Wright State University

CORE Scholar
Kno.e.sis Publications

The Ohio Center of Excellence in KnowledgeEnabled Computing (Kno.e.sis)

4-1997

Characterizing a Portable Subset of Behavioral VHDL-93
Krishnaprasad Thirunarayan
Wright State University - Main Campus, t.k.prasad@wright.edu

Robert Ewing

Follow this and additional works at: https://corescholar.libraries.wright.edu/knoesis
Part of the Bioinformatics Commons, Communication Technology and New Media Commons,
Databases and Information Systems Commons, OS and Networks Commons, and the Science and
Technology Studies Commons

Repository Citation
Thirunarayan, K., & Ewing, R. (1997). Characterizing a Portable Subset of Behavioral VHDL-93. Hardware
Description Languages and Their Applications, 3, 97-113.
https://corescholar.libraries.wright.edu/knoesis/889

This Conference Proceeding is brought to you for free and open access by the The Ohio Center of Excellence in
Knowledge-Enabled Computing (Kno.e.sis) at CORE Scholar. It has been accepted for inclusion in Kno.e.sis
Publications by an authorized administrator of CORE Scholar. For more information, please contact librarycorescholar@wright.edu.

Characterizing a portable subset of behavioral
VHDL-93
Krishnaprasad Thirunarayan
Dept. of Computer Science and Engineering
Wright State University, Dayton, OH-45435
email: tkprasad@cs.wright.edu
phone: (513)-873-5109
fax: (513)-873-5133
Robert L. Ewing
Wright Laboratory (Avionics Division)
Wright Patterson AFB, Dayton, OH-45433.
May 5, 2009
Abstract
Goossens defined a structural operational semantics for a subset of
VHDL-87 and proved that the parallelism present in VHDL is benign. We
extend this work to include VHDL-93 features such as shared variables and
postponed processes that change the underlying semantic model. In the
presence of shared variables, non-deterministic execution of VHDL-93 processes destroys the unique meaning property. We identify and characterize
a class of portable VHDL-93 descriptions for which unique meaning property can be salvaged. Our specification can serve as a correctness criteria
for a VHDL-93 simulator.

Topics: Hardware Description Languages, Standards; Formal Methods;
Verification and Validation.
1

1

Introduction

VHDL has been designed to facilitate specification, documentation, communication and formal manipulation of hardware designs at various levels of abstraction
[1]. The semantics of VHDL-93 are given in English prose in [7]. The goal of
developing formal semantics is to provide a complete and unambiguous specification of the language. Adherence to this standard will contribute significantly
to the sharing, portability and integration of various applications and computeraided design tools; to the implementation of language processors; and for formal
reasoning about VHDL descriptions. Furthermore, this exercise enhances our
understanding of the various VHDL-93 constructs/features.
There have been a number of proposals for a formal semantics of VHDL,
almost all of them dealing with subsets of VHDL-87 [2, 3, 4, 8, 9]. In particular,
Goossens [4] defines a structural operational semantics [5] for a subset of VHDL-87
that includes almost all the fundamental behavioral constructs in a single VHDL87 entity. Börger et al (Chapter 4, [3]) provide a formal definition of VHDL-93
features using EA-machines. However, they do not formally prove properties of
their semantics.
In this paper we build on Goossens work which deals with a subset of behavioral
VHDL-87. We define a structural operational semantics for a subset of behavioral
VHDL-93 that includes features such as shared variables and postponed processes,
not present in VHDL-87. These VHDL-93 constructs fundamentally change the
underlying semantic model of VHDL. In particular, the unique meaning (monogenicity) property proved for the subset of VHDL-87 in [4] no longer holds in the
presence of shared variables because of non-deterministic and asynchronous nature of process executions. However, we characterize a class of portable VHDL-93
descriptions for which the unique meaning property can be salvaged. That is, we
specify VHDL-93 descriptions that will always yield same results when interpreted
by different simulators or by the same simulator on different runs. The goal is to
provide an approximate but formal interpretation of the following statement in
Section 4.3.1.3 in the VHDL LRM [7].
A description is erroneous if it depends on whether or how an implementation sequentializes access to shared variables.
2

Our formalization can be viewed as a specification for the VHDL-93 simulators
against which the correctness of an implementation can be verified. It specifies
additional run-time machinery that can potentially be incorporated in a VHDL-93
simulator to flag VHDL-93 descriptions that cannot be “safely” ported. In course
of this development we also explain and correct a few errors that have crept into
the formal description of the VHDL-87 semantics given in [4].
The rest of this paper is organized as follows: Section 2 presents the abstract syntax of the VHDL-93 subset and Section 4 specifies its semantics. The
primary emphasis is on the changes to the semantics in [4] resulting from the
introduction of shared variables and postponed processes. We explore the causes
of non-portability and then formally define what we mean by portable VHDL-93
descriptions. Section 3 illustrates the portability problem. In Section 5 we prove
some interesting properties of portable descriptions. Section 6 presents some conclusions.

