Synthèse automatique de circuits numériques à partir de spécifications temporelles by Javaheri, Fatemeh Negin
Automatic synthesis of digital circuits from temporal
specifications
Fatemeh Javaheri
To cite this version:
Fatemeh Javaheri. Automatic synthesis of digital circuits from temporal specifications. Micro
and nanotechnologies/Microelectronics. Universite´ Grenoble Alpes, 2015. English. <NNT :
2015GREAT083>. <tel-01237690>
HAL Id: tel-01237690
https://tel.archives-ouvertes.fr/tel-01237690
Submitted on 3 Dec 2015
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
THÈSE
Pour obtenir le grade de
DOCTEUR DE L’UNIVERSITÉ GRENOBLE ALPES
Spécialité : Nanoélectronique et Nanotechnologies
Arrêté ministériel : 7 août 2006
Présentée par
Fatemeh (Negin) JAVAHERI
Thèse dirigée par Mme. Dominique BORRIONE
et codirigée par Mme. Katell MORIN-ALLORY
Préparée au sein du Laboratoire TIMA
Dans l’École Doctorale Electronique, Electrotechnique, Automatique&
Traitement du Signal (E.E.A.T.S)
Synthèse automatique de circuits
numériques à partir de spéciﬁcations
temporelles
Thèse soutenue publiquement le 1 octobre 2015,
devant le jury composé de :
M. Philippe COUSSY
Professeur, Université de Bretagne Sud, Président
M. Paolo PRINETTO
Professeur, Politecnico di Torino, Rapporteur
M. Rolf DRECHSLER
Professeur, Universität Bremen, Rapporteur
Mme. Dominique BORRIONE
Professeur, Université Joseph Fourier, Directrice de thèse
Mme. Katell MORIN-ALLORY
Maître de Conférences, Grenoble INP, Co-Directrice de thèse

Acknowledgments
Firstly, I would like to express my sincere gratitude to my supervisors Prof. Dominique
BORRIONE and Dr. Katell MORIN-ALLORY for their continuous support of my thesis
studies and research, for their patience, motivation, enthusiasm, and immense knowledge.
Their guidance helped me throughout the execution of this research, and the writing of
this thesis.
Besides my supervisors, I would like to thank the rest of my thesis committee: Prof.
Philip COUSSY for being the president, and Prof. Rolf DRECHSLER and Prof. Paolo
PRINETTO for accepting our invitation to evaluate and examine this thesis and their
useful suggestions and comments.
Also I thank the head of the VDS group, Prof. Laurence PIERRE, and administra-
tion team in the TIMA laboratory: Laurence BENTITO, Anne-Laure FOURNERET-
ITIE, Sophie MARTINEAU, Youness RAJAB, Frederic CHEVROT, Lucie TORELLA,
and Alexandre CHAGOYA for supporting and helping me kindly.
I would like to extend my appreciation to my colleagues and friends: Maryam BAH-
MANI, Alexandre PORCHER, Zeineb BELHADJ AMOR, Ladan AMINI, Hoda BARE-
NIA, Paria SALMANZADE, Leila GRAYELI, Ahmad BIJAR, Laila DAMRI, Hamed
SHEYBANI, and Sahar FOROUTAN for their kindness, support, and all the fun we have
had during the last three years.
I would like to acknowledge the help of Guillaume PLASSAN, Sebastian CORZO, and
Hugo ROYNETTE in collecting some experimental results.
I also thank my best friends Somayeh, Paria, Mona, Nastaran, and Marzieh for all
their supports from a very long distance.
I specially thank Prof. Zain NAVABI who taught me the research attitude. My
appreciation for his fatherly advises and supports cannot be expressed in words.
I would like to express my deepest gratitude to my parents, who support me spiritually
throughout my life, for all of the sacriﬁces that they have made on my behalf. Without
their encouragement and support, I would not have a chance to be here. All I have today
is because of their unconditional love and support. I thank my lovely sister Negar, and
my dear brother Ali for their love and encouragements. Although we were far apart, I felt
them every moment. I would also like to thank my mother, father and sister in-laws for
their kindness and support.
Last but not the least; I would also like to extend my appreciation to my beloved,
Sina NAKHJAVANI for his unconditional love, patience, kindness, and support. Without
his support and patience, I could not complete this journey. Words cannot express how
grateful I am to him.

Contents
1 Introduction 1
1.1 Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Classical design ﬂow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 The proposed design ﬂow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Overview of the thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Assertion-based Veriﬁcation 7
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Review of veriﬁcation technology . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.1 Simulation-based veriﬁcation . . . . . . . . . . . . . . . . . . . . . . 9
2.2.2 Formal veriﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.2.1 Terminology and notations . . . . . . . . . . . . . . . . . 10
2.2.2.2 Regular Expression . . . . . . . . . . . . . . . . . . . . . . 11
2.2.2.3 Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.2.4 Model checking . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.2.5 Equivalence checking . . . . . . . . . . . . . . . . . . . . . 15
2.2.2.6 Theorem proving methods . . . . . . . . . . . . . . . . . . 16
2.3 Assertion languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3.1 Property Speciﬁcation Language (PSL) . . . . . . . . . . . . . . . . 17
2.3.1.1 PSL Boolean layer . . . . . . . . . . . . . . . . . . . . . . 18
2.3.1.2 PSL temporal layer . . . . . . . . . . . . . . . . . . . . . . 18
2.3.1.3 PSL veriﬁcation layer . . . . . . . . . . . . . . . . . . . . 24
2.3.1.4 PSL Modeling layer . . . . . . . . . . . . . . . . . . . . . 24
2.3.1.5 PSL simple subset (PSLsimple) . . . . . . . . . . . . . . . 25
2.3.2 System Verilog Assertion (SVA) . . . . . . . . . . . . . . . . . . . . 25
2.3.2.1 Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.3.2.2 Veriﬁcation directives . . . . . . . . . . . . . . . . . . . . 26
2.3.2.3 Built-in functions . . . . . . . . . . . . . . . . . . . . . . . 26
2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3 State of the art 29
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.2 Property synthesis as monitors . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.2.1 The automaton-based approach . . . . . . . . . . . . . . . . . . . . 30
3.2.2 The modular approach . . . . . . . . . . . . . . . . . . . . . . . . . 32
v
Table of Contents
3.3 Property synthesis as correct-by-construction circuits . . . . . . . . . . . . 34
3.3.1 The automaton-based approach . . . . . . . . . . . . . . . . . . . . 35
3.3.2 The modular approach . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.3.3 Synthesizing from Regular Expressions . . . . . . . . . . . . . . . . 38
3.4 Existing tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4 Fast prototyping from assertions: the overall synthesis ﬂow 43
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.2 Reactant synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.3 Running Example: Generalized Buﬀer . . . . . . . . . . . . . . . . . . . . 45
4.3.1 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.3.2 Communication with FIFO . . . . . . . . . . . . . . . . . . . . . . 47
4.3.3 Communication with the senders . . . . . . . . . . . . . . . . . . . 48
4.3.3.1 Formal FL speciﬁcation . . . . . . . . . . . . . . . . . . . 48
4.3.3.2 Formal SERE speciﬁcation . . . . . . . . . . . . . . . . . 49
4.3.4 Communication with the receivers . . . . . . . . . . . . . . . . . . . 49
4.3.4.1 Formal FL speciﬁcation . . . . . . . . . . . . . . . . . . . 49
4.3.4.2 Formal SERE speciﬁcation . . . . . . . . . . . . . . . . . 53
5 Synthesizing FLs 55
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.2 Formalization of the annotation . . . . . . . . . . . . . . . . . . . . . . . . 56
5.2.1 Dependency relation: deﬁnition and notations . . . . . . . . . . . . 56
5.2.2 Dependency relation between operands of FL operators . . . . . . . 59
5.2.2.1 Always . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.2.2.2 Eventually! . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.2.2.3 Next family . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.2.2.4 Until family . . . . . . . . . . . . . . . . . . . . . . . . . . 61
5.2.2.5 Before family . . . . . . . . . . . . . . . . . . . . . . . . . 62
5.2.2.6 Next event family . . . . . . . . . . . . . . . . . . . . . . 62
5.3 Dependency relation synthesis . . . . . . . . . . . . . . . . . . . . . . . . . 63
5.3.1 Principles of the primitive reactant construction . . . . . . . . . . . 63
5.3.1.1 Boolean reactant . . . . . . . . . . . . . . . . . . . . . . . 64
5.3.2 Generic format of a FL operator . . . . . . . . . . . . . . . . . . . . 65
5.3.2.1 Implementation of an operator of the “forall” group . . . . 66
5.3.2.2 Implementation of an operator of the “exists” group . . . . 69
5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
6 Synthesizing SEREs 73
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.2 Challenges and motivations . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.3 Formalization of the annotation . . . . . . . . . . . . . . . . . . . . . . . . 79
6.3.1 Dependency relation: deﬁnition and notations . . . . . . . . . . . . 80
6.3.2 Dependency relation between operands of SERE operators . . . . . 80
6.3.2.1 Base cases . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.3.2.2 Concatenation . . . . . . . . . . . . . . . . . . . . . . . . 81
6.3.2.3 Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Table of Contents
6.3.2.4 Length-matching conjunction . . . . . . . . . . . . . . . . 82
6.3.2.5 Non length-matching conjunction . . . . . . . . . . . . . . 83
6.3.2.6 Disjunction . . . . . . . . . . . . . . . . . . . . . . . . . . 84
6.3.2.7 Kleene closure . . . . . . . . . . . . . . . . . . . . . . . . 85
6.3.2.8 Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
6.4 Dependency relation synthesis . . . . . . . . . . . . . . . . . . . . . . . . . 86
6.4.1 Principles of the primitive reactant construction . . . . . . . . . . . 86
6.4.1.1 Simple SEREs . . . . . . . . . . . . . . . . . . . . . . . . 88
6.4.1.2 Compound SEREs . . . . . . . . . . . . . . . . . . . . . . 88
6.4.1.3 Unbounded SEREs . . . . . . . . . . . . . . . . . . . . . . 89
6.4.2 Implementation of primitive reactants of SERE operators . . . . . . 89
6.4.2.1 Simple SEREs . . . . . . . . . . . . . . . . . . . . . . . . 89
6.4.2.2 Compound SEREs . . . . . . . . . . . . . . . . . . . . . . 91
6.4.2.3 Unbounded SEREs . . . . . . . . . . . . . . . . . . . . . . 93
6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
7 Annotation of the signals 97
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
7.2 Problem deﬁnition and overall view . . . . . . . . . . . . . . . . . . . . . . 98
7.2.1 Representation of the dependency relation . . . . . . . . . . . . . . 98
7.3 Construction of the property Abstract Syntax Tree (AST) . . . . . . . . . 99
7.4 Construction of the Directed Abstract Syntax Tree (DAST) . . . . . . . . 101
7.4.1 DAST of simple FL operators . . . . . . . . . . . . . . . . . . . . . 102
7.4.2 DAST of extended next FL operators . . . . . . . . . . . . . . . . . 103
7.4.3 DAST of FL logical operators . . . . . . . . . . . . . . . . . . . . . 103
7.4.4 DAST of compound FL operators . . . . . . . . . . . . . . . . . . . 104
7.4.5 DAST of implication operators . . . . . . . . . . . . . . . . . . . . 105
7.4.6 DAST of simple SERE operators . . . . . . . . . . . . . . . . . . . 105
7.4.7 DAST of compound SERE operators . . . . . . . . . . . . . . . . . 106
7.4.8 DAST of unbounded SERE operators . . . . . . . . . . . . . . . . . 107
7.4.9 DAST of PSL directives and functions . . . . . . . . . . . . . . . . 108
7.4.9.1 Boolean layer directives . . . . . . . . . . . . . . . . . . . 108
7.4.9.2 Veriﬁcation layer directives . . . . . . . . . . . . . . . . . 108
7.4.9.3 Modeling layer operators . . . . . . . . . . . . . . . . . . . 108
7.4.10 The annotation algorithm . . . . . . . . . . . . . . . . . . . . . . . 109
7.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
8 Complex Reactant 117
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
8.2 Intuitive construction of a property reactant . . . . . . . . . . . . . . . . . 118
8.2.1 Intuitive construction of an FL reactant . . . . . . . . . . . . . . . 118
8.2.2 Intuitive construction of a SERE reactant . . . . . . . . . . . . . . 119
8.2.2.1 Simple SERE . . . . . . . . . . . . . . . . . . . . . . . . . 119
8.2.2.2 Compound SERE . . . . . . . . . . . . . . . . . . . . . . . 122
8.2.2.3 Unbounded SERE . . . . . . . . . . . . . . . . . . . . . . 122
8.3 Principles of the recursive construction . . . . . . . . . . . . . . . . . . . . 123
8.3.1 The base case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
8.3.2 FL properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
vii
Table of Contents
8.3.3 SERE properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
8.3.3.1 Simple SEREs . . . . . . . . . . . . . . . . . . . . . . . . 125
8.3.3.2 Compound SEREs . . . . . . . . . . . . . . . . . . . . . . 126
8.3.3.3 Unbounded SEREs . . . . . . . . . . . . . . . . . . . . . . 126
8.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
9 Resolution of the signals 129
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
9.2 Constraints computed from directed DASTs . . . . . . . . . . . . . . . . . 130
9.3 Constraints computed from semi-directed DASTs . . . . . . . . . . . . . . 132
9.4 Dependency Graph (DG) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
9.5 Dependency Graph construction . . . . . . . . . . . . . . . . . . . . . . . . 135
9.6 The resolution function: solver . . . . . . . . . . . . . . . . . . . . . . . . 136
9.6.1 Resolving duplicated signals: simple solver . . . . . . . . . . . . . . 136
9.6.2 Resolving unannotated signals: complex solver . . . . . . . . . . . . 137
9.6.2.1 Complex solver implementation . . . . . . . . . . . . . . . 137
9.7 The ﬁnal circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
9.7.1 Checking the consistency . . . . . . . . . . . . . . . . . . . . . . . . 141
9.7.2 Checking the completeness . . . . . . . . . . . . . . . . . . . . . . . 142
9.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
10 Practical Experiments and Results 145
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
10.2 Hardware prototyping and synthesis results . . . . . . . . . . . . . . . . . . 146
10.2.1 IBM Generalized Buﬀer (GenBuf) . . . . . . . . . . . . . . . . . . . 147
10.2.1.1 Synthesis for FPGA implementation . . . . . . . . . . . . 148
10.2.1.2 Synthesis for ASIC implementation . . . . . . . . . . . . . 149
10.2.2 AMBA arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
10.2.2.1 Synthesis for FPGA implementation . . . . . . . . . . . . 151
10.2.2.2 Synthesis for ASIC implementation . . . . . . . . . . . . . 153
10.2.3 Other examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
10.2.4 Comparison between FLs and SEREs . . . . . . . . . . . . . . . . . 154
10.2.4.1 GenBuf . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
10.2.4.2 AMBA Arbiter . . . . . . . . . . . . . . . . . . . . . . . . 156
10.2.4.3 HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
10.3 Completeness and coherency consideration . . . . . . . . . . . . . . . . . . 157
10.4 Guidelines for obtaining smaller circuits . . . . . . . . . . . . . . . . . . . 158
10.4.1 GenBuf: Multiple senders . . . . . . . . . . . . . . . . . . . . . . . 161
10.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
11 Conclusion and future works 163
11.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
11.2 Future works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
A Symbols 167
Table of Contents
B Case study: High-level Data Link Controller 169
B.1 Transmitter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
B.1.1 Parallel to Serial converter . . . . . . . . . . . . . . . . . . . . . . . 172
B.1.2 CRC generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
B.1.3 Zero insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
B.1.4 Flag generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
B.1.5 Transmitter controller . . . . . . . . . . . . . . . . . . . . . . . . . 173
B.2 Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
B.2.1 Flag and abort detection . . . . . . . . . . . . . . . . . . . . . . . . 180
B.2.2 Zero detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
B.2.3 CRC checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
B.2.4 Serial to Parallel converter . . . . . . . . . . . . . . . . . . . . . . . 182
B.2.5 Receiver Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
C Case study: Advanced Microcontroller Bus Architecture 187
D The Annotation Results 191
D.1 IBM Generalized Buﬀer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
D.1.1 Communication with senders . . . . . . . . . . . . . . . . . . . . . 192
D.1.1.1 FL properties . . . . . . . . . . . . . . . . . . . . . . . . . 192
D.1.1.2 SERE properties . . . . . . . . . . . . . . . . . . . . . . . 193
D.1.2 Communication with receivers . . . . . . . . . . . . . . . . . . . . . 194
D.1.2.1 FL properties . . . . . . . . . . . . . . . . . . . . . . . . . 194
D.1.2.2 SERE properties . . . . . . . . . . . . . . . . . . . . . . . 195
D.1.3 Communication with FIFO . . . . . . . . . . . . . . . . . . . . . . 196
D.2 HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
D.2.1 Transmitter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
D.2.1.1 P2S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
D.2.1.2 CRC generation . . . . . . . . . . . . . . . . . . . . . . . 199
D.2.1.3 Zero insertion . . . . . . . . . . . . . . . . . . . . . . . . . 200
D.2.1.4 Flag/Abort generation . . . . . . . . . . . . . . . . . . . . 200
D.2.1.5 Transmitter controller . . . . . . . . . . . . . . . . . . . . 201
D.2.2 Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
D.2.2.1 Flag/Abort detection . . . . . . . . . . . . . . . . . . . . . 204
D.2.2.2 Zero detection . . . . . . . . . . . . . . . . . . . . . . . . 205
D.2.2.3 CRC checker . . . . . . . . . . . . . . . . . . . . . . . . . 206
D.2.2.4 S2P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
D.2.2.5 Receiver controller . . . . . . . . . . . . . . . . . . . . . . 208
D.3 AMBA arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
E SyntHorus2 213
E.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.2 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.2.1 Speciﬁcation ﬁle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.2.2 Type ﬁle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
E.3.1 Command line options . . . . . . . . . . . . . . . . . . . . . . . . . 215
E.3.2 Pragma options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
ix
E.4 Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
References 219
Acronym 229
Publications 233
List of Figures
1.1 Traditional design ﬂow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Our proposed design ﬂow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1 A VHDL assertion example . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2 PSL layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.3 The trace for property SERE1 and SERE2 . . . . . . . . . . . . . . . . . . . 21
2.4 The diﬀerence between PSL weak and strong operators . . . . . . . . . . . 23
2.5 Diﬀerent layers of a PSL property . . . . . . . . . . . . . . . . . . . . . . . 25
4.1 Overall Synthesis Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.2 GenBuf circuit interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.3 FL speciﬁcation that guarantees the correct behavior of FIFO . . . . . . . 47
4.4 An example timeline of a GenBuf to sender handshake . . . . . . . . . . . 48
4.5 FL speciﬁcation of GenBuf communication with senders in the case of two
senders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.6 SERE properties of GenBuf communication with senders in the case of two
senders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.7 An example timeline of a GenBuf to receiver handshake . . . . . . . . . . . 52
4.8 FL speciﬁcation of GenBuf communication with receivers, in the case of
two receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.9 SERE properties of GenBuf communication with receivers in the case of
two receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5.1 An execution trace for P0_sender_0 . . . . . . . . . . . . . . . . . . . . . 57
5.2 Generic interface of a primitive reactant . . . . . . . . . . . . . . . . . . . 63
5.3 Boolean reactant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.4 Illustration of function Ith(�F � true�wki ) . . . . . . . . . . . . . . . . . . . 66
5.5 Interface of the shift register . . . . . . . . . . . . . . . . . . . . . . . . . 67
5.6 Implementation of the “forall” expression . . . . . . . . . . . . . . . . . . . 67
5.7 Implementation of ∀i ∈ [lb, ub] . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.8 Implementation of next![i] . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.9 Implementation of next event a![i to j](B)A . . . . . . . . . . . . . . . . 69
5.10 Implementation of A until!B . . . . . . . . . . . . . . . . . . . . . . . . . 70
5.11 Implementation of the “exists” expression . . . . . . . . . . . . . . . . . . 70
5.12 Implementation of ∃i ∈ [lb, ub] . . . . . . . . . . . . . . . . . . . . . . . . 71
xi
Table of ﬁgures
5.13 Implementation of next e[i to j]A . . . . . . . . . . . . . . . . . . . . . . . 71
6.1 An example timeline for “a is asserted on every even cycle” . . . . . . . . . 75
6.2 Using modeling layer to check “a is asserted on every even cycle” . . . . . . 75
6.3 Sample SERE properties of High-level Data Link Controller . . . . . . . . 76
6.4 FL version of HDLC_300 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
6.5 Timing diagram of P2, where b and c are generated (Example 4) . . . . . . 77
6.6 Timing diagram of P2, where b is generated, c is observed, and not c is
generated (Example 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6.7 Timing diagram of P2, where b is generated, and {c, not c} is observed
(Example 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6.8 Generic interface of a SERE operator . . . . . . . . . . . . . . . . . . . . . 86
6.9 Implementation of {b1; b2} (b1 and b2 are observed) . . . . . . . . . . . . . 90
6.10 Implementation of {b1; b2} (b1 and b2 are generated) . . . . . . . . . . . . 90
6.11 Implementation of {q; b} (q and b are generated) . . . . . . . . . . . . . . . 90
6.12 Timing diagram of {{b1; b2}; b} . . . . . . . . . . . . . . . . . . . . . . . . 91
6.13 Implementation of {b; q} (b and q are generated) . . . . . . . . . . . . . . . 91
6.14 Implementation of {b1}&{b2} . . . . . . . . . . . . . . . . . . . . . . . . . 92
6.15 Implementation of {q}&{b} (q and b are generated) . . . . . . . . . . . . . 92
6.16 Timing diagram of {{b1; b2}&b} . . . . . . . . . . . . . . . . . . . . . . . 93
6.17 Implementation of {q1}&{q2} . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.18 Implementation of b[+] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.19 Implementation of b1[∗]; b2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.20 Implementation of q[∗]; b . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
6.21 Timing diagram of {{b1; b2}[∗]; b} . . . . . . . . . . . . . . . . . . . . . . 95
7.1 Monitoring the value of a Boolean expression . . . . . . . . . . . . . . . . . 98
7.2 The representation of �A�B�w . . . . . . . . . . . . . . . . . . . . . . . . 99
7.3 The representation of the �A�B�w dependency relation . . . . . . . . . . 99
7.4 The abstract syntax tree of P3_rec_0 . . . . . . . . . . . . . . . . . . . . . 100
7.5 The abstract syntax tree of HDLC_240 . . . . . . . . . . . . . . . . . . . . . 101
7.6 Propagation of ingoing and outgoing edges . . . . . . . . . . . . . . . . . 102
7.7 Edges direction for next! . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
7.8 Edges direction for next event! . . . . . . . . . . . . . . . . . . . . . . . . 103
7.9 Edges direction for and . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
7.10 Edges direction for or . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
7.11 Edges direction for until! . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
7.12 Edges direction for ‘–>’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
7.13 Edges direction for ‘;’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
7.14 Edges direction for ‘&&’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
7.15 Edges direction for ‘|’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
7.16 Edges direction for ‘∗’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
7.17 Edges direction for prev . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
7.18 Edges direction for ‘=’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
7.19 The necessary data structures for Annotation . . . . . . . . . . . . . . . . 109
7.20 the pseudo code for the Annotate_in function . . . . . . . . . . . . . . . . 110
7.21 the pseudo code for the Annotate function . . . . . . . . . . . . . . . . . . 111
7.22 The directed abstract syntax tree of P3_rec_0 . . . . . . . . . . . . . . . . 112
Table of ﬁgures
7.23 The directed abstract syntax tree of HDLC_240 . . . . . . . . . . . . . . . . 113
7.24 Annotated FL speciﬁcation of GenBuf communication with receiver in the
case of two receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
8.1 DAST of P5_rec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
8.2 Interconnection of the ‘–>’ primitive reactant (P5_rec) . . . . . . . . . . . 119
8.3 Reactant for P0_rec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
8.4 The directed abstract syntax tree of HDLC_240 . . . . . . . . . . . . . . . . 121
8.5 Simple SERE primitive reactant interconnection . . . . . . . . . . . . . . . 121
8.6 Unbounded SERE primitive reactant interconnection . . . . . . . . . . . . 123
8.7 Base case: Boolean reactants . . . . . . . . . . . . . . . . . . . . . . . . . . 124
8.8 Recursive construction of circuit Cn . . . . . . . . . . . . . . . . . . . . . . 124
8.9 Implementation of Genbuf property P5_rec_0 . . . . . . . . . . . . . . . . 125
8.10 Recursive construction of circuit Cn (Ωn ∈ {; , :}) . . . . . . . . . . . . . . . 125
8.11 Recursive construction of circuit Cn (Ωn ∈ {&,&&, |}) . . . . . . . . . . . . 126
8.12 Recursive construction of circuit Cn (Ωn ∈ {∗,+}) . . . . . . . . . . . . . . 127
8.13 Implementation of HDLC property HDLC_240 . . . . . . . . . . . . . . . . . 127
9.1 DAST of P1_rec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
9.2 DAST of P3_rec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
9.3 DAST of P4_rec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
9.4 DAST of P0_rec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
9.5 DAST of P2_rec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
9.6 Dependency graph of GenBufRec . . . . . . . . . . . . . . . . . . . . . . . 134
9.7 The interface of simple solver for duplicated signals . . . . . . . . . . . . . 136
9.8 The interface of complex solver for unannotated signals . . . . . . . . . . . 137
9.9 The LUT of the complex solver of GenBufRec . . . . . . . . . . . . . . . . 139
9.10 The ﬁnal circuit of GenBufRec . . . . . . . . . . . . . . . . . . . . . . . . . 140
9.11 Timing diagram of BtoR REQ(0) and corresponding trigger signals . . . . . 141
9.12 Timing diagram of BtoR REQ(0) and corresponding trigger signals . . . . . 142
10.1 HW generation time: GenBuf with multiple senders and two receivers . . . 147
10.2 HW generation: GenBuf with 2 senders, multiple receivers and with FIFO 148
10.3 Total number of gates: GenBuf with multiple senders and 2 receivers . . . 150
10.4 Total number of gates: GenBuf with multiple receivers and 2 senders . . . 151
10.5 HW generation time: AMBA arbiter . . . . . . . . . . . . . . . . . . . . . 152
10.6 Total number of gates: AMBA arbiter . . . . . . . . . . . . . . . . . . . . 153
10.7 Total number of gates: GenBuf with multiple senders and 2 receivers (gen-
erated from FLs and SEREs) . . . . . . . . . . . . . . . . . . . . . . . . . 155
10.8 Total number of gates: GenBuf with multiple receivers and 2 senders (gen-
erated from FLs and SEREs) . . . . . . . . . . . . . . . . . . . . . . . . . 156
10.9 Some properties from GenBuf that generate BtoS ACK(0) . . . . . . . . . . 158
10.10The assertion for considering the mutual exclusion of BtoS ACK(0) triggers 158
10.11The wave form, without any failure . . . . . . . . . . . . . . . . . . . . . . 159
10.12A modiﬁed property of GenBuf that generates BtoS ACK(0) . . . . . . . . 159
10.13The wave form, with assertion failure . . . . . . . . . . . . . . . . . . . . . 159
10.14Total number of gates for GenBuf with multiple senders: original and
rewritten speciﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
xiii
B.1 HDLC controller block diagram . . . . . . . . . . . . . . . . . . . . . . . . 171
B.2 Properties that describe P2S . . . . . . . . . . . . . . . . . . . . . . . . . . 172
B.3 Properties that describe CRCGen (for 16-bit CRC) . . . . . . . . . . . . . . 174
B.4 FL properties that describe ZeroInsertion . . . . . . . . . . . . . . . . . 175
B.5 Properties that describe FlagAbortGen . . . . . . . . . . . . . . . . . . . . 175
B.6 Properties that describe transmitter controller . . . . . . . . . . . . . . . . 179
B.7 SERE properties that describe FlagAbortDet . . . . . . . . . . . . . . . . 180
B.8 SERE properties that describe FlagAbortDet . . . . . . . . . . . . . . . . 181
B.9 FL properties that describe ZeroDetection . . . . . . . . . . . . . . . . . 181
B.10 SERE roperties that describe ZeroDetection . . . . . . . . . . . . . . . . 181
B.11 Properties that describe CRCCheck (for 16-bit CRC) . . . . . . . . . . . . . 183
B.12 Properties that describe S2P . . . . . . . . . . . . . . . . . . . . . . . . . . 184
B.13 Properties that describe RController . . . . . . . . . . . . . . . . . . . . . 186
C.1 The AMBA arbiter block diagram (the ﬁgure is taken from [AMB]) . . . . 187
C.2 Annotated FL speciﬁcation of AMBA arbiter (for 2 masters and 2 slaves) . 189
D.1 Annotated FL speciﬁcation of the sender side of GenBuf (2 senders) . . . . 192
D.2 Annotated SERE speciﬁcation of the sender side of GenBuf (2 senders) . . 193
D.3 Annotated FL speciﬁcation of the receiver side of GenBuf (2 receivers) . . 194
D.4 Annotated SERE speciﬁcation of the receiver side of GenBuf (2 receivers) . 195
D.5 Annotated FL speciﬁcation of the FIFO side of GenBuf . . . . . . . . . . . 196
D.6 Annotated SERE speciﬁcation of HDLC transmitter . . . . . . . . . . . . . 197
D.7 Annotated FL speciﬁcation of P2S . . . . . . . . . . . . . . . . . . . . . . . 198
D.8 Annotated FL speciﬁcation of CRCGen . . . . . . . . . . . . . . . . . . . . . 199
D.9 Annotated FL speciﬁcation of ZeroInsertion . . . . . . . . . . . . . . . . 200
D.10 Annotated FL speciﬁcation of FlagAbortGen . . . . . . . . . . . . . . . . . 200
D.11 Annotated FL speciﬁcation of transmitter controller . . . . . . . . . . . . . 203
D.12 Annotated FL speciﬁcation of FlagAbortDet . . . . . . . . . . . . . . . . . 204
D.13 Annotated SERE speciﬁcation of FlagAbortDet . . . . . . . . . . . . . . . 204
D.14 Annotated FL speciﬁcation of ZeroDetection . . . . . . . . . . . . . . . . 205
D.15 Annotated SERE speciﬁcation of ZeroDetection . . . . . . . . . . . . . . 205
D.16 Annotated FL speciﬁcation of CRCCheck . . . . . . . . . . . . . . . . . . . 206
D.17 Annotated FL speciﬁcation of S2P . . . . . . . . . . . . . . . . . . . . . . 207
D.18 Annotated FL speciﬁcation of receiver controller . . . . . . . . . . . . . . . 209
D.19 Annotated FL speciﬁcation of AMBA arbiter (with 2 masters and 2 slaves) 211
List of Tables
2.1 Deﬁnition of the SERE operators . . . . . . . . . . . . . . . . . . . . . . . 20
2.2 Deﬁnition of the FL temporal operators (in VHDL ﬂavor) . . . . . . . . . 22
2.3 Deﬁnition of the SVA operators . . . . . . . . . . . . . . . . . . . . . . . . 27
5.1 Values of parameters for forall (top) and exists (bottom) expressions . . . 66
10.1 ABS tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
10.2 Quartus II synthesis result for GenBuf controller with multiple senders, and
2 receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
10.3 Quartus II synthesis result for GenBuf controller with FIFO, multiple re-
ceivers, and 2 senders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
10.4 Design Vision synthesis result for GenBuf controller with FIFO, multiple
senders, and two receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
10.5 Design Vision synthesis result for GenBuf controller with FIFO, multiple
receivers, and two senders . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
10.6 Quartus II synthesis result for AMBA arbiter with 2 slaves and multiple
masters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
10.7 Design Vision synthesis results for AMBA arbiter . . . . . . . . . . . . . . . 153
10.8 Design Vision synthesis results for HDLC, SDRAM, and CRC . . . . . . . . 154
10.9 Design Vision synthesis results for GenBuf with multiple senders (for SERE
properties) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
10.10Design Vision synthesis results for GenBuf with multiple receivers (for SERE
properties) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
10.11Design Vision synthesis results for AMBA arbiter (for SERE properties) . . 157
10.12Design Vision synthesis results for HDLC (for SERE properties) . . . . . . 157
A.1 Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
xv

Chapter1
Introduction
Contents
1.1 Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Classical design ﬂow . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 The proposed design ﬂow . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Overview of the thesis . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Preface
Day by day the inﬂuence of technical systems on our life increases. They have emerged in
all aspects of our life, ranging from entertainment to communication, business, transport,
and medicine, where they aﬀect human life directly. Digital circuits, as processors or
controllers, are a crucial part of such systems. However, for justifying our dependence on
such systems we should be able to answer this question: “are these systems reliable and
safe?”. Circuit veriﬁcation answers to this question.
Integrated circuit capacity follows Moore’s law. The Intel’s 4004 microprocessor in-
troduced in 1971 had 2300 transistors. Due to the advances in semiconductor technology,
today’s complex systems having a wide variety of functionalities are being integrated in
a single chip as system-on-a-chip (SoC), containing billions of transistors. For example,
Intel’s 15-core Xeon Ivy Bridge-EX is a commercially available CPU (in one chip) with
over 4.3 billion transistors on a single chip [TRA].
The circuits that used to be considered a system, now are just one core among hundreds
of components on a single chip. The increasing size and complexity of the designs, and
the time to market considerations, are creating new veriﬁcation challenges; the veriﬁcation
problem is getting very huge and it has become increasingly diﬃcult to identify all the
design bugs in such a large and complex system before the chips are fabricated. Providing
the appropriate testbenches is another challenge.
Design error detection and correction in hardware is too expensive. Specially, if it
is after fabrication; all the malfunctioned chips should be collected and replaced by the
new ones. This situation occurred with the FDIV bug in the ﬂoating point unit of Intel’s
Pentium processor. The company had to spend about 475 million US dollars to replace the
1
Introduction
faulty processors [Kro99]. Therefore, design errors should be detected as soon as possible.
Earlier bug detection means shorter time to market, less cost, and more success.
However, obtaining ﬁrst time right digital circuits is a hard to reach objective when
considering the current architectures. The veriﬁcation problem of such systems is ad-
dressed by a combination of methods and technologies that include high-level simulation,
property checking, step by step reﬁnement veriﬁcation, prototyping, automatic synthe-
sis and equivalence checking. At some point in the design ﬂow, the use of pre-designed
and fully veriﬁed modules allows to stop the reﬁnement and veriﬁcation process for these
modules. However, their interconnections should still be veriﬁed.
The work reported in this thesis proposes a method and a prototype tool to help the
veriﬁcation of the control and communication protocols between modules. A drawback
of the formal veriﬁcation methods is that they only can be used after the system is
designed. The main idea of this work is to propose methods for generating a system from
its speciﬁcations and verifying its correctness during the process of hardware generation,
correct-by-construction.
In this chapter, we brieﬂy review the design process of SoCs, and discuss its limitations
that are the motivation of this work.
1.2 Classical design ﬂow
Figure 1.1 shows a very abstract view of the traditional design ﬂow. A typical design
process starts by considering the informal behavior of the system. This informal behavior
is generally given in a document written in a human language, for example in English.
Then, the design teams develop an implementation. It may be required to partition a
design into software and hardware, and implement them concurrently. In the next step,
the implementation should be veriﬁed to consider if it conforms to the given speciﬁcations.
To formally verify the design, the formal speciﬁcations should be extracted from the
informal behavior of the system. After veriﬁcation, several reﬁnements of the circuit may
be required due to the detected errors.
This reﬁnement and debugging process is very time consuming for today’s extremely
large and complex circuits. Even if faults are detected prior to fabrication, the required
time for correcting bugs may be high, which can delay the time of introducing the product
to the market. Studies show that a delay of one week equals a revenue loss of at least tens
of millions of dollars [Kro99].
Consequently, a signiﬁcant amount of time during the design process is spent for error
ﬁnding, usually by simulation or emulation. A recent study shows that the total project
time spent in veriﬁcation in 2014 was 57% in average, while it was 46% in 2007. In
addition, the number of projects that spend more than 80% of their time in veriﬁcation
has increased [Fos15].
Moreover, the ﬂow of Fig. 1.1 assumes design and veriﬁcation to be performed by
diﬀerent teams, which brings added diﬃculties:
• Communication between design and veriﬁcation engineers. Providing the formal
speciﬁcations for veriﬁcation is diﬃcult both for design engineers and veriﬁcation
engineers. It is usually diﬃcult for the designers to write temporal declarative asser-
tions. Conversely, it is diﬃcult for a veriﬁcation engineer to extract the designer’s
intent from a conventional Hardware Description Language (HDL) code.
Introduction
System behavior:
Informal speciﬁcation
Hardware
veriﬁcation
Formal
speciﬁcation
Manual hardware 
development
Hardware 
reﬁnement
Figure 1.1: Traditional design ﬂow
• Testing environment. Providing a testbench for a complex exiting design is itself a
challenge. It is diﬃcult to identify all the possible scenarios for a big and complex
design, by analyzing its HDL code. In addition, it is a formidable task to modify
the testbench after identifying a new bug and modiﬁcation in the design. All the
previously examined scenarios should be veriﬁed again, and the testbench should be
revised to consider the possible new scenarios.
1.3 The proposed design ﬂow
The above mentioned diﬃculties have brought us to the context of Assertion Based Syn-
thesis (ABS), i.e. the direct production of compliant (control and communication) modules
from a set of assertions. A property is seen as the speciﬁcation of the module to be de-
signed. The objective is then to directly produce the synthesizable Register Transfer Level
(RTL) design from its assertions.
In ABS, properties about the behavior of a component (assertions) or its environment
(assumptions) specify the input-output functional characteristics of the modules and the
communications between system parts.
Generally, a design assertion (property) expresses the design’s intent. Assertions are
concise, declarative, expressive, and unambiguous speciﬁcations of desired system behav-
ior.
A complete set of assertions can unambiguously characterize how a module reacts to
signals sent to it, logically and temporally.
In the proposed design ﬂow we start the design in a more abstract level, and incor-
porate the veriﬁcation into the design process. The design behavior is expressed formally
using assertions (see Fig. 1.2). In this method, the design and veriﬁcation tasks have
been uniﬁed; a correct-by-construction circuit is generated from the formal speciﬁcations
directly.
3
Introduction
System behavior:
Informal speciﬁcation
Formal
speciﬁcation
Automatic
correct-by-construction
hardware development SyntHorus2
Figure 1.2: Our proposed design ﬂow
The generated circuit is called reactant: it reacts to waveforms on its inputs and pro-
duces waveforms on its outputs, in compliance with the assertions. Compiling assertions
into reactants, and checking the compliance of the reactant behavior with the design is
very eﬃcient.
A reactant may be used to replace a non available module by a fast prototype of it,
to check a more comprehensive design; it may also replace the (complex) environment of
a designed module by a fast prototype of just the part of the environment that interacts
with it.
Our new proposed ﬂow has the following steps:
• providing the formal speciﬁcation of the circuit: It is the ﬁrst step in the design
process, and it is a challenging task to generate the formal speciﬁcations from the
informal description of the circuit, and it is out of the scope of this thesis. In this
context, we assume that we have the formal speciﬁcation of the circuits.
• deriving an implementation from the speciﬁcation: this thesis proposes a method
for synthesizing a circuit from its formal speciﬁcation. We have provided a tool,
SyntHorus2 to synthesize the circuits from speciﬁcations.
• correctness relation and proof: we should check if the properties are complete and
consistent, and also we should check if the implementation is equivalent to the
speciﬁcation.
1.4 Overview of the thesis
The rest of this manuscript is organized as follow: Chapter 2 introduces the principles of
circuit veriﬁcation. In addition, it addresses Property Speciﬁcation Language (PSL), and
the subset of PSL that we deal with in this thesis.
The previous works that have been done in the context of assertion-based veriﬁcation
and synthesis are summarized in Chapter 3.
Chapter 4 introduces our global synthesis ﬂow and a running example, the IBM Gen-
eralized Buﬀer: this is the simplest example that exhibits all the problems to be solved.
Chapter 5 and Chapter 6 explain how to construct the correct-by-construction library
of primitive reactants for FL operators (Chapter 5) and SERE operators (Chapter 6).
The concept of dependency relation is introduced, and a dependency relation is deﬁned
Introduction
for each FL and SERE operator. Then, for each operator, its hardware interpretation is
given in accordance with the trace semantics.
Using the dependency relations, Chapter 7 provides an annotation algorithm to decide
(annotate) the signal’s direction in a single property: the signal is an input to a property
(observed), or is an output of the property (constrained).
Having the library of primitive reactants, and also the signal directions on each prop-
erty, Chapter 8 explains how to generate a property reactant, i.e. a complex reactant. It
is the interconnection of primitive reactants.
Some signals may be constrained by several properties. Moreover, after annotation
some signals may still exist without any directions. The direction of such signals cannot
be determined by considering a property alone. Chapter 9 addresses how to identify the
value of such signals. The method extracts the dependency among all the properties that
include the signal, and then generates solver(s) to specify (resolve) the value of the signal.
Then, the ﬁnal circuit is the interconnection of the complex reactants and the solvers.
Practical results and an analysis of the performance of the method are provided in
Chapter 10. Compared to other existing works, our proposed method is fast, scalable,
and produces reasonably small reactants.
Finally, Chapter 11 concludes the work, and addresses future research.
5
Introduction
Chapter2
Assertion-based Veriﬁcation
Contents
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Review of veriﬁcation technology . . . . . . . . . . . . . . . . . 9
2.2.1 Simulation-based veriﬁcation . . . . . . . . . . . . . . . . . . . 9
2.2.2 Formal veriﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Assertion languages . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3.1 Property Speciﬁcation Language (PSL) . . . . . . . . . . . . . 17
2.3.2 System Verilog Assertion (SVA) . . . . . . . . . . . . . . . . . 25
2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7
Chapter 2 : Assertion-based Veriﬁcation
2.1 Introduction
One of the challenges of SoC design is veriﬁcation, and it is very important to reduce
the veriﬁcation time. The need for an advanced veriﬁcation methodology, with improved
observability of design behavior has increased signiﬁcantly. This requires new design and
veriﬁcation techniques. Here, we introduce an assertion-based methodology that enables
designers to deal with the complex and large circuits, and also meet the time-to-market
goals. This method takes advantage of both simulation-based and formal veriﬁcation: for-
mal veriﬁcation can check scenarios that are hard to cover in simulation, while simulation
can verify the designs that are too big for any formal veriﬁcation methods. Hence, the
assertion-based veriﬁcation can ensure higher design quality and faster time to market.
Generally, a design assertion (property) expresses the design’s intent, and refers to
the properties that should be veriﬁed. Assertions are concise, declarative, expressive,
and unambiguous speciﬁcations of desired system behavior, which are used to guide the
veriﬁcation process.
Assertions can be checked both in simulation and formal veriﬁcation. Thus, a common
environment should be provided for both. The belief that formal veriﬁcation does not
need a testbench is a myth. This can be handled by using constraints. Constraints are
the required conditions for a veriﬁcation. They are used in the testbenches to model the
environment of a DUV. Therefore, constraints are used in simulation as generators of
stimuli [YAP10]. Assertion are checked in simulation usually as monitors of simulation
traces.
In contrary to the black-box testing approach, assertion-based approach adds assertions
that monitor internal points within the DUV. This avoids missing an internal error for
a given stimulus; and increases the observability of the design. Using assertions, it is
possible to detect when and where bug occurs and isolating bugs closer to the actual
source. Therefore, design teams save debug time since an engineer does not have to
backtrack through large simulation trace ﬁles and multiple blocks of logic to identify the
exact location of the bug. Experiences demonstrate that assertions can save up to 50
percent of debug time [ABG+00, Fos08].
In addition, assertions facilitate reusing Intellectual Property (IP) components. If the
IP component comes with the assertions that describe its interface behavior, it is much
easier to use this component inside the design environment. Additionally, the support
eﬀort required by the IP supplier company is reduced because assertions tell the users
when they are using the IP incorrectly.
Assertions that describe the system behavior can be veriﬁed using various formal
techniques in early stages of the design. Verifying the assertions, some design errors,
such as inconsistencies, may be captured early.
Another advantage of assertions is specifying correct behavior of the design unam-
biguously. Other engineers can review the assertions to understand the speciﬁcs of how
to interface with another block.
Furthermore, assertions formally document protocols, interfaces, and assumptions in
an unambiguous form that clariﬁes a designer’s interpretation of the speciﬁcation and
design intent [FKL03].
Assertions can be expressed using a temporal property language. In the following
sections, we review the veriﬁcation technology. Then, we consider the importance of the
assertion languages, and then, introduce two formal languages that are commonly used in
2.2 : Review of veriﬁcation technology
assertion-based veriﬁcation.
2.2 Review of veriﬁcation technology
Functional veriﬁcation approaches can be classiﬁed as being either dynamic (simulation)
or static (formal). Simulation is the ﬁrst veriﬁcation step, whereas static veriﬁcation is
based on mathematical proofs and plays a complementary and also very important role.
2.2.1 Simulation-based veriﬁcation
Simulation is the experimental process that mimics the dynamic behavior of a design
through time [Mil94]. Simulation-based veriﬁcation is applied to a representative subset of
variable values and behaviors of a circuit, to check if an implementation behaves correctly
with regard to its speciﬁcation [Kro99]. Actually, this approach is a testing approach:
the designer implements the circuit using HDLs, provides a testbench that instantiates
the design under veriﬁcation (DUV), applies the input vectors (simulation stimuli) to the
DUV one by one, and compares the outputs to the expected behavior.
Using this method, some errors may be masked due to the stimuli; they may appear
using another stimulus, or by running the simulation for a few more cycles. However,
verifying all the possible stimuli and all the internal properties of a design is not possible,
because of the exponential number of stimuli with respect to the number of inputs and
states.
Symbolic simulation is a way to speed up the simulation. The key idea of symbolic
simulation is representing the arbitrary input values by symbols using the mathematical
techniques. In contrast to conventional simulation, the symbolic simulation propagates
symbols. Symbolic simulation diﬀers from logic simulation since it builds Boolean expres-
sions instead of the scalar values, as a result of circuit simulation. In symbolic simulation,
the state space of a synchronous circuit is explored iteratively by means of symbolic expres-
sions. At each step of simulation a Boolean expression is assigned to each output signal
and present state signal. The simulation proceeds by deriving the appropriate Boolean
expression for each internal signal of the combinational part of the network, based on
the expressions at the inputs of each logic gate and the functionality of the gate. The
procedure is equivalent to propagating the symbolic expressions through a time-unrolled
version of the circuit, where the combinational part is duplicated as many times as there
are simulation steps.
Formal veriﬁcation is an alternative solution that uses mathematical proof to show
that an implementation conforms to its speciﬁcation for all time instances and all input
combinations. In the following, each veriﬁcation method is explained brieﬂy.
2.2.2 Formal veriﬁcation
The goal of formal veriﬁcation is considering formally if an implementation satisﬁes a
speciﬁcation. The term implementation refers to the design description that is to be
veriﬁed, while the term speciﬁcation refers to the design description or the property with
respect to which correctness is to be determined.
In formal veriﬁcation, both speciﬁcation and design descriptions are translated into
mathematical models. The degree of the conﬁdence obtained by formal veriﬁcation de-
9
Chapter 2 : Assertion-based Veriﬁcation
pends on the power of the underlying modeling formalism and the accuracy of the speci-
ﬁcations [Mil94].
The mathematical model can be expressed in various ways: data ﬂow graphs, process
algebras, ﬁnite state machines, temporal logic, and etc. A design can be modeled directly
using these formalisms, or these models can be extracted from the HDL description of a
design. Using the mathematical model of the circuit and its behavior, formal veriﬁcation
should prove that the design satisﬁes the speciﬁcation of its intended behavior through
mathematical proofs; it is veriﬁed if there is a relationship between the implementation
and the speciﬁcations. If there exists a design bug, formal veriﬁcation techniques produce
a counter-example to facilitate the debugging process.
Almost all the formal veriﬁcation techniques can be classiﬁed in one of two categories:
model-based or proof-theoretic.
The model-based techniques use a formalization based on propositional temporal logics
(see Section 2.2.2.3) or ﬁnite state machines (see Section 2.2.2.1) [Gup92, CBE+92]. The
algorithms are based on the brute-force exploration of the whole solution space. The
eﬀective data structures for propositional logic are decision diagrams (BMD, BDD, ...).
Alternatively, the problem can be converted to a Boolean satisﬁablility problem, and SAT
solvers can be used to determine if an interpretation of a system satisﬁes the given Boolean
formula. Model-based techniques can be categorized as checking the properties over the
design: model checking and checking if two implementations are equivalent: equivalence
checking.
The other family of formal veriﬁcation techniques are proof-theoretic methods that
are based on abstractions and hierarchical methods to prove the correctness of a system.
This method uses theorem prover software to provide support in reasoning and deriving
proofs about the speciﬁcations and the developed model of a design.
Based on the above discussion, having a formalism is inevitable. Temporal logics and
regular expressions specify a set of behaviors in a rigorous formalism. Almost all the
design veriﬁcation methods are essentially the process of deciding if the design behavior
conforms to the properties. Here, we ﬁrst introduce some notations and terminologies that
are required in formal veriﬁcation. Then, the concepts of regular expression and temporal
logic are reviewed. Finally, we review the various formal veriﬁcation methods.
2.2.2.1 Terminology and notations
A proposition is a statement that can be either true or false. An Atomic Proposition (AP)
cannot be broken into simpler propositions. In a circuit, APs include all the signals in the
design. Propositional formulas are composed from APs with Boolean connectives such as
conjunction, disjunction, and negation. The truth value of a propositional formula can be
calculated from the truth values of the atomic propositions that it contains.
A way of expressing a sequential system mathematically is to represent it as a Finite
State Machine (FSM).
The FSM is modeled by means of APs. So, it is possible to process it with Boolean
operations. We assume that the set of alphabet is B = {0, 1}. A state machine M can be
formally described by a 7-tuple M = (S, s0, F, I, O, δ,λ) as follows [DB95]:
• S is a power of B, and represents the set of states of the machine.
• s0 ∈ S represents the initial state of M .
2.2 : Review of veriﬁcation technology
• F is a subset of S, and represents the set of the ﬁnal states of the machine. F is
partitioned into a set of accepting states and a set of rejecting states; F = Accept∪
Reject.
• I is a power of B, and represents the set of inputs of the machine.
• O is a power of B, and represents the set of outputs of the machine.
• δ : S × I → S, δ represents the next state function. δi : S × I → B is the transition
function of the state variable si.
• λ : S × I → O, λ represents the output function. λi : S × I → B is the output
function of the variable oi.
Any state of the machine is binary encoded into some valuation of the state variables
of the model. Two states are equal of they are represented by the same valuation.
A machine conﬁguration is represented by a unique valuation c = (s, i, o) of the vari-
ables of the model, where s is the current state, and i is the input, such that o = λ(s, i).
If no ambiguity exists, an arbitrary conﬁguration associated to the initial state can be
denoted by c0 = s0.
A machine state s� is a successor of a machine state s, if and only if: ∃i ∈ I, s� = δ(s, i).
This relation can be denoted with the Succ predicate: Succ(s, s�).
A state path is a possibly inﬁnite sequence of machine states, (s0, s1, ..., sn, ...), such
that Succ(si, si+1). For a ﬁnite path (s0, ..., sn), the length of the path is n. Similarly, a
conﬁguration path is a possibly inﬁnite sequence of machine conﬁgurations (c0, c1, ..., cn, ...),
such that Succ(ci, ci+1).
A machine state sn is reachable if there is a ﬁnite path (s0, s1, ..., sn). In other words,
a reachable state is a state that is reachable for some input sequences from a given set of
possible initial states.
The set of the reachable states is deﬁned inductively as follows:
R0 = s0 (2.1)
Rn+1 = Rn ∪ {s�|∃s, s ∈ Rn ∧ Succ(s, s�)} (2.2)
The machine has a ﬁnite number of states; therefore, there exists a k such that Rk+1 =
Rk. Rk is the set of reachable states. It is the smallest ﬁxed point of (2.2).
2.2.2.2 Regular Expression
Here, the Regular Expressions (REs) are considered in the contexts of language theory,
and also system speciﬁcation.
Language theory viewpoint. Regular expressions deﬁne formal languages as sets of
strings over a ﬁnite alphabet. An alphabet, Σ, is a ﬁnite set of symbols that form words in
a language. For example the set {0, 1} is an alphabet. A string (word) over Σ is several
number, or zero, elements of Σ that are placed in order. For example, w = ”001” is a
string over Σ = {0, 1}. The null string, denoted by �, is always a string over Σ (no matter
what Σ is). For an alphabet Σ, Σ∗ shows the set of all possible strings over Σ. A language
over Σ, L(Σ) ⊂ Σ∗, is a set of strings over Σ. New languages can be constructed from
existing ones by applying these three operations: union, concatenation, and closure.
11
Chapter 2 : Assertion-based Veriﬁcation
Starting from the simplest possible languages, consisting a single string with length
1 or the � string, and then applying any combination of the above operators, regular
languages can be constructed. Regular languages can be recognized by FSMs. A string
w is accepted by state machine M inductively:
w = �, s1 = δ(s0, �), and s1 is an accepting state
w = �0�1 . . . �n−1, s1 = δ(s0, �0)
s2 = δ(s1, �1)
. . .
sn = δ(sn−1, �n−1), and sn is an accepting state
The language accepted or recognized by M , L(M), is the set of all strings w accepted
by M : for each string w there is a ﬁnite state path (s0, . . . , s|w|) such that s|w| ∈ Accept.
Regular languages can be described by formulas called Regular Expressions (REs).
Deﬁnition 1. RE. A regular expression over the alphabet Σ is deﬁned as follow:
1 ∅ is a regular expression that corresponds to the empty language ∅.
2 � is a regular expression that corresponds to the language {�}.
3 For each symbol l ∈ Σ, l is a regular expression corresponding to the language {l}.
4 For any regular expressions p ∈ L(p) and q ∈ L(q) over Σ (L(p) and L(q) are the
corresponding languages to p and q), each of the following is a regular expression:
4-1 pq: corresponds to the language L(p)L(q), and gives the concatenations of the
strings in the L(p) and L(q).
4-2 p+ q: corresponds to L(p) ∪ L(q).
4-3 p∗: corresponds to the language L∗(p)
Interpretation in the context of circuit speciﬁcation. Let P be a non-empty set
of atomic propositions. In practice it is the set of signal names in the speciﬁcation. The
set of all possible valuations of P is denoted Σ = 2P. An element of � ∈ Σ is called“letter”,
it is a valuation of all the propositions in P. A “word” w is a sequence of “letters”: in
practice it stands for the succession over time of the signal values, i.e. an execution trace.
For a ﬁnite or inﬁnite word w = �0�1�2... and integers i and j, w
i = �i is the (i+1)
th letter
of w; wi..j = �i�i+1 . . . �j is the ﬁnite word starting at �i and ending at �j; w
i... = �i�i+1 . . .
is the suﬃx of w starting at wi.
The semantics of a Boolean expression exp over P is the set of all the letters of Σ on
which exp takes value true. � � exp reads: “exp is true in �”, meaning that exp takes value
true if all its variables take their value as in �.
2.2.2.3 Temporal Logic
Temporal logic is a formal logic used to reason about sequences of events that describes
the design behaviors over time. Linear Temporal Logic (LTL) and Computational Tree
Logic (CTL) are the two types of temporal logics used in practice in circuit veriﬁcation
(there are many more). In LTL, operators are provided for describing system behavior
2.2 : Review of veriﬁcation technology
along a single computation path. LTL properties can be checked both in simulation and
formal veriﬁcation. CTL models behavior as execution trees, which can be only checked in
formal veriﬁcation. The building blocks of both logics are the atomic propositions. LTL
formulas are inductively deﬁned as follows.
Deﬁnition 2. LTL. All APs are LTL formulas; if p and q are LTL formulas, the followings
are also LTL formulas:
• !p: is true iﬀ p is false
• p ∧ q: is true iﬀ p and q are both true
• p ∨ q: is true iﬀ either p or q is true
• Xp: is true iﬀ p is true in the next step
• pUq: is true iﬀ p is true until q is true and q must be eventually true
• pWq: is true iﬀ p is true as long as q is not true, and q does not have to be true in
the future
There are also shorthand ways of expressing commonly used formulas: Fq (q becomes
true eventually) stands for trueUq, and Gp (p is always true) stands for !F !q.
CTL was ﬁrst proposed by Clark and Emerson as a branching-time temporal logic
[CE82]. CTL formulas are composed of path quantiﬁers and temporal operators. The
path quantiﬁers are used to describe the branching structure in the computation tree.
There are two path quantiﬁers:
• A:“for all” paths,
• E: there “exists” a path or for “some” paths
There are four basic temporal operators in CTL:
• X: next time
• F : eventually or in the future
• G: always or globally
• U : until
In CTL, every quantiﬁer is followed by a temporal operator. Therefore, there are
eight basic CTL operators. Using the relations between the path quantiﬁers and temporal
operators, each of the eight basic CTL operators can be expressed in terms of only three
operators: EX, EG, and EU [LT10].
2.2.2.4 Model checking
The model checking technique was originally developed in 1981 by Clarke, Emerson, and
Sifakis [CE82, Sif82]. Model checking is an automatic technique for verifying ﬁnite-state
reactive systems, such as sequential circuit designs and communication protocols. The
requirements of model checking are a model of the system, a temporal logic framework,
and a model checking procedure. Brieﬂy, model checking has the following steps:
13
Chapter 2 : Assertion-based Veriﬁcation
1 Modeling the system as a state-transition graph, in which nodes are the states of the
system and the edges are the transitions of the system.
2 Expressing the system speciﬁcation, which may initially be in a natural language,
in temporal logic
3 Verifying if the model satisﬁes the properties: the model checker will terminate with
the answer true, if the model satisﬁes the speciﬁcation, or give a counterexample
that shows why the formula is not satisﬁed.
The properties are generally safety and liveness properties. Safety means that nothing
bad ever happens. In this case, the veriﬁcation problem is a reachability problem: ﬁnding
a trace which violates the property. Liveness means a good thing eventually happens;
the veriﬁcation problem is cycle detection: ﬁnding a run in which the “good thing” is
postponed indeﬁnitely.
Model checking can be done explicitly where all the state space is enumerated. State
space describes all the possible behaviors of the model. Therefore, it is impossible to handle
very large examples because there is an exponential relationship between the number of the
states and the number of memory elements in a system. The complexity of the algorithms
grows exponentially with the number of memory elements in a system. This problem is
called the state space explosion problem.
Model checking can also be done implicitly, by representing the state space with spe-
cial symbolic data structures such as BDDs. Implicit (symbolic) model checking, is usu-
ally more powerful. Recently, by the application of propositional satisﬁability (SAT)
[Cim08] solving techniques, model checking has been considerably enhanced. Bounded
Model Checking (BMC) is a model checking approach that uses SAT methods on a ﬁnite
number of cycles. In the rest of this section, various model checking methods are explained
brieﬂy.
Enumerative model checking
The enumerative method uses an explicit representation of the states. To prove the
properties, ﬁrst a global state machine that represents the combined behavior of all the
components of the system should be constructed. Then, through explicit state search and
checking one state at a time, model checkers search for a trace falsifying the speciﬁcation.
If there is such trace, the property does not hold.
The model checking algorithms for LTL and CTL are diﬀerent; the computational
complexity of CTL model checking is polynomial, while it is exponential for LTL. Let
|M| be the size of the system model in terms of state space and |ϕ| indicate the size
of the speciﬁcation (the total number of propositions, logical connectives, and temporal
operators). Then the model checking algorithm for CTL runs in time O(|M||ϕ|) [CES86],
while for LTL it runs in time |M|·2O(ϕ) [OLP85]. This is because CTL is state-based (i.e.
reasoning over states in time), and this set of states is easily converted into an automaton,
whereas the path-based model of LTL (where many possible paths may pass through a
single state) must be expanded.
Symbolic model checking
Symbolic model checking is an alternative approach to enumerative model checking that
operates on sets of states instead of individual states [McM93]. In contrast to the enumer-
2.2 : Review of veriﬁcation technology
ative model checking that considers one state in each step, this considers a set of states
(a symbol) in each step. Initially, Binary Decision Diagram (BDD) was the only method
used to realize symbolic model-checking systems, and symbolic model checking had been
synonymous with BDD-based model checking. The overall approach in BDD-based sym-
bolic model checking is to represent state sets and the transition relation of the FSM as
BDDs and realize the state traversal algorithms through suitable Boolean operations on
these BDDs [PH09]. The complexity of symbolic model checking is the complexity of
BDD operations, and its eﬃciency highly depends on the state space representation.
Bounded model checking
Bounded model checking was introduced by Biere et al. in [BCC+99]. It is based on
satisﬁability (SAT) methods. The method is mainly used for design error detection instead
of an approach for a full correctness proof. The essential idea for verifying a property on
a ﬁnite transition system is to search for a counter examples in the space of all executions
of the system whose length is bounded by some integer k. There are two steps in bounded
model checking: 1) encoding the sequential behavior of a transition system over a ﬁnite
interval as a propositional formula, and 2) using a propositional decision procedure, i.e.
a satisﬁability solver, to either obtain a satisfying assignment or to prove there is none.
Brieﬂy, the transition relations are unrolled symbolically up to k times steps. Then, the
checking problem is reduced to show satisﬁability of an expression using SAT solvers.
Bounded model checking has been implemented by many commercial tools; PROVER[Bor97],
SATO[Zha97], GRASP[MS95], EBMC[EBM], SATRennesPA[SAT],MiniSAT[MIN],MaxSAT[MJML14],
and Z3[MB08] are some examples of SAT solvers.
Language containment
Language containment treats the property and the design as two ﬁnite state automata.
Then, it is veriﬁed if the formal language of the property automaton contains the formal
language of the design automaton. In fact, model checking of properties in LTL is modeled
as a language containment problem.
2.2.2.5 Equivalence checking
Equivalence checking is a model-based method that checks if two descriptions of a design
specify the same behavior, which means that they produce identical output sequences for
all valid input sequences. These descriptions can be in diﬀerent abstraction levels.
There are three basic approaches for combinational equivalence checking: structural,
functional, and random simulation. The structural methods look for a counter-example,
and they are usually implemented using SAT solvers. Similarly, random simulation looks
for a counter-example by random search. Functional methods are based on a canonical
function representation. BDDs are widely used for functional methods.
General methods for sequential equivalence require the reachable states of both designs
to be computed and their corresponding outputs compared at each equivalent pair of
states. It is required to explore the state space of the circuits. However, performing such
a traversal is computationally expensive, and has the state space explosion problem, the
main disadvantage of this method. However, the equivalence checking tools provide a high
degree of automation.
15
Chapter 2 : Assertion-based Veriﬁcation
2.2.2.6 Theorem proving methods
Theorem proving approach is used where the veriﬁcation problem is described as a theorem
in a formal theory: both the design and the properties are expressed as formulas using
mathematical logic. A formal theory consists of a language in which the formulas are
written, a set of axioms, and a set of inference rules, which are the transformation rules
for the formulas. These rules together with the axioms are used for proving the theories.
A property is proved if it can be derived from the design in a logical system of axioms
and a set of inference rules.
Theorem proving is a very strong veriﬁcation method, since the formal theory can
support reasoning at all the levels of abstraction. In addition, it supports a powerful
proof technique such as induction, and allows the direct veriﬁcation of parametric designs
without having to instantiate the parameters. However, the main disadvantage is that in
contrast to all the previously mentioned methods, the veriﬁcation process is not totally
automatic. Theorem provers require detailed and explicit human guidance even for rela-
tively simple problems. Therefore, these methods need a deep understanding of the design
and formal proofs.
Although, this approach seems impractical, there are several successful real case studies
such as Motorola MC68020 microprocessor object code [BY96], the AMD K86’s division
algorithm [KMB97], and the SRT division algorithm [CGZ99].
Logic for Computable Functions (LCF) [Mil72], Higher-Order Logic (HOL) [Gor88],
Otter [McC03], Prototype Veriﬁcation System (PVS) [ORS92], and ACL2 [KM96] are some
examples of theorem provers.
2.3 Assertion languages
As was discussed earlier in this chapter, all the formal methods, and also assertion-based
veriﬁcation need a formal speciﬁcation of the design. In addition, it is necessary to have an
approach in order to communicate with the designer and understand the design structure
and its functionality. There are various approaches to achieve these requirements. For in-
stances, schematics have been used to specify the structure, programming languages have
been used to specify the behavior, and timing diagrams involving waveforms have been
used to specify timing information. In all of these types of speciﬁcations, the natural lan-
guage is used [Mil94]. However, describing the behavior informally is usually ambiguous,
incomplete, and hard to analyze. Moreover, there is always the risk that some scenarios
and properties are not covered or considered.
A formal speciﬁcation is a concise and abstract description of the behavior and prop-
erties of a system written in a mathematically based-language, stating what a system is
supposed to do. So, speciﬁcations are written in a language with a well-deﬁned semantics
that supports formal deduction.
