Towards An Automated Approach to Hardware/Software Decomposition by Qin, Shengchao et al.
Towards An Automated Approach to Hardware/Software Decomposition
Shengchao Qin1;2
1Singapore-MIT Alliance
2Peking University
Jifeng He
International Institute for Software Technology
United Nations University
Wei-Ngan Chin1;3
1Singapore-MIT Alliance
3National University of Singapore
Abstract
We propose in this paper an algebraic approach to hard-
ware/software partitioning in Verilog Hardware Descrip-
tion Language (HDL). We explore a collection of algebraic
laws for Verilog programs, from which we design a set of
syntax-based algebraic rules to conduct hardware/software
partitioning. The co-specification language and the target
hardware and software description languages are specific
subsets of Verilog. Through this, we confirm successful ver-
ification for the correctness of the partitioning process by
an algebra of Verilog. Facilitated by Verilog’s rich fea-
tures, we have also successfully studied hw/sw partitioning
for environment-driven systems.
Keywords. Verilog, algebraic laws, hardware/software co-
design, hardware/software partitioning
1 Introduction
The design of a complex control system is ideally de-
composed into a progression of related phases. It starts with
an investigation of properties and behaviours of the process
evolving within its environment, and an analysis of the re-
quirement for its safety performance. From these is derived
a specification of the electronic or program-centred com-
ponents of the system. The project then may go through
a series of design phases, ending in a program expressed
in a high level language. After translation into a machine
code of a chosen computer, it is executed at a high speed
by electronic circuity. In order to achieve the time per-
formance required by the customer, additional application-
specific hardware devices may be needed to embed the com-
puter into the system which it controls.
Classical circuit design methods resemble the low level
machine language programming methods. Selecting indi-
vidual gates and registers in a circuit like selecting indi-
vidual machine instruction in a program. State transition
On leave from Software Engineering Institute of East China Normal
University.
diagrams are like flowcharts. These methods may have
been adequate for small circuit design when they were in-
troduced, but they are not adequate for circuits that per-
form complicated algorithms. Industry interests in the for-
mal verification of embedded systems are gaining ground
since an error in a widely used hardware device can have
very adverse effect on profits of the enterprise concerned.
A method with great potential is to develop a useful col-
lection of proven equations and other theorems, to calcu-
late, manipulate and transform a specification formulae to
the product.
Hardware/software co-design is a design technique
which delivers computer systems comprising hardware and
software components. A critical phase of the co-design pro-
cess is to partition a specification into hardware and soft-
ware. This paper proposes a partitioning method whose cor-
rectness is verified using algebraic laws developed for the
Verilog hardware description language. One of advantages
of this approach lies in that it ensures the correctness of the
partitioning process. Moreover, it optimises the underlying
target architecture, and facilitates the reuse of hardware de-
vices.
The algebraic approach advocated in this paper to verify
the correctness of the partitioning process has been success-
fully employed in the ProCoS project. The original Pro-
CoS project [6] concentrated almost exclusively on the ver-
ification of standard compiler of a high-level programming
language based on Occam down to a microprocessor based
on Transputer [5]. Sampaio showed how to reduce the com-
piler design task to program transformation [15]. Towards
the end of the first phase of the project, Ian Page et al made
rapid advance in the development of hardware compilation
technique using an Occam-like language targeted towards
FPGAs [11], and He Jifeng et al provided a formal verifica-
tion of the hardware compilation scheme within the algebra
of Occam programs [4].
Recently, some works have suggested the use of formal
methods for the partitioning process [16, 13]. In [16], Silva
et al provide a formal strategy for carrying out the split-
ting phase automatically, and present an algebraic proof
for its correctness. However, the splitting phase delivers a
large number of simple processes, and leaves the hard task
of clustering these processes into hardware and software
components to the clustering phase and the joining phase.
Furthermore, additional channels and local variables intro-
duced in the splitting phase increase the data flow between
hardware and software components. In [13], Qin et al pro-
pose an algebraic approach to partition a specification into
hardware and software in one step and as well verify the cor-
rectness of the partition process. However, their approach
is based on algebraic laws of the high level communicat-
ing language Occam, which leaves rather a long distance to
go through in hardware/software co-synthesis phase. In this
paper, the distance has been shortened by adopting Verilog
as the language.
The remainder of this paper is organised as follows. Sec-
tion 2 introduces Verilog HDL and explores some useful al-
gebraic laws. Section 3 describes our partitioning strategy.
The co-specification language and target hardware and soft-
ware architectures are proposed in section 4. Afterwards,
we investigate our partition process in detail in section 5 by
designing a collection of proved syntax-based partitioning
rules. A simple conclusion is followed in section 6.
2 Verilog and Its Algebraic Laws
Modern hardware design typically uses a hardware de-
scription language (HDL) to express designs at various lev-
els of abstraction. A HDL is a high level programming lan-
guage with usual programming constructs, such as assign-
ments, conditionals and iterations, and appropriate exten-
sions for real-time, concurrency and data structures suitable
for modelling hardware.
Verilog is a HDL that has been standardized and widely
used in industry ([9]). Verilog programs can exhibit a rich
variety of behaviours, including event-driven computation
and shared-variable concurrency. In our hardware/software
partitioning process, the non-trivial subset of Verilog we
adopt contains the following categories of syntactic ele-
ments.
1. A Verilog program can be a sequential process or a par-
allel program made up of a set of sequential processes, with
or without local variable declaration.
P ::= S j P k P j var x  P
2. A sequential process in Verilog can be any of the forms
as follows.
S ::= PC(primitive command)
j S;S (sequential composition)
j if b S else S (conditional)
j while b S (iteration)
j (g S)[] : : : [](g S) (guarded choice)
j always S (infinite loop)
j case (e) (pt S) : : : (pt S) (switch statement)
where
PC ::= skip j chaos j ! 
v
(output event)1
j v := e (instantaneous assignment)
j v := cg e (assignment with timing control)
g ::= !
v
j cg (timing control)
cg ::= # (time delay) j eg (event control)
eg ::= @(
v
) j eg or eg j eg and eg j eg and :eg

