errors in Tester Processes Statically
PARCOM P can reveal certain tim ing errors in the tester, relative to the testee. In these cases, 
wasteful simulation needn’t be performed, and instead the error can be corrected.
5.3.2 O btaining Sym bolic Sim ulation R esults W ithout Sim ulation
As figure 20 shows, the inferred process reveals (approximately) how the simulation would 
proceed. For instance, it tells us th a t the final result delivered by the top operation is:
.•result ■
(READ
(WRITE (WRITE MS (ADD1 0) 1) (ADD1 (ADD1 0 ) )  2)
(SUB1 (ADD1 (ADD1 0 ) ) )
)
In this simple example, we can readily tell that this answer is correct; for, we can apply simple 
algebraic rules of ADD1 and SUB1, to simplify this data assertion to:
!result =
(READ (WRITE (WRITE MS 1 1) 2 2) 1)
This can further be simplified to 1, using the following algebraic axiom of ordinary read-write 
memories:
read(w rite (m ,a ,d ) ,a )  =  d.
And 1 was indeed our expected answer.
This opens up the following attractive path towards speeding up functional simulation:
1. Build an algebraic expression simplifier as a part of the abstract d a ta  type library.
2. O btain the “tester+ testee” process th ru  PARCOMP.
3. E xtrac t all the the next data-path state  and data assertion expressions present in this 
tester+ testee. Simplify them  using the expression simplifier.
4. Plug these simplified expressions back into the tester+ testee.
5. Run detailed functional simulation on this simplified tester+ testee.
We also have developed the prototype of a compiled simulator th a t compiles “tester+ testee” 
processes into procedural code. This sim ulator is called the CAPS (Compiled AbsProc Sim­
ulator). (Note: Some of the above ideas may be found in [15] also.)
5.3.3 B uild ing Partial Testers
Suppose we want to supply certain test stimulii “autom atically” from the tester process and 
some other test stimulii interactively from the  keyboard. This can be very easily done in our 
present approach. For example, let us assume th a t the user wants to  have control over the first 
d a ta  item being pushed on the stack. H e/she would simply leave out the da ta  assertion ! d o t= l
32
from figure 19. Running PARCOMP on this “tester+ testee” would result in an “unsatisfied 
but un-hidden” da ta  query a t tim e 4. W hen we run CAPS on such an absproc, the unsatisfied 
da ta  query is turned into a query from the keyboard.
Thus users may selectively add or take away events and d a ta  assertions from the tester 
process. Thus, a range of testers are possible. At one extreme, the tester does every data  
assertion and query, and so the CAPS simulation will run on its own, w ithout user intervention. 
At the other extreme, the tester would do noth in g , and the CAPS sim ulator would interrogate 
the user for every event and data  input. This was a pleasant and serendipitous discovery.
5.3.4 Interpreted R ealproc Sim ulator
Sometimes it may be felt necessary to simulate a collection of processes w ithout doing PAR­
COMP. This need can arise, for example, during the very early stages of a design where
(i) users m ay want to simulate a proper subset of the subprocesses; (ii) users may want to 
get detailed information about the innards of a system. To support this need, we have devel­
oped a run-tim e version of PARCOMP th a t is embodied in an Realproc  In terpre ted  Process  
Simula tor  (RIPS).
In the RIPS simulator, the tester and testee are run concurrently, and the action products 
are computed a t run-time. RIPS is relatively more inefficient than  CAPS; however, RIPS 
allows many flexible interactions not possible with CAPS. For example, after a few simulation 
steps, we can selectively ignore a subset of the modules, and carry the other modules forwards 
in simulation. Or, we can add an extra process after a few steps.
5.3.5 The use o f Probe Processes
Logic s ta te  analyzers are widely used to  debug digital systems. In HOP, we can simulate logic 
s ta te  analyzers, by constructing probe  processes.
A probe process is constructed by specifying along its transitions a trace  of the sequence 
of events and d a ta  assertions of interest. Such a trace is similar to a “trigger” specification of 
a logic sta te  analyzer. We can then PARCOMP the probe process with the submodules of a 
system, and then sim ulate the system.