Our focus is on assertions, which state properties that can be used both in simulation
and formal veriﬁcation. Some of the requirements for the assertion languages are the
following [Mil94]:
• The ability to represent the structure
• The ability to represent the concurrent and sequential behaviors
• Supporting hierarchical design
2.3 : Assertion languages
• The ability of presenting a design in diﬀerent abstraction levels
• The ability of mixing the design description of diﬀerent abstraction levels
• Supporting the simulation and veriﬁcation techniques by the presence of an under-
lying formal system giving a semantics and the language syntax
Not long ago most veriﬁcation activities were performed using Hardware Description
Languages (HDLs). HDLs include constructs that support assertion speciﬁcation. For
instance, VHDL includes a keyword“assert”that enables designers to embed some checkers
to model description code. This language construct expresses that the associated user-
speciﬁed condition should evaluate to true. Figure 2.1 shows a VHDL assertion that ﬁres
when (not req and gnt) evaluates to true.
assert not (not req and gnt ) report ”Grant r e c e i v ed without any reque s t ”
severity f a i l u r e ;
Figure 2.1: A VHDL assertion example
However, HDLs are not appropriate speciﬁcation formalism for the formal veriﬁca-
tion techniques. As the veriﬁcation problem began to grow, High Level Veriﬁcation
(HLV) languages emerged. Multiple veriﬁcation oriented languages such as IBM Sugar
[BBDE+01], Motorola CBV [AAH+03], Intel ForSpec [AFF+02], Synopsys Open Vera
Assertion (OVA) [OVA], Open Veriﬁcation Library (OVL) [OVL], System Verilog As-
sertion (SVA) [SMB+05], and Property Speciﬁcation Language (PSL) [FG05] have been
developed.
Here, we review the PSL and SVA assertion languages, particularly useful for their
deep embedding in the VHDL and SystemVerilog HDLs.
2.3.1 Property Speciﬁcation Language (PSL)
Property Speciﬁcation Language (PSL) [FG05] is the standardization by Accelera, then
by IEEE, of the Sugar property language originally developed by IBM [BBDE+01]. Like
Sugar, it includes and extends with more concise operators, both LTL and CTL.
A speciﬁcation written in PSL is both easy to read and mathematically precise, which
makes it ideal for both documentation and veriﬁcation. PSL can be used both in sim-
ulation and formal veriﬁcation. Unlike the SystemVerilog assertion construct, which are
used predominantly during RTL implementation, the PSL property language is suited for
specifying architectural properties before and during RTL implementation.
PSL comes in four ﬂavors, one for each of the hardware description languages Sys-
temVerilog, Verilog, VHDL, and GDL. The syntax of each ﬂavor conforms to the syntax
of the corresponding HDL.
The properties that are expressed using PSL are generally safety and liveness prop-
erties. For example, the property “whenever signal req is asserted, signal gnt is asserted
within 4 cycles” is a safety property; and, the property “whenever signal req is asserted,
signal gnt is asserted sometime in the future” is a liveness property.
A PSL property consists of four layers: Boolean, temporal, veriﬁcation, and modeling
(see Fig. 2.2). Here, each layer is introduced brieﬂy.
17
Chapter 2 : Assertion-based Veriﬁcation
Boolean layer
Temporal layer
SERE FL
LTL-based
OBE
CTL-based
Veriﬁcation layer
Modeling layer
Figure 2.2: PSL layers
2.3.1.1 PSL Boolean layer
This layer speciﬁes propositions, or expressions over design and auxiliary signals that
evaluate to true or false in a single evaluation cycle. The expressions are written in the
HDL that describes the design. This is equivalent to a condition being evaluated within
an if statement in Verilog or VHDL. Additionally, PSL provides a number of predeﬁned
functions. There are two classes of built-in functions: the ﬁrst group including prev,
next(), stable(), rose(), and fell() deal with the value of the expression over time. The
second group including isunknown(), countones(), and onehot() deals with the values of
bits in a vector at a given instant. For example, prev takes an expression of any type as
argument and returns a previous value of that expression. As another example of the ﬁrst
group, consider rose(): it takes a Bit expression as argument and produces a Boolean
result that is true if the argument’s value is 1 at the current cycle and 0 at the previous
cycle. As an example of the second group, the countones() function takes a BitVector as
argument. It returns a count of the number of bits in the argument that have the value 1.
2.3.1.2 PSL temporal layer
The temporal layer is the heart of PSL. The temporal layer is used to deﬁne properties
that describe the behavior of the design or environment over time. It is used to describe
the temporal behaviors built up with Boolean layer propositions and temporal operators.
This layer consists of both properties that use linear semantics (LTL-based) as well as
those that use branching semantics (CTL-based). The LTL-based subset includes the
Foundation Language (FL) and Sequential Extended Regular Expression (SERE), while
the CTL-based subset includes the Operational Branching Extension (OBE) (see Fig. 2.2).
FL and OBE cannot be mixed in one property.
Properties with linear semantics reason about computation paths in a design and can
be checked in simulation, as well as in formal veriﬁcation. Properties with branching
semantics reason about computation trees and can be checked only in formal veriﬁcation.
Here, we just consider the properties with linear semantics.
2.3 : Assertion languages
Sequential Extended Regular Expressions (SEREs)
Sequential Extended Regular Expression (SERE) is an extension to RE introduced in
Section 2.2.2.2. SEREs describe single- or multi-cycle behavior built from a series of
Boolean expressions. The most basic SERE is a Boolean expression. A SERE enclosed in
braces is another form of a sequence. A SERE is not a property on its own; it is a building
block of a property; properties are built from temporal operators applied to SEREs and
Boolean expressions. Table 2.1 gives the description of the SERE operators. In this table,
s represents a sequence, and b represents a Boolean.
The SERE operators can be categorized as follow:
1 Simple SERE: represent a single thread of subordinate behaviors, occurring in suc-
cessive cycles. This subset of SEREs consists of the ‘;’ and ‘:’ operators.
2 Compound SERE: represent a set of one or more threads of subordinate behaviors,
starting from the same cycle, and occurring in parallel. This subset of SEREs
consists of the ‘|’, ‘&’, “&&”, and within operators.
Here, we introduce some terms that relate to SEREs:
• hold tightly : Satisfaction of a SERE on a ﬁnite path requires an exact match, and
is referred to as the SERE holds tightly on the ﬁnite path. For example, SERE1 (see
Fig 2.3) holds tightly on a path iﬀ the path is of length six, where req is true in the
ﬁrst cycle, busy is true in cycles �2, �3, �4, �5, and gnt is true in cycle �6.
• hold : A weak sequence holds on a path iﬀ the corresponding SERE holds tightly on
an extension or on a preﬁx of the path. A strong sequence holds on a path iﬀ the
corresponding SERE holds tightly on a preﬁx of the path [FKL03]. For example,
SERE1 holds if req holds on the one-cycle path. SERE2 is the strong form of SERE1.
SERE2 does not hold in the one-cycle path. SERE2 holds, if req is followed by 4
repetitions of busy, which is followed by gnt.
• start : A sequential expression starts at the ﬁrst cycle of any behavior for which it
holds. In addition, a sequential expression starts at the ﬁrst cycle of any behavior
that is the preﬁx of a behavior for which it holds. For example, if req holds at cycle
�1 and busy holds from cycle �2 to cycle �5, and gnt holds at cycle �6, then the
sequential expression SERE1 starts at cycle �1.
• completes : A sequential expression completes at the last cycle of any design behavior
on which it holds tightly. For example, SERE1 completes at cycle �6 (see Fig. 2.3).
For ﬁnding out more about the formal syntax and semantics, refer to IEEE manual of
PSL [FG05].
Foundation Language (FL)
The Foundation Language (FL) of PSL is LTL that is extended with SERE [FG05]. A
PSL FL property can be compiled down to a LTL formula, possibly with some auxiliary
HDL code. FL properties, describe single- or multi-cycle behavior built from Boolean ex-
pressions, sequential expressions, and subordinate properties. The most basic FL property
is a Boolean expression. An FL Property enclosed in parentheses is also an FL property.
19
Chapter 2 : Assertion-based Veriﬁcation
Table 2.1: Deﬁnition of the SERE operators
SERE operator Name Description
s1; s2 concatenation s2 starts one cycle after s1 com-
pletes
s1 : s2 fusion s2 starts in the cycle that s1 com-
pletes
[∗n] count consecutive rep-
etition
skips n cycles
[∗] consecutive repetition skips 0 or more cycles
[+] consecutive repetition skips 1 or more cycles
s[∗n] count consecutive rep-
etition
s repeats n times consecutively (n
concatenations of s)
s[∗] consecutive repetition s repeats 0 or more times consec-
utively
s[+] consecutive repetition s repeats 1 or more times consec-
utively
s[∗m to n] consecutive repetition s repeats between m and n times
consecutively
b[= n] nonconsecutive repeti-
tion
b repeats n times, not necessarily
consecutively
b[= m to n] nonconsecutive repeti-
tion
b repeats between m and n times
b[–>n] Goto repetition b repeats n times, the last b oc-
curs at the end of the path
b[–>m to n] Goto repetition Boolean repeats betweenm and n
times, the last b occurs at the end
of the path
s1 | s2 or holds if either s1 or s2 holds
s1 & s2 non-length-matching
and
s1 and s2 hold at the point of
observation, they have the same
starting point, and may complete
in diﬀerent cycles
s1 && s2 length-matching and s1 and s2 hold at the point of
observation, they have the same
starting point, and should com-
plete in the same cycles
s1 within s2 s2 contains s1, s2 holds at the
point of observation, s1 starts at
or after the cycle in which s2
starts; s1 completes at or before
the cycle in which s2 completes
s1 |–>s2 suﬃx implication s2 starts at the ending cycle of s1
s1 |=>s2 suﬃx next implication s2 starts the cycle after the end-
ing cycle of s1
2.3 : Assertion languages
0 1 2 3 4 5 6 7
hold
start
hold
hold
com
plete
SERE1: {req}| => {busy[∗4]; gnt}
clock
req
busy
gnt
0 1 2 3 4 5 6 7
hold
start
pending
pending
pending
pending
com
plete
SERE2: {req}| => {busy[∗4]; gnt}!
clock
req
busy
gnt
Figure 2.3: The trace for property SERE1 and SERE2
21
Chapter 2 : Assertion-based Veriﬁcation
FL properties can be connected using the logical unary (not), binary (or and and), and
implication operators and generate more complex FL formulas. In addition to the logical
operators, more complex FL properties are built from Boolean expressions, sequential ex-
pressions, and subordinate properties using various temporal operators. These operators,
consistent to the VHDL ﬂavor of PSL, are shown in Table 2.2. In this table, p represents
an FL property, and b represents a Boolean.
Table 2.2: Deﬁnition of the FL temporal operators (in VHDL ﬂavor)
FL operator Description
eventually! p p holds eventually (it holds some time in the
future)
always p p must hold at all times
p abort b p holds unless b evaluates to true ﬁrst
never p p must never hold
next(p) p holds in the next cycle
next[n](p) p holds n cycles later
next a[m to n](p) p holds in all the cycles in the range
next e[m to n](p) p holds in at least one cycle in the range
next event(b)[n](p) p holds at the nth occurrence of b
next event a(b)[m to n](p) p holds in all the cycles in the speciﬁed range
of occurrences of b
next event e(b)[m to n](p) p holds in at least once in range of occur-
rences of b
p1 until p2 p2 holds up to the cycle p2 holds (exclusive)
p1 until p2 p1 holds up to and including the cycle p2
holds (inclusive)
p1 before p2 p1 holds before p2 holds (exclusive)
p1 before p2 p1 holds before and at the same cycle as p2
holds (inclusive)
In this table, eventually! and abort are strong operators, and all the other operators
are weak operators. Strong operators require the ending condition to eventually occur,
while the weak operators do not. Each of the weak operators that are listed in Table 2.2,
except for always has a strong version with the indicator ‘!’ appended to its keyword.
The FL operators can be categorized as the following groups:
1 Simple FL properties include the always, never, eventually!, and next! operators.
2 Extended next FL properties include the next a, next e, next event, next event a,
and next event e operators.
3 Compound FL properties include the abort, before family, and until family op-
erators.
4 Sequence-based FL properties include the suﬃx implication and suﬃx next impli-
cation operators.
5 Logical FL properties include the logical implication, logical iﬀ, and, or, and not
operators.
2.3 : Assertion languages
0 1 2 3 4 5
hold
pending
pending
pending
fail
P1: always(req –> next a![1 to 4](busy))
clock
req
busy
0 1 2 3 4 5
hold
pending
pending
pending
pending
P2: always(req –> next a[1 to 4](busy))
clock
req
busy
Figure 2.4: The diﬀerence between PSL weak and strong operators
6 LTL operators
PSL deﬁnes four levels of satisfaction of a property [FG05]
• holds strongly : 1) no bad states have been seen, 2) all future obligations have been
met, and 3) the property will hold on any extensions of the path
• holds : 1) no bad states have been seen, 2) all future obligations have been met, and
3) the property may or may not hold on any given extensions of the path
• pending : 1) no bad states have been seen, 2) future obligations have not been met,
and 3) the property may or may not hold on any extensions of the path
• fails : 1) a bad state has been seen, 2) future obligations may or may not have been
met, and 3) the property will not hold on any extensions of the path
A property that is deﬁned with a weak operator holds if the computation path is
truncated inappropriately before the expected cycles or events can happen. For example,
consider property P2 and its simulation trace in Fig. 2.4. If the simulation stops at cycle
�4, the property holds, but not strongly. If the simulation continues and busy remains
high, P2 holds strongly at cycle �6.
The strong operators demand that the property holds unconditionally. As an example,
property P1 (see Fig. 2.4) fails if the simulation stops at cycle �4.
In this work we focus on the temporal layer of PSL. At the end of this section, we
will introduce a simple subset of PSL, PSLsimple, that we can deal with in our synthesis
method.
23
Chapter 2 : Assertion-based Veriﬁcation
2.3.1.3 PSL veriﬁcation layer
The veriﬁcation layer tells the veriﬁcation tools what to do with the properties described
by the temporal layer. In addition, the veriﬁcation layer provides constructs that group
related directives and other PSL statements.
Veriﬁcation directives
There are seven veriﬁcation directives: assert, assume, assume guarantee, restrict,
restrict guarantee, cover, and fairness. Here, some veriﬁcation directives are ex-
plained.
• The assert directive: tells the veriﬁcation tool to verify that a property holds.
• The assume directive: tells the veriﬁcation tool to constrain the veriﬁcation (e.g.,
the behavior of the input signals) so that a property holds. Assumptions are often
used to specify the operating conditions of a property by constraining the behavior
of the design inputs.
• The cover directive: tells the tool to indicate if a property has been exercised by
the test inputs or given constraints.
The other directives are meaningful in the context of formal veriﬁcation only, and are not
recalled here.
Veriﬁcation units
PSL statements can be used individually in the code, or they can be grouped into the
veriﬁcation units. There are three types of veriﬁcation units: vprop, vmode, and vunit.
vprop groups assertions to be veriﬁed. vmode groups the constraints with the assume/
restrict directives. Finally, vunit combines the two, which enables grouping assertions
and assumptions together. Veriﬁcation units may also contain modeling layer constructs
that are used by the assertions or constraints. In addition, a veriﬁcation unit can inherit
other veriﬁcation unit by using the inherit statement [EF06].
2.3.1.4 PSL Modeling layer
The modeling layer makes it possible to model the behavior of design inputs, and to
declare and give behavior to auxiliary signals and variables. The modeling layer enables
writing some extra code from the underlying language to model auxiliary combinational
signals, state machines etc. that are not part of the actual design but are required to
express the property concisely. For example, the modeling layer could be used to provide
an input. The Verilog (VHDL) ﬂavor of the modeling layer consists of the synthesizable
subset of Verilog (VHDL) [FG05].
Figure 2.5 shows the four layers of a PSL property that have been discussed.
2.3 : Assertion languages
wire req;
req = req0 or req1;
assert always ( req -> next_a[1 to 4](busy and not gnt) )
Modeling layer
Veriﬁcation layer
Temporal layer
Boolean layer
{
Figure 2.5: Diﬀerent layers of a PSL property
2.3.1.5 PSL simple subset (PSLsimple)
PSL can express properties that cannot be evaluated in simulation, where time advances
monotonically along a single path, although such properties can be addressed by formal
veriﬁcation methods. The simple subset of PSL, PSLsimple, is a subset that conforms to
the notion of monotonic advancement of time, left to right through the property, which
ensures that properties within the subset can be simulated easily. Any FL property in the
simple subset should meet all of the following conditions [FG05]:
• The operand of a negation operator is a Boolean.
• The operand of a never operator is a Boolean or a sequence.
• The operand of an eventually! operator is a Boolean or a sequence.
• The left-hand side operand of a logical and operator is a Boolean.
• The left-hand side operand of a logical or operator is a Boolean.
• The left-hand side operand of a logical implication (–>) operator is a Boolean.
• Both operands of a logical iﬀ (<–>) operator are Boolean.
• The right-hand side operand of a non-overlapping until operator (until and until!)
is a Boolean.
• Both operands of an overlapping until operator (until and until !) are Boolean.
• Both operands of the before family operators are Boolean.
All other operators not mentioned above are supported in the simple subset without re-
striction. In particular, all of the next event operators and all forms of suﬃx implication
are supported in the simple subset.
2.3.2 System Verilog Assertion (SVA)
SystemVerilog [SMB+05] has integrated a set of constructs that helps to specify a system
behavior using assertions. SystemVerilog assertions are part of the language, which means
that they can be used inline with other language constructs. SVA was deﬁned at the same
time as PSL, also based on the concepts and semantics of Sugar, restricted to SEREs.
With a diﬀerent syntax, it shares most of its basic primitives with PSL.
25
Chapter 2 : Assertion-based Veriﬁcation
SystemVerilog assertions are either immediate or concurrent.
Immediate assertions follow simulation event semantics for their execution. They de-
scribe a design behavior at an instant of time. An immediate assertion is evaluated
whenever the value of a variable in the expression changes. These assertions are executed
like a statement in a procedural block. Immediate assertions are an easy way to create an
assertion and are generally used with simulation.
Concurrent assertions are based on clock semantics and use sampled values of variables.
They specify a design behavior over a period of time. Concurrent assertions are associated
with clock edges. A concurrent assertion is evaluated right before the clock edge, and any
timing or event behavior between clock edges is ignored. A concurrent assertion can occur
within a procedural block or within a module.
This section provides an overview of SystemVerilog Assertion (SVA).
2.3.2.1 Operators
Table 2.3 shows the SystemVerilog operators and their descriptions. The SystemVerilog
operators are available for relating Boolean and vector expressions within sequence and
property deﬁnition [FKL03]. A SystemVerilog sequence is often described using regu-
lar expressions. The sequence operators that are deﬁned for SystemVerilog allow us to
compose expressions into temporal sequences. These sequences are the building blocks of
properties and concurrent assertions [FKL03].
As is shown in Table 2.3, the repetition counts and temporal delay can be speciﬁed as
either a range or a single constant expression.
2.3.2.2 Veriﬁcation directives
Property directives deﬁne how to use properties (and sequences) for speciﬁc works. SVA
has three veriﬁcation directives: assert, assume, and cover. These directives are similar
to the assert, assume, and cover veriﬁcation directives of PSL (see Section 2.3.1.3).
2.3.2.3 Built-in functions
Assertions are commonly used to evaluate certain speciﬁc characteristics of a design imple-
mentation, such as whether a particular signal is onehot. The following system functions
are included to facilitate this common assertion functionality:
• $onehot(): returns true when exactly one bit of a multi-bit expression is one.
• $onehot0(): returns true when zero or one bit of a multi-bit expression is one.
• $stable(): returns true when the previous value of the expression is the same as
the current value of the expression.
• $rose(): returns true when an expression was previously zero and the current value
is one.
• $fell(): returns true when an expression was previously one and the current value
is zero.
2.3 : Assertion languages
Table 2.3: Deﬁnition of the SVA operators
SVA operator Name Description
s1[∗m : n] consecutive repetition repetition of s1 n times, or be-
tween n to m times
s1[= m : n] nonconsecutive repeti-
tion
s1 repeats betweenm and n times
s1[–>m : n] Goto repetition s1 repeats between m and n
times, the last cycle of s1 occurs
at the end of the path
s1##[m : n] s2 temporal delay concatenation of s1 and s2 with
a delay between m and n
not p1 logical not inverts the result of the evaluation
of p1
s1 and s2 and is similar to the non-length-
matching and of PSL
s1 intersect s2 intersection is similar to the length-matching
and of PSL
s1 or s2 or Either s1 or s2 occurs
if (exp) p1 else p2 condition based on the evaluation of expr,
evaluates property p1 or p2
b throughout s1 Boolean until b must be true until sequence s1
completes
s1 within s2 within s2 contains s1, s1 and s2 must
occur, the length of s1 should be
less than or equal than/to the size
of s2, and s1 may start later than
s2
s1.ended ended is true if sequence s1 completes
at this time
s1.matched matched (from diﬀer-
ent clock domains)
is true is sequence s1 (on another
clock) completes at this time
first matched(s1) ﬁrst match is true in the ﬁrst completion of
s1
s1|–> p1 overlapping implica-
tion
if s1 occurs, p1 must occur start-
ing at the ending cycle of s1
s1|=> p1 non-overlapping
implication
if s1 occurs, p1 must occur start-
ing the cycle after the ending cy-
cle of s1
27
Chapter 2 : Assertion-based Veriﬁcation
2.4 Summary
In this chapter, the importance of the veriﬁcation and its role in today’s design process
is discussed. The dynamic and static veriﬁcation techniques are introduced. Although
dynamic veriﬁcation is often the ﬁrst step of verifying a circuit, it is not exhaustive. Static
veriﬁcation is an alternative approach to verify all the possible scenarios of a system and
prove its correctness using mathematical proofs. Generally, formal methods are either
based on theorem proving or based on the model of the system (model-based techniques).
A design methodology that is becoming popular is assertion-based veriﬁcation that ben-
eﬁts of both dynamic and static methods. It uses assertions that can be simulated and
also provide a path to formal veriﬁcation. An assertion language is required to specify the
system behavior concisely and unambiguously. In this chapter two assertion languages
are introduced: PSL and SVA. The core of both languages is temporal logic. However
they are diﬀerent in some aspects. PSL is divided into the FL and OBE. SVA is a linear
temporal logic that can be compared to the FL of PSL, while SVA does not have most of
the FL operators. In the rest of the document, only PSL will be used as input speciﬁcation
language. Yet the methods developed in the thesis are applicable to SVA as well.
Chapter3
State of the art
Contents
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.2 Property synthesis as monitors . . . . . . . . . . . . . . . . . . 30
3.2.1 The automaton-based approach . . . . . . . . . . . . . . . . . . 30
3.2.2 The modular approach . . . . . . . . . . . . . . . . . . . . . . . 32
3.3 Property synthesis as correct-by-construction circuits . . . . 34
3.3.1 The automaton-based approach . . . . . . . . . . . . . . . . . . 35
3.3.2 The modular approach . . . . . . . . . . . . . . . . . . . . . . . 37
3.3.3 Synthesizing from Regular Expressions . . . . . . . . . . . . . . 38
3.4 Existing tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
29
Chapter 3 : State of the art
3.1 Introduction
In this chapter we review some works in the area of assertion-based veriﬁcation and design.
In Section 3.2 the existing methods, modular and automaton-based, for synthesizing
checkers are considered. Section 3.3 reviews the related works in synthesizing a design, a
correct-by-construction circuit, from its formal speciﬁcation.
Finally, the existing tools for automatically generating the checkers or synthesizing a
design from its speciﬁcations are introduced in Section 3.4.
3.2 Property synthesis as monitors
A monitor surveys the state of the design during simulation. It observes the signals that
are operands in a property, and outputs the status of the property. Therefore, all the
operand variables are inputs of the monitor. Monitors are generated either in a modular
way or from automata. Here, each of these methods is explained.
3.2.1 The automaton-based approach
In this method all the simulation traces are considered as the words of a language built
over the alphabet Σ of all the possible combinations of values of the design variables
(each valuation is a letter of Σ). Monitors are ﬁnite state machines that accept or reject
certain simulation traces. Some states in the monitor are initial states, some of them are
accepting states, and some of them are rejecting states. A simulation trace that drives
the monitor into an accepting state exhibits a good behavior. In the automaton-based
method, monitors use the “language-theoretic” concept to analyze the formal languages.
The automaton’s transitions are labeled with letters from the alphabet. A state may have
several outgoing transitions labeled with the same letter. A word runs over the automaton
by starting from all initial states, following the transitions that correspond to the sequence
of letters in the word. Since each state may have several outgoing transitions labeled with
the same letter, there may be several paths for a word. In the case of Regular Expression
(RE), if the ﬁnal state on any of the paths is an accepting state, then the word is accepted.
For Linear Temporal Logic (LTL), a word is accepted if it has an accepting state. If a
word is not accepted, then it is rejected. However, it is hard to trace multiple paths, and
testing the automaton accepting the condition for LTL is very diﬃcult. To solve these
problems, the automaton needs to be deterministic which means having one initial state,
and each state has just one successor state for any letter.
The construction of language-recognizing automata for REs and LTL has a long history.
Early RE to automata translations were given in [MY60] and [Tho68]. LTL to automata
translation was considered in [WVS83]. The method is a tableau-based approach, in
which the satisfaction of a temporal formula is decomposed both logically (across Boolean
connectives) and temporally (obligations in the next time). However the tableau-based
approach has some limitations. As an example, consider the negation of an RE. To
negate an RE, its Non-deterministic Finite Automaton (NFA) should be constructed and
should be converted to a Deterministic Finite Automaton (DFA). The negated RE is
then constructed by complementing the DFA. Therefore, tableau-based approaches are
not suitable for constructing the DFA of a negated RE.
3.2 : Property synthesis as monitors
Sidhu and Prasanna presented a hardware implementation of RE matchers for FPGA
[SP01]. This approach uses the method of McNaughton-Yamada [MY60] for constructing
NFAs from REs. In the proposed method, the actual NFA construction can be performed
in hardware. Moreover, the Self-Reconﬁgurable Gate Array (SRGA) can be reconﬁgured
automatically in real time to match the pattern of a new expression.
Floyd and Ullman worked on synthesizing REs into integrated circuit for hardware
RE matching [FU82]. A regular expression can be converted into a NFA. Instead of
converting the NFA to a DFA, two methods are proposed for direct implementation of
the NFA. One approach is based on producing a Programmable Logic Array (PLA).
The PLA has approximately n rows and 2n columns, where n is the number of RE’s
operands. The states of the NFA are represented by the columns. Another approach is
using McNaughton-Yamada algorithm to produce automata from REs. The hierarchical
structure of these automata can guide the layout structure of the circuit. The experimental
results show that the area of the generated circuit grows linearly with the size of the regular
expression.
Both works in [FU82] and [SP01] implement NFAs in hardware to perform RE match-
ing. However, the intersection and complementation operators in REs are not supported.
Since the standardization of Property Speciﬁcation Language (PSL), several works
have been done to convert PSL to automata [GHS03, GG05, BFH05, CRST06]. Some of
them propose a two-step conversion: 1) encoding the PSL property into an Alternating
Bu¨chi Automaton (ABA)1; 2) converting the ABA into a Non-deterministic Bu¨chi Au-
tomaton (NBA) with variants of Miyano-Hayashi’s construction [MY60]. In practice, such
approaches are ineﬃcient because of the conversion time.
Gordon et al. have modeled PSL in higher order logic for the HOL theorem prover
[GHS03]. HOL can also be used to produce a DFA from a PSL expression. The DFA can
be used to process a simulation trace in HOL to evaluate if a ﬁnite trace satisﬁes a PSL
formula. In another application that is mentioned in [GHS03], a DFA can be converted
to HDL to produce an assertion checker.
The “PROSYD” project has published methodologies for the use of PSL, and reports
on the tools that are developed in the project [BCE+04]. The PSL algorithms are intro-
duced in the context of generating checkers for simulation. The conversion of an NFA to
a Discrete Transition System (DTS) is presented as a central result. A DTS is a symbolic
program that represents an NFA, and is used during simulation for performing the asser-
tion monitoring. For the conversion of PSL assertions to NFAs it is referred to [BdFR04],
in which the automata are developed for model checking. However, in [BCE+04] it is not
mentioned how these automata are adapted to be used in checkers. In [BdFR04], which
is the basis for PSL to NFA in PROSYD, length-matching intersection of Sequential Ex-
tended Regular Expressions (SEREs) is not supported.
Gascard in [Gas05] proposes a method for transforming SEREs to DFAs. The work
is based on derivatives of REs introduced by Brzozowski in [Brz64]. The derivative of
a RE is a way of removing a given preﬁx in the language that is described by the RE.
This technique can be used to create a DFA from a RE. Then, monitors are generated
from DFAs. In most cases, monitors do not take sequence overlapping into account. In
addition, no results have been provided, neither the construction time, nor the synthesis
1A Bu¨chi automaton extends a ﬁnite automaton to inﬁnite inputs. It accepts an inﬁnite input sequence
if there exists a run of the automaton that visits (at least) one of the ﬁnal states inﬁnitely often. It
recognizes the ω-regular languages, the inﬁnite word version of regular languages.
31
Chapter 3 : State of the art
metrics.
The work presented in [GG05] deals with the translation of a subset of PSL SEREs
into monitors. For each operator of this subset, a function is implemented that builds
the corresponding non-deterministic automaton. The monitors can be generated in E and
Verilog. This method is faster than the conversion method based on HOL [GHS03], but
is slower than FoCs [ABG+00].
In [CRST06] Cimatti et al. propose an eﬀective method to transform a PSL property
into a normal form that separates the LTL and the SERE components. Then, each of them
is processed separately to generate the corresponding NBA of the original PSL property.
The aim of this approach is principally automata construction for model-checking, but it is
also possible to build monitors. This approach reduces the construction time of the NBA,
as well as the overall veriﬁcation time. In addition, the correctness of the transformation
is proved.
To the best of our knowledge, the most eﬀective approach in synthesizing monitors
from PSL SEREs is done by Boule and Zilic [BZ07, BZ08b, BZ08c]. In this work, the
SERE base cases are introduced. Then, the automata algorithms are developed for these
cases. In addition, a complete set of rewrite rules has been proposed in [MABBZ08] and
applied for all other operators, to rewrite them using the base cases. The automaton for
a complex property is obtained by combining primitive automata. Using this method,
the automata are constructed for the left and right hand side of an implication. Then,
they are connected to represent the property by a single automaton. It is shown that the
generated monitors are resource eﬃcient. The approach also enhances debug capability.
The authors in [EFP09] introduce the SynPSL tool, and also a method similar to
the method of Marc Boule for generating synthesizable HDL code from PSL assertions.
However, it does not support general Boolean layer expressions, it can just consider simple
Boolean expressions. The method does not support unbounded repetition in SEREs. In
addition, it can just be applied to the std logic type.
Despite all the attempts that have been put in this area, the automaton-based approach
is still too expensive. Although there are approaches [SP01] for constructing NFAs using
hardware, NFA is still inappropriate for hardware implementation, because of the large
number of concurrent transitions required by NFA. In addition, transforming NFA to DFA
is costly; it is exponential in the number of non-deterministic decision states.
Additionally, the automaton-based approaches generally indicate the status of the
property at the end of the simulation, and cannot be used for debugging purposes. It
would be more useful if the method could provide a dynamic trace of the assertion and
indicate each assertion failure. This goal can be reached through the modular method.
3.2.2 The modular approach
In [Ray96], Raymond proposed a modular method for building a Boolean dataﬂow net-
work (sequential circuit) to recognize the language described by a regular expression. A
safety property that is expressed using regular expression constructs is translated into a
synchronous program, such as Boolean network. A tool, reglo, has been designed that
translates a set of REs into an equivalent Boolean dataﬂow network that is expressed in
the Lustre language. The construction time, and the size of the resulting network are
linear with respect to the size of the regular expression.
Oliviera and Hu worked on generating interface monitors for verifying the intercon-
3.2 : Property synthesis as monitors
nection protocols between design modules [OH02]. The goal is providing an easy way to
generate monitors for common interface protocols. This work demonstrates that although
regular expressions work well for specifying simple IP interface monitors, they cannot be
easily used to specify complex interfaces. To overcome this problem, two new extensions
to REs have been proposed: deﬁning storage variables, and a pipe-lining operator. Using
these concepts, a speciﬁcation style has been created that can easily specify the full be-
havior of complex IP interface monitors. This style is called PREMiS (Pipelined Regular
Expression Monitor Speciﬁcation). Then, algorithms are proposed, and a prototype tool
is developed to translate these speciﬁcation into Verilog/VHDL monitor circuits. The
method is modular and works by passing the token from one sub-circuit to the next one.
The usefulness of the method has been shown by applying it to ARM AMBA AHB bus
protocol, and Open Core Protocol (OCP). However, neither the construction time nor the
combinational synthesis metric have been reported.
Pellauer et al. worked on the implementation of System Verilog Assertion (SVA)
assertion checkers [PLN05]. The ”ﬁrst-match” operator is used as a basis to implement
sequences in the right-hand side of suﬃx implications. Checkers are produced in the Blue-
Spec SystemVerilog language. It is an unclocked language; its models are subsequently
translated into sequential hardware. The implementation is not fully modular. The SERE
matching is performed using FSMs; a single FSM is used to implement the left-hand side
of a suﬃx implication, and multiple FSMs are used in the right-hand side. To process
the matches that are triggered by a left-hand side sequence, a ﬁnite number of FSMs in
the right-hand side are used. Therefore, unbounded repetition is not allowed in the left
hand-side sequence, since it needs an inﬁnite number of FSMs of the right-hand side. A
case study on a cache controller is presented.
Checker generation for SVA is performed by Das et al. in [SMDC06]. The idea is
breaking the sequence expressions as a sequence of expressions concatenated with the
corresponding time range expressions. Then, for each of the smaller sequence expressions
a sub-module is generated. These modules are interconnected in a way to determine a
match or fail of the actual sequence expression; every generated checker has the start
input that triggers the start of checking, and the match output that shows the match of
an expression. RE operators are classiﬁed into subsets, and a diﬀerent synthesis approach
is proposed for each subset. The method cannot deal with some unbounded repetitions of
a sequence since there are cases where the expressions cannot be synthesized into a ﬁnite
amount of hardware resources. For detecting the “not” of a sequence, if the sequence fails,
separate rules are given for each operator. However, there is no proof or evidence showing
that the rules are correct. In this work, assertions for the AMBA AHB bus are used, and
the corresponding checkers have been generated. The results have been compared with
the results from Synopsys OVA checker. Synopsys VCS simulator is used for simulating
the generated checkers and OVA checkers; the generated checkers are simulated faster
than the OVA checkers. In addition, the checkers are synthesized, and the area overhead
is reported.
Implementing PSL SEREs using the modular approach was performed by Morin-Allory
et al. in [MAGB07] for online fault detection. In contrast to the other reviewed modu-
lar methods, the proposed approach covers properties with both ﬁnite and inﬁnite state
sequences over time. In addition, the method supports both weak and strong operators.
In this method, a library is provided that consists of the synthesizable VHDL module
for each SERE operator, which is called SERE connector. A property sequence is built
33
Chapter 3 : State of the art
recursively by interconnecting the SERE connectors, based on the abstract syntax tree of
the SERE. Both the library and the construction of complex monitors are proven correct
with respect to the trace semantics of SEREs. The connectors have a common interface.
They are synchronized by a clock signal, and initialized by reset. They take one or two
tokens as input, and output a token. Tokens are passed from one connector module to
the next one. A monitor is triggered each time a token is transmitted to its input. The
presence of a token on the output of a monitor means that the sequence starting at the
cycle when the monitor was triggered has been recognized. Two types of token have been
introduced in [MAGB07]: monochrome and polychrome. The polychrome tokens are used
for dealing with several simultaneous evaluations of a sequence. Each color corresponds
to one evaluation of the sequence. However, the drawback is when multiple concurrent
matches happen, a large number of colors should be supported in a token, which aﬀects
the hardware overhead signiﬁcantly.
The modular approach introduced by Morin-Allory and Borrione in [KAB06] gener-
ates checkers for PSL temporal properties. In this method, the simple subset of PSL is
considered. Each PSL operator in this subset is implemented as a synthesizable VHDL
module, with a generic interface. A PSL property is generated by interconnecting the
operators’ sub-modules based on the abstract syntax tree of the property. A prototype
tool, HORUS, was developed for the automatic construction of a test environment for the
design [OMAB08, Odd09]. In these works, monitors can be triggered several times, and
are able to trace concurrently the evolution of the property for the successive triggers:
when a property succeeds or fails, the particular starting point for this particular result
is known. Therefore, this method is useful in debugging. The method was then improved
by Oddos et al. in [OMAB07] to prototype generators for on-line test vector generation.
3.3 Property synthesis as correct-by-construction cir-
cuits
Contrary to the previous section where properties are veriﬁed over an existing design
model, in this section a property is seen as the speciﬁcation of the module to be designed.
The objective is then producing the synthesizable RTL design from its assertions directly.
In contrast to the monitors, some operand variables are inputs to the module and others
are outputs.
The synthesis of control-type sequential circuits from formal formulas is not new. The
functional speciﬁcation of controller circuit involves describing sequences of events and
their interactions. The studies on automatic synthesis of a circuit from its speciﬁcations
started more than 50 years ago, with the following question raised by Church [Chu57,
Chu62]:
“Given a requirement which a circuit is to satisfy, we may suppose the requirement
expressed in some suitable logistic system which is an extension of restricted recursive
arithmetic. The synthesis problem is then to ﬁnd recursion equivalences representing a
circuit that satisﬁes the given requirement (or alternatively, to determine that there is no
such circuit).”
Almost all the solutions to this problem are automaton-based. However, the synthesis
method of our work is modular. Here, some of the related works of each groups are
reviewed.
3.3 : Property synthesis as correct-by-construction circuits
3.3.1 The automaton-based approach
In this method, an automaton is deﬁned as a set of states and transitions between them
that is speciﬁed by a given speciﬁcation. The goal is the construction of a ﬁnite-state
procedure that transforms any input sequence into an output sequence such that a given
speciﬁcation is satisﬁed. The underlying formalization of the speciﬁcations (regular ex-
pressions or temporal logic formulas) that specify sequences of events is based on either
language theory (grammar-based) [SB94, O¨be99] or automata theory [FKTMo86, PR89,
ABBSV00, SM02, BGJ+07a, FJR09, BJP+12, EKH12]. The grammar-based speciﬁcations
do not have the limitations of the procedural speciﬁcation style, that is the dependency
of the speciﬁcation implementation on time and also dependency to the size of input and
output signals.
Church’s problem was ﬁrst addressed by Bu¨chi [BL69], and then by Rabin [Rab72].
These approaches build automata of the properties, and reduce the synthesis problem
to the emptiness problem of automata. If a non-empty automaton can be found for the
speciﬁcations, its corresponding circuit is produced.
Pnueli and Rosner reconsidered the synthesis problem from LTL speciﬁcations in
[PR89]. The proposed method starts constructing a Bu¨chi automaton for a given LTL
speciﬁcation and then converts it into a deterministic Rabin automaton. The complexity
of the synthesis algorithm is double exponential in the length of the given speciﬁcation.
It is the origin of “synthesis of reactive systems”, with the algorithmic theory of two or
multi-player games. Some of the works use this approach, and formalize the synthesis as a
two-player game between the environment (that provides the inputs) and the system that
responds on its outputs [FJR09, BJP+12, EKH12, BCG+10, BGJ+07a]. The speciﬁcations
are realizable if the system can always win the game. In this case, the corresponding circuit
is extracted. Some recent works [Gre04] [BEK+14] use SAT-based method for constructing
the ﬁnal circuit.
The Clairvoyant tool was developed by Seawright and Brewer [SB94] to automatically
synthesize HDL RT level descriptions from a speciﬁcation written in Production Based
Speciﬁcation (PBS). PBS is a language that is similar to REs in many points. In a
PBS, the control part of the design is speciﬁed as a hierarchical set of productions. Each
production is viewed as a non-deterministic automaton. The idea is to transform the
speciﬁcation into BDD, then synthesize this BDD to RTL. Experimental results are good
for simple circuits. In Clairvoyant, a design entity with a single process and a well deﬁned
boundary and interface is speciﬁed. All interactions with inputs and outputs are described
at clock cycle level.
O¨berg synthesized data communication protocols that are expressed using Backus-
Naur Form (BNF) 2 grammars [O¨be99]. To do this, he developed a language, ProGram,
and its compiler. The ProGram language is based on a regular LL(1) grammar and uses
a BNF-like notation to code both input and output sequences, targeted for speciﬁca-
tion of data communication protocols. The language supports a description style that
is independent of the port sizes. The implementation is generated so that sizes are a
generic parameter that is ﬁxed in a subsequent step. The ProGram Compiler takes the
ProGram description as its input. It then parses the language and produces a RT-level
VHDL implementation of the interface protocol, by partitioning the input sequences into
2BNF is a formal notation for the speciﬁcation and documentation of programming language syntax.
Many programming languages, communication protocols or formats have a BNF description in their
speciﬁcation.
35
Chapter 3 : State of the art
a sequence of tokens, and output sequences into a sequence of output assignments. The
method uses a Directed Acyclic Graph (DAG) and explores the state space to analyze all
possible behaviors of the circuit. Some experiments have been done to evaluate the design
space exploration strategy of the ProGram compiler; a ProGram description of a reduced
F4 OAM protocol is implemented to generate diﬀerent designs by various port-size con-
straints of the inputs and outputs. To evaluate the quality of the produced designs, a set
of designs are coded in ProGram, High Level Synthesis (HLS) style VHDL code and RTL
styleVHDL code. Then, the code sizes are compared. The results show that ProGram
generates more compact designs. The same set of designs is synthesized using a commer-
cial HLS tool and the ProGram compiler followed by standard logic synthesis. The results
show that ProGram generates smaller circuits.
Heymans uses Answer Set Programming (ASP) to synthesize synchronization skele-
ton programs [HNV05]. In contrast to most of the methods, the method uses CTL for
expressing properties of concurrent programs. First, a model of the CTL speciﬁcation is
built using ASP. Next, a coherency analysis is performed and the synchronization skeleton
is extracted.
Aziz et al. [ABBSV00] describe how to synthesize sequential circuits from S1S logical
formulas. S1S is a second order logic that allows eﬀectively describing the sequential
systems. The formula is transformed into a single ﬁnite automaton, to be synthesized
into a gate-level hardware. The proposed method is automatic. It provides a systematic
way to reduce the problem of optimizing interacting FSMs to optimizing a single FSM.
Additionally, the approach can be easily extended to diﬀerent interconnection topologies.
Moreover, the approach generalizes to the synthesis of safety and liveness properties.
Any speciﬁcation provided in S1S owns a Bu¨chi automaton that can be synthesized into
a netlist. The method suﬀers from high complexity due to the use of negations and
determinizations (if necessary) in Bu¨chi automata. Although some optimizations have
been applied to reduce the algorithmic complexity, these automaton-based approaches
cannot process complex designs.
Kukula and Shiple describe in [KS00] how to eﬀectively synthesize the mathematical
relations in combinational circuit. The approach transforms the equation that speciﬁes
the relation between inputs and outputs into a FBDD (Free-BDD). Then, the ﬁnal circuit
is extracted from FBDD. The circuit size is proportional to the FBDD.
Mu¨ller and Siegmund [SM02] also worked on the synthesis of communication interfaces
from protocols. They used a SystemC extension formalism, SV, for protocol speciﬁcation.
SV allows writing the communication protocol between the components in high level. The
communication is done through abstract channels, through read/write actions. The idea
is to start with a description of the communication protocol between two SV components.
The description is then synthesized into a SystemC description. The SV part is analyzed
and the Protocol Flow Graph (PFG) is built. The PFG provides the deﬁnition of the
communication protocol. The SystemC synthesizable descriptions are obtained by trans-
forming the PFG into two FSMs, one for each interface. They used automaton-based
methods to build the ﬁnal design.
Although automatic synthesis from the speciﬁcations is not so new, it has recently been
applicable to real circuits, through the development of prototype tools [PPS06, BGJ+07a,
RAT, FJR11, EKH12].
Bloem et al. deﬁned a subset of LTL named “GR(1)” from which properties are trans-
lated to automata [BGJ+07a, BGJ+07b]. They use the two-player game method. The
3.3 : Property synthesis as correct-by-construction circuits
game theory algorithms compute all the correct behaviors of the design under all admis-
sible interactions with the environment. It is shown how to build a winning strategy and
extract a system from it. The method is polynomial in N3, where N is the sequential
complexity of the speciﬁcation. In [BGJ+07a] the method is applied to the Generalized
Buﬀer (GenBuf) from IBM [IBM] and the AMBA AHB Bus arbiter. The PSL proper-
ties of these examples are presented in [BGJ+07a], and the synthesis results are shown.
Increasing the number of senders/receivers in GenBuf, or the number of masters/slaves
in the AMBA AHB arbiter, increases the synthesis time and the size of the generated
hardware. In addition, the generated gate-level circuit is very complicated and cannot
be changed manually. The work is later extended and improved in [BJP+12], to obtain
smaller circuits.
Ehlers et al. present a game approach for synthesizing circuits from their formal
speciﬁcations [EKH12]. A general strategy is introduced as the characterization of the
set of moves that lead the system player wins the game. There may be more than one
solution for the system player to win the game. The goal is selecting a good circuit for
this strategy among the several possible extracted circuits.
These methods have been implemented and some prototype tools have been provided
for property synthesis. Brieﬂy, Lily and Anzu were implemented based on the researches
in [JB06, PPS06], and then improved to Ratsy. In addition, Unbeast was developed based
on the works of [Ehl11, EKH12] (see Section 3.4).
All the related works that have been reviewed so far extract the ﬁnal circuits from
various forms of BDDs. Some other works propose a SAT-based method for synthesizing
the circuit.
In the approach that is proposed by Greaves in [Gre04], the small components are
synthesized using SAT-based methods. The speciﬁcation is provided as input. A SAT
solver is used to generate the programming bit-stream on a pseudo-FPGA architecture to
comply with the formal speciﬁcations of the system. This method is taking advantage of
the fact that the basic component of the FPGA is the LUT. LUTs are deﬁned as functions,
having some free variables (the input signals) and some variables whose values should be
determined by SAT solvers (the intermediate or some output signals). In addition, the
design is expressed using some logical rules that consider the value of a signal in various
cycles. Both the FPGA program and the design speciﬁcations are expanded into CNF
form. Then, a SAT solver is used to ﬁnd an appropriate solution. The properties are in
the form of A → next(B). A few experiments have been tried to show the feasibility of
this method. However, the approach is not automatic.
In [BEK+14] Bloem et. al uses a SAT-based method for synthesizing circuits from
safety speciﬁcations. The proposed SAT-based learning method combines quantiﬁer elim-
ination with computational learning. The method generates smaller circuits in shorter
time in comparison to BDD-based methods. The basic algorithms that are used in this
work are not new, but new optimizations have been presented for safety speciﬁcation. It is
shown how the idea of interpolation for circuit extraction can be combined with learning
to compute the interpolants more eﬃciently.
3.3.2 The modular approach
Some other works have been done to synthesize the temporal properties of PSL or SVA
based on completely diﬀerent principles [SNBE07, EFP09].
37
Chapter 3 : State of the art
Eveking et al. introduce “Cando-Objects”, and address how they can be incorporated
in synthesizing modules from PSL properties [SNBE07]. Cando-Objects can do anything
allowed by their property, i.e. can show all the possible behaviors of the properties from
which they were generated. The properties are rewritten in a normalized form. The
normalization procedure identiﬁes the potential inconsistencies between properties and
disjoints them so that only one property speciﬁes a signals’ value in a speciﬁc state. Then,
the VHDL description of the Cando-Object is generated. The original models can then
be replaced by the corresponding Cando-Objects. In order to allow all possible behaviors,
additional signals are used to generate signal values for the cases when a signal value is
not deﬁned. If the speciﬁcation is logically non-determined, e.g. A or B, free inputs are
used. Non deterministic behaviors are admitted, and translated into the addition of more
input signals connected to random sources. The Cando-Objects are a fault-conserving
abstraction of the original modules; therefore, if the full design including the replacements
can be veriﬁed, the design is correct. Also, it proves that the set of module properties is
complete with respect to the architectural properties. The approach is limited to bounded
time properties. The method has been applied to AMBA AHB master, PCL Local Bus
and a MIPS core, and the generation time has been reported. However, there is no result
on hardware metrics.
The subject was reconsidered by Oddos et al. in [OMAB09], and a preliminary solution
was proposed to synthesize the control circuits from PSL temporal properties [Odd09].
The method is modular, each property is turned into a component combining monitor
and generator features: the extended-generator. A synthesizable VHDL sub-module is
provided for each operator in PSLsimple. These operator sub-modules are proven to be
correct. Each property is the interconnection of its operators’ sub-modules. The ﬁnal
design is the interconnection of the property modules, and it is correct-by-construction.
The approach synthesizes circuits speciﬁed by hundreds of temporal properties in a few
seconds. The idea extended HORUS, which was used for synthesizing checkers, to Syn-
tHorus. It could synthesize the circuits from FL temporal properties in PSLsimple. The
method supports both strong and weak operators. It does not imply any limitations to
the PSLsimple FL operators. It is not necessary for a designer to specify the assumptions.
In addition, the method enhanced the debugging capability of the design. However, the
method was not totally automatic. The designer should have annotated the properties,
which means in each property, the designer should have made the decision about the sig-
nal directions. Then, the input of SyntHorus was the annotated properties. Moreover, the
solution did not support duplicated signals; it was limited to the cases in which a signal
is constrained just by a single property. In addition, it was not possible to consider the
consistency and completeness of the properties. Moreover, it did not support SEREs.
These shortcomings have been resolved in this thesis. The signals in the properties are
automatically annotated, and the duplicated signals are resolved automatically. In addi-
tion, some complementary properties are generated that can be used both in simulation
and formal veriﬁcation tools to verify the consistency and completeness of the set of the
properties.
3.3.3 Synthesizing from Regular Expressions
All of the above reviewed methods, both automaton-based and modular, synthesize the
temporal properties and not the sequences. There are just a few works in synthesizing
3.3 : Property synthesis as correct-by-construction circuits
REs, some of them are very old and go back to more than 40 years ago [BP63, Brz65,
Cur68, LJ88, BL88].
Brzozowski presents a method in [BP63] for modular synthesis of REs over the Boolean
alphabet. The described designs should be synchronous, deterministic, and ﬁnite. For
each basic operator, a sub-module is constructed that implements the operator. Then,
the ﬁnal circuit is constructed recursively by interconnecting the sub-modules. The paper
introduces the notion of recursive realization, and proves that the construction is valid if
proper assumptions are considered. He then introduces the Linear Sequential Circuits in
[Brz65], and addresses how to obtain the REs that are accepted by such circuits directly.
In addition, he gives a method for interpreting the REs to construct a word description
of the circuit behavior. The method supports unbounded repetition. However, neither a
tool has been provided to implement the method nor any experimental results are given.
Curtis in [Cur68] considers how to obtain directly the realizations of synchronous
ﬁnite automata from their speciﬁcation that are expressed in REs. He deﬁnes a polylinear
sequential circuit3 realization, and proves that every synchronous ﬁnite automaton has
such a realization. A ﬁnite automaton is realized by a polylinear sequential circuit if its
next state variables and output have the polylinear property; i.e. they can be expressed
as a linear function of the present state variables for each of the inputs. In this method
the polylinear sequential circuit realizations do not require special initial circuitry. In
contrast to the indirect methods that need some combinational logics to obtain the next
state and output equations after state minimization, in this method these equations are
being generated automatically. The drawback is the size of the generated circuits.
Luk and Jones present an approach to derive regular synchronous circuits from their
RE speciﬁcation [LJ88]. In this method, some common structures are deﬁned. In the
ﬁrst step, the speciﬁcation should be rewritten based on the predeﬁned structures. From
this, a draft architecture is obtained. Then algebraic theorems are used for optimizing
the draft architecture. The method is applied to a “rank evaluation circuit” taken as case
study. First, a preliminary architecture is obtained. Then, it is optimized in several ways,
each has its own trade-oﬀ, and may aﬀect the latency, frequency or area of the obtained
architecture.
Brown and Leeser propose a method in [BL88] for synthesizing a correct sequential
circuit from its speciﬁcation. The approach is developing a circuit as a program. After
verifying the program, it is compiled to a sequential machine description. The program
speciﬁes the assignment statements of the data-path, the data-path branching conditions,
and also the structure of the controller that implements this. This program can be rep-
resented using a state transition system. Then, the states and transitions are partitioned
into a controller and data-path. Each program’s statement is labeled uniquely. The states
of the transition system consists of an assignment of values to program variables, and a
program label that speciﬁes the control part. The focus of this paper is on generating the
controller. The data-path can then be implemented automatically or manually. It has
been proven that the generated circuits are correct. The method is demonstrated on the
design of a multiplier.
In this thesis, we revisit this old problem, and propose an approach for synthesizing
PSL SEREs. To the best of our knowledge, it is the only work that addresses synthesizing
a design from SEREs, and none of the previously developed tool support SEREs; they
3In a polylinear sequential circuit the next state variables are linear functions of the present state
variables for each of the inputs.
39
Chapter 3 : State of the art
just consider the temporal operators.
3.4 Existing tools
In this section, we brieﬂy review some of the existing tools in the area of ABV, and
compare these tools.
There are a large variety of tools for formal veriﬁcation. Based on the tool being used,
the properties can be expressed as PSL, LTL, or CTL. OneSpin [ONE], Mentor Graphics
0-In, Cadence Incisive [CAD], and RuleBased from IBM [HIL04] are some of the most well-
known tools that can be used for formal veriﬁcation. We exercised RuleBased, 0-In, and
OneSpin, and selected OneSpin for formally verifying the generated circuits.
For compiling assertions into monitors some industrial tools exist. The ﬁrst industrial
tool for construction checkers of PSL properties is IBM FoCs [ABG+00]. The details
have not been published for commercial reasons. FoCs uses automata to generate HDL
checkers from PSL assertions. An “end-of-simulation” signal should be provided by the
user to mark the end of time when strong properties are used. This signal is used by
the checkers to report any unfulﬁlled obligations as errors when the cycles are truncated
(there exists no further cycles). FoCs does not support all the operators, and supports
very few strong operators.
Another tool that has recently been developed by Atrenta is BugScope [BUG]. It
uses design and testbench information, and automatically generates assertions and func-
tional coverage properties. BugScope takes an RTL design and also its testbench; then,
it synthesizes automatically the high assertions that capture key design constraints and
speciﬁcations. In addition, it generates functional coverage properties. The coverage prop-
erties are functional and are independent of the syntax of the RTL. BugScope has suﬃcient
capacity to support assertion synthesis for full SoC designs, with run-time performance
scaling linearly with respect to design complexity. It can generate the assertions in IEEE
standard formats such as SVA, PSL or synthesizable Verilog.
Dolphin integration also provides a tool, SLED SDG (Synthesizable Detector Genera-
tor), for synthesizing assertions as checkers [SDG]. It generates RTL checkers (Verilog or
VHDL) from PSL assertions. It also integrates RTL synthesizable hardware checkers into
circuits for real-time veriﬁcation.
In addition to the mentioned industrial tools, there are academic tools for compiling
assertions as checkers. MBAC is an academic tool that has been developed by Boule
[BZ08a] in McGill university. It uses an automaton-based approach to generate assertions
from PSL properties. The MBAC checker generator produces assertion-monitoring circuits
from PSL statements and augments these checkers with debug-assist circuitry. Other
forms of debug information, such as signal dependencies, can also be sent to the front-end
applications. Boule compares the checkers produced by MBAC to the checkers that are
produced by FoCs. The comparison involves generating checkers for a suite of assertions,
and then synthesizing the checkers using FPGA implementation tools. The circuit size
of the checkers are compared using the number of ﬂip-ﬂops and also combinational logic.
The results in [BZ08a] shows that the MBAC checker generator outperforms FoCs.
Horus [OMAB08] is another academic tool that has been developed in the VDS group
of TIMA Lab. It uses the modular method to generate monitors from PSL FL properties.
It can also be used for the automatic generation of a test environment. This tools is the
basis of SyntHorus and SyntHorus2.
3.5 : Summary
In the scope of correct-by-construction, there are just a few tools.
Acacia+ [ACA] is based on the works in [FJR09, FJR11]. It inputs LTL speciﬁcations,
and outputs a design in dot format. The tool is based on the two-player game approach.
It provides several options, for example: backward or forward state traversal; the circuit
player or the environment player has the initial move. However, the problem is that it
can only synthesize very small, and non realistic, circuits.
Unbeast [UNB] is based on the works in [EKH12]. It inputs LTL speciﬁcations in
XML syntax and produces an intermediate NuSMV ﬁle that is turned to an aig format
by AIGER. ABC [ABC] is used to translate aig into Verilog. The tool can be applied to
small examples, and it times out for complex or large circuits.
Ratsy (Requirements Analysis Tool with Synthesis) [RAT, BCG+10], is an update of
Rat that is developed by Bloem et al. in the University of Gratz. It contains the Lily [JB06]
and Anzu [PPS06] previous tools of the same research group. A graphical user interface
has been provided for Ratsy. Ratsy inputs GR(1) PSL properties. The properties must
be partitioned into a guarantee and an assume part. It produces a Verilog design. The
tool can also take a Bu¨chi automaton as its input. In this system the environment player
moves ﬁrst. Ratsy performs an on-the-ﬂy veriﬁcation of the properties.
SyntHorus is the extended version of Horus that is developed in TIMA Lab [Odd09].
In contrast to other existing methods, the tool is based on the modular approach, and
could synthesize PSLsimple FL properties to VHDL. However, it had some limitations.
It could just support scalar signals of type std logic. In addition, it could not deal with
the modeling layer of PSL. Moreover, the process was not totally automatic. In addition,
there were some diﬃculties for specifying the value of the signals that are being generated
in several properties. However, the synthesis results and hardware generation time are
better than Ratsy.
In this thesis, SyntHorus has been improved to SyntHorus2. This new version inputs
PSL properties and generates the synthesizable VHDL circuit automatically. It supports
FL properties, and also partially supports SEREs. The tool can automatically decide
about the signal directions in each property (see Chapter 7). Moreover, it can resolve the
value of the signals that are generated in several properties (see Chapter 9). Additionally,
SyntHorus2 supports std logic vector signals. Additionally, it partially supports the mod-
eling layer. Finally, it generates complementary properties to verify if the properties are
consistent and complete.
3.5 Summary
In this chapter we brieﬂy reviewed the related works in assertion-based veriﬁcation and
design. We considered both the automaton-based and modular approaches.
In the area of synthesizing assertion checkers for REs, the modular methods have some
limitations. Assertion checkers should be able to handle multiple simultaneous sequences
of events that can overlap temporally. In general, the modular methods indicate diﬃculties
for implementing all SERE operators, especially intersection and unbounded repetition
[SMDC06, PLN05, MAGB07, BZ05], while the automaton-based methods overcome these
diﬃculties [BZ08b].
Most of the works in designing correct-by-construction circuits are based on automa-
ton. Such methods are expensive. In addition, almost all the proposed methods only deal
with the temporal properties, not the sequences.
41
Chapter 3 : State of the art
Our synthesis approach is modular for temporal operators of PSLsimple. For synthe-
sizing SEREs, to avoid the shortcomings of the modular method, a hybrid method is
introduced. Using this method, the left-hand side of a property sequence is generated
using the automaton-based method, while the modular method is used for synthesizing
the right-hand side of the suﬃx implication.
Finally, some of the tools in the area of assertion-based veriﬁcation and design are
introduced in this chapter. In Chapter 10 the synthesis results of our tool, SyntHorus2
are compared to the results of Ratsy.
Chapter4
Fast prototyping from assertions: the overall
synthesis ﬂow
Contents
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.2 Reactant synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.3 Running Example: Generalized Buﬀer . . . . . . . . . . . . . . 45
4.3.1 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.3.2 Communication with FIFO . . . . . . . . . . . . . . . . . . . . 47
4.3.3 Communication with the senders . . . . . . . . . . . . . . . . . 48
4.3.4 Communication with the receivers . . . . . . . . . . . . . . . . 49
43
Chapter 4 : Fast prototyping from assertions: the overall synthesis ﬂow
4.1 Introduction
In this chapter, the overall synthesis ﬂow is introduced. The details of each step of this ﬂow
will be explained in the following chapters. In addition, a running example is introduced
and used in the following chapters to show the applicability of the proposed synthesis
method.
4.2 Reactant synthesis
In this work a correct-by-construction method is proposed to directly produce the synthe-
sizable RTL design from its assertions.
The method is modular; i.e. the reactant of each property is the interconnection of its
operators’ modules. Therefore, operators’ modules are the building blocks of a property,
and are called primitive reactants, since they do not consist other reactant modules. Then,
the ﬁnal circuit is the interconnection of the properties’ reactants.
Fig. 4.1 shows the overall synthesis ﬂow that produces a circuit from a set of properties.
The initial step is providing a library of primitive reactants for FL1 and SERE2 oper-
ators. It is done by considering the formal semantics of the operators, and interpreting
these mathematical semantics to hardware (see Chapter 5 and Chapter 6). The library of
primitive reactants for FL operators has been already implemented by Morin-Allory et al.
in [OMAB09]. During this thesis, the library of primitive reactants for SERE operators
has been provided.
At the beginning, properties are processed one by one. A conventional front-end
produces the Abstract Syntax Tree (AST) from the source text of each property. The
implementation of the subsequent processing steps makes use of no further compilation
tool.
For each property it should be identiﬁed which signal occurrences are read (monitored),
and which ones are constrained (generated) by the property. We refer to this step as
annotation. To annotate the signals we use the dependency relations of the temporal
operators (see Section 5.2 of Chapter 5, and Section 6.3 of Chapter 6). Based on these
dependencies, an algorithm is proposed for annotation (see Chapter 7): a direction is
given to the edges of each AST, and the Directed Abstract Syntax Tree (DAST) of each
property is generated.
Then, using the library of primitive reactants for the operators, a complex reactant
is built for each fully annotated DAST, by applying the principles that are explained in
Chapter 8, Sections 8.3.2 (for FLs) and 8.3.3 (for SEREs).
Considering the DASTs, a signal may be constrained by several properties. In addition,
there may be cases that a signal’s direction cannot be decided just by considering a
property alone. Therefore, we need to consider all the properties together to identify
the dependency among properties. To this goal, a graph that reﬂects a global view of
the signals in the circuit is constructed from all the DASTs (See Dependency Graph in
Chapter 9). The following information can be extracted from this graph:
1 identifying which properties constrain a speciﬁc signal, duplicated signal. Using this
information we generate a simple solver that speciﬁes the value of the signal.
1Foundation Language
2Sequential Extended Regular Expression
4.3 : Running Example: Generalized Buﬀer
2 identifying the signals whose direction has not been speciﬁed in a property, unan-
notated signals, and identifying the dependency of these signals on other signals.
Using this information, we generate a component, complex solver, that speciﬁes the
value of an unannotated signal based on the value of the other signals that aﬀect it.
We refer to this procedure as resolution (see Chapter 9). The ﬁnal circuit is constructed
as the interconnection of the reactants for all the properties, together with solvers (see
Chapter 9, Section 9.7).
This is a register transfer level model that is input to a conventional industrial synthesis
tool to obtain the ﬁnal implementation, either on FPGA or on an ASIC.
From the information provided by the dependency graph, a set of complementary
properties can be generated, which can be used by an industrial veriﬁcation tool, to verify
if the set of the properties are complete and consistent.
We have provided a prototype tool, SyntHorus2 that implements the above synthesis
process: it takes a set of PSL properties as its input, and generates the ﬁnal circuit in
VHDL. It also generates some complementary properties to verify the completeness and
coherency of the set of the speciﬁcation (see Fig. 4.1). The proposed method is applicable
to the controller parts of a design.
4.3 Running Example: Generalized Buﬀer
Here, we introduce IBM Generalized Buﬀer [IBM] (GenBuf ) as our running example.
4.3.1 Presentation
The generalized buﬀer GenBuf is an arbiter that sequentializes requests coming from
nbsend senders, and transmits them one at a time to nbrec receivers (nbsend and nbrec
are generic parameters). Each sender has its own bus, and the receivers share the same
bus. A FIFO (with the length of four 32 bit data) stores the incoming data waiting to be
sent to the receivers.
A controller communicates with all the modules and the FIFO: it enforces a round-
robin selection policy on the receivers side, it blocks the senders when the FIFO is full,
and blocks the receivers when the FIFO is empty. Figure 4.2 displays the architecture of
the system and the interface control signals that are used for the communication.
• From each sender Si, GenBuf receives a request input StoB REQ(i) and replies with
an acknowledge output BtoS ACK(i).
• To each receiver Rj, GenBuf outputs a request BtoR REQ(j) and gets an acknowledge
RtoB ACK(j).
• GenBuf gets the FULL and EMPTY signals from the FIFO and provides the ENQ
and DEQ signals for writing (reading) appropriate data to (from) the FIFO.