v
::= s v (value change)
j " v (value rising)
j # v (value falling)
Remark: chaos is the worst program with the most un-
predictable behavior. We will see that, in the algebra of
Verilog programs, it is a zero element for some operators.
To facilitate algebraic reasoning, the language is en-
riched with
 assignment event @(v := e)
 general guarded choice construct (g
1
P
1
)[] : : : [](g
n
P
n
)
 non-deterministic choice P uQ
where the process after a guard g can be a parallel process.
Although it is reported that Verilog has been much more
widely used in industry than VHDL ([1]), the formal se-
mantics of Verilog has not been fully studied. Gordon tries
to relate event semantics of Verilog to its trace semantics
([2]). He and Zhu ([7, 19]) explore an operational and a
denotational semantics for Verilog and investigate some al-
gebraic laws from them. Zhu, Bowen and He ([17, 18])
establish formal consistency between above-mentioned two
presentations. Iyoda and He ([10]) successfully apply sim-
ple algebraic laws of Verilog to hardware synthesis process.
Recently, He has explored a collection of algebraic laws for
Verilog, by which a well-formed Verilog program can be
transformed into head normal forms ([3]). In the following,
we investigate some algebraic laws for Verilog, which will
play a fundamental role in our hardware/software partition-
ing process.
Before presenting algebraic laws, we define a triggering
predicate as follows.
Definition 2.1 Given an event control eg, we define those
simple events that enable eg as follows.
E(eg) =
df
8
>
>
>
>
>
<
>
>
>
>
>
:
f" xg; if eg = @(" x)
f# xg; if eg = @(# x)
f" x; # xg; if eg = @(s x)
E(eg
1
) [ E(eg
2
); if eg = eg
1
or eg
2
E(eg
1
) \ E(eg
2
); if eg = eg
1
and eg
2
E(eg
1
) nE(eg
2
); if eg = eg
1
and :eg
2
9
>
>
>
>
>
=
>
>
>
>
>
;
1In order to avoid any unexpected loss of signals, we claim that an ab-
stract output event only takes place at the moment when there’re no active
events at all. We will mention it again in a later section.
Given an output event ! , and an event control eg, we
adopt a triggering predicate, denoted as   eg, to de-
scribe the condition under which the former enables the lat-
ter.
  eg =
df
E(@())  E(eg)
and adopt the predicate,   p eg, to denote the condition
when the former cannot trigger the latter.
  p eg =
df
E(@()) \E(eg) = ;

By this definition, now we can define the well-
formedness of guarded choice constructs.
Definition 2.2 A guarded choice []
i2I
g
i
P
i
is well-formed
iff all its input guards are disjoint, i.e., for any input guards
g
k
, g
l
from fg
i
j i 2 Ig, if E(g
k
)\E(g
l
) 6= ;, then g
k
= g
l
,
and P
k
and P
l
are exactly the same process. 
All guarded choice constructs are well-formed in later
discussions.
Now, we explore a collection of useful algebraic laws
for Verilog programs.
Successive assignments to the same variable can be com-
bined to a single one.
(assgn-1) v := e; v := f = v := f [e=v]
In an assignment to a list of variables, the order of variables
is irrelevant.
(assgn-2) u; v := e; f = v; u := f; e
Variables not occurred on the left side of an assignment
remain unchanged during the assignment.
(assgn-3) u := e = u; v := e; v
skip does not change the value of any variable.
(assgn-4) skip = v := v
Sequential composition is associative, and has left zero
chaos . It distributes backward over conditional, internal
and external choices.
(seq-1) (P ;Q);R = P ; (Q;R)
(seq-2) chaos ;P = chaos
(seq-3) (P uQ);R = (P ;R) u (Q;R)
(seq-4) (if b P elseQ);R = if b (P ;R) else (Q;R)
(seq-5) ([]
i2I
(g
i
Q
i
));R = []
i2I
(g
i
(Q
i
;R))
By the following law, we can transform a sequential
composition of an output event and a guarded choice into a
guarded process (g P ), where output guard g will no longer
fire guards of P .
(seq-6) Let S = []
i2I
(g
i
P
i
), and g be the disjunction of all
input guards of S.
(1). !;S =

! S if   p g;
! P
k
if   g
k
for some k 2 I:
(2). (x < f)
?
; @(x := f);S =

(x < f)
?
; @(x := f)S; if " x p g;
(x < f)
?
; @(x := f)P
k
; if " x g
k
for some k 2 I:
(3). (x > f)
?
; @(x := f);S =