2

Abstract Syntax of VHDL-93 subset

The abstract syntax of the core subset of behavioral VHDL-93 is shown below.

1

• Syntactic Categories
pgm
p
ss
s
x
v

∈
∈
∈
∈
∈
∈

P rograms
N onP ostponedP rocesses
SequentialStatements(= SSt)
Signals(= Sig)
V ariables(= V ar)
V alues(= V al)

proc
pp
e
S
sx

∈
∈
∈
∈
∈

P rocesses
P ostponedP rocesses
Expressions(= Expr)
SetsOf Signals
SharedV ariables(= SV ar)

• Definitions
1

The corresponding VHDL-93 concrete syntax should be obvious with the exception of the
process statement:
(while true do ssi ) ≡ (i : process begin ssi end process i; )

3

pgm
proci
pi
ppi
ssi

ei

ki∈I proci
pi | postponed ppi
while true do ssi
while true do ssi
null | x := ei | sxi := ei | s <= ei after ei
| ssi ; ssi | wait on S for ei until ei
| while ei do ssi | if ei then ssi else ssi
::= null | v | x | sxi | s
| ei bop ei | uop ei | s0 delayed(ei )

::=
::=
::=
::=
::=

A program in this VHDL-93 subset can be viewed as a fully elaborated behavioral VHDL-93 description [7]. It is a collection of processes communicating with
each other through signals and shared variables. k is the parallel composition
operator and I is a finite index set. As mentioned earlier, a VHDL-93 description
is portable if one can associate a unique meaning with it. To characterize portable
VHDL-93 descriptions, we associate the identity of a process with each occurrence
of a shared variable.2 So we have tagged the meta-variables proc, p, pp, ss, and
e with subscript i representing the index of the associated process proci .3
The set of processes has been partitioned into postponed processes (pp) and
non-postponed processes (p). The predicate postponed? is true of all postponedprocess indices. A process is a sequence of statements that can be executed
repeatedly. The statements include assignments, wait statements, and control
statements. In wait statements, whenever “on S ”, “for e”, or “until e” are
omitted, “on Sue ” (where Sue is the set of signals in the until clause), “for ∞”,
or “until true” respectively are assumed. In signal assignments, whenever the
after-clause is omitted, “after 0” is assumed. The expression syntax is standard
and includes logical and arithmetic expressions.
With regards to the static semantics, we assume that the VHDL-93 descriptions are well-typed , and all the signals with multiple drivers have a suitable
resolution function associated with them. For instance, the expression e in “for
2
3

See Section 4.1.1 for concrete examples.
Alternatively, this can be easily specified through the static semantics.

4

e” is assumed to be of integer type, while that in “until e” is of boolean type.
We now explore the semantic complications caused by the introduction of
shared variables into VHDL.

3

The Causes of Non-Portability

Intuitively, a VHDL-93 description is portable if it assigns the same “observable”
values to all (shared) variables and signals. The following examples illustrate the
causes of non-portability and motivate restrictions required to guarantee portability of VHDL-93 descriptions. We assume that all variables/shared variables of
integer type are initially 0.
Example 1. The following VHDL description is not portable as the value of sx
after t-ns (> 0) can be either 1 or 2 (due to inherent nondeterminism).
while true do (sx := 1; wait for 1 ns;)
k
while true do (sx := 2; wait for 1 ns;)
Example 2. Similarly, the following description is not portable as the value of z
after t-ns can be either t or t + 1.
while true do (y := y + 1; sx := y; wait for 1 ns;)
k
while true do (z := sx; wait for 1 ns;)
Example 3. On the contrary, the following description is portable because, in
each unit-time-interval, the shared variable is either only read simultaneously by
both processes, or is accessed in read/write mode only by the second process. The
value of sx after t-ns is d 2t e.
while true do (y := sx; wait for 2 ns;)
k
while true do (z := sx; wait for 1 ns; sx := sx + 1; wait for 1 ns;)
Example 4. Similarly, the following description is portable because the two processes execute in separate (delta) cycles.
while true do (sx := sx + 1; wait for 1 ns;)
5

k
while true do (wait until sx = 5; sx := 0; )
In what follows, we develop the structural operational semantics for the given
VHDL-93 subset by extending the work of Goossens [4].

4

Structural Operational Semantics

Let Val , Sig, Var , SVar , Expr , and SSt denote the domains of values, signals,
variables, shared variables, expressions and sequential statements respectively.