The set of FL properties that specify the GenBuf controller are taken from [BGJ+07a].
These properties have been rewritten and completed in order to be used by our prototype
tool, SyntHorus2. In addition, the properties have been rewritten as SEREs, using the
rewriting rules that are introduced in [MABBZ08]. In the following sections, the commu-
nication between the controller, the senders, the receivers, and the FIFO, together with
the corresponding properties are explained in details.
45
Chapter 4 : Fast prototyping from assertions: the overall synthesis ﬂow
Figure 4.1: Overall Synthesis Flow
4.3 : Running Example: Generalized Buﬀer
GenBuf 
Controller
(Automatically 
generated
by SyntHorus2)
sender#0 receiver#0
FIFO
StoB_REQ(0)
BtoR_REQ(0)BtoS_ACK(0)
RtoB_ACK(0)
EN
Q
DE
Q
EM
PT
Y
FU
LL
sender#i
StoB_REQ(i)
BtoS_ACK(i) receiver#jBtoR_REQ(j)
RtoB_ACK(j)
Figure 4.2: GenBuf circuit interface
4.3.2 Communication with FIFO
Data are read/written from/to the FIFO buﬀer by activating the DEQ/ENQ signals. The
EMPTY and FULL signals show the status of the FIFO. The properties that are shown
in Fig 4.3 guarantee that the FIFO works correctly. The properties have the following
meaning:
• P0_FIFO: When the FIFO is full and no data is read from the FIFO, no data can be
written into the FIFO.
• P1_FIFO: When the FIFO is empty, no data can be read from it.
vunit genbuf FIFO
{
P0 FIFO :
always (FULL and not DEQ −> not ENQ) ;
P1 FIFO :
always (EMPTY −> not DEQ) ;
}
Figure 4.3: FL speciﬁcation that guarantees the correct behavior of FIFO
The FIFO should be selected, and the data should be put into it, whenever the GenBuf
controller sends an acknowledgment to the corresponding sender (see properties under
“FIFO interface” in Fig. 4.5). The FIFO cannot be selected and get the data before being
sure that the request from the sender is acknowledged by the buﬀer. So, the ENQ and
SLC signals follow the behavior of the acknowledgment signals to the senders.
The data should be read from the buﬀer after completion of the transfer. Hence, after
getting the acknowledgment from a receiver, the DEQ signal becomes high (see properties
under “FIFO interface” in Fig. 4.8).
47
Chapter 4 : Fast prototyping from assertions: the overall synthesis ﬂow
4.3.3 Communication with the senders
The interface between the senders and GenBuf is a 4-phase handshaking protocol. Let Si
be any one of the senders.
• Si asserts StoB REQ(i), then puts data on the next cycle
• GenBuf asserts BtoS ACK(i) after reading the data
• In the next cycle, the sender deasserts StoB REQ(i)
• GenBuf speciﬁes the end of the transaction by deasserting BtoS ACK(i)
We assume that signals take a default value 0, GenBuf maintains FIFO order, and senders
are never starved. Figure 4.4 shows an example timeline of a GenBuf to sender handshake.
0 1 2 3 4
clock
StoB REQ(i)
BtoS ACK(i)
ENQ
Figure 4.4: An example timeline of a GenBuf to sender handshake
4.3.3.1 Formal FL speciﬁcation
Figure 4.5 shows the FL properties that describe the communication between the GenBuf
controller, the senders, and the FIFO (the properties are shown for two senders).
The properties have the following meaning:
• P0_sender_i: Once low, the acknowledge to Si remains low as long as Si sends no
request.
• P1_sender_i: The acknowledge to Si remains high as long as Si keeps its request
high.
• P2_sender_i: A new request may be raised by Si only if its acknowledge signal is
low.
• P3_sender: The senders may send simultaneous requests to GenBuf, but at most
one acknowledge signal is high.
• P4_FIFO_sender: Either ENQ is 0, or one of the acknowledge signals is 1.
• P5_FIFO_sender: If signal ENQ is low, none of the acknowledge signals has just been
raised. To generate signals, SyntHorus2 requires that all properties be temporally
aligned from present to future. Property P5_FIFO_sender has to be rewritten as:
4.3 : Running Example: Generalized Buﬀer
P5 sere FIFO sender 0 :
always (not BtoS ACK(0) −> next ! (ENQ or not BtoS ACK(0) ) ) ;
P5 sere FIFO sender 1 :
always (not BtoS ACK(1) −> next ! (ENQ or not BtoS ACK(1) ) ) ;
• P6_FIFO_sender: If there is a request from the senders and the FIFO is not full
and signal ENQ is low, ENQ must be high in the next cycle and go back to low in
the following cycle.
• P7_FIFO_sender_i: If there is an acknowledgment to Si, then the ith data is pushed
into the FIFO (SLC = i).
4.3.3.2 Formal SERE speciﬁcation
The set of SERE properties that specify the communication between the GenBuf con-
troller, the senders and the FIFO are shown in Fig. 4.6 (for 2 senders). Here, only two
properties are explained as examples.
• P1_sere_sender_i: The acknowledge to Si remains high as far as Si keeps its
request high, and it is deasserted one cycle after deactivation of the request signal.
• P6_sere_FIFO_sender: If there is a request from the senders and the FIFO is not
full and signal ENQ is low, ENQ must be high in the next cycle, and then, it will be
deasserted in the following cycle.
4.3.4 Communication with the receivers
GenBuf interacts with the receivers through a 4-phase handshake protocol. The arbitra-
tion mechanism that is used by GenBuf is round-robin: GenBuf does not request the same
receiver consecutively. In addition, it does not request both receivers at the same time.
A request signal from GenBuf remains active, until receiving the acknowledgement.
One cycle after asserting the acknowledge signal, the request will be deasserted and
cannot be asserted again until one cycle after deactivation of the acknowledge signal.
Figure 4.7 shows an example timeline of a GenBuf to receiver handshake.
4.3.4.1 Formal FL speciﬁcation
The set of FL properties that specify the communication between the GenBuf controller,
the receivers, and the FIFO are shown in Fig. 4.8 (for 2 receivers).
The properties have the following meaning:
• P0_rec: When the FIFO is not empty, GenBuf should send a request to one of the
receivers; which receiver should be requested is not speciﬁed.
• P1_rec: When the FIFO is empty, none of the receivers should be requested.
• P2_rec: Two receivers cannot be requested at the same time.
49
Chapter 4 : Fast prototyping from assertions: the overall synthesis ﬂow
vunit genbuf sender
{
P0 sender 0 :
always ( (not BtoS ACK(0) ) and (not StoB REQ(0) ) −> next ! (not BtoS ACK
(0) ) ) ;
P0 sender 1 :
always ( (not BtoS ACK(1) ) and (not StoB REQ(1) ) −> next ! (not BtoS ACK
(1) ) ) ;
P1 sender 0 :
always ( (BtoS ACK(0) and StoB REQ(0) ) −> next ! (BtoS ACK(0) ) ) ;
P1 sender 1 :
always ( (BtoS ACK(1) and StoB REQ(1) ) −> next ! (BtoS ACK(1) ) ) ;
P2 sender 0 :
always ( rose (StoB REQ(0) ) −> not BtoS ACK(0) ) ;
P2 sender 1 :
always ( rose (StoB REQ(1) ) −> not BtoS ACK(1) ) ;
P3 sender :
always ( not BtoS ACK(0) or not BtoS ACK(1) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P4 FIFO sender :
always (not ENQ or BtoS ACK(0) or BtoS ACK(1) ) ;
P5 FIFO sender :
always (not ENQ −> not rose (BtoS ACK(0) ) and not rose (BtoS ACK(1) ) ) ;
P6 FIFO sender :
always ( (StoB REQ(0) or StoB REQ(1) ) and (not FULL) and (not ENQ) −>
next ! (ENQ) and next ! [ 2 ] ( not ENQ) ) ;
P7 FIFO sender 0 :
always ( rose (BtoS ACK(0) ) −> SLC = 0) ;
P7 FIFO sender 1 :
always ( rose (BtoS ACK(1) ) −> SLC = 1) ;
}
Figure 4.5: FL speciﬁcation of GenBuf communication with senders in the case of two
senders
4.3 : Running Example: Generalized Buﬀer
vunit g enbu f s ende r s e r e
{
P0 se r e s ende r 0 :
always ({not BtoS ACK(0) and not StoB REQ(0) } |=> {not BtoS ACK(0) } ! ) ;
P0 se r e s ende r 1 :
always ({not BtoS ACK(1) and not StoB REQ(1) } |=> {not BtoS ACK(1) } ! ) ;
P1 se r e s ende r 0 :
always ({ (BtoS ACK(0) and StoB REQ(0) ) } |=> {(BtoS ACK(0) ) } ! ) ;
P1 se r e s ende r 1 :
always ({ (BtoS ACK(1) and StoB REQ(1) ) } |=> {(BtoS ACK(1) ) } ! ) ;
P2 se r e s ende r 0 :
always ({not StoB REQ(0) ; StoB REQ(0) } |−> {not BtoS ACK(0) }) ;
P2 se r e s ende r 1 :
always ({not StoB REQ(1) ; StoB REQ(1) } |−> {not BtoS ACK(1) }) ;
P3 se r e s ender :
always ( not BtoS ACK(0) or not BtoS ACK(1) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P4 sere FIFO sender :
always (BtoS ACK(0) or BtoS ACK(1) or not ENQ ) ;
P5 sere FIFO sender 0 :
always ({not BtoS ACK(0) } |=> {ENQ or not BtoS ACK(0) } ! ) ;
P5 sere FIFO sender 1 :
always ({not BtoS ACK(1) } |=> {ENQ or not BtoS ACK(1) } ! ) ;
P6 sere FIFO sender :
always ({ (StoB REQ(0) or StoB REQ(1) ) and not FULL and not ENQ} |=> {
ENQ; not ENQ} ! ) ;
P7 sere FIFO sender 0 :
always ({not BtoS ACK(0) ; BtoS ACK(0) } −> SLC = 0) ;
P7 sere FIFO sender 1 :
always ({not BtoS ACK(1) ; BtoS ACK(1) } −> SLC = 1) ;
}
Figure 4.6: SERE properties of GenBuf communication with senders in the case of two
senders
51
Chapter 4 : Fast prototyping from assertions: the overall synthesis ﬂow
0 1 2 3 4 5 6 7 8
clock
EMPTY
BtoR REQ(j)
RtoB ACK(j)
DEQ
Figure 4.7: An example timeline of a GenBuf to receiver handshake
vunit g enbu f r e c e i v e r
{
−−−−− r e c e i v e r s i d e
P0 rec :
always (not EMPTY −> next ! ( BtoR REQ(0) or ( BtoR REQ(1) ) ) ) ;
P1 rec :
always (EMPTY −> next ! ( not BtoR REQ(0) and (not BtoR REQ(1) ) ) ) ;
P2 rec :
always (not BtoR REQ(0) or not BtoR REQ(1) ) ;
P3 rec 0 :
always ( rose (BtoR REQ(0) ) −> next ! (next event ! (prev (not BtoR REQ(0)
) ) (not BtoR REQ(0) unti l (BtoR REQ(1) ) ) ) ) ;
P3 rec 1 :
always ( rose (BtoR REQ(1) ) −> next ! (next event ! (prev (not BtoR REQ(1)
) ) (not BtoR REQ(1) unti l (BtoR REQ(0) ) ) ) ) ;
P4 rec 0 :
always ( (BtoR REQ(0) ) and (not RtoB ACK(0) )−> next ! (BtoR REQ(0) ) ) ;
P4 rec 1 :
always ( (BtoR REQ(1) ) and (not RtoB ACK(1) )−> next ! (BtoR REQ(1) ) ) ;
P5 rec 0 :
always ( (RtoB ACK(0) ) −> (next ! (not BtoR REQ(0) ) ) ) ;
P5 rec 1 :
always ( (RtoB ACK(1) ) −> (next ! (not BtoR REQ(1) ) ) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P6 FIFO rec :
always ( ( f e l l (RtoB ACK(0) ) or ( f e l l (RtoB ACK(1) ) ) and not EMPTY) −> (
DEQ) ) ;
P7 FIFO rec :
always (not f e l l (RtoB ACK(0) ) and not f e l l (RtoB ACK(1) ) −> (not DEQ) ) ;
}
Figure 4.8: FL speciﬁcation of GenBuf communication with receivers, in the case of two
receivers
4.3 : Running Example: Generalized Buﬀer
• P3_rec_0: Describes the round-robin scheme on the receiver side. Once receiver R0
has been requested, it cannot be requested again before receiver R1 is requested.
• P4_rec_j: The request to Rj remains high as long as the acknowledgment from Rj
is not received.
• P5_rec_j: The request to Rj is deasserted one cycle after RtoB ACK(j) is set by Rj.
• P6_FIFO_rec: If there is an acknowledgment from one of the receivers, and the
buﬀer is not empty, then a data is read from FIFO (DEQ becomes high) in the
falling edge of the acknowledgment signal.
• P7_FIFO_rec: No data is read from the FIFO as long as none of the acknowledg-
ments has not been deasserted.
4.3.4.2 Formal SERE speciﬁcation
The set of SERE properties that specify the communication between the GenBuf con-
troller, the receivers, and the FIFO are shown in Fig. 4.9.
Here, a property is explained as an example.
• P3_sere_rec_0: Describes the round-robin scheme on the receiver side. Once re-
ceiver R0 has been requested, we wait until deassertion of the request signal. Then,
this request signal remains low until requesting R1.
53
Chapter 4 : Fast prototyping from assertions: the overall synthesis ﬂow
vunit g e nbu f r e c e i v e r s e r e
{
P0 se r e r e c :
always ({not EMPTY} |=> {BtoR REQ(0) or BtoR REQ(1) } ! ) ;
P1 s e r e r e c :
always ({EMPTY} |=> {not BtoR REQ(0) and not BtoR REQ(1) } ! ) ;
P2 s e r e r e c :
always (not BtoR REQ(0) or not BtoR REQ(1) ) ;
P3 s e r e r e c 0 :
always ( {not BtoR REQ(0) ; BtoR REQ(0) ; {BtoR REQ(0) [ ∗ ] ; not BtoR REQ
(0) }} |=> {(not BtoR REQ(0) ) [ ∗ ] ; (prev (BtoR REQ(1) ) ) } ! ) ;
P3 s e r e r e c 1 :
always ( {not BtoR REQ(1) ; BtoR REQ(1) ; {BtoR REQ(1) [ ∗ ] ; not BtoR REQ
(1) }} |=> {(not BtoR REQ(1) ) [ ∗ ] ; (prev (BtoR REQ(0) ) ) } ! ) ;
P4 s e r e r e c 0 :
always ( {BtoR REQ(0) and (not RtoB ACK(0) ) } |=> {BtoR REQ(0) } ! ) ;
P4 s e r e r e c 1 :
always ( {BtoR REQ(1) and (not RtoB ACK(1) ) } |=> {BtoR REQ(1) } ! ) ;
P5 s e r e r e c 0 :
always ( {RtoB ACK(0) } |=> {not BtoR REQ(0) } ! ) ;
P5 s e r e r e c 1 :
always ( {RtoB ACK(1) } |=> {not BtoR REQ(1) } ! ) ;
P6 sere FIFO rec :
always ( ( f e l l (RtoB ACK(0) ) or ( f e l l (RtoB ACK(1) ) ) and not EMPTY) −> (
DEQ) ) ;
P7 sere FIFO rec :
always (not f e l l (RtoB ACK(0) ) and not f e l l (RtoB ACK(1) ) −> (not DEQ) ) ;
}
Figure 4.9: SERE properties of GenBuf communication with receivers in the case of two
receivers
Chapter5
Synthesizing FLs
Contents
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.2 Formalization of the annotation . . . . . . . . . . . . . . . . . . 56
5.2.1 Dependency relation: deﬁnition and notations . . . . . . . . . . 56
5.2.2 Dependency relation between operands of FL operators . . . . 59
5.3 Dependency relation synthesis . . . . . . . . . . . . . . . . . . . 63
5.3.1 Principles of the primitive reactant construction . . . . . . . . 63
5.3.2 Generic format of a FL operator . . . . . . . . . . . . . . . . . 65
5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
55
Chapter 5 : Synthesizing FLs
5.1 Introduction
In this chapter, we address how to synthesize an FL temporal operator, and provide a
library of primitive reactants for FL operators. First, the dependency relation concept is
introduced. Then, for each operator, the dependency relation between its operands are
considered, and formalized. Based on the dependency relations and the formal semantics
of the operators, a generic format is proposed for FL operators. Then, it is shown how each
of the FL temporal operators can be mapped into this generic format, and be synthesized.
5.2 Formalization of the annotation
The purpose of this section is to formally deﬁne the notion of dependency between
operands of a PSL operator, in order to have a synthezisable VHDL description of each op-
erator and to mark signals. To this aim, we deﬁne a dependency relation which character-
izes the conditions under which an argument of a temporal operator is free or constrained
to a value, based on the value of the other argument.
The materials of this section are originally provided by Katell Morin-Allory and are
published in [MAJB15]. Since they are the underlying formalism of the annotation, they
have been brought here. Later, in Chapter 7 it is shown how these dependency relations
can be used to annotate the signals in a property.
5.2.1 Dependency relation: deﬁnition and notations
For proving the dependency relations, we use the PSL semantic deﬁnitions in Appendix
B of the IEEE Standard [FG05]. The essential concepts and notations have been already
introduced in Chapter 2. Here, we review some of the required notations that were
introduced in Chapter 2, Section 2.2.2.2.
• P: a non-empty set of atomic propositions, in practice the set of signal names in a
property
• Σ = 2P: the set of all possible valuations of P
• letter: a letter, � ∈ Σ, is a valuation of all the propositions in P.
• word: a word, w, is a sequence of letters (w = �0�1�2...), and it stands for the
succession over time of the signal values, i.e. an execution trace. If i and j are
integers, wi = �i is the (i + 1)
th letter of w; wi..j = �i�i+1 . . . �j is the ﬁnite word
starting at �i and ending at �j; and w
i... = �i�i+1 . . . is the suﬃx of w starting at w
i.
• The semantics of a Boolean expression exp over P is the set of all the letters of Σ
on which exp takes value true.
• � � exp (exp is true in �): means that exp takes value true if all its variables take
their value as in �.
• w |= property (“property” is true on word w): is the extended semantics by
structural induction over FL properties to words.
Example 1. Notations.
5.2 : Formalization of the annotation
Consider property P0_sender_0 from GenBuf sender.
P0 sender 0 :
always (not BtoS ACK(0) and (not StoB REQ(0) ) −> next ! ( not BtoS ACK(0) ) ) ;
The set of atomic propositions isP = {StoB REQ(0), BtoS ACK(0)}. Then, Σ = {<
0, 0 >,< 0, 1 >,< 1, 0 >,< 1, 1 >}, which is the set of all possible valuations of P. Each
element of Σ, ex.< 1, 1 >, denotes a letter, �. w = (< 1, 0 >,< 1, 1 >,< 0, 1 >,< 0, 0 >)
is an execution trace, which is the sequence of letters. Property P0_sender_0 holds on
trace w, since the � � exp implication holds on each letter of w (see Fig.5.1).
0 1 2 3 4
clock
StoB REQ(i)
BtoS ACK(i)
Figure 5.1: An execution trace for P0_sender_0
Deﬁnition 1. Let w be a trace, A and B two FL formulas. The dependency relation
between A and B is deﬁned as follows:
�A�B�w ⇐⇒ w |= B ⇒ w |= A
When ∀w, �A�B�w we can write: A�B.
The relation �A�B�w reads: on a trace w, the value of A depends on the value of B.
For a trace w, if B is satisﬁed on w, A must be satisﬁed on w.
Based on this deﬁnition, we express some properties that are useful in proving the
dependency relations in Section 5.2.2.
Property 1. �A�B�w ∧ �A�C�w ⇔ �A�(B orC)�w
Proof.
⇔ (w |= B ⇒ w |= A) ∧ (w |= C ⇒ w |= A)
⇔ (w |= ¬B ∨ w |= A) ∧ (w |= ¬C|w |= A)
⇔ w |= A ∨ (w |= ¬B ∧ w |= ¬C)
⇔ w |= A ∨ (w |= (¬B or¬C))
⇔ w |= A ∨ (w |= ¬(B orC))
⇔ w |= (B ∨ C)⇒ w |= A
⇔ �A�(B orC)�w
�
Property 2. �A�B�w ∨ �A�C�w ⇔ �A�(B andC)�w
57
Chapter 5 : Synthesizing FLs
Proof.
⇔ (w |= B ⇒ w |= A) ∨ (w |= C ⇒ w |= A)
⇔ (w |= ¬B ∨ w |= A) ∨ (w |= ¬C|w |= A)
⇔ w |= A ∨ (w |= ¬B ∨ w |= ¬C)
⇔ w |= A ∨ (w |= (¬B or¬C))
⇔ w |= A ∨ (w |= ¬(B andC))
⇔ w |= (B andC)⇒ w |= A
⇔ �A�(B andC)�w
�
Property 3. �(A andB)�C�w ⇔ �A�C�w ∧ �B�C�w
Proof.
⇔ w |= C ⇒ (w |= A andB)
⇔ w |= C ⇒ (w |= A ∧ w |= B)
⇔ w |= ¬C ∨ (w |= A ∧ w |= B)
⇔ (w |= ¬C ∨ w |= A) ∧ (w |= ¬C ∨ w |= B)
⇔ (w |= C ⇒ w |= A) ∧ (w |= C ⇒ w |= B)
⇔ �A�C�w ∧ �B�C�w
�
Property 4. �(A orB)�C�w ⇔ �A�(C ∧ ¬B)�w
Proof.
⇔ w |= C ⇒ (w |= A orB)
⇔ w |= C ⇒ (w |= A ∨ w |= B)
⇔ w |= ¬C ∨ (w |= A ∨ w |= B)
⇔ w |= (¬C orB) ∨ w |= A
⇔ w |= ¬(C ∧ ¬B) ∨ w |= A
⇔ (w |= (C ∧ ¬B)⇒ w |= A
⇔ �A�(C ∧ ¬B)�w
�
Property 5. �A�B�w ⇔ �¬B�¬A�w
Proof.
⇔ w |= B ⇒ w |= A
⇔ w |= ¬B ∨ w |= A
⇔ w |= ¬A⇒ w |= ¬B
⇔ �¬B�¬A�w
5.2 : Formalization of the annotation
�
Deﬁnition 2. Let ϕ be a FL formula. A and B are two operands of ϕ. Let w be a trace.
A depends on B in ϕ if: ∀w, �ϕ� true�w ⇔ �A�B�w.
Property 6. For any trace w, ���w is a partial order
Proof.
Reﬂexivity: A�A
∀w, |w| > 0, (w |= A⇒ w |= A)
This is evidently true.
No Symmetry: �A�B�w �⇒ �B�A�w
∀w,(w |= B ⇒ w |= A)
⇒(w |= A⇒ w |= B)?
We replace w |= A with a and w |= B with b. Then, we should prove: (b ⇒ a) ⇒
(a⇒ b)
This statement is not a tautology. Therefore, ���w is not symmetric.
Antisymmetry: �A�B�w ∧ �B�A�w ⇒ A⇔ B
∀w,(w |= B ⇒ w |= A) ∧ (w |= A⇒ w |= B)
⇒ (A⇔ B)?
By changing the variables as a = w |= A and b = w |= B, we should prove: (b ⇒
a) ∧ (a⇒ b)⇔ (a⇔ b)
This statement is a tautology.
Transitivity: �A�B�w ∧ �B�C�w ⇒ �A�C�w
∀w,(w |= B ⇒ w |= A) ∧ (w |= C ⇒ w |= B)
⇒ (w |= C ⇒ w |= A)?
With the same variable changes as above, we need to prove:
(b⇒ a) ∧ (c⇒ b)⇒ (c⇒ a)
This formula is a tautology; ���w is transitive. The relation ���w is thus a partial order
for any trace w. �
5.2.2 Dependency relation between operands of FL operators
For an FL formula the dependency between its operands is stated using the general ���w
relation.
In the following, the dependency relation for each FL operator is presented.
59
Chapter 5 : Synthesizing FLs
5.2.2.1 Always
Dependency Rule 1. Always
Let ϕ = alwaysA, then
�ϕ� true�w iﬀ ∀i < |w|, �A� true�wi...
Proof. We replace always by its semantic deﬁnition (see Appendix B of [FG05]).
∀w,�ϕ� true�w
⇔ w |= true ⇒ w |= alwaysA
⇔ w |= true ⇒ ∀i ∈ N, |w| > i, wi... |= A
⇔ ∀i < |w|, �A� true�wi...
�
5.2.2.2 Eventually!
Dependency Rule 2. Eventually!
Let ϕ = eventually!A, then
�ϕ� true�w iﬀ ∃i < |w|, �A� true�wi...
Proof. In the second line, we replace eventually! by its semantic deﬁnition.
∀w,�ϕ� true�w
⇔ w |= true ⇒ w |= eventually!A
⇔ w |= true ⇒ ∃k < |w|, wk... |= A ∧ ∀i < k, wi... |= true
⇔ w |= true ⇒ ∃k < |w|, wk... |= A
⇔ ∃i < |w|, �A� true�wi...
�
5.2.2.3 Next family
Dependency Rule 3. Next![k]
Let ϕ = next![k]A, then
�ϕ� true�w iﬀ �A� true�wk...
Proof. In the second line, next! is replaced by its semantic deﬁnition.
∀w,�ϕ� true�w
⇔ w |= true ⇒ w |= next![k]A
⇔ w |= true ⇒ |w| > k ∧ wk... |= A
⇔ �A� true�wk...
�
5.2 : Formalization of the annotation
Dependency Rule 4. Next a!
Let ϕ = next a![i to j]A, then
�ϕ� true�w iﬀ ∀k ∈ [i..j], �A� true�wk...
Proof. next a![i to j]A can be rewritten as:
(next![i]A) ∧ (next![i+ 1]A) ∧ .... ∧ (next![j]A)
Using the Dependency Rule 3, and substituting each next! operator, the dependency
relations is proved easily. �
Dependency Rule 5. Next e!
Let ϕ = next e![i to j]A, then
�ϕ� true�w iﬀ ∃k ∈ [i..j], �A� true�wk...
Proof. next e![i to j]A can be rewritten as:
(next![i]A) ∨ (next![i+ 1]A) ∨ .... ∨ (next![j]A)
The proof is done simply by mathematical rewriting of the above formula. �
5.2.2.4 Until family
Dependency Rule 6. Until!
Let ϕ = A until! B, then
�ϕ� true�w iﬀ ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
Proof.
∀w�ϕ� true�w
⇔ w |= true ⇒ w |= A until! B
⇔ w |= true ⇒ ∃k < |w|, wk... |= B ∧ ∀i < k, wi... |= A
⇔ w |= true ⇒ ∃k < |w|, wk... |= B ∧ ∀i < k, wi... |= A or(B and¬B)
⇔ w |= true ⇒ ∃k < |w|, wk... |= B ∧ ∀i < k, (wi... |= A ∨ wi... |= B)
∧ (wi... |= A ∨ wi... |= ¬B)
⇔ w |= true ⇒ ∃k < |w|, wk... |= B ∧ ∀i < k, wi... |= ¬B ⇒ wi... |= A
∧ (wi... |= A ∨ wi... |= ¬B)
⇔ w |= true ⇒ ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
∧ (wi... |= A ∨ wi... |= ¬B)
In the last equivalence, if we assume that k is the least integer such that w |= B,
(wi... |= A∨wi... |= ¬B) can be simpliﬁed to true. Then, the last equivalence is simpliﬁed
to:
⇔ w |= true ⇒ ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
⇔ ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
61
Chapter 5 : Synthesizing FLs
�
In this dependency relation, if A and B are both Boolean, the dependency relation
�A�¬B�wi... can be reversed (see Property 5).
Dependency Rule 7. Until
Let ϕ = A until B, then
∀w,
� ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
or
∀i < |w|, �A� true�wi...
Proof. The ﬁrst dependency is like the dependency rule of the until! operator. Since
until is a weak operator, B may never occur, and ∀i < |w|, �A� true�wi... .
�
5.2.2.5 Before family
Dependency Rule 8. Before!
Let ϕ = A before! B, then
�ϕ� true�w iﬀ ∃k < |w|, �¬B andA� true�wk... ∧ ∀i < k, �¬B� true�wi...
Proof. before! can be rewritten using the until! operator.
∀w�ϕ� true�w
⇔ w |= true ⇒ w |= (¬ B) until! (A and¬B)
Using the Dependency Rule 6 for until! we have:
∀w�ϕ� true�w
⇔ w |= true ⇒ ∃k < |w|, �A and¬B� true�wk... ∧ ∀i < k, �¬B�¬A orB�wi...
The above statement can be rewritten using Property 1, as follows:
⇔ w |= true ⇒ ∃k < |w|, �A and¬B� true�wk... ∧ ∀i < k, �¬B or(¬B andA)� true�wi...
⇔ w |= true ⇒ ∃k < |w|, �A and¬B� true�wk... ∧ ∀i < k, �¬B� true�wi...
⇔ ∃k < |w|, �¬B andA� true�wk... ∧ ∀i < k, �¬B� true�wi...
�
5.2.2.6 Next event family
Dependency Rule 9. Next event!
Let ϕ = next event!(B)A, then �ϕ� true�w iﬀ
∃k < |w|, �B � true�wk... ∧ ∀i ≤ k, �A�B�wi...
Proof. We rewrite next event! using the until! operator, as follows:
∀w�ϕ� true�w
⇔ w |= true ⇒ w |= (¬ B) until! (A andB)
5.3 : Dependency relation synthesis
Using the Dependency Rule 6 for until! we have:
∀w�ϕ� true�w
⇔ w |= true ⇒ ∃k < |w|, �A and B� true�wk... ∧ ∀i < k, �¬B�¬A or¬B�wi...
The above statement can be rewritten using Property 3, and Property 1, as follows:
⇔ w |= true ⇒ ∃k < |w|, �A� true�wk... ∧ �B� true�wk... ∧ ∀i < k, �¬B�¬B�wi...
∧ �¬B�¬A�wi...
⇔ w |= true ⇒ ∃k < |w|, �A� true�wk... ∧ �B� true�wk... ∧ ∀i < k, �¬B�¬A�wi...
Using Property 5, we have:
⇔ w |= true ⇒ ∃k < |w|, �B� true�wk... ∧ ∀i ≤ k, �A�B�wi...
�
All the other FL operators are deﬁned as expressions involving the operators above.
Their dependency rules are derived from the rewrite rules provided by the PSL standard[FG05].
5.3 Dependency relation synthesis
Each operator is a primitive reactant. In order to synthesize PSLsimple properties into
circuits, a library of FL primitive reactants is provided. To this goal, we give a hardware
interpretation of the dependency relation �ϕ� true�w, where ϕ stands for a call to any of
the FL operators, and Ω stands for the FL temporal operator (dependency Rules 1 to 9
above). For example if ϕ = A until!B , Ω is the operator until!.
Here, we address how to implement the FL primitive reactants. The complex reactants
are constructed recursively from these primitives (see Chapter 8).
5.3.1 Principles of the primitive reactant construction
The primitive reactants have a general interface: they take clock and reset as the syn-
chronization signals. Each primitive reactant has a start signal for its activation (see
Fig.5.2).
observed
Figure 5.2: Generic interface of a primitive reactant
The operands of an FL operator, Ω, are observed or constrained by the primitive
reactant of Ω during its activity. Thus, the output of a reactant is not the value of a
63
Chapter 5 : Synthesizing FLs
signal, but the trigger that will start the primitive hardware component in charge of the
signal value generation or observation (see Fig. 5.2).
In particular, for a Boolean signal S, triggering S = 0 and S = 1 is done by two
distinct signals TrigS and Trig¬S. In the following, without loss of generality, we shall
only consider the positive case S = 1. TrigS is set to 1 by the reactant at all cycles when
the dependency �S� true�w holds.
Let P be the set of the signal names in ϕ; i.e. the operands of Ω. The operands may be
observed or constrained. Therefore, we split P in two sets Pin and Pout (P = Pin∪Pout),
that contain observed and constrained operands respectively.
Circuit C is the circuit that implements a primitive reactant.
The setPC of atomic propositions for the circuit C is given byPC = Pin∪{reset, start}∪
{TrigS,Trig¬S | S ∈ Pout}. We denote ΣC the alphabet built on PC.
Let wC be a trace built on ΣC and wϕ (or w) a trace built on Σ.
Deﬁnition 3. wC is equivalent to w on Pin, denoted wC ≡|Pin w iﬀ ∃j such that
• wjC � start and ∃k < j such that wk−1C � reset and ∀l, k < l ≤ j, wlC � ¬reset and
wlC � ¬start
• ∀i, wj+iC |Pin = wi|Pin
Circuit C is activated after being reset, when the start signal becomes 1. It means that
there is a time point in the trace (wjC) where start becomes 1. Before this point, C has
been reset and it is not active. After this point, wC and w1 should have identical values
for the atomic propositions in Pin; i.e. circuit trace wC is equivalent to w on Pin. For the
sake of simplicity, we assume that j = 0.
Deﬁnition 4. wC is equivalent to w, denoted wC ≡ w, iﬀ
• wC ≡|Pin w
• ∀S ∈ Pout, ∀i, wiC � TrigS =⇒ wi � S
• ∀S ∈ Pout, ∀i, wiC � Trig¬S =⇒ wi � ¬S
A trace wC is equivalent to w, if they are equivalent on inputs. Additionally, for each
output signal if its trigger takes value true in wiC, the signal takes value true in w
i.
Deﬁnition 5. A circuit C implements the dependency �ϕ�True�w iﬀ wC ≡ w
and ∀i, wiC � start → �ϕ� true�wi...
Deﬁnition 6. A circuit C is a primitive reactant circuit that implements the temporal
formula ϕ, iﬀ C implements the dependency �ϕ� true�w for all traces w, and we write:
C�ϕ.
In this chapter, we address how to synthesize C for FL primitive reactants.
5.3.1.1 Boolean reactant
The simplest primitive reactant implements Boolean expressions. A Boolean expression
can be written as one of the following: a constant in {0,1}, a signal or the negation of a
5.3 : Dependency relation synthesis
Figure 5.3: Boolean reactant
signal, the conjunction or disjunction of two Boolean expressions. Fig. 5.3 shows the four
diﬀerent implementations for a Boolean reactant.
In the case of a disjunction, when the reactant is started, if all the signals of one
operand are in Pin (exp2 in Fig. 5.3), the operand is observed: in that case, there is no
constraint on the other operand if exp2 is known to be 1. Due to the commutativity of OR,
the roles of exp1 and exp2 can be exchanged. It may happen that deciding which operand
is observed cannot be decided locally to a property: this is discussed in Chapter 9.
5.3.2 Generic format of a FL operator
We proposed a generic format for all FL operators [MAJB15]. This format is based on
the operator semantics deﬁnition. It is shown that all primitive reactants for the temporal
operators can be built from a few number of elements that are the circuit counterpart of
the constituting elements of the operator semantic deﬁnition.
Considering the dependency rule of the temporal operator shows that each dependency
is a special case of one of two following generalized expressions
1 the“forall” family includes: always, until, next!, next a, next event, next event a.
2 the “exists” family includes: eventually!, before, next e, next event e.
The “forall” and “exists” generalized expressions have the following format:
∀i ∈ [kmin , kmax ], �exp� cond�wki (5.1)
∃i ∈ [kmin , kmax ], �exp� cond�wki (5.2)
In the above formulas, exp and cond are two Booleans, and min and max are two
naturals such that max ≥ min. kmin and kmax are computed using a counting function,
Ith. The Ith function returns the number of times that its operand, a formula F computed
on trace w, has been true on w0..k. We are interested in the ﬁrst time point for each
number of occurrences of formula F = true. This consists in numbering the time points
of trace w that satisfy:
Ith(�F � true�wki ) = i ∧ �F � true�wki , ∀i ∈ N
65
Chapter 5 : Synthesizing FLs
The sequence {k0, k1, ..., ki...} is the set of these time points (see Fig. 5.4).
0 1 2 3 4 5 6 7 8 9
k1 k2 k3
clock
F
Ith(. . . ) 0 1 2 3
Figure 5.4: Illustration of function Ith(�F � true�wki )
The values of min,max , exp, cond and F depend on the temporal operator. Table 5.1
gives their value for each PSL FL operator. Column F speciﬁes what is counted by
function Ith. When F = true, Ith counts clock cycles. Otherwise, it counts each time
point k in the trace where a dependency relation holds. The two columns opt. and opt.
!, indicate if the operator can have overlap/non overlap and strong/weak options. As was
mentioned earlier, based on the dependency rules, operators Until and Before have two
versions, depending on whether their left operand A is observed or generated.
Temporal Operator F min max cond exp opt. opt. !
alwaysA true 0 | w | true A no no
A untilB (1) B 0 1 ¬B A yes yes
A beforeB (1) ¬B 0 1 ¬A ¬B yes yes
next![i]A true i i true A no yes
next a[i to j]A true i j true A no yes
next event[i](B)A B i i B A no yes
next event a[i to j](B)A B i j B A no yes
eventually!A A 0 1 true A no no
A untilB (2) B 0 1 ¬A B no yes
A before B (2) ¬B 0 1 B A no yes
next e[i to j]A true i j true A no yes
next event e[i to j](B)A B i j true A no yes
Table 5.1: Values of parameters for forall (top) and exists (bottom) expressions
In the following, the implementation of the I th function is explained. Then, the im-
plementation of the “forall” and “exists” expressions will be discussed.
Implementation of function Ith. The counting function is implemented as a generic
shift register, instantiated with a parameterized number of cells (Fig. 5.5). The shift
register reads data one bit at a time on input s in. The content of the register can be
read serially on output s out , and in parallel on output p out . The shift input control
signal shifts the register. The other input control signal, clear , clears the register. By
default, shift is 1 (it shifts at all cycles) and clear is 0 (the input value is propagated).
Since PSL operators are re-entering, the shift register may count events simultaneously
starting from several distinct start times.
5.3.2.1 Implementation of an operator of the “forall” group
Fig. 5.6 illustrates the implementation of the “forall” expression. It is based on the in-
terconnection of 4 components: Min, Max, ForAll, and Dep. In the following, in case of
ambiguity, we preﬁx a signal name with the component name when we do not mean the
global module interface signal.
5.3 : Dependency relation synthesis
Figure 5.5: Interface of the shift register
ForAll Dep
Figure 5.6: Implementation of the “forall” expression
67
Chapter 5 : Synthesizing FLs
• Component Dep (for the dependency �) is a mere AND gate that implements the
expression �exp� cond�wk . It triggers the evaluation of exp depending on the value
of cond .
• Component ForAll implements the ∀i ∈ �kmin, kmax� expression. It is used to trigger
the evaluation of the dependency relation at all times between the two bounds kmin
and kmax that are connected to its inputs lb and ub. The signal ForAll.trig is asserted
at all times between lb and ub. Depending on whether the operator is overlapping
or not, two versions are used (see Fig. 5.7).
(a) non overlapping (b) overlapping
Figure 5.7: Implementation of ∀i ∈ [lb, ub]
• Component Min(Max) takes start and cond as its inputs. The start signal initiates
counting of the occurrences of F on its input Min.cond (Max.cond). The Min and
Max components embed a shift register of size min for Min, of size max −min for
Max. If min is 0, the shift register is just a wire. If max is unbounded, component
max is the ground. (see columns min and max of Table 5.1 for ﬁnding the value
of min and max for each operator). The reach output signal takes value 1 when
the min (max ) value is found. The Min.pending (Max.pending) output signal is
the output of the embedded shift register in Min(Max), and is 1 as long as the min
(max ) value is not found. The global output pending is the OR of Min.pending and
Max.pending, and is 1 between the min-th and the max-th occurrences of F after
start = 1.
All the FL operators of this group observe F , which can be an operand of an operator
(e.g. B in next event(B)A), and constrain exp (ex. A in next event(B)A).
Example 2. Implementation of operator next![i].
ϕ = next![i]A is a special case of the “forall” expression (see Dependency Rule 3):
∀i ∈ [kmin , kmax ], �exp� cond�wki
In the above expression, [min = max = i], and formula F = B = true (see Table 5.1).
Therefore, the shift register of Min has i cells, and component Max is a wire, and Min
counts clock cycles. Fig. 5.8 shows the implementation of ϕ.
5.3 : Dependency relation synthesis
ForAll
Dep
Figure 5.8: Implementation of next![i]
Example 3. Implementation of next event a![i to j](B)A.
ϕ = next event a![i to j](B)A corresponds to the general “forall” expression, where
[min = i,max = j], and F = B. Therefore, two full Min and Max components are used
(see Fig. 5.9).
ForAll
Dep
Figure 5.9: Implementation of next event a![i to j](B)A
Example 4. Implementation of A until!B.
ϕ = A until!B corresponds to the general “forall” expression, where [min = 0,max =
1], and F = B. Thus, the Max component is 1-bit register. Once B is observed, the Dep
component is activated, and implements the �A�¬B� dependency relation (see Fig. 5.10).
So, the operator constrains A.
5.3.2.2 Implementation of an operator of the “exists” group
The implementation of the “exists” expression is shown in Fig. 5.11. Component Min and
Max observe the formula F , and count the numbers of its occurrence in the [kmin, kmax]
interval.
69
Chapter 5 : Synthesizing FLs
ForAll
Dep
Figure 5.10: Implementation of A until!B
Figure 5.11: Implementation of the “exists” expression
5.3 : Dependency relation synthesis
The Exists component inputs exp, lb, and ub (see Fig. 5.12). If exp = 1 has not been
met in the [kmin, kmax] interval, Exists triggers the evaluation of the dependency relation
at time kmax (Exists.trig = 1). Otherwise, if exp is 0 in this interval, the Exists component
has no external eﬀect, and Exists.f ind = 0. Output Exists.f ind is connected to the clear
input of component Max to stop the counting when exp = 1 has been met.
Simultaneous executions of an “exists” expression that has been started several times
may be cleared by a single occurrence of exp = 1.
Figure 5.12: Implementation of ∃i ∈ [lb, ub]
Example 5. Implementation of operator next e[i to j].
ϕ = next e[i to j]A is a simple case of the “exists” expression. Since F = B = true,
the clock cycles should be counted between min = i and max = j, while exp = A = 0.
Whenever A becomes 1, Exists.trig is set to 1. Since the cond input of the Dep component
is is 1, the rightmost AND gate is eliminated, and trig = Exists.Trig (see Fig. 5.13)
Figure 5.13: Implementation of next e[i to j]A
Remark.
It should be mentioned that this implementation of the temporal operators is not optimal.
However, it facilitates the proof of correctness of their compliance with the formal trace
semantics that is provided in the PSL standard document [FG05]. In the library of our
71
Chapter 5 : Synthesizing FLs
prototype system, all the operators have been simpliﬁed, and their optimized version
proven equivalent to the one presented here.
5.4 Summary
In this chapter, we addressed how to provide a correct-by-construction library of primitive
reactants for FL temporal operators of PSLsimple. First, the concept of the dependency
relation ���w is introduced. For each FL temporal operator of PSLsimple, the relation
between its operands are deﬁned formally based on the formal trace semantics of the oper-
ator. Based on these semantics, a generic format is proposed for the operators. All the FL
temporal operators of PSLsimple are special cases of a general dependency expression, ei-
ther universally (“forall”expression) or existentially (“exists”expression) quantiﬁed. Then,
some elements are introduced for constructing the quantiﬁers, and “forall” and “exists” ex-
pressions. Based on these constructions, a hardware interpretation for the mathematical
formulas of the temporal FL operators’ dependency relations is given. The presented de-
pendency relations are the underlying formalism of the annotation (see Chapter 7). Later
in Chapter 8, we show how these primitive reactants are used to construct the complex
reactant of a property.
Chapter6
Synthesizing SEREs
Contents
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.2 Challenges and motivations . . . . . . . . . . . . . . . . . . . . 74
6.3 Formalization of the annotation . . . . . . . . . . . . . . . . . . 79
6.3.1 Dependency relation: deﬁnition and notations . . . . . . . . . . 80
6.3.2 Dependency relation between operands of SERE operators . . 80
6.4 Dependency relation synthesis . . . . . . . . . . . . . . . . . . . 86
6.4.1 Principles of the primitive reactant construction . . . . . . . . 86
6.4.2 Implementation of primitive reactants of SERE operators . . . 89
6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
73
Chapter 6 : Synthesizing SEREs
6.1 Introduction
In this chapter we discuss the synthesis principles of SEREs1. SEREs are very similar to
the sequences in SVA2. SEREs are a convenient way to express the signals’ waveforms, by
writing simple properties of the form:
{observe} |=> {observe}
or
{observe} |=> {generate}
These properties can represent the environment behavior or a communication protocol.
First, using some examples we demonstrate some of the diﬃculties and challenges that
we should deal with in considering SEREs.
Then, we address how to provide a library of primitive reactants for SERE operators.
We start by formalizing the relationships between the operands of a SERE operator based
on its trace semantics. Then, we categorize SERE operators, and show with some examples
how a SERE operator of each category can be implemented.
Later in Chapter 8 we show how these primitive reactants are used to construct the
complex reactant of a SERE property.
Finally, we introduce a synthesizeable subset of SEREs.
6.2 Challenges and motivations
We can rewrite some SEREs as FLs3 (see the rewriting rules in [MABBZ08]). In this case,
we do not need to synthesize SEREs, and the provided library of FLs is suﬃcient. However,
SEREs cannot be always translated to FLs. Properties that involve some special form of
counting cannot be expressed in PSL without using SEREs. If we want to rewrite such
properties in FLs, we may need to deﬁne auxiliary variables and properties. Moreover,
some behaviors or English speciﬁcation can be expressed using SEREs more easily, and
in a more compact way.
Example 1. FL or SERE?
Assume that we want to write a property that states: “signal a is asserted on every
even cycle”4. The assertion may be written as assertion_FL:
as s e r t i on FL :
assert ( a and always ( a −> next [ 2 ] ( a ) ) ) ;
This assertion expresses that a should be asserted in cycle �0, and then, whenever a is
1, it should be asserted 2 cycles later. Now, consider the trace shown in Fig. 6.1. a is 1
in cycle �5. Based on assertion_FL, a should be 1 in cycle �7. Since it is 0 in cycle �7,
assertion_FL fails. However, in the English property, we did not say anything about a
in odd cycles. Therefore, assertion_FL is checking a condition that is not intended to
be checked. Brieﬂy, the trace shown in Fig. 6.1 is correct based on the English property,
however, it is not correct based on assertion_FL.
1Sequential Extended Regular Expression
2System Verilog Assertion
3Foundation Language
4The example is taken from [EF06]
6.2 : Challenges and motivations
0 1 2 3 4 5 6 7 8 9 10 11
clock
a
Figure 6.1: An example timeline for “a is asserted on every even cycle”
We can ﬁx this problem by deﬁning an auxiliary variable and writing a code in the
modeling layer (see Fig. 6.2). Signal even becomes 1 in every even cycle, and signal a
should be asserted whenever even is 1.
vunit check even {
signal even : s t d l o g i c := ’1 ’ ;
process ( c lk ’ event and c l k = ’1 ’ )
begin
even <= not even ;
end process ;
assert always ( even −> a ) ;
}
Figure 6.2: Using modeling layer to check “a is asserted on every even cycle”
However, this property can be easily written using SEREs:
assertion SERE :
assert { [ ∗ 1 ] ; { [ ∗ 2 ] } [ ∗ ] } |−> {a } ;
Additionally, rewriting a SERE property as FL may cause that it does not ﬁt in
PSLsimple anymore.
Example 2. Rewriting SEREs as FLs.
Consider HDLC_200 from Fig. 6.35. It states the behavior of the controller in the case
of having an abort command. In this situation, 7 consecutive 1’s should be put on the
output, followed with one or more ﬂags, which is “01111110”. It can be easily written
as a SERE. Conversely, property HDLC_200 reﬂects this behavior easily: once an abort
command is received, i.e. TxSendAbort changes from 0 to 1, while the transmitter is enabled
the output TxDout becomes 1 for at least 7 consecutive cycles, and ﬁnally it is followed
by one or more ﬂags.
As another example consider HDLC_300. It can be easily converted to an FL property;
however, it is not in PSLsimple(see Fig. 6.4), since the left-hand side of the implication
operator is not Boolean.
Since all the SEREs cannot be expressed using FLs, in the rest of this chapter we
propose a method for synthesizing SEREs. Before going to the synthesis method, here we
bring some examples that reveal the diﬃculties and challenges that we should consider.
These diﬃculties impose some limitations to the subset of SEREs that we are able to
synthesize.
5The properties describe High-level Data Link Controller (HDLC), and are taken from [PPSQ13]
75
Chapter 6 : Synthesizing SEREs
HDLC 200 :
always ({not TxSendAbort and TxEnable ; TxSendAbort and TxEnable}
|−> {TxDout [ ∗ 7 ] ; TxDout [ ∗ ] ; {not TxDout ; TxDout [ ∗ 6 ] ; not TxDout
} [+ ]} ) ;
HDLC 300 :
always ({not BuffEmpty and TxEnable ; (BufEmpty and not TxDataWr and
TxEnable ) ; (not TxDataWr and TxEnable ) [ ∗ 7 ] }
|−> next (TxUnderRun) ) ;
Figure 6.3: Sample SERE properties of High-level Data Link Controller
HDLC 300 FL :
always (not BuffEmpty and TxEnable and next ( ( BuffEmpty and not not
TxDataWr and TxEnable ) and next a [ 2 to 8 ] ( not TxDataWr and TxEnable ) )
−> next [ 9 ] ( TxUnderRun) ) ;
Figure 6.4: FL version of HDLC_300
It should be mentioned that when we constrain a signal, we assign a speciﬁc value to
that signal. Generating a signal means constraining the signal value. When a signal is
not constrained, its value is don’t care. However, in the following examples we consider
value 0 for unconstrained signals.
Example 3.
Consider property P1, where a, b, and c are Boolean:
P1 : always {a} |=> {b [ ∗ ] ; c}
Assume that a is observed and we generate b and c. Then, the question is: “when should
we stop constraining b to 1, and start constraining c to 1”? If we want to generate c, the
property is not deterministic since c can be constrained to 1 in any cycle after a = 1. If
we observe b and generate c, when should c be constrained to 1? It may depend on other
properties.
If we observe c and generate b, b is no longer constrained as soon as c becomes 1.
Example 4.
In this example, we assume value 0 for unnamed signals. Consider property P2, where
a, b, and c are Boolean:
P2 : always {a} |=> {b [+ ] ; c ; not c}
Assume that a is observed, and b and c are generated. Some questions may arise: “when
should we stop constraining b to 1?”, “If a is 1 in two consecutive cycles, how should we
constrain b and c to avoid an inconsistency?”
Figure 6.5 shows two possible traces. Sequence 1 starts at cycle �0. b is constrained
to 1 for three cycles. In cycle �4, c is constrained to 1, and it is constrained to 0 in cycle
�5, and sequence 1 completes in this cycle.
Assume a is 1 in two consecutive cycles �6 and �7. Sequence 2 starts when a is asserted
in cycle �6. Then, b is constrained to 1 in cycles �7 and �8, c is constrained to 1 at cycle
�9 and it is constrained to 0 at cycle �10. Sequence 2 completes in cycle �10. Sequence 3
6.2 : Challenges and motivations
1
1 completes
2
2 completes
3
3 completes
4
4 completes
5
contradiction
0 1 2 3 4 5 6 7 8 9 10
clock
a
b
c
a
b
c
Figure 6.5: Timing diagram of P2, where b and c are generated (Example 4)
starts when a is asserted in cycle �7. Then, b is constrained to 1 in cycle �8, c is constrained
to 1 at cycle �9 and it is constrained to 0 at cycle �10. Sequence 3 completes in cycle �10.
Now, consider the bottom trace of Fig. 6.5. Sequence 4 starts in cycle �6. Then, b is
constrained to 1 in cycle �7, c is constrained to 1 at cycle �8 and it is constrained to 0 at
cycle �9; hence, sequence 4 completes in this cycle. Sequence 5 starts in cycle �7. Then,
b is constrained to 1 in cycle �8. If we stop constraining b to 1 at this cycle and want to
constrain c to 1 at cycle �9, there is a contradiction with the value that is being generated
at the same cycle for c by sequence 4. This example shows that when we should stop
generating b, for each run of the property is an issue.
Assume that b is generated. We observe c, and constrain b to 1 while c is 0. Whenever c
is asserted, in the following cycle, we constrain c to 0. In brief, we generate b, we observe c,
and we generate not c. It implies that other properties should constrain c. Our prototype
tool, SyntHorus2, can identify if the signal is constrained by any property. However,
constraining c by other properties may cause inconsistency. As it will be explained in
Chapter 9, SyntHorus2 generates some complementary properties to identify if there are
any inconsistencies. Figure 6.6 shows a possible trace. Sequence 1 starts in cycle �0, and
completes in cycle �3. Sequence 2 starts in cycle �1. This sequence cannot be completed,
since c is 1 in cycle �2, and hence, b cannot be constrained to 1.
Sequence 3 starts in cycle �5. c is 0 in cycles �6, �7, and �8. Therefore, b is constrained
to 1 in these cycles. In cycle �9, c is asserted. Consequently, we should stop constraining b
to 1 at cycle �9, and we should constrain c to 0 in cycle �10. However, c is constrained to
1 by other properties, and there is an inconsistency. If we keep constraining b to 1 in cycle
�9, there would be no contradiction, and the property holds. So, we may conclude that we
should monitor {c; not c} instead of observing c and generating not c. In the following,
we explain why it is not a good solution.
Now, assume that we generate b, and observe {c; not c}. We should stop constraining
b to 1 as soon as {c; not c} occurs. However, it is not possible. The limitation is shown
in Fig. 6.7. In this ﬁgure, signal ended indicates the completeness of {c; not c}. Signal b
is constrained to 1 as far as ended is 0. The sequence starts in cycle �0. In cycles �1, �2,
�3, and �4 the ended signal is 0; i.e. {c; not c} has not been observed, so b is constrained
to 1. In cycle �5, {c; not c} completes, and we stop constraining b to 1. However, it is
not correct and P2 does not hold. Because the last occurrence of b should be followed
by {c; not c}, which is not the signals’ behavior here (remember our assumption that the
77
Chapter 6 : Synthesizing SEREs
1
1 completes
2
2 completes but not hold
3
contradiction
0 1 2 3 4 5 6 7 8 9 10
clock
a
c
b
Figure 6.6: Timing diagram of P2, where b is generated, c is observed, and not c is
generated (Example 4)
1
contradiction
0 1 2 3 4 5 6
clock
a
c
ended
b
Figure 6.7: Timing diagram of P2, where b is generated, and {c, not c} is observed
(Example 4)
default value of the signals are 0 when they are not constrained). The problem is that
we cannot have the length of the sequence that should be observed, and we cannot move
backward and correct the value of the generated signal.
To solve this problem, we have to put a limitation: each unbounded repetition should
be followed by a Boolean signal that is observed and is the stopping condition for the
constraint.
Example 5.
Consider property P3, where a, b, and c are Boolean:
P3 : always {a ; b } [ ∗ 3 ] |=> {c } ;
In this property, we observe the left-hand side of the implication, and constrain c.
Assume that there is a signal start that starts the evaluation of P3, and a signal ended
that shows when {{a; b}[∗3]} completes in order to constrain c. To compute when ended
becomes 1, we should count the number of times that {a; b} occurs, therefore we need a
counter. If start is 1 in 2 consecutive cycles, we need 2 counters. Generally, re-entering
the property is a challenge. We need several instances of the input and output tokens.
We can solve this problem by rewriting {{a; b}[∗3]} as three concatenations of {a; b}.
Example 6.
Consider property P4, where a, b, and c are Boolean:
P4 : always {a} |=> {b} | {c } ;
First, assume that a is observed, and we want to generate the right-hand side of the
property. If both b and c are output signals, we cannot constrain them in this property.
6.3 : Formalization of the annotation
The solution of this problem is explained in Chapter 9. Now, suppose that b is an input.
Therefore, we observe b, and constrain c whenever b is 0, i.e. the value of c depends on
¬b.
Example 7.
Consider property P5, where a, b, and c are Boolean:
P5 : always {a} |=> {b ; not b} | {c } ;
First, assume that a, b and c are observed. We start observing {b;not b} and {c} at the
same time. P5 holds and completes when either {b;not b} or {c} completes.
Now assume that a is observed, and we want to generate the right-hand side of the
implication. If both b and c are output signals, we cannot constrain them in this property.
In addition, the left operand, {b;not b}, is a sequence. In this case we cannot synthesize
the property.
If c is the input, and b is the output, we observe c and if it is 0, we generate {b;not b}.
However, if b is input and c is the output, we are not able to constrain c, since we should
wait for the completeness of {b;not b}, and then constrain c based on that. However, this
is not possible, since two sequences {c} and {b;not b} should start at the same time.
Based on the last two examples, we put a limitation that we can only synthesize
the hardware of disjunction if: 1) both operands are observed, or 2) both operands are
generated and are Boolean, or 3) one operand is generated, and the other one is observed
and is Boolean.
Example 8.
Consider property P6, where a, b, c, and d are Boolean:
P6 : always {a ; b ; c} & {{b ; c } [∗2 ]} |=> {d } ;
In this property, we should observe a, b, and c. The sequences {a; b; c} and {{b; c}[∗2]}
should start at the same time. There may be also an re-entering condition, i.e. the start
signal remains 1 for more than a cycle (it is permanently 1 after always). In this case,
we need to use polychrome tokens [MAGB07], or an automata-based method [BZ08c] for
observing the sequence. This problem does not exist in the generation mode, since we
start generating {a; b; c} and {{b; c}[∗2]} at the same time when start = 1.
These diﬃculties show that some restrictions may apply in order to produce deter-
ministic hardware. It may also be necessary to perform some sanity checks using a model
checker to make sure that a set of properties is consistent to lead to meaningful hardware.
SyntHorus2 generates complementary properties for consistency checking.
6.3 Formalization of the annotation
The purpose of this section is to formally deﬁne the notion of dependency between the
operands of a SERE operator, in order to have a synthezisable VHDL description of each
operator. To this aim, two dependency relations are introduced for each SERE operator:
a dependency relation for expressing when a sequence holds, and a dependency relation
for expressing when the sequence completes.
79
Chapter 6 : Synthesizing SEREs
In FLs (see Chapter 5) we do not need to determine the end of a temporal operator
trace. Because, in PSLsimple a FL property can just be dependent on a Boolean, not on
another FL. However, in SEREs, a sequence can depend on another sequence.
Example 9.
Assume ϕ1 = {b1; b2}, where b1 and b2 are Boolean. We assume that b1 is 1 at cycle
�0, therefore, ϕ1 starts at this cycle. In the following cycle, if b2 is 1, ϕ1 completes.
Now, assume that ϕ2 = {ϕ1; b3}. ϕ2 starts when ϕ1 starts. To complete ϕ2, ϕ1 should
complete, and in the following cycle b3 should occur. Therefore, we need to identify when
ϕ1 completes.
In this section, ﬁrst some terminology and notations are introduced. Then, the depen-
dency relations for each operator are deﬁned.
6.3.1 Dependency relation: deﬁnition and notations
Here, we use the SERE semantic deﬁnitions in Appendix B of the IEEE Standard [FG05],
and also the same notations and deﬁnitions as Chapter 5. We only introduce one notation
here, necessary for SEREs.
• w |≡ property: is the extended semantics by structural induction over SERE prop-
erties to words, and means “property” holds tightly on word w (w models tightly
property).
For deﬁning the dependency relation, we use Deﬁnition 1 given in Chapter 5.
Brieﬂy, the dependency relation �A�B�w means that on a trace w, the value of A
depends on the value of B. Semantically, for a trace w, if B is satisﬁed on w, A must be
satisﬁed on w. Let ϕ be a sequence that is composed of sub-sequences A and B using a
SERE operator Ω, and w be a trace. Then, A depends on B in ϕ if
∀w, �ϕ� true�w ⇔ �A�B�w.
Deﬁnition 1. Let ϕ be a SERE, and Endedϕ be a Boolean that becomes 1 when ϕ
completes. w is a trace, and � is the jth letter of w (� = wj), so that � � Endedϕ. Then,
for each sequence ϕ we can say:
∀w, �ϕ� true�wi...j ⇔ �Endedϕ� true�wj
We refer to the dependency relation �Endedϕ� true�wj as EϕRelation.
Here, the rules that were discussed for FLs in Chapter 5, are applicable (see properties
1 to 5 of Chapter 5).
6.3.2 Dependency relation between operands of SERE operators
In this section, two dependency relations are given for each SERE operator. The ﬁrst de-
pendency relation is referred to as“ϕRelation”, and expresses the dependency between sub-
sequences of ϕ in order that ϕ holds. This dependency between operands is stated using
the general ���w relation. The second dependency relation is referred to as “EϕRelation”
and expresses the dependency between the sub-sequences of ϕ at the cycle that ϕ com-
pletes. This dependency is stated using ���wi (See Deﬁnition 1).
6.3 : Formalization of the annotation
In the following, ϕ represents a sequence, A and B are the left and right operands
(sub-sequences). A and B are assumed to be not empty (they do not satisfy the empty
sequence). Endedϕ, EndedA and EndedB are the Boolean variables that specify the end of
ϕ, A, and B sequences respectively.
6.3.2.1 Base cases
Let exp be a Boolean expression, and A be a SERE:
�exp� true�w ⇔�exp� true�w0 ∧ �Endedexp � true�w0
�{A}� true�w ⇔�A� true�w
These relations are the direct rewriting of the semantic deﬁnitions.
6.3.2.2 Concatenation
Dependency Rule 1. ϕRelation for concatenation
Let ϕ = A;B , then:
�ϕ� true�w iﬀ ∃i < |w|, �EndedA� true�wi ∧ �B � true�wi+1...
Proof. We replace concatenation by its semantic deﬁnition.
∀w,w |≡ true ⇒ w |≡A;B
⇔ ∃w1, w2, w = w1w2, w1 |≡A ∧ w2 |≡B
⇔ ∃i < |w|, w1 = w0 . . . wi, w2 = wi+1 . . . w|w|−1, w1 |≡A ∧ w2 |≡B
⇔ ∃i < |w|, w1 = w0 . . . wi, w2 = wi+1 . . . w|w|−1, �EndedA� true�wi ∧ �B � true�w2
The proof is immediate by replacing w1 and w2. �
Dependency Rule 2. EϕRelation for concatenation
Let ϕ = A;B , then:
∃j < |w|, �Endedϕ� true�wj iﬀ ∃k < j, �EndedA� true�wk ∧ �EndedB � true�wj
Proof. The proof is immediate, by considering the ϕRelation:
∃i < |w|, �EndedA� true�wi ∧ �B � true�wi+1...
We expect that the evaluation of B completes at some point in the trace, which means:
⇔ ∃i < j < |w|, �EndedB � true�wj
⇔ ∃j < |w|, �Endedϕ� true�wj
�
In a special case where B is a Boolean, then j = k + 1.
81
Chapter 6 : Synthesizing SEREs
6.3.2.3 Fusion
Dependency Rule 3. ϕRelation for fusion
Let ϕ = A : B , then:
�ϕ� true�w iﬀ ∃i < |w|, �EndedA� true�wi ∧ �B � true�wi...
Proof. In the second line of the rule, we replace fusion by its semantic deﬁnition.
∀w,w |≡ true ⇒ w |≡A : B
⇔ ∃w1, w2, l, w = w1lw2, w1l |≡A ∧ lw2 |≡B
⇔ ∃w1, w2, l, w = w1lw2, �EndedA� true�l ∧ �B � true�lw2
Let i = |w1|, we can write:
∃i < |w|, w1l = w0...i−1l = w0...i ∧ lw2 = lwi+1... = wi...
So, by replacing l and w2 in the proof, we have:
⇔ ∃i < |w|, �EndedA� true�wi ∧ �B � true�wi...
�
Dependency Rule 4. EϕRelation for fusion
Let ϕ = A : B , then
∃j < |w|, �Endedϕ� true�wj iﬀ ∃k ≤ j, �EndedA� true�wk ∧ �EndedB � true�wj
Proof. Considering the ϕRelation, we have:
∃i < |w|, �EndedA� true�wi ∧ �B � true�wi...
B starts to be evaluated in the last cycle of A, and its evaluation should complete, which
means:
⇔ ∃j ≥ k, �EndedB � true�wj
�
In the case where B is a Boolean, j = k.
6.3.2.4 Length-matching conjunction
Dependency Rule 5. ϕRelation for length-matching conjunction
Let ϕ = A && B , then
�ϕ� true�w iﬀ �A� true�w ∧ �B � true�w
Proof. The proof is straightforward, just by replacing length-matching conjunction
with its semantic deﬁnition.