(x > f)
?
; @(x := f)S; if # x p g;
(x > f)
?
; @(x := f)P
k
; if # x g
k
for some k 2 I:
(4). (x = f)
?
; @(x := f);S = (x = f)
?
; @(x := x)S
where b
?
is an assertion defined as if b skip else chaos
([8]).
For a general guarded choice G, we can also transform it
by this law into a guarded choice []
i2I
(g
i
P
i
), where no
output guard in fg
i
j i 2 Ig will enable any guards of the
process following it. Without loss of generality, from now
on, we assume all guarded choices meet this property.
Assignment distributes forward over conditional.
(cond-1) v := e; (if b(v)P elseQ) =
if b(e) (v := e;P ) else (v := e;Q)
Iteration is subject to the fixed point theorem.
(iter-1) while b P = if b (P ;while b P ) else skip
Non-deterministic choice is idempotent, symmetric and
associative.
(nond-1) P u P = P
(nond-2) P uQ = Q u P
(nond-3) P u (Q uR) = (P uQ) u R
Parallel operator is symmetric and associative, and has
chaos as zero.
(par-1) P k Q = Q k P
(par-2) P k (Q k R) = (P k Q) k R
(par-3) chaos k P = chaos
Local variable declaration enjoys the following laws.
(lvar-1) var x  (x := e) = skip
(lvar-2) Provided x is not free in b, then
var x  (if b P elseQ) = if b (var x  P ) else (var x Q)
(lvar-3) If x is not free in Q, then
(1) var x Q = Q
(2) (var x  P );Q = var x  (P ;Q)
(3) Q; (var x  P ) = var x  (Q;P )
(4) (var x  P ) k Q = var x  (P k Q)
(lvar-4) var v  (!
v
P ) = var v  (skip;P )
(lvar-5) var u  (var v  P ) = var v  (var u  P )
We will denote var xvar y  : : :var z as var x; y; : : : ; z.
The following is a set of expansion laws which enables us
to convert a parallel process into a guarded choice. We
assume that
G
1
= []
i2I
(g
i
Q
i
) G
2
= []
j2J
(h
j
R
j
)
G
3
= []
k2K
(e
v
k
P
k
) G
4
= []
l2L
(e
u
l
T
l
)
where all g
i
and h
j
are input guards (like @()); all e
v
k
and
e
u
l
are respectively output events with respect to variables
v
k
and u
l
(like ! or @(x := f)).
(par-4) (x := e;G
1
) k (y := f ;G
2
) =
(@(x := e) (G
1
k (y := f ;G
2
))) []
(@(y := f) ((x := e;G
1
) k G
2
))
(par-5) G
1
k (y := f ;G
2
) =
(@(y := f)(G
1
k G
2
)) [] []
i2I
g
i
(Q
i
k (y := f ;G
2
))
(par-6) Let g =
df
or
i2I
g
i
, h =
df
or
j2J
h
j
, then
(G
1
[]G
3
) k (G
2
[]G
4
) =
[]
i2I
((g
i
and :h) (Q
i
k (G
2
[]G
4
)) []
[]
j2J
((h
j
and :g) ((G
1
[]G
3
) k R
j
)) []
[]
i2I;j2J
((g
i
and h
j
) (Q
i
k R
j
)) []
[]
k2K;j2J;e
v
k
 h
j
(e
v
k
(P
k
k R
j
)) []
[]
k2K;e
v
k
 p h
(e
v
k
(P
k
k (G
2
[]G
4
))) []
[]
i2I;l2L;e
u
l
 g
i
(e
u
l
(Q
i
k T
l
)) []
[]
l2L;e
u
l
 p g
(e
u
l
((G
1
[]G
3
) k T
l
))
(par-7) An assignment thread is involved.
(1) (x := e) k (y := f) =
(@(x := e) (y := f)) [] (@(y := f) (x := e))
(2) (x := e) k G
2
=
(@(x := e)G
2
) [] []
j2J
(h
j
((x := e) k R
j
))
The parallel operator is distributive over non-deterministic
choice.
(par-8) (P uQ) k R = (P k R) u (Q k R)
In some special case, the parallel operator distributes over
conditional.
(par-9) var v
1
; : : : ; v
n
 ((if b S
1
else S
2
) k G) =
var v
1
; : : : ; v
n
 (if b (S
1
k G) else (S
2
k G)),
provided guards in G are either event controls with respect
to variables in fv
1
; : : : ; v
n
g or time-delay guards.
Time-delay guards are involved in the following law.
(par-10) Let 
1
> 
2
> 0,  > 0.
(1). (#S)[]G
3
= G
3
(2). (G
1
[] #
1
S) k (G
2
[] #
2
T ) =
[]
i2I
((g
i
and :h) (Q
i
k (G
2
[] #
2
T )) []
[]
j2J
((h
j
and :g) ((G
1
[] #
1
S) k R
j
)) []
[]
i2I;j2J
((g
i
and h
j
) (Q
i
k R
j
)) []
[] #
2
((#(
1
 