Here is a probe process th a t can be used w ith the pipelined stack:
PROBE <= I v r i t e  ~> I v r i t e  ~> I v r i t e  ~> I re a d  -> Ip robeou t * ' 'S u c c e s s* ’
The operator ~> is an abbreviation for “busy wait until the following input event” . This 
derived operator is available in HOP, and can be expressed in terms of ->.
If this probe process were to be composed with the pipelined stack and tested using fig­
ure 19, it will sense w hether the memory is being subject to  three writes and one read. If so it 
will prin t " S u c c e s s 1 ’ on the Ip robeou t port. For the command sequence push; push;  pop] top  
applied by our tester, this trace m ust manifest on the memory subprocess. P robe processes 
may, after sensing the trigger condition, start acquiring data, and m ay even act like tester 
processes by supplying test patterns.
33
Probe processes may be used for flagging the violation of of representation invariants  during 
the course of operation of a module. Representation invariants [23] are predicates th a t describe 
the consistent internal states of a module. As an example, consider a simple associative 
memory (AM) with 4 locations. A representation invariant found in most AMs is: “AM never 
contains duplicate entries” . S tated formally,
V i u nary(assocsrck(A M ,  x)).
This says th a t d, the result of doing an associative search, is always a unary quantity. If the 
unary p a tte rn  is “0000” , it indicates th a t the search “missed”. If the pattern  is “0010” , it 
indicates th a t there was a hit a t location 3. If pattern  is “0101” , it indicates th a t x  was found 
in location 0 and 3; this is erroneous. A probe process to detect this condition is:
N0DUP < -  I s e a r c h ,  x » ? src h d a ta  -> i f ( u n a r y ( x ) ,  NDDUP, ERROR)
ERRDR <= Ip robeou t = ' 'E r r o r ' '  -> STOP
The probe process N0DUP samples the I s e a rc h  event th a t triggers the associative search. It 
samples the search’s result, x, also. Then if x is found to be unary, it goes back to behave like 
N0DUP. Else it behaves like the ERROR process.
This technique has one limitation: quite often, the entire internal sta te  of a module is not 
observable through its ou tput ports. To overcome this lim itation, we are investigating the 
use of daemons—data driven procedures—th a t can directly monitor the ADT object states. 
Some details appear in appendix A.2.
6  A  D i v i d e - a n d - c o n q u e r  P A R C O M P ,  P A R C O M P - D C
This section shows how we can often reduce the run-tim e of PARCOM P by exploiting the fact 
th a t it is com m utative and associative.
Consider the array A  shown in figure 21. It consists of a collection of modules M  con­
nected in a regular interconnection pattern . For simplicity of explanation, assume a nearest- 
neighbor connection th a t is regular in both the dimensions. Consider the problem of com put­
ing PA R C O M P(A)', i.e. the composition of all the A/s constituting A. Since P A R C O M P  
is both  com m utative and associative, we can split A  into two halves, say A t standing for “the 
top of A” and A b , standing for “the bottom  of A” , and assert:
P A R C O M P (A )  =  P A R C O M P ( P A R C O M P (A T), P A R C O M P (A B) )•
Since A t  and A b  differ only in the names of their external ports, we need compute only  
P A R C O M P (A t ). P A R C O M P (A b ) can be obtained from this, by renam ing the ports of 
A t  to the corresponding ports of Ab-
This division process can be carried down to  the leaf cells, as depicted in figure 21. 
PARCOM P-DC is often more efficient than  PARCOMP. Let us make an approxim ate cost 
analysis.
As discussed in section 4.3.1, the worst-case time complexity of PARCOMP is proportional 
to the cross-product of the num ber of control states in each of the processes, assuming th a t the
5.3.6 Checking for Representation Invariants
34




A TL A TR
A b l A BR
ii+i
via copying and renaming.