4.1

Semantic Entities

The state of a computation is captured by the history of values of each signal, the
value bound to each variable and each shared variable, and the “activity” status
of each postponed process.
Each process has a local store LStore that models the persistent value bindings
of the variables and the signals. Without loss of generality, we assume that each
variable implicitly holds an integer or a boolean value.4 V al = Z ∪ B. Each
signal s is interpreted as a partial function f : Z 7→ V al⊥ satisfying the following
constraints [4]: for n < 0, f (n) is the value of the signal n time steps ago; f (0) is
the current value of the signal s; for n ≥ 0, f (n + 1) is the projected value for n
time steps into future. f (1) contains the value scheduled for the next delta cycle.
f contains at least h−∞, ii and h0, vi for initial value i and current value v of
s. Note that only for n ≥ 0 is h(n + 1), ⊥i a valid pair in f and encodes a null
transaction for time n.
The domain SStore models the value bindings of the shared variables. To
guarantee portability of VHDL-93 descriptions, access to shared variables must
be restricted. In any simulation cycle, all processes may read a shared variable,
or exactly one process may read and write a shared variable, without jeopardizing
portability. However, one cannot permit arbitrary reads and writes across processes. To characterize portable VHDL-93 descriptions, we associate with each
4

Z stands for the set of integers and B for the set of booleans.

6

shared variable, its current value, the type of last access (read/write) and the index
of the process accessing it. The distinguished constants ⊥ and > denote undefined
and all respectively. The constant ⊥ represents the case where a shared variable
has not yet been accessed in the current cycle, while the constant > represents
the case where all processes are permitted to access the shared variable.
It is also necessary to remember whether or not a postponed process is active,
ready to be run at the end of the last delta cycle for the current time. Thus, the
domain PPStat is defined as a subset of (postponed) process indices I .
Thus, the signatures of the semantic domains are5 :
LStore = (V ar 7→ V al) × (Sig 7→ P(Z × V al⊥ ))
SStore = (SV ar 7→ (V al × (I ∪ {⊥, >}) × P({r, w})))
P P Stat = P(I)
4.1.1

Handling of Shared Variables for Portability

We now propose a scheme to ensure that the value bound to each shared variable
in every cycle is well-defined (unique) in spite of the non-deterministic execution
of the processes. For this purpose, we tag each shared variable with two additional
pieces of information — the index of the process accessing it and the type of last
access (read/write). In each simulation cycle, if only one process accesses a shared
variable, the final value of the shared variable is uniquely determined (because
of the sequential execution of the statements in a process). Similarly, if a shared
variable is only read by some/all processes, the value of the shared variable remains
unchanged. However, if multiple processes try to access a shared variable while
one of them is writing into it in the same cycle, there is potential for ambiguity
in the final value of the shared variable. One can capture the constraints for
portability by defining a suitable transition function on the “states” of the shared
variable as explained below:
• At the beginning of each simulation cycle, the state of a shared variable can
be denoted by hv, ⊥, ∅i, where ∅ signifies that the variable has not yet been
5

P stands for the powerset operator.

7

accessed. Assume that a read by process i is denoted by i, while the action
of writing u is denoted by hi, ui.
If process i issues a read, the state of the shared variable changes to hv, i, {r}i.
i
The corresponding state transition is written as: hv, ⊥, ∅i 7−→ hv, i, {r}i.
If process i now writes a u, the state of the shared variable changes to
hi,ui
hu, i, {r, w}i and the state transition is written as: hv, i, {r}i 7−→ hu, i, {r, w}i.
• If the current state of the shared variable is hv, i, {r}i and process j issues
a read, all subsequent accesses to the shared variable can only be reads, to
ensure portability. This is because, a subsequent write to the shared variable
by a process i (resp. j) can potentially affect the value of the shared variable
read by the remaining statements in process j (resp. i). To capture this
restriction, the following state transitions are defined, where > means any
process:
hj,ui

j

hv, i, {r}i 7−→ hv, >, {r}i and hv, >, {r}i 7−→ hu, >, {r, w}i.
The state hv, >, {r}i should permit only reads by any process, while the
state hv, >, {r, w}i signifies a non-portable computation. This is mirrored
by the following transitions:
hj,ui

j

hv, >, {r}i 7−→ hv, >, {r}i and hv, >, {r}i 7−→ hu, >, {r, w}i.
hj,ui

j

hv, >, {r, w}i 7−→ hv, >, {r, w}i and hv, >, {r, w}i 7−→ hu, >, {r, w}i.
• Now consider all possible transitions from the state hv, i, {w}i.
If process i issues a read, then only i should be allowed subsequent access,
for portability. However, if process j issues a read, the code is not portable,
because there is potential for ambiguity in the value that process j reads.
In particular, it could be v or the value the shared variable had prior to v.
j

i

hv, i, {w}i 7−→ hv, i, {r, w}i and hv, i, {w}i 7−→ hv, >, {r, w}i

if i 6= j.

If process i writes v, there is no change in the state. However, if process i
writes u, then process i should have exclusive access, for portability.
hi,vi

hi,ui

hv, i, {w}i 7−→ hv, i, {w}i and hv, i, {w}i 7−→ hu, i, {r, w}i

8

if u 6= v.