2
)S) k T )
(3). (G
1
[] #S) k (G
2
[] #T ) =
[]
i2I
((g
i
and :h) (Q
i
k (G
2
[] #T )) []
[]
j2J
((h
j
and :g) ((G
1
[] #S) k R
j
)) []
[]
i2I;j2J
((g
i
and h
j
) (Q
i
k R
j
)) []
[] # (S k T )
The guarded choice is idempotent, symmetric and associa-
tive.
(guard-1) G
1
[] G
1
= G
1
(guard-2) G
1
[] G
2
= G
2
[] G
1
(guard-3) (g
1
Q
1
) [] ((g
2
Q
2
) [] (g
3
Q
3
)) =
((g
1
Q
1
) [] (g
2
Q
2
)) [] (g
3
Q
3
)
(guard-4) var v  ((@(
v
)P ) []G
1
) = var v G
1
The construct always S executes S forever.
(always-1) always S = S; always S
From the operational semantics of Verilog ([7]), we know
the fact that skip is not a left zero of sequential composition
in general cases, because it might filter some signal.
Hereby, the following inequation is obvious.
@ " v 6= skip; @ " v
The following definition will capture those cases where
skip is a left zero of sequential composition.
Definition 2.3 (Event control insensitive) A process P is
event control insensitive if skip;P = P . 
Theorem 2.4 The following processes are event control in-
sensitive.
 x := e, skip , chaos , or #(t);
 @(x := e), !
v
;
 if b P elseQ, case (e) (pt
1
S
1
) : : : (pt
n
S
n
), while bQ;
 []
i2I
(g
i
Q
i
), v := g e, where no guards are event con-
trols;
 P
1
;P
2
, where P
1
is event control insensitive;
 P
1
u P
2
, P
1
k P
2
, where both P
1
and P
2
are event
control insensitive;
 always S, where S is event control insensitive;
 var v
1
; : : : ; v
n
 (S
1
k : : : k S
n
), where each S
i
is
either event control insensitive, or only guarded by
events with respect to variables in fv
1
; : : : ; v
n
g. 
From those basic algebraic laws mentioned above, we in-
vestigate the following lemma, which will be very useful in
later discussions.
Lemma 2.5 Let P = (@
u
P
2
); Q = (! 
u
; @
v
Q
2
),
suppose sequential programs P
2
; Q
1
are event control in-
sensitive, P
1
is a sequential process not containing any tim-
ing controls, and variables u; v do not occur in P
1
or Q
1
,
then
(1):var u; v  (P k Q) = var u; v  (P
2
k (@
v
Q
2
))
(2): var u; v  (P k (Q
1
;Q)) =
var u; v  (Q
1
; (P k Q))
(3): var u; v  ((P
1
;P ) k (Q
1
;Q)) =
var u; v  ((P
1
k Q
1
); (P k Q)) 
Proof: The proof is presented in [12].
We introduce an ordering relation between programs before
further investigation.
Hardware/Software Allocation
Hardware/Software Partitioning
for Kernel Specification
Hardware/Software Partitioning for the
Whole Environment-Driven System
a collection of provable
partitioning rules:
correctness-preserv ing
 system partition rule:
correctness preserv ing
Kernel Specification
M arked Specification
Kernel Sw Specification Kernel Hw Specification
Software Specification Hardware Specification
Figure 1. Hw/Sw Partitioning Strategy
Definition 2.6 (Refinement) Let P; Q be Verilog pro-
cesses employing the same set of variables, we say Q is
a refinement of P , denoted as P v Q, if P u Q = P is
algebraically provable. 
3 Partitioning Strategy
This section is devoted to introduce our hard-
ware/software partitioning strategy, which can be described
in four steps, see Fig. 1.
 Before conducting the partitioning process, the pro-
grammer codes the kernel specification for the system
in our co-specification language, which is a sequential
subset of Verilog and will be explained in detail in next
section.
 Then, assisted by program analysis techniques ([13]),
the programmer carries out the hardware/software al-
location task, i.e., marks out those parts that should
be implemented by hardware and divides the variables
employed by the kernel specification into two disjoint
sets.
 Our hardware/software partitioning algorithm will take
such a marked program as input, and deliver as output
the corresponding hardware and software kernel speci-
fications. In this step, we design and prove a collection
of syntax-based splitting rules, which ensure the cor-
rectness of the partitioning process and make computer
automatic partitioning possible.
 Finally, hardware/software partitioning results for the
whole environment-driven system are derived from the
results in the third step.
We successfully propose an algebraic approach to hard-
ware/software partitioning, which ensures the correctness
of the hardware/software partitioning process and facilitates
the automatic partitioning.
In later sections, we will first investigate our partitioning
framework and then explore the algebraic partitioning rules.
4 The Decomposition Framework
In this section, we intend to introduce our hard-
ware/software partitioning framework. We propose our co-
specification language and investigate the underlying target
hardware/software architectures.
The co-specification language we adopt is a sequential
subset of Verilog, which comprises the following syntactic
elements.
S ::= AC (primitive command)
j S;S (sequential composition)
j if b S else S (conditional)
j S u S (non-deterministic choice)
j while b S (iteration)
j (g S) [] (g S) (guarded choice)
where
AC ::= v := e j !
v
j @
v
j # j chaos
j (v := e)
n
(assign. with timing constraint)
j hSi (specific block)