Figure 21: Divide and Conquer PARCOMP
number of events and data  assertions on every transition are bounded by a constant. Suppose 
for simplicity th a t array A  is square, and has N  modules of type M , M  has C  control states 
in it, and th a t N  be a power of 2. Then
c os t jparcom p(A )  =  0 ( C N).
Suppose th a t the modules formed during the division process of PARCOMP-DC are M , 
..., A i l , A t ,  A.  Let n c s ( M )  denote the number of control states in a module M .  Further let 
C jx> pyin g  denote the cost of copying the process descriptions (see figure 21). Then
cost jp a r  com p jd c (A )  =  0 ( n c s ( M )2 +  ... +  u cs(A t l )2 +  tics(A t )2 +  n cs(,4 )2 +  C  jzo p y in g ).
The above sum  has l o g i ( N ) terms. Let D  be the root mean square (RMS) value of the 
num ber of control states in M , ..., A t l , A t , A.  Let the cost of copying and applying renamings 
to a process description not exceed the number of control states in it.
Then,
c o s tjp a r c o m p jic (A ) =  0 (log2(./V) x (D 2 +  D 2)) =  0 (log2(iV) x D 2).
Firstly we note th a t D  does not tend to increase as the size of the modules grow. This is 
a fact of practical systems because when designing a module using several submodules, only 
very few of the astronomically large number of sequences of the submodule operations are 
actually used. Hence the number of control states in a module is often vastly smaller than 
w hat it could be. (Consider for example the to tal number of possible microprograms for a 
typical da tapa th  .vs. the number of microroutines th a t are actually ever used!) Thus if D  is 
close to C  and if M  is large, then there is a significant payoff by using PARCOM P-DC.
In conclusion, the following additional avenues of research are available for handling geo­
metrically regular, (but perhaps com putationally irregular—or arhythm ic) arrays:
• Perform  PARCOM P of twro modules of the array;
• Study the  inferred behavior and see if it is verifiable manually or through exhaustive 
simulation.
• The behavior inferred by PARCOMP (or PARCOMP-DC) will have complex if-then-else 
functions. C onstruct tabular functions corresponding to these.
•  Use these tabu lar functions for efficient simulation.
•  Try to perform formal verification of the whole array by setting up an induction.
7  S u m m a r y  o f  t h e  P a p e r
We presented a language “Hardware viewed as Objects and Processes” (HOP) for specifying 
the structure, behavior, and timing of hardware systems. HOP embodies a simple process 
model for lock-step synchronous processes.
We presented the communication primitives of HOP, illustrated HOP through several ex­
amples, and then presented its operational semantics. Several design autom ation algorithm s— 
especially PARCOM P—were then examined in detail.
36
The results presented herein were obtained from our implem entation of the HOP design 
system. Section A.2 presents an overview of this system. It has a working prototype, currently 
w ritten in Common Lisp and FROBS [31]. Though we have taken simple examples in this 
paper, we have worked out some larger examples as well. Some of these hardware units are 
discussed in [12]; many are yet to be published. Links to VLSI design are briefly described in 
section A.2.
37
R e f e r e n c e s
[1] T.S. Anantharaman, E.M. Claxke, M.J. Foster, and B. Mishra. Compiling Path Expressions into 
VLSI Circuits. In Proceedings of the 12th Symposium on Principles o f Programming Languages, 
ACM, January 1985.
[2] Mario R. Barbacci. Instruction Set Processor Specifications (ISPS): The Notation and Its 
Applications. IEEE Transactions on Computers, C-30(l):24-40, January 1981.
[3] Frederick P. Brooks. The Mythical Man-month. Addison-Wesley, 1975.
[4] M. Browne, Edmund Clarke, D. Dill, and B. Mishra. Automatic Verification of Sequential 
Circuits using Temporal Logic. In Proceedings of the Seventh International Conference on 
Com puter Hardware Description Languages, pages 98-113, North-Holland, 1985.
[5] Randall E. Bryant. A Switch Level Model and Simulator for MOS Digital Systems. IEEE  
Transactions on Computer, C-33:160-177, February 1984.