∀w,w |≡ true ⇒ w |≡A && B
⇔ ∀w,w |≡A ∧ w |≡B
⇔ ∀w, �A� true�w ∧ �B � true�w
�
6.3 : Formalization of the annotation
Dependency Rule 6. EϕRelation for length-matching conjunction
Let ϕ = A && B , then
∃j < |w|, �Endedϕ� true�wj iﬀ �EndedA ∧ EndedB � true�wj
Proof. Considering the ϕRelation, we have:
⇔ ∀w, �A� true�w ∧ �B � true�w
Therefore, we expect at some points in the trace, the evaluation of A and B completes,
which means:
⇔ ∃j < |w|, �EndedA� true�wj ∧ ∃k < |w|, �EndedB � true�wk
In length-matching conjunction the sequences start at the same time and should complete
at the same time. Therefore, k = j. Using Property 3 from Chapter 5 we have:
⇔ ∃j < |w|, �EndedA ∧ EndedB � true�wj
�
6.3.2.5 Non length-matching conjunction
Dependency Rule 7. ϕRelation for non length-matching conjunction
Let ϕ = A & B , then
�ϕ� true�w iﬀ ∃i < |w|, (�A� true�w ∧ �B � true�w0...i) ∨ (�A� true�w0...i ∧ �B � true�w)
Proof. The proof is straightforward, just by replacing non length-matching conjunction
with its semantic deﬁnition.
∀w,w |≡ true ⇒ w |≡A & B
⇔ ∀w,w |≡ true ⇒ w |≡{A && {B ; true[∗]}} | {{A; true[∗]} && B}
⇔ ∀w, (�A� true�w ∧ �{B ; true[∗]}� true�w)
∨ (�B � true�w ∧ �{A; true[∗]}� true�w)
⇔ ∀w, (�A� true�w ∧ ∃i < |w|, �B � true�w0...i)
∨ (�B � true�w ∧ ∃i < |w|, �A� true�w0...i)
⇔ ∃i < |w|, (�A� true�w ∧ �B � true�w0...i) ∨ (�B � true�w∧, �A� true�w0...i)
�
Dependency Rule 8. EϕRelation for non length-matching conjunction
Let ϕ = A & B , then
∃j < |w|, �Endedϕ� true�wj iﬀ
(�EndedA� true�wj ∧ ∃k < j, �EndedB � true�wk)∨
(�EndedB � true�wj ∧ ∃k < j, �EndedA� true�wk)
Proof. Considering the ϕRelation, we have:
∃i < |w|, (�A� true�w ∧ �B � true�w0...i) ∨ (�A� true�w0...i ∧ �B � true�w)
83
Chapter 6 : Synthesizing SEREs
Therefore, we expect at some point in the trace, the evaluation of A and B completes.
Since the sequences may not have the same length, we consider two cases: 1) A is longer,
2) B is longer, then:
⇔ 1) ∃j < |w|, �EndedA� true�wj ∧ ∃k < j, �EndedB � true�wk
∨
2) ∃j < |w|, �EndedB � true�wj ∧ ∃k < j, �EndedA� true�wk
�
6.3.2.6 Disjunction
Dependency Rule 9. ϕRelation for disjunction
Let ϕ = A | B , then
�ϕ� true�w iﬀ �A�¬B�w ∨ �B �¬A�w
Proof. The proof is straightforward, just by replacing star with its semantic deﬁnition.
∀w,w |≡ true ⇒ w |≡A | B
⇔ ∀w,w |≡A ∨ w |≡B
⇔ ∀w, �A� true�w ∨ �B � true�w
By rewriting using Property 4 from Chapter 5 (�(A or B)�C�w ⇔ �A�(C ∧¬B)�w) we
have:
�A�¬B�w ∨ �B �¬A�w
�
Dependency Rule 10. EϕRelation for disjunction
Let ϕ = A | B , then
∃j < |w|, �Endedϕ� true�wj iﬀ �EndedA� true�wj ∨ �EndedB � true�wj
Proof. Considering the ϕRelation, we have:
⇔ ∀w, �A� true�w ∨ �B � true�w
Therefore, we expect at some point in the trace, the evaluation of A and B completes,
which means:
⇔ ∃i < |w|, �EndedA� true�wi ∧ ∃k < |w|, �EndedB � true�wk
Let j = min(i, k). Then:
⇔ ∃j < |w|, �EndedA� true�wj ∨ �EndedB � true�wj
�
6.3 : Formalization of the annotation
6.3.2.7 Kleene closure
Dependency Rule 11. ϕRelation for star
Let ϕ = A[∗0], then
�ϕ� true�w iﬀ |w| = 0
Let ϕ = A[∗], then
�ϕ� true�w iﬀ |w| = 0 ∨ ∃i < |w|, �EndedA� true�wi ∧ �ϕ� true�wi+1...
Proof. The star operator is replaced with its semantic deﬁnition.
∀w,w |≡ true ⇒ w |≡A[∗]
⇔ w |≡[∗0] ∨ ∃w1, w2, |w1| > 0, w = w1w2, w1 |≡A ∧ w2 |≡A[∗]
Let w1 = w
0...i. We can write:
⇔ |w| = 0 ∨ ∃i < |w|, �EndedA� true�wi ∧ �ϕ� true�wi+1...
�
6.3.2.8 Plus
Dependency Rule 12. ϕRelation for plus
Let ϕ = A[+], then
�ϕ� true�w iﬀ ∃i < |w|, �EndedA� true�wi ∧ �A[∗]� true�wi+1...
Proof. The plus operator is replaced with its semantic deﬁnition.
∀w,w |≡ true ⇒ w |≡A[+]
⇔ ∃w1, w2, w1 �= �, w = w1w2, w1 |≡A ∧ w2 |≡A[∗]
�
Dependency Rule 13. EϕRelation for plus
Let ϕ = A[+], then
∃j < |w|, �Endedϕ� true�wj iﬀ �EndedA� true�wj
We assume that each time A completes, Endedϕ becomes 1, not only the last time.
Proof. Considering the ϕRelation, we have:
∃i < |w|, �EndedA� true�wi ∧ �A[∗]� true�wi+1...
The proof is immediate; A occurs at least once, and then its evaluation completes
every j = |A| cycles:
⇔ ∃j, 0 ≤ j < |w|, �EndedA� true�wj
�
85
Chapter 6 : Synthesizing SEREs
6.4 Dependency relation synthesis
In order to construct a library of primitive reactants for SERE operators, we give a
hardware interpretation of the two dependency relations ϕRelation ( �ϕ� true�w), and
EϕRelation (�Endedϕ� true�wi).
6.4.1 Principles of the primitive reactant construction
The primitive reactants have a general interface: they take clock and reset as the syn-
chronization signals. Each primitive reactant has a start signal for its activation. The
corresponding circuit of each SERE operator is the interconnection of the circuits of the
ϕRelation and EϕRelation dependency relations. This interconnection is shown in Fig. 6.8.
Figure 6.8: Generic interface of a SERE operator
The operands of a SERE operator, Ω, are observed or constrained by the primitive
reactant of Ω during its activity. Thus, the output of a primitive reactant is not the
value of a signal, but the trigger that will start the primitive hardware component in
charge of the signal value generation or observation. In particular, for a Boolean signal
S, triggering S = 1 and S = 0 is done by two distinct signals TrigS and Trig¬S. In the
following, without loss of generality, we shall only consider the positive case S = 1. TrigS
is set to 1 by the reactant at all cycles when the dependency �S� true�w holds.
The left circuit in Fig. 6.8, C1 implements ϕRelation and based on this dependency it
generates two trigger signals: trig l and trig r. These signals start the primitive hardware
components that are in charge of generating or observing left or right sub-sequences. For
example, if S is the left sub-sequence, then trig l = TrigS means that trig l constrains S
to 1.
Then, the right circuit C2, which implements EϕRelation, generates a signal that
indicates if ϕ completes. We call the output of this module ended . It is equivalent to the
Endedϕ Boolean that has already been introduced (see Deﬁnition 1).
Here, we deﬁne C1 and C2 that implement ϕRelation and EϕRelation respectively.
Let P be the set of the signal names in ϕ. The signals may be observed or be con-
strained. Therefore, we split P in two sets Pin and Pout (P = Pin ∪ Pout), that contain
observed and constrained signals in the sub-sequences respectively.
Circuit C is the circuit that implements a primitive reactant, and is the interconnection
of C1 and C2.
6.4 : Dependency relation synthesis
The sets PC1 and PC2 of atomic propositions for the circuits C1 and C2 are given by
PC1 = Pin∪{reset, start}∪{trig l, trig r}, and PC2 = {start}∪{trig l, trig r}∪{ended}.
Then, PC = PC1 ∪PC2.
We denote ΣC the alphabet built on PC. In a similar way , we denote ΣC1 and ΣC2 the
alphabets built on PC1 and PC2.
Let wC1 be a trace built on ΣC1 and wϕ (or w1) a trace built on Σ. Similarly, let wC2
be a trace built on ΣC2 and wEndedϕ (or w2) a trace built on Σ.
Deﬁnition 2. wC1 is equivalent to w1 on Pin, denoted wC1≡|Pin w1 iﬀ ∃j such that
• wjC1 � start and ∃k < j such that wk−1C1 � reset and ∀l, k < l ≤ j, wlC1 � ¬reset and
wlC1 � ¬start
• ∀i, wj+iC1 |Pin = wi|Pin
This deﬁnition is very similar to Deﬁnition 3 of Chapter 5. Brieﬂy, it means that there
is a time point in the trace (wjC1) where start becomes 1. Before this point, C1 has been
reset and it is not active. After this point, wC1 and w1 should have identical values for
the atomic propositions in Pin. For the sake of simplicity, we assume that j = 0.
Deﬁnition 3. Let ϕ = AΩB, where A and B are the left and right sub-sequences:
• wC1 is equivalent to w1, denoted wC1 ≡ w1, iﬀ
– wC1 ≡|Pin w
– ∀i, wiC1 � trig l =⇒ w1i � A
– ∀i, wiC1 � trig r =⇒ w1i � B
• wC2 is equivalent to w2, denoted wC2 ≡ w2, iﬀ
– ∃m ≥ j such that wmC2 � C2.start
– ∀i, wiC2 � ended =⇒ w2i � Endedϕ
Brieﬂy, wC1 is equivalent to w1 if they are equivalent on inputs, and for the left and
right operands of Ω, if they take value true in w1, their corresponding trigger should take
value true in wC1. Additionally, wC2 is equivalent to w2, if C2 starts with or after C1,
and if ended takes true in wC2, Endedϕ takes true in w2. The value of m in the above
deﬁnition depends on the SERE operator, that is discussed later in this section.
Deﬁnition 4. A circuit C implements the ϕRelation and EϕRelation dependencies; it is
the interconnection of two sub-circuits C1 and C2 as in Fig. 6.8, and:
• Circuit C1 implements the dependency �ϕ� true�w1 (C1�ϕ) iﬀ wC1 ≡ w1 for all
traces w1 and ∀i, wiC1 � start → �ϕ� true�w1i... .
• Circuit C2 implements the dependency �Endedϕ�True�w2n (C2�Endedϕ) iﬀ wC2 ≡
w2 for all traces w2 and ∀m ≥ i, wmC2 � C2.start→ ∃n ≥ m, �Endedϕ� true�w2n
Simply, C1 implements ϕRelation if wC1 is equivalent to w1 on Pin, and also after
starting the circuit at wiC1, the �ϕ� true�w1i... dependency holds. Additionally, C2 im-
plements EϕRelation if it starts after C1, and zero or more cycles later, Endedϕ becomes
true.
87
Chapter 6 : Synthesizing SEREs
In this chapter, we explain how to synthesize C for SERE primitive reactants.
Based on the syntactic abstract tree of the operators and also the dependency relation
between the operands, we have categorized SERE operators into three groups: simple
SEREs, compound SEREs, and unbounded SEREs.
Here, we ﬁrst explain each SERE category brieﬂy, and then discuss how to build their
corresponding hardware intuitively.
6.4.1.1 Simple SEREs
A simple SERE operator is a binary operator, whose left sub-sequence should complete,
and then, the right sub-sequence starts. The sequence completes when the right sub-
sequence completes. The set of simple SERE operators is denoted by SimSERE = {; , :}.
For a simple SERE operator we have the following dependency relations:
∃i < |w|, �EndedA� true�wi ∧ �B � true�wi+1... for ‘;’
∃i < |w|, �EndedA� true�wi ∧ �B � true�wi... for ‘:’
Limitations and remarks. The following remarks should be considered:
1 The count repetition operator, [∗n], can be categorized as a simple SERE operator,
since we can rewrite it as n concatenations of its operand.
2 If the left sub-sequence is an unbounded repetition (e.g. ϕ = A[∗]; b), the concate-
nation operator belongs to SimSERE , however, a new limitation is added: the right
sub-sequence should be a Boolean expression.
6.4.1.2 Compound SEREs
A compound SERE operator is a binary operator, whose left and right sub-sequences start
at the same time. The completeness of the sequence depends on the operator. The set
of compound SERE operators is denoted by CompSERE = {&&,&, |}. For compound
SERE operators we have the following dependency relations:
�A� true�w ∧ �B � true�w for ‘&&’
∃i < |w|, (�A� true�w ∧ �B � true�w0...i) ∨ (�A� true�w0...i ∧ �B � true�w) for ‘&’
�A�¬B�w ∨ �B �¬A�w for ‘|’
Limitations and remarks. Based on the operator and also the direction and type of
the operands, some limitations may apply to observe or constrain a compound SERE.
1 The left and right sub-sequences are not an unbounded repetition.
2 If all the signals of both operands are in Pout, both operands should be constrained.
In this case, Ω cannot be the && operator. If Ω = |, deciding which operand is
observed cannot be made locally to a property. This will be explained in Chapter 9.
In addition, if Ω = |, both operands should be Boolean expressions, possibly within
curly brackets, i.e. SEREs of length 1.
6.4 : Dependency relation synthesis
4 If all the signals of operand A are in Pin, A is observed. If some of the signals
of the other operand, B , are in Pout, B should be constrained, based on the value
of the observed operand. In this case, the observed operand should be a Boolean
expression (see Example 7). Due to the commutativity of &, &&, and |, the roles of
A and B can be exchanged. In this case, if Ω ∈ {|,&&}, both operands should be
Boolean.
6.4.1.3 Unbounded SEREs
An unbounded SERE operator is a unary operator. The set of unbounded SEREs is
deﬁned as UnbSERE = {∗,+}.
Limitations and remarks. Assume that ϕ = A[Ω], Ω ∈ {+, ∗}. Based on the type
of the operands and their signal directions some limitations may apply to observe or
constrain an unbounded SERE.
1 When evaluating6 A, we need to know when the evaluation should be terminated
(see Example 3). Therefore, ϕ should be followed by a Boolean expression. Based
on this limitation, we assume that ϕ = {A[Ω]; b}, b is observed, and we have the
following dependency relation:
∃i < |w|, �b� true�wi... ∧ ∀j < i, �A�¬b�wj...
2 If Ω = +, we assume that �¬b� true�w0 . Because based on the semantic deﬁnition
of the plus operator, its operand should occur at least once (|w| > 0).
Considering the mentioned limitations, the synthesizable subset of SEREs, SynSERE ,
is deﬁned as:
SynSERE = SimSERE ∪ CompSERE ∪ UnbSERE .
6.4.2 Implementation of primitive reactants of SERE operators
In this section we address how a SERE primitive reactant can be implemented intuitively
using a simple example for each SERE category.
6.4.2.1 Simple SEREs
Example 10. Implementation of ϕ = {b1; b2}
First, assume ϕ is observed; hence, b1 and b2 are observed. The hardware is shown in
Fig. 6.9. When circuit starts, start = 1, b1 should be observed. If it is 1, trig l becomes
1, and in the next cycle, we observe b2. If b2 is 1, trig r becomes 1, and the sequence
completes (trig = 1).
If ϕ is generated, we generate b1 when the circuit starts, and we generate b2 in the
next cycle (see Fig. 6.10). Therefore, trig l constrains b1 (Trigb1 = trig l), and in the
next cycle, trig r constrains b2 (Trigb2 = trig r), and the sequence completes.
6here evaluation means either observation or generation
89
Chapter 6 : Synthesizing SEREs
Figure 6.9: Implementation of {b1; b2} (b1 and b2 are observed)
Figure 6.10: Implementation of {b1; b2} (b1 and b2 are generated)
Example 11. Implementation of ϕ = {q; b}
Assume that we want to generate ϕ; therefore, we generate q and b. The circuit of
q is activated when the circuit of ϕ starts (start = 1). Then, we should wait for the
completeness of q. Simply, we should register the start signal to indicate a sequence has
been already started and is in progress. trig l becomes 1 when q completes and the
registered start signal is 1. In the next cycle, b is generated (trig r = 1), and the sequence
completes (ended = 1).
Circuit for q Wait for q 
to complete
Figure 6.11: Implementation of {q; b} (q and b are generated)
For clarifying this discussion, assume that q = {b1; b2}. Figure 6.12 shows the corre-
sponding trace. If the circuit starts at cycle �0, then q takes two cycles to complete. In
this period, the circuit that is waiting for the completeness of q, registers the start signal
(see start reg in Fig. 6.12). In cycle �1, q completes, and start reg is 1, therefore, trig l
becomes 1 that shows the completeness of q. In the next cycle b is generated and the
sequence completes.
6.4 : Dependency relation synthesis
0 1 2 3 4
clock
start
start reg
b1
b2
trig l
b
trig r
ended
Figure 6.12: Timing diagram of {{b1; b2}; b}
Example 12. Implementation of ϕ = {b; q}
Assume that we want to generate ϕ. Therefore, we generate b and q. The implemen-
tation is shown in Fig. 6.13. When the circuit starts, trig l becomes 1 that constrains b.
In the next cycle, trig r starts the circuit of q. Then, we should wait for the completeness
of q; and ended becomes 1 when q completes.
Circuit for q
Wait for q
to complete
Figure 6.13: Implementation of {b; q} (b and q are generated)
As is shown in these examples, when the left sub-sequence is a SERE, we should wait
for its completion and register the start signal. The right sub-sequence starts when the
left sub-sequence completes. In order to identify when the sequence completes, we need
to implement a circuit to wait for completion of the right sub-sequence, while registering
the trig l signal.
The same discussion is valid for the fusion operator. The only diﬀerence is that the
right sub-sequence starts at the last cycle of the left sub-sequence. Therefore, it is not
necessary to have a ﬂip-ﬂop between trig l and the start of the right sub-sequence.
6.4.2.2 Compound SEREs
Example 13. Implementation of ϕ = {b1}&{b2}
91
Chapter 6 : Synthesizing SEREs
ϕ is implemented like a logical AND. Suppose that ϕ is observed; then b1 and b2 are
observed (see Fig. 6.14 (a)). In the case of generation, both operands should be generated
at the same time (see Fig. 6.14 (b)). Then, ended1 and ended2 constrain b1 and b2
respectively. ended becomes 1 if both operands are 1 (in the case of observation), or both
are generated (in the case of generation).
(a) ϕ is observed (b) ϕ is generated
Figure 6.14: Implementation of {b1}&{b2}
Example 14. Implementation of ϕ = {q}&{b}
Assume that we want to generate ϕ. Therefore, both sub-sequences should be gen-
erated, and they should start at the same time (trig l = trig r = start). The right
sub-sequence is a Boolean, it is constrained by ended2 when the circuit starts. The left
sub-sequence is a SERE. We should wait for its completeness. The ϕ sequence completes
(ended = 1), when q completes (ended1 = 1). Figure 6.15 shows the implementation.
For clarifying the discussion, suppose that q = {b1; b2}. The trace is shown in Fig. 6.16.
Circuit for q
Wait for q 
to complete
Figure 6.15: Implementation of {q}&{b} (q and b are generated)
Both sub-sequences start in cycle �0. ended2 becomes 1 in cycle �0 and constrains b.
The circuit of q starts at the same cycle; it generates b1 in cycle �0. We should wait for
completeness of q, while registering ended2 (see ended2 reg in Fig. 6.16, it is the output
of a register inside the module that is waiting for the completeness of q). In cycle �1, b2
is generated, and q completes (ended1 = 1). Since ended1 and ended2 reg are 1 in cycle
�1, the sequence completes in cycle �1 (ended = 1).
6.4 : Dependency relation synthesis
0 1 2 3 4
clock
start
trig r
b
ended2
ended2 reg
trig l
b1
b2
ended1
ended
Figure 6.16: Timing diagram of {{b1; b2}&b}
Example 15. Implementation of ϕ = {q1}&{q2}
If we want to generate ϕ, we should generate both q1 and q2. Figure 6.17 shows the
implementation. Both circuits of q1 and q2 start at the same time (trig l = trig r =
start). The sequence ϕ holds if q1 and q2 hold, and completes when the longer sequence
completes. Therefore, we need to wait for the sub-sequences to complete (ended1 = 1 and
ended2 = 1), and specify the value of ended based on ended1 and ended2.
Circuit for q1
Circuit for q2
Wait for the
longer 
sequence 
to complete
Figure 6.17: Implementation of {q1}&{q2}
In the case of monitoring, we should monitor both q1 and q2. In this case, the hardware
is more complex and is not beneﬁcial, since we need to implement an extra circuit to
guarantee if two sub-sequences start at the same time. At this point, we put a limitation
that ϕ = {q1}&{q2} can be just generated, not monitored. Later in this chapter, we
explain how we can overcome this limitation.
6.4.2.3 Unbounded SEREs
Example 16. Implementation of ϕ = b[+]
93
Chapter 6 : Synthesizing SEREs
Assume that b is generated. The implementation is shown in Fig. 6.18. In this ﬁgure
the trig l signal constrains b. The once more internal signal becomes 1, one cycle after
each occurrences of b. b should be generated for 1 (when start = 1) or more times (when
once more = 1). However, when should the generation of b be terminated? As was
discussed in Section 6.2, we put a limitation that each unbounded repetition should be
followed by a Boolean, which is the stopping condition.
Figure 6.18: Implementation of b[+]
Example 17. Implementation of ϕ = b1[∗]; b2
In this example, we observe b2, and stop generating b1 as soon as b2 becomes 1. Fig-
ure 6.19 shows the corresponding circuit. Therefore, in addition to considering start and
once more for generating b1, we should consider b2. The shaded AND gate implements
the dependency of b1 on b2: trig l, which constrains b1 becomes 1 if b2 is 0. As is shown in
Fig. 6.19 the completeness of the sequence is detected by the circuit of the concatenation.
If b2 is 1 in the ﬁrst cycle, b1 does not occur, and the sequence completes.
Circuit for concat
Figure 6.19: Implementation of b1[∗]; b2
Example 18. Implementation of ϕ = q[∗]; b
Figure 6.20 shows the corresponding circuit. The only diﬀerence is that after the ﬁrst
generation of q, if it is possible due the value of b, we should wait for its completeness
(wait until q.ended becomes 1), and then start generating the next q.
For clarifying the discussion assume that q = {b1; b2}. The trace is shown in Fig. 6.21.
start is 1 in cycle �0, and b is 0. Therefore, q.start becomes 1 to start generating the ﬁrst
6.4 : Dependency relation synthesis
Circuit for concat
Circuit for q Wait for q to complete
Figure 6.20: Implementation of q[∗]; b
occurrence of {b1; b2}. {b1; b2} completes (q.ended = 1) in cycle �1, once more becomes
1 in the following cycle, and since b is 0, q.start becomes 1 to start the circuit of q.
q completes in cycle �3. In cycle �4, b is 1. Therefore, q.start = 0, and the sequence
completes (ended = 1).
Now, assume that the start signal becomes 1 again in cycle �6. We generate {b1; b2}; it
completes in cycle �7; therefore, once more becomes 1 in cycle �8, and since b is 0, q.start
becomes 1 to generate {b1; b2}. However, b becomes 1 in cycle �9, when {b1; b2} has not
been completed yet. At this point, the value of b is not taken into account until cycle �10,
i.e. the cycle after {b1; b2} completes.
0 1 2 3 4 5 6 7 8 9 10
clock
start
b
q.start
b1
b2
q.ended
once more
ended
Figure 6.21: Timing diagram of {{b1; b2}[∗]; b}
95
Chapter 6 : Synthesizing SEREs
6.5 Summary
The “synthesizable subset of SEREs” supported in this thesis are the SEREs in the fol-
lowing form:
SEREsynth =BoolExpr.
| {SEREsynth}
| SERE|–>SEREsynth
| SERE|=>SEREsynth
| SEREsynth;SEREsynth
| SEREsynth : SEREsynth
| SEREsynth&SEREsynth
| {BoolExpr} | {BoolExpr}
| SEREsynth[∗n]
| SEREsynth[∗];BoolExpr
| SEREsynth[+];BoolExpr
| [+];BoolExpr
| [∗];BoolExpr
Assume that ϕ is a SERE, A and B (if it exists) are its sub-sequences, and Ω is
any SERE operator deﬁned above. Then ϕ can be synthesized if it meets the following
conditions:
1 If ϕ = A[Ω]:
1 If Ω ∈ {+, ∗}, then A[Ω] should be followed by a Boolean expression, which
is the stopping condition for evaluating A. Therefore, we should have: ϕ =
{A[Ω]; b}, where b is a Boolean expression and is observed.
2 If Ω = +, we assume that b is 0 when the sequence starts (A should occur at
least once).
2 If ϕ = AΩB , and Ω ∈ {; , :}, if the left sub-sequence is an unbounded repetition the
right sub-sequence should be a Boolean expression.
3 If ϕ = AΩB , and Ω ∈ {&, |}:
1 The left and right sub-sequences are not unbounded repetition.
2 If all the signals of both operands are in Pout and Ω = |, both operands should
be Boolean expressions.
3 If Ω = &, if all the signals of an operand, assume A, are in Pin, and some of the
signals of the other operand B are in Pout, A should be a Boolean expression.
Due to the commutativity of &, the roles of A and B can be exchanged.
Chapter7
Annotation of the signals
Contents
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
7.2 Problem deﬁnition and overall view . . . . . . . . . . . . . . . 98
7.2.1 Representation of the dependency relation . . . . . . . . . . . . 98
7.3 Construction of the property Abstract Syntax Tree (AST) . . 99
7.4 Construction of the Directed Abstract Syntax Tree (DAST) . 101
7.4.1 DAST of simple FL operators . . . . . . . . . . . . . . . . . . . 102
7.4.2 DAST of extended next FL operators . . . . . . . . . . . . . . 103
7.4.3 DAST of FL logical operators . . . . . . . . . . . . . . . . . . . 103
7.4.4 DAST of compound FL operators . . . . . . . . . . . . . . . . 104
7.4.5 DAST of implication operators . . . . . . . . . . . . . . . . . . 105
7.4.6 DAST of simple SERE operators . . . . . . . . . . . . . . . . . 105
7.4.7 DAST of compound SERE operators . . . . . . . . . . . . . . . 106
7.4.8 DAST of unbounded SERE operators . . . . . . . . . . . . . . 107
7.4.9 DAST of PSL directives and functions . . . . . . . . . . . . . . 108
7.4.10 The annotation algorithm . . . . . . . . . . . . . . . . . . . . . 109
7.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
97
Chapter 7 : Annotation of the signals
7.1 Introduction
Each property written in a set of circuit speciﬁcations deﬁnes a piece of the circuit behav-
ior, for which some signals are considered inputs (they are observed or monitored), and
some signals are outputs (they are generated).
To synthesize a property, it is essential to specify the direction of the signals involved in
the property. We call this process annotation. This is the topic of this chapter, using the
formalism introduced in Chapters 5 and 6. The annotation of FL properties is illustrated
on the receiver side of GenBuf, which we call GenBufRec.
7.2 Problem deﬁnition and overall view
If we are interested in monitoring an existing design, the global property outputs trig
(in the case of FL) or trig l and trig r (in the case of SEREs) are used to monitor the
expected value of the operand. To do so, the property trigger (trig , trig l, or trig r) is
connected to the input trig of the multiplexer of Fig. 7.1. This constitutes the monitor
for the property: all the signals are inputs of the monitor.
Figure 7.1: Monitoring the value of a Boolean expression
If we are interested in synthesizing the design, the global property’s trigger output
(trig , trig r or trig l) is used to generate the value of one or more signals, depending on
the values of the monitored input signals.
Example 1. Property P3_rec_0.
Consider property P3_rec_0 from GenBufRec (see Chapter 4):
P3 rec 0 :
assert (always ( rose (BtoR REQ(0) ) −> next ! (next event ! (prev (not
BtoR REQ(0) ) ) (not BtoR REQ(0) unti l (BtoR REQ(1) ) ) ) ) ) ;
In this property, BtoR REQ(0) is both monitored and generated.
It is thus essential to determine, for each instance of a signal Sig in a property, if it is
monitored (and we annotate it Sig m) or generated (annotated as Sig g).
7.2.1 Representation of the dependency relation
The dependency �A�B� can be represented as is shown in Fig. 7.2. As this ﬁgure implies,
the value of B should be monitored, and A is generated based on the value of B .
In particular, assuming that ϕ = AΩB , and Ω is a binary FL or SERE operator, we
can represent the �A�B�w dependency among A and B as is demonstrated in Fig. 7.3(a).
7.3 : Construction of the property Abstract Syntax Tree (AST)
A B
Figure 7.2: The representation of �A�B�w
In this ﬁgure, we represent ϕ by its Abstract Syntax Tree (AST). The directions obtained
from the dependency relation directly implies that we should observe B , and based on
its value generate A. If A and B are Boolean, the dependency relation can be reversed
(Property 5 in Chapter 5): we observe A and generate B (see Fig. 7.3(b)).
A B
(a) A or B is FL
BA
(b) A and B are
Boolean
Figure 7.3: The representation of the �A�B�w dependency relation
Representing the dependency relations in this way enables us to specify the signals’
directions. Therefore, the idea is considering the properties one-by-one, and constructing
the Abstract Syntax Tree of each property. We use the dependency relations of the FL
and SERE operators, and interpret these relations into the edge directions of the abstract
syntax tree.
The remainder of this chapter explains the principles of annotating reactant operands.
7.3 Construction of the property Abstract Syntax
Tree (AST)
The Abstract Syntax Tree (AST) of a property is a classical binary non-directed tree. The
leaves are the design signals 1, that may be observed or generated; the other nodes are
the temporal and logical operators. We denote AST = (V,E), where:
• V is the set of nodes (or vertices) of the tree. L is the set of leaves (the operands of
the property), and N = V \ L is the set of internal nodes (the operators).
• E ⊂ V ×V is the set of edges of AST. (v1− v2) denotes an edge between two nodes
v1 and v2; v1 is the parent and v2 is a child.
Three partial functions are deﬁned on V : P(v), Lch(v), Rch(v) return the parent, the
left child and the right child of node v.
1There are some exceptions, e.g. when having bounded repetition, the bounds of the repetition operator
are leaves of the tree. For instance, in [∗3 to 6], 3 and 6 are the leaves.
99
Chapter 7 : Annotation of the signals
Example 2. AST of P3_rec_0.
Figure 7.4 illustrates the AST of P3_rec_0 (see Chapter 4 for details).
always
rose
BtoR_REQ(0)
next!
next_event!
BtoR_REQ(1)
prev
not
BtoR_REQ(0)
until_
not
BtoR_REQ(0)
>
assert
Figure 7.4: The abstract syntax tree of P3_rec_0
Take as example, v = next!. Then we have:
P(v) = –>
Lch(v) = next event!
Rch(v) = NULL
Example 3. AST of HDLC_240.
Consider property HDLC_240 2.:
HDLC 240 :
assert always ( {not TxLastBit and not TxDataWr ; TxLastBit and not
TxDataWr}
|−> { {not TxDout ; (TxDout) [ ∗ 6 ] ; not TxDout } ;
{TxDout } [ ∗ ] ; { {TxEnable and TxDataWr} | {TxDout and (not TxEnable
or not TxDataWr) } } }) abort not r e s e t n ;
Fig. 7.5 illustrates part of the AST of HDLC_240.
As an example, consider the leftmost repetition, v = REP. Then we have:
P(v) = ;
Lch(v) = TxDout
Rch(v) = ∗
2The complete set of properties describe High-level Data Link Controller (HDLC), and is taken from
[PPSQ13]
7.4 : Construction of the Directed Abstract Syntax Tree (DAST)
always
assert
|->
;
;
TxDout *
REP |
and
TxEnable TxDataWr
and
orTxDout
TxEnable TxDataWr
not not
;
not
TxDout
;
TxDout
REP
*
6
not
TxDout
Figure 7.5: The abstract syntax tree of HDLC_240
7.4 Construction of the Directed Abstract Syntax
Tree (DAST)
For each PSL operator, one or more dependency rules have been deﬁned between its
operands, in accordance with the formal semantics of the operator (see Chapters 5 and
6).
In order to determine which variables are read by a property, and which are generated,
we translate the dependency relations to a directed graph, and build the Directed Abstract
Syntax Tree (DAST) of each AST. DAST = (V,E�) represents the dependency between
the signals of the property, going through its operators. It is built using:
• the input/output direction of the module interface signals,
• the implementation of the dependency rules as a direction between the node for an
operator and its children.
Each edge in E � is a directed edge of E. The direction of an edge is seen from the
parent node. Let v denote the sub-property extracted from node v in DAST and l denote
the Boolean expression of a leaf l.
• An outgoing edge from a parent to its child (P(v)→ v) means that the value of v is
constrained to ‘1’; in other words, the signals in sub-property v must be constrained
to give value ‘1’ to v. It represents the dependency relation �v� true�. If v is a leaf,
it will be generated, otherwise this outgoing edge needs to be propagated to at least
one child of v (see Fig. 7.6 (a)).
• An ingoing edge to a parent from its child (P(v)← v) means that the value of v is
not constrained. If v is a leaf it will be observed, otherwise this ingoing edge needs
to be propagated to v from all its children (see Fig. 7.6 (b)).
101
Chapter 7 : Annotation of the signals
• If there is a directed path between the two children of a node v, e.g. Lch(v)→ v →
Rch(v), the value of the left child constrains the value of the right child (see Fig. 7.6
(c)). It represents the relation �Rch(v)�Lch(v)�
• A dependency relation may be reversed if both operands are Boolean (Property 5
of Chapter 5). Otherwise, the dependency relation may not be turned around, as
this would introduce a negated FL, which is not allowed in the PSL simple subset.
When two directions may hold (�Rch(v)�Lch(v)� or �¬Lch(v)�¬Rch(v)�), edges
are directed and marked unsettled (denoted with dash arrows). A node is unsettled
if the edges to both its children are unsettled. When a node is unsettled, all its
sub-trees are unsettled. Conversely, when a node is settled, the path from the node
to the root is settled.
vv or
(a) (P(v)→ v)
v
(b) (P(v)← v)
v
(c) Lch(v)→v→Rch(v)
Figure 7.6: Propagation of ingoing and outgoing edges
For each PSL and SERE operator, we have deﬁned the direction of the parent and
children edges according to their dependency relation. Here, we explain how to build the
DAST of each category of FL and SERE operators based on their dependency relations.
When observing a node v, all its children are observed and the problem is solved. Here, we
focus on constraining a node. After constructing the DAST of each operator, we propose
an annotation algorithm that utilizes these DASTs for specifying the signal directions in
the AST of a property.
In the remainder of this chapter, we shall only consider DASTs in which the root node
edges are outgoing to its children.
7.4.1 DAST of simple FL operators
This category contains the always, never, eventually!, and next! (also its weak version)
operators. All these operators are annotated in the same way. Consider the next! operator,
and assume ϕ = next!(A); then:
�ϕ� true�w iﬀ �A� true�w1...
From the dependency relation �A� true�w1... we can deduce that there will be an
outgoing edge from next! to A (Fig. 7.7).
7.4 : Construction of the Directed Abstract Syntax Tree (DAST)
next!
A
Figure 7.7: Edges direction for next!
7.4.2 DAST of extended next FL operators
This category contains the next a, next e, next event, next event a, and next event e
operator families. The annotation of the next a and next e families is the same as the
annotation of the next! operator. Here, we demonstrate the DAST of next event!. Other
operators of the next event family have a similar DAST.
Since next event! is an FL operator, its parent (if any) is an FL operator, and its
parent edge direction is outgoing and it is settled.
Dependency Rule 9 (Chapter 5) gives the dependency relation of ϕ = next event!(B)A:
�ϕ� true�w iﬀ ∃k < |w|, �B � true�wk... ∧ ∀i ≤ k, �A�B�wi...
The left operand B needs to be asserted before the end of the simulation. Other
properties are expected to provide it. The dependency relation �B � true� is thus re-
moved. From the second dependency relation �A�B� we can deduce that there will be
an outgoing path from B to A (Fig. 7.8 (a)). If A is Boolean, the dependency direction
may be reversed, and the path is unsettled (Fig. 7.8 (b)).
next_
event
AB
(a) A is FL
next_
event
next_
event
B A B A
(b) A is Boolean
Figure 7.8: Edges direction for next event!
7.4.3 DAST of FL logical operators
For the Boolean operator and, Property 3 of Chapter 5 (�(A andB)�C�w ⇔ �A�C�w∧
�B�C�w) implies that either both operands are generated (Fig. 7.9 (a)) or they are both
103
Chapter 7 : Annotation of the signals
observed (Fig. 7.9 (b)). The directions may be settled or unsettled based on the edge
between “and” and its parent.
AND AND
(a) Generation
AND AND
(b) Observation
Figure 7.9: Edges direction for and
For the Boolean operator or, Property 4 of Chapter 5 (�(A orB)�C�w ⇔ �A�(C ∧
¬B)�w) implies that either both operands are observed (Fig. 7.10 (a)), or one of the
operands is generated based on the value of the other operand. We cannot annotate the
signals in the case of generation (Fig. 7.10 (b)), since we may have either dependency
�A�¬B�w or �B�¬A�w. In Chapter 9 we explain how this problem can be solved.
OR OR
(a) Observation
OR
A B
(b) Generation
Figure 7.10: Edges direction for or
7.4.4 DAST of compound FL operators
This category contains the abort, until, and before families of operators. Here, we
consider the annotation of the until! operator. Since until! is an FL operator, its parent
(if any) is an FL operator, and its parent edge direction is outgoing and it is settled.
Dependency Rule 6 (see Chapter. 5) gives the dependency relation of ϕ = A until! B:
�ϕ� true�w iﬀ ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
The left operand B needs to be asserted before the end of the simulation. Other
properties are expected to provide it. The dependency relation �B � true�wk... is thus
removed. From the second dependency relation �A�¬B�wi... we can deduce that there
will be an outgoing path from B to A (Fig. 7.11 (a)). If A is Boolean, the dependency
direction may be reversed, and the path is unsettled (Fig. 7.11 (b)).
7.4 : Construction of the Directed Abstract Syntax Tree (DAST)
BA
until!
(a) A is FL
until!
BA BA
until!
(b) A is Boolean
Figure 7.11: Edges direction for until!
7.4.5 DAST of implication operators
The ‘–>’, ‘|–>’ and ‘|=>’ operators are annotated exactly the same. Here, we consider
DAST of the ‘–>’ operator. Since ‘–>’ is an FL operator, its parent (if any) is an FL
operator, and its parent edge direction is outgoing and it is settled. Let assume ϕ = A–>B.
The dependency relation is given as:
�ϕ� true�w iﬀ �B�A�w
Dependency �B�A�w implies that there will be an outgoing path from A to B
(Fig. 7.12 (a)). Since we deal with PSLsimple A should be a Boolean. If B is also a
Boolean, the dependency direction may be reversed (Fig. 7.12 (b)).
BA
>
(a) B is FL
A B
>
(b) B is Boolean
Figure 7.12: Edges direction for ‘–>’
7.4.6 DAST of simple SERE operators
This category contains the ‘;’, ‘:’ and any bounded repetition operator (e.g. [∗n]). Here,
we consider the annotation of the ‘;’ operator as an example.
Since ‘;’ is a SERE operator, its parent (if any) is an FL or SERE operator, and its
parent edge direction is outgoing and it is settled.
105
Chapter 7 : Annotation of the signals
Dependency Rule 1 (see Chapter. 6) gives the dependency relation for ϕ = A;B :
�ϕ� true�w iﬀ ∃i < |w|, �EndedA� true�wi ∧ �B � true�wi+1...
The dependency �EndedA� true�wi implies that A should have been already generated.
Therefore, there will be an outgoing edge from ‘;’ to its left child (see Fig. 7.13). The
second relation, �B � true�wi+1... , implies that there is an outgoing edge from ‘;’ to its
right child. These directions are settled.
;
BA
Figure 7.13: Edges direction for ‘;’
It should be mentioned that none of A and B are unbounded repetition. Otherwise,
the annotation diﬀers (see Section 7.4.8).
7.4.7 DAST of compound SERE operators
This groups contains the ‘&&’, ‘&’, and ‘|’ operators. Here, we consider the DAST of
‘&&’ and ‘|’. The DAST of ‘&’ is the same as ‘&&’.
Assuming that ϕ = {A}&&{B}, we have the following dependency relation:
�ϕ� true�w iﬀ �A� true�w ∧ �B � true�w
This dependency relation implies that either both operands are generated or both of
them are observed (Fig. 7.14).
&&
BA
(a) Generation
&&
BA
(b) Observation
Figure 7.14: Edges direction for ‘&&’
Assuming that ϕ = {A}|{B}, we have the following dependency relation:
�ϕ� true�w iﬀ �A�¬B�w ∨ �B �¬A�w
7.4 : Construction of the Directed Abstract Syntax Tree (DAST)
This dependency relation implies that either both operands are observed, or one of
the operands is generated based on the value of the other operand. We cannot annotate
the signals in the case of generation (Fig. 7.15), since we may have either dependency
�A�¬B�w or �B�¬A�w. In Chapter 9 we explain how this problem can be solved.
However, we can solve the problem only if A and B are Boolean expressions.
A B
|
(a) Generation
BA
|
(b) Observation
Figure 7.15: Edges direction for ‘|’
7.4.8 DAST of unbounded SERE operators
This category contains the ‘∗’ and ‘+’ operators.
As was discussed in Chapter 6, each unbounded repetition should be followed by a
Boolean expression. Assume that ϕ = A[∗];B . We have this dependency relation:
�ϕ� true�w iﬀ ∃i < |w|, �B � true�wi... ∧ ∀k < i, �A[∗]�¬B�wk...
Since ‘∗’ is a SERE operator, its parent is a SERE operator, and its parent edge
direction is outgoing and it is settled.
The dependency �B � true�wi... implies that B ﬁnally becomes true. From the de-
pendency �A[∗]�¬B�wk... we can conclude that there is an outgoing path from B to A
(Fig. 7.16).
A
;
BREP
*
Figure 7.16: Edges direction for ‘∗’
107
Chapter 7 : Annotation of the signals
7.4.9 DAST of PSL directives and functions
In addition to FL and SERE operators, we annotate the signals for some of the functions
of the Boolean and veriﬁcation layers of PSL. Moreover, we annotate the operands of some
the operators of the PSL modeling layer (VHDL ﬂavor).
7.4.9.1 Boolean layer directives
We annotate the functions rose, fell, and prev from the PSL Boolean layer. Let assume
ϕ = prev(A), where A is a Boolean expression. A is always annotated as monitored. In
addition, the direction is settled because it is based on the previous value of the operand,
which may not be changed at the current cycle (see Fig. 7.17).
prev
A
Figure 7.17: Edges direction for prev
7.4.9.2 Veriﬁcation layer directives
We annotate the assume and assert directives. The operand of assert is always gener-
ated, while the operand of assume is always monitored 3.
7.4.9.3 Modeling layer operators
We consider the VHDL operators: Boolean, comparison and arithmetic operators. The
annotation of the Boolean operators are the same as FL logical operators. Here, we
consider the comparison and arithmetic operators.
Assume that ϕ = (A = B), where A and B are Boolean expressions. The edge
directions between ‘=’ and its children depend on the edge direction between ‘=’ and its
parent. Figure 7.18 shows two possible directions. If there is an ingoing edge to P(=)
from ‘=’, then it is observed, and both children are observed (Fig. 7.18(a)). Otherwise,
if the right child is observed, and A is a Boolean signal, then A = B is interpreted as an
assignment of B to A. Then there is an outgoing path from the right child to the left
child (Fig. 7.18(b)), and the left child is generated.
In the case of the arithmetic operators, the children are observed.
Example 4.
3Industrial users have requested this interpretation of the directives in the context of reactants syn-
thesis.
7.4 : Construction of the Directed Abstract Syntax Tree (DAST)
=
A B
(a) Observation
A B
=
(b) Generation
Figure 7.18: Edges direction for ‘=’
Consider the following property:
P: always (C −> A = prev (B) ) ;
In this property, A is generated and B is observed, and prev(B) is assigned to A.
7.4.10 The annotation algorithm
The annotation process marks each signal instance in each property as either monitored
or generated by the property.
Before discussing the annotation algorithm, we introduce some data structures and
auxiliary functions that are used in the algorithms. We represent a DAST with the node
data structure (see Fig. 7.19).
// the s e t of edge d i r e c t i o n s
enum Di r e c t i on s {none , ingo ing , un s e t t l ed ingo ing , outgoing ,
un s e t t l ed ou tgo ing } ;
// the annotat ion type of a node : m: monitored , g : generated , u : unannotated
enum AnnotType{m, g , u} ;
// the s e t of a l l the PSL and SERE opera to r s
enum Types{always , next , ∗ , . . . } ;
s t r u c t node{
i n t id ; // unique name of the node in DASTs
Types type node ; // the type of the node
s t r u c t node ∗LCH; // the l e f t c h i l d of the node
s t r u c t node ∗RCH; // the r i g h t ch i l d of the node
// the d i r e c t i o n of edge between node n and i t s parent and ch i l d r en
D i r e c t i on s PDir ;
D i r e c t i on s LchDir ;
D i r e c t i on s RchDir ;
AnnotType type mark ; // the annotat ion type of a node
} ;
Figure 7.19: The necessary data structures for Annotation
109
Chapter 7 : Annotation of the signals
The following auxiliary functions are called:
• IsLeaf(node ∗ a): returns true if a is a leaf,
• IsInput(node ∗ a): returns true if the corresponding signal of a is an input signal,
• SetDir(node ∗ a, Directions LchDir, Directions RchDir, Directions PDir): as-
signs the directions speciﬁed in its arguments to the corresponding edges of a; if a
is a leaf, this function marks the corresponding signal as ‘m’ or ‘g, based on PDir.
If PDir = ingoing or PDir = unsettled ingoing, the signal is marked as ‘m’, if
PDir = outgoing or PDir = unsettled outgoing, the signal is marked as ‘g’.
• SettledEge(node ∗ a): This function considers the edge directions (a–>LchDir,
a–>RchDir, and a–>PDir) and tries to settle them. Based on the direction of the
edges of a and its operator, the new directions of the edges of a are computed, the
edge directions are updated by calling SetDir, which returns a with the updated
direction for its corresponding edges. For each operator, we have deﬁned the set
of all the possible directions for its corresponding edges (see Section 7.4). For each
possible set of directions, we consider all the possible directions after being settled,
and store these directions in a ﬁle for each operator.
As an example, assume a is the until! operator, and:
a–>LchDir = none, a–>RchDir = none, a–>Pdir = settled outgoing
In this case, we can have the following directions:
– a–>LchDir = settled outgoing, a–>RchDir = settled ingoing
– a–>LchDir = unsettled outgoing, a–>RchDir = unsettled ingoing
– a–>LchDir = unsettled ingoing, a–>RchDir = unsettled outgoing
The last two directions are for the case that the operands are Boolean.
Initially, all the edges are undirected. The annotation process is performed in two
steps.
First, we start from the direction of the interface signals, and annotate all the input
signals as ‘m’, and give a direction to its corresponding edge (see recursive function An-
notate_in in Fig. 7.20). These directions are settled, and cannot be changed later due
to the directions of the operator’s edges.
1 node ∗ Annotate in ( node ∗a ) {
2 i f ( I sLea f ( a ) ) {
3 i f ( I s Input ( a ) )
4 SetDir ( a , none , none , s e t t l e d i n g o i n g ) ; // s e t s d i r e c t i o n (P( a )<−a )
5 return a ;
6 }
7 else {
8 Annotate in ( a−>LCH) ; // i f ( a−>LCH != NULL)
9 Annotate in ( a−>RCH) ; // i f ( a−>RCH != NULL)
10 }
11 }
Figure 7.20: the pseudo code for the Annotate_in function
7.4 : Construction of the Directed Abstract Syntax Tree (DAST)
Then, the recursive Annotate function (Fig. 7.21) takes as input a partially directed
DAST (a); it returns a more settled DAST. It starts from the root of the tree, and based
on its operator, gives the direction to the corresponding edges.
1 node∗ a Annotate ( node ∗a ) {
2 i f ( I sLea f ( a ) )
3 return a ;
4 else {
5 a = Sett ledEdge ( a ) ;
6 l e f t e d g e d i r = a−>LchDir ;
7 r i g h t e d g e d i r = a−>RchDir ;
8
9 Lch ( a ) = Annotate (Lch ( a ) ) ;
10 Rch( a ) = Annotate (Rch( a ) ) ;
11
12 i f ( l e f t e d g e d i r == a−>LchDir ) {
13 i f ( r i g h t e d g e d i r == a−>RchDir ) {
14 return ( a ) ;
15 else {
16 a = Sett ledEdge ( a ) ;
17 l e f t e d g e d i r = a−>LchDir ;
18 Lch ( a ) = Annotate (Lch ( a ) ) ;
19 return a ;
20 }
21 }
22 else {
23 i f ( r i g h t e d g e d i r == a−>RchDir ) {
24 a = Sett ledEdge ( a ) ;
25 r i g h t e d g e d i r = a−>RchDir ;
26 Rch( a ) = Annotate (Rch( a ) ) ;
27 return a ;
28 }
29 else {
30 a = Sett ledEdge ( a ) ;
31 l e f t e d g e d i r = a−>LchDir ;
32 r i g h t e d g e d i r = a−>RchDir ;
33
34 Lch ( a ) = Annotate (Lch ( a ) ) ;
35 Rch( a ) = Annotae (Rch( a ) ) ;
36
37 return a ;
38 }
39 }
40 }
41 }
Figure 7.21: the pseudo code for the Annotate function
If a is a leaf, it is returned unchanged. Otherwise, we call function SettledEdge on a.
SettledEdge computes a ﬁrst direction for the left and right children edges (�6). Then, the
right and left edge directions are updated with the new edge directions (�7, 8). Annotate
is then called recursively on both children of a (�10, 11). The new edge directions are
compared to the ones obtained from function SettledEdge. If none of the children edges
changes, a is returned (�15). If one of the children edges changes, the change may impact
111
Chapter 7 : Annotation of the signals
the direction and type of the two other edges of node a (sibling and root edge). If only
the direction of the right edge is changed (�16), function SettledEdge is again called on
a (�17), the direction of the left edge is updated (�18), and the left child is re-annotated
(�19). Similarly, if the direction of the left edge is changed, the right child should be
re-annotated (�27). If both edges’ directions are changed (�30), both children should be
re-annotated (�35, 36). The algorithm stops when none of the edge directions of the DAST
changes after calling the Annotate function.
Example 5. DAST of P3_rec_0.
Figure 7.22 illustrates the DAST of property P3_rec_0. Next to each edge, the recur-
sion depth is written.
At step 0, the child edge of assert is outgoing and settled. At step 1, always is
outgoing and settled (see 7.4.1). At step 2, since –> has a FL operand, the two edges are
settled and there is an ingoing path from left child to right child. At step 3 (left child of
‘–>’) and according to Fig. 7.17, the edge must be settled and ingoing: signal BtoR REQ 0
is marked settled monitored. Step 4 (the child of next!) is similar to step 1, and the edge
is settled outgoing. At Step 5, ﬁrst, the two edges are unsettled, then both DAST children
are annotated. The annotation of the left DAST (steps 6 and 7) returns a settled ingoing
edge to next event!. Step 8 is similar to step 5, the two edges are unsettled, but in this
case the annotation of their two sub-trees is not able to settle the edges.
Finally, we get that the ﬁrst two occurrences of BtoR REQ 0 are marked settled moni-
tored, the third one is unsettled generated, and the occurrence of BtoR REQ 1 is unsettled
monitored.
2
0
5
3
8
7
1
86
4
>
assert
2
5
9
always
rose
BtoR_REQ(0)
next!
next_event!
BtoR_REQ(1)
prev
not
BtoR_REQ(0)
until_
not
BtoR_REQ(0)
Figure 7.22: The directed abstract syntax tree of P3_rec_0
Example 6. DAST of HDLC_240.
Figure 7.23 illustrates the DAST of property HDLC_240. As is shown in this ﬁgure, we
have an unbounded repetition: TxDout[∗]. It is followed by a Boolean expression:
7.4 : Construction of the Directed Abstract Syntax Tree (DAST)
{{TxEnable and TxDataWr} | {TxDout and (not TxEnable or not TxDataWr)}}
Therefore, this Boolean expression is marked as monitored, and all its signals should
be observed.
always
assert
|->
;
;
TxDout *
REP |
and
TxEnable TxDataWr
and
orTxDout
TxEnable TxDataWr
not not
;
not
TxDout
;
TxDout
REP
*
6
not
TxDout
Figure 7.23: The directed abstract syntax tree of HDLC_240
Example 7. Annotation of the properties of GenBufRec.
Figure 7.24 shows the properties of GenBufRec after annotation. We can observe that
some signals are both observed and generated. Consider BtoR REQ(0). Property P1_rec
constrains this signal to 0. Property P3_rec_0 observes this signal, and also constrains
it to 0. In addition, property P4_rec_0 constrains this signal to 1. BtoR REQ(0) is a
duplicated signal.
Moreover, we can see in Fig. 7.24 that some signals have not been annotated. As an
example see signals BtoR REQ(0) and BtoR REQ(1) in property P0_rec. This property
states that if GenBuf is not empty, a request should be sent to one of the receivers, but
does not state which receiver. This cannot be decided locally based on this property alone;
it depends on other properties that constrain BtoR REQ(0) and BtoR REQ(1). We call
such signals unannotated signals.
Example 8. Annotation of the properties of High-Level Data Link Controller
(HDLC) transmitter.
Figure D.6 of Appendix D shows several annotated SERE properties of the HDLC
transmitter4. All the signals in the set of properties have been annotated. However, there
are several duplicated signals generated by several properties, for instance TxDout.
4The original properties are taken from [PPSQ13].
113
Chapter 7 : Annotation of the signals
vunit g enbu f r e c e i v e r
{
−−−−− r e c e i v e r s i d e
P0 rec :
assert (always (not EMPTYm −> next ! ( BtoR REQ(0) or ( BtoR REQ(1) ) ) ) ) ;
P1 rec :
assert (always (EMPTYm −> next ! ( not BtoR REQ g(0) and (not BtoR REQ g
(1) ) ) ) ) ;
P2 rec :
assert (always (not BtoR REQ(0) or not BtoR REQ(1) ) ) ;
P3 rec 0 :
assert (always ( rose (BtoR REQ m(0) ) −> next ! (next event ! (prev (not
BtoR REQ m(0) ) ) (not BtoR REQ g(0) unti l (BtoR REQ m(1) ) ) ) ) ) ;
P3 rec 1 :
assert (always ( rose (BtoR REQ m(1) ) −> next ! (next event ! (prev (not
BtoR REQ m(1) ) ) (not BtoR REQ g(1) unti l (BtoR REQ m(0) ) ) ) ) ) ;
P4 rec 0 :
assert (always ( (BtoR REQ m(0) ) and (not RtoB ACK m(0) )−> next ! (
BtoR REQ g(0) ) ) ) ;
P4 rec 1 :
assert (always ( (BtoR REQ m(1) ) and (not RtoB ACK m(1) )−> next ! (
BtoR REQ g(1) ) ) ) ;
P5 rec 0 :
assert (always ( (RtoB ACK m(0) ) −> (next ! (not BtoR REQ g(0) ) ) ) ) ;
P5 rec 1 :
assert (always ( (RtoB ACK m(1) ) −> (next ! (not BtoR REQ g(1) ) ) ) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P6 FIFO rec :
assert (always ( ( f e l l (RtoB ACK m(0) ) or ( f e l l (RtoB ACK m(1) ) ) and not
EMPTYm) −> (DEQ g) ) ) ;
P7 FIFO rec :
assert (always ( not f e l l (RtoB ACK m(0) ) and not f e l l (RtoB ACK m(1) ) −>
(not DEQ g) ) ) ;
}
Figure 7.24: Annotated FL speciﬁcation of GenBuf communication with receiver in the
case of two receivers
7.5 : Summary
7.5 Summary
In this chapter we explained how to decide the direction of each signal involved in a
property. We started by representing each property using its Abstract Syntax Tree (AST).
We interpreted the dependency relation of each FL and SERE operator into a Directed
Abstract Syntax Tree (DAST). The annotation algorithm uses the DAST of each operator,
and builds recursively the DAST of the property.
As was shown in the above examples, two issues remain to be solved: duplicated and
unannotated signals. In Chapter 8 we explain how to ﬁnd the duplicated and unannotated
signals using DASTs, and in Chapter 9 we explain how to resolve these signals.
115
Chapter 7 : Annotation of the signals
Chapter8
Complex Reactant
Contents
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
8.2 Intuitive construction of a property reactant . . . . . . . . . . 118
8.2.1 Intuitive construction of an FL reactant . . . . . . . . . . . . . 118
8.2.2 Intuitive construction of a SERE reactant . . . . . . . . . . . 119
8.3 Principles of the recursive construction . . . . . . . . . . . . . 123
8.3.1 The base case . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
8.3.2 FL properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
8.3.3 SERE properties . . . . . . . . . . . . . . . . . . . . . . . . . . 125
8.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
117
Chapter 8 : Complex Reactant
8.1 Introduction
In this chapter we explain how to construct the complex reactant of a property, hav-
ing the primitive reactants and signal directions. We use the Directed Abstract Syntax
Tree (DAST) of each property to interconnect the primitive reactants and construct the
complex reactant.
8.2 Intuitive construction of a property reactant
The DAST of each property is either fully directed, or may have some undirected sub-
trees. The reactant is built for the fully directed sub-tree of the DAST. Each non-terminal
node is replaced by an instance of the primitive reactant (i.e. hardware implementation
for a temporal operator) or logic gate (for a Boolean operator) interconnected to its
children. For a logic gate, the interconnection is obvious. For a primitive reactant, the
interconnection principles are discussed based on the operator.
8.2.1 Intuitive construction of an FL reactant
To interconnect the FL primitive reactants corresponding to each node v of a DAST we
should consider the direction of the corresponding edges of v.
• If the direction is (P(v) → v), the trig output of P(v) is connected to the start
input of v. If v is a leaf, the DAST whose root is v is assigned to the trig output;
trig constrains v.
• If the direction is (P(v)← v), the observed signal (for a leaf) or the trig output of
v (for an internal node) is connected to the cond input of P(v).
Example 1. Reactant construction for P5_rec_0.
Consider the annotated property P5_rec_0 from GenBufRec:
P5 rec 0 :
always ( (RtoB ACK m(0) ) −> (next ! (not BtoR REQ g(0) ) ) ) ;
Figure 8.1 shows the DAST of this property. The DAST is fully directed; therefore,
the reactant is built for the DAST.
Consider the connection of the primitive reactant of ‘–>’ to its children. Therefore v
in the above discussion is any child of ‘–>’. On the right-hand side, v = next!. We have
(–> → next!); therefore, the trig of ‘–>’ should be connected to the start signal of next!
(Fig. 8.2). For the left child we have (–> ← RtoB ACK m(0)); therefore, RtoB ACK m(0)
should be connected to the cond port of the primitive reactant of ‘–>’.
Example 2. Reactant construction for P0_rec.
Consider the annotated property P0_rec from GenBufRec:
P0 rec :
always (not EMPTYm −> next ! ( BtoR REQ(0) or BtoR REQ(1) ) ) ;
8.2 : Intuitive construction of a property reactant
always
next!
not
BtoR_REQ(0)
>
RtoB_ACK(0)
Figure 8.1: DAST of P5_rec
RtoB_ACK(0)
next!
>
RtoB_ACK(0)
cond trig
start
> cond trig
start
next!
Figure 8.2: Interconnection of the ‘–>’ primitive reactant (P5_rec)
Figure 8.3(a) shows the DAST of this property. The DAST is not fully directed (see
the sub-tree whose root is or); signals BtoR REQ(0) and BtoR REQ(1) are unannotated.
The reactant is built for the fully annotated sub-tree of this DAST.
The complex reactant for P0_rec is shown in Fig. 8.3(b). In this ﬁgure, the trig
output of the next! primitive reactant constrains a Boolean expression (BtoR REQ(0) or
BtoR REQ(1)), instead of constraining a signal value. We represent this expression with
Expr , and the trigger output of the reactant with Etrig . Actually, Etrig corresponds to
the unannotated sub-tree of the DAST. Component assert activates the circuit after
reset.
8.2.2 Intuitive construction of a SERE reactant
To interconnect the SERE primitive reactants, we should consider various categories of
SERE operators. Remember from Chapter 6 that the primitive reactant of a SERE
operator, has start , cond1, and cond2 inputs in addition to the synchronization signals.
It has also three outputs: trig l, trig r, and ended . The ended output becomes 1 when
the sequence completes.
8.2.2.1 Simple SERE
In a simple SERE sequence, e.g. ϕ = A;B , the primitive reactant of ‘;’ and its left sub-
sequence (A) start at the same time; therefore, they share the same start signal. Based
on the edge directions between the simple SERE operator and its children we have:
• If v is the left child (v = Lch(P(v))):
119
Chapter 8 : Complex Reactant
>
Etrig
always
not
BtoR_REQ(0)
next!
or
BtoR_REQ(1)
EMPTY
(a) DAST of P0_rec
not EMPTY
cond
trigstart
> cond
trigstart
next!
cond
trigstart
always
clock
reset
trig
assert BtoR_REQ(0) or
BtoR_REQ(1)
Etrig
(b) The complex reactant for P0_rec
Figure 8.3: Reactant for P0_rec
– If v is an internal node:
∗ the start input of P(v) is connected to the start input of v.
∗ the ended output of v is connected to the cond1 input of P(v).
– If v is a leaf:
∗ If the direction is (P(v)← v), v (the signal represented by v) is connected
to the cond1 input.
∗ If the direction is (P(v) → v), cond1 is connected to ‘1’, and trig l con-
strains v.
• If v is the right child (v = Rch(P(v))), the same rules as for the left child apply,
replacing:
– cond1 by cond2
– trig l by trig r
Here, we assumed that none of the left and right sub-sequences are an unbounded
repetition.
Example 3. Simple SERE reactant construction.
Consider the annotated property HDLC_240 from the HDLC transmitter:
HDLC 240 :
always ( {not TxLastBit m and not TxDataWr m ; TxLastBit m and not
TxDataWr m}
|−> { {not TxDout g ; (TxDout g ) [ ∗ 6 ] ; not TxDout g } ;
{TxDout g } [ ∗ ] ; { {TxEnable m and TxDataWr m} | {TxDout m and (not
TxEnable m or not TxDataWr m) } } }) ;
8.2 : Intuitive construction of a property reactant
always
|->
;
;
TxDout *
REP |
and
TxEnable TxDataWr
and
orTxDout
TxEnable TxDataWr
not not
;
not
TxDout
;
TxDout
REP
*
6
not
TxDout
depth = 7
depth = 6
depth = 3 depth = 2
depth = 2
depth = 1
depth = 1
Boolean
expr
Figure 8.4: The directed abstract syntax tree of HDLC_240
The DAST of this property is shown in Fig. 8.4. In this ﬁgure, the depth of each
sub-property, deﬁned in Section 8.3.3, is written next to the root of its sub-tree.
Figure 8.5(a) shows a sub-tree of the DAST of property HDLC_240, corresponding to
(TxDout)[∗6]; notTxDout. The root of this sub-tree is operator ‘;’.
;
TxDout
REP
*
6
not
TxDout
trig_r
(a) Partial DAST of HDLC_240
cond1
endedstart
cond2
trig_l
trig_r
;
cond1
endedstart
cond2
trig_l
trig_r
REP
(*6)
start
'1''0'
'1'
(b) Interconnection of the ‘;’ primitive reactant (HDLC_240)
Figure 8.5: Simple SERE primitive reactant interconnection
We connect the primitive reactant of ‘;’ to the primitive reactants of its children. Node
v in the above discussion is any child of ‘;’. First assume that v = REP, left child of ‘;’.
We have (; → REP); therefore, the start signal of REP is connected to the start signal of
‘;’, and the ended signal of REP is connected to cond1 of ‘;’ (Fig. 8.5(b)).
121
Chapter 8 : Complex Reactant
For the right child we have (; → not). The right child is a Boolean expression; there-
fore, the cond2 input is connected to ‘1’ and trig r constrains TxDout to 0 (Fig. 8.5(b)).
The sub-tree of the partial DAST with root not is associated to the trig r. The ended
output of ‘;’ indicates that the sequence completes, with the emission of trig r.
8.2.2.2 Compound SERE
In a compound SERE sequence, both sub-sequences start at the same time.
• If v is the left child (v = Lch(P(v))):
– If v is an internal node:
∗ the trig l output of P(v) is connected to the start input of v.