v
::= s v j " v j # v
The assignment statement with time constraint (v := e)
n
doesn’t appear explicitly in Verilog’s syntax introduced in
section 2, but it is in fact a well-formed Verilog program
since
(v := e)
n
= u
0kn
(v := #k e)
Moreover, the block notation in hSi has no semantical
meanings.
From the customer’s requirements, the programmer can
describe the kernel specification for the system to be de-
signed in this co-specification language. After appropriate
hardware/software marking and allocation, a marked source
program is passed to the partitioning process.
The underlying target hardware and software compo-
nents from the kernel specification will own specially-
chosen forms. We adopt an event-trigger mechanism to syn-
chronise behaviours between hardware and software, and
use a shared-variable mechanism to cope with interactions
between hardware and software.
The kernel part of the software specification is a member
of CP (r; a), a subset of Verilog programs, which is con-
structed by the following inductive rules.
(1). An event control insensitive process not containing
variables r; a;
(2). ! 
r
;C; @
a
, where C is a member of CP (r; a)
not mentioning r; a, or any timing controls;
(3). C
1
;C
2
, or if bC
1
elseC
2
, or C
1
u C
2
, or
(g
1
C
1
) [] (g
2
C
2
), where C
1
; C
2
; g
1
; g
2
2 CP (r; a);
(4). while bC, where C 2 CP (r; a).
We introduce another set CP
"
(r; a) comprising those
processes in CP (r; a) not mentioning variable ".
As mentioned in last section, our splitting task is divided
into two steps. Firstly, we design a collection of algebraic
rules to refine any source program S (the kernel specifica-
tion for the system) to its hardware/software decomposition
C
0
k D
0
where the software componentC
0
is of the form (C;!
"
),
C is a member of CP
"
(r; a), the special event ! 
"
is
adopted for the purpose of synchronisation between hard-
ware and software, and the hardware component D
0
is sub-
ject to the following equation:
D
0
= X  ((@
r
M ;!
a
;D
0
) [] (@
"
skip))
whereM =
df
case (id) (p
1
M
1
) : : : (p
n
M
n
) is a case con-
struct not containing r; a; ". D
0
represents a digital device
which offers a set of services M
1
; : : : ;M
n
to its environ-
ment. It responds to a request by matching the current value
of shared variable id (a natural number assigned by the soft-
ware) with the patterns p
1
; : : : ; p
n
to choose a correspond-
ing method to serve.
We denote as DP (r; a; ") the set of processes with the
same form as D
0
.
To avoid any possible loss of signals at the moment when
the fixed point construct (equation) is expanded, we nat-
urally claim that an abstract event only takes place at the
moment when there’s no other active events at all.
Secondly, given the kernel specification S of a system,
rather than considering its hardware/software partition, we
deal with the decomposition for the whole system’s specifi-
cation
	
s
f
(S) =
df
always (@
s
S;!
f
)
which is driven by the external environmental process:
Env =
df
always (!
s
; @
f
)
and derive the partitioning of 	s
f
(S) under the environment
Env as
	
s
f
(C) k
Env
D
where P k
Env
Q =
df
P k Env k Q; the software com-
ponent enjoys the form
	
s
f
(C) =
df
always (@
s
C;!
f
)
where C is a process from CP (r; a); the hardware compo-
nent D is of the form:
D =
df
always (@
r
M ;!
a
)
We denote as DP (r; a) the set of processes of the same
form as D.
The following theorem ensures the synchronized termi-
nation between the kernel hardware and software specifica-
tions.
Theorem 4.1 For any C
1
; C
2
in CP
"
(r; a) and D
0
in
DP (r; a; "), we have
(C
1
;C
2
;!
"
) k D
0
=
((C
1
;!
"
) k D
0
); ((C
2
;!
"
) k D
0
)

Proof: By structural induction on C
1
. The detailed proof is
presented in [14]. 
The following corollary is directly from theorem 4.1.
Corollary 4.2 Given C 2 CP
"
(r; a), D
0
2 DP (r; a; "),
we have
(while bC;!
"
) k D
0
= while b ((C;!
"
) k D
0
)

5 Hardware/Software Partitioning
This section specifies our hardware/software partition-
ing process in detail. As mentioned in section 3, the task
is divided to two steps: hardware/software partitioning for
kernel specification; decomposition of the whole system’s
specification. The process will be investigated in detail in
the following two subsections.
5.1 Splitting Rules for Kernel Specification
This subsection is meant to design program partitioning
rules. We explore a set of splitting rules which demonstrate
how to construct hardware and software parts of a program
construct from those of its constituents. Meanwhile, we
show how to split atomic commands.
We introduce a predicate Split which plays a vital role
in formalising the splitting rules.
Definition 5.1 (Split) Let V = fr; a; "; idg. Given a
program S in the co-specification language, its hard-
ware/software partition ((C;!
"
); D
0
) is specified by the
following predicate:
Split
V
(S;C;D
0
) =
df
(S v (C;!
"
) k D
0
) ^
(C 2 CP
"
(r; a)) ^ (D
0
2 DP (r; a; ")) ^
(V  V ar(C;!
"
) \ V ar(D
0
)) ^
(V \OccVar(S) = ;)
where OccVar(P ) denotes the set of variables occurring in
the program P . 
We design two set of syntax-based splitting rules in
two different styles: the software-extraction style and the
software-hardware-extraction style. The programmer can
choose either of them to conduct hardware/software parti-
tioning.
5.1.1 The Software-Extraction Splitting Rules
The software-extraction approach builds the hardware com-
ponent from a marked program in one step before partition-
ing, i.e., all services the hardware should provide are inte-
grated at the beginning. However, it constructs the software
component from those of its constituents using the follow-
ing rules.
Software-Extraction Rule for Sequential Composition
Split
V
(S
i
; C
i
; D
0
); i = 1; 2
V ar(S
1
) = V ar(S
2
)
Split
V
(S
1
;S
2
; C
1
;C
2
; D
0
)
Proof
S
1
; S
2
f; is monotonicg
v ((C
1
;!
"
) k D
0
); ((C
2
;!
"
) k D
0
) ftheorem 4:1g
= (C
1
; C
2
;!
"
) k D
0

