Abstract
Introduction
The current VLSI design scenario is characterised by high performance, complex functionality and short timeto-market. A reuse-based methodology for SoC design has become essential in order to meet these challenges. Typically, a SoC is an interconnection of different pre-verified IP blocks which communicate using complex protocols. Approaches adopted to facilitate plug-and-play style IP reuse include the development of a few standard on-chip bus architectures such as CoreConnect [13] from IBM, AMBA [2] from ARM among others and the work of the VSI Alliance [1] and the OCP-IP [14] consortium. Figure 1 illustrates a typical bus-based SoC architecture. As IP blocks operate using different protocols and clock speeds, wrappers and bridges are introduced as shown to ensure inter-operability. Unfortunately, the vision of plug-n-play style assembly of SoCs is yet to be realised [3] as IP cores are designed with disparate protocols. IP integration involves compatibility checking between the IP protocols, interface synthesis to resolve protocol mismatches, component composition and system level verification. These additional steps increase the designers' effort and time required for chip design.
There have been research efforts towards modelling and formal verification of bus architectures [7, 11, 19] , automated synthesis and verification of interfaces between mismatched protocols [6, 18] . These efforts have been independently motivated and the semantic disparity of the formalisms used impedes consolidation of solutions from the different areas. We present a formalism called Synchronous Protocol Automata which has been motivated by an extensive study of SoC bus protocols and interaction with designers and is capable of modelling complex protocol features while maintaining syntactic simplicity. This formalism has its foundation in the theory of synchronous languages [5, 16] and unifies seemingly independent existing work in integration and verification of bus based SoC architectures.
We have used this framework to model commonly used SoC bus protocols, to establish incompatibility and to synthesise interfaces for a protocol mismatch problem faced in the industry. Our experience has revealed that in contrast to timing diagrams, our model is more conducive to reasoning about different sequences of behaviours that protocols can exhibit. The modelling exercise also led to a con-cise and comprehensive documentation of the functional aspects of the protocols which can be used by designers.
Related Work and Overview
Different formalisms exist for modelling communicating hardware. The formalisms of Interface [8] and I/O automata [15] bear syntactic similarities to synchronous protocol automata but significant differences arise as we use a lower level of abstraction and synchronous semantics. While actions in these models represent methods and procedure calls, we use actions to describe the behaviour of hardware signals at a clock tick. Our automata consist of states which are either input enabled or input insensitive, an internal clock and control and data channels, all motivated by a hardware specific model.
The models used in the literature on interface synthesis [20, 17] are quite simplistic and informal and no criteria have been identified for interface correctness. In contrast, synchronous languages provide a precise semantic interpretation [4] for hardware behaviour and currently offer sophisticated tool support. Using synchronous protocol automata, we formalise various notions related to interface synthesis and indicate algorithms which apply within this framework.
There exists an independent body of exercises in formal verification of bus protocols including PCI [7] , AMBA [19] and CoreConnect [11] . Such work involved using a model checking tool to verify that a model of the bus system satisfied a set of temporal logic specifications. Writing such specifications is a tedious task and the models used did not always capture all aspects of the protocols verified. As all existing formalisms suffer various deficiencies we propose a framework motivated by the requirements of the various problems studied.
Paper Contributions
In this paper, we present an automata-based framework for modelling all components of a bus architecture including bridges, wrappers, arbiters and components operating on multiple clocks. We provide a novel technique to establish compatibility of two SoC protocols, develop a method to reason about component composition and formalise the correctness criterion for interfaces used in IP integration. Using minimal input from the designer we can generate formal specifications and use them for system level verification. Synchronous protocol automata can easily be translated into any synchronous language or HDL enabling the designer to utilise the arsenal of tools available for these formats.
Following the suggestions of designers, we present a complete model and formal specification of the AMBA bus architecture which can be used by system builders and researchers. We are currently using this framework to generate concise documentations and formal specifications of commonly used protocols [2, 13, 14] .
The paper is organised as follows: Section 2 presents an informal, complete overview of the proposed framework, Section 3 contains the formalisation of synchronous protocol automata, notions of composition, protocol mismatch and interface correctness and outlines the steps towards automated model checking. We illustrate the modelling and verification features with the AMBA bus protocol in Section 4 and conclude with discussions in Section 5.
Overview of Synchronous Protocol Automata
We illustrate this framework using a simple protocol called Handshake shown in Figure 3 (a). Handshake receives input from the control channels grant1, Ack and Rdy, the data channel Data and can write to the control channels BReq1, Req and data channel Address. All transitions are synchronised with the protocol's clock Ð ¾ . Handshake makes a request for the bus and transits to state ½ when it is granted. It transits to state ¾ at the next clock tick, raising a request (Req!1) and writing an address(Address!y) onto the bus. After an acknowledgement is received the protocol awaits an indication(Rdy?1) that data will be available. In the next cycle, the protocol may either read data and reach its final state, which is shaded, or pipeline the next request with the data read phase and transit directly to state ¾. The choice between the outgoing transitions from state is made by an internal condition which is not visible and makes the protocol appear non-deterministic. We call this kind of behaviour weak determinism. It can be observed that states and ½ are equivalent or bisimilar when their outgoing transitions are compared. As the protocol would have had to perform at least one data operation to reach state , we may infer that one or more transfers has taken place. This feature of final states plays a key role in defining protocol compatibility even though a final state may be functionally redundant. Figure 3 (b) illustrates the protocol PipelineSlave which can pipeline its address and data phases as seen in the transition from state ¿ to state ½. Handshake and PipelineSlave can communicate and progress in a lock step fashion. Once Handshake has been granted the bus, the states of the two protocols would go through the sequence´½ ¼µ, ¾ ½µ,´¿ ¾µ,´ ¿µ,´ µ. Since the two protocols are able to communicate once the bus is granted, we call them a matched protocol pair.