∗ the ended output of v is connected to the cond1 input of P(v).
– If v is a leaf:
∗ If the direction is (P(v)← v), v (the signal represented by v) is connected
to the cond1 input of P(v).
∗ If the direction is (P(v) → v), cond1 is connected to ‘1’, and trig l con-
strains v.
• If v is the right child (v = Rch(P(v))), the same rules as for the left child apply,
replacing:
– cond1 by cond2
– trig l by trig r
Here, we assumed that none of the left and right sub-sequences are unbounded repe-
tition.
8.2.2.3 Unbounded SERE
As was mentioned in Chapter 6, an unbounded repetition should be followed by a Boolean
expression (see the right-most sub-tree in Fig. 8.4, whose root is ‘;’). Let v be node REP,
the root of the unbounded repetition sub-tree.
• If Lch(v) is not a leaf:
– The trig l output of the ‘∗’ primitive reactant is connected to the start input
of Lch(v).
– The ended output of Lch(v) is connected to the cond1 input of the ‘∗’ primitive
reactant.
• If Lch(v) is a leaf:
– The trig l output of the ‘∗’ primitive reactant constrains the signal of Lch(v).
– The cond1 input of the ‘∗’ primitive reactant is connected to ‘1’.
• the Boolean expression associated to the sibling of v (Rch(P(v))) is connected to
the cond2 input of the ‘∗’ primitive reactant.
8.3 : Principles of the recursive construction
Example 4. Unbounded SERE reactant construction.
Figure 8.6(a) shows the simpliﬁed sub-tree of the unbounded repetition in Fig. 8.4.
Node v is REP. Its sibling is a Boolean expression that is connected to cond2 of the ‘∗’
primitive reactant. The trig l output of this reactant constrains TxDout (Fig. 8.6)(b).
;
TxDout
REP
*
Boolean
expr
trig_l
(a) Partial DAST of HDLC_240
cond1
endedstart
cond2
trig_l
trig_r
REP
(*)Boolean expr
'1'
(b) Interconnection of the ‘∗’ primitive reactant (HDLC_240)
Figure 8.6: Unbounded SERE primitive reactant interconnection
8.3 Principles of the recursive construction
In this section, we explain the principles of the recursive construction using the concepts
and formalism introduced in Chapters 5 and 6.
Informally, all the operands of ϕ stand for signals of the reactant, some of which are
observed, others are generated (see Chapter 7). All reactants have a reset and a clock
input signal. By default, we consider that all signal values are taken at the rising edge of
clock. An input signal start is used to set the reactant active, and the activity may take
one or more clock cycles.
During its activity, the reactant observes input signals and constrains the value of one
or more signals. We recall that the output of a reactant is not the value of a signal, but
the trigger that will start the primitive hardware component in charge of the signal value
generation or observation.
For each operator, circuit C implements its primitive reactant.
A complex reactant is built by interconnecting the primitive reactants; it is done
recursively according to the depth (number of nested FL or SERE operators) of property
ϕ, denoted | ϕ |.
We now show how, for all n ∈ N, for all properties ϕn of depth n, we construct a
reactant circuit that implements ϕn.
∀n ∈ N, ∀ϕn, n =| ϕn |, ∃Cn, Cn�ϕn
8.3.1 The base case
Let n = 0 be the depth of property ϕ0. In this case, ϕ0 is a Boolean expression, which is
implemented using a Boolean primitive reactant introduced in Chapter 5. Here, we just
123
Chapter 8 : Complex Reactant
bring again Fig. 8.7 as a reminder. The trigger output(s) of a primitive reactant constrains
its operand(s).
Figure 8.7: Base case: Boolean reactants
In the remaining of this chapter, we eliminate all the Boolean reactants from the ﬁgures
for the sake of simplicity.
8.3.2 FL properties
Let n > 0 be the depth of property ϕn. According to the abstract syntax tree of ϕn, there
exists a FL operator denoted Ωn, a subproperty ϕn−1 and a Boolean operand opn such
that ϕn = Ωn(ϕn−1, opn). The circuit Cn is the interconnection of the subcircuit Cn−1 and
a primitive reactant that implements Ωn (Fig. 8.8).
Circuit Cn takes the synchronization signal, start and some observed signals. The trig
output of Ωn connects to the start input of circuit Cn−1, if ϕn−1 is not Boolean; otherwise,
trig constrains ϕn−1.
Figure 8.8: Recursive construction of circuit Cn
Example 5. Reactant for property P5_rec_0.
The construction of the reactant for this property follows the principles just explained.
Property P5_rec_0 is a depth 3 property, with Ω3 = always, Ω2 = –>, and Ω1 =
next!. The complex reactant of this property is shown in Fig. 8.9. Signal BtoR REQ(0)
is constrained by the trig signal of the next! operator primitive reactant.
8.3 : Principles of the recursive construction
RtoB_ACK(0)
cond
trigstart
> cond
trigstart
next!
cond
trigstart
always
clock
reset
trig
assert
Figure 8.9: Implementation of Genbuf property P5_rec_0
8.3.3 SERE properties
Here, we show how a complex reactant for a SERE property is constructed recursively,
based on the depth of the property, | ϕ |. The depth of a SERE property is deﬁned as
n =| ϕL | + | ϕR | +1, where | ϕL | and | ϕR | are the total number of nested SERE
operators in ϕL and ϕR. As an example, see the DAST of property HDLC_240, shown in
Fig. 8.4. Here, we show how for each category of SERE operators, Cn is constructed using
the primitive reactant of the operators.
8.3.3.1 Simple SEREs
Let n > 0 be the depth of property ϕn, n
L ≥ 0 and nR ≥ 0 the depths of its left and right
children, ϕLnL and ϕ
R
nR .
We assume that the left sub-sequence is not an unbounded repetition. Then, the
circuit Cn is the interconnection of the sub-circuit CLnL , CRnR and a primitive reactant that
implements Ωn ∈ {; , :}.
In the simple SEREs, the Cn and CLnL sub-circuits start at the same time, after the
activation of the start signal (startLnL = startn). Ωn generates three signals:
1 The Ωn.trig l signal is directly connected to Ω.cond1. It constrains the left operand,
if it is a Boolean.
2 The Ωn.trig r signal starts the sub-circuit CRnR , if ϕRnR is not Boolean; otherwise, it
constrains ϕRnR .
3 The Ωn.ended output indicates ϕ completes.
Figure. 8.10 illustrates the recursive construction.
Figure 8.10: Recursive construction of circuit Cn (Ωn ∈ {; , :})
125
Chapter 8 : Complex Reactant
8.3.3.2 Compound SEREs
Let n > 0 be the depth of property ϕn. According to the abstract syntax tree of ϕn, there
exists a SERE operator denoted Ωn, a left sub-sequence ϕ
L
nL and a right sub-sequence ϕ
R
nR .
As the right and left sub-sequences start at the start time of Cn (startLnL = startRnR =
startn). Ωn generates these signals:
1 The Ωn.trig l signal indicates the start of the reactant of ϕ
L
nL , if it is not Boolean.
Otherwise, it constrains the left operand.
2 The Ωn.trig r signal indicates the start of the reactant of ϕ
R
nR , if it is not Boolean.
Otherwise, it constrains the right operand.
3 The Ωn.ended signal indicates if ϕn completes.
Figure. 8.11 illustrates the recursive construction.
Figure 8.11: Recursive construction of circuit Cn (Ωn ∈ {&,&&, |})
8.3.3.3 Unbounded SEREs
Assume that ϕn = ϕn−1[∗]. Figure. 8.12 illustrates the recursive construction of ϕn−1[∗].
As was discussed before, an unbounded repetition is followed by a Boolean expression
(op0). The Boolean expression is connected to the cond2 input of the reactant of Ωn = ∗.
The primitive reactant of Ωn generates the following signals:
1 The Ωn.trig l signal that is connected to Cn−1.start , if ϕn−1 is not Boolean. Other-
wise, Ωn.trig l is the output of the reactant and constrains ϕn−1.
2 The Ωn.ended signal that indicates each time ϕn−1 occurs.
Example 6. Reactant for property HDLC_240 (from HDLC transmitter).
8.3 : Principles of the recursive construction
Figure 8.12: Recursive construction of circuit Cn (Ωn ∈ {∗,+})
The construction of the reactant for this property follows the principles just explained.
We show the reactant of the right-hand side of the implication operator. Figure 8.13 shows
the complex reactant of this sub-sequence.
cond1
start
cond2
trig_l
REP
(*)b
cond1
start
cond2
trig_l
trig_r
;
cond1
start
cond2
trig_l
trig_r
;cond
start
>
cond1
start
cond2
trig_l
trig_r
;
cond1
start
cond2
trig_lREP
(*6)
cond1
start
cond2 trig_l
trig_r
;'1'
'1'
step 1
step 2
step 3
step 4
step 5
step 6
trig ended
ended
ended
ended
endedended
Figure 8.13: Implementation of HDLC property HDLC_240
The steps for constructing this complex reactant are shown in the following. In each
step, the left and right sub-sequences are shown. In the ﬁrst step, we instantiate the
primitive reactant for ‘;’. Then we connect it to the primitive reactant of ϕL3 and ϕ
R
2 .
Therefore, we construct the reactant of these sub-sequences recursively.
127
Chapter 8 : Complex Reactant
step 1 :ϕ6 = {notTxDout; {TxDout[∗6]; notTxDout}}; {TxDout[∗];BoolExpr}
Ω6 =;
ϕL3 = notTxDout; {TxDout[∗6]; notTxDout}
ϕR2 = TxDout[∗];BoolExpr
step 2 :ϕ3 = notTxDout; {TxDout[∗6]; notTxDout}
Ω3 =;
ϕL0 = notTxDout
ϕR2 = TxDout[∗6]; notTxDout
step 3 :ϕ2 = TxDout[∗6]; notTxDout
Ω2 =;
ϕL1 = TxDout[∗6]
ϕR0 = notTxDout
step 4 :ϕ1 = TxDout[∗6]
Ω1 = [∗6]
ϕ0 = TxDout
step 5 :ϕ2 = TxDout[∗];BoolExpr
Ω2 =;
ϕL1 = TxDout[∗]
ϕR0 = BoolExpr
step 6 :Ω1 = [∗]
ϕ0 = TxDout
As is shown in Fig. 8.13, signal TxDout is constrained several times in the property. A
signal s is called duplicated if it is generated several times in a property, or is generated
by several properties.
8.4 Summary
In this chapter we discussed the principles of the recursive construction of a reactant. A
reactant is constructed for each property. The advantage of our construction method is
having access to the trigger of each primitive reactant module. It increases the observabil-
ity of the generated circuit, and makes it appropriate for debugging purposes. However,
two issues still remain to be solved: duplicated signals and unannotated signals. In the
next chapter, we solve these issues.
Chapter9
Resolution of the signals
Contents
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
9.2 Constraints computed from directed DASTs . . . . . . . . . . 130
9.3 Constraints computed from semi-directed DASTs . . . . . . . 132
9.4 Dependency Graph (DG) . . . . . . . . . . . . . . . . . . . . . . 133
9.5 Dependency Graph construction . . . . . . . . . . . . . . . . . 135
9.6 The resolution function: solver . . . . . . . . . . . . . . . . . . 136
9.6.1 Resolving duplicated signals: simple solver . . . . . . . . . . . 136
9.6.2 Resolving unannotated signals: complex solver . . . . . . . . . 137
9.7 The ﬁnal circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
9.7.1 Checking the consistency . . . . . . . . . . . . . . . . . . . . . 141
9.7.2 Checking the completeness . . . . . . . . . . . . . . . . . . . . 142
9.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
129
Chapter 9 : Resolution of the signals
9.1 Introduction
In this chapter we explain how to resolve the value of the duplicated and unannotated
signals. We express the dependency among all properties using a Dependency Graph. To
this goal, we partition the Directed Abstract Syntax Trees (DASTs) of the properties into
directed and semi-directed. Then, we consider directed DASTs to extract the dependencies
for a duplicated signal, and analyze the semi-directed DASTs to extract the dependencies
for unannotated signals.
We construct two kind of solvers: 1) simple solvers for resolving the duplicated signals,
and 2) complex solvers for resolving the unannotated signals.
Additionally, from the dependency graph we extract the information for verifying if
the set of properties are complete and consistent.
9.2 Constraints computed from directed DASTs
In a directed DAST all the edges are directed, and hence, all the signals are annotated.
We start by an example.
Example 1. Directed DASTs of GenBufRec.
As was shown in Chapter 7, several properties of GenBufRec are fully annotated,
and there are several properties that constrain a signal. For example, consider the three
following properties:
P1 rec :
always (EMPTYm −> next ! ( not BtoR REQ g(0) and (not BtoR REQ g(1) ) ) ) ;
P3 rec 0 :
always ( rose (BtoR REQ m(0) ) −> next ! ( next event ! ( prev (not BtoR REQ m
(0) ) ) (not BtoR REQ g(0) unti l (BtoR REQ m(1) ) ) ) ) ;
P4 rec 0 :
always ( (BtoR REQ m(0) ) and (not RtoB ACK m(0) )−> next ! ( BtoR REQ g(0) ) ) ;
The DASTs of these properties are shown in Fig. 9.1, Fig. 9.2, and Fig. 9.3.
>
not
always
not
BtoR_REQ(0)
next!
and
BtoR_REQ(1)
EMPTY
Figure 9.1: DAST of P1_rec
9.2 : Constraints computed from directed DASTs
>
always
rose
BtoR_REQ(0)
next!
next_event
BtoR_REQ(1)
prev
not
BtoR_REQ(0)
until_
not
BtoR_REQ(0)
Figure 9.2: DAST of P3_rec
>
notBtoR_REQ(0)
always
BtoR_REQ(0)
next!and
RtoB_ACK(0)
Figure 9.3: DAST of P4_rec
131
Chapter 9 : Resolution of the signals
All these DASTs are fully directed, and all the signals are annotated. As is shown in
these DASTs, BtoR REQ(0) is constrained to 0 by properties P1_rec and P3_rec_0, while
it is constrained to 1 by P4_rec_0.
Considering all the properties of GenBufRec (see Chapter 7, Fig. 7.24), the set of the
directed DASTs is:
DIRECTED = { P1_rec, P3_rec_0, P3_rec_1, P4_rec_0, P4_rec_1, P5_rec_0,
P5_rec_1, P6_FIFO_rec, P7_FIFO_rec }
As was discussed in Chapter 8, for each DAST of DIRECTED , the reactant is built,
and the trigger output, trig , constrains a signal to 0 or 1. For each signal z, there may be
several trigger signals that constrain z to 0 (Trig¬z) or to 1 (Trigz). We should ﬁnd all
these trigger signals. Let Trig i¬z , 0 ≤ i ≤ nb0−1 be the nb0 triggers of the reactants that
constrain signal z to 0, and Trig jz , 0 ≤ j ≤ nb1 − 1 be the nb1 triggers that constrain z
to 1. Two vectors T 0 z and T 1 z are deﬁned as:
T 0 z = (Trig0¬z,Trig1¬z, . . . ,Trignb0−1¬z )
T 1 z = (Trig0z,Trig1z, . . . ,Trignb1−1z )
For each signal z, signals T0 z and T1 z are deﬁned as:
T0 z =
�
i
Trig i¬z , and T1 z =
�
j
Trig jz
Back to Example 1, for signal BtoR REQ(0) we have:
T 0BtoR REQ(0) = (Trig0¬BtoR REQ(0),Trig1¬BtoR REQ(0))
T 1BtoR REQ(0) = (Trig0BtoR REQ(0))
where, Trig0¬BtoR REQ(0) corresponds to property P1_rec, Trig
1
¬BtoR REQ(0) corresponds to
property P3_rec_0, and Trig0BtoR REQ(0) corresponds to property P4_rec_0 (see ﬁgures
9.1, 9.2, and 9.3). Consequently,
T0BtoR REQ(0) = Trig
0
¬BtoR REQ(0) ∨ Trig1¬BtoR REQ(0)
T1BtoR REQ(0) = Trig
0
BtoR REQ(0)
9.3 Constraints computed from semi-directed DASTs
As was shown in Chapter 7 several signals of properties remain unannotated. We start
by an example.
Example 2. Semi-directed DASTs of GenBufRec.
Consider the two following properties of GenBufRec:
P0 rec :
always (not EMPTYm −> next ! ( BtoR REQ(0) or ( BtoR REQ(1) ) ) ) ;
P2 rec :
always (not BtoR REQ(0) or not BtoR REQ(1) ) ;
9.4 : Dependency Graph (DG)
>
always
not
BtoR_REQ(0)
next!
or
BtoR_REQ(1)
EMPTY
Figure 9.4: DAST of P0_rec
not not
always
BtoR_REQ(0)
or
BtoR_REQ(1)
Figure 9.5: DAST of P2_rec
Figures 9.4 and 9.5 show the DASTs of properties P0_rec and P2_rec.
Both DASTs are semi-directed, since they have some unannotated signals: BtoR REQ(0)
and BtoR REQ(1). This is due to the fact that several dependency rules apply for operator
or. Intuitively, property P0_rec states that whenever the EMPTY signal is 0, there should
be a request to a receiver, but is does not say which receiver.
Considering these properties in isolation cannot suﬃce to decide which signal among
BtoR REQ(0) and BtoR REQ(1) must be generated. All the properties that aﬀect these
signals must be considered together.
In the case of GenBufRec, the set of semi-directed DASTs is:
SEMIDIRECTED = { P0_rec, P2_rec }
For each DAST of SEMIDIRECTED , the semi-directed sub-trees are pruned away,
and the reactant is built for the directed sub-tree with the method explained in Chap-
ter 8. Let Etrig j be the output signal of such reactant, and Expr j the Boolean expres-
sion for the pruned sub-tree. The expressions E = (Expr 0, . . . ,Exprm) are triggered by
Etrig0, . . . ,Etrigm (see Fig. 9.4 and Fig. 9.5).
9.4 Dependency Graph (DG)
The Dependency Graph DG of a set of properties (P0, . . . , Pk−1) is a semi-directed and
labeled graph. We denote DG = (V,E), where:
• V = V 1 ∪ V 2 is the set of nodes:
– V 1 = L0∪· · ·∪Lk−1, where L0, . . . , Lk−1 are the set of leaves of DAST0, . . . ,DASTk−1
133
Chapter 9 : Resolution of the signals
– V 2 is the set of all the trig outputs of all the properties.
• E = E1 ∪ E2, where E1 is the set of the directed edges, and E2 is the set of
undirected edges, and:
– E1 ⊂ V 2× V 1, e.g. e = (Trig l → l)
– E2 ⊂ V 1× V 1, e.g. e = (l1–l2)
• Each edge e of the graph has a label w = (id, val, type), where:
– id: identiﬁes the property that creates edge e; therefore, 0 ≤ id ≤ k − 1
– val: if e is directed, val speciﬁes the value of the destination node, if the
value of the source node is 1. If e is undirected, val is set to -1. Therefore,
val ∈ {0, 1,−1}.
– type: speciﬁes if the edge is directed; therefore, type ∈ {d, u}, where ‘d’ means
directed, and ‘u’ means undirected.
The dependency graph may have several strongly connected components, each one speciﬁes
a set of interdependent generated signals Z = {z1, . . . zn} (see Fig. 9.6).
Example 3. Dependency graph of GenBufRec
DEQ(6, 1, d) (7, 0, d)
BtoR_REQ(0) BtoR_REQ(1)
(0, -1, u)
(2, -1, u)
(1, 0, d)
(3, 0, d)
(5, 0, d)
(4, 1, d)
(1, 0, d)
(3, 0, d)
(5, 0, d)
(4, 1, d)
Figure 9.6: Dependency graph of GenBufRec
The dependency graph of GenBufRec has 2 strongly connected components. DG1 con-
sists in nodes BtoR REQ(0) and BtoR REQ(1) and all their corresponding related triggers;
Z1 = {BtoR REQ(0), BtoR REQ(1)}. Consider edge (BtoR REQ(0) – BtoR REQ(1)), with
label w = (0,−1, u). The label means that the edge is created due to DAST0, P0_rec;
and the edge is undirected. It means that BtoR REQ(0) and BtoR REQ(1) depend on each
other.
Now consider node v1 = BtoR REQ(0), and v2 = Trig
0
¬BtoR REQ(0). There is a directed
edge e = (v2 → v1). The label of this edge is w = (1, 0, d). The ﬁrst element of the
label means that this edge is created due to DAST1, P1_rec. The second element means
9.5 : Dependency Graph construction
that if the value of Trig0¬BtoR REQ(0) is 1, then BtoR REQ(0) is constrained to 0. The third
element means that this edge is directed.
Component DG2 consists in signal DEQ and its two triggers; Z2 = {DEQ}. Since this
component has only one generated signal, the value of DEQ is independent from other
generated signals, it only depends on the value of its triggers (Trig0DEQ and Trig
0
¬DEQ).
9.5 Dependency Graph construction
The dependency graph is constructed in two steps from the DASTs of the properties.
1 For each directed DAST, DASTk:
1-1 For each generated leaf l of DASTk (i.e. (P(l)→ l)):
1-1-1 Add l to the nodes of DG (if it is not in V )
1-1-2 Add the corresponding trigger (Trig il or Trig
j
¬l) to V
1-1-3 Create an edge e from the trigger node to the signal node, e = (Trig il → l)
1-1-4 If the corresponding signal of l is constrained to 0: create the label w =
(k, 0, d), otherwise w = (k, 1, d)
2 For each semi-directed DAST, DASTk:
2-1 Prune away the fully directed sub-tree, and keep the undirected sub-tree
2-2 Add all the leaves of the undirected sub-tree into V (if they are not in V )
2-3 For each pair of nodes l1 and l2 coming from DASTk:
2-3-1 Add an edge between l1 and l2
2-3-2 Create the label w = (k,−1, u)
Example 4. Dependency graph construction for GenBufRec
Using the principles explained above, we show how to construct the dependency graph
of GenBufRec (see Fig. 9.6). Here, the result of each construction step is shown for the
DAST of properties P0_rec and P1_rec:
1 For DAST1 (corresponds to P1_rec):
1-1 For leaf BtoR REQ(0):
1-1-1 BtoR REQ(0) is added to the nodes of DG
1-1-2 Trig0¬BtoR REQ(0) is added to V
1-1-3 e =(Trig0¬BtoR REQ(0) → BtoR REQ(0))
1-1-4 w = (1, 0, d)
1-2 The above steps are repeated for leaf BtoR REQ(1)
2 For DAST0 (corresponds to P0_rec):
2-1 keep the undirected sub-tree whose root is or
2-2 BtoR REQ(0) and BtoR REQ(1) already exist in V
2-3 For BtoR REQ(0) and BtoR REQ(1)
2-3-1 e =(BtoR REQ(0) – BtoR REQ(1)) is added to E
2-3-2 w = (0,−1, u)
135
Chapter 9 : Resolution of the signals
9.6 The resolution function: solver
Now we discuss how to use the dependency graph DG for generating the solvers. We
construct two types of solvers: simple and complex. The ﬁrst one speciﬁes the value of
the duplicated signals, while the second one speciﬁes the value of the unannotated signals.
To extract the list of the duplicated and unannotated signals, we consider each strongly
connected sub-graph DGi (0 ≤ i ≤ k) of DG. For each DGi:
1 If it contains only one signal, z, the signal is annotated, and it is constrained only
by its triggers. If there is more than one trigger, the signal is duplicated. We need
a simple solver to specify its value based on its triggers.
2 If DGi contains a set of signals Z = {z1, . . . zn}, it means that the signals are not
annotated in all the properties, and their values depend not only on their triggers,
but also on the value of other signals in Z. In this case, we need a complex solver to
identify the signals’ values. Here, in addition to T 1 zj and T 0 zj for each signal zj, we
need to ﬁnd TZ = (Etrig0, . . . ,Etrigm−1), where m is the number of the expressions
that relate the signals of Z.
9.6.1 Resolving duplicated signals: simple solver
In DGi we consider each edge e = (v → z). If label w = (i, 0, d) we add the trigger that
is represented by node v to T 0 z; if label w = (i, 1, d) we add the trigger to T 1 z. After
ﬁnding T 1 z and T 0 z, the value of z should be calculated.
Signals T0 z and T1 z are the inputs of the solver component. The output will be the
ﬁnal value of signal z (see Fig. 9.7).
simple
solver
Figure 9.7: The interface of simple solver for duplicated signals
In our implementation, if none of T0 z and T1 z is active, the user has the choice to
select if signal z keeps its previous value or takes a default value. The solver function is
one of:
z =�0� when T0 z =� 1� else z =�0� when T0 z =� 1� else
�1� when T1 z =� 1�; �1� when T1 z =� 1� else
default value;
Example 5. Simple solver for GenBufRec.
For GenBufRec we have Z2 = {DEQ} (see Example 3). Considering DG2 of the
dependency graph, it is obvious that there are two edges whose destination node is DEQ.
Considering the label of each edge, we add Trig0DEQ to T 1DEQ and Trig0¬DEQ to T 0DEQ.
9.6 : The resolution function: solver
Then, a simple solver computes the value of DEQ :
DEQ =�0� when T0DEQ =� 1� else
�1� when T1DEQ =� 1� else
�0�;
Here, the default value is 0.
9.6.2 Resolving unannotated signals: complex solver
Assume that Z = (z1, . . . , zn), then, all the signals zi of this list are unannotated in
at least one property. These signals are interdependent through the list of expressions
E = (Expr 0, . . . ,Exprm−1), which are triggered by TZ = (Etrig0, . . . ,Etrigm−1). Generally,
we can say that signals zi, . . . , zn are the operands of the expressions Expr 0, . . . ,Exprm−1
triggered by Etrig0, . . . ,Etrigm−1.
At the ﬁrst step, for each signal zi we ﬁnd the list T 1 zi and T 0 zi using the principles
explained in Section 9.6.1.
Then, we should ﬁnd TZ . We consider each edge e of DG. If e is undirected, we add the
corresponding trigger signal, Etrig j, to TZ , and add its corresponding expression Expr j
to E .
9.6.2.1 Complex solver implementation
A complex solver takes (Etrig0, . . . ,Etrigm−1), (T1 z1 , . . . ,T1 zn), and (T0 z1 , . . . ,T0 zn) as
inputs, and it outputs the values of (z1, . . . , zn).
simple
solver
simple
solver
FindMatch
ComplexSolver
Figure 9.8: The interface of complex solver for unannotated signals
The problem is to solve the following set of equations, i.e. the values of (z1, . . . , zn),
by considering (T1 z1 , . . . ,T1 zn) and (T0 z1 , . . . ,T0 zn).

...
Etrig j → Expr j(z1, . . . , zn) = 1
...
The brute force idea is to construct a Look Up Table (LUT) for the FindMatch sub-
module (Fig. 9.8) by enumerating all the values of Z for each value t of TZ (initially, the
137
Chapter 9 : Resolution of the signals
LUT has m+ n columns, and at most 2m+n rows). Then, we select an appropriate row of
this LUT. However, most of these combinations are impossible due to the properties and
some valuation of TZ may never happen.
We consider the 2m values of vector TZ = (Etrig0, . . . ,Etrigm−1). Each value t of
TZ corresponds to the set of triggers that are simultaneously active. We associate to
this set of active triggers the global Boolean expression that is the “and” of the Expr j
corresponding to Etrig j = 1.
Mathematically, we deﬁne a function F that associates to each set of active triggers
its Boolean expression:
F : 2m → ExprBooln
t �→
m�
j=1
Etrigj=1 in t
Expr j
ExprBooln is the set of Boolean functions of n variables.
F(t) is an expression of z1, . . . , zn. Any assignment of z1, . . . , zn satisfying F(t) (i.e.
verifying that F(t) = 1) is a combination of the signal values that is compatible with the
value t of TZ .
We denote S(t) = {Z = (z1, . . . , zn)|F(t)(Z) = 1}, and we add these valuations of TZ
and Z to the LUT (a m + n bit vector, the ﬁrst m-bits represent value t of TZ , and the
next n-bits represent the valuation of Z ∈ S(t)).
After constructing the LUT, we should ﬁnd an appropriate row of the LUT based on
the value of TZ , (T1 z1 , . . . ,T1 zn), and (T0 z1 , . . . ,T0 zn). This is done in two steps:
1 First, we use n instances of the simple solver. For each signal zi, if either T1 zi = 1 or
T0 zi = 1, the value of zi is obtained from its triggers: zi = T1 zi ∨¬T0 zi . Therefore,
we ﬁrst ﬁx the value of such signals (see Fig. 9.8). The value of the other signals
is don’t care. The output of this step is thus the vector as Z � = (z�1, . . . , z�n), where
some signal values have been ﬁxed and the others are don’t care and should be
obtained from the LUT based on the signals that have ﬁxed values and TZ .
2 We deﬁne a compatibility relation R between the values of TZ and the values of Z �:
t R z� means that the particular combination of signal values z� may hold when the
triggers have value t .
R : 2m × 2n → Bool
t R z� ⇔ F(t)(z�) = 1
⇔ z� ∈ S(t)
In Fig. 9.8, the FindMatch circuit implements relation R, and it returns the value
of Z, if relation R holds. This circuit ﬁrst looks for the rows of the LUT that
correspond to value t of TZ . There may be several rows that match the value t .
These rows give various valuation of z� (S(t) has more than one member).
Among these rows, we select a row that matches with the signals that have ﬁxed
values, and obtained in step 1. If there is just one such row, the value of the other
signals is obtained from this row. Otherwise, we have to choose one row (currently,
we take the ﬁrst one).
9.7 : The ﬁnal circuit
Example 6. Complex solver of GenBufRec.
For GenBufRec, Z1 =(BtoR REQ(0), BtoR REQ(1)). To construct the LUT, we need
TZ1 = (Etrig0, Etrig1) (see Fig. 9.4 and Fig. 9.5). First, we add all the possible valuation
of TZ1 into the LUT, and for each valuation enumerate all the values of Z1.
To this goal, we consider expressions Expr 0 and Expr 1:
Expr 0 = BtoR REQ(0) orBtoR REQ(1)
Expr 1 = notBtoR REQ(0) or notBtoR REQ(1)
For value “11” of TZ , where Etrig0 and Etrig1 are simultaneously active, we have:
ExprBool2 = Expr0 ∧ Expr1
Based on this expression, if TZ =“11”, then S(11) = {01, 10}. Therefore, we add lines
“1101” and “1110” to the LUT. Similarly, if TZ = “10”, then S(10) = {01, 10}, and we
add “1001” and “1010” to the LUT. Actually, this combination of Etrig0 and Etrig1 never
happens, since Etrig1 corresponds to the child of the always operator and it is always
1 (Fig. 9.5). To eliminate this row, we need to do model checking, to identify which
combinations of the Etrig signals never occur. If TZ = “01”, S(01) = {00, 01, 10}, and
“0100”, “0101”, and “0110” are added to the LUT. The LUT is shown in Fig. 9.9.
Etrig0 Etrig1 BtoR REQ(0) BtoR REQ(0)
1 1 0 1
1 1 1 0
1 0 0 1
1 0 1 0
0 1 0 0
0 1 0 1
0 1 1 0
Figure 9.9: The LUT of the complex solver of GenBufRec
Now assume that TZ = “01”, T1BtoR REQ(0) = 1, T0BtoR REQ(0) = 0, T1BtoR REQ(1) =
0, and T0BtoR REQ(1) = 0. First, we consider the trigger signals. For signal BtoR REQ(0)
we have T1BtoR REQ(0) ∨ T0BtoR REQ(0) = 1, therefore, the value of BtoR REQ(0) is ob-
tained from its trigger signals and it is 1. For signal BtoR REQ(1) both trigger signals
are 0. Therefore, the value of this signal should be obtained from the LUT. TZ = “01”,
therefore, the last three lines of the LUT are selected. The value of BtoR REQ(0) has
been already ﬁxed to 1. Consequently, we should select the last line, and the value of
BtoR REQ(1) becomes 0.
9.7 The ﬁnal circuit
The ﬁnal circuit is the interconnection of the property reactants (see Chapter 8) and
solvers.
Example 7. The ﬁnal circuit of GenBufRec.
Figure 9.10 shows the interconnection of all the property reactants with the solver
components for GenBufRec.
139
Chapter 9 : Resolution of the signals
clock reset
RtoB_ACK(0) RtoB_ACK(1)
BtoR_REQ(0)
DEQ
BtoR_REQ(1)
P7_FIFO_rec
P6_FIFO_rec
P0_rec
P1_rec
P2_rec
P3_rec_0
P3_rec_1
P4_rec_0
P4_rec_1
P5_rec_0
P5_rec_1
simple
solver
complex
solver
EMPTY
Figure 9.10: The ﬁnal circuit of GenBufRec
9.7 : The ﬁnal circuit
9.7.1 Checking the consistency
The deﬁnition of z is consistent iﬀ in all the cycles:
T1 z ∧ T0 z = 0
For each signal we obtained T1 z and T0 z from the dependency graph. Therefore, we
can generate complementary properties automatically for verifying the above condition.
These properties, together with the generated circuit are the inputs of a formal veriﬁcation
tool to prove the correctness of the generated circuit (see Chapter 4, Fig. 4.1).
Example 8. Consistency checking for the BtoR REQ(0) signal from GenBufRec
Considering all the properties of GenBufRec, for signal BtoR REQ(0) we have:
T0BtoR REQ(0) = Trig
0
¬BtoR REQ(0) ∨ Trig1¬BtoR REQ(0) ∨ Trig2¬BtoR REQ(0)
T1BtoR REQ(0) = Trig
0
BtoR REQ(0)
The corresponding timing diagram is shown in Fig. 9.11.
0 1 2 3 4 5 6 7 8 9
clock
EMPTY
BtoR REQ(1)
Trig0¬BtoR REQ(0)
Trig1¬BtoR REQ(0)
Trig2¬BtoR REQ(0)
T0BtoR REQ(0)
Trig0BtoR REQ(0)
T1BtoR REQ(0)
BtoR REQ(0)
RtoB ACK(0)
Figure 9.11: Timing diagram of BtoR REQ(0) and corresponding trigger signals
The PSL property that veriﬁes if the set of properties constraining BtoR REQ(0) are
consistent is:
always (not T1 BtoR REQ 0 or not T0 BtoR REQ 0 ) ;
Now, assume that we change P5_rec_0 as follows:
P5 r e c 0 f a l s e :
assert (always ( (not RtoB ACK m(0) )−> next ! (not BtoR REQ g(0) ) ) ) ;
The new timing diagram is shown in Fig. 9.12. As is shown, the property fails in cycles
�2 to �5, since in these cycles both T1BtoR REQ(0) and T0BtoR REQ(0) are active.
141
Chapter 9 : Resolution of the signals
0 1 2 3 4 5 6 7 8 9
clock
EMPTY
BtoR REQ(1)
Trig0¬BtoR REQ(0)
Trig1¬BtoR REQ(0)
Trig2¬BtoR REQ(0)
T0BtoR REQ(0)
Trig0BtoR REQ(0)
T1BtoR REQ(0)
BtoR REQ(0)
RtoB ACK(0)
Figure 9.12: Timing diagram of BtoR REQ(0) and corresponding trigger signals
9.7.2 Checking the completeness
The deﬁnition of z is complete iﬀ in all the cycles:
T1 z ∨ T0 z = 1
Again, we can generate complementary properties automatically for verifying the above
condition.
Example 9. Checking the completeness of the properties that constrain the
BtoR REQ(0) signal from GenBufRec
Considering T0BtoR REQ(0) and T1BtoR REQ(0), for signal BtoR REQ(0). The PSL prop-
erty that veriﬁes if the set of properties constraining BtoR REQ(0) are complete is:
always (T1 BtoR REQ 0 or T0 BtoR REQ 0 ) ;
In the timing diagram of Fig. 9.12, in cycles �0 and �1 none of the T0BtoR REQ(0) and
T1BtoR REQ(0) signals are active; therefore, the annotated properties are not suﬃcient to
specify the BtoR REQ(0) signal completely.
SyntHorus2 generates the PSL properties and VHDL assertions for verifying the consis-
tency and completeness of the set of properties both in formal veriﬁcation and simulation.
If the deﬁnition is consistent but not complete, one or more signal z may not have
been annotated and depends on other signals. In this case, its value should be speciﬁed by
a complex solver. Otherwise, the designer may wish to provide a default value for signal
z.
9.8 Summary
In this chapter we discussed how to resolve the value of unannotated and duplicated
signals. We explained how to express the dependency among all properties by constructing
9.8 : Summary
a dependency graph. Using this graph we identiﬁed the properties that constrain a signal,
and built a simple solver for resolving the value of such signals. Additionally, from the
dependency graph we obtained the unannotated signals, and their dependencies. We
constructed a complex solver for resolving the value of each set of unannotated signals.
The ﬁnal circuit is the interconnection of properties’ reactants and solvers. Moreover, we
can generate complementary properties for verifying the consistency and completeness of
the speciﬁcation.
143
Chapter 9 : Resolution of the signals
Chapter10
Practical Experiments and Results
Contents
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
10.2 Hardware prototyping and synthesis results . . . . . . . . . . 146
10.2.1 IBM Generalized Buﬀer (GenBuf) . . . . . . . . . . . . . . . . 147
10.2.2 AMBA arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
10.2.3 Other examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
10.2.4 Comparison between FLs and SEREs . . . . . . . . . . . . . . 154
10.3 Completeness and coherency consideration . . . . . . . . . . . 157
10.4 Guidelines for obtaining smaller circuits . . . . . . . . . . . . . 158
10.4.1 GenBuf: Multiple senders . . . . . . . . . . . . . . . . . . . . . 161
10.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
145
Chapter 10 : Practical Experiments and Results
10.1 Introduction
We applied our synthesis method to several case studies: GenBuf 1(see Chapter 4),
AMBA2 Arbiter (Appendix C), HDLC3 (Appendix B), CRC4, and SDRAM5. The gen-
erated circuits are synthesized both for FPGA6 and ASIC7 implementation. The results
are compared to the results of another tool, Ratsy. We show how our method considers
coherency and completeness of the properties. Finally, some guidelines are provided for
writing the properties so that the generated circuits are smaller.
10.2 Hardware prototyping and synthesis results
SyntHorus2 implements the ABS8 method disclosed in this thesis. It takes as input the
entity (interface) declaration of the speciﬁed module and a set of properties written in the
simple subset of PSL, and produces a RTL design in the synthesizable subset of VHDL
(see Appendix E for details about running SyntHorus2).
As discussed in Chapter 3, most of the other works that deal with ABS are automata
based, and are based on the “two players game”. Since our approach is so diﬀerent, it is
of interest to evaluate how it compares on a set of benchmarks of increasing complexity.
Acacia [FJR09, ACA] inputs LTL speciﬁcations, and outputs a design in dot format.
We have written a dot to VHDL translator to enter the same logic synthesis tool for the
last processing phase. Several options may be selected (backward or forward state space
traversing; the circuit player or the environment player has the initial move), leading to
very diﬀerent results. Whatever the option, we were not able to process a real example.
Unbeast [EKH12, UNB] inputs LTL speciﬁcations in XML syntax and produces an
intermediate NuSMV ﬁle that is turned to an aig format by AIGER. ABC is used to
translate aig into Verilog.
Ratsy [RAT] inputs GR(1) PSL properties through a graphical interface and produces
a Verilog design. Also based on game theory, in this system the environment player moves
ﬁrst. Ratsy checks every input, and the properties must be partitioned into a guarantee
and an assume part.
Table 10.1 summarizes the characteristic of these tools: the input and output formats,
and the subset of PSL that each supports.
Table 10.1: ABS tools
Tool Input Output FL SERE
Acacia LTL dot � no
Unbeast LTL in XML format NuSMV � no
Ratsy LTL Verilog GR(1) subset of PSL no
SyntHorus2 PSL VHDL and PSL properties PSLsimple partially (see Chapter 6)
We have installed SyntHorus2, Acacia, Unbeast and Ratsy on a workstation with the
1IBM Generalized Buﬀer
2ARM Advanced Microcontroller Bus Architecture
3High-level Data Link Controller
4Cyclic Redundancy Check
5Single Data-rate Random Access Memory
6Field Programmable Gate Array
7Application Speciﬁc Integrated Circuit
8Assertion Based Synthesis
10.2 : Hardware prototyping and synthesis results
following characteristics: 64 bit Intel Core 2 Duo CPU E8400, clock rate 3.0GHz, RAM
size 2 giga bytes.
For each case study, we took the same speciﬁcation for all the tools. We had to rewrite
our speciﬁcations between Ratsy and SyntHorus2, because the GR(1) PSL subset does
not accept operators rose, fell, and next event with a temporal expression operand
nor any weak PSL operators.
We executed Unbeast, Acacia, Ratsy, and SyntHorus2 for each example. We were able to
run Unbeast on the small examples provided with the software distribution, but we timed
out on GenBuf even without FIFO. So we shall not enter Unbeast in the comparison.
Acacia can also work just on very simple and small examples, e.g. it works for GenBuf,
with 2 senders and 2 and 3 receivers, without considering its FIFO; therefore, we excluded
the results from the tables.
After execution, the result of all tools has been synthesized with the same synthesis
tool to allow a fair comparison in terms of logic gates and area.
Here, we give the synthesis results for the case studied.
10.2.1 IBM Generalized Buﬀer (GenBuf)
We generate the hardware of GenBuf with multiple senders and 2 receivers, and 2 senders
and multiple receivers using SyntHorus2 and Ratsy. In each case, the hardware generation
time of the tools are compared, and the generated circuits are synthesized using Quartus
II and Design Vision.
Figure 10.1 compares the hardware generation time of SyntHorus2 and Ratsy for GenBuf
with multiple senders and 2 receivers.
Figure 10.1: HW generation time: GenBuf with multiple senders and two receivers
Figure 10.2 compares the hardware generation time of SyntHorus2 and Ratsy for GenBuf
with multiple receivers and 2 senders.
The circuit generation time is one to two orders of magnitude smaller for SyntHorus2
depending on the number of senders/receivers. The higher the number, the higher the
147
Chapter 10 : Practical Experiments and Results
Figure 10.2: HW generation: GenBuf with 2 senders, multiple receivers and with FIFO
order of magnitude. At this point, it is fair to say that SyntHorus2 does not perform veriﬁ-
cation, while Ratsy has veriﬁcation embedded in the generation process. Thus, comparing
the runtimes of the two tools is not relevant for who wants to perform veriﬁcation.
Acacia timed out for GenBuf with multiple senders, and multiple receivers. It just
worked for GenBuf with 2 senders, and 2 and 3 receivers, without considering FIFO. For
other cases, it timed out after 24 hours, most probably due to memory explosion.
10.2.1.1 Synthesis for FPGA implementation
First, we synthesized the generated circuits of SyntHorus2 and Ratsy using Quartus II in
order to implement them on a FPGA board (device EP4CE30F23C6 from Cyclone IV
device family).
Multiple senders and two receivers
Table 10.2 gives the synthesis results of Quartus II for GenBuf with multiple senders
and two receivers running SyntHorus2 and Ratsy. In this table, the number of registers,
the total number of LUTs (2-input, 3-input, and 4-input LUTs), and the maximum clock
frequency are reported. The reported clock frequency is the maximum potential frequency
of the circuits. Based on the selected FPGA device, this frequency may be limited to the
maximum clock frequency of the selected FPGA device.
Multiple receivers and two senders, with FIFO
We synthesized GenBuf circuits with multiple receivers and two senders using Quartus II
on the same FPGA. Table 10.2 gives the synthesis results for SyntHorus2 and Ratsy.
SyntHorus2 generates faster circuits with less LUTs than Ratsy, but with more registers.
10.2 : Hardware prototyping and synthesis results
Table 10.2: Quartus II synthesis result for GenBuf controller with multiple
senders, and 2 receivers
SyntHorus2 Ratsy
# # # # F # # # F
sen. prop. reg. LUTs (MHz) prop. reg. LUTs (MHz)
1 20 25 57 726.8 41 16 158 251.5
2 25 34 89 701.8 49 21 961 158.2
3 29 33 97 806.4 59 25 2361 133.6
4 33 38 118 766.8 67 29 3417 124.1
5 37 43 132 782.5 76 33 2647 132.6
6 41 46 149 668.0 85 38 6007 104.5
7 45 49 172 659.6 99 42 7160 108.5
8 49 54 188 746.8 103 46 6524 99.9
Table 10.3: Quartus II synthesis result for GenBuf controller with FIFO, multiple
receivers, and 2 senders
SyntHorus2 Ratsy
# # # # F # # # F
rec prop. reg. LUTs (MHz) prop. reg. LUTs (MHz)
3 28 37 98 756.4 56 24 2092 130.4
4 31 45 119 781.2 63 27 2587 140.2
5 34 53 146 609.0 70 30 4251 121.6
6 37 61 166 745.7 77 34 10408 92.5
7 40 99 196 616.5 84 36 15191 89.8
8 46 77 215 647.7 91 40 18180 83.6
10.2.1.2 Synthesis for ASIC implementation
We synthesized all the circuits generated by SyntHorus2 and Ratsy with Design Vision
under the same conditions:
• considering the typical conditions of the C35 corelib library
• setting the clock period to 20 ns, to do static timing analysis, and computing the
approximate frequency of the circuit
• setting the “ungroup” compile option
• using the“Exact Map”option with the“medium”eﬀort in mapping, area, and power
For each tool, we provide the number of properties used for the circuit synthesis, the
execution time, and the size and timing characteristics of the resulting circuit: number
of combinational and sequential cells, total area (including the interconnection area) and
approximate clock frequency. The Design Vision execution time is not reported, it is
negligible.
Multiple senders and two receivers
Table 10.4 gives the results of our experiments on Genbuf with a FIFO, for 1 to 8 senders
and 2 receivers, running SyntHorus2 and Ratsy.
As is shown in this table, SyntHorus2 generates more registers and less combinational
cells than Ratsy; and the generated circuits are smaller. For 1 to 5 senders, the clock
frequency is less dependent on the number of the inputs. The critical path is determined
by the round-robin properties in the receiver side (properties P3 rec 0 and P3 rec 1). By
149
Chapter 10 : Practical Experiments and Results
Table 10.4: Design Vision synthesis result for GenBuf controller with FIFO,
multiple senders, and two receivers
SyntHorus2 Ratsy
# # # comb. # seq. Total F # #comb. # seq. Total F
send prop. cells cells area (MHz) prop. cells cells area (MHz)
1 20 231 63 33624 571 41 221 16 25034 222
2 25 335 83 46748 521 49 1322 21 127502 127
3 29 360 88 50054 571 59 2541 25 240411 90
4 33 467 101 60934 571 67 3818 29 358160 78
5 37 590 113 72594 521 76 3230 33 303860 77
6 41 643 124 80203 463 85 6954 38 648910 64
7 45 764 134 92016 442 99 8320 42 773090 69
8 49 879 147 105155 418 103 7471 46 695581 64
increasing number of the senders from 5 to 8, a property in the sender side determines
the critical path, which depends on the number of senders.
Figure 10.3 compares the total number of the gates for the circuits that are generated
by SyntHorus2 and Ratsy. For each circuit, the total number of gates is presented as the
number of the 2-input NAND gates, which is computed by dividing the total cell area
(not the total area reported in the table) by the area of a 2-input NAND gate obtained
from C35 corelib library. This number is not accurate, and is just for giving an evaluation
of the number of gates.
Figure 10.3: Total number of gates: GenBuf with multiple senders and 2 receivers
Multiple receivers and two Senders, with FIFO
Table 10.5 gives the results of our experiments on Genbuf with a FIFO, for 3 to 8 receivers
and 2 senders, running SyntHorus2 and Ratsy.
As is shown in this table, the clock frequency of the circuits generated by SyntHorus2
is less dependent on the number of receivers, than the circuits generated by Ratsy.
Figure 10.4 compares the total number of gates for the circuits that are generated by
SyntHorus2 and Ratsy. Again, the number of gates is the number of 2-input NAND gates
10.2 : Hardware prototyping and synthesis results
Table 10.5: Design Vision synthesis result for GenBuf controller with FIFO,
multiple receivers, and two senders
SyntHorus2 Ratsy
# # # comb. # seq. Total F # #comb. # seq. Total F
rec prop. cells cells area (MHz) prop. cells cells area (MHz)
3 28 414 102 57876 568 56 2781 24 259796 96
4 31 467 118 66715 565 63 3285 27 306134 80
5 34 546 134 76961 555 70 5146 30 475880 67
6 37 624 150 87188 555 77 12970 34 1198182 57
7 40 714 175 100559 555 84 17934 36 1647189 56
8 46 860 191 114564 555 91 20828 40 1894378 65
and it is computed approximately.
Figure 10.4: Total number of gates: GenBuf with multiple receivers and 2 senders
10.2.2 AMBA arbiter
We have performed the same kind of experiments on the AMBA-AHB bus arbiter, a
popular benchmark. Figure 10.5 compares the HW generation time of SyntHorus2 and
Ratsy.
As is shown in this ﬁgure, SyntHorus2 generates the circuits faster than Ratsy. We
synthesized AMBA using Quartus II and Design Vision, with the same options as GenBuf.
10.2.2.1 Synthesis for FPGA implementation
Table 10.6 shows the synthesis results of Quartus II for AMBA arbiter.
As is shown in this table, the AMBA arbiter speciﬁcation holds 2 to 3 times more
properties for Ratsy than for SyntHorus2. It should be noted that some complex properties
accepted by SyntHorus2 become 14 or 16 simple properties after rewriting to comply with
the Ratsy acceptable PSL subset. For example, the following property of AMBA arbiter
is rewritten into 14 simpler properties.
151
Chapter 10 : Practical Experiments and Results
Figure 10.5: HW generation time: AMBA arbiter
Table 10.6: Quartus II synthesis result for AMBA arbiter with 2 slaves and
multiple masters
SyntHorus2 Ratsy
# # # # F # # # F
masters prop. reg. LUTs (MHz) prop. reg. LUTs (MHz)
2 35 24 59 795.5 77 21 382 199.2
3 46 33 113 852.5 96 29 2941 131.1
4 56 42 119 923.4 114 29 6085 106.9
5 66 51 150 795.5 133 34 3091 130.45
6 77 60 181 758.1 151 37 4355 115.8
10.2 : Hardware prototyping and synthesis results
G3:
always ( (HMASTLOCK and (HBURST = INCR4) and HREADY and (HTRANS = NON−SEQ)
) −> next ( (HTRANS = SEQ) unti l [ 3 ] HREADY) ) ;
In SyntHorus this property can be rewritten as two properties, using the next event
operator, which is not supported in Ratsy.
10.2.2.2 Synthesis for ASIC implementation
Table 10.7 gives our results for 2 slaves and diﬀerent numbers of masters. The columns
have the same meaning as in Table 10.5. Again, we ﬁnd that SyntHorus2 produces smaller
and faster circuits, but with more registers; in addition, the speed of the circuit is less
sensitive to the number of masters.
Table 10.7: Design Vision synthesis results for AMBA arbiter
SyntHorus2 Ratsy
# # # comb. # seq. Total F # #comb. # seq. Total F
masters prop. cells cells area (MHz) prop. cells cells area (MHz)
2 33 303 90 45165 637 77 515 21 51985 164
3 46 513 132 71915 621 96 3867 29 362589 92
4 56 567 159 82522 606 114 7712 29 721363 67
5 66 725 194 102762 629 133 3920 34 370179 82
6 77 660 228 121855 625 151 5855 37 552310 62
Figure 10.6 compares the total number of gates (2-input NAND gates) of the circuits
that are generated by SyntHorus2 and Ratsy.
Figure 10.6: Total number of gates: AMBA arbiter
The following comments can be made on these experiments (GenBuf and AMBA
arbiter):
• The number of properties used to generate the design is higher for Ratsy than for
SyntHorus2. This is due to the underlying method: game-based methods need to
consider both the guarantee and the assume properties, while the modular method
of SyntHorus2 only takes the guarantee properties to produce the circuit design.
153
Chapter 10 : Practical Experiments and Results
• In both example, except for GenBuf with 1 sender, the size of the combinational
part and the total area of the generated circuit is smaller for SyntHorus2.
• SyntHorus2 generates more registers than Ratsy. This may be in relation with the fact
that the maximum clock frequency is higher for the circuits generated by SyntHorus2.
The diﬀerence is particularly signiﬁcant for GenBuf with 2 senders and multiple
receivers. However, the total circuit size is smaller.
10.2.3 Other examples
Our ﬁnal three benchmarks are reported in Table 10.8. To our knowledge, they have never
been published in the ABS context. The SDRAM controller is one of the test cases of the
OneSpin formal veriﬁcation tools distribution. The CRC is a hardware implementation
of the cyclic redundancy check for error detection. The High-level Data Link Controller
(HDLC) is an ISO standard for point to point communication at the network data link
layer. We have complemented the assertions found in [PPSQ13] to fully specify the HDLC
controller. With 120 properties, it is the largest speciﬁcation processed, and the largest
circuit generated. Yet the circuit generation time remains small (1.06 sec), and the clock
frequency high (429 MHz).
Table 10.8: Design Vision synthesis results for HDLC, SDRAM, and CRC
SyntHorus2
Circuit # Hw. gen. # comb. # seq. Total Total # F
prop. time (s) cells cells area of gates (MHz)
HDLC 120 1.06 2646 1433 600527 9588 429
SDRAM 9 0.2 1045 769 295107 4765 513
CRC 14 0.14 641 293 131122 2401 406
10.2.4 Comparison between FLs and SEREs
To show the applicability of our synthesis method to SEREs, the SERE properties are
provided for GenBuf, AMBA arbiter and HDLC, the corresponding VHDL designs are
generated using SyntHorus2, and are synthesized using Design Vision. The number of
properties, the hardware generation time, the number of combinational and sequential
cells, the total area, and the circuit frequency are given. For all benchmarks, the properties
processing time by SyntHorus2 is very small, a fraction of a second for the classical GenBuf
and AMBA bus, less than two seconds for the more complex HDLC.
10.2.4.1 GenBuf
The FL properties of GenBuf are translated into SEREs.
Multiple senders
Table 10.9 shows the synthesis results for GenBuf with multiple senders and two receivers.
The generated circuits have larger number of registers and combinational cells comparing
to the circuits generated from the FL properties. However, the total number of gates is
very close to the circuits obtained from FLs For all the cases, the clock frequency is 370
MHz, and is independent from the number of senders.
10.2 : Hardware prototyping and synthesis results
Table 10.9: Design Vision synthesis results for GenBuf with multiple senders
(for SERE properties)
# # HW gen. # comb. # seq. Total Total#
senders prop. time (s) cells cells area of gates
1 20 0.15 319 76 45196 701
2 25 0.16 417 94 56858 879
3 29 0.20 458 100 61644 951
4 33 0.23 550 115 72416 1114
5 37 0.28 634 125 81174 1243
6 41 0.27 721 138 91258 1392
7 45 1.52 836 148 102263 1558
8 49 0.81 941 162 115783 1752
Figure 10.7 compares the total number of gates for the circuits generated from FLs
and SEREs. In average, the circuits generated from SEREs have 20% more gates than
the circuits generated from FLs.
Figure 10.7: Total number of gates: GenBuf with multiple senders and 2 receivers
(generated from FLs and SEREs)
Multiple receivers
Table 10.10 shows the synthesis results for GenBuf with multiple receivers and two senders.
Compared to the circuits generated from FLs, the generated circuits from SEREs have
more gates, and are almost 2 times slower .
Figure 10.8 compares the total number of gates for the circuits generated from FLs
and SEREs. As is shown in this ﬁgure, the diﬀerence between the number of gates of the
two circuits generated from FLs and SEREs becomes more signiﬁcant as the number of
receivers increases. With multiple senders and 2 receivers, this diﬀerence was almost the
same for all numbers of senders. It is due to the properties that specify the round-robin
policy in the receiver side. When rewriting these properties as SEREs, the property in-
volves the ‘∗’ unbounded repetition. The primitive reactant of ‘∗’ is the area and frequency
bottleneck. In the case of multiple senders and two receivers, we have two round-robin
155
Chapter 10 : Practical Experiments and Results
Table 10.10: Design Vision synthesis results for GenBuf with multiple receivers
(for SERE properties)
# # HW gen. # comb. # seq Total Total # Freq.
receivers prop. time (s) cells cells area of gates (MHz)
3 27 0.19 529 119 720701 1123 308
4 30 0.25 651 146 901106 1392 320
5 33 0.35 775 175 108083 1669 290
6 36 0.61 905 206 127124 1963 296
7 42 0.26 1052 248 150525 2325 296
8 45 0.29 1215 287 174253 2691 280
properties (one for each receiver, see properties P3_sere_rec_0 and P3_sere_rec_1 in
Fig. 4.9) whatever the number of senders. In the case of multiple receivers, the number
of round-robin properties increases with the number of receivers, and the area increases
more.
Figure 10.8: Total number of gates: GenBuf with multiple receivers and 2 senders
(generated from FLs and SEREs)
The interconnection area is larger for the circuits generated from SEREs than the
circuits generated from FLs.
10.2.4.2 AMBA Arbiter
For the AMBA bus arbiter, we wrote the SERE speciﬁcation based on its protocol descrip-
tion in English and the FL properties. Table 10.11 summarizes the synthesis results for 2
slaves and 2-6 masters. Compared to the circuits resulting from FL properties, the circuits
generated from SEREs are 20-30% smaller (less combinational and sequential cells), and
signiﬁcantly slower (up to half the speed).
10.2.4.3 HDLC
For HDLC, we provided two set of properties:
10.3 : Completeness and coherency consideration
Table 10.11: Design Vision synthesis results for AMBA arbiter (for SERE prop-
erties)
# # HW gen. # comb. # seq. Total Total # F
masters prop. time (s) cells cells area of gates (MHz)
2 28 0.14 223 62 33614 523 368
3 41 0.24 341 95 50146 777 324
4 52 0.32 429 120 63209 978 307
5 63 0.41 520 145 76471 1181 296
6 74 0.63 628 170 90546 1394 266
• SERE1: all the FL properties are translated to their equivalent SERE properties.
• SERE2: three modules, FlagDetection, ZeroDetection, and ZeroInsertion, are
directly expressed using SERE properties (see Appendix B). These SEREs are writ-
ten based on the protocol, and they have not been obtained by rewriting FLs.
Table 10.12 summarizes the synthesis result. In the SERE1 speciﬁcation, 120 FL properties
are translated to 120 SERE properties. The SERE2 speciﬁcation has 108 SERE properties.
The circuit obtained from SERE1 has more combinational and sequential cells compared
to the circuit generated from FLs, and it is almost 5 times slower.
The circuit obtained from SERE2 has more combinational cells and less sequential cells
compared to the circuit generated from FLs, and it is almost 6 times slower.
These results show that translating FLs to SEREs increases the circuit size and de-
creases the clock frequency; it is the case of GenBuf and HDLC obtained from SERE1. In
contrast, expressing the circuit behavior using SEREs may decrease the area, at the cost
of speed. It is the case of AMBA and HDLC obtained from SERE2.
Table 10.12: Design Vision synthesis results for HDLC (for SERE properties)
# HW gen. # comb. # seq. Total Total # F
prop. time (s) cells cells area of gates (MHz)
SERE1 120 1.22 3238 1157 614507 9700 82
SERE2 108 1.51 3017 839 516363 8050 59
10.3 Completeness and coherency consideration
We used OneSpin for formally verifying if the generated circuits correspond to the speci-
ﬁcation.
Then, we veriﬁed if the set of speciﬁcation is complete and consistent. As was dis-
cussed in Chapter 9, SyntHorus2 generates complementary properties for checking the
completeness and coherency of the properties. For all the circuits, we generated these
properties. We used the properties in ModelSim and also OneSpin. For all the case stud-
ies, these properties hold both in simulation and formal veriﬁcation; i.e. the speciﬁcation
is complete and consistent.
Example 1. Checking consistency
Consider the annotated properties that are shown in Fig. 10.9. These properties are
taken from GenBuf speciﬁcation.
157
Chapter 10 : Practical Experiments and Results
P0 sender 0 :
always (not BtoS ACK m(0) and not StoB REQ m(0) −>next ! ( not BtoS ACK g (0) )
) ;
P1 sender 0 :
always (BtoS ACK m(0) and StoB REQ m(0) −>next ! ( BtoS ACK g (0) ) ) ;
P2 sender 0 :
always ( rose (StoB REQ m(0) ) −> not BtoS ACK g (0) ) ;
Figure 10.9: Some properties from GenBuf that generate BtoS ACK(0)
The circuit is generated by SyntHorus2 and the complementary properties are generated
for checking the consistency. Figure 10.10 shows the VHDL assertion generated by Syn-
tHorus2 and considers the mutual exclusion of triggers that correspond to the BtoS ACK(0)
signal.
. . .
process ( c l k ) begin
i f ( c l k = ’0 ’ and c lk ’ event ) then
i f ( r e s e t n = ’1 ’) then
ASSERT ( ( (not ( t r i g g e r 1 ) ) or (not ( t r i g g e r 0 or t r i g g e r 2 ) ) ) =
’1 ’ )
REPORT ”T0 ( t r i g g e r 0 or t r i g g e r 2 ) and T1 ( t r i g g e r 1 ) are not
mutually e x c l u s i v e ”
SEVERITY ERROR;
end i f ;
end i f ;
end process ;
. . .
Figure 10.10: The assertion for considering the mutual exclusion of BtoS ACK(0) triggers
The circuit is simulated usingModelSim along with the complementary properties. The
waveform obtained from ModelSim is shown in Fig. 10.11, in which the assertion passed
in all the cycles.
Now, suppose that P1_sender_0 is written incorrectly, as shown in Fig. 10.12, and the
circuit is generated for the incorrect properties.
The waveform is shown in Fig. 10.13, in which the assertion (see Fig. 10.10) fails at
t = 13200 ns, and we get the name of the triggers that are not consistent. Therefore, the
designer can debug the properties more easily.
10.4 Guidelines for obtaining smaller circuits
Here we give some guidelines for writing the properties in a way that generates the smaller
circuits.
10.4 : Guidelines for obtaining smaller circuits
Figure 10.11: The wave form, without any failure
P1 s ende r 0 f a l s e :
always (StoB REQ m(0) −> BtoS ACK g (0) ) ;
Figure 10.12: A modiﬁed property of GenBuf that generates BtoS ACK(0)
Figure 10.13: The wave form, with assertion failure
159
Chapter 10 : Practical Experiments and Results
Since our method is modular, for each property it instantiates all the primitive reac-
tants of a property. Therefore, if we are able to merge several properties into one property,
we generate a smaller circuit.
Example 1. Merging properties.
Assume that we have the following properties:
P0 : always (A −> next ! (B) ) ;
P1 : always (A −> C and next ! (D) ) ;
In this case, we have two instances of the always, ‘–>’, and next! primitive reactants.
Since the left-hand side of both properties are the same, we can rewrite these properties
as follow:
P: always (A −> C and next ! (B and D) ) ;
In this case, we have one instance of the always, ‘–>’, and next! primitive reactants.
Another factor that aﬀects the size of the generated circuit signiﬁcantly is the size of
the complex solvers.
Remember from Chapter 9, if we have Z = (z1, . . . zn) and TZ = (Etrig0, . . . ,Etrigm),
then the complex solver has a LUT that has m + n columns and at most 2m+n rows.
Either by reducing the number of the dependent signals (n) or by reducing the number
of the properties that aﬀect these dependent signals (m) the size of the complex solvers
decreases.
Example 2. Reducing the size of the solver: reducing the number of Etrig
signals.
Assume that we have the following properties:
P0 : always (A −> next ! (B or C) ) ;
P1 : always (D −> next ! (B or C) ) ;
Here, we have two signals that are dependent: Z = (B,C), and two trigger signals:
TZ = (Etrig0,Etrig1). Therefore, the LUT has at most 16 rows. However, we can rewrite
the properties as follow:
P: always (A or D −> next ! (B or C) ) ;
In this case, we have one trigger signal; therefore, the LUT has at most 8 rows.
Example 3. Reducing the size of the solver: reducing the number of dependent
signals.
As another example assume that we have the following properties, where A is an input.
P0 : always (A or B or C) ;
P1 : always (D −> next ! (B or C) ) ;
Here, we have three signals that are dependent: Z = (A,B,C), and two trigger signals:
TZ = (Etrig0,Etrig1). Therefore, the LUT has at most 32 rows. However, we can rewrite
the properties as follow:
P0 modif ied : always (not A −> (B or C) ) ;
P1 : always (D −> next ! (B or C) ) ;
10.5 : Summary
In this case, we have two dependent signal and two trigger signals; therefore, the LUT
has at most 16 rows.
10.4.1 GenBuf: Multiple senders
For more complex properties, the way in which the properties are written has a signiﬁcant
eﬀect on the size of the generated circuit. To illustrate this fact, the properties of GenBuf
for multiple senders are modiﬁed: the properties in the form of A → B, where A and B
are Boolean, have been rewritten as :notA orB.
The generated circuit is synthesized using Design Vision. In the original speciﬁcation,
signals BtoS ACK(0), BtoS ACK(1), and ENQ are dependent. In the rewritten speciﬁca-
tion, BtoS ACK(0), BtoS ACK(1), ENQ, and DEQ are dependent; therefore, the area is
increased. Figure 10.14 compares the total number of gates for the two circuits generated
from the original and the rewritten speciﬁcations.