Software-Extraction Rule for Conditional
Split
V
(S
i
; C
i
; D
0
); i = 1; 2
V ar(S
1
) = V ar(S
2
)
Split
V
(if b S
1
else S
2
; if bC
1
elseC
2
; D
0
)
Software-Extraction Rule for Non-Deterministic Choice
Split
V
(S
i
; C
i
; D
0
); i = 1; 2
V ar(S
1
) = V ar(S
2
)
Split
V
(S
1
u S
2
; C
1
u C
2
; D
0
)
Software-Extraction Rule for Guarded Choice
Split
V
(S
i
; C
i
; D
0
); i = 1; 2
V ar(S
1
) = V ar(S
2
)
Split
V
((g
1
S
1
) [] (g
2
S
2
); (g
1
C
1
) [] (g
2
C
2
); D
0
)
Proof The proofs for the above three rules are presented in
[14].
Software-Extraction Rule for Iteration
Split
V
(S; C; D
0
)
Split
V
(while b S; while bC; D0)
Proof It’s straightforward from corollary 4.2. 
5.1.2 The Software-Hardware-Extraction Splitting
Rules
In the software-hardware-extraction style, both the hard-
ware and software components of the source program are
integrated from those of its constituents.
Before investigating the software-hardware-extraction
splitting rules, we introduce the notion of mergeable on
hardware components from DP (r; a; ").
Definition 5.2 Let
D
i
=
df
X  ((@
r
M
i
;!
a
;X) [] (@
"
skip)),
where
M
i
=
df
case (id) (pi
1
M
i
1
) : : : (p
i
n
M
i
n
i
), for i = 1; 2.
D
1 and D2 are said to be mergeable, denoted by
mergeable(D
1
; D
2
), if
V ar(D
1
) = V ar(D
2
), and
(p
1
i
= p
2
j
) implies M1
i
= M
2
j
, for 1  i  n
1
, 1  j 
n
2
.
In such a case, we define
D = integrate(D1; D2) =
df
X  ((@
r
M ;!
a
;X) [] (@
"
skip)),
where M =
df
case (id) (t
1
M
1
) : : : (t
r
M
r
),
and
ft
1
; : : : ; t
r
g = fp
1
1
; : : : ; p
1
n
1
g [ fp
2
1
; : : : ; p
2
n
2
g,
and
fM
1
; : : : ;M
r
g = fM
1
1
; : : : ;M
1
n
1
g [ fM
2
1
; : : : ;M
2
n
2
g. 
First of all, we present a basic rule for hardware aug-
mentation, from this and the software-extraction rules in
the former section, we can directly obtain the corresponding
software-hardware-extraction rules in all cases.
Auxiliary Rule for Hardware Augmentation
Split
V
(S; C; D)
mergeable(D;D
0
)
Split
V
(S; C; integrate(D;D0))
Proof The proof can be reached in [12]. 
SW-HW-Extraction Rule for Sequential Composition
Split
V
(S
i
; C
i
; D
i
)
V ar(S
1
) = V ar(S
2
)
mergeable(D
1
; D
2
)
Split
V
(S
1
;S
2
; C
1
;C
2
; integrate(D
1
; D
2
))
SW-HW-Extraction Rule for Conditional
Split
V
(S
i
; C
i
; D
i
)
V ar(S
1
) = V ar(S
2
)
mergeable(D
1
; D
2
)
Split
V
(if b S
1
else S
2
;
if bC
1
elseC
2
; integrate(D
1
; D
2
))
SW-HW-Extraction for Non-Deterministic Choice
Split
V
(S
i
; C
i
; D
i
)
V ar(S
1
) = V ar(S
2
)
mergeable(D
1
; D
2
)
Split
V
(S
1
u S
2
; C
1
u C
2
; integrate(D
1
; D
2
))
SW-HW-Extraction Rule for Guarded Choice
Split
V
(S
i
; C
i
; D
i
)
V ar(S
1
) = V ar(S
2
)
mergeable(D
1
; D
2
)
Split
V
((g
1
S
1
) [] (g
2
S
2
);
(g
1
C
1
) [] (g
2
C
2
); integrate(D
1
; D
2
))
The software-hardware-extraction rule for iteration en-
joys exactly the same form as the corresponding software-
extraction rule.
5.1.3 Splitting Atomic Commands
The details for specific blocks’ partitioning are similar to
discussions in [13].
For the assignment with time constraint (v := f(x; c))
n
,
we only concentrate on the cases where both the hardware
and software participate in the update of v.
Case 1: f is a hardware-marked function, and x is allo-
cated to hardware.
Split
B
(S = ((v := f(x; c))
n
); C; D), where
C =
df
((id := 1)
0
;!
r
; @
a
; (v := ly)
0
), and
D =
df
X 

(@
r
case (id) (1 (ly := f(x; c))
n
);!
a
;X)
[] (@
"
skip)

.
Case 2: f is a hardware-marked function, but x is allo-
cated to software.
Split
B
(S = ((v := f(x; c))
n
); C; D), where
C =
df
((id := 1)
0
; (lx := x)
0
;!
r
; @
a
; (v := ly)
0
),
and
D =
df
X 

(@
r
case (id) (1 (ly := f(lx; c))
n
);!
a
;X)
[] (@
"
skip)

.
Case 3: f is not a hardware-marked function, but x is
allocated to hardware.
Split
B
(S = ((v := f(x; c))
n
); C; D), where
C =
df
((id := 1)
0
;!
r
; @
a
; (v := f(lx; c))
n
), and
D =
df
X 

(@
r
case (id) (1 (lx := x)
0
);!
a
;X)
[] (@
"
skip)