If process j writes v, all processes can be permitted to write the same value,
for portability. However, if process j writes u, then the code is not portable
because the final value of the shared variable can be either v or u depending
on how the processes are scheduled.
hj,vi

hv, i, {w}i 7−→ hv, >, {w}i

if i 6= j.

hj,ui

hv, i, {w}i 7−→ hu, >, {r, w}i if i 6= j ∧ u 6= v.
We crystallize and complete the above description by formally defining a deterministic finite state automaton that keeps track of accesses to a shared variable,
to distinguish access-sequences that are portable from those that are potentially
non-portable.
A deterministic finite-state automaton (DFA) is a 5-tuple [6]: (Q,Ω,Γ,F, q0 ),
where Q is the set of possible states, Ω is the alphabet, Γ is the transition function
(Γ : Q × Ω 7→ Q), F is the set of accepting states (⊆ Q), and q0 is the initial state
(∈ Q). We customize these sets for the problem at hand as follows:
• Q = V al × (I ∪ {⊥, >}) × P({r, w}).

6

Recall that the shared variable value is tagged with the index of the process
that accesses it and the type of last/allowed access. The possible types of
accesses are: ∅, {r}, {w} and {r, w} representing no access yet, read-access,
write-access, and read/write-access respectively. The ⊥ value for the index
signifies that no process has yet accessed the shared variable in the given
simulation cycle, while the > value means that all processes are allowed
access.
• Ω = I ∪ (I × V al).
The state of a shared variable changes when it is accessed. A read-action is
represented by the index of the process from which the read has been issued,
while a write-action is represented by a pair consisting of the value to be
written and the index of the process from which the write has been issued.
6

I is finite, but Val is infinite. However, for our purposes, we make the simplifying but
realistic assumption that Val is arbitrarily large but finite. (Overflow will trigger a run-time
error.)

9

• The deterministic transition function Γ is given below:
hi,ui

i

hv, ⊥, ∅i 7−→ hv, i, {r}i

hv, ⊥, ∅i 7−→ hu, i, {w}i
j

i

hv, i, {r}i 7−→ hv, >, {r}i

hv, i, {r}i 7−→ hv, i, {r}i
hi,ui

hv, i, {r}i 7−→ hu, i, {r, w}i

hv, i, {r}i 7−→ hu, >, {r, w}i

hv, i, {w}i 7−→ hv, i, {r, w}i

hv, i, {w}i 7−→ hv, >, {r, w}i

hi,vi

hi,ui

hv, i, {w}i 7−→ hv, i, {w}i
hv, i, {w}i 7−→ hv, >, {w}i

if i 6= j

j

i

hj,vi

if i 6= j

hj,ui

hv, i, {w}i 7−→ hu, i, {r, w}i

if i 6= j
if u 6= v

hj,ui

if i 6= j hv, i, {w}i 7−→ hu, >, {r, w}i if i 6= j ∧ u 6= v
j

i

hv, i, {r, w}i 7−→ hv, i, {r, w}i

hv, i, {r, w}i 7−→ hv, >, {r, w}i

hi,ui

hj,ui

hv, i, {r, w}i 7−→ hu, i, {r, w}i

hv, i, {r, w}i 7−→ hu, >, {r, w}i

if i 6= j
if i 6= j

hj,ui

j

hv, >, {r}i 7−→ hv, >, {r}i

hv, >, {r}i 7−→ hu, >, {r, w}i

j

hv, >, {w}i 7−→ hv, >, {r, w}i
hj,vi

hj,ui

hv, >, {w}i 7−→ hv, >, {w}i

hv, >, {w}i 7−→ hu, >, {r, w}i

hv, >, {r, w}i 7−→ hv, >, {r, w}i
• F = (V al × {⊥} × {∅})
{>} × {{r}, {w}})

S

if u 6= v

hj,ui

j

hv, >, {r, w}i 7−→ hu, >, {r, w}i

(V al × I × {{r}, {w}, {r, w}})

S

(V al ×

Informally, the set of accepting states characterizes the safe sequences of
reads and writes for portability.
• q0 = hv, ⊥, ∅i.
v is the value of the shared variable at the beginning of a simulation cycle.
The index ⊥ and the type of access ∅ signify that the shared variable has
not yet been accessed.
The states in (V al × {⊥} × {{r}, {w}, {r, w}}) ∪ (V al × I × {∅}) ∪ (V al ×
{>} × {∅}) are unreachable from q0 , and those in V al × {>} × {{r, w}} are the
dead states.
Lemma 4.1 Every string (of read/write actions) in the language of the DFA
satisfies one of the following properties:
(a) Every action in the string is a read action, that is, it is in I. Furthermore,
the value of the shared variable remains unchanged.
10