Figure 10.14: Total number of gates for GenBuf with multiple senders: original and
rewritten speciﬁcation
10.5 Summary
In this chapter, we applied our method to several case studies, and compared our results
with other ABS tools. The experiments show that SyntHorus2 generates smaller and faster
circuits.
161
Chapter 10 : Practical Experiments and Results
Chapter11
Conclusion and future works
Contents
11.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
11.2 Future works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
163
Chapter 11 : Conclusion and future works
In this thesis, we have presented a modular method to synthesize the controller part
of circuits, reactants not monitors, from their temporal properties written in PSL.
11.1 Contributions
Here, the main contributions of this work are summarized.
• Starting from the trace semantics of PSL, we formally deﬁned a dependency relation
between the operands of the temporal SERE1 operators. Then, we gave a hardware
interpretation of the dependency relations, which constitutes the basis on which the
library of primitive reactants is built (see Chapter 6).
• These dependency relations, accompanied by the formal dependency relation of FLs,
are the formal model on which the annotation algorithm is written (see Chapter 7).
• Considering the dependency among all the properties, solver components have been
generated to resolve the value of the duplicated and unannotated signals (see Chap-
ter 9).
• We generate some complementary properties to check the coherency and complete-
ness of the set of the properties.
• The prototype tool SyntHorus2 has been implemented, based on the principles de-
scribed in this thesis. It is being adapted based on the requirements in industry.
• SyntHorus2 was exercised on a set of benchmarks, and also on real size circuits such
as the AMBA-AHB bus arbiter and the HDLC controller. Comparing SyntHorus2
with other ABS tools is diﬃcult, since each tool requires its own subset of LTL or
PSL that should be adapted for each tool. Comparing to other tools, SyntHorus2
generates smaller and faster designs on the bigger examples.
Intermediate results of SyntHorus2 allow debugging a speciﬁcation, and verify if it
is consistent and complete. Assertions that are generated automatically on the trigger
signals may be veriﬁed by a simulator, or model checked with a formal veriﬁcation tool.
In addition, SyntHorus2 can provide an environment prototype that complies with the
speciﬁcations, for testing another circuit module.
11.2 Future works
Now, SyntHorus2 only processes scalar and vector Boolean signals in the properties. Future
works include the recognition of more complex data types, such as integers and enumerated
types.
SyntHorus2 supports partially the modeling layer of PSL. It supports arithmetic and
comparison operators. However, it does not support the deﬁnition of local signals. This
feature should be added to SyntHorus2.
As was explained in Chapter 6, our synthesizable subset of SEREs has some limitations.
For example, we cannot have non consecutive repetition. Therefore, the synthesizable
subset of SEREs should be extended and the limitations should be alleviated.
1Sequential Extended Regular Expression
11.2 : Future works
To overcome some of the limitations, e.g. observing ϕ = A&B where A and B are
sequences, we can take advantage of the automata-based method. We can combine the
automata-based and modular methods, then, use automata for the left-hand side of an
implication, which should be observed, and the modular method for the right-hand side
of an implication that should be generated.
Moreover, we should optimize the primitive reactants for SEREs. As was shown in
Chapter 10, if we rewrite an FL property into its equivalent SERE property, the circuit
obtained from the SERE is larger and slower. We should optimize both SERE primitive
reactants and their interconnections.
We have provided some guidelines on how to write properties to generate smaller
circuits; they should be enhanced. We can provide predeﬁned sets of properties to ex-
press some behaviors of the signals, e.g. mutual exclusion, round-robin scheme, 4-phase
handshaking protocol, etc.
The implementation of the complex solvers can be enhanced to generate smaller solvers.
As was discussed in Chapter 9, some rows of the LUT may not be useful, because some
combinations of Etrig signals never happen. Such rows can be eliminated by model check-
ing on the properties. This has not been automated.
As was discussed in Chapter 9, to calculate the value of the unannotated signals, there
may be several choices obtained from the LUT. Now, we select the ﬁrst row of the LUT
that matches our requirement. Other selection policies can be considered.
At this point, complex solvers are provided for scalar signals. They should be extended
to support vectors. In addition, complex solvers cannot be used in the cases that the
unannotated signals depend on the modeling layer operators and functions. We should
solve this problem.
Our method is modular; for each property it instantiates all the primitive reactants of
the property operators. This leads to redundant components. This is similar to the early
days of synthesis: each instance of an operator in the RTL design produced a distinct
hardware operator. An optimization step is needed to share primitive reactants in the
generated circuit.
165
Chapter 11 : Conclusion and future works
AppendixA
Symbols
Table A.1: Symbols
Symbol Deﬁnition Reference
P non-empty set of atomic propositions Chapter 2
Σ the set of all possible valuations of P (Σ =
2P)
Chapter 2
� “letter”: a valuation of all the propositions
in P
Chapter 2
w “word”: in practice, the succession over
time of the signal values, i.e. an execution
trace
Chapter 2
� � exp “exp is true in �”: exp takes value true if
all its variables take their value as in �
Chapter 2
w |= property “property” is true on word w: the ex-
tended semantics by structural induction
over FL properties to words
Chapter 5
�A�B�w A depends on B on w Chapter 5
Trigz a trigger signal that constrains z to 1 Chapter 5
Trig¬z a trigger signal that constrains z to 0 Chapter 5
C�ϕ C implements ϕ Chapter 5
w |≡ property “property” holds tightly on word w: the
extended semantics by structural induc-
tion over SERE properties to words
Chapter 6
AST Abstract Syntax Tree Chapter 7
DAST Directed Abstract Syntax Tree Chapter 7
ϕL
nL
the left sub-sequence of ϕ, whose depth is
nL
Chapter 8
ϕR
nR
the right sub-sequence of ϕ, whose depth
is nR
Chapter 8
DG the dependency graph Chapter 9
167
Chapter A : Symbols
Symbol Deﬁnition Reference
T 0 z = (Trig0¬z,Trig1¬z, . . . ,Trignb0−1¬z ) the vector of the trigger signals that con-
strain z to 0
Chapter 9
T 1 z = (Trig0z,Trig1z, . . . ,Trignb1−1z ) the vector of the trigger signals that con-
strain z to 1
Chapter 9
T0 z =
�
i
Trig i¬z the disjunction of the trigger signals that
constrain z to 0
Chapter 9
T1 z =
�
j
Trig jz the disjunction of the trigger signals that
constrain z to 1
Chapter 9
Z = (z1, . . . , zn) the vector of n dependent (unannotated)
signals
Chapter 9
Expr j the expression that represents the unan-
notated sub-tree of DASTj
Chapter 9
E = (Expr0, . . . ,Exprm) the vector made of Expr j signals Chapter 9
Etrigj the trigger signal that triggers Expr j Chapter 9
TZ = (Etrig0, . . . ,Etrigm) the vector made of Etrigj signals Chapter 9
AppendixB
Case study: High-level Data Link Controller
Contents
B.1 Transmitter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
B.1.1 Parallel to Serial converter . . . . . . . . . . . . . . . . . . . . 172
B.1.2 CRC generation . . . . . . . . . . . . . . . . . . . . . . . . . . 172
B.1.3 Zero insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
B.1.4 Flag generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
B.1.5 Transmitter controller . . . . . . . . . . . . . . . . . . . . . . . 173
B.2 Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
B.2.1 Flag and abort detection . . . . . . . . . . . . . . . . . . . . . 180
B.2.2 Zero detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
B.2.3 CRC checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
B.2.4 Serial to Parallel converter . . . . . . . . . . . . . . . . . . . . 182
B.2.5 Receiver Controller . . . . . . . . . . . . . . . . . . . . . . . . . 182
169
Chapter B : Case study: High-level Data Link Controller
High-level Data Link Controller (HDLC) permits synchronous or start/stop, code-
transparent data transmission. The HDLC controller IP has a transmitter and receiver
for transmitting the frames with a speciﬁc format (see Fig. B.1). The HDLC controller
IP performs serialization/deserialization, CRC generation, transparency and abort gener-
ation/detection.
The transmitter receives its input data from an external device, and sends it with a
speciﬁc frame format to the receiver. Each frame is made of an open ﬂag (the value is
“01111110”), the information (address, control, info), the CRC and the closing ﬂag.
As is shown in Fig. B.1, the transmitter and receiver have several components. The
objective is generating each component from its properties using SyntHorus2.
First, we tried to generate the HDLC circuit from the properties given in [PPSQ13].
However, these properties are not complete. When we want to generate a hardware from
the properties, the set of properties should completely specify all signals behaviors. We
provided the FL properties for HDLC, based on its protocol. We used the SERE properties
of [PPSQ13] to verify if the circuit obtained from SyntHorus2 works correctly.
B.1 Transmitter
Figure B.1 (a) shows the block diagram of the HDLC transmitter. Before describing the
functional behavior of the system, the transmitter interface signals are introduced:
• Inputs
– TxClk : the actual clock of the transmitter
– TxRstn: the active-high reset signal
– TxEnable: if this signal is 1, the transmitter is enabled
– TxData: the transmitter parallel data bus
– TxDataWr : informs the transmitter that an external packet is ready to send
– TxSendAbort : informs the transmitter that sending the frame should be stopped
and an abort sequence should be sent
– TxCRCSel : sets the CRC size (no checksum, 8, 16, or 32 bits)
• Outputs
– UnderRun: indicates the underrun error. It is generated if no new valid data
is written within 8 cycles after BuﬀEmpty goes high.
– TxDout : provides the serial output data
– TxCRCValue: the CRC value
– TxLastBit : indicates the last bit of the last ﬂag of the transmission has been
sent out
The transmitter is disable when TxEnable is 0. In this mode, idle mode, there is no
valid data on TxData (TxDataWr = 0), and consecutive 1s are transmitted. As soon as
the transmitter becomes enable, data transmission starts when the TxDataWr signal is
asserted. First, the transmitter sends an opening ﬂag (by activating the FlagAbortGen
B.1 : Transmitter
(a) Transmitter
(b) Receiver
Figure B.1: HDLC controller block diagram
171
Chapter B : Case study: High-level Data Link Controller
component). After, the data will be sent. The CRC value is sent out after sending the
last byte of the data. Then, a closing ﬂag is appended to mark the end of the frame.
The data transmission mechanism is transparent. It means that the transmitter should
prevent of occurring the ﬂag pattern in the data (including CRC). Anytime a sequence of
ﬁve consecutive 1 occurs, a 0 should be inserted. It is done by ZeroInsertion component,
which is enabled by the transmitter controller.
When the TxSendAbort signal is asserted, the transmitter goes into the abort mode,
in which the transmitter should send 7 consecutive ones, without inserted zero.
The transmitter controller is responsible for enabling/disabling the P2S, CRCGen, Ze-
roInsertion and FlagAbortGen components.
In the following, each component is explained brieﬂy, and the properties are shown.
B.1.1 Parallel to Serial converter
Figure B.2 shows the properties for P2S. In these properties, TxData, stall, and load are
inputs, and S Data is the output, and P Data is an internal signal. The P2S unit is active
if stall=0. In this mode, if there is no new data to be loaded (load=0), the data is shifted
out. If P2S is stalled, 0 is shifted out, and the P Data internal signal keeps its previous
value. The new data is loaded into P Data when P2S is active, and the load signal is 1.
vunit P2S
{
P0 in i t :
always (not T frame va l id −> ( ( P Data = ”00000000 ”) and S Data = ’0 ’ ) ;
P1 load :
always ( T frame va l id and not s t a l l and load −> (P Data = TxData ) and (
S Data = P Data (7 ) ) ) ;
P2 s t a l l d a t a :
always ( T frame va l id and s t a l l −> S Data = ’0 ’ ) ;
P3 no t sh i f t :
always ( T frame va l id and not s t a l l and not load −> ( S Data = P Data (7 ) )
and (P Data (0 ) = ’0 ’ ) and (P Data (1 to 7) = prev (P Data (0 to 6) ) ) ) ;
P4 keep data :
always ( T frame va l id and s t a l l and not load −> (P Data = prev (P Data ) )
) ;
}
Figure B.2: Properties that describe P2S
B.1.2 CRC generation
The CRCGen component calculates a CRC across the transmitted message whenever the
send crc signal is 1. Otherwise, it transfers the input data (S Data) to the output(crc data).
Two diﬀerent polynomials can be selected by specifying the value of TxCRCSel in the idle
mode of the transmitter. The 16-bit CRC uses the polynomial x16+ x12+ x5+1, and the
B.1 : Transmitter
32-bit CRC uses the polynomial x32 + x26 + x23 + x22 + x16 + x12 + x11 + x10 + x8 + x7 +
x5 + x4 + x2 + x+ 1. Figure B.3 shows the PSL properties for CRCGen (for 16-bit CRC).
In the speciﬁcations, poly16, send crc, and S Data are the inputs and crc busy, crc done,
and crc data are the outputs. R16 is an internal signal for storing and shifting the input
data. crc counter is used to calculate when the transfer is ﬁnished.
B.1.3 Zero insertion
Since the data transmission mechanism is transparent, anytime a sequence of ﬁve consecu-
tive 1 occurs, a 0 should be inserted. It is done by the ZeroInsertion component. Figure
B.4 shows the FL properties for ZeroInsertion. If the last 5 input data (crc data) are 1,
in the next cycle, the stall signal becomes 1 that halts the P2S and CRCGen modules. In
the following cycle, 0 is put on the output and the stall signal becomes 1, which informs
the transmitter controller that a 0 is inserted on the data sequence. If the input data does
not contain ﬁve consecutive 1s, the stall signal becomes 0 and the zero Data output signal
takes the value of input crc data.
B.1.4 Flag generation
The FlagAbortGen component is enabled by transmitter controller for sending an opening
and closing ﬂag whenever the send ﬂag signal is asserted. In addition, this component
should send eight consecutive 1s when TxSendAbort = 1. Moreover, this component sends
consecutive 1s when transmitter is idle (it is also possible to send ﬂag or partial ﬂag in
the idle mode, but here, we are sending consecutive 1s).
Figure B.5 shows the properties for FlagAbortGen. In these properties, zero Data,
idle, send ﬂag, TxSendAbort, and TxDataWr are inputs. TxDout is the output signal,
and ﬂag done, abort set, and idle set are internal signals.
B.1.5 Transmitter controller
The controller can be in the following states:
1 idle mode: when transmitter is enabled (TxEnable = 1), it is in idle mode. In this
mode the controller sets the idle signal to 1 (to send consecutive 1 to the output).
As soon as a valid data is available (TxDataWr = 1), idle becomes 0. If it is between
the frames, in the next cycle an opening ﬂag should be sent (send ﬂag = 1).
2 sending a new frame: the ﬁrst frame is sent when transmitter becomes enable, and
a valid data is available. The next frame can be sent immediately, or can be sent
several cycles after ﬁnishing the current frame (in this case, the transmitter is idle
between the frames).
i sending opening ﬂag: the transmitter controller sets send ﬂag to 1 to start send-
ing a new frame. It may happen after idle mode of the transmitter controller,
or just after the closing ﬂag of the previous frame.
ii sending data: to send a new data, controller should set the load signal to 1. If it
is the ﬁrst data of the frame, load becomes 1 after speciﬁc number of cycles after
send ﬂag= 1. Then, load becomes 1 after speciﬁc number of cycles after the
173
Chapter B : Case study: High-level Data Link Controller
vunit CRCGen
{
P0 in i t da ta :
not crc busy and not crc done and (R16 = ”0000000000000000 ”) and (
c r c count e r = ”00000 ”) ;
P1 crc 16 data 2 ns :
always (not abo r t s e t and not s t a l l and not s end crc and not crc busy
and (TxCRCSel = ”01 ”) and R16(15) −> next ! ( R16(15 downto 1) = (
poly16 (15 downto 1) XOR (prev (R16(14 downto 0) ) ) ) ) and next ! ( R16
(0 ) = ( poly16 (0 ) XOR prev ( S Data ) ) ) ) ;
P2 crc 16 data 1 ns :
always (not abo r t s e t and not s t a l l and not s end crc and not crc busy
and (TxCRCSel = ”01 ”) and not R16(15) −> next ! ( R16(15 downto 1) =
prev (R16(14 downto 0) ) ) and next ! ( R16 (0 ) = prev ( S Data ) ) ) ;
P3 c r c 16 data 1 s :
always (not abo r t s e t and s t a l l and not s end crc and not crc busy and (
TxCRCSel = ”01 ”) −> next ! ( R16 = prev (R16) ) ) ;
P4 CRC 16 send data :
always (not abo r t s e t and not crc busy and not s end crc and (
c r c count e r < ”01111 ”) and (TxCRCSel = ”01 ”) −> ( c r c data = S Data ) )
;
P5 s end c r c 1 6 n s t a l l :
always (not abo r t s e t and not s t a l l and crc busy and (TxCRCSel = ”01 ”)
and ( c r c count e r < ”01111 ”)−> next ! ( c rc busy ) and next ! ( R16 (0 ) =
’0 ’ ) and next ! ( c r c count e r = (prev ( c r c count e r ) + ”00001 ”) ) and next
! ( R16(15 downto 1) = prev (R16(14 downto 0) ) ) and ( c r c data = (R16
(15) ) ) ) ;
P6 s e nd c r c 1 6 s t a l l :
always (not abo r t s e t and s t a l l and crc busy and (TxCRCSel = ”01 ”) and
( c r c count e r < ”01111 ”)−> next ! ( c rc busy ) and next ! ( c r c count e r =
prev ( c r c count e r ) ) and ( c r c data = ’0 ’ ) and next ! ( R16 = prev (R16) ) ) ;
P7 crc 16 :
always (not abo r t s e t and s end crc and (TxCRCSel = ”01 ”) −> crc busy
and ( c r c count e r = ”00000 ”) ) ;
P8 done crc 16 :
always (not abo r t s e t and crc busy and (TxCRCSel = ”01 ”) and (
c r c count e r = ”01111 ”)−> next ! ( not crc busy and c r c count e r = (prev (
c r c count e r ) + ”00001 ”) ) and next ! ( R16(15 downto 1) = prev (R16(14
downto 0) ) ) and next ! ( R16 (0 ) = ’0 ’ ) and ( c r c data = (R16 (15) ) ) ) ;
P9 abort :
always ( abo r t s e t −> next ! ( not crc busy ) and next ! ( R16(15 downto 1) = ”
0000000000000000 ”) and next ! ( c r c count e r = ”00000 ”) ) ;
P10 crc done :
always ( f e l l ( c rc busy ) −> crc done and next ! (not crc done ) and next ! (
c r c count e r = ”00000 ”) ) ;
}
Figure B.3: Properties that describe CRCGen (for 16-bit CRC)
B.1 : Transmitter
vunit Ze r o In s e r t i on
{
P0 in i t :
( ( s t a l l = ’ 0 ’ ) and ( z e r o I n s e r t e d = ’0 ’ ) and ( zero Data = ’0 ’ ) ) ;
P1 Zero :
always (
prev (prev (prev (prev ( crc Data ) ) ) ) and prev (prev (prev ( crc Data ) ) ) and
prev (prev ( crc Data ) ) and prev ( crc Data ) and crc Data
−>
next ! ( s t a l l and zero Data )
) ;
P2 noZero :
always (
not prev (prev (prev (prev ( crc Data ) ) ) ) or not prev (prev (prev ( crc Data ) )
) or not prev (prev ( crc Data ) ) or not prev ( crc Data ) or not
crc Data
−>
next ! ( not s t a l l ) and next ! (not z e r o I n s e r t e d ) and next ! ( ( zero Data =
prev ( crc Data ) ) )
) ;
}
Figure B.4: FL properties that describe ZeroInsertion
vunit FlagAbortGen
{
P0 T FA init :
f l a g done and not abo r t s e t and not TxDout ;
P1 send f l ag :
always ( rose ( s e nd f l a g ) −> not f l a g done and next a ! [ 1 to 7 ] ( not
f l a g done ) and not TxDout and next a ! [ 1 to 6 ] ( TxDout) and next ! [ 7 ] (
not TxDout) and next ! [ 8 ] ( not s e nd f l a g −> f l a g done ) ) ;
P2 send data :
always ( f l a g done and not abo r t s e t and not s end f l a g and not i d l e−> (
TxDout = zero Data ) ) ;
p 3 i d l e :
always ( i d l e and not s end f l a g and f l a g done −> TxDout) ;
P4 TxAbort :
always (TxSendAbort −> (TxDout and abo r t s e t ) and next a ! [ 1 to 7 ] (
abo r t s e t and TxDout) and next ! [ 8 ] ( not abo r t s e t ) ) ;
}
Figure B.5: Properties that describe FlagAbortGen
175
Chapter B : Case study: High-level Data Link Controller
previous load (the number of the cycles is 8 + no. of the stalls). Transmitter
speciﬁes the last data of a frame by asserting TxEoF. After that, no new data
is loaded until there is a new frame.
iii sending CRC: after transmitting the last data of a frame, transmitter controller
sets the send crc signal to 1. Then, based on the value of TxCRCSel signal,
transmitter should wait for a speciﬁc number of cycles until crc done becomes
1.
iv sending closing ﬂag: when crc done becomes 1, send ﬂag is set to 1 to send the
closing ﬂag.
3 abort command: if TxSendAbort = 1, data transmission is stopped immediately,
and after eight cycles, a closing ﬂag should be sent (send ﬂag = 1).
Figure B.6 shows the PSL properties for the transmitter controller.
B.2 Receiver
Figure B.1 (b) shows the block diagram of the HDLC receiver.
Before describing the functional behavior of the system, the transmitter interface sig-
nals have been introduced:
• Inputs
– RxClk: the actual clock of the receiver
– RxRstn: the active-hight reset signal
– RxEnable: Speciﬁes if the receiver is enable
– RxCRCSel: Speciﬁes if CRC is 8, 16, or 32 bits. The value of this signal is
speciﬁed by the user when the receiver is not enable.
• Outputs
– RxDataAvail: If this signal is 1 it means that the data of RxDout is valid. This
signal is set to 1 for a cycle whenever S2P ﬁnishes paralleling the data.
– RxStartOfFrame: This signal is set to 1 whenever an opening ﬂag is detected,
and the ﬁrst data of the frame is available.
– RxEndOfFrame: This signal speciﬁes the received data is the last data of the
current frame.
– RxCRCValue: Shows the CRC value of the received data.
– RxCRCError: This output signal shows if the data has been transmitted cor-
rectly.
– RxAbortFound: This signal speciﬁes if an abort sequence has been detected.
The receiver gets the serial HDLC frames continuously through the RxData port.
When an opening ﬂag is recognized, the receiver indicates the beginning of the frame by
asserting StartOfFrame. Bytes will be passed to the user until a closing ﬂag or abort
sequence is detected. At this point, the last byte will be passed and the EndOfFrame
signal is asserted. As is shown in Fig. B.1 (b), the receiver has several sub-modules:
FlagAbortDet, ZeroDet, CRCheck, S2P, and RController.
B.2 : Receiver
vunit T Contro l l e r
{
P0 T C reset :
not TxLastBit and not load and not s end f l a g and i d l e and ( l oad counte r
= ”0000 ”) and not eo f and not s end crc and (TxCRCValue = ”
00000000000000000000000000000000 ”) and not TxCRCValAvail and (
data counter = ”000 ”) and not (TxUnderRun) and not T frame va l id ;
P1 T enab l e id l e :
always ( rose (TxEnable ) and not TxDataWr −> not s e nd f l a g and not eo f
and not s end crc ) ;
P2 f r ame a f t e r i d l e :
always ( i d l e and TxEnable and rose (TxDataWr) −> next ! ( not i d l e and
s e nd f l a g ) ) ;
P 3 l o ad f i r s t d a t a :
always ( rose ( s e nd f l a g ) and not prev ( crc done ) and not prev ( abo r t s e t )
and TxDataWr and not TxShareFlag −> not load and ( l oad counte r = ”
0000 ”) and next ! [ 7 ] ( load ) and next a ! [ 1 to 7 ] ( l oad counte r = ”0000 ”)
and next ! [ 7 ] ( TxEnable −> T frame va l id ) ) ;
P4 T frame val id :
always ( ( T frame va l id ) and not TxSendAbort and not eo f and not i d l e and
TxEnable−> next ! ( T frame va l id ) ) ;
P5 d i s ab l e m id f r :
always ( T frame va l id and not TxSendAbort and not eo f and not i d l e and
not TxEnable and ( l oad counte r < ”0111 ”)−> next ! ( T frame va l id ) ) ;
P6 T frame not va l id :
always ( s end crc or TxSendAbort or i d l e or (not TxEnable and (
l oad counte r = ”0111 ”) ) −> next ! (not T frame va l id and not load ) ) ;
P7 l o ad da t a n s t a l l :
always ( ( ( l oad counte r < ”0111 ”) and ( l oad counte r > ”0000 ”) and not
s t a l l and T frame va l id ) and not TxSendAbort−> next ! ( not TxSendAbort
−> ( l oad counte r= (prev ( l oad counte r )+”0001 ”) ) ) and (not load ) ) ;
P8 l o ad da t a n s t a l l 2 :
always ( ( l oad counte r = ”0000 ”) and not s t a l l and T frame va l id and not
TxSendAbort−> next ! ( l oad counte r= (prev ( l oad counte r )+”0001 ”) ) and (
TxDataWr −> load ) ) ;
P9 l oad data ws ta l l :
always ( l oad counte r < ”0111 ” and ( l oad counte r > ”0000 ”) and s t a l l and
not eo f and T frame val id−> next ! ( T frame va l id −> l oad counte r =
(prev ( l oad counte r ) ) ) and next ! ( not load ) ) ;
P10 l oad data ws ta l l 2 :
always ( ( l oad counte r = ”0000 ”) and s t a l l and not eo f and T frame va l id
−> next ! ( T frame va l id −> l oad counte r = (prev ( l oad counte r ) ) ) and
(not load ) and next ! ( T frame va l id and TxDataWr −> load ) ) ;
177
Chapter B : Case study: High-level Data Link Controller
P11 load new data :
always ( ( l oad counte r = ”0111 ”) and TxDataWr and not eo f and
T frame va l id −> next ! ( ( ( l oad counte r = ”0000 ”) ) ) ) ;
P12 se t counte r no load :
always ( ( l oad counte r = ”0111 ”) and not T frame va l id −> next ! ( (
l oad counte r = ”0000 ”) until ! (not rose ( s e nd f l a g ) ) ) ) ;
P13 end c r c c l o s e f l a g :
always ( rose ( crc done ) −> next ! ( s e nd f l a g and TxLastBit ) and next a ! [ 1
to 7 ] ( ( not T frame va l id ) ) ) ;
P14 id l e between f rames :
always ( rose ( crc done ) −> next a ! [ 1 to 8 ] ( not i d l e ) and next ! [ 9 ] ( ( not
TxDataWr −> i d l e ) ) ) ;
P15 new frame share f lag :
always ( rose ( crc done ) and TxShareFlag −> next ! [ 6 ] ( TxDataWr −>
T frame va l id ) ) ;
P16 new frame open f lag :
always ( rose ( crc done ) and not TxShareFlag −> next ! ( l oad counte r = ”
0000 ”) and next ! ( TxCRCValue = ”00000000000000000000000000000000 ”)
and next ! [ 9 ] ( next event (TxDataWr and not i d l e ) ( s e nd f l a g and not
load ) ) ) ;
P17 deaa s e r t s end f l ag :
always ( s e nd f l a g −> next ! ( not s e nd f l a g ) ) ;
P18 eof :
always (TxDataWr and TxEoF and load and T frame va l id −> next ! [ 3 ] ( e o f )
and next ! [ 3 ] ( data counter = ”000 ”) ) ;
P19 k e ep eo f no s t a l l :
always ( eo f and not s t a l l and ( data counter < ”101 ”) and T frame val id
−> next ! ( e o f ) and next ! ( ( data counter = (prev ( data counter ) + ”001 ”)
) ) ) ;
P20 k e ep eo f w i t h s t a l l :
always ( eo f and s t a l l and ( data counter < ”101 ”) and T frame val id−>
next ! ( ( e o f = ’1 ’ ) ) and next ! ( ( data counter = prev ( data counter ) ) ) ) ;
P 2 1 e o f s t a r t c r c :
always ( eo f and ( data counter = ”101 ”) and T frame val id−> next ! ( not
eo f and ( data counter = ”000 ”) ) and s end crc ) ;
P 2 2 e o f s t a r t c r c n f :
always ( eo f and (not T frame va l id )−> next ! ( not eo f and ( data counter
= ”000 ”) ) and s end crc ) ;
P23 deaase r t s end crc :
always ( s end crc −> next ! (not s end crc and not TxCRCValAvail ) and next
! ( ( l oad counte r = ”0000 ”) ) ) ;
B.2 : Receiver
P24 abo r t c l o s e f l a g :
always (TxSendAbort −> next ! [ 8 ] ( s e nd f l a g and TxLastBit ) and next ! (
l oad counte r = ”0000 ”) and next a ! [ 1 to 16 ] (not i d l e ) and next
! [ 1 7 ] ( ( i d l e ) ) and next a ! [ 1 to 17 ] (not T frame va l id ) and next ! [ 9 ] (
next event ( s e nd f l a g ) [ 8 ] ( T frame va l id ) ) ) ;
P25 crc va l 16 :
always ( rose ( s end crc ) and (TxCRCSel = ”01 ”) −> (TxCRCValue(15 downto 0)
= R16) and (TxCRCValue(31 downto 16) = ”0000000000000000 ”) and
TxCRCValAvail ) ;
P26 crc va l 32 :
always ( rose ( s end crc ) and (TxCRCSel = ”10 ”) −> (TxCRCValue = R32) and
TxCRCValAvail ) ;
P 2 7 c r c v a l i n i t :
always ( rose ( crc done ) −> next ! ( TxCRCValue = ”
00000000000000000000000000000000 ”) ) ;
P28 l a s t b i t :
always ( TxLastBit −> next ! ( not TxLastBit ) ) ;
P29 T disbale :
always ( T frame va l id and ( ( f e l l ( TxEnable ) and ( l oad counte r /= ”0000 ”
) ) or ( f e l l (TxEnable ) and ( l oad counte r = ”0000 ”) and load ) ) −>
next ! ( next event ( l oad counte r = ”0111 ”) ( eo f ) ) ) ;
P30 between data :
always ( ( l oad counte r > ”0111 ”) and ( l oad counte r < ”1111 ”) and not
TxDataWr and not eo f and T frame va l id and TxEnable−> next ! ( ( (
l oad counte r = prev ( l oad counte r ) + ”0001 ”) ) ) ) ;
P31 underrun :
always ( ( l oad counte r = ”1111 ”) and not TxDataWr and not eo f and
T frame va l id and TxEnable−> next ! ( l oad counte r = ”0000 ”) and next ! (
TxUnderRun) ) ;
P32 new data :
always ( ( l oad counte r > ”0111 ”) and ( l oad counte r < ”1111 ”) and rose (
TxDataWr) and not eo f and T frame va l id and TxEnable−> next ! (
l oad counte r = ”0000 ”) ) ;
P33 not underrun :
always (TxUnderRun −> next ! (not TxUnderRun) ) ;
}
Figure B.6: Properties that describe transmitter controller
179
Chapter B : Case study: High-level Data Link Controller
B.2.1 Flag and abort detection
The receiver begins the operation by detecting the opening ﬂag through the FlagAbortDet
module. Once an opening ﬂag is detected, the receiver begins to receive the incoming
frame, while FlagAbortDet is monitoring the frame for a closing ﬂag. Figure B.7 shows
the FL properties for the FlagAbortDet module. In these properties, RxEnable and
RxData are inputs. The serial data is put on the R S Data output port. The output
signals IsFlag, IsAbort, and AbortFound indicate if a ﬂag or abort sequence is detected.
data seq is an internal signal that stores 8 consecutive bits of the incoming data.
vunit FlagAbortDet
{
P0 R FA init :
not R S Data and ( data seq = ”00000000 ”) and not AbortFound ;
P1 R FA receive data :
always (RxEnable −> ( R S Data = data seq (7 ) ) ) ;
P2 R FA store data :
always (RxEnable −> next ! ( data seq (0 ) = RxData) and next ! ( data seq (7
downto 1) = prev ( data seq (6 downto 0) ) ) ) ;
P3 R FA is abort :
always ( ( data seq = ”11111111 ”) −> IsAbort and (AbortFound until ! ( f e l l
( I sF lag ) ) ) and (next event ( f e l l ( I sF lag ) ) (not AbortFound ) ) ) ;
P4 R FA is not abort :
always ( ( data seq /= ”11111111 ”) −> not IsAbort ) ;
P5 R FA is f lag :
always ( ( data seq = ”01111110 ”) −> I sF lag and not IsAbort ) ;
P6 R FA is not f lag :
always ( ( data seq /= ”01111110 ”) −> not I sF lag ) ;
}
Figure B.7: SERE properties that describe FlagAbortDet
Figure. B.8 shows the SERE properties for FlagAbortDet.
B.2.2 Zero detection
The ZeroDetection module checks the incoming data from FlagAbortDet to verify if a
zero is inserted after ﬁve consecutive 1s. In this situation, the inserted 0 is deleted from
the incoming frame, and R zero Inserted is asserted. Figure B.9 shows the FL properties
for the ZeroDetection module. In this module, R S Data and RxEnable are inputs, and
R stall, R zero Inserted, and R zero Data are outputs. data seq is an internal signal to
buﬀer the 7 consecutive bits of the incoming data.
Figure B.10 shows the SERE properties for ZeroDetection.
B.2 : Receiver
vunit FlagAbortDet sere
{
P0 R FA init :
not R S Data and not AbortFound ;
P 1 i s f l a g :
always ({RxEnable and not R S Data ; R S Data [ ∗ 6 ] ; not R S Data} |−> {
I sF lag and not IsAbort }) ;
P2 i s abo r t :
always ({RxEnable and not R S Data ; R S Data [ ∗ 7 ] } |−> {{ IsAbort } & {
AbortFound [ ∗ ] ; f e l l ( I sF lag ) }}) ;
}
Figure B.8: SERE properties that describe FlagAbortDet
vunit ZeroDetect ion
{
P0 R Z init :
not R zero Data and not R s t a l l and not R zero In s e r t ed and ( data seq =
”0000000 ”) ;
P1 R Z rece ive data : −− P1 send data :
always (RxEnable −> ( R zero Data = R S Data ) ) ;
P2 R Z store data : −− P2 s tore da ta :
always (RxEnable −> next ! ( data seq (0 ) = R S Data ) and next ! ( data seq (6
downto 1) = prev ( data seq (5 downto 0) ) ) ) ;
P3 R Z zero inse r ted :
always ( ( data seq = ”0111110 ”) −> R zero In s e r t ed and R s t a l l ) ;
P4 R Z zero not in se r t ed :
always ( ( data seq /= ”0111110 ”) −> not R zero In s e r t ed and not R s t a l l )
;
}
Figure B.9: FL properties that describe ZeroDetection
vunit Ze roDet e c t i on s e r e
{
P0 R Z init :
not R zero Data and not R s t a l l and not R zero In s e r t ed ;
P1 ze ro de t e c t i on :
always ({RxEnable and not R S Data ; R S Data [ ∗ 5 ] ; not R S Data} |−>
R zero In s e r t ed and R s t a l l ) ;
}
Figure B.10: SERE roperties that describe ZeroDetection
181
Chapter B : Case study: High-level Data Link Controller
B.2.3 CRC checker
The CRCCheck module performs the same generator polynomial division as the transmitter
across the entire transmitted message, including the CRC ﬁeld. The remainder is then
compared to the remainder of the CRCGen module. Figure B.11 shows the speciﬁcation of
the CRC_Checkermodule (for 16-bit CRC). In these properties, RxCRCSel, poly16, R stall,
R zero Data, and R crc check are the inputs of CRCCheck. R crc data, R crc error, and
R R16 are the outputs of the module. An internal signal is also deﬁned (crc buﬀer) for
storing the incoming serial data.
B.2.4 Serial to Parallel converter
Figure B.12 shows the PSL properties for the S2P module. In this module, s2p enable,
s2p disable, R stall, and R crc data are inputs, and RxDout and s2p done are outputs.
R load counter, s2p buﬀer, and frame valid are the internal signals.
B.2.5 Receiver Controller
Figure B.13 shows the properties for synthesizing receiver controller. When the receiver
is enable, the controller waits for receiving one of these signals: IsAbort or IsFlag.
If an abort sequence is not detected (IsAbort= 0), RxAbortFound is set to 0. Otherwise,
the receiver looks for a closing ﬂag, and sets the RxAbortFound signal to 1, and this signal
remains 1 until receiving the closing ﬂag.
If a ﬂag is detected (IsFlag = 1), the receiver should specify if a detected ﬂag is an
opening ﬂag (a ﬂag sequence that is followed by a non-ﬂag sequence), or a closing ﬂag. To
detect the opening and closing ﬂags, an internal signal is deﬁned: R ﬂag counter. Initially,
this signal is set to 0. After receiving the ﬁrst ﬂag, this signal is set to 1, which indicates
a ﬂag has already been detected. So, the next detected ﬂag would be the closing ﬂag.
When a closing ﬂag is detected, R ﬂag counter is again set to 0.
When an opening ﬂag is detected, the CRCCheck module should become enable after 8
clock cycles. Then, receiver waits for the R crc error signal, and reads this signal in the
cycle in which the RxEndOfFrame is 1 to detect if an error exists in the received data.
Then, controller enables the StoP module, and wait for receiving s2p done that speciﬁes
if the S2P module has ﬁnished paralleling 8 bits of data.
B.2 : Receiver
vunit CRCCheck
{
P0 R crc in i t da ta :
always (RxEnable and rose ( R crc check ) −> not R crc e r r o r and (R R16 =
”0000000000000000 ”) and ( c r c b u f f e r = ”
00000000000000000000000000000000 ”) ) ;
P1 R crc 16 data 2 ns :
always (RxEnable and not R s t a l l and R crc check and (RxCRCSel = ”01 ”)
and R R16 (15) −> next ! ( R R16(15 downto 1) = ( poly16 (15 downto 1) XOR
(prev (R R16(14 downto 0) ) ) ) ) and next ! ( R R16 (0 ) = ( poly16 (0 ) XOR
prev ( c r c b u f f e r (15) ) ) ) ) ;
P2 R crc 16 data 2 s :
always (RxEnable and R s t a l l and R crc check and (RxCRCSel = ”01 ”) −>
next ! ( R R16 = (prev (R R16) ) ) ) ;
P3 R crc 16 data 1 ns :
always (RxEnable and not R s t a l l and R crc check and (RxCRCSel = ”01 ”)
and not R R16 (15) −> next ! ( R R16(15 downto 1) = prev (R R16(14 downto
0) ) ) and next ! ( R R16 (0 ) = prev ( c r c b u f f e r (15) ) ) ) ;
P4 R c r c 16 sh i f t n s :
always (RxEnable and not R s t a l l and R crc check and (RxCRCSel = ”01 ”)
−> next ! ( c r c b u f f e r (31 downto 1) = prev ( c r c b u f f e r (30 downto 0) ) )
and next ! ( c r c b u f f e r (0 ) = prev ( R zero Data ) ) ) ;
P5 R c r c 16 sh i f t s :
always (RxEnable and R s t a l l and R crc check and (RxCRCSel = ”01 ”) −>
next ! ( c r c b u f f e r (31 downto 1) = prev ( c r c b u f f e r (31 downto 1) ) ) and
next ! ( c r c b u f f e r (0 ) = prev ( c r c b u f f e r (0 ) ) ) ) ;
P6 R crc 16 send data :
always (RxEnable and R crc check and (RxCRCSel = ”01 ”) −> ( R crc data =
R zero Data ) ) ;
P7 R crc 16 er ro r :
always (RxEnable and R crc check and ( c r c b u f f e r (15 downto 0) /= R R16)
and (RxCRCSel = ”01 ”) −> R crc e r r o r ) ;
P8 R cr c 16 no t c r c e r r :
always (RxEnable and R crc check and ( c r c b u f f e r (15 downto 0) = R R16)
and (RxCRCSel = ”01 ”) −> not R crc e r r o r ) ;
P9 R crc d i sab l e :
always (not RxEnable or not R crc check −> R crc data = ’0 ’ ) ;
}
Figure B.11: Properties that describe CRCCheck (for 16-bit CRC)
183
Chapter B : Case study: High-level Data Link Controller
vunit S2P
{
P0 R S2P init :
not f r ame va l id and not s2p done and ( R load counter = ”0000 ”) and (
s 2p bu f f e r = ”00000000 ” and (RxDout = ”00000000 ”) ;
P1 R S2P frame :
always ( rose ( s2p enab le ) −> ( f r ame va l id until ! ( s 2p d i s ab l e ) ) ) ;
P2 R S2P frame :
always ( rose ( s 2p d i s ab l e ) −> (not f r ame va l id ) until ! ( s2p enab le ) ) ;
P3 R S2P shi ft :
always (not R s t a l l and ( f r ame va l id ) and ( R load counter < ”1000 ”)−>
next ! ( s 2p bu f f e r (7 ) = prev ( R crc data ) ) and next ! ( s 2p bu f f e r (6
downto 0) = prev ( s 2p bu f f e r (7 downto 1) ) ) and next ! ( ( R load counter
= prev ( R load counter ) + ”0001 ” ) ) ) ;
P4 R S2P no val id frame :
always (not ( f r ame va l id ) −> next ! ( s 2p bu f f e r = ”00000000 ”) and next ! ( (
R load counter = ”0000 ”) ) ) ;
P5 R S2P sta l l :
always ( R s t a l l and ( f r ame va l id ) and ( R load counter < ”1000 ”)−> next
! ( R load counter = prev ( R load counter ) ) and next ! ( s 2p bu f f e r = prev
( s 2p bu f f e r ) ) ) ;
P6 R S2P data ready ns :
always (not R s t a l l and ( R load counter = ”1000 ”) −> next ! (
R load counter = ”0001 ”) and (RxDout = s2p bu f f e r ) and s2p done and
next ! ( RxDout = ”00000000 ”) ) ;
P7 R S2P data ready s :
always ( ( R s t a l l ) and ( R load counter = ”1000 ”) −> next ! ( R load counter
= ”0000 ”) and (RxDout = s2p bu f f e r ) and s2p done and next ! (
s 2p bu f f e r = prev ( s 2p bu f f e r ) ) ) ;
P8 R S2P not done :
always ( rose ( s2p done ) −> next ! ( not s2p done ) ) ;
}
Figure B.12: Properties that describe S2P
B.2 : Receiver
vunit RContro l l e r
{
P0 R Ctr in i t :
not R crc check and not R crc e r r o r and not s2p enab le and not
s 2p d i s ab l e and not RxDataAvail and ( R f l ag counte r = ”00 ”) and not
RxEndOfFrame and not RxStartOfFrame and not RxAbortFound and (
RxCRCValue = ”00000000000000000000000000000000 ”) ;
P1 R Ctr s2p en :
always ( rose ( R crc check ) −> ( s2p enab le ) ) ;
P2 R Ctr s2p not en :
always ( rose ( s2p enab le ) −> next ! (not s2p enab le ) ) ;
P3 R Ctr open f lag :
always ( I sF lag and ( R f l ag counte r = ”00 ”) −> next ! ( R f l ag counte r = ”
01 ”) and next ! [ 8 ] ( R crc check ) ) ;
P4 R Ctr c l o s e f l a g :
always ( I sF lag and ( R f l ag counte r = ”01 ”) −> next ! ( s 2p d i s ab l e and not
R crc check ) and next ! ( R f l ag counte r = ”00 ”) ) ;
P5 R Ctr s2p not d is :
always ( rose ( s 2p d i s ab l e ) −> next ! (not s 2p d i s ab l e ) ) ;
P6 R Ctr data rdy :
always ( s2p done −> RxDataAvail ) ;
P7 R Ctr data not rdy :
always ( rose ( RxDataAvail ) −> next ! (not RxDataAvail ) ) ;
P8 R Ctr SoF :
always ( I sF lag and ( R f l ag counte r = ”00 ”) −> next ! [ 8 ] ( not IsAbort and
not AbortFound and not I sF lag −> next event ( RxDataAvail ) (
RxStartOfFrame ) ) ) ;
P9 R Ctr not SoF :
always ( rose ( RxStartOfFrame ) −> next ! (not RxStartOfFrame ) ) ;
P10 R Ctr EoF n abort :
always ( RxStartOfFrame and ( R f l ag counte r = ”01 ”) and not RxAbortFound
−> next event ( RxDataAvail and I sF lag ) (RxEndOfFrame) ) ;
P11 R Ctr EoF abort :
always ( I sF lag and R f lag counte r = ”01 ” and RxAbortFound−>RxEndOfFrame
) ;
P12 R Ctr not EoF :
always ( rose (RxEndOfFrame) −> next ! (not RxEndOfFrame) ) ;
P13 R Ctr CRC Err :
always ( ( rose (RxEndOfFrame) and R crc e r r o r ) −> (RxCRCError ) and next !
(not RxCRCError) ) ;
185
Chapter B : Case study: High-level Data Link Controller
P14 R Ctr not CRC Err :
always ( rose ( RxStartOfFrame ) −> (not RxCRCError) until ! (RxEndOfFrame
and R crc e r r o r ) ) ;
P15 R Ctr CRC value :
always (RxEndOfFrame and (RxCRCSel = ”01 ”)−> (RxCRCValue(15 downto 0) =
R R16) and next ! ( RxCRCValue = ”00000000000000000000000000000000 ”) )
;
P16 R abort found :
always ( ( R f l ag counte r /= ”00 ”) −> (next ! ( RxAbortFound = AbortFound ) )
) ;
}
Figure B.13: Properties that describe RController
AppendixC
Case study: Advanced Microcontroller Bus
Architecture
The Advanced Microcontroller Bus Architecture (AMBA) [AMB] is a chip communication
standard that has been developed to design high-performance embedded microcontrollers.
One category of AMBA bus is Advanced High-Performance Bus (AHB).
The AMBA AHB bus is used to interconnect and communicate high-clock frequency
modules, like high- performance processors or on-chip memories. A basic bus is composed
of 4 diﬀerent modules: one or multiple masters, one or multiple slaves, an arbiter and a
decoder (see Fig. C.1).
Figure C.1: The AMBA arbiter block diagram (the ﬁgure is taken from [AMB])
The masters will send an address and some control signals to indicate which slave they
want to communicate with, and which type of transfer they are going to do. The master
is the element (for example a peripheral or the control unit of a processor) that can take
control of the bus and send or request information to other elements connected to the
187
Chapter C : Case study: Advanced Microcontroller Bus Architecture
bus. To obtain the control of the bus, the master must send a request to the arbiter and
wait until it is responded with a grant signal. The role of the arbiter is to decide which
master should take the control of the bus in a speciﬁc cycle, and depending on the type
of the transfer, arbiter should also decide for how long this master has the control of the
bus. The task of the decoder is to analyze the address given by the master and decide
which slave should be selected. Each slave has a set of memory spaces available to read
or write data, if the address sent by the master corresponds to one of these spaces the
slave is selected to make the transfer. The slave should also send an answer to the master
whenever a transfer is ﬁnished to see if it was successful or not.
Figure C.2 shows the FL properties that describe AMBA arbiter. The original proper-
ties are taken from [GCH], and have been rewritten to be used in SyntHorus2. In addition
to the input/output signals shown in Fig. C.1, some internal signals have been deﬁned
and used in the properties:
• BUSREQ : becomes 1 whenever there is a request from one of the masters,
• DECIDE : indicates the cycle in which the arbiter decides who is the next master,
• GRANTED : is used for deciding the start of the new access to the bus,
• mast j : if this signal is 1, it implies that HMASTER = j.
vunit a r b i t e r {
P0 G1 1 m0 :
always (HBUSREQ 0 and mast 0 −> BUSREQ) ;
P1 G1 2 m0 :
always (not HBUSREQ 0 and mast 0 −> not BUSREQ) ;
P2 G1 1 m1 :
always (HBUSREQ 1 and mast 1 −> BUSREQ) ;
P3 G1 2 m1 :
always (not HBUSREQ 1 and mast 1 −> not BUSREQ) ;
P4 G4 m0 m1 :
always (DECIDE and (HBUSREQ 0 or HBUSREQ 1) −>next ! (GRANTED) ) ;
P5 G5 1 :
always (GRANTED and HREADY −> next ! ( not GRANTED) ) ;
P6 G5 2 :
always (GRANTED and not HREADY −> next ! (GRANTED) ) ;
P7 G6 1 m0 :
always (HREADY and HGRANT 0 −> next ! ( mast 0 ) ) ;
P8 G6 2 m0 :
always (HREADY and not HGRANT 0 −> next ! ( not mast 0 ) ) ;
P9 G6 1 m1 :
always (HREADY and HGRANT 1−> next ! ( mast 1 ) ) ;
P10 G6 2 m1 :
always (HREADY and not HGRANT 1−> next ! ( not mast 1 ) ) ;
P11 G7 m0 m1 :
always ( (HREADY and ( (HLOCK 0 and HGRANT 0) or (HLOCK 1 and HGRANT 1) )
−> next ! (HMASTLOCK) ) ) ;
P12 G8 1 1 m0 :
always ( (not HREADY or not GRANTED) and mast 0 m−> next ! ( mast 0 ) ) ;
P13 G8 1 2 m0 :
always ( (not HREADY or not GRANTED) and (not mast 0 )−> next ! ( not mast 0
) ) ;
P14 G8 1 1 m1 :
always ( (not HREADY or not GRANTED) and mast 1−> next ! ( mast 1 ) ) ;
P15 G8 1 2 m1 :
always ( (not HREADY or not GRANTED) and (not mast 1 )−> next ! ( not mast 1
) ) ;
P16 G8 2 1 m0 m1 :
always (not HREADY or not GRANTED and HMASTLOCK−> next ! (HMASTLOCK) ) ;
P17 G8 2 2 m0 m1 :
always (not HREADY or not GRANTED and not HMASTLOCK−> next ! ( not
HMASTLOCK) ) ;
P18 G9 1 m0 :
always (not DECIDE and HGRANT 0−> next ! (HGRANT 0) ) ;
P19 G9 2 m0 :
always (not DECIDE and not HGRANT 0−> next ! ( not HGRANT 0) ) ;
P20 G9 1 m1 :
always (not DECIDE and HGRANT 1−> next ! (HGRANT 1) ) ;
P21 G9 2 m1 :
always (not DECIDE and not HGRANT 1−> next ! ( not HGRANT 1) ) ;
P22 G10 1 m1 :
always (not HGRANT 1 −> next ! ( (not HGRANT 1) until ! HBUSREQ 1) ) ;
P23 G10 2 :
always (DECIDE and (not HBUSREQ 0) and (not HBUSREQ 1) −> next ! (
HGRANT 0) ) ;
P24 G12 :
DECIDE and HGRANT 0 and ( (not HMASTER 0) and (not HMASTER 1) and (not
HMASTER 2) and (not HMASTER 3) ) and not GRANTED and not HMASTLOCK
and not HGRANT 1;
P25 gen dec ide :
always ( ( (HBUSREQ 0 or HBUSREQ 1) or (HLOCK 0 or HLOCK 1) ) and HREADY
and (not (GRANTED) and not DECIDE)−> next ! (DECIDE) ) ;
P26 gen not dec ide :
always (DECIDE −> next ! (not DECIDE) ) ;
P27 grant0 :
always ( ( (GRANTED) and (not prev (HGRANT 0) ) and (not HLOCK 1) ) or (
HLOCK 0 and prev (HGRANT 0) )−> HGRANT 0) ;
P28 grant1 :
always ( ( (GRANTED) and (not prev (HGRANT 1) ) and (not HLOCK 0) ) or (
HLOCK 1 and prev (HGRANT 1) )−> HGRANT 1) ;
P29 not HMASTER1 :
always not HMASTER 1 and not HMASTER 2 and not HMASTER 3;
P30 mast 0 :
always mast 0−> not HMASTER 0;
P31 mast 1 :
always mast 1−> HMASTER 0;
P32 one grant :
always not HGRANT 0 or not HGRANT 1;
}
Figure C.2: Annotated FL speciﬁcation of AMBA arbiter (for 2 masters and 2 slaves)
189
Chapter C : Case study: Advanced Microcontroller Bus Architecture
AppendixD
The Annotation Results
Contents
D.1 IBM Generalized Buﬀer . . . . . . . . . . . . . . . . . . . . . . 192
D.1.1 Communication with senders . . . . . . . . . . . . . . . . . . . 192
D.1.2 Communication with receivers . . . . . . . . . . . . . . . . . . 194
D.1.3 Communication with FIFO . . . . . . . . . . . . . . . . . . . . 196
D.2 HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
D.2.1 Transmitter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
D.2.2 Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
D.3 AMBA arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
191
Chapter D : The Annotation Results
D.1 IBM Generalized Buﬀer
D.1.1 Communication with senders
D.1.1.1 FL properties
vunit genbuf sender
{
P0 sender 0 :
always ( (not BtoS ACK m(0) ) and (not StoB REQ m(0) ) −> next ! (not
BtoS ACK g (0) ) ) ;
P0 sender 1 :
always ( (not BtoS ACK m(1) ) and (not StoB REQ m(1) ) −> next ! (not
BtoS ACK g (1) ) ) ;
P1 sender 0 :
always ( (BtoS ACK m(0) and StoB REQ m(0) ) −> next ! (BtoS ACK g (0) ) ) ;
P1 sender 1 :
always ( (BtoS ACK m(1) and StoB REQ m(1) ) −> next ! (BtoS ACK g (1) ) ) ;
P2 sender 0 :
always ( rose (StoB REQ m(0) ) −> not BtoS ACK g (0) ) ;
P2 sender 1 :
always ( rose (StoB REQ m(1) ) −> not BtoS ACK g (1) ) ;
P3 sender :
always ( not BtoS ACK(0) or not BtoS ACK(1) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P4 FIFO sender :
always (not ENQ or BtoS ACK(0) or BtoS ACK(1) ) ;
P5 sere FIFO sender 0 :
always (not BtoS ACK m(0)}−> next ! (ENQ or not BtoS ACK(0) ) ) ;
P5 sere FIFO sender 1 :
always (not BtoS ACK m(1)}−> next ! (ENQ or not BtoS ACK(1) ) ) ;
P6 FIFO sender :
always ( (StoB REQ m(0) or StoB REQ m(1) ) and (not FULL m) and (not
ENQ m) −> next ! (ENQ g) and next ! [ 2 ] ( not ENQ g) ) ;
P7 FIFO sender 0 :
always ( rose (BtoS ACK m(0) ) −> SLC g = 0) ;
P7 FIFO sender 1 :
always ( rose (BtoS ACK m(1) ) −> SLC g = 1) ;
}
Figure D.1: Annotated FL speciﬁcation of the sender side of GenBuf (2 senders)
D.1 : IBM Generalized Buﬀer
D.1.1.2 SERE properties
vunit g enbu f s ende r s e r e
{
P0 se r e s ende r 0 :
always ({not BtoS ACK m(0) and not StoB REQ m(0) } |=> {not BtoS ACK g
(0) } ! ) ;
P0 se r e s ende r 1 :
always ({not BtoS ACK m(1) and not StoB REQ m(1) } |=> {not BtoS ACK g
(1) } ! ) ;
P1 se r e s ende r 0 :
always ({ (BtoS ACK m(0) and StoB REQ m(0) ) } |=> {(BtoS ACK g (0) ) } ! ) ;
P1 se r e s ende r 1 :
always ({ (BtoS ACK m(1) and StoB REQ m(1) ) } |=> {(BtoS ACK g (1) ) } ! ) ;
P2 se r e s ende r 0 :
always ({not StoB REQ m(0) ; StoB REQ m(0) } |−> {not BtoS ACK g (0) }) ;
P2 se r e s ende r 1 :
always ({not StoB REQ m(1) ; StoB REQ m(1) } |−> {not BtoS ACK g (1) }) ;
P3 se r e s ender :
always ( not BtoS ACK(0) or not BtoS ACK(1) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P4 sere FIFO sender :
always (BtoS ACK(0) or BtoS ACK(1) or not ENQ ) ;
P5 sere FIFO sender 0 :
always ({not BtoS ACK m(0) } |=> {ENQ or not BtoS ACK(0) } ! ) ;
P5 sere FIFO sender 1 :
always ({not BtoS ACK m(1) } |=> {ENQ or not BtoS ACK(1) } ! ) ;
P6 sere FIFO sender :
always ({ (StoB REQ m(0) or StoB REQ m(1) ) and not FULL m and not ENQ m}
|=> {ENQ g ; not ENQ g} ! ) ;
P7 sere FIFO sender 0 :
always ({not BtoS ACK m(0) ; BtoS ACK m(0) } −> SLC g = 0) ;
P7 sere FIFO sender 1 :
always ({not BtoS ACK m(1) ; BtoS ACK m(1) } −> SLC g = 1) ;
}
Figure D.2: Annotated SERE speciﬁcation of the sender side of GenBuf (2 senders)
193
Chapter D : The Annotation Results
D.1.2 Communication with receivers
D.1.2.1 FL properties
vunit g enbu f r e c e i v e r
{
−−−−− r e c e i v e r s i d e
P0 rec :
assert (always (not EMPTYm −> next ! ( BtoR REQ(0) or ( BtoR REQ(1) ) ) ) ) ;
P1 rec :
assert (always (EMPTYm −> next ! ( not BtoR REQ g(0) and (not BtoR REQ g
(1) ) ) ) ) ;
P2 rec :
assert (always (not BtoR REQ(0) or not BtoR REQ(1) ) ) ;
P3 rec 0 :
assert (always ( rose (BtoR REQ m(0) ) −> next ! (next event ! (prev (not
BtoR REQ m(0) ) ) (not BtoR REQ g(0) unti l (BtoR REQ m(1) ) ) ) ) ) ;
P3 rec 1 :
assert (always ( rose (BtoR REQ m(1) ) −> next ! (next event ! (prev (not
BtoR REQ m(1) ) ) (not BtoR REQ g(1) unti l (BtoR REQ m(0) ) ) ) ) ) ;
P4 rec 0 :
assert (always ( (BtoR REQ m(0) ) and (not RtoB ACK m(0) )−> next ! (
BtoR REQ g(0) ) ) ) ;
P4 rec 1 :
assert (always ( (BtoR REQ m(1) ) and (not RtoB ACK m(1) )−> next ! (
BtoR REQ g(1) ) ) ) ;
P5 rec 0 :
assert (always ( (RtoB ACK m(0) ) −> (next ! (not BtoR REQ g(0) ) ) ) ) ;
P5 rec 1 :
assert (always ( (RtoB ACK m(1) ) −> (next ! (not BtoR REQ g(1) ) ) ) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P6 FIFO rec :
assert (always ( ( f e l l (RtoB ACK m(0) ) or ( f e l l (RtoB ACK m(1) ) ) and not
EMPTYm) −> (DEQ g) ) ) ;
P7 FIFO rec :
assert (always ( not f e l l (RtoB ACK m(0) ) and not f e l l (RtoB ACK m(1) ) −>
(not DEQ g) ) ) ;
}
Figure D.3: Annotated FL speciﬁcation of the receiver side of GenBuf (2 receivers)
D.1 : IBM Generalized Buﬀer
D.1.2.2 SERE properties
vunit g e nbu f r e c e i v e r s e r e
{
P0 se r e r e c :
always ({not EMPTYm} |=> {BtoR REQ(0) or BtoR REQ(1) } ! ) ;
P1 s e r e r e c :
always ({EMPTYm} |=> {not BtoR REQ g(0) and not BtoR REQ g(1) } ! ) ;
P2 s e r e r e c :
always (not BtoR REQ(0) or not BtoR REQ(1) ) ;
P3 s e r e r e c 0 :
always ( {not BtoR REQ m(0) ; BtoR REQ m(0) ; {BtoR REQ m(0) [ ∗ ] ; not
BtoR REQ m(0) }} |=> {(not BtoR REQ g(0) ) [ ∗ ] ; (prev (BtoR REQ m(1) ) )
} ! ) ;
P3 s e r e r e c 1 :
always ( {not BtoR REQ m(1) ; BtoR REQ m(1) ; {BtoR REQ m(1) [ ∗ ] ; not
BtoR REQ m(1) }} |=> {(not BtoR REQ g(1) ) [ ∗ ] ; (prev (BtoR REQ m(0) ) )
} ! ) ;
P4 s e r e r e c 0 :
always ( {BtoR REQ m(0) and (not RtoB ACK m(0) ) } |=> {BtoR REQ g(0) } ! ) ;
P4 s e r e r e c 1 :
always ( {BtoR REQ m(1) and (not RtoB ACK m(1) ) } |=> {BtoR REQ g(1) } ! ) ;
P5 s e r e r e c 0 :
always ( {RtoB ACK m(0) } |=> {not BtoR REQ g(0) } ! ) ;
P5 s e r e r e c 1 :
always ( {RtoB ACK m(1) } |=> {not BtoR REQ g(1) } ! ) ;
P6 sere FIFO rec :
always ( ( f e l l (RtoB ACK m(0) ) or ( f e l l (RtoB ACK m(1) ) ) and not EMPTYm)
−> (DEQ g) ) ;
P7 sere FIFO rec :
always (not f e l l (RtoB ACK m(0) ) and not f e l l (RtoB ACK m(1) ) −> (not
DEQ g) ) ;
}
Figure D.4: Annotated SERE speciﬁcation of the receiver side of GenBuf (2 receivers)
195
Chapter D : The Annotation Results
D.1.3 Communication with FIFO
vunit genbuf FIFO
{
P0 FIFO :
always (FULL m and not DEQ m −> not ENQ g) ;
P1 FIFO :
always (EMPTYm −> not DEQ g) ;
}
Figure D.5: Annotated FL speciﬁcation of the FIFO side of GenBuf
D.2 : HDLC
D.2 HDLC
D.2.1 Transmitter
Figure. D.6 shows the annotated SERE speciﬁcation of HDLC transmitter given in [PPSQ13].