.
5.1.4 A Small Example
Given a kernel specification for a system as follows:
w := u + v;
#1;!(w ready);
@(z ready); if (z = u) (v := u  v) else skip;
while ((b && w  u  v)
n
1
)f
u := u + w;
w := ((u   v)  (u + v))
n
2
;
#1; !(w ready)
g
We suppose hardware/software allocation has been tackled
as below, in accordance with the results of static analysis
and the programmer’s decision:
 variable allocation: only one variable v is allocated to
hardware, others are left to software;
 computation allocation: the complicated expressions,
(b && w  u  v)
n
1
) and ((u   v)  (u + v))
n
2
, will
be evaluated by hardware, others are left to software.
By applying afore-mentioned splitting rules in either
style, we obtain the following hardware and software ker-
nel specifications.
Environment System
)(SsfΨEnv
start
sη
finish
fη
start
sη
fη
SW
)(CsfΨ
HW
D
start
finish
Environment
Env finish
Figure 2. Hardware/Software Partition for the
Whole System
Hardware Part:
X
((@
r
case (id)
8
>
>
<
>
>
:
1 lv := v
2 v := lv
3 (lb := b && w  lu  v)
n
1
4 (lw := (lu   v)  (lu + v))
n
2
9
>
>
=
>
>
;
;
!
a
;X)
[](@
"
skip))
Software Part:
id := 1; !
r
; @
a
; w := u + lv;
#1; !(w ready); @(z ready);
if (z = u)
0
@
id := 1; !
r
; @
a
;
lv := u  lv;
id := 2; !
r
; @
a
1
A else skip;
id := 3; lu := u; !
r
; @
a
;
while (lb)f
u := u + w; id := 4; lu := u; !
r
; @
a
;
w := lw; #1; !(w ready);
id := 3; lu := u; !
r
; @
a
g
5.2 Hw/Sw Partitioning for the Whole System
Now we investigate hardware/software partitioning for
the whole system. The partitioning process is illustrated in
Fig. 2.
As discussed in sec. 4, suppose the whole system is spec-
ified by
	
s
f
(S) =
df
always (@
s
S;!
f
)
which is driven by environment process
Env =
df
always (!
s
; @
f
)
The system’s behavior is specified by an infinite loop (an
always construct). In each iteration cycle, the system re-
sponds to the start signal 
s
from the external environment
by running the kernel specification S, and generating the
finish signal 
f
to the external environment afterwards.
For a kernel specification S, suppose we have obtained
its hardware/software decomposition as follows by applying
those rules in section 5.1:
Split
V
(S; C; D)
where V = fr; a; "; idg,
and D = X  ((@
r
M ;!
a
;X) [] (@
"
skip)).
We design the following rule to generate the result for
the partition of the whole system.
System Partitioning Rule
Split
V
(S;C;D)
Part(	s
f
(S);	
s
f
(C);	
r
a
(M))
where
Part(S;C;D) =
df
((S k Env) v (C k D k Env))
	
v
u
(P ) =
df
always (@
v
P ;!
u
)
Env =
df
always (!
s
; @
f
)
Proof
We define falways
n
(S)g as follows, for all n  0:
always
0
(S) =
df
chaos ;
always
n+1
(S) =
df
S; always
n
(S)
then by law (always-1) ([14]), we have
always S =
F
n0
always
n
(S)
Now by continuity of the parallel operator and law (seq-2)
([14]) , we only need to prove, for all n  0,
(	
s
f
(S)
n
k Env
n
) v ((	
s
f
(C)
n
;!
"
) k D k Env
n
)
where 	s
f
(P )
n
=
df
always
n
(@
s
P ;!
f
)
Env
n
=
df
always
n
(!
s
; @
f
)
By mathematical induction on n.
(1). Basic step (n = 0).
	
s
f
(S)
0
k Env
0
f(seq-2)g
v (chaos ;!
"
) k chaos f(par-3); (par-1)g
= (	
s
f
(C)
0
;!
"
) k D k Env
0
(2). Inductive step (n! n+ 1).
We first prove, for all n  0,
(	
s
f
(C)
n
;!
"
) k Env
n
= always
n
(C);!
"
(y)
By an induction on n.
n = 0. It’s straightforward by law (par-3) and (seq-2).
n! n+ 1.
(	
s
f
(C)
n+1
;!
"
) k Env
n+1
f(par-6); (lvar-4); Theorem 2:4g
= (C;!
f
; 	
s
f
(C)
n
;!
"
) k (@
f
;Env
n
)
fLemma 2:5g
= C; ((!
f
; 	
s
f
(C)
n
;!
"
) k (@
f
;Env
n
))
f(par-6); (lvar-4); Theorem 2:4g
= C; ((	
s
f
(C)
n
;!
"
) k Env
n
)
fhypothesis; (seq-1)g
= always
n+1
(C);!
"
Then, we have
	
s
f
(S)
n+1
k Env
n+1
f(par-6); (lvar-4); Theorem 2:4g
= (S;!
f
; 	
s
f
(S)
n
) k (@
f
;Env
n
)
fLemma 2:5g
= S; ((!
f
; 	
s
f
(S)
n
) k (@
f
;Env
n
))
f(par-6); (lvar-4); Theorem 2:4g
= S; (	
s
f
(S)
n
k Env
n
)
fprecondition; ; is mono:g
v ((C;!
"
) k D); (	
s
f
(S)
n
k Env
n
)
fhypothesisg
v ((C;!
"
) k D); ((	
s
f
(C)
n
;!
"
) k D k Env
n
)
f(y)g
= ((C;!
"
) k D); ((always
n
(C);!
"
) k D)
fTheorem 4:1g
= (always
n+1
(C);!
"
) k D
f(y)g
= (	
s
f
(C)
n+1
;!
"
) k D k Env
n+1