(b) Every action in the string contains the same index i, that is, it is either i or
hi, ?V al i. Furthermore, the final value of the shared variable is the last value
written.
(c) Every action in the string is a write action with the same value component,
that is, it is in I × {{v}}. Furthermore, the final value of the shared variable
is the value written.
Proof Sketch: It is easy to see the result by starting from the final states and
tracing all the relevant transitions in reverse.
•
Lemma 4.1 lays the foundation for defining portability. Let Size(rs) return
the size of the set of indices in the read sequence rs. (size(ijkjij) = 3.)
Lemma 4.2 Let q, q1 , q2 ∈ Q, and rs1 , rs2 ∈ I ∗ be two sequences of reads that are
rs
rs
permutations of each other. Then, the relation (q 7−→1 ∗ q1 ∧ q 7−→2 ∗ q2 ⇒ q1 = q2 )
holds.
Proof: We consider two cases: (a) Size(rs1 ) <= 1. Trivial. (b) Size(rs1 ) > 1.
Follows straightforwardly from the definition of the transition function.
•
4.1.2

Advancing time

A program is evaluated with respect to the global structure Store defined as
follows:
Store = P(LStore) × SStore × P P Stat
σ, σi ∈ LStore
ψ
∈ SStore

Σ, Σi ∈ P(LStore)
ξ
∈ P P Stat

Two functions — T , U : Store 7→ Store — are defined to advance time and
delta time respectively [4]. The function T transforms a Store as follows:
• The (local) variables are unchanged: T (σi )(x) = σi (x).

11

• For signals: T (σi )(s) = {hn−1, vi | hn, vi ∈ σi (s)} ∪ {h0, σi (s)(2) else σi (s)(0)i}.
Here x else y means “if x is defined then x else y”. Note that there is an
error in [4] since it has 1 in place of 2, and as shown later, σi (s)(1) is always
undefined when T is applied.
• For shared variables: T (ψ)(sx) = hv, ⊥, ∅i, where ψ(sx) = hv, i, ai.
• For the status of the postponed-processes: T (ξ) = ∅.
A signal s is active if ∃σi ∈ ΣI , v ∈ V al⊥ : h1, vi ∈ σi (s). A process can resume
if it is sensitive to an active signal or it has been timed-out. (See Section 4.4.)
The function U effects only the value of the active signals, the state of the
shared variables, and the status of the postponed processes. It leaves unchanged
the values of variables, shared variables, and inactive signals.
• For shared variables: U(ψ)(sx) = hv, ⊥, ∅i, where ψ(sx) = hv, i, ai.
• For active signals s, the current value is replaced by rs ∈ V al, obtained
through the signal resolution function fs applied to the driving values of the
signal [4]:
rs = fs {{vi | ∃i ∈ I : h1, vi i ∈ σi (s) ∧ vi 6= null}}
U(σi )(s) = (σi (s) \ {h0, σi (s)(0)i, h1, σi (s)(1)i}) ∪ {h0, rs i}
Here, {{.}} denotes a multiset. fs is assumed to be a commutative resolution
function. null signifies disconnection. Note that inactive signals do not
participate in determining the final resolved value.
• The determination of the status of the postponed processes is described in
Section 4.4.
The signatures of the relevant semantic functions are:
E : Expr 7→ LStore × SStore 7→ V al⊥ × SStore
→ss , →proc : (LStore × SStore × SSt) 7→ (LStore × SStore × SSt)
→pgm : (Store × SSt) × (Store × SSt)
12

An expression is evaluated with respect to the local/shared store and it returns
a value and a (possibly modified) shared store. A program (resp. statement) and a
store evolve into a new program (resp. statement) and an (resp. unique) updated
store.

4.2

Semantics of Expressions

Let fst stand for the function that extracts the first component of a pair and the
set dom(f ) stand for the domain of a partial function f . Let ψv (sx) ∈ V al denote
the first (value) component of the triple ψ(sx) associated with the shared variable
sx. For concreteness, we specify the rules for variables, signals and for compound
expressions involving a binary operator. Also, ψ[sx 7→ st] = (λsy. if sx ≡
sy then st else ψ(sy)).
E [[x]] hσ, ψi
E [[sxi ]] hσ, ψi
E [[s]] hσ, ψi
E [[s0 delayed(ei )]] hσ, ψi
E [[ei bop e0i ]] hσ, ψi

=
hσ(x), ψi
i
= hψv (sxi ), ψ[sxi 7→ st]i,
if ψ(sxi ) 7−→ st
=
hσ(s)(0), ψi
=
hσ(s)(n), ψi
n = max{m | m ∈ dom(σ(s)) ∧
m ≤ −fst(E [[ei ]] hσ, ψi) ≤ 0}
0
00
=
hv bop v , ψ i
if E [[ei ]] hσ, ψi = hv, ψ 0 i
and E [[e0i ]] hσ, ψ 0 i = hv 0 , ψ 00 i