[6] Albert Camilleri, Michael C. Gordon, and Tom Melham. Hardware Specification and Verifi­
cation using Higher Order Logic. In Processings o f the IFIP WG 10.2 Working Conference 
on “From HDL Descriptions to Guaranteed Correct Circuit Designs”, Grenoble, August 1986, 
North-Holland, 1986.
[7] Tam-Anh Chu. Synthesis of Self-timed VLSI Circuits from Graph-theoretic Specifications. In 
International Workshop on P etri Nets and Performance Models, Madison, Wisconsin, August
1987. See also MIT VLSI Memo no.87-410, September 1987, with the same title.
[8] Avra Cohn. Correctness Properties of the Viper Block Model: The Second Level. In 1988 Banff 
Workshop on Hardware Verification, Springer Verlag, 1988.
[9] Stephen Garland, John Guttag, and Jorgen Staunstrup. Verification of VLSI circuits using LP. 
In George Milne, editor, 1988 Glasgow Workshop (IFIP WG 10.2) on Hardware Verification,
1988.
[10] Ganesh C. Gopalakrishnan. From Algebraic Specifications to Correct VLSI Systems. PhD thesis, 
Dept, of Computer Science, State University of New York, December 1986. (Also Tech. Report 
UU-CS-86-117 of Univ. of Utah).
[11] Ganesh C. Gopalakrishnan. Synthesizing Synchronous Digital VLSI Controllers Using Petri 
nets. In International Workshop on P etri Nets and Performance Models, Madison, Wisconsin, 
August 1987.
[12] Ganesh C. Gopalakrishnan, Richard M. Fujimoto, Venkatesh Akella, N.S. Mani, and Kevin N. 
Smith. Specification Driven Design of Custom Architectures in HOP. In G.Birtwistle and 
P.A.Subrahmanyam, editors, 1988 Banff Hardware Verification Workshop, Banff, June 1988, 
1988. Invited Paper, to appear as a chapter in a forthcoming Springer-Verlag book.
[13] Ganesh C. Gopalakrishnan and Mandayam K. Srivas. Implementing Functional Programs Using 
Mutable Abstract Data Types. Information Processing Letters, 26(6):277-286, January 1988.
[14] Ganesh C. Gopalakrishnan, Mandayam K. Srivas, and David R. Smith. From Algebraic Specifi­
cations to Correct VLSI Circuits. In D.Borrione, editor, From HDL Descriptions to Guaranted 
Correct Circuit Designs, pages 197-225, North-Holland, 1987. (Proc of the IFIP WG 10.2 
Working Conference with the same title.).
38
[15] Richard H. Lathrop Robert J. Hall and Robert S. Kirk. Functional Abstraction from Structure 
in VLSI Simulation Models. In Proc. 24st Design Autom ation Conference, pages 822-828, 1987.
[16] Matthew Hennessy. Proving Systolic System s Correct Technical Report CSR-162-84, Depart-
[17] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, Englewood Cliffs, New
[18] April 1986. Special Issue on the VHDL Language. |E .ETE c v n d L *
[19] I.S.Dhingra. Formal Verification of a Design Style. In Graham Birtwistle and 
P.A.Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, pages 293-321, 
Kluwer Academic Publishers, Boston, 1988. ISBN-0-89838-246-7.
[20] Steve Jacobs and Kent Smith. TILER User’s Guide. 1986. User’s Manual Available from the
[21] Stephen Johnson, B. Bose, and C. Boyer. A Tactical Framework for Hardware Design. In Gra­
ham Birtwistle and P.A.Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, 
pages 349-383, Kluwer Academic Publishers, Boston, 1988. ISBN-0-89838-246-7.
[22] Jeffrey Joyce and Graham Birtwistle. Proving a Computer Correct in Higher Order Logic. 
Technical Report 85/208/21, Dept, of Computer Science, Univ. of Calgary, August 1985.