6 Conclusion and Future Work
This paper proposes an algebraic approach to hard-
ware/software partitioning in Verilog algebra. Verilog HDL
is a hardware description language widely used by industry.
Due to its rich language features, Verilog can either be used
to capture system specification or adopted to specify sub-
sequent designs of distinct levels of abstraction, including
RTL design.
We adopt a sequential subset of Verilog as the specifica-
tion language, and allow it to contain time constraints, so as
to describe timing specification. We confine target hardware
and software specifications in specially chosen subsets of
Verilog, and use Verilog’s event-trigger mechanism to syn-
chronise behaviours between them. Whereas, communica-
tions between hardware and software is based on Verilog’s
shared variable mechanism, which will facilitate the subse-
quent hardware/software co-synthesis, and make it possible
to adopt bus techniques to implement interactions between
hardware and software.
The partitioning process in this paper is rather different
from our former approach in [13], where we only dealt with
partitioning for a sequential source program. However, this
paper not only develops a collection of splitting rules to par-
tition a source program into hardware and software compo-
nents, but also discuss hardware/software partitioning for
the whole system which takes the source program as its
kernel specification. The system is specified by Verilog’s
always constructs and its execution is driven by an envi-
ronment process. Such systems widely exist in our daily
life, embedded systems are of this kind. Developing a par-
titioning rule for such systems will be very helpful for us to
investigate correctness-preserved design of embedded sys-
tems.
As part of future work, we need to consider optimiza-
tion and reconfiguration of the hardware specification we
generate before the process of hardware synthesis. Mean-
while, in order to apply this algebraic approach to hard-
ware synthesis, we will have to investigate more helpful al-
gebraic laws for Verilog. He et al have made noticeable
progress ([3, 10]). As another emphasis in future work, we
would like to involve more program analysis techniques into
our co-design process, not only strengthening the existing
analysis for hardware/software allocation ([13]), to obtain
a more reasonable partitioning, but also introducing appro-
priate analyses into the co-synthesis process, to gain fine
performance/cost estimation and to approach an automated
design space exploration.
References
[1] M. Gordon, “The Semantic Challenge of VERILOG
HDL”, In the Proc. of Tenth Annual IEEE Symposium
on Logic in Computer Science, IEEE Computer Soci-
ety Press, pp. 136–145, 1995.
[2] M. Gordon, “Relating Event and Trace Semantics
of Hardware Description Languages”, The Computer
Journal, pp. 27–36, Vol. 45, No. 1, 2002.
[3] He J., “An Algebraic Approach to the Verilog Program-
ming”, will appear in the Proc. of Lisbon Workshop,
2002.
[4] He J., I. Page and J. Bowen, “A Provable Hardware
Implementation of Occam”, LNCS 711, pp. 693–703,
1993.
[5] He J. and J. Bowen, “Specification, Verification and
Prototyping of an Optimised Compiler”, Formal Aspect
of Computing 6, pp. 643–658, 1994.
[6] He J. et al, “Provably Correct Systems”, LNCS 863, pp.
288–335, 1994.
[7] He J. and Zhu H., “Formalising Verilog”, in the Proc. of
ICECS 2000, IEEE Computer Society Press, pp. 412–
415, Lebanon, Dec. 2000.
[8] C.A.R. Hoare and He J., Unifying Theories of Program-
ming, Prentice Hall, 1998.
[9] IEEE Computer Society, IEEE Standard Hardware De-
scription Language Based on the VERILOG Hardware
Description Language (IEEE std 1364-1995), 1995.
[10] J. Iyoda and He J., “Towards an Algebraic Synthesis of
Verilog”, in the Proc of ERSA’2001, Las Vegas, USA,
2001.
[11] I. Page and W. Luk, “Compiling Occam into FPGAs”,
in FPGAs, eds., W. Moore and W. Luk, pp. 271–283,
Abingdon EE&CS books, 1991.
[12] Qin Shengchao, “An Algebraic Approach to Hard-
ware/Software Partitioning in Hardware/Software Co-
Design”, Ph.D thesis, School of Mathematical Sci-
ences, Peking University, March, 2002.
[13] S. Qin and J. He, “Partitioning Program into Hardware
and Software”, in the Proc of APSEC 2001, IEEE Com-
puter Society Press, pp. 309–316, Macau, 4-7 Dec.,
2001.
[14] Qin S., He J., Qiu Z., and Zhang N., “Hard-
ware/Software Partitioning in Verilog”, Research Re-
port 2002-33, School of Mathematical Sciences,
http://www.math.pku.edu.cn/printdoc/182.ps. A short
version is published at LNCS 2495, pp. 168–179,
ICFEM2002, Shanghai, China.
[15] A. Sampaio, An Algebraic Approach to Compiler De-
sign, World Scientific, 1997.
[16] L. Silva, A. Sampaio and E. Barros, “A Normal Form
Reduction Strategy for Hardware/software Partition-
ing”, Formal Methods Europe (FME) 97, LNCS 1313,
pp. 624–643, 1997.
[17] Zhu H., J. Bowen and He J., “From Operational Se-
mantics to Denotational Semantics for Verilog”, in the
Proc. of CHARME 2001, LNCS 2144, pp. 449–464.
[18] Zhu H., J. Bowen and He J., “Deriving Operational
Semantics from Denotational Semantics for Verilog”,
in the Proc. of APSEC 2001, IEEE Computer Society
Press, pp. 177–184, Macau, 4-7 Dec., 2001.
[19] Zhu H. and He J., “A DC-based Semantics for Ver-
ilog”, in the Proc. of the International Conference on
Software: Theory and Practice (ICS2000), pp. 421–
432, Beijing, Aug. 21-24, 2000.