The value of the delayed expression is required to be non-negative. (There is
a minor error in [4] here.) s0 delayed(0 ns) 6= s during any simulation cycle where
there is a change in the value of s. (See Section 14.1 in the LRM [7].) For correct
handling of delayed-attribute we also need to store the previous value of each
signal in the LStore.
Theorem 4.1 The meaning of an expression is independent of the order of evaluation of its subexpressions.
Proof Sketch: The meaning of an expression consists of its value and the shared
store. As the expressions only inspect (read) the values bound to variables, shared
variables and signals, and never modify (write) them, the value component is
independent of the order of evaluation. So the result follows from Lemma 4.2 and
structural induction.
•
13

4.3

Semantics of Statements

The semantic rules for all but the signal assignment statement and the wait statement are more or less standard.
For concreteness, the rules for assignment to a shared variable and for whileloop can be specified as follows: (Recall that, σ[x 7→ v] = (λy. if x ≡
y then v else σ(y)). )
E [[e]] hσ, ψi = hv, ψ 0 i ∧ ψ 00 = ψ 0 [ sxi 7→ Γ(ψ 0 (sxi ), hi, vi) ]
hσ, ψ, sxi := e ; ss i →ss hσ, ψ 00 , ss i
E [[e]] hσ, ψi = htrue, ψ 0 i
hσ, ψ, while e do ss0 i →ss hσ, ψ 0 , ss0 ; while e do ss0 i
E [[e]] hσ, ψi = hfalse, ψ 0 i
hσ, ψ, while e do ss0 ; ssi →ss hσ, ψ 0 , ss i
The signal assignment statement changes the value of a signal by adding a
time-value pair and eliminating all other pairs that are scheduled for a later time.
Let update(σ, s, v, t) = (σ(s) \ {hn, σ(s)(n)i | n > t}) ∪ {ht + 1, vi}. (There is a
minor error in [4] here.)
E [[e]] hσ, ψi = hv, ψ 0 i ∧ E [[et]] hσ, ψ 0 i = ht, ψ 00 i ∧ t ≥ 0
hσ, ψ, s <= e after et ; ssi →ss hupdate(σ, s, v, t), ψ 00 , ss i

4.4

Semantics of Processes and Programs

The semantic rules for processes/postponed processes (that is, for →proc ) are similar to those for statements (that is, →ss ). A process unwinds into a potentially
infinite sequence of statements.
A program (that is, fully elaborated behavioral VHDL-93 description) consists
of a collection of sequential processes that execute independently. Global synchronization and (synchronous) communication through (common) signals takes place
when all the processes reach a wait-statement. Otherwise, these processes execute
asynchronously between wait-statements and can communicate (asynchronously)
through shared variables. ( We use kI hσi , ψ, ξ, ssi i for h hkI σi , ψ, ξi, kI ssi i.)

14

Rule 1:
kI∪{j}

hσj , ψ, ssj i →ss hσj0 , ψ 0 , ss0j i
hσi , ψ, ξ, ssi i →pgm kI∪{j} hσi0 , ψ 0 , ξ, ss0i i

σi0

where = σi ∧ ss0i = ssi for all i 6= j, and σi0 = σj0 ∧ ss0i = ss0j for i = j.
This rule is applicable as long as the first statement of ssj is not a wait-statement.
In the presence of shared variables, the nondeterministic execution of processes embodied in this rule may yield different results. However we can define
restrictions that ensure that all possible executions are “equivalent”, as explained
later.
If no processes can resume (or there are no postponed processes that can run
in the last delta cycle), then the global simulation time is advanced by one. To
achieve this, the store is updated using T and the timeout value in the waitstatment is decremented by one. We use wsi [tei , bei ] for (wait on Si for tei
until bei ).
Rule 2:
¬resume(kI hσi , ψ, ξ, wsi [tei , bei ] ; ssi i) ∧ ∀ i ∈ I : htvi , ψ 0 i = E [[tei ]] hσi , ψi
kI hσi , ψ, ξ, wsi [tei , bei ] ; ssi i →pgm kI hT (σi ), T (ψ), T (ξ), wsi [tvi − 1, bei ] ; ssi i
resume(kI hσi , ψ, ξ, wsi [tei , bei ] ; ssi i) ≡ ∃i ∈ I : resume(σi , ψ, tei ) ∨ (ξ 6= ∅)
A process can resume if it contains a signal that is active or it has been timed
out.
resume(σi , ψ, tei ) ≡ active(σi ) ∨ timeout(σi , ψ, tei )
active(σ) ≡ ∃s ∈ dom(σ), ∃v ∈ V al⊥ : h1, vi ∈ σ(s)
timeout(σ, ψ, te) ≡ f st(E [[te]] hσ, ψi) = 0
A delta cycle7 is initiated in the above situation. Non-postponed processes are
executed if they are timed-out or if the condition in the wait-statement holds.
Rule 3:
∃i ∈ I : ¬postponed?(i) ∧ resume(σi , ψ, tei )
kI hσi , ψ, ξ, wsi [tei , bei ] ; ssi i →pgm kI hU(σi ), U(ψ), ξ 0 , F(wsi [tei , bei ] ; ssi ) i
Informally, the function F executes the wait-statements for those non-postponed
processes that can run.
7

A delta cycle is a simulation cycle where the global time is not advanced.