[23] Barbara Liskov and John Guttag. Abstraction and Specification in Program Development. The
[24] Alain J. Martin. The Probe: An Addition to Communication Primitives. Information Pro­
cessing Letters , 20(3):125-130, April 1985. An Erratum related to this article appeared in the
[25] John Merk, John Lalonde, and Ganesh Gopalakrishnan. ADTP User’s Manual. Requirements 
Specification and User Manual for the Abstract Data Type definition Package (ADTP), Software
[26] George J. Milne. CIRCAL: A calculus for circuit description. Integration, (1):121-160, 1983.
[27] George J. Milne. Simulation and Verification: Related Techniques for Hardware Analysis. In 
Proceedings o f the Seventh International Conference on Computer Hardware Description Lan-
[28] Robin Milner. Calculii for Synchrony and Asynchrony. Technical Report CSR-104-82, Univ. of
[29] Robin Milner. A Calculus o f Communicating Systems. Springer-Verlag, 1980. LNCS 92.
[30] S. Morpurgo, A. Hunger, M. Melgara, and C- Segre. RTL Test Generation and Validation for 
VLSI: An Integrated Set of Tools For KARL. In Proc. Seventh International Symposium on 
Computer Hardware Description Languages, pages 261-271, North Holland, 1985.
[31] Eric G. Muehle. FROBS: A Merger o f Two Knowledge Representation Paradigms. Master’s 
thesis, Dept, of Computer Science, University of Utah, Salt Lake City, UT 84112, December 
1987. FROBS Stands for Frames-(-Objects.
39
[32] P. Narendran and J. Stillman. Hardware Verification in the Interactive VHDL Workstation. 
In Graham Birtwistle and P.A.Subrahmanyam, editors, VLSI Specification, Verification and 
Synthesis, pages 235-255, Kluwer Academic Publishers, Boston, 1988. ISBN-0-89838-246-7.
[33] Gordon D. Plotkin. A Structural Approach to Operational Semantics. Technical Report DAIMI 
FN-19, Aarhus University, Denmark, September 1981.
[34] R.C.Sekar and Mandayam Srivas. Specification and Verification of the Lilith Microprocessor in 
SBL. In Banff Hardware Verification Workshop, June 1988, 1988.
[35] Mary Sheeran. Design of Regular Hardware Structures Using Higher Order Functions. In 
Proceedings o f the Functional Programming and Computer Architecture Conference, Springer- 
Verlag, LNCS 201 , September 1985. Nancy, France.
[36] Jan Snepscheut. Trace Theory and VLSI Design. Springer Verlag, 1985. LNCS 200.
[37] Pashupathy A. Subramaniam. Overview of a Conceptual and Formal Basis for An Automat­
able High Level Design Paradigm for Integrated Systems. In Proceedings o f the International 
Conference for Computer Design and VLSI, Westchester, pages 647-651, 1983.
[38] W.F.Clocksin. Logic Programming and Digital Circuit Analysis. Journal of Logic Programming,
(4):59-82, 1987.
40
A  A p p e n d i x  
A . l  A  S p e c i f i c a t i o n  o f  P A R C O M P
Input: An expression Hide H S  in  || {P t-[Xi],..., •••} f°r * ^ j  6  { l . .n } .
C j are conditional processes of the form
C j[X J\ =  i f  qj th en  7 j[<7j(A7 ) ] e ls e  F j[h j(X J)] and Pi are non-conditional processes of 
the form
P i[)Q  =  : in i t ia h i  -► P,(t/,);
Each Pi offers a set of initial choices in i t ia h i  and for each choice y, that is offered, the 
future behavior of Pi is H S  is the H idden S e t, the set of events and ports hidden
from the parallel composition.
O u tpu t:  A behaviorally identical process P \X i,  •••].
M ethod:  A done-list is maintained for each parallel composition || {P ,[X ,],...} that has 
already been computed. Upon getting a call for performing parallel composition, the 
done-list is first consulted.
• If the requested parallel composition is in the done-list, return. Else enter it in the 
done-list and proceed as follows.