We now consider a protocol Peripheral in Figure 3 These automata describe a system with two masters and a slave on a high speed bus, a slave on a low speed bus, an arbiter and a bridge. Once all components in the system have been modelled, compatibility checks can be enforced. Additional aspects of correctness can be checked by translating the automata into the input language of a model checker. Properties that the designer may wish to ensure include mutual exclusion in bus ownership specified as ´ Ö ÒØ ½ Ö ÒØ ¾ µ and liveness which includes the specification ´ Ù×Ê Õ ¾ Ö ÒØ ¾ µ. This liveness property will fail as the arbiter in this system may ignore Ö ÒØ ¾ forever. As such properties would be required to hold in all bus protocols, it is sufficient for the designer to identify the grant, request and acknowledge signals to automate property generation. More complex specifications are explored in sections 3 and 4. The predicate ÐÓ Ò ´Õµ is true in a state Õ if all outgoing transitions are guarded. Õ is non-blocking if all outgoing transitions are unguarded. When the automaton is in a state, the transition whose guard evaluates to true is taken at the clock tick. If more than one guard is true, a nondeterministic choice is made. We require that all states be ei-ther blocking or nonblocking. Our focus is restricted to a subclass of nondeterministic automata which are weakly deterministic like Handshake. A protocol is weakly deterministic if transitions to multiple target states are distinguishable by their output or lead via identical transitions to states distinguishable in this manner. A state with two different data transitions is non-deterministic but not weakly deterministic. These restrictions reflect the general structure of bus protocols and are unique to our formalism. 
Formal Definitions

Definition 2 Two non-blocking states
Protocol Compatibility
Given models of the communicating components in a SoC architecture, it is of great importance to ensure that data is always transferred as required and that deadlocks do not occur. Intuitively, at any clock tick, the actions that a pair of protocols attempt to perform should permit both of them to progress. We use the predicate permit and a transaction relation defined below to formalise these notions. Intuitively, Ô ÖÑ Ø´Ë ½ Ë ¾ µ holds for a given pair of actions if for every read operation in one action, a write exists in the other and vice versa. Causality cycles are eliminated by using the causal graph. Using Ô ÖÑ Ø´Ë ½ Ë ¾ µ we may establish that two actions are compatible with each other. In order to establish compatibility between two automata È ½ and È ¾ with final states Ö and Ø respectively, we define a relation on their states. 
Definition 4 A causal dependency graph between a pair of actions Ë ½ and Ë ¾ is constructed by adding a directed edge from to
Definition 6 A transaction relation is a symmetric binary
The first condition matches the final states of two protocols. The second condition ensures that if both protocols perform only data operations they operate on the same channels and the third ensures that each guard in a transition in one protocol is satisfied by some action of the other. The last condition states that if both protocols have a default guard which is true they should transit simultaneously to matched states. This situation would be extremely rare in a real protocol but has been added for completeness. 
Definition 7 A protocol pair
If such a relation does not exist, the protocol pair is mismatched and an interface has to be synthesised. An interface can also be modelled as a synchronous protocol automaton Á. Á can be composed with either protocol, say È ¾ to get a new automaton denoted Á È ¾ where is a synchronous parallel composition operator. We formalise the notion of interface correctness which applies to wrappers and bridges as well. Correctness can be defined equivalently in terms of È ½ Á and È ¾ . Interfaces can be synthesised using techniques presented in [6, 17, 20] . We present a synthesis technique which is correct by construction in [10] . Synchronous parallel composition is defined below.
Definition 9
The synchronous parallel composition È ½ È ¾ of two synchronous protocol automata È ½ and È ¾ with a shared set of channels Using this model and requirements stated in the AMBA specification [2] , a formal specification of the protocol was created. Some interesting properties are discussed below. The page numbers refer to the AMBA specification. 16 wait states led to cumbersome formulae. It was easier to write protocol automata describing these properties. A single protocol automaton can be written to capture all properties pertaining to burst constraints. This automaton can then be used to observe if the architecture satisfies a given property by composing it with the system and checking to see if bad states are reachable. This style of observer based verification is well known in the synchronous language literature [12] .
Conclusions
In this paper we used Synchronous Protocol Automata to formalise the notions of protocol mismatch, interface correctness and component composition and showed how these methods lend themselves to interface synthesis and model checking. This formalism has been used to document and formally specify the AMBA protocol. Complete documentation and specifications of other bus architectures such as the CoreConnect and the Open Core Protocol will be available soon. We have applied our framework successfully in an industrial setting. This formalism has proved to have a high utility value and we are currently focusing on providing tool support for the methods described here.