15

F(wsi [tei , bei ] ; ssi ) =




ssi
if ¬postponed?(i) ∧ run(σi , U(σi ), ψ, tei , bei )
 wsi [tvi , bei ] ; ssi otherwise, where tvi = f st(E [[tei ]] hσi , ψi)

run(σi , σi0 , ψ, tei , bei ) ≡ ( timeout(σi , ψ, tei ) ∨
[ ∃s ∈ Si : event(σi , σi0 , s) ∧ f st(E [[bei ]] hσi0 , ψi) ] )
event(σ, σ 0 , s) ≡ σ(s)(0) 6= σ 0 (s)(0)
Effectively, the timeout expression is evaluated only once in the first deltacycle, while the condition in the wait-statement is evaluated in every delta cycle
in which there is an event on a signal that the process/condition is “sensitive” to.
Whether or not a postponed process can run in the last delta cycle is determined
as follows.
ξ 0 ≡ ξ ∪ {i ∈ I | postponed?(i) ∧ run(σi , U(σi ), ψ, tei , bei )}
The postponed processes that can run are executed only when no non-postponed
process can resume. The condition that causes a postponed process to run may
no longer hold in the state in which the postponed process is actually executed.
(See Section 8.1 in the LRM [7].) It is an error if the execution of a postponed
process initiates another delta-cycle.
Rule 4:
¬(∃i ∈ I : ¬postponed?(i) ∧ resume(σi , ψ, tei )) ∧ ξ 6= ∅ ∧
∀i ∈ ξ : ( hU(σi ), U(ψ), ssi i →ss hσi0 , ψ 0 , ws0i [te0i , be0i ] ; ss0i i ) ∧
∀i ∈ I − ξ : ( (σi = σi0 ) ∧ (wsi [tei , bei ] ; ssi ≡ ws0i [te0i , be0i ] ; ss0i ) )
∧ ∀i ∈ I : ¬ready(σi0 , U(σi0 ), ψ 0 , te0i , be0i )
kI hσi , ψ, ξ, wsi [tei , bei ] ; ssi i →pgm kI hσi0 , ψ 0 , ∅, ws0i [te0i , be0i ] ; ss0i i
Again, the well-definedness of →∗pgm depends on the portability restrictions
we impose. Also recall that →ss is transitive.

16

5

Properties of the Operational Semantics

We are now ready to formally define the notion of portability. Let →∗pgm be the
reflexive transitive closure of →pgm , and (Q,Ω,Γ,F, q0 ) be the DFA described
in Section 4.1.1.
Definition 5.1 A program (kI while true do ssi ) is a portable VHDL-93 description if, for every computation of the form
(kI hσi , ψ, ξ, while true do ssi i →∗pgm kI hσi0 , ψ 0 , ξ 0 , ss0i i),
we have ∀sx ∈ SV ar : (ψ(sx) = q0 ) ⇒ ψ 0 (sx) ∈ F.
From Lemma 4.1, this implies permitting arbitrary interleaving of statementexecutions as long as each shared variable is accessed either by all processes in
read-mode, or by all processes in write-mode and the same value is written in, or
by the same process in read/write mode, between two successive synchronization
points.
We now investigate properties about the semantics of the portable VHDL-93
descriptions, to gain deeper understanding and to increase our confidence in the
formalization of the semantics.
Theorem 5.1 A process that does not contain a wait-statement loops forever.
Theorem 5.2 The semantics of expressions E (resp. statements →ss ) is determisnitic.
Theorem 5.3 The statement wait on ∅ for ∞ until true; causes the enclosing process to suspend forever.
We now show that the portable VHDL-93 descriptions can be given a unique
meaning.
Theorem 5.4 The values bound to variables, shared variables, and signals of the
processes of a portable VHDL-93 description sampled when all of them are waiting
are unique.
17