•  Combine all conditional processes into one conditional process C. Combining two con­
ditional processes is done as follows:
Cl [XT] =  i f  qi th en  7\[^i(XT)] e l s e  F i[/ii(3T )]
C2[X^ =  i f  q2 th e n  T2[52( ^ 2)] e l s e  F2[h2(A*2)]
Ci[A'i] || C 2[5Q  =  i f  (91 A q2) th en  Xi [<71 (Xi")] || T2[g2( X 2)\
e l s e  i f  (91 A n ot(q2)) th e n  T i[$ri(^ )] || ^ [ ^ 2( ^ 2)] 
e lse  ...e tc . (a ll f o u r  c o m b in a tio n s )
•  Now we are left with the task of computing Hide H S  in  || {P,[Ar, ] , ..., C }. Let C be of 
the form
i f  <71 th en  C i[# i(X 7 )]e lse  i f  <72 th en  C2[<72( ^ 2)]e*c.
|| {Pjp^T],..., C} reduces to a conditional process with <7, as the conditions. This condi­
tional has in it parallel compositions of the form || {P ,[X ^|,..., C ,}. that is (recursively) 
computed. Eventually we are faced with composing non-conditional processes in parallel. 
We take this up next.
•  Consider || {P ,[X j],...} . Let each Pj be
P O T  =  <*>!-*
I ca] -  
1 -  _
I c a " '- * " '[ / " ■ ( * , ) ]
41
T  = <  ca*1, caf2, ...ca*m >
i.e. a tuple of the x ^ h  initial compound action offered by J^, the x 2th  initial compound 
action offered by P 2> etc. This tuple T  is assumed to be the irreducible form arrived at 
after applying the action product rules of figure 10. According to the rule for parallel 
composition Parcom p  all such tuples would become the initial choices of the resultant 
process. Following such choices, the resultant process would continue to behave like
II However using the hiding information H S ,  we can
prune m any of these choices. In particular,
- those tuples T  th a t contain unsynchronized events Ie  th a t belong to H S  are 
dropped, and the corresponding arm  of the synchronization tree is pruned;
- those tuples T  th a t contain O e  th a t belong to H S  are replaced via the substitution 
T [ O id le /O e ] .
In computing
ii { t f f i / r O T i . - R r i / r m i , - } .
the  bindings generated by taking action products of the  members of T  are taken into 
account. □
Generate tuples
A . 2  A  B r i e f  D e s c r i p t i o n  o f  t h e  H O P  D e s i g n  S y s t e m
Figure 22 illustrates the  d a ta  flow diagram  of the HOP design system. The rectangular 
boxes indicate functional units, and boxes with curved sides indicate interm ediate storage 
units. D otted lines show the flow of control, and solid lines show the flow of data. Currently, 
working prototypes exist for all the functional units shown in this figure.
Inpu t specifications are entered through text editors. File name extensions .ap , .rp , and 
. vp refer to absproc, realproc, and vecproc. Cell specifications are entered using the PPL[33, 
37] layout editor called Tiler [20]. (VLSI chips will be described in PPL; see [12] for links 
between HOP and PPL.) HOP specifications are compiled into FROBS representations using 
the H O P—*FROBS compiler. The algorithm PARCOM P can now be applied on realprocs and 
vecprocs (presently implemented only for realprocs). PARCOM P infers functionally equivalent 
absproc specifications from realproc and vecproc specifications. The inferred behavior will be 
much faster to simulate.
The sim ulator preprocessor compiles the FROBS database into a form suitable for the 
sim ulator (under development). A d a ta  type definition mechanism has been implemented 
using FROBS [25]. During simulation, the  sim ulator will be called upon to  evaluate functional 
expressions th a t com pute new datapath  states as well as ou tpu t port values. These will be 
achieved by invoking the operations defined on the various d a ta  types. FROBS supports 
daemons th a t can help probe simulation results, as explained in section 5.3.6.
42
Figure 22: D ata Flow Diagram of the HOP Design System