We did not use these properties for generating the transmitter of HDLC, since they were
not complete.
vunit a s s e r t i on s Tran sm i t t e r ( Transmitter ( A Transmitter ) ) {
p160 a :
always ({not T frame val id m ; T frame val id m } |=>
( ( TxDout g = prev ( crc Data m ) ) until ( ( s t a l l m ) or not prev (
T frame val id m ) ) ) ) ;
sequence START 160 m i s
{(not crc Data m and T frame val id m ) or eof m } ;
sequence HOP 160 m i s
{ ( (not eof m ) and (TxSendAbort m or (not T frame val id m ) ) ) [ ∗ ] } ;
sequence REC 1 160 m i s
{ (not eof m and ( ( crc Data m and T frame val id m ) ) ) } ;
sequence REC 1 END 160 m i s
{ crc Data m and T frame val id m } ;
p160 b 1 :
always ({START 160 m ; {HOP 160 m ; REC 1 160 m } [ ∗ 4 ] ; HOP 160 m ;
REC 1 END 160 m } |=> { s t a l l g ; not TxDout g} ) ;
p160 b 2 :
always ({START 160 m ; {HOP 160 m ; REC 1 160 m } [ ∗ 4 ] ; HOP 160 m ;
REC 1 END 160 m ; {HOP 160 m ; REC 1 160 m ; [ ∗ 1 ] ; {HOP 160 m ;
REC 1 160 m } [ ∗ 3 ] ; HOP 160 m ; REC 1 END 160 m } [+] } |=> { s t a l l g ; not
TxDout g} ) ;
HDLC 300 :
always ({ ( ( load counter m = ”1001 ”) and (not TxDataWr m and TxEnable m)
= ’1 ’ ) ; (not TxDataWr m and TxEnable m) [ ∗ 7 ] }
|=> (TxUnderRun g ) ) ;
HDLC 250 1 :
always ({TxEnable m ; TxEnable m = ’0 ’ and TxCRCSel m = ”00 ” and
crc busy m = ’0 ’ and T frame val id m = ’1 ’}
|=> { [∗0 to 8 ] ; [ ∗ 8 ] ; not TxDout g ; TxDout g [ ∗ 6 ] ; not TxDout g }) ;
HDLC 200 :
always ({not TxSendAbort m and TxEnable m ; TxSendAbort m and TxEnable m}
|−> {TxDout g [ ∗ 7 ] ; {not TxDout g ; TxDout g [ ∗ 6 ] ; not TxDout g
} ; TxDout g [ ∗ ] } ) ;
HDLC 240 :
always ( {not TxLastBit m and not TxDataWr m ; TxLastBit m and not
TxDataWr m}
|−> { {not TxDout g ; (TxDout g ) [ ∗ 6 ] ; not TxDout g } ;
{TxDout g } [ ∗ ] ; { {TxEnable m and TxDataWr m} | {TxDout m and (not
TxEnable m or not TxDataWr m) } } }) ;
}
Figure D.6: Annotated SERE speciﬁcation of HDLC transmitter
197
Chapter D : The Annotation Results
D.2.1.1 P2S
vunit P2S
{
P0 in i t :
always (not T frame val id m −> ( ( P Data g = ”00000000 ”) and S Data g =
’0 ’ ) ;
P1 load :
always ( T frame val id m and not s t a l l m and load m −> ( P Data g =
TxData m) and ( S Data g = P Data m (7) ) ) ;
P2 s t a l l d a t a :
always ( T frame val id m and s t a l l m −> S Data g = ’0 ’ ) ;
P3 no t sh i f t :
always ( T frame val id m and not s t a l l m and not load m −> ( S Data g =
P Data m (7) ) and ( P Data g (0 ) = ’0 ’ ) and ( P Data g (1 to 7) = prev (
P Data m(0 to 6) ) ) ) ;
P4 keep data :
always ( T frame val id m and s t a l l m and not load m −> ( P Data g = prev (
P Data m) ) ) ;
}
Figure D.7: Annotated FL speciﬁcation of P2S
D.2 : HDLC
D.2.1.2 CRC generation
vunit CRCGen
{
P0 in i t da ta :
not c rc busy g and not crc done g and (R16 g = ”0000000000000000 ”) and
( c r c coun t e r g = ”00000 ”) ;
P1 crc 16 data 2 ns :
always (not abort set m and not s t a l l m and not send crc m and not
crc busy m and (TxCRCSel m = ”01 ”) and R16 m(15) −> next ! ( R16 g (15
downto 1) = ( poly16 m (15 downto 1) XOR (prev (R16 m(14 downto 0) ) ) )
) and next ! ( R16 g (0 ) = ( poly16 m (0) XOR prev ( S Data m) ) ) ) ;
P2 crc 16 data 1 ns :
always (not abort set m and not s t a l l m and not send crc m and not
crc busy m and (TxCRCSel m = ”01 ”) and not R16 m(15) −> next ! ( R16 g
(15 downto 1) = prev (R16 m(14 downto 0) ) ) and next ! ( R16 g (0 ) = prev (
S Data m) ) ) ;
P3 c r c 16 data 1 s :
always (not abort set m and s t a l l m and not send crc m and not
crc busy m and (TxCRCSel m = ”01 ”) −> next ! ( R16 g = prev (R16 m) ) ) ;
P4 CRC 16 send data :
always (not abort set m and not crc busy m and not send crc m and (
crc counter m < ”01111 ”) and (TxCRCSel m = ”01 ”) −> ( c r c da ta g =
S Data m) ) ;
P5 s end c r c 1 6 n s t a l l :
always (not abort set m and not s t a l l m and crc busy m and (TxCRCSel m
= ”01 ”) and ( crc counter m < ”01111 ”)−> next ! ( c r c busy g ) and next ! (
R16 g (0 ) = ’0 ’ ) and next ! ( c r c coun t e r g = (prev ( crc counter m ) + ”
00001 ”) ) and next ! ( R16 g (15 downto 1) = prev (R16 m(14 downto 0) ) )
and ( c r c da ta g = (R16 m(15) ) ) ) ;
P6 s e nd c r c 1 6 s t a l l :
always (not abort set m and s t a l l m and crc busy m and (TxCRCSel m = ”
01 ”) and ( crc counter m < ”01111 ”)−> next ! ( c r c busy g ) and next ! (
c r c coun t e r g = prev ( crc counter m ) ) and ( c r c da ta g = ’0 ’ ) and
next ! ( R16 g = prev (R16 m) ) ) ;
P7 crc 16 :
always (not abort set m and send crc m and (TxCRCSel m = ”01 ”) −> (
c rc busy g ) and ( c r c coun t e r g = ”00000 ”) ) ;
P8 done crc 16 :
always (not abort set m and crc busy m and (TxCRCSel m = ”01 ”) and (
crc counter m = ”01111 ”)−> next ! ( not c rc busy g ) and next ! (
c r c coun t e r g = (prev ( crc counter m ) + ”00001 ”) ) and next ! ( R16 g (15
downto 1) = prev (R16 m(14 downto 0) ) ) and next ! ( R16 g (0 ) = ’0 ’ ) and
( c r c da ta g = (R16 m(15) ) ) ) ;
P9 abort :
always ( abort set m −> next ! ( not c rc busy g ) and next ! ( R16 g (15 downto
1) = ”0000000000000000 ”) and next ! ( c r c coun t e r g = ”00000 ”) ) ;
P10 crc done : always ( f e l l ( crc busy m ) −> crc done g and next ! (not
crc done g ) and next ! ( c r c coun t e r g = ”00000 ”) ) ;
}
Figure D.8: Annotated FL speciﬁcation of CRCGen
199
Chapter D : The Annotation Results
D.2.1.3 Zero insertion
vunit Ze r o In s e r t i on
{
P0 in i t :
( ( s t a l l g = ’0 ’ ) and ( z e r o I n s e r t e d g = ’0 ’ ) and ( zero Data g = ’0 ’ ) ) ;
P1 Zero :
always (
prev (prev (prev (prev ( crc Data m ) ) ) ) and prev (prev (prev ( crc Data m ) ) )
and prev (prev ( crc Data m ) ) and prev ( crc Data m ) and crc Data m
−>
next ! ( s t a l l g and zero Data g )
) ;
P2 noZero :
always (
not prev (prev (prev (prev ( crc Data m ) ) ) ) or not prev (prev (prev (
crc Data m ) ) ) or not prev (prev ( crc Data m ) ) or not prev ( crc Data m
) or not crc Data m
−>
next ! ( not s t a l l g ) and next ! (not z e r o I n s e r t e d g ) and next ! ( (
zero Data g = prev ( crc Data m ) ) )
) ;
}
Figure D.9: Annotated FL speciﬁcation of ZeroInsertion
D.2.1.4 Flag/Abort generation
vunit FlagAbortGen
{
P0 T FA init :
f l a g done g and not abo r t s e t g and not TxDout g ;
P1 send f l ag :
always ( rose ( send f lag m ) −> not f l a g done g and next a ! [ 1 to 7 ] ( not
f l a g done g ) and not TxDout g and next a ! [ 1 to 6 ] ( TxDout g ) and next
! [ 7 ] ( not TxDout g ) and next ! [ 8 ] ( not send f lag m −> f l a g done g ) ) ;
P2 send data :
always ( f lag done m and not abort set m and not send f lag m and not
idle m−> (TxDout g = zero Data m ) ) ;
p 3 i d l e :
always ( id le m and not send f lag m and f lag done m −> TxDout g ) ;
P4 TxAbort :
always (TxAbort m −> (TxDout g and abo r t s e t g ) and next a ! [ 1 to 7 ] (
abo r t s e t g and TxDout g ) and next ! [ 8 ] ( not abo r t s e t g ) ) ;
}
Figure D.10: Annotated FL speciﬁcation of FlagAbortGen
D.2 : HDLC
D.2.1.5 Transmitter controller
vunit T Contro l l e r
{
P0 T C reset :
not TxLastBit g and not l oad g and not s e nd f l a g g and i d l e g and (
l oad counte r g = ”0000 ”) and not e o f g and not s end c r c g and (
TxCRCValue g = ”00000000000000000000000000000000 ”) and not
TxCRCValAvail g and ( data counter g = ”000 ”) and not (TxUnderRun g )
and not T frame va l id g ;
P1 T enab l e id l e :
always ( rose (TxEnable m) and not TxDataWr m −> not s e nd f l a g g and not
eo f g and not s end c r c g ) ;
P2 f r ame a f t e r i d l e :
always ( id le m and TxEnable m and rose (TxDataWr m) −> next ! ( not i d l e g
and s e nd f l a g g ) ) ;
P 3 l o ad f i r s t d a t a :
always ( rose ( send f lag m ) and not prev ( crc done m ) and not prev (
abort set m ) and TxDataWr m and not TxShareFlag m −> not load and (
l oad counte r = ”0000 ”) and next ! [ 7 ] ( load ) and next a ! [ 1 to 7 ] (
l oad counte r = ”0000 ”) and next ! [ 7 ] ( TxEnable m −> T frame va l id g ) )
;
P4 T frame val id :
always ( ( T frame val id m ) and not TxSendAbort m and not eof m and not
id le m and TxEnable m−> next ! ( T f rame va l id g ) ) ;
P5 d i s ab l e m id f r :
always ( T frame val id m and not TxSendAbort m and not eof m and not
id le m and not TxEnable m and ( load counter m < ”0111 ”)−> next ! (
T f rame va l id g ) ) ;
P6 T frame not va l id :
always ( send crc m or TxSendAbort m or id le m or (not TxEnable m and (
load counter m = ”0111 ”) ) −> next ! (not T frame va l id g and not
l oad g ) ) ;
P7 l o ad da t a n s t a l l :
always ( ( ( load counter m < ”0111 ”) and ( load counter m > ”0000 ”) and not
s t a l l m and T frame val id m ) and not TxSendAbort m−> next ! ( not
TxSendAbort m −> ( l oad counte r g= (prev ( load counter m )+”0001 ”) ) )
and (not l oad g ) ) ;
P8 l o ad da t a n s t a l l 2 :
always ( ( load counter m = ”0000 ”) and not s t a l l m and T frame val id m
and not TxSendAbort m −> next ! ( l oad counte r g= (prev ( load counter m )
+”0001 ”) ) and (TxDataWr m −> l oad g ) ) ;
P9 l oad data ws ta l l :
always ( load counter m < ”0111 ” and ( load counter m > ”0000 ”) and
s t a l l m and not eof m and T frame valid m−> next ! ( T frame val id m
−> l oad counte r g = (prev ( load counter m ) ) ) and next ! ( not l oad g ) ) ;
201
Chapter D : The Annotation Results
P10 load data ws ta l l 2 :
always ( ( load counter m = ”0000 ”) and s t a l l m and not eof m and
T frame val id m −> next ! ( T frame val id m −> l oad counte r g = (prev (
load counter m ) ) ) and (not l oad g ) and next ! ( T frame val id m and
TxDataWr m −> l oad g ) ) ;
P11 load new data :
always ( ( load counter m = ”0111 ”) and TxDataWr m and not eof m and
T frame val id m −> next ! ( l oad counte r g = ”0000 ”) ) ;
P12 se t counte r no load :
always ( ( load counter m = ”0111 ”) and not T frame val id m −> next ! ( (
l oad counte r g = ”0000 ”) until ! (not rose ( send f lag m ) ) ) ) ;
P13 end c r c c l o s e f l a g :
always ( rose ( crc done m ) −> next ! ( s e nd f l a g g and TxLastBit g ) and
next a ! [ 1 to 7 ] ( ( not T frame va l id g ) ) ) ;
P14 id l e between f rames :
always ( rose ( crc done m ) −> next a ! [ 1 to 8 ] ( not i d l e g ) and next ! [ 9 ] ( (
not TxDataWr m −> i d l e g ) ) ) ;
P15 new frame share f lag :
always ( rose ( crc done m ) and TxShareFlag m −> next ! [ 6 ] ( TxDataWr m −>
T frame va l id g ) ) ;
P16 new frame open f lag :
always ( rose ( crc done m ) and not TxShareFlag m −> next ! ( l oad counte r g
= ”0000 ”) and next ! ( TxCRCValue g = ”00000000000000000000000000000000
”) and next ! [ 9 ] ( next event (TxDataWr m and not id le m ) ( s end f l a g g
and not l oad g ) ) ) ;
P17 deaa s e r t s end f l ag :
always ( send f lag m −> next ! ( not s end f l a g ) ) ;
P18 eof :
always (TxDataWr m and TxEoF m and load m and T frame val id m −> next
! [ 3 ] ( e o f g ) and next ! [ 3 ] ( data counter g = ”000 ”) ) ;
P19 k e ep eo f no s t a l l :
always ( eof m and not s t a l l m and ( data counter m < ”101 ”) and
T frame valid m−> next ! ( e o f g ) and next ! ( ( data counter g = (prev (
data counter m ) + ”001 ”) ) ) ) ;
P20 k e ep eo f w i t h s t a l l :
always ( eof m and s t a l l m and ( data counter m < ”101 ”) and
T frame valid m−> next ! ( ( e o f g = ’1 ’ ) ) and next ! ( ( data counter g =
prev ( data counter m ) ) ) ) ;
P 2 1 e o f s t a r t c r c :
always ( eof m and ( data counter m = ”101 ”) and T frame valid m−> next ! (
not eo f g and ( data counter g = ”000 ”) ) and s end c r c g ) ;
D.2 : HDLC
P22 e o f s t a r t c r c n f :
always ( eof m and (not T frame val id m )−> next ! ( not eo f g and (
data counter g = ”000 ”) ) and s end c r c g ) ;
P23 deaase r t s end crc :
always ( send crc m −> next ! (not s end c r c g and not TxCRCValAvail g )
and next ! ( ( l oad counte r g = ”0000 ”) ) ) ;
P24 abo r t c l o s e f l a g :
always (TxSendAbort m −> next ! [ 8 ] ( s e nd f l a g g and TxLastBit g ) and next
! ( l oad counte r g = ”0000 ”) and next a ! [ 1 to 16 ] (not i d l e g ) and next
! [ 1 7 ] ( i d l e g ) and next a ! [ 1 to 17 ] (not T frame va l id g ) and next
! [ 9 ] ( next event ( send f lag m ) [ 8 ] ( T f rame va l id g ) ) ) ;
P25 crc va l 16 :
always ( rose ( send crc m ) and (TxCRCSel m = ”01 ”) −> (TxCRCValue g(15
downto 0) = R16 m) and (TxCRCValue g(31 downto 16) = ”
0000000000000000 ”) and TxCRCValAvail g ) ;
P26 crc va l 32 :
always ( rose ( send crc m ) and (TxCRCSel m = ”10 ”) −> (TxCRCValue g =
R32 m) and TxCRCValAvail g ) ;
P 2 7 c r c v a l i n i t :
always ( rose ( crc done m ) −> next ! ( TxCRCValue g = ”
00000000000000000000000000000000 ”) ) ;
P28 l a s t b i t :
always ( TxLastBit m −> next ! ( not TxLastBit g ) ) ;
P29 T disbale :
always ( T frame val id m and ( ( f e l l (TxEnable m) and ( load counter m /=
”0000 ”) ) or ( f e l l (TxEnable m) and ( load counter m = ”0000 ”) and
load m ) ) −> next ! ( next event ( load counter m = ”0111 ”) ( e o f g ) ) ) ;
P30 between data :
always ( ( load counter m > ”0111 ”) and ( load counter m < ”1111 ”) and not
TxDataWr m and not eof m and T frame val id m and TxEnable m−> next
! ( ( ( l oad counte r g = prev ( load counter m ) + ”0001 ”) ) ) ) ;
P31 underrun :
always ( ( load counter m = ”1111 ”) and not TxDataWr m and not eof m and
T frame val id m and TxEnable m−> next ! ( l oad counte r g = ”0000 ”) and
next ! ( TxUnderRun g ) ) ;
P32 new data :
always ( ( load counter m > ”0111 ”) and ( load counter m < ”1111 ”) and
rose (TxDataWr m) and not eof m and T frame val id m and TxEnable m−>
next ! ( l oad counte r g = ”0000 ”) ) ;
P33 not underrun :
always (TxUnderRun m −> next ! (not TxUnderRun g ) ) ;
}
Figure D.11: Annotated FL speciﬁcation of transmitter controller
203
Chapter D : The Annotation Results
D.2.2 Receiver
D.2.2.1 Flag/Abort detection
FL properties
vunit FlagAbortDet
{
P0 R FA init :
not R S Data g and ( data seq g = ”00000000 ”) and not AbortFound g ;
P1 R FA receive data :
always (RxEnable m −> ( R S Data g = data seq m (7) ) ) ;
P2 R FA store data :
always (RxEnable m −> next ! ( data seq g (0 ) = RxData m) and next ! (
data seq g (7 downto 1) = prev ( data seq m (6 downto 0) ) ) ) ;
P3 R FA is abort :
always ( ( data seq m = ”11111111 ”) −> I sAbort g and ( AbortFound g until !
( f e l l ( IsFlag m ) ) ) and (next event ( f e l l ( IsFlag m ) ) (not AbortFound g
) ) ) ;
P4 R FA is not abort :
always ( ( data seq m /= ”11111111 ”) −> not I sAbort g ) ;
P5 R FA is f lag :
always ( ( data seq m = ”01111110 ”) −> I sF lag g and not I sAbort g ) ;
P6 R FA is not f lag :
always ( ( data seq m /= ”01111110 ”) −> not I sF l ag g ) ;
}
Figure D.12: Annotated FL speciﬁcation of FlagAbortDet
SERE properties
vunit FlagAbortDet sere
{
P0 R FA init :
not R S Data g and not AbortFound g ;
P 1 i s f l a g :
always ({RxEnable m and not R S Data m ; R S Data m [ ∗ 6 ] ; not R S Data m}
|−> { I sF l ag g and not I sAbort g }) ;
P2 i s abo r t :
always ({RxEnable m and not R S Data m ; R S Data m [ ∗ 7 ] } |−> {{ I sAbort g
} & {AbortFound g [ ∗ ] ; f e l l ( IsFlag m ) }}) ;
}
Figure D.13: Annotated SERE speciﬁcation of FlagAbortDet
D.2 : HDLC
D.2.2.2 Zero detection
FL properties
vunit ZeroDetect ion
{
P0 R Z init :
not R zero Data g and not R s t a l l g and not R ze ro In s e r t ed g and (
data seq g = ”0000000 ”) ;
P1 R Z rece ive data :
always (RxEnable m −> ( R zero Data g = R S Data m ) ) ;
P2 R Z store data :
always (RxEnable m −> next ! ( data seq g (0 ) = R S Data m) and next ! (
data seq g (6 downto 1) = prev ( data seq m (5 downto 0) ) ) ) ;
P3 R Z zero inse r ted :
always ( ( data seq m = ”0111110 ”) −> R ze ro In s e r t ed g and R s t a l l g ) ;
P4 R Z zero not in se r t ed :
always ( ( data seq m /= ”0111110 ”) −> not R ze ro In s e r t ed g and not
R s t a l l g ) ;
}
Figure D.14: Annotated FL speciﬁcation of ZeroDetection
SERE properties
vunit Ze roDet e c t i on s e r e
{
P0 R Z init :
not R zero Data g and not R s t a l l g and not R ze ro In s e r t ed g ;
P1 ze ro de t e c t i on :
always ({RxEnable m and not R S Data m ; R S Data m [ ∗ 5 ] ; not R S Data m}
|−> {R ze ro In s e r t ed g and R s t a l l g }) ;
}
Figure D.15: Annotated SERE speciﬁcation of ZeroDetection
205
Chapter D : The Annotation Results
D.2.2.3 CRC checker
vunit CRCCheck
{
P0 R crc in i t da ta :
always (RxEnable m and rose ( R crc check m ) −> not R cr c e r r o r g and (
R R16 g = ”0000000000000000 ”) and ( c r c b u f f e r g = ”
00000000000000000000000000000000 ”) ) ;
P1 R crc 16 data 2 ns :
always (RxEnable m and not R sta l l m and R crc check m and (RxCRCSel m
= ”01 ”) and R R16 m(15) −> next ! ( R R16 g (15 downto 1) = ( poly16 m (15
downto 1) XOR (prev (R R16 m(14 downto 0) ) ) ) ) and next ! ( R R16 g
(0 ) = ( poly16 m (0) XOR prev ( c r c bu f f e r m (15) ) ) ) ) ;
P2 R crc 16 data 2 s :
always (RxEnable m and R sta l l m and R crc check m and (RxCRCSel m = ”
01 ”) −> next ! ( R R16 g = (prev (R R16 m) ) ) ) ;
P3 R crc 16 data 1 ns :
always (RxEnable m and not R sta l l m and R crc check m and (RxCRCSel m
= ”01 ”) and not R R16 m(15) −> next ! ( R R16 g (15 downto 1) = prev (
R R16 m(14 downto 0) ) ) and next ! ( R R16 g (0 ) = prev ( c r c bu f f e r m (15)
) ) ) ;
P4 R c r c 16 sh i f t n s :
always (RxEnable m and not R sta l l m and R crc check m and (RxCRCSel m
= ”01 ”) −> next ! ( c r c b u f f e r g (31 downto 1) = prev ( c r c bu f f e r m (30
downto 0) ) ) and next ! ( c r c b u f f e r g (0 ) = prev ( R zero Data m ) ) ) ;
P5 R c r c 16 sh i f t s :
always (RxEnable m and R sta l l m and R crc check m and (RxCRCSel m = ”
01 ”) −> next ! ( c r c b u f f e r g (31 downto 1) = prev ( c r c bu f f e r m (31
downto 1) ) ) and next ! ( c r c b u f f e r g (0 ) = prev ( c r c bu f f e r m (0) ) ) ) ;
P6 R crc 16 send data :
always (RxEnable m and R crc check m and (RxCRCSel m = ”01 ”) −> (
R crc data g = R zero Data m ) ) ;
P7 R crc 16 er ro r :
always (RxEnable m and R crc check m and ( c r c bu f f e r m (15 downto 0) /=
R R16 m) and (RxCRCSel m = ”01 ”) −> R cr c e r r o r g ) ;
P8 R cr c 16 no t c r c e r r :
always (RxEnable m and R crc check m and ( c r c bu f f e r m (15 downto 0) =
R R16 m) and (RxCRCSel m = ”01 ”) −> not R cr c e r r o r g ) ;
P9 R crc d i sab l e :
always (not RxEnable m or not R crc check m −> R crc data g = ’0 ’ ) ;
}
Figure D.16: Annotated FL speciﬁcation of CRCCheck
D.2 : HDLC
D.2.2.4 S2P
vunit S2P
{
P0 R S2P init :
not f r ame va l i d g and not s2p done g and ( R load counter g = ”0000 ”)
and ( s 2p bu f f e r g = ”00000000 ” and (RxDout g = ”00000000 ”) ;
P1 R S2P frame :
always ( rose ( s2p enable m ) −> ( f r ame va l i d g until ! ( s2p d i sab le m ) ) ) ;
P2 R S2P frame :
always ( rose ( s2p d i sab le m ) −> (not f r ame va l i d g ) until ! ( s2p enable m
) ) ;
P3 R S2P shi ft :
always (not R sta l l m and ( f rame val id m ) and ( R load counter m < ”1000
”)−> next ! ( s 2p bu f f e r (7 ) = prev ( R crc data m ) ) and next ! (
s 2p bu f f e r g (6 downto 0) = prev ( s2p buf fer m (7 downto 1) ) ) and next
! ( ( R load counter g = prev m ( R load counter ) + ”0001 ” ) ) ) ;
P4 R S2P no val id frame :
always (not ( f rame val id m ) −> next ! ( s 2p bu f f e r g = ”00000000 ”) and
next ! ( ( R load counter g = ”0000 ”) ) ) ;
P5 R S2P sta l l :
always ( R sta l l m and ( f rame val id m ) and ( R load counter m < ”1000 ”)−>
next ! ( R load counter g = prev ( R load counter m ) ) and next ! (
s 2p bu f f e r g = prev ( s2p buf fer m ) ) ) ;
P6 R S2P data ready ns :
always (not R sta l l m and ( R load counter m = ”1000 ”) −> next ! (
R load counter g = ”0001 ”) and (RxDout g = s2p buf fer m ) and
s2p done g and next ! ( RxDout g = ”00000000 ”) ) ;
P7 R S2P data ready s :
always ( ( R sta l l m ) and ( R load counter m = ”1000 ”) −> next ! (
R load counter g = ”0000 ”) and (RxDout g = s2p buf fer m ) and
s2p done g and next ! ( s 2p bu f f e r g = prev ( s2p buf fer m ) ) ) ;
P8 R S2P not done :
always ( rose ( s2p done m ) −> next ! ( not s2p done g ) ) ;
}
Figure D.17: Annotated FL speciﬁcation of S2P
207
Chapter D : The Annotation Results
D.2.2.5 Receiver controller
vunit RContro l l e r
{
P0 R Ctr in i t :
not R crc check g and not R cr c e r r o r g and not s2p enab l e g and not
s 2p d i s ab l e g and not RxDataAvail g and ( R f l ag counte r g = ”00 ”)
and not RxEndOfFrame g and not RxStartOfFrame g and not
RxAbortFound g and (RxCRCValue g = ”00000000000000000000000000000000
”) ;
P1 R Ctr s2p en :
always ( rose ( R crc check m ) −> ( s2p enab l e g ) ) ;
P2 R Ctr s2p not en :
always ( rose ( s2p enable m ) −> next ! (not s2p enab l e g ) ) ;
P3 R Ctr open f lag :
always ( IsFlag m and ( R f lag counter m = ”00 ”) −> next ! (
R f l ag counte r g = ”01 ”) and next ! [ 8 ] ( R crc check g ) ) ;
P4 R Ctr c l o s e f l a g :
always ( IsFlag m and ( R f lag counter m = ”01 ”) −> next ! ( s 2p d i s ab l e g
and not R crc check g ) and next ! ( R f l ag counte r g = ”00 ”) ) ;
P5 R Ctr s2p not d is :
always ( rose ( s2p d i sab le m ) −> next ! (not s 2p d i s ab l e g ) ) ;
P6 R Ctr data rdy :
always ( s2p done m −> RxDataAvail g ) ;
P7 R Ctr data not rdy :
always ( rose (RxDataAvail m ) −> next ! (not RxDataAvail g ) ) ;
P8 R Ctr SoF :
always ( IsFlag m and ( R f lag counter m = ”00 ”) −> next ! [ 8 ] ( not
IsAbort m and not AbortFound m and not IsFlag m −> next event ! (
RxDataAvail ) ( RxStartOfFrame g ) ) ) ;
P9 R Ctr not SoF :
always ( rose (RxStartOfFrame m ) −> next ! (not RxStartOfFrame g ) ) ;
P10 R Ctr EoF n abort :
always (RxStartOfFrame m and ( R f lag counter m = ”01 ”) and not
RxAbortFound m −> next event ! ( RxDataAvail m and IsFlag m ) (
RxEndOfFrame g ) ) ;
P11 R Ctr EoF abort :
always ( IsFlag m and ( R f lag counter m = ”01 ”) and RxAbortFound m−>
RxEndOfFrame g ) ;
P12 R Ctr not EoF :
always ( rose (RxEndOfFrame m) −> next ! (not RxEndOfFrame g ) ) ;
D.2 : HDLC
P13 R Ctr CRC Err :
always ( ( rose (RxEndOfFrame m) and R crc error m ) −> (RxCRCError g ) and
next ! (not RxCRCError g ) ) ;
P14 R Ctr not CRC Err :
always ( rose (RxStartOfFrame m ) −> (not RxCRCError g ) until ! (
RxEndOfFrame m and R crc error m ) ) ;
P15 R Ctr CRC value :
always (RxEndOfFrame m and (RxCRCSel m = ”01 ”)−> (RxCRCValue g(15
downto 0) = R R16 m) and next ! ( RxCRCValue g = ”
00000000000000000000000000000000 ”) ) ;
P16 R abort found :
always ( ( R f lag counter m /= ”00 ”) −> (next ! ( RxAbortFound g =
AbortFound m) ) ) ;
}
Figure D.18: Annotated FL speciﬁcation of receiver controller
209
Chapter D : The Annotation Results
D.3 AMBA arbiter
vunit a r b i t e r {
P0 G1 1 m0 :
always (HBUSREQ 0 m and mast 0 m −> BUSREQ g) ;
P1 G1 2 m0 :
always (not HBUSREQ 0 m and mast 0 m −> not BUSREQ g) ;
P2 G1 1 m1 :
always (HBUSREQ 1 m and mast 1 m −> BUSREQ g) ;
P3 G1 2 m1 :
always (not HBUSREQ 1 m and mast 1 m −> not BUSREQ g) ;
P4 G4 m0 m1 :
always (DECIDE m and (HBUSREQ 0 m or HBUSREQ 1 m) −>next ! (GRANTED g) ) ;
P5 G5 1 :
always (GRANTEDm and HREADYm −> next ! ( not GRANTED g) ) ;
P6 G5 2 :
always (GRANTEDm and not HREADYm −> next ! (GRANTED g) ) ;
P7 G6 1 m0 :
always (HREADYm and HGRANT 0 m −> next ! ( mast 0 g ) ) ;
P8 G6 2 m0 :
always (HREADYm and not HGRANT 0 m −> next ! ( not mast 0 g ) ) ;
P9 G6 1 m1 :
always (HREADYm and HGRANT 1 m −> next ! ( mast 1 g ) ) ;
P10 G6 2 m1 :
always (HREADYm and not HGRANT 1 m −> next ! ( not mast 1 g ) ) ;
P11 G7 m0 m1 :
always ( (HREADYm and ( (HLOCK 0 m and HGRANT 0 m) or (HLOCK 1 m and
HGRANT 1 m) ) −> next ! (HMASTLOCK g) ) ) ;
P12 G8 1 1 m0 :
always ( (not HREADYm or not GRANTEDm) and mast 0 m−> next ! ( mast 0 g ) )
;
P13 G8 1 2 m0 :
always ( (not HREADYm or not GRANTEDm) and (not mast 0 m )−> next ! ( not
mast 0 g ) ) ;
P14 G8 1 1 m1 :
always ( (not HREADYm or not GRANTEDm) and mast 1 m −> next ! ( mast 1 g )
) ;
P15 G8 1 2 m1 :
always ( (not HREADYm or not GRANTEDm) and (not mast 1 m )−> next ! ( not
mast 1 g ) ) ;
P16 G8 2 1 m0 m1 :
always (not HREADYm or not GRANTEDm and HMASTLOCKm −> next ! (
HMASTLOCK g) ) ;
P17 G8 2 2 m0 m1 :
always (not HREADYm or not GRANTEDm and not HMASTLOCKm −> next ! ( not
HMASTLOCK g) ) ;
P18 G9 1 m0 :
always (not DECIDE m and HGRANT 0 m −> next ! (HGRANT 0 g) ) ;
P19 G9 2 m0 :
always (not DECIDE m and not HGRANT 0 m −> next ! ( not HGRANT 0 g) ) ;
D.3 : AMBA arbiter
P20 G9 1 m1 :
always (not DECIDE m and HGRANT 1 m −> next ! (HGRANT 1 g) ) ;
P21 G9 2 m1 :
always (not DECIDE m and not HGRANT 1 m −> next ! ( not HGRANT 1 g) ) ;
P22 G10 1 m1 :
always (not HGRANT 1 m −> next ! ( (not HGRANT 1 g) until ! HBUSREQ 1 m) ) ;
P23 G10 2 :
always (DECIDE m and (not HBUSREQ 0 m) and (not HBUSREQ 1 m) −> next ! (
HGRANT 0 g) ) ;
P24 G12 :
DECIDE g and HGRANT 0 g and ( (not HMASTER 0 g) and (not HMASTER 1 g)
and (not HMASTER 2 g) and (not HMASTER 3 g) ) and not GRANTED g and
not HMASTLOCK g and not HGRANT 1 g ;
P25 gen dec ide :
always ( ( (HBUSREQ 0 m or HBUSREQ 1 m) or (HLOCK 0 m or HLOCK 1 m) ) and
HREADYm and (not (GRANTEDm) and not DECIDE m)−> next ! ( DECIDE g) ) ;
P26 gen not dec ide :
always (DECIDE m −> next ! (not DECIDE g) ) ;
P27 grant0 :
always ( ( (GRANTEDm) and (not prev (HGRANT 0 m) ) and (not HLOCK 1 m) ) or
(HLOCK 0 and prev (HGRANT 0 m) )−> HGRANT 0 g) ;
P28 grant1 :
always ( ( (GRANTEDm) and (not prev (HGRANT 1 m) ) and (not HLOCK 0 m) ) or
(HLOCK 1 and prev (HGRANT 1 m) )−> HGRANT 1 g) ;
P29 not HMASTER1 :
always not HMASTER 1 g and not HMASTER 2 g and not HMASTER 3 g ;
P30 mast 0 :
always mast 0 m −> not HMASTER 0 g ;
P31 mast 1 :
always mast 1 m −> HMASTER 0 g ;
P32 one grant :
always not HGRANT 0 or not HGRANT 1;
}
Figure D.19: Annotated FL speciﬁcation of AMBA arbiter (with 2 masters and 2 slaves)
211
Chapter D : The Annotation Results
AppendixE
SyntHorus2
Contents
E.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.2 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.2.1 Speciﬁcation ﬁle . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.2.2 Type ﬁle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
E.3 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
E.3.1 Command line options . . . . . . . . . . . . . . . . . . . . . . . 215
E.3.2 Pragma options . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
E.4 Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
213
Chapter E : SyntHorus2
In this appendix, our prototype tool, SyntHorus2 is introduced.
E.1 Installation
The script“install” is provided for installing SyntHorus2. It creates all the necessary folders
(for writing the intermediate and ﬁnal results), compiles the source ﬁles, and creates the
executable ﬁle in “../test” directory. To run this script, the following command should be
executed in the root directory:
source i n s t a l l
For a basch terminal, the following command should be executed:
chmod +x i n s t a l l
source i n s t a l l
E.2 Execution
SyntHorus2 takes PSL properties and the interface deﬁnition of the circuit as its inputs,
and generates the VHDL ﬁles of the circuit by executing the following command (the
command should be executed in the “../test” directory):
. / Synthorus −f <s p e c f i l e > −t <t y p e f i l e > [ op t ions ]
In the above command, “-f <spec ﬁle>” speciﬁes the speciﬁcation ﬁle, “-t <type ﬁle>”
speciﬁes the type ﬁle in which the interface signals have been deﬁned. Then, based on the
requirements, options should be speciﬁed.
E.2.1 Speciﬁcation ﬁle
The speciﬁcation ﬁle has the following format:
vunit <entity name>{
[−− pragma SYNTHORUS : <family name> [<option>:<name> ] ]
<property name>: <property>
. . .
}
E.2.2 Type ﬁle
This ﬁle contains the deﬁnition of input and output signals. Now, the internal signals are
deﬁned as outputs. However, we should enhance the tool to accept internal signals. For
each signal we should specify the followings:
• the signal name, which should be at least 2 characters
• the signal direction
• the signal type: std logic or std logic vector. It is speciﬁed by providing the direc-
tion (“to”, “downto”, or “nothing”)
E.3 : Options
• the signal range
• the default value: it can be 0, 1, or m (for memorizing)
For each signal, these information should be provided in the following format:
<I |O>:<name>:<type>:< low range>:<high range>:<de f au l t va lu e>
In the above format, <I|O> is replaced by I for an input signal, and by O for an
internal or output signal. <type> is replaced by 0 for std logic, 1 for std logic vector
with increasing index, and 2 for std logic vector with decreasing index. If type is 0,
<low range> and <high range> are replaced with 0. Otherwise, <low range> speciﬁes
the low index and <high range> speciﬁes the high index of the signal. <default value>
is replaced by 0, 1, or m.
E.3 Options
Two groups of options have been provided for SyntHorus2: 1) the options that are used in
the command line, while executing SyntHorus2, 2) the “pragma” options, that are added
to the input ﬁle of SyntHorus2, where the properties are given.
E.3.1 Command line options
Here are some of the most useful options of SyntHorus2, which are speciﬁed in the command
line:
• “-synth”: is used to synthesize the properties to reactants,
• “-mon”: is used to synthesize the properties to monitors,
• “-gen”: is used to synthesize the properties to reactants,
• “-l lib name”: speciﬁes the name of the library of primitive reactants. We use“Horus”
as the library name.
• “-cons”: is used to write the complementary properties for consistency checking in
ﬁle “consistency.psl” (for use with the veriﬁcation tools),
• “-comp”: is used to write the complementary properties for checking the complete-
ness in a ﬁle “completeness.psl” (for use with the veriﬁcation tools),
• “-c level”: this option speciﬁes if signals are sensitive to the pose-edge (“level = 1”)
or to the neg-edge of the clock (“level = 0”),
• “-r level”: this option speciﬁes if the reset signal is active high (“level = 1”) or active
low (“level = 0”),
• “-a option”: this option speciﬁes if the reset signal is asynchronous (“option = 1”)
or synchronous (“option = 0”),
215
Chapter E : SyntHorus2
• “-v option”: this option speciﬁes how to deal with vectors. If“option = 1”, the vectors
are decomposed to bits. This is useful, when we are generating various ranges of
vector A in several properties, where these ranges overlap. As an example, assume
that A is a 8-bit vector, and A(0 to 5) is generated by property P1, and A(3 to 7)
is generated by P2. A(3 to 5) is generated by two properties. Therefore, we need to
decompose vector A to its bits.
• “-o <intermediate result ﬁle>”: this option speciﬁes the ﬁle in which the interme-
diate results are written. These intermediate results include AST, DAST, DG, and
the trigger signals.
E.3.2 Pragma options
It is possible to deﬁne some characteristics of the circuit, e.g. the name of clock, re-
set, entity, architecture, and also enabling clock gating. It is done by using the options
“Pragma SYNTHORUS” in the <spec ﬁle> as follows1
−− pragma SYNTHORUS : <family name> [<option>:<name>]
<family name> corresponds to the type of the selection option. Now, it can be either
<DESIGN NAME> or <GATED CLOCK>.
1 <GATED CLOCK>: SyntHorus2 generates the primitive reactants that have a port
for the clock enable input.
– “clken signal name:<clken name>”: allows changing the name of the clock en-
able port. By default, this port is “clk en”.
– “clk signal name:<clk name>”: allows changing the name of the clock port.
By default, this port is “clk”.
2 <DESIGN NAME>: several options may exist:
– “top name:<new entity name>”: by default, the name of the top entity is
speciﬁed in <spec ﬁle>, in front of keyword “vunit”. Using this option allows
changing the name of the top entity to “new entity name”.
– “architecture:<arch name>”: this option speciﬁes the name of the architecture.
Without this option, the name of the architecture is “top” by default.
– “reset name:<reset name>”: this option speciﬁes the name of the reset signal.
Without this option, the name of the reset signal is “reset” by default.
For example, consider the following pragma option:
−− pragma SYNTHORUS : DESIGN NAME top name : GenBuf reset name : r s tn
It means that the entity name is “GenBuf”, and the name of the reset signal is “rstn”.
1These options have been provided based on the industrial demand.
E.4 : Output
E.4 Output
The outputs are generated, and placed in “../test/results” directory. The top module
is put in “../test/results/Top”, the properties are put in “../test/results/Property”, and
the solvers (if they exist) are put in “../test/results/Solver”. All the library elements
(synchronous, asynchronous, and with clock enable) are available at the root directory.
217
Chapter E : SyntHorus2
References
[AAH+03] M.S. Abadir, K.L. Albin, J. Havlicek, N. Krishnamurthy, and A.K. Martin.
Formal veriﬁcation successes at Motorola. Formal Methods in System Design,
22(2):117–123, March 2003.
[ABBSV00] A. Aziz, F. Balarin, R.K. Brayton, and A.L. Sangiovanni-Vincentelli. Se-
quential synthesis using S1S. IEEE Trans. on Computer-Aided Design of
Integrated Circuits and Systems, 19(10):1149–1162, 2000.
[ABC] ABC: A System for Sequential Synthesis and Veriﬁcation,
http://www.eecs.berkeley.edu/˜alanmi/abc/, accessed 2015.
[ABG+00] Y. Abarbanel, I. Beer, L. Gluhovsky, S. Keidar, and Y. Wolfsthal. FoCs–
automatic generation of simulation checkers from formal speciﬁcations. In
Computer Aided Veriﬁcation, pages 538–542. Springer, 2000.
[ACA] Acacia, http://lit2.ulb.ac.be/acaciaplus/, accessed 2015.
[AFF+02] R. Armoni, L. Fix, A. Flaisher, R. Gerth, B. Ginsburg, T. Kanza, A. Land-
ver, S. Mador-haim, E. Singerman, A. Tiemeyer, M.Y. Vardi, and Y. Zbar.
The ForSpec Temporal Logic: A New Temporal Property-Speciﬁcation Lan-
guage. In Tools and Algorithms for Construction and Analysis of Systems,
2002.
[AMB] AMBA Speciﬁcation Rev 2.0 (1999), http://www-micro.deis.unibo.it/ mag-
agni/amba99.pdf, accessed 2015.
[BBDE+01] I. Beer, S. Ben-David, C. Eisner, D. Fisman, A. Gringauze, Y. Rodeh, and
Yoav. The temporal logic Sugar. In Computer Aided Veriﬁcation, pages
363–367. Springer, 2001.
[BCC+99] A. Biere, A. Cimatti, E.M. Clarke, M. Fujita, and Y. Zhu. Symbolic model
checking using SAT procedures instead of BDDs. In Proc. of the 36th Annual
ACM/IEEE Design Automation Conference, (DAC’99), pages 317–320, New
York, NY, USA, 1999. ACM.
[BCE+04] R. Bloem, R. Cavada, C. Eisner, I. Pill, M. Roveri, and S. Semprini. Manual
for property simulation and assurance tool (deliverable 1.2/4-5). Technical
report, PROSYD Project, January 2004.
219
References
[BCG+10] R. Bloem, A. Cimatti, K. Greimel, R. Koenighofer, M. Roveri, V. Schuppan,
and R. Seeber. RATSY - a new requirements analysis tool with synthesis. In
Proc. of the 22nd International Conference on Computer Aided Veriﬁcation
(CAV’2010), pages 425–429. Springer-Verlag, July 15-19 2010.
[BdFR04] S. Ben-david, D. Fisman, and S. Ruah. Automata construction for regular
expressions in model checking. In IBM research report H-0229, 2004.
[BEK+14] R. Bloem, U. Egly, P. Klampﬂ, R. Ko¨nighofer, and F. Lonsing. SAT-based
methods for circuit synthesis. In Proc. of the 14th Conference on Formal
Methods in Computer-Aided Design, pages 31–34. FMCAD Inc, 2014.
[BFH05] D. Bustan, D. Fisman, and J. Havlicek. Automata construction for PSL. In
https://www.research.ibm.com/haifa/projects/veriﬁcation/RB Homepage/ps/
automta construction TR.pdf, 2005.
[BGJ+07a] R. Bloem, S. Galler, B. Jobstman, N. Piterman, A. Pnueli, and M. Wei-
glhofer. Specify, compile, run: Hardware from PSL. Electronic Notes in
Theoretical Computer Science (ENTCS), 190:3–16, 2007.
[BGJ+07b] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, and M. Wei-
glhofer. Automatic hardware synthesis from speciﬁcations: a case study.
In Proc. of the conference on Design, Automation and Test in Europe
(DATE’2007), pages 1188–1193, April 16-20 2007.
[BJP+12] R. Bloem, B. Jobstmann, N. Piterman, A. Pnueli, and Y. Saar. Synthesis of
reactive(1) designs. Journal of Computer and System Sciences, 78(3):911–
938, May 2012.
[BL69] J.R. Bu¨chi and L.H. Landweber. Solving sequential conditions by ﬁnite-state
strategies. Trans. of the American Mathematical Society, 138:295–311, 1969.
[BL88] G. M. Brown and M. E. Leeser. Synthesizing correct sequential circuits. In
Proc. of the International Conference on Systolic Arrays, 1988.
[Bor97] Arne Bora¨lv. The industrial success of veriﬁcation tools based on Stalmarck’s
method. In Orna Grumberg, editor, Computer Aided Veriﬁcation, volume
1254 of Lecture Notes in Computer Science, pages 7–10. Springer Berlin
Heidelberg, 1997.
[BP63] J.A. Brzozowski and J.F. Poage. On the construction of sequential ma-
chines from regular expressions. IEEE Trans. on Electronic Computers, EC-
12(4):402–403, August 1963.
[Brz64] J.A. Brzozowski. Derivatives of regular expressions. Journal of the ACM,
11:481–494, 1964.
[Brz65] J.A. Brzozowski. Regular expressions for linear sequential circuits. IEEE
Trans. on Electronic Computers, EC-14(2):148–156, April 1965.
[BUG] BugScope, http://www.atrenta.com/pg/9/, accessed 2015.
References
[BY96] R.S. Boyer and Y. Yu. Automated proofs of object code for a widely used
microprocessor. Journal of the ACM, 43(1):166–192, January 1996.
[BZ05] M. Boule´ and Z. Zilic. Incorporating eﬃcient assertion checkers into hardware
emulation. In Proc. of IEEE International Conference on Computer Design:
VLSI in Computers and Processors (ICCD’2005), pages 221–228, October
2005.
[BZ07] M. Boule´ and Z. Zilic. Eﬃcient automata-based assertion-checker synthe-
sis of SEREs for hardware emulation. In Asia and South Paciﬁc Design
Automation Conference (ASP-DAC’2007), pages 324–329, January 2007.
[BZ08a] M. Boule´ and Z. Zilic. Assertion checkers - enablers of quality design. In
1st Microsystems and Nanoelectronics Research Conference (MNRC’2008),
pages 97–100, October 2008.
[BZ08b] M. Boule´ and Z. Zilic. Automata-based assertion-checker synthesis of PSL
properties. ACM Trans. on Design Automation of Electronic Systems (ACM-
TODAES), 13(1):Article 4, January 2008.
[BZ08c] M. Boule´ and Z. Zilic. Generating Hardware Assertion Checkers. Springer,
2008.
[CAD] Incisive Formal Veriﬁer,
http://www.cadence.com/products/fv/formal veriﬁer/Pages/default.aspx,
accessed 2015.
[CBE+92] L. Claesen, D. Borrione, H. Eveking, G. Milne, J.L. Paillet, and P. Prinetto.
Charme: towards formal design and veriﬁcation for provably correct
VLSI hardware. In Correct-Hardware-Design-Methodologies.-Proc.-of-the-
Advanced-Research-Workshop., pages 3–25. North-Holland, Amsterdam,
Netherlands, 1992.
[CE82] E.M. Clarke and E.A. Emerson. Design and Synthesis of Synchronization
Skeletons Using Branching Time Temporal Logic. Springer, 1982.
[CES86] E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic veriﬁcation of ﬁnite-
state concurrent systems using temporal logic speciﬁcations. ACM Trans.
on Programming Languages and Systems (TOPLAS), 8(2):244–263, 1986.
[CGZ99] E.M. Clarke, S.M. German, and X. Zhao. Verifying the SRT division algo-
rithm using theorem proving techniques. Formal Methods in System Design,
14(1):7–44, January 1999.
[Chu57] A. Church. Applications of recursive arithmetic to the problem of circuit
synthesis. Summaries of the Summer Institute of Symbolic Logic, 1:3–50,
1957.
[Chu62] A. Church. Logic, arithmetic and automata. In Proc. of International
Congress of Mathematicians, pages 23–25, 1962.
221
References
[Cim08] A. Cimatti. Beyond Boolean SAT: Satisﬁability modulo theories. In Proc. of
the 9th International Workshop on Discrete Event Systems (WODES’2008),
pages 68–73, May 2008.
[CRST06] A. Cimatti, M. Roveri, S. Semprini, and S. Tonetta. From PSL to NBA: a
modular symbolic encoding. In Formal Methods in Computer Aided Design
(FMCAD’2006), pages 125–133, November 2006.
[Cur68] H.A. Curtis. Polylinear sequential circuit realizations of ﬁnite automata.
IEEE Trans. on Computers, C-17(3):251–259, March 1968.
[DB95] D. De´harbe and D. Borrione. Symbolic model checking with past and future
temporal modalities: Fundamentals and algorithms. In Berge´, Jean-Michel,
Levia, Oz, and Jacques Rouillard, editors, Model Generation in Electronic
Design, volume 1 of Current Issues in Electronic Modeling, pages 105–126.
Springer US, 1995.
[EBM] EBMC, http://www.cprover.org/ebmc/, accessed 2015.
[EF06] C. Eisner and D. Fishman. A Practical Introduction to PSL. Springer, 2006.
[EFP09] F. Eibensteiner, R. Findenig, and M. Pfaﬀ. SynPSL: Behavioral synthesis of
PSL assertions. In R. Moreno-Diaz, F. Pichler, and A. Quesada-Arencibia,
editors, Computer Aided Systems Theory - EUROCAST 2009, volume 5717
of Lecture Notes in Computer Science, pages 69–74. Springer Berlin Heidel-
berg, 2009.
[Ehl11] R. Ehlers. Unbeast: Symbolic bounded synthesis. In P.A. Abdulla and K.R.
Leino, editors, Tools and Algorithms for the Construction and Analysis of
Systems, volume 6605 of Lecture Notes in Computer Science, pages 272–275.
Springer Berlin Heidelberg, 2011.
[EKH12] R. Ehlers, R. Ko¨nighofer, and G. Hoﬀerek. Symbolically synthesizing small
circuits. In Proc. of Formal Methods in Computer Aided Design (FM-
CAD’2012), pages 91–100, October 22-25 2012.
[FG05] H. Foster and Working Group. IEEE standard for property speciﬁcation
language (PSL). pub-IEEE-STD, 2005.
[FJR09] E. Filiot, N. Jin, and J.F. Raskin. An antichain algorithm for LTL realiz-
ability. In Proc. of the 21st International Conference on Computer Aided
Veriﬁcation: (CAV’2009), pages 263–277, July 2009.
[FJR11] E. Filiot, N. Jin, and J.F. Raskin. Antichains and compositional algorithms
for LTL synthesis. Form. Methods Syst. Des., 39(3):261–296, December 2011.
[FKL03] H. Foster, A. Krolnik, and D. Lacey. Assertion-Based Design. Kluwer Aca-
demic Publishers, June 2003.
[FKTMo86] M. Fujita, S. Kono, H. Tanaka, and T. Moto-oka. Tokio: Logic programming
language based on temporal logic and its compilation to Prolog. In Proc.
of the 3rd International Conference on Logic Programming, volume Lecture
Notes in Computer Science 225, pages 695–709. Springer, 1986.
References
[Fos08] H. Foster. Applied assertion-based veriﬁcation: An industry perspective.
Foundations and Trends in Electronic Design Automation, 3(1):1–95, 2008.
[Fos15] H.D. Foster. Trends in functional veriﬁcation: A 2014 industry study. In
Proc. of the 52nd Annual Design Automation Conference (DAC’2015), pages
1–6, New York, NY, USA, 2015. ACM.
[FU82] R.W. Floyd and J. D. Ullman. The compilation of regular expressions into
integrated circuits. Journal of the ACM, 29(3):603–622, 1982.
[Gas05] E. Gascard. From sequential extended regular expressions to deterministic ﬁ-
nite automata. In Enabling Technologies for the New Knowledge Society: ITI
3rd International Conference on Information and Communications Technol-
ogy, pages 145–157, December 2005.
[GCH] Y. Godhal, K. Chatterjee, and T.A. Henzinger. Synthesis of AMBA AHB
from formal speciﬁcation: a case study. International Journal on Software
Tools for Technology Transfer.
[GG05] S.V Gheorghita and R. Grigore. Constructing checkers from PSL proper-
ties. In Proc. of the 15th International Conference on Control Systems and
Computer Science (CSCS’2015), volume 2, pages 757–762, 2005.
[GHS03] M. Gordon, J. Hurd, and K. Slind. Executing the formal semantics of the
Accellera property speciﬁcation language by mechanised theorem proving.
In E. Tronci D. Geist, editor, Correct Hardware Design and Veriﬁcation
Methods, volume 2860 of Lecture Notes in Computer Science, pages 200–
215. Springer Berlin Heidelberg, 2003.
[Gor88] M.J.C Gordon. HOL: A proof generating system for higher-order logic. In
G. Birtwistle and P.A. Subrahmanyam, editors, VLSI Speciﬁcation, Ver-
iﬁcation and Synthesis, volume 35 of The Kluwer International Series in
Engineering and Computer Science, pages 73–128. Springer US, 1988.
[Gre04] D. Greaves. Automated hardware synthesis from formal speciﬁcation using
SAT solvers. In Proc. of the 15th IEEE International Workshop on Rapid
System Prototyping (RSP’2004), pages 15–20, 2004.
[Gup92] A. Gupta. Formal hardware veriﬁcation methods: A survey. Formal Methods
in System Design, 1(2-3):151–238, October 1992.
[HIL04] Haifa-IBM-Laboratories. RuleBase Parallel Edition. IBM, November 2004.
[HNV05] S. Heymans, D.V. Nieuwenborgh, and D. Vermeir. Synthesis from temporal
speciﬁcations using preferred answer set programming. 3701:280–294, 2005.
[IBM] IBM Generalized Buﬀer,
https://www.research.ibm.com/haifa/projects/veriﬁcation/RB Homepage/
tutorial3/GenBuf english spec.htm, accessed 2015.
223
References
[JB06] B. Jobstman and R. Bloem. Optimizations for LTL synthesis. In Formal
Methods in Computer Aided Design (FMCAD’2006), pages 117–124, Novem-
ber 2006.
[KAB06] K.Morin-Allory and D. Borrione. Proven correct monitors from PSL speci-
ﬁcations. In Proc. of conference on Design, Automation and Test in Europe
(DATE’2006), pages 1–6, March 2006.
[KM96] M. Kaufmann and J.S. Moore. Acl2: an industrial strength version of Nqthm.
In Proc. of the 11th Annual Conference on Computer Assurance, Systems
Integrity, Software Safety, Process Security (COMPASS’1996), pages 23–34,
June 1996.
[KMB97] M. Kaufmann, J. S. Moore, and O. Boyer. An industrial strength theo-
rem prover for a logic based on common Lisp. IEEE Trans. on Software
Engineering, 23:203–213, 1997.
[Kro99] T. Kropf. Introduction to Formal Hardware Veriﬁcation. Springer, 1999.
[KS00] J.H. Kukula and T.R. Shiple. Building circuits from relations. In E. Allen
Emerson and A. Prasad Sistla, editors, CAV, volume 1855 of Lecture Notes
in Computer Science, pages 113–123. Springer, 2000.
[LJ88] W. Luk and G. Jones. The derivation of regular synchronous circuits. In
Proc. of the International Conference on Systolic Arrays, pages 305–314,
May 1988.
[LT10] L. Li and M.A. Thornton. Digital System Veriﬁcation: A Combined Formal
Methods and Simulation Framework. Morgan and Claypool, 2010.
[MABBZ08] K. Morin-Allory, M. Boule´, D. Borrione, and Z. Zilic. Proving and disproving
assertion rewrite rules by automated theorem proving. In IEEE International
High Level Design Validation and Test Workshop (HLDVT’2008), pages 56–
63, November 2008.
[MAGB07] K. Morin-Allory, E. Gascard, and D. Borrione. Synthesis of property moni-
tors for online fault detection. Journal of Circuits, Systems and Computers,
16(06):943–960, 2007.
[MAJB15] K. Morin-Allory, F.N. Javaheri, and D. Borrione. Eﬃcient and correct by
construction assertion-based synthesis. IEEE Transactions on Very Large
Scale Integration (VLSI) Systems, DOI. 10.1109/TVLSI.2014.2386212:1–12,
2015.
[MB08] L. De Moura and N. Bjørner. Z3: An Eﬃcient SMT Solver, volume
4963/2008 of Lecture Notes in Computer Science, pages 337–340. Springer
Berlin, April 2008.
[McC03] W. McCune. OTTER 3.3 reference manual. In http://www.cs.unm.edu/ mc-
cune/otter/Otter33.pdf, 2003.
References
[McM93] K.L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers,
Norwell, MA, USA, 1993.
[Mil72] R. Milner. Logic for computable functions: Description of a machine imple-
mentation. Technical report, Stanford, CA, USA, 1972.
[Mil94] G. Milne. Formal Speciﬁcation and Veriﬁcation of Digital Systems. McGrow-
Hill, 1994.
[MIN] MiniSAT, http://minisat.se/Papers.html, accessed 2015.
[MJML14] Ruben Martins, Saurabh Joshi, Vasco Manquinho, and Ineˆs Lynce. Incre-
mental cardinality constraints for MaxSAT. In Barry O’Sullivan, editor,
Principles and Practice of Constraint Programming, volume 8656 of Lecture
Notes in Computer Science, pages 531–548. Springer International Publish-
ing, 2014.
[MS95] Joao Marques-Silva. Search algorithms for satisﬁability problems in combi-
national switching circuits. PhD thesis, University of Michigan, 1995.
[MY60] R. McNaughton and H. Yamada. Regular expressions and state graphs for
automata. In IEEE Trans Comput, volume C9, pages 39–47, March 1960.
[O¨be99] J. O¨berg. ProGram : A Grammar-Based Method for Speciﬁcation and Hard-
ware Synthesis of Communication Protocols. PhD thesis, KTH, Sweden,
1999.
[Odd09] Y. Oddos. Veriﬁcation semi-formelle et synthe`se automatique de circuits
a partir de speciﬁcations temporelles ecrites en PSL. PhD thesis, Univ. of
Grenoble, Nov 2009.
[OH02] M.T. Oliveira and A.J. Hu. High-level speciﬁcation and automatic generation
of IP interface monitors. In Proc. of the 39th Design Automation Conference
(DAC’2002), pages 129–134, 2002.
[OLP85] Orna O. Lichtenstein and A. Pnueli. Checking that ﬁnite state concur-
rent programs satisfy their linear speciﬁcation. In Proc. of the 12th ACM
SIGACT-SIGPLAN Symposium on Principles of Programming Languages
(POPL’1985), pages 97–107, New York, NY, USA, 1985. ACM.
[OMAB07] Y. Oddos, K. Morin-Allory, and D. Borrione. Prototyping generators for on-
line test vector generation based on PSL properties. In Design and Diagnostic
of Electronic Circuits and Systems (DDECS’2007), pages 1–6, April 2007.
[OMAB08] Y. Oddos, K. Morin-Allory, and D. Borrione. Assertion-based design with
Horus. In 6th ACM-IEEE International Conference on Formal Methods and
Models for Codesign (MEMOCODE’2008), pages 75–76, June 2008.
[OMAB09] Y. Oddos, K. Morin-Allory, and D. Borrione. SyntHorus: Highly eﬃcient
automatic synthesis from PSL to HDL. In Proc. of the 17th IFIP Interna-
tional Conference on Very Large Scale Integration (VLSI-SoC’2009), pages
83–88, October 2009.
225
References
[ONE] OneSpin360DV, http://www.onespin-solutions.com/index.php/assertion-
synthesis.html, accessed 2015.
[ORS92] S. Owre, J.M. Rushby, and N. Shankar. PVS: A prototype veriﬁcation sys-
tem. In Automated Deduction—CADE-11, pages 748–752. Springer, 1992.
[OVA] OpenVera Assertion,
http://www.synopsys.com/Tools/Veriﬁcation/Documents/ova wp.pdf,
March 2003.
[OVL] Accellera Standard OVL V2, https://eda-
playground.readthedocs.org/en/latest/ downloads/ovl lrm.pdf, March
2014.
[PH09] D.K. Pradhan and I.G. Harris. Practical Design Veriﬁcation. Cambridge
University Press, 2009.
[PLN05] M. Pellauer, M. Lis, and R. Nikhil. Synthesis of synchronous assertions
with guarded atomic actions. In Proc. of the 3rd ACM and IEEE Interna-
tional Conference on Formal Methods and Models for Co-Design, (MEM-
OCODE’2005), pages 15–24, July 2005.
[PPS06] N. Piterman, A. Pnueli, and Y. Sa’ar. Synthesis of reactive(1) designs. In
E.A. Emerson and K. Namjoshi, editors, Veriﬁcation, Model Checking, and
Abstract Interpretation, volume 3855 of Lecture Notes in Computer Science,
pages 364–380. Springer Berlin Heidelberg, 2006.
[PPSQ13] L. Pierre, F. Pancher, R. Suescun, and J. Quevremont. On the eﬀectiveness
of assertion-based veriﬁcation in an industrial context. In C. Pecheur and
M. Dierkes, editors, Formal Methods for Industrial Critical Systems, volume
8187 of Lecture Notes in Computer Science, pages 78–93. Springer Berlin
Heidelberg, 2013.
[PR89] A. Pnueli and R. Rosner. On the synthesis of a reactive module. In Proc. of
the 16th ACM SIGPLAN-SIGACT symposium on Principles of programming
languages (POPL’1989), pages 179–190, New York, NY, USA, 1989. ACM.
[Rab72] M.S. Rabin. Automata on Inﬁnite Objects and Church’s Problem. American
Mathematical Society, Boston, MA, USA, 1972.
[RAT] Rat, http://rat.fbk.eu/ratsy/, accessed 2015.
[Ray96] P. Raymond. Recognizing regular expressions by means of dataﬂow networks.
In Proc. of the 23rd International Colloquium on Automata, Languages, and
Programming, (ICALP’1996), pages 336–347. Springer Verlag, 1996.
[SAT] SATRennesPA, http://satrennespa.irisa.fr/WebContent/, accessed 2015.
[SB94] A. Seawright and F. Brewer. Clairvoyant: A synthesis system for production-
based speciﬁcation. IEEE TVLSI, pages 172–185, June 1994.
References
[SDG] SLED SDG (Synthesizable Detector Generator),
http://www.dolphin.fr/index.php/eda solutions/applications/assertion based
veriﬁcation, accessed 2015.
[Sif82] J. Sifakis. A uniﬁed approach for studying the properties of transition sys-
tems. Theoretical Computer Science, 18(3):227–258, 1982.
[SM02] R. Siegmund and D. Mu¨ller. Automatic synthesis of communication con-
troller hardware from protocol speciﬁcations. IEEE Design & Test of Com-
puters, 19(4):84–95, 2002.
[SMB+05] J. Srouji, S. Mehta, D. Brophy, K. Pieper, S. Sutherland, and Work Group.
IEEE Standard for SystemVerilog - Uniﬁed Hardware Design, Speciﬁcation,
and Veriﬁcation Language. pub-IEEE-STD, November 2005.
[SMDC06] S.Das, R. Mohanty, P. Dasgupta, and P.P Chakrabarti. Synthesis of system
verilog assertions. In Proc. of the conferance on Design, Automation and
Test in Europe (DATE’2006), volume 2, pages 1–6, March 2006.
[SNBE07] M. Schickel, V. Nimbler, M. Braun, and H. Eveking. An eﬃcient synthe-
sis method for property based design in formal veriﬁcation. In Advances in
Design and Speciﬁcation Languages for Embedded Systems (Selected Contri-
butions from FDL’2006), pages 163–181. Kluwer, 2007.
[SP01] R. Sidhu and V.K. Prasanna. Fast regular expression matching using FPGAs.
In Proc. of the 9th Annual IEEE Symposium on Field-Programmable Custom
Computing Machines, FCCM’2001, pages 227–238, Washington, DC, USA,
2001. IEEE Computer Society.
[Tho68] K. Thompson. Programming techniques: Regular expression search algo-
rithm. Commun. ACM, 11(6):419–422, June 1968.
[TRA] Transistor count, http://en.wikipedia.org/wiki/Transistor count, accessed
2015.
[UNB] Unbeast, http://www.react.uni-saarland.de/tools/unbeast/, accessed 2015.
[WVS83] P. Wolper, M.Y. Vardi, and A.P Sistla. Reasoning about inﬁnite computation
paths. In Proc. of the 24th Annual Symposium on Foundations of Computer
Science, pages 185–194, November 1983.
[YAP10] J. Yuan, A. Aziz, and C. Pixley. Constraint-Based Veriﬁcation. Springer,
2010.
[Zha97] Hantao Zhang. SATO: An eﬃcient prepositional prover. In William McCune,
editor, Automated Deduction—CADE-14, volume 1249 of Lecture Notes in
Computer Science, pages 272–275. Springer Berlin Heidelberg, 1997.
227
Acronym
Acronym
A
ABA Alternating Bu¨chi Automaton
ABV Assertion Based Veriﬁcation
ABS Assertion Based Design
AMBA Advanced Microcontroller Bus Architecture
AST Abstract Syntax Tree
ASIC Application Speciﬁc Integrated Circuit
ASP Answer Set Programming
AP Atomic Proposition
AIGER
B
BDD Binary Decision Diagram
BMC Bounded Model Checking
BNF Backus-Naur Form
C
CNF Conjunctive Normal Form
CRC Cyclic Redundancy Check
CTL Computational Tree Logic
D
DAG Directed Acyclic Graph
DAST Directed Abstract Syntax Tree
DES Data Encryption Standard
DFA Deterministic Finite Automaton
DG Dependency Graph
DI Delay Insensitive
DIMS Delay Insensitive Min-term Synthesis
DTS Discrete Transition System
DUV Design Under Veriﬁcation
F
FIFO First In First Out
FPGA Field Programmable Gate Array
FSM Finite State Machine
229
Acronym
FL Foundation Language
FBDD Free Binary Decision Diagram
FPA Fast Prototyping From Assertions
G
GDL General Description Language
GenBuf Generalized Buﬀer
H
HDL Hardware Description Language
HDLC High-level Data Link Controller
HLS High Level Synthesis
HOL Higher Order Logic
I
IEEE Institute of Electrical and Electronics Engineers
IP Intellectual Property
L
LCF Logic for Computable Functions
LTL Linear Temporal Logic
LUT Look Up Table
N
NFA Non-deterministic Finite Automaton
O
OBE Optional Branching Extension
OCP Open Core Protocol
OVA Open Vera Assertion
OVL Open Veriﬁcation Library
P
PFG Protocol Flow Graph
PLA Programmable Logic Array
PSL Property Speciﬁcation Language
PSLsimple PSL Simple Subset
PVS Prototype Veriﬁcation System
R
RAT Requirement Analysis Tool
RTL Register Transfer Level
RE Regular Expression
S
SERE Sequential Extended Regular Expression
SoC System on Chip
SVA SystemVerilog Assertions
SAT boolean SATisﬁability problem
SRGA Self Reconﬁgurable Gate Array
Acronym
SDG Synthesizable Detector Generator
V
VHDL Very high speed integrated circuit Hardware Description Language
231
Acronym
Publications
Journal paper
• K. Morin-Allory, F.N. Javaheri, and D. Borrione, Eﬃcient and correct by construc-
tion assertion-based synthesis. IEEE Transactions on Very Large Scale Integration
(VLSI) Systems, PP(99):1–1, 2015.