Proof Sketch: Effectively, we need to show that, if
kI hσi , ψ, ξ, wsi [tei , bei ] ; ssi ; ws0i [te0i , be0i ] ; ss0i i →∗pgm kI hσi0 , ψ 0 , ξ 0 , ws0i [te0i , be0i ] ; ss0i i
holds, then σi0 , ψ 0 , and ξ 0 are unique, where each ssi does not contain any waitstatements.
Now consider the four semantic rules for →pgm given in Section 4.4, which
have disjoint antecedents. The application of Rule 1 and Rule 4 for portable
descriptions yields unique result because of Definition 5.1 and Lemma 4.1. The
application of Rule 2 and Rule 3 for the wait-statement define a unique transformation because the resolution functions fs and U, and the time increment function
T are one to one and total.
•
Theorem 5.5 The portability condition given in Definition 5.1 is sufficient but
not necessary for VHDL-93 descriptions to have a unique meaning.
Proof: There exist trivial descriptions such as kI while true do sx := sx; that
have a unique meaning, but violate the portability definition.
•
Theorem 5.6 The portability condition given in Definition 5.1 is non-local.
Proof: Consider the two processes PS (with sflag initially true)
while true do (if sflag then sx := 1 else sx := 2; wait for 2 ns;)
k
while true do (sx := 1; wait for 2 ns;)
executing in parallel with each of the following processes:
P1: while true do ( wait for 1 ns; sflag := true; wait for 1 ns;)
P2: while true do ( wait for 1 ns; sflag := false; wait for 1 ns;)
Running with P1, PS is portable; while running with P2, PS is not portable. •
As a consequence of this non-locality, it is not possible to incrementally check
VHDL-93 descriptions for portability.
Theorem 5.7 Given a VHDL-93 description, it is not possible to determine statically (that is, at compile time) whether or not it is portable.

18

Proof Sketch: If the VHDL-93 description contains a “free” shared variable
whose value is not known at compile-time, then it is obvious that portability
check cannot be made statically. The program PS and the shared variable sflag
given in the proof of Theorem 5.6 exemplify this situation.
Interestingly, the result holds even when all the variables, shared variables and
signals are completely defined. The test for portability can then be reduced to
determining whether or not two programs compute the same function.
while true do (
while true do (

. . . sx := Func1(x1) . . . ;
k
. . . sx := Func2(x2) . . . ;

x1 := x1 + 1;

wait for 1 ns;)

x2 := x2 + 1;

wait for 1 ns;)

Let x1 and x2 be initially 0; Func1 and Func2 abbreviate the effect of the
code that computes sx from x1 and x2 . The above program is portable if and
only if the value written into sx by the two processes in every step is identical.
That is, Func1 and Func2 stand for the same function. However, since equivalence
problem for Turing-complete languages is undecidable, the portability cannot be
determined at compile-time.
•
In order to detect lack of portability at run-time, the simulator can be augmented with additional information specified in the DFA described in Section 4.1.1.
One can in fact view this as a new implementation of the abstract data type shared
variable.

6

Conclusions

The designers of VHDL-93 extended VHDL-87 by introducing shared variables
and postponed processes into the language. Here, we developed a structural operational semantics for a behavioral subset of VHDL-93 along the lines of Goossens’
work. In particular, we extended the underlying semantic model to accomodate
new VHDL-93 features. This formal specification can serve as a guide to the implementor and as a correctness criteria for the VHDL-93 simulator. Furthermore,
VHDL-93 LRM stipulates that the VHDL-93 descriptions that generate different behaviors on different simulators are erroneous. In this paper, we explored
19

causes of non-portability through examples and later proposed sufficient conditions for a VHDL-93 behavioral description with shared variables and postponed
processes to be have unique meaning. We also specified how a simulator can be
augmented with additional information to detect and flag non-portability. We
then stated some basic properties about VHDL-93 descriptions, and showed that
test for portability is neither local nor static.

References
[1] Bhasker, J., A VHDL Primer , Second Edition, Prentice Hall, Inc., 1994.
[2] Breuer, P., Sanchez, L., and Kloos, C. D., A simple denotational semantics, proof
theory and validation condition generator for unit delay VHDL, Formal Methods
in System Design, 7(1-2), July 1995.
[3] Kloos, C. D., and Breuer, P., eds., Formal Semantics of VHDL, vol. 307, Kluwer
Academic Publishers, March 1995.
[4] Goossens, K. G. W., Reasoning about VHDL using operational and observational semantics, In: Advanced Research Workshop on Correct Hardware Design
Methodologies, ESPRIT CHARME, Springer Verlag, October 1995.
[5] Hennessy, M., The Semantics of Programming Languages: An Elementary Introduction using Structural Operational Semantics, John Wiley & Sons, 1990.
[6] Hopcroft, J., and Ullman, J., Introduction to Automata Theory, Languages and
Computation, Addison-Wesley Co, 1979.
[7] Institute of Electrical and Electronics Engineers, 345 East 47th Street, New York,
USA. IEEE Standard VHDL Language Reference Manual, Std 1076-1993 , 1993.
[8] van Tassel, J. P., Femto-VHDL: The Semantics of a Subset of VHDL and its
Embedding in the HOL Proof Assistant, Ph. D. Dissertation, University of Cambridge, 1993.
[9] Wilsey, P. A., Developing a formal semantic definition of VHDL, In: Mermet,
J., eds, VHDL for Simulation, Synthesis and Formal Proofs of Hardware, Kluwer
Academic Publishers, pp. 243-256, 1992.

20