Publications in Refereed International Conference Pro-
ceedings
• K. Morin-Allory, F.N. Javaheri, and D. Borrione, Design Understanding with Fast
Prototyping from Assertions. 1st Workshop on Design Automation for Understand-
ing Hardware Designs (DUHDe 2014, Friday workshop at DATE 2014), Dresden,
Germany, Mar 2014.
• K. Morin-Allory, F.N. Javaheri, and D. Borrione, Fast Prototyping from Assertions:
a Pragmatic Approach. Proceeding of the 11th ACM-IEEE International Conference
on Formal Methods and Models for Codesign (Memocode’13), US, Oct 2013.
• K. Morin-Allory, F. Javaheri, and D. Borrione, SyntHorus-2: Automatic Prototyping
from PSL. Proceeding of the 21st IFIP/IEEE International Conference on Very
Large Scale Integration (VLSI-SoC’13), Istanbul, Turkey, Oct 2013.
Posters
• F. Javaheri, K. Morin-Allory, and D. Borrione, Revisiting Regular Expressions in
SyntHorus2: from PSL SEREs to Hardware. submitted as work in progress in Forum
on speciﬁcation & Design Languages (FDL), 2015.
• F. Javaheri, K. Morin-Allory, and D. Borrione, SyntHorus2: A Tool for Assertion-
based Synthesis. presented at the PhD Forum of 18th Design, Automation and Test
in Europe Conference (DATE’15), Grenoble, France, March 2015.
• F. Javaheri, K. Morin-Allory, and D. Borrione, Designing from Assertions: from
PSL Properties to a Compliant Hardware Prototype. presented at the PhD Forum
233
Publications
of 17th Design, Automation and Test in Europe Conference (DATE’14), Dresden,
Germany, March 2014.
• F. Javaheri, K. Morin-Allory, A. Porcher, and D. Borrione, Automatic Prototyping of
declarative properties on FPGA. presented by D. Borrione at the Electronic System
Level Synthesis Conference as invited presentation, Austin, US, June, 2013.
• F. Javaheri, K. Morin-Allory, A. Porcher, and D. Borrione, Synthorus-2: Automatic
Prototyping on FPGA from PSL. presented at the University Booth of 16th Design,
Automation and Test in Europe Conference, Grenoble, France, 2013.
Abstract– The work presented in this thesis aims at automatically prototype commu-
nication and control designs from declarative temporal speciﬁcations. From a set of PSL2
properties, we produce a synthesizable RTL design automatically. The proposed method
is modular, in contrast to previously published methods that were based on automata
theory. From each property, we produce a component that observes some operands and
generates waveforms for the other operands: the reactant.
First, a library of primitive reactants has been provided for FL3 and SERE4 operators.
To this goal, a dependency relation is deﬁned for each operator that expresses the depen-
dency among its operands using the operator’s semantics. Then, the dependency relation
of each operator is interpreted as a hardware component that implements the operator:
the operator’s primitive reactant.
Using this formalization, a method is proposed to automatically decide which signals of
a property are observed and which are generated. In the cases when specifying the signal
direction is not possible, a solver is implemented to identify the signal value. In addition,
the way of identifying the value of the signal that is generated in several properties is
addressed.
The ﬁnal circuit is the interconnection of the properties’ reactants and solvers.
A prototype tool SyntHorus2, which is an extension to HORUS, has been developed.
It takes PSL properties as its inputs, and generates the synthesizable VHDL code of the
circuit. In addition, it generates some complementary properties to verify if the set of
speciﬁcation is coherent and complete.
The method is eﬃcient, and synthesizes control circuits in a few seconds. Results
obtained on classical benchmarks show that our technique compiles properties more eﬃ-
ciently than previous prototype tools.
Keywords. PSL, assertion-based design, reactant, automatic synthesis, dependency
graph, annotation, resolution, solver.
2Property Speciﬁcation Language
3Foundation Language
4Sequential Extended Regular Expression
Re´sume´– Les travaux pre´sente´s dans cette the`se visent a` produire automatiquement
des prototypes de circuits de communication et de controˆle a` partir de spe´ciﬁcations
temporelles de´claratives. Partant d’un ensemble de proprie´te´s e´crites en langage PSL,
nous produisons un mode`le RTL synthe´tisable automatiquement. La me´thode propose´e
est modulaire, contrairement aux me´thodes publie´es ante´rieurement qui e´taient fonde´es
sur la the´orie des automates. Pour chaque proprie´te´, nous produisons un composant qui
observe certains ope´randes et ge´ne`re des chronogrammes pour les autres ope´randes : le
module re´actif.
Tout d’abord, une bibliothe`que des modules re´actifs primitifs a e´te´ de´veloppe´e pour les
ope´rateurs FL et SERE. Pour ce faire, une relation de de´pendance a e´te´ de´ﬁnie pour chaque
ope´rateur : fonde´e sur la se´mantique de l’ope´rateur, elle exprime la de´pendance entre ses
ope´randes. Ensuite, la relation de de´pendance de chaque ope´rateur est interpre´te´e comme
un composant mate´riel qui met en œuvre l’ope´rateur : c’est le module re´actif primitif de
l’ope´rateur.
A` l’aide de cette formalisation, nous proposons une me´thode pour de´terminer automa-
tiquement quels signaux d’une proprie´te´ sont observe´s et lesquels sont ge´ne´re´s. Dans le
cas ou` il n’est pas possible de de´terminer le sens du signal, un solveur est ajoute´ pour
identiﬁer la valeur du signal. Le solveur sert aussi a` de´terminer la valeur d’un signal
ge´ne´re´ par plusieurs proprie´te´s. Le circuit ﬁnal est l’interconnexion des modules re´actifs
et des solveurs pour l’ensemble des proprie´te´s.
Un outil prototype, SyntHorus2, qui est une extension d’HORUS, a e´te´ mis de´veloppe´.
Il prend les proprie´te´s PSL comme entre´es et ge´ne`re le code VHDL synthe´tisable du
circuit. En outre, il ge´ne`re des proprie´te´s comple´mentaires pour ve´riﬁer si l’ensemble des
spe´ciﬁcations est cohe´rent et complet.
La me´thode est eﬃcace et synthe´tise des circuits de commande en quelques secon-
des. Les re´sultats que nous avons obtenus sur des jeux d’essais classiques montrent que
notre technique compile les proprie´te´s plus eﬃcacement que les outils prototypes qui l’ont
pre´ce´de´e.
Mots-cle´s. PSL, conception base´e sur les assertions, module re´actif, synthe`se automa-
tique, graphe de de´pendance, annotation, re´solution, solveur.
THÈSE
Pour obtenir le grade de
DOCTEUR DE L’UNIVERSITÉ GRENOBLE ALPES
Spécialité : Nanoélectronique et Nanotechnologies
Arrêté ministériel : 7 août 2006
Présentée par
Fatemeh (Negin) JAVAHERI
Thèse dirigée par Mme. Dominique BORRIONE
et codirigée par Mme. Katell MORIN-ALLORY
Préparée au sein du Laboratoire TIMA
Dans l’École Doctorale Electronique, Electrotechnique, Automatique&
Traitement du Signal (E.E.A.T.S)
Synthèse automatique de circuits
numériques à partir de spéciﬁcations
temporelles
Thèse soutenue publiquement le 1 octobre 2015,
devant le jury composé de :
M. Philippe COUSSY
Professeur, Université de Bretagne Sud, Président
M. Paolo PRINETTO
Professeur, Politecnico di Torino, Rapporteur
M. Rolf DRECHSLER
Professeur, Universität Bremen, Rapporteur
Mme. Dominique BORRIONE
Professeur, Université Joseph Fourier, Directrice de thèse
Mme. Katell MORIN-ALLORY
Maître de Conférences, Grenoble INP, Co-Directrice de thèse

Table des matie`res
1 Introduction 1
1.1 Le ﬂot de conception propose´e . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 La ve´riﬁcation a` base d’assertions 3
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Techniques de ve´riﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.1 Ve´riﬁcation par simulation . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.2 La ve´riﬁcation formelle . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3 Langages d’Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3.1 Language de Spe´ciﬁcation de Proprie´te´s (PSL) . . . . . . . . . . . . 4
2.3.2 System Verilog Assertion (SVA) . . . . . . . . . . . . . . . . . . . . 5
3 E´tat de l’art 7
3.1 Synthe`se de proprie´te´ sous forme de moniteurs . . . . . . . . . . . . . . . . 7
3.1.1 L’approche base´e sur l’automate . . . . . . . . . . . . . . . . . . . . 7
3.1.2 L’approche modulaire . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Synthe`se de proprie´te´ comme circuits corrects par construction . . . . . . . 8
3.2.1 L’approche base´e sur l’automate . . . . . . . . . . . . . . . . . . . . 8
3.2.2 L’approche modulaire . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.3 Outils existants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4 Prototypage rapide d’assertions : le ﬂot global de synthe`se 11
4.1 Synthe`se de composants re´actifs . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 Exemple d’Exe´cution : le Generalized Buﬀer . . . . . . . . . . . . . . . . . 11
4.2.1 Pre´sentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2.2 Communication avec les re´cepteurs . . . . . . . . . . . . . . . . . . 13
5 Synthe`se FLs 17
5.1 Formalisation de l’annotation . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.1.1 Relation de de´pendance : de´ﬁnition et notations . . . . . . . . . . . 17
5.1.2 Relation de de´pendance entre les ope´randes de ope´rateurs FL . . . 18
5.2 La synthe`se de la relation de de´pendance . . . . . . . . . . . . . . . . . . . 18
5.2.1 Principes de construction d’un composant re´actif primitif . . . . . . 18
5.2.2 Format ge´ne´rique d’un ope´rateur FL . . . . . . . . . . . . . . . . . 19
iii
Table de matie`res
6 Synthe`se des SEREs 23
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.2 De´ﬁs et motivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.3 Formalisation de l’annotation . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.3.1 Relation de de´pendance : de´ﬁnition et notations . . . . . . . . . . . 24
6.3.2 Relation de de´pendance entre les ope´randes des ope´rateurs de SERE 24
6.4 La synthe`se de la relation de de´pendance . . . . . . . . . . . . . . . . . . . 25
6.4.1 Principes de la construction des composants re´actifs primitifs . . . . 25
6.4.2 Mise en œuvre des composants re´actifs primitifs des ope´rateurs de
SERE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.5 Sous-ensemble synthe´tisable de SEREs . . . . . . . . . . . . . . . . . . . . 29
7 Annotation des signaux 31
7.1 Construction de l’arbre syntaxique abstrait de la proprie´te´ (AST) . . . . . 31
7.2 Construction de l’arbre syntaxique abstrait oriente´ (DAST) . . . . . . . . . 31
7.2.1 DAST des ope´rateurs FL simples . . . . . . . . . . . . . . . . . . . 32
7.2.2 DAST des ope´rateurs de SERE non borne´s . . . . . . . . . . . . . . 32
7.2.3 DAST de directives et de fonctions PSL . . . . . . . . . . . . . . . 33
7.2.4 L’algorithme d’annotation . . . . . . . . . . . . . . . . . . . . . . . 33
8 Re´actif Complexe 35
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
8.2 Construction intuitive d’un composant re´actif de la proprie´te´ . . . . . . . . 35
8.2.1 Construction intuitive d’un re´actif FL . . . . . . . . . . . . . . . . 35
8.2.2 Construction intuitive d’un re´actif SERE . . . . . . . . . . . . . . 35
9 Re´solution des signaux 39
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
9.2 Contraintes calcule´es a` partir de DASTs annote´s . . . . . . . . . . . . . . . 39
9.3 Constraintes calcule´es a` partir de DASTs partiellement annote´s . . . . . . 39
9.4 Graphe de de´pendance (DG) . . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.5 Construction du graphe de de´pendance . . . . . . . . . . . . . . . . . . . . 41
9.6 Fonction de re´solution : le composant dere´solution . . . . . . . . . . . . . . 41
9.6.1 Re´solution des signaux duplique´s : composant simple . . . . . . . . 41
9.6.2 Re´solution de sigaux non annote´s : les composants complexes . . . 42
9.7 Le circuit ﬁnal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
9.7.1 Ve´riﬁcation de la cohe´rence . . . . . . . . . . . . . . . . . . . . . . 43
9.7.2 Ve´riﬁcation de la comple´tude . . . . . . . . . . . . . . . . . . . . . 44
10 Les expe´riences et les re´sultats pratiques 45
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
10.2 Prototypage du mate´riel et les re´sultats de synthe`se . . . . . . . . . . . . . 45
10.2.1 Generalized Buﬀer (GenBuf)d’IBM . . . . . . . . . . . . . . . . . . 45
10.2.2 AMBA arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
10.2.3 D’autres exemples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
10.2.4 Comparaison entre FLs et SEREs . . . . . . . . . . . . . . . . . . . 49
11 Conclusion et travaux a` venir 53
11.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
11.2 Travaux a` venir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Bibliographie 55
v

Chapitre1
Introduction
Jour apre`s jour, l’inﬂuence des syste`mes e´lectroniques sur nos vie augmente. Toutefois,
construire un circuit nume´rique correcte du premier coup est un objectif diﬃcile lorsque
l’on conside`re les architectures actuelles.
Le travail pre´sente´ dans cette the`se propose une me´thode et un outil prototype pour
aider a` la ve´riﬁcation des protocoles de controˆle et de communication entre les modules.
Un inconve´nient des me´thodes de ve´riﬁcation formelle est qu’elles ne peuvent eˆtre uti-
lise´es qu’apre`s la conception du syste`me. L’objectif principal de ce travail est de proposer
des me´thodes pour ge´ne´rer un syste`me a` partir de ses spe´ciﬁcations et de ve´riﬁer son
exactitude au cours du processus de production de mate´rielcorrect par construction.
La ﬁgure 1.1 montre une vue tre`s abstraite du ﬂot de conception traditionnelle.
Un processus de conception typique commence par conside´rer le comportement infor-
mel du syste`me. Ensuite, les e´quipes de conception de´veloppent une premie`re imple´menta-
tion. Lors de l’e´tape suivante, l’imple´mentation doit eˆtre ve´riﬁe´e pour conside´rer si elle est
conforme aux spe´ciﬁcations. Apre`s ve´riﬁcation, plusieurs ame´liorations du circuit peuvent
eˆtre ne´cessaires en raison des erreurs de´tecte´es.
Une quantite´ importante de temps au cours du processus de conception est de´pense´e
pour de´couvrir des erreurs, ge´ne´ralement par simulation ou e´mulation.
System behavior:
Informal speciﬁcation
Hardware
veriﬁcation
Formal
speciﬁcation
Manual hardware 
development
Hardware 
reﬁnement
Figure 1.1 – Flot de conception classique
1
Introduction
1.1 Le ﬂot de conception propose´e
Les diﬃculte´s du ﬂot de conception classique nous ont amene´s vers la synthe`se a`
partir d’assertions (Assertion Based Synthe`se, ABS) : la production directe de modules
conformes (controˆle et communication) a` un ensemble d’assertions. Chaque proprie´te´ est
conside´re´e comme la spe´ciﬁcation d’un module a` concevoir. L’objectif est alors de concevoir
directement un code RTL synthe´tisable a` partir de ses assertions.
En ABS, les proprie´te´s sur le comportement d’un composant (assertions) ou de son
environnement (hypothe`ses) spe´ciﬁent les caracte´ristiques fonctionnelles d’entre´e-sortie des
modules et les communications entre les parties du syste`me.
Dans le ﬂot de conception propose´e nous commenc¸ons la conception a` partir d’un
niveau plus abstrait, et inte´grons la ve´riﬁcation dans le processus de conception (voir
ﬁg. 1.2). Dans cette me´thode, les taˆches de conception et de ve´riﬁcation ont e´te´ uniﬁe´es ; un
circuit correct par construction est ge´ne´re´ directement a` partir des spe´ciﬁcations formelles.
System behavior:
Informal speciﬁcation
Formal
speciﬁcation
Automatic
correct-by-construction
hardware development SyntHorus2
Figure 1.2 – Le ﬂot de conception propose´
Le circuit ge´ne´re´ est appele´ composant reactif : il re´agit aux stimuli sur ses entre´es et
produit des stimuli sur ses sorties, conformes aux assertions.
Chapitre2
La ve´riﬁcation a` base d’assertions
2.1 Introduction
Ge´ne´ralement, une assertion (proprie´te´) sur le circuit exprime le comportement du
circuit, et se re´fe`re a` des proprie´te´s qui doivent eˆtre ve´riﬁe´es.
Les assertions peuvent eˆtre ve´riﬁe´es a` la fois en simulation et en ve´riﬁcation formelle.
Les assertions peuvent eˆtre exprime´es en utilisant un langage de proprie´te´s temporelles.
Dans les sections suivantes, nous examinons les techniques de ve´riﬁcation.
2.2 Techniques de ve´riﬁcation
2.2.1 Ve´riﬁcation par simulation
La ve´riﬁcation par simulation est applique´e a` un sous-ensemble repre´sentatif des va-
leurs de signaux et des comportements d’un circuit, pour ve´riﬁer si l’imple´mentation se
comporte correctement par rapport a` sa spe´ciﬁcation [Kro99].
En utilisant ce proce´de´, des erreurs peuvent eˆtre masque´es en raison des stimuli ; elles
peuvent apparaˆıtre en utilisant un autre stimulus, ou en exe´cutant la simulation pendant
plus de cycles.
2.2.2 La ve´riﬁcation formelle
L’objectif de la ve´riﬁcation formelle est de conside´rer formellement si une imple´men-
tation satisfait la spe´ciﬁcation.
Dans la ve´riﬁcation formelle, a` la fois les spe´ciﬁcations et les imple´mentations sont
converties en mode`les mathe´matiques.
En utilisant le mode`le mathe´matique du circuit et son comportement, la ve´riﬁcation
formelle doit prouver mathe´matiquement que la conception satisfait la spe´ciﬁcation de
son comportement, ou qu’une relation existe entre les deux. Si il existe un bug de concep-
tion, les techniques de ve´riﬁcation formelle produisent un contre-exemple pour faciliter le
processus de de´bogage.
3
Chapitre 2 : La ve´riﬁcation a` base d’assertions
2.2.2.1 Model checking
La ve´riﬁcation de mode`le (model checking) a e´te´ de´veloppe´e a` l’origine en 1981 par
Clarke, Emerson et Sifakis [CE82, CES86, Sif82]. Le model checking est une technique
automatique pour la ve´riﬁcation des syste`mes re´actifs a` e´tats ﬁnis, tels que les circuits
se´quentiels et les protocoles de communication. Le model checking consiste en un mode`le
du syste`me, une logique temporelle, et un algorithme de ve´riﬁcation.
Le model checking peut eˆtre explicite (tout l’espace d’e´tat est e´nume´re´) ou impli-
cite (l’espace d’e´tat est mode´lise´ avec des structures de donne´es symboliques telles que
BDD).Le model checking implicite (symbolique) est ge´ne´ralement plus puissante.
Bounded model checking
Le model checking borne´ a e´te´ introduit par Biere et al. dans [BCC+99]. Il est base´
sur les me´thodes de satisﬁabilite´ (SAT) . L’ide´e essentielle pour ve´riﬁer une proprie´te´ sur
un syste`me de transition ﬁni est de rechercher des contre-exemples dans l’espace de toutes
les exe´cutions de longueur k du syste`me.
2.2.2.2 Equivalence checking
La ve´riﬁcation d’e´quivalence (Equivalence checking) est un proce´de´ base´ sur un mode`le
qui ve´riﬁe si deux descriptions d’une conception spe´ciﬁent le meˆme comportement, ce qui
signiﬁe qu’ils produisent des se´quences de sorties identiques pour toutes les se´quences
d’entre´e valides. Ces descriptions peuvent eˆtre dans diﬀe´rents niveaux d’abstraction.
2.3 Langages d’Assertions
Une spe´ciﬁcation formelle est une description concise et abstraite du comportement et
des proprie´te´s d’un syste`me. Cette description est e´crite dans un langage mathe´matique
et indique ce qu’un syste`me est cense´ faire.
2.3.1 Language de Spe´ciﬁcation de Proprie´te´s (PSL)
Le language de spe´ciﬁcation de proprie´te´s PSL (Property Speciﬁcation Language)
[FG05] est la normalisation par Accelera, puis par l’IEEE, du language “Sugar” de´veloppe´
par IBM [BBDE+01].
Une proprie´te´ PSL se compose de quatre couches : Boole´enne, temporelle, ve´riﬁcation
et mode´lisation (voir ﬁg. 2.1).
Nous nous concentrons sur la couche temporelle PSL.
2.3.1.1 Couche temporelle de PSL
La couche temporelle est utilise´e pour de´ﬁnir les proprie´te´s qui de´crivent le compor-
tement de la conception ou de l’environnement au cours du temps. Elle est utilise´e pour
de´crire les comportements temporels construits a` partir d’expressions boole´ennes et d’ope´-
rateurs temporels.
La ﬁgure 2.2 montre les quatre couches d’une proprie´te´ PSL.
2.3 : Langages d’Assertions
Boolean layer
Temporal layer
SERE FL
LTL-based
OBE
CTL-based
Veriﬁcation layer
Modeling layer
Figure 2.1 – Les couches PSL
wire req;
req = req0 or req1;
assert always ( req -> next_a[1 to 4](busy and not gnt) )
Modeling layer
Veriﬁcation layer
Temporal layer
Boolean layer
{
Figure 2.2 – Diﬀe´rentes couches d’une proprie´te´ PSL
2.3.1.2 Sous-ensembles simple de PSL (PSLsimple)
Le sous-ensemble simple de PSL, PSLsimple, est un sous-ensemble qui est conforme a`
la notion de progression monotone de temps, de gauche a` droite a` travers la proprie´te´. Les
proprie´te´s situe´es dans le sous-ensemble peuvent eˆtre simule´es facilement.
2.3.2 System Verilog Assertion (SVA)
Les assertions SystemVerilog [SMB+05] sont inte´gre´es dans SystemVerilg, elles peuvent
eˆtre utilise´es avec d’autres structures de langage. SVA a e´te´ de´ﬁni en meˆme temps que
PSL, e´galement a` partir de “Sugar”, mais est limite´ aux expressions re´gulie`res Seres. Il
partage la plupart des primitives de base de PSL, mais sa syntaxe est diﬀe´rente.
5
Chapitre 2 : La ve´riﬁcation a` base d’assertions
Chapitre3
E´tat de l’art
3.1 Synthe`se de proprie´te´ sous forme de moniteurs
Un moniteur observe les signaux qui sont des ope´randes d’une proprie´te´, et sort le
statut de la proprie´te´. Par conse´quent, tous les ope´randes sont des entre´es du moniteur.
Il existe deux me´thodes pour synthe´tiser des moniteurs : soit a` partir d’automates, soit
une me´thode modulaire. Les deux me´thodes prennent en charge les FLs et des expressions
re´gulie`res.
3.1.1 L’approche base´e sur l’automate
Les moniteurs sont des machines a` e´tats ﬁnis qui acceptent ou rejettent certaines traces
de simulation.
Traduire des expressions re´gulie`res (RE) en automates a e´te´ fait dans [MY60] et
[Tho68]. La traduction de LTL vers les automates a e´te´ prise en compte dans [WVS83].
Sidhu et Prasanna ont pre´sente´ une imple´mentation mate´rielle d’adaptateurs de RE
pour les FPGA [SP01]. Cette approche utilise la me´thode de McNaughton-Yamada [MY60]
pour construire des NFAs a` partir de REs.
Gascard dans [Gas05] propose une me´thode pour transformer les SEREs en DFA. Le
travail est base´ sur les de´rive´es d’expressions re´gulie`res introduites par Brzozowski dans
[Brz64].
Le travail pre´sente´ dans [GG05] traite de la traduction d’un sous-ensemble de PSL
SEREs en moniteurs. Pour chaque ope´rateur de ce sous-ensemble, une fonction est imple´-
mente´e qui construit l’automate non-de´terministe correspondante.
A notre connaissance, l’approche la plus eﬃcace dans la synthe`se de moniteurs de PSL
SEREs se fait par Boule´ et Zilic [BZ07, BZ08b, BZ08c].
3.1.2 L’approche modulaire
L’imple´mentation PSL des Seres en utilisant l’approche modulaire a e´te´ eﬀectue´e par
Morin-Allory et al. dans [MAGB07] pour la de´tection de fautes en ligne.
L’approche modulaire introduite par Morin-Allory et Borrione dans [KAB06] ge´ne`re
des moniteurs pour les proprie´te´s temporelles PSL. Dans ce proce´de´, le sous-ensemble
simple de PSL est conside´re´. Chaque ope´rateur de PSL dans ce sous-ensemble est im-
ple´mente´ en tant que module VHDL synthe´tisable, avec une interface ge´ne´rique. Une
7
Chapitre 3 : E´tat de l’art
proprie´te´ PSL est ge´ne´re´ par l’interconnexion des sous-modules des ope´rateurs en suivant
l’arbre syntaxique abstrait de la proprie´te´. Un prototype d’outil, HORUS, a e´te´ de´ve-
loppe´ pour la construction automatique d’un environnement de test pour la conception
[OMAB08, Odd09].
3.2 Synthe`se de proprie´te´ comme circuits corrects
par construction
Dans cette section, une proprie´te´ est conside´re´e comme la spe´ciﬁcation du module a`
concevoir. L’objectif est alors de produire la conception RTL synthe´tisable de ses assertions
directement.
3.2.1 L’approche base´e sur l’automate
Le proble`me a d’abord e´te´ traite´ par Bu¨chi [BL69], puis par Rabin [Rab72]. Ces ap-
proches construisent les automates des proprie´te´s, et re´duisent le proble`me de la synthe`se
au proble`me de la vacuite´ des automates. Si un automate non-vide peut eˆtre trouve´ pour
les spe´ciﬁcations, son circuit correspondant est produit.
Bien suˆr la synthe`se automatique a` partir des spe´ciﬁcations n’est pas une nouveaute´,
elle a re´cemment e´te´ applique´e a` des circuits re´els, a` travers le de´veloppement d’outils de
prototypes [PPS06, BGJ+07a, RAT, FJR11, EKH12].
Bloem et al. de´ﬁnissent un sous-ensemble de LTL (“Generalized Reactivity(1)”) dont les
proprie´te´s sont converties en automates [BGJ+07a, BGJ+07b]. Ils utilisent la me´thode de
jeu a` deux joueurs. Les algorithmes de la the´orie des jeux calculent tous les comportements
corrects du circuit pour toutes les interactions possibles avec l’environnement. Le travail
est plus tard e´tendu et ame´liore´ dans [BJP+12], pour obtenir de plus petits circuits.
Ces me´thodes ont e´te´ mises en œuvre et des outils de prototypes ont e´te´ fournis pour
la synthe`se de la proprie´te´. Brie`vement, Lily et Anzu ont e´te´ mis en œuvre sur la base des
recherches dans [JB06, PPS06], puis ame´liore´ pour ratsy.
3.2.2 L’approche modulaire
Le sujet a e´te´ examine´ par Oddos et al. dans [OMAB09], et une solution provisoire a e´te´
propose´e pour synthe´tiser les circuits de controˆle de proprie´te´s temporelles PSL [Odd09].
La me´thode est modulaire, chaque proprie´te´ est transforme´e en un composant combinant
les caracte´ristiques des moniteurs et ge´ne´rateurs : le ge´ne´rateur e´tendu. Un sous-module
VHDL synthe´tisable est pre´vu pour chaque ope´rateur dans PSLsimple. Chaque proprie´te´
est l’interconnexion des sous-modules de ses ope´rateurs. Le conception ﬁnale est l’inter-
connexion des modules de proprie´te´, et il est correct par construction.
3.3 Outils existants
Il y a une grande varie´te´ d’outils de ve´riﬁcation formelle. Selon l’outil utilise´, les pro-
prie´te´s peuvent eˆtre exprime´es en PSL, LTL, ou CTL. OneSpin [one], Mentor Graphics
0-In, Cadence Incisive [cad] et RuleBased d’IBM [HIL04] sont parmi les outils les plus
connus qui peuvent eˆtre utilise´s pour la ve´riﬁcation formelle.
3.3 : Outils existants
Pour la compilation des assertions en moniteurs, des outils industriels existent : IBM
FOCS [ABG+00], BugScope [Bug] de´veloppe´ par Atrenta, SLED SDG (synthesizable Detec-
tor Generator) de´veloppe´ par Dolphin Inte´gration. En plus des outils industriels mention-
ne´s, il existe des outils acade´miques pour compiler des assertions en moniteurs : MBAC
de´veloppe´ par Boule´ [BZ08a] a` l’universite´ McGill, Horus [OMAB08] de´veloppe´ dans le
groupe VDS de TIMA Lab.
Dans le cadre dela synthe`se correcte par construction, il y a peu d’outils.
Acacia+ [ACA] est base´ sur les travaux dans [FJR09, FJR11]. Il saisit les spe´ciﬁcations
de LTL, et e´met un design dans le format dot .
Unbeast [UNB] est base´ sur les travaux dans [EKH12]. Il saisit les spe´ciﬁcations de LTL
dans une syntaxe XML et produit un ﬁchier interme´diaire NuSMV qui est transforme´ en
un format AIG par AIGER.
Ratsy (Requirements Analysis Tool with Synthesis) [RAT, BCG+10] est une mise a`
jour de Rat qui est de´veloppe´ par Bloem et al. a` l’Universite´ de Gratz. Ratsy entre les
proprie´te´s en GR (1) PSLsimple. Les proprie´te´s doivent eˆtre partitionne´es en un ensemble
d’assertions (garantee) et un ensemble d’hypothe`ses (assume). Il produit une conception
Verilog.
SyntHorus est la version e´tendue de Horus qui est de´veloppe´e dans le laboratoire
TIMA[Odd09]. Au contraire d’autres me´thodes existantes, l’outil est base´ sur l’approche
modulaire, et pourrait synthe´tiser des proprie´te´s FL PSLsimpleen VHDL.
Dans cette the`se, SyntHorus a e´te´ ame´liore´ pour SyntHorus2. Cette nouvelle version
prend des proprie´te´s PSL et ge´ne`re automatiquement le circuit de VHDL synthe´tisable.
Il supporte les proprie´te´s FLs, et prend e´galement en charge partiellement les SEREs.
9
Chapitre 3 : E´tat de l’art
Chapitre4
Prototypage rapide d’assertions : le ﬂot global
de synthe`se
Dans ce chapitre, notre ﬂot de synthe`se global est explique´, et un exemple de fonction-
nement est introduit.
4.1 Synthe`se de composants re´actifs
Dans ce travail, une me´thode correcte par construction est propose´e pour produire
directement une conception RTL synthe´tisable a` partir de ses assertions. La me´thode est
modulaire ; i.e. le composant re´actif de chaque proprie´te´ est l’interconnexion des modules
de ses ope´rateurs. Par conse´quent, les modules des ope´rateurs sont appele´s composants
re´actifs primitifs.
Ensuite, le circuit ﬁnal est l’interconnexion des composants re´actifs des proprie´te´s.
La ﬁg. 4.1 montre le ﬂot de synthe`se globale qui produit un circuit a` partir d’un
ensemble de proprie´te´s.
Nous avons fourni un prototype d’outil, SyntHorus2 qui met en œuvre le processus
de synthe`se ci-dessus : il faut un ensemble de proprie´te´s PSL en entre´e, et il ge´ne`re le
circuit ﬁnal en VHDL. Il ge´ne`re e´galement des proprie´te´s comple´mentaires aﬁn de ve´riﬁer
si l’ensemble des proprie´te´s est complet et cohe´rent (voir ﬁg. 4.1). La me´thode propose´e
est applicable aux parties controˆles d’une conception.
4.2 Exemple d’Exe´cution : le Generalized Buﬀer
Ici, nous introduisons le Generalized Buﬀer d’IBM [IBM] (GenBuf ).
4.2.1 Pre´sentation
GenBuf est un arbitre qui se´quentialise les demandes provenant de nbsend e´metteurs,
et les transmet a` un moment a` nbrec re´cepteurs (nbsend et nbrec sont des parame`tres
ge´ne´riques). Chaque e´metteur a son propre bus, et les re´cepteurs partagent le meˆme bus.
Une FIFO (de profondeur 4 sur 32 bits de donne´es) stocke les donne´es entrantes en attente
d’envoi vers les re´cepteurs.
11
Chapitre 4 : Prototypage rapide d’assertions : le ﬂot global de synthe`se
Figure 4.1 – Flot global de synthe`se
4.2 : Exemple d’Exe´cution : le Generalized Buﬀer
Un controˆleur communique avec tous les modules et la FIFO : il applique une politique
de se´lection par tourniquet du coˆte´ des re´cepteurs, il bloque les e´metteurs lorsque la
FIFO est pleine, et bloque les re´cepteurs lorsque la FIFO est vide. La ﬁgure 4.2 aﬃche
l’architecture du syste`me et les signaux de commande d’interface qui sont utilise´s pour la
communication.
GenBuf 
Controller
(Automatically 
generated
by SyntHorusII)
sender#0 receiver#0
FIFO
StoB_REQ(0)
BtoR_REQ(0)BtoS_ACK(0)
RtoB_ACK(0)
EN
Q
DE
Q
EM
PT
Y
FU
LL
sender#i
StoB_REQ(i)
BtoS_ACK(i) receiver#jBtoR_REQ(j)
RtoB_ACK(j)
Figure 4.2 – Interface de circuit GenBuf
4.2.2 Communication avec les re´cepteurs
Le GenBuf interagit avec les re´cepteurs a` travers un protocole 4 phases. Le me´canisme
d’arbitrage qui est utilise´ par GenBuf est le tourniquet : GenBuf ne demande pas le meˆme
re´cepteur deux fois conse´cutives. La ﬁgure 4.3 montre un chronograme par poigne´e de
main entre le re´cepteur et le GenBuf.
0 1 2 3 4 5 6 7 8
clock
EMPTY
BtoR REQ(i)
RtoB ACK(i)
DEQ
Figure 4.3 – Un exemple de chronogramme pour le re´cepteur
4.2.2.1 Spe´ciﬁcation formelle FL
L’ensemble des proprie´te´s FL qui spe´ciﬁent la communication entre le controˆleur Gen-
Buf, les re´cepteurs et la FIFO sont pre´sente´es ﬁgure 4.4 (pour 2 re´cepteurs).
13
Chapitre 4 : Prototypage rapide d’assertions : le ﬂot global de synthe`se
vunit g enbu f r e c e i v e r
{
−−−−− r e c e i v e r s i d e
P0 rec :
always (not EMPTY −> next ! ( BtoR REQ(0) or ( BtoR REQ(1) ) ) ) ;
P1 rec :
always (EMPTY −> next ! ( not BtoR REQ(0) and (not BtoR REQ(1) ) ) ) ;
P2 rec :
always (not BtoR REQ(0) or not BtoR REQ(1) ) ;
P3 rec 0 :
always ( rose (BtoR REQ(0) ) −> next ! (next event ! (prev (not BtoR REQ(0)
) ) (not BtoR REQ(0) unti l (BtoR REQ(1) ) ) ) ) ;
P3 rec 1 :
always ( rose (BtoR REQ(1) ) −> next ! (next event ! (prev (not BtoR REQ(1)
) ) (not BtoR REQ(1) unti l (BtoR REQ(0) ) ) ) ) ;
P4 rec 0 :
always ( (BtoR REQ(0) ) and (not RtoB ACK(0) )−> next ! (BtoR REQ(0) ) ) ;
P4 rec 1 :
always ( (BtoR REQ(1) ) and (not RtoB ACK(1) )−> next ! (BtoR REQ(1) ) ) ;
P5 rec 0 :
always ( (RtoB ACK(0) ) −> (next ! (not BtoR REQ(0) ) ) ) ;
P5 rec 1 :
always ( (RtoB ACK(1) ) −> (next ! (not BtoR REQ(1) ) ) ) ;
−−−−−−−−− FIFO i n t e r f a c e
P6 FIFO rec :
always ( ( f e l l (RtoB ACK(0) ) or ( f e l l (RtoB ACK(1) ) ) and not EMPTY) −> (
DEQ) ) ;
P7 FIFO rec :
always (not f e l l (RtoB ACK(0) ) and not f e l l (RtoB ACK(1) ) −> (not DEQ) ) ;
}
Figure 4.4 – Spe´ciﬁcation FL de la communication GenBuf avec des re´cepteurs, dans le
cas de deux re´cepteurs
4.2 : Exemple d’Exe´cution : le Generalized Buﬀer
4.2.2.2 Spe´ciﬁcation formelle SERE
L’ensemble des proprie´te´s en expressions re´gulie`res qui spe´ciﬁent la communication
entre le controˆleur GenBuf, les re´cepteurs et la FIFO sont pre´sente´es dans la ﬁg. 4.5.
vunit g e nbu f r e c e i v e r s e r e
{
P0 se r e r e c :
always ({not EMPTY} |=> {BtoR REQ(0) or BtoR REQ(1) } ! ) ;
P1 s e r e r e c :
always ({EMPTY} |=> {not BtoR REQ(0) and not BtoR REQ(1) } ! ) ;
P2 s e r e r e c :
always (not BtoR REQ(0) or not BtoR REQ(1) ) ;
P3 s e r e r e c 0 :
always ( {not BtoR REQ(0) ; BtoR REQ(0) ; {BtoR REQ(0) [ ∗ ] ; not BtoR REQ
(0) }} |=> {(not BtoR REQ(0) ) [ ∗ ] ; (prev (BtoR REQ(1) ) ) } ! ) ;
P3 s e r e r e c 1 :
always ( {not BtoR REQ(1) ; BtoR REQ(1) ; {BtoR REQ(1) [ ∗ ] ; not BtoR REQ
(1) }} |=> {(not BtoR REQ(1) ) [ ∗ ] ; (prev (BtoR REQ(0) ) ) } ! ) ;
P4 s e r e r e c 0 :
always ( {BtoR REQ(0) and (not RtoB ACK(0) ) } |=> {BtoR REQ(0) } ! ) ;
P4 s e r e r e c 1 :
always ( {BtoR REQ(1) and (not RtoB ACK(1) ) } |=> {BtoR REQ(1) } ! ) ;
P5 s e r e r e c 0 :
always ( {RtoB ACK(0) } |=> {not BtoR REQ(0) } ! ) ;
P5 s e r e r e c 1 :
always ( {RtoB ACK(1) } |=> {not BtoR REQ(1) } ! ) ;
P6 sere FIFO rec :
always ( ( f e l l (RtoB ACK(0) ) or ( f e l l (RtoB ACK(1) ) ) and not EMPTY) −> (
DEQ) ) ;
P7 sere FIFO rec :
always (not f e l l (RtoB ACK(0) ) and not f e l l (RtoB ACK(1) ) −> (not DEQ) ) ;
}
Figure 4.5 – Spe´ciﬁcation SERE de la communication GenBuf avec des re´cepteurs, dans
le cas de deux re´cepteurs
15
Chapitre 4 : Prototypage rapide d’assertions : le ﬂot global de synthe`se
Chapitre5
Synthe`se FLs
Dans ce chapitre, nous expliquons comment synthe´tiser un ope´rateur temporel FL, et
nous fournissons une bibliothe`que de composants re´actifs primitives pour les ope´rateurs
FL.
5.1 Formalisation de l’annotation
5.1.1 Relation de de´pendance : de´ﬁnition et notations
Pour prouver les relations de de´pendance, nous utilisons les de´ﬁnitions se´mantiques de
PSL dans l’annexe B de la norme IEEE [FG05].
— w |= property (“property” est vrai sur le mot w) : la se´mantique des proprie´te´s
FL est de´ﬁnie par induction structurelle.
De´ﬁnition 1. Soit w une trace, A et B deux formules FL. La relation de de´pendance
entre A et B est de´ﬁnie comme suit :
�A�B�w ⇐⇒ w |= B ⇒ w |= A
Lorsque ∀w, �A�B�w on peut e´crire : A�B.
Proprie´te´ 1. �A�B�w ∧ �A�C�w ⇔ �A�(B orC)�w
Proprie´te´ 2. �A�B�w ∨ �A�C�w ⇔ �A�(B andC)�w
Proprie´te´ 3. �(A andB)�C�w ⇔ �A�C�w ∧ �B�C�w
Proprie´te´ 4. �(A orB)�C�w ⇔ �A�(C ∧ ¬B)�w
Proprie´te´ 5. �A�B�w ⇔ �¬B�¬A�w
De´ﬁnition 2. Soit ϕ une formule FL. A et B sont deux ope´randes de ϕ. Soit w une trace.
A de´pend de B dans ϕ si : ∀w, �ϕ� true�w ⇔ �A�B�w.
17
Chapitre 5 : Synthe`se FLs
5.1.2 Relation de de´pendance entre les ope´randes de ope´rateurs
FL
5.1.2.1 Always
Re`gle de de´pendance 1. Always
ϕ = alwaysA, puis
�ϕ� true�w iﬀ ∀i < |w|, �A� true�wi...
5.1.2.2 Famille Next
Re`gle de de´pendance 2. Next ![k]
ϕ = next![k]A, puis
�ϕ� true�w iﬀ �A� true�wk...
Re`gle de de´pendance 3. Next a !
ϕ = next a![i to j]A, puis
�ϕ� true�w iﬀ ∀k ∈ [i..j], �A� true�wk...
5.1.2.3 Famille Until
Re`gle de de´pendance 4. Until !
ϕ = A until! B, puis
�ϕ� true�w iﬀ ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
Dans cette relation de de´pendance, si A et B sont boole´ens, la relation de de´pendance
�A�¬B�wi... peut eˆtre inverse´e (voir la proprie´te´ 5).
Re`gle de de´pendance 5. Until
ϕ = A until B, puis
∀w,
� ∃k < |w|, �B� true�wk... ∧ ∀i < k, �A�¬B�wi...
or
∀i < |w|, �A� true�wi...
5.2 La synthe`se de la relation de de´pendance
Nous donnons une interpre´tation mate´rielle de la relation de de´pendance �ϕ� true�w,
ou` ϕ signiﬁe un appel a` l’un des ope´rateurs de FL, et Ω repre´sente l’ope´rateur temporel
FL.
5.2.1 Principes de construction d’un composant re´actif primitif
Les composant re´actifs primitifs ont une interface ge´ne´rique : ils prennent clock et
reset comme signaux de synchronisation. Chaque composant re´actif primitif a un signal
de start pour son activation (voir ﬁg. 5.1).
La sortie d’un composant re´actif n’est pas la valeur d’un signal, mais le trigger qui sert
a` commencer le composant mate´riel primitif en charge de la ge´ne´ration ou de l’observation
de la valeur du signal (voir ﬁg. 5.1).
5.2 : La synthe`se de la relation de de´pendance
observed
Figure 5.1 – Interface ge´ne´rique d’un composant re´actif primitif
Le circuit C est le circuit qui met en oeuvre un composant re´actif primitif. Dans ce
chapitre, nous examinons comment synthe´tiser C pour des composant re´actifs primitifs
FL.
5.2.1.1 Composant Re´actif Boole´en
La ﬁgure 5.2 montre les quatre mises en oeuvre diﬀe´rentes pour un composant re´actif
boole´en.
Figure 5.2 – Composant Re´actif Boole´en
5.2.2 Format ge´ne´rique d’un ope´rateur FL
Nous avons propose´ un format ge´ne´rique pour tous les ope´rateurs de FL [MAJB15].
Ce format est base´ sur la de´ﬁnition de la se´mantique de l’ope´rateur.
Chaque de´pendance est un cas particulier de l’un des deux expressions suivantes ge´-
ne´ralise´es :
1 la famille“forall”comprend : : always, until, next!, next a, next event, next event a.
2 la famille “exists” comprend : : eventually!, before, next e, next event e.
Les expressions “forall” et “exists” ge´ne´ralise´es ont le format suivant :
∀i ∈ [kmin , kmax ], �exp� cond�wki (5.1)
∃i ∈ [kmin , kmax ], �exp� cond�wki (5.2)
19
Chapitre 5 : Synthe`se FLs
Dans les formules ci-dessus, exp et cond sont deux boole´ens, et min et max sont deux
naturels tels que max ≥ min. Kmin et Kmax sont calcule´s en utilisant une fonction de
comptage, Ith. Le fonction Ith renvoie le nombre de fois que son ope´rande, une formule F
calcule´e sur la trace w, a e´te´ true sur w0..k.
Ith(�F � true�wki ) = i ∧ �F � true�wki , ∀i ∈ N
La se´quence {k0, k1, ..., ki...} est l’ensemble de ces points dans le temps (voir ﬁg. 5.3).
0 1 2 3 4 5 6 7 8 9
k1 k2 k3
clock
F
Ith(. . . ) 0 1 2 3
Figure 5.3 – Illustration de la fonction Ith(�F � true�wki )
Les valeurs de min,max , exp, cond et F de´pendent de l’ope´rateur temporel. Le ta-
bleau 5.1 donne leur valeur pour chaque ope´rateur PSL FL.
Temporal Operator F min max cond exp opt. opt. !
alwaysA true 0 | w | true A no no
A untilB (1) B 0 1 ¬B A yes yes
A beforeB (1) ¬B 0 1 ¬A ¬B yes yes
next![i]A true i i true A no yes
next a[i to j]A true i j true A no yes
next event[i](B)A B i i B A no yes
next event a[i to j](B)A B i j B A no yes
eventually!A A 0 1 true A no no
A untilB (2) B 0 1 ¬A B no yes
A before B (2) ¬B 0 1 B A no yes
next e[i to j]A true i j true A no yes
next event e[i to j](B)A B i j true A no yes
Table 5.1 – Valeurs des parame`tres pour forall (en haut) et existe (en bas) expressions
5.2.2.1 Mise en œuvre d’un ope´rateur du groupe “forall”
La ﬁgure 5.4 illustre la mise en oeuvre de l’expression de “forall”.
— Le composant Dep (pour la de´pendance �) est une simple porte “AND” qui imple´-
mente l’expression �exp� cond�Wk . Il de´clenche l’e´valuation de exp en fonction de
la valeur de cond .
— Le composant ForAll imple´mente l’expression ∀i ∈ �Kmin, Kmax�. Le signal ForAll.Trig
est actif en tout temps entre lb et ub. Selon que l’ope´rateur chevauche ou non, deux
versions sont utilise´es (voir ﬁg. 5.5).
— Le composant Min(Max) prend start et cond en entre´e. Le signaux de start lance
le comptage des occurrences de F sur son entre´e Min.cond (Max.cond).
5.2 : La synthe`se de la relation de de´pendance
ForAll Dep
Figure 5.4 – La mise en oeuvre de l’expression de “forall”
(a) non overlapping (b) overlapping
Figure 5.5 – La mise en oeuvre de ∀i ∈ [lb, ub]
21
Chapitre 5 : Synthe`se FLs
5.2.2.2 Mise en œuvre d’un ope´rateur du groupe “exist”
La ﬁgure 5.6 illustre la mise en oeuvre de l’expression de “exist”. Les composants
Min et Max observent la formule F , et comptent le nombre d’occcurence dans l’interval
[Kmin, Kmax].
Figure 5.6 – La mise en oeuvre de l’expression de “exist”
Figure 5.7 – La mise en oeuvre de ∃i ∈ [lb, ub]
Chapitre6
Synthe`se des SEREs
6.1 Introduction
Dans ce chapitre, nous examinons les principes de synthe`se de SEREs. Les SEREs
sont tre`s similaires aux se´quences dans SVA. Les SEREs sont une fac¸on commode d’ex-
primer les formes d’ondes de signaux, en e´crivant de simples proprie´te´s de la forme :
{observe} |=> {observe}
ou
{observe} |=> {generate}
Ces proprie´te´s peuvent repre´senter le comportement de l’environnement ou d’un pro-
tocole de communication.
6.2 De´ﬁs et motivations
Les SEREs ne peuvent pas toujours eˆtre traduites en FLs. En outre, certains com-
portements ou speciﬁcations en langue naturelle peuvent eˆtre exprime´s plus facilement en
utilisant des SEREs, et de manie`re plus compacte.
Exemple 1.
Conside´rez la proprie´te´ P1, ou` a, b, et c sont boole´ens :
P1 : always {a} |=> {b [ ∗ ] ; c}
Supposons que a est observe´ et nous ge´ne´rons b et c. Alors, la question est : “quand
devrions-nous arreˆter de contraindre b a` 1, et commencer a` contraindre c a` 1 ”? Si nous
voulons ge´ne´rer c, la proprie´te´ n’est pas de´terministe puisque c peut eˆtre contraint a` 1
dans un cycle apre`s a = 1. Si nous observons b et ge´ne´rons c, quand c doit il eˆtre contraint
a` 1 ? Cela peut de´pendre d’autres proprie´te´s.
Si nous observons c et ge´ne´rons b, b n’est plus contraint de`s que c devient 1.
23
Chapitre 6 : Synthe`se des SEREs
6.3 Formalisation de l’annotation
Deux relations de de´pendance sont introduites pour chaque ope´rateur de SERE : une
relation de de´pendance pour exprimer quand une se´quence est active, et une relation de
de´pendance pour exprimer lorsque la se´quence est satisfaite.
6.3.1 Relation de de´pendance : de´ﬁnition et notations
De´ﬁnition 1. Soit ϕ une SERE, et Endedϕ un boole´en qui devient 1 lorsque ϕ est
satisfaite. w est une trace, et � est la jth lettre de w (� = wj), telle que � � Endedϕ.
Ensuite, pour chaque se´quence ϕ, nous pouvons dire :
∀w, �ϕ� true�wi...j ⇔ �Endedϕ� true�wj
La relation �Endedϕ� true�wj est ce qu’on appelle EϕRelation.
6.3.2 Relation de de´pendance entre les ope´randes des ope´ra-
teurs de SERE
Dans cette section, deux relations de de´pendance sont donne´es pour chaque ope´ra-
teur SERE. La premie`re relation de de´pendance est appele´e “ϕRelation”, et exprime la
de´pendance entre sous-se´quences de ϕ aﬁn que ϕ soit satisfaite. La deuxie`me relation de
de´pendance est appele´e “EϕRelation” et exprime la de´pendance entre les sous-se´quences
de ϕ au cycle qui ϕ comple`te. Cette de´pendance est de´ﬁnie en utilisant ���wi (voir la
de´ﬁnition 1).
6.3.2.1 Les cas de base
exp est une expression boole´enne, et A est une SERE :
�exp� true�w ⇔�exp� true�w0 ∧ �Endedexp � true�w0
�{A}� true�w ⇔�A� true�w
6.3.2.2 Concate´nation
Re`gle de de´pendance 1. ϕRelation pour la concate´nation
ϕ = A;B , puis :
�ϕ� true�w iﬀ ∃i < |w|, �EndedA� true�wi ∧ �B � true�wi+1...
Re`gle de de´pendance 2. EϕRelation pour la concate´nation
ϕ = A;B , puis :
∃j < |w|, �Endedϕ� true�wj iﬀ ∃k < j, �EndedA� true�wk ∧ �EndedB � true�wj
Dans le cas particulier ou` B est un boole´en, alors j = k + 1.
6.4 : La synthe`se de la relation de de´pendance
6.3.2.3 conjonction de deux se´quences de meˆme longueur
Re`gle de de´pendance 3. ϕRelation pour la conjonction de meˆme longueur
ϕ = A && B , puis
�ϕ� true�w iﬀ �A� true�w ∧ �B � true�w
Re`gle de de´pendance 4. EϕRelation pour la conjonction de meˆme longueur
ϕ = A && B , puis
∃j < |w|, �Endedϕ� true�wj iﬀ �EndedA ∧ EndedB � true�wj
6.3.2.4 Cloˆture de Kleene
Re`gle de de´pendance 5. ϕRelation pour l’e´toile
ϕ = A[∗0], puis
�ϕ� true�w iﬀ |w| = 0
ϕ = A[∗], puis
�ϕ� true�w iﬀ |w| = 0 ∨ ∃i < |w|, �EndedA� true�wi ∧ �ϕ� true�wi+1...
6.3.2.5 Plus
Re`gle de de´pendance 6. ϕRelation pour le plus
ϕ = A[+], puis
�ϕ� true�w iﬀ ∃i < |w|, �EndedA� true�wi ∧ �A[∗]� true�wi+1...
Re`gle de de´pendance 7. EϕRelation pour le plus
ϕ = A[+], puis
∃j < |w|, �Endedϕ� true�wj iﬀ �EndedA� true�wj
6.4 La synthe`se de la relation de de´pendance
Aﬁn de construire une bibliothe`que de composants re´actifs primitifs pour les ope´rateurs
SERE, nous donnons une interpre´tation mate´rielle des deux relations de de´pendance
ϕRelation (�ϕ� true�w), et EϕRelation (�Endedϕ� true�wi).
6.4.1 Principes de la construction des composants re´actifs pri-
mitifs
Les composants re´actifs primitifs ont une interface ge´ne´rique. Le circuit correspondant
pour chaque ope´rateur de SERE est l’interconnexion des circuits des relations ϕRelation
et EϕRelation de´pendance. Cette interconnexion est repre´sente´e sur la ﬁg. 6.1.
Le circuit a` gauche sur la ﬁg. 6.1, C1, imple´mente la ϕRelation.
Ensuite, le circuit droit C2, qui met en œuvre EϕRelation, ge´ne`re un signal qui indique
si ϕ est satisfaite.
Le circuit C est le circuit qui met en oeuvre un composant re´actif primitif, et l’inter-
connexion de C1 et C2.
Ici, nous expliquons chaque cate´gorie de SERE brie`vement, puis nous discutons de la
fac¸on de construire leur mate´riel correspondant intuitivement.
25
Chapitre 6 : Synthe`se des SEREs
Figure 6.1 – Interface ge´ne´rique d’un ope´rateur de SERE
6.4.1.1 SEREs simple
L’ensemble des ope´rateurs de SERE simples est note´ SimSERE = {; , :}. Pour un
ope´rateur de SERE simple, nous avons les relations de de´pendances suivantes :
∃i < |w|, �EndedA� true�wi ∧ �B � true�wi+1... for ‘ ;’
∃i < |w|, �EndedA� true�wi ∧ �B � true�wi... for ‘ :’
6.4.1.2 SEREs compose´es
Un ope´rateur compose´ SERE est un ope´rateur binaire, dont les sous-se´quences gauches
et droites de´marrent en meˆme temps. L’inte´gralite´ de la se´quence de´pend de l’ope´rateur.
L’ensemble des ope´rateurs de SERE compose´es est note´ CompSERE = {&&,&, |}. Pour
les ope´rateurs de SERE compose´es, nous avons les relations de de´pendance suivantes :
�A� true�w ∧ �B � true�w for ‘&&’
∃i < |w|, (�A� true�w ∧ �B � true�w0...i) ∨ (�A� true�w0...i ∧ �B � true�w) for ‘&’
�A�¬B�w ∨ �B �¬A�w for ‘|’
6.4.1.3 SEREs illimite´es
Un ope´rateur de SERE illimite´e est un ope´rateur unaire. L’ensemble des Seres illimite´es
est de´ﬁni comme UnbSERE = {∗,+}.
6.4.2 Mise en œuvre des composants re´actifs primitifs des ope´-
rateurs de SERE
Dans cette section, nous expliquons comment un composant re´actif SERE primitif
peut eˆtre mis en œuvre de manie`re intuitive a` l’aide d’un exemple simple pour chaque
cate´gorie SERE.
6.4.2.1 SEREs simples
Exemple 2. Imple´mentation de ϕ = {b1; b2}
6.4 : La synthe`se de la relation de de´pendance
Si ϕ est ge´ne´re´ (voir ﬁg. 6.2), trig l contraint b1 (Trigb1 = trig l), et dans le cycle
suivant, trig r constraint b2 (Trigb2 = trig r), et la se´quence se termine.
Figure 6.2 – Imple´mentation de {b1; b2} (b1 et b2 sont ge´ne´re´s)
Exemple 3. Imple´mentation de ϕ = {q; b}
Supposons que nous voulons ge´ne´rer ϕ ; par conse´quent, nous ge´ne´rons q et b.
Circuit for q Wait for q 
to complete
Figure 6.3 – Imple´mentation de {q; b} (q et b sont ge´ne´re´s)
On suppose que q = {b1; b2}. La ﬁgure 6.4 montre la trace correspondante.
6.4.2.2 SEREs compose´es
Exemple 4. Imple´mentation de ϕ = {q}&{b}
Nous voulons ge´ne´rer ϕ, par conse´quent, les deux sous-se´quences devraient eˆtre ge´ne´-
re´es, et elles devraient commencer en meˆme temps (trig l = trig r = start). La ﬁgure 6.5
montre l’imple´mentation.
Exemple 5. Imple´mentation de ϕ = {q1}&{q2}
Si on souhaite ge´ne´rer ϕ, nous devrions ge´ne´rer a` la fois q1 et q2. La ﬁgure 6.6 montre
l’imple´mentation.
6.4.2.3 SEREs non borne´es
Exemple 6. Imple´mentation de ϕ = b[+]
27
Chapitre 6 : Synthe`se des SEREs
0 1 2 3 4
clock
start
start reg
b1
b2
trig l
b
trig r
ended
Figure 6.4 – Chronogramme de {{b1; b2}; b}
Circuit for q
Wait for q 
to complete
Figure 6.5 – Imple´mentation de {q}&{b} (q et b sont ge´ne´re´s)
Circuit for q1
Circuit for q2
Wait for the
longer 
sequence 
to complete
Figure 6.6 – Imple´mentation de {q1}&{q2}
6.5 : Sous-ensemble synthe´tisable de SEREs
On suppose que b est ge´ne´re´. L’imple´mentation est repre´sente´e dans la ﬁg. 6.7. Dans
cette ﬁgure, le trig l contraint b. Le signal interne once more devient 1, un cycle apre`s
chaque occurrences de b. b doit eˆtre ge´ne´re´ une (quand start = 1) ou plusieurs fois (quand
once more = 1).
Figure 6.7 – Imple´mentation de b[+]
Exemple 7. Imple´mentation de ϕ = b1[∗]; b2
Dans cet exemple, nous observons b2, et arreˆtons de ge´ne´rer b1 lorsque b2 devient 1.
La ﬁgure 6.8 montre le circuit correspondant.
Circuit for concat
Figure 6.8 – Imple´mentation de b1[∗]; b2
Exemple 8. Imple´mentation de ϕ = q[∗]; b
La ﬁgure 6.9 montre le circuit correspondant.
6.5 Sous-ensemble synthe´tisable de SEREs
Le “sous-ensemble synthe´tisable de SEREs” pris en charge dans cette the`se sont les
SEREs sous la forme suivante :
29
Chapitre 6 : Synthe`se des SEREs
Circuit for concat
Circuit for q Wait for q to complete
Figure 6.9 – Imple´mentation de q[∗]; b
SEREsynth =BoolExpr.
| {SEREsynth}
| SERE|–>SEREsynth
| SERE|=>SEREsynth
| SEREsynth;SEREsynth
| SEREsynth : SEREsynth
| SEREsynth&SEREsynth
| {BoolExpr} | {BoolExpr}
| SEREsynth[∗n]
| SEREsynth[∗];BoolExpr
| SEREsynth[+];BoolExpr
| [+];BoolExpr
| [∗];BoolExpr
Chapitre7
Annotation des signaux
7.1 Construction de l’arbre syntaxique abstrait de la
proprie´te´ (AST)
Pour synthe´tiser une proprie´te´, il est essentiel de pre´ciser le sens des signaux implique´s
dans la proprie´te´. Ce processus est appele´ annotation.
La de´pendance �A�B� peut eˆtre repre´sente´e comme le montre la ﬁg. 7.1. Comme le
montre cette ﬁgure, la valeur de B devrait eˆtre observe´e et A est ge´ne´re´ base´ en fonction
de la valeur de B .
A B
Figure 7.1 – La repre´sentation de �A�B�w
L’arbre syntaxique abstrait (AST) d’une proprie´te´ est un arbre binaire non oriente´
classique. Les feuilles sont les signaux de conception qui peuvent eˆtre observe´s ou ge´ne´re´s ;
les autres nœuds sont les ope´rateurs temporels et logiques. On note AST = (V,E), ou` :
— V est l’ensemble des nœuds (ou sommets) de l’arbre. L est l’ensemble des feuilles
(les ope´randes de la proprie´te´), et N = V \L est l’ensemble des nœuds internes (les
ope´rateurs).
— E ⊂ V ×V est l’ensemble des arreˆtes de AST. (v1− v2) repre´sente une arreˆte entre
deux nœuds v1 et v2 ; v1 est le parent et v2 est un enfant.
Trois fonctions partielles sont de´ﬁnies sur V : P(v), Lch(v), Rch(v) retournent le
parent, l’enfant gauche et l’enfant droit du nœud v.
7.2 Construction de l’arbre syntaxique abstrait oriente´
(DAST)
Pour chaque ope´rateur PSL, une ou plusieurs re`gles de de´pendance ont e´te´ de´ﬁnies
entre ses ope´randes, conforme´ment a` la se´mantique formelle de l’ope´rateur (voir les cha-
pitres 5 et 6).
Aﬁn de de´terminer les variables qui sont lues par une proprie´te´, et qui sont ge´ne´re´es,
nous traduisons les relations de de´pendance en un graphe oriente´, et construisons l’ arbre
31
Chapitre 7 : Annotation des signaux
syntaxique abstrait oriente´ (DAST) de chaque AST. DAST = (V,E�) repre´sente la de´pen-
dance entre les signaux de la proprie´te´, en passant par ses ope´rateurs. Il est construit en
utilisant :
— la direction d’entre´e/sortie des signaux de l’interface du module,
— l’imple´mentation des re`gles de de´pendance comme une direction entre le nœud d’un
ope´rateur et de ses enfants.
Chaque arc dans E � est une arreˆte oriente´e de E. La direction d’une arreˆte est consi-
de´re´e a` partir du nœud parent, elle est dite entrante ou sortante. Pour chaque ope´rateur
PSL et SERE, nous avons de´ﬁni la direction des arreˆtes du parent et les enfants base´e sur
leur relation de de´pendance. Ici, nous montrons que deux exemples.
7.2.1 DAST des ope´rateurs FL simples
Cette cate´gorie contient les ope´rateurs always, never, eventually!, et next! (ainsi que
leurs versions faibles). Tous ces ope´rateurs sont annote´s de la meˆme manie`re. Conside´rez
l’ope´rateur next!, et supposons que ϕ = next!(A) ; puis :
�ϕ� true�w iﬀ �A� true�w1...
De la relation de de´pendance �A� true�w1... , nous pouvons en de´duire qu’il y aura une
arreˆte sortante de next! a` A (ﬁg. 7.2).
next!
A
Figure 7.2 – La direction des arreˆtes pour next!
7.2.2 DAST des ope´rateurs de SERE non borne´s
Cette cate´gorie contient les ope´rateurs ‘∗’ et ’+’.
Comme on l’a vu au chapitre 6, chaque re´pe´tition non borne´e devrait eˆtre suivie par
une expression boole´enne. On suppose que ϕ = A[∗];B . Nous avons cette relation de
de´pendance :
�ϕ� true�w iﬀ ∃i < |w|, �B � true�wi... ∧ ∀k < i, �A[∗]�¬B�wk...
La de´pendance �B � true�wi... implique que B devient enﬁn true. De la de´pendance
�A[∗]�¬B�wk... , nous pouvons conclure qu’il y a un chemin sortant a` partir de B a` A
(ﬁg. 7.3).
7.2 : Construction de l’arbre syntaxique abstrait oriente´ (DAST)
A
;
BREP
*
Figure 7.3 – La direction des arreˆtes pour ‘∗’
7.2.3 DAST de directives et de fonctions PSL
Outre les ope´rateurs FL et SERE, nous annotons les signaux de certaines des fonctions
de l’ope´rateur boole´en et des couches de ve´riﬁcation de PSL. En outre, nous annotons les
ope´randes de certains ope´rateurs de la couche de mode´lisation de PSL (VHDL).
7.2.4 L’algorithme d’annotation
Le processus d’annotation marque chaque instance de signal dans chaque proprie´te´ en
observe´ ou ge´ne´re´.
Initialement, tous les arreˆtes ne sont pas oriente´es. Le processus d’annotation est ef-
fectue´ en deux e´tapes.
Tout d’abord, nous partons de la direction des signaux d’interface, et annotons tous
les signaux d’entre´e ‘m’, et donnons une direction a` son arreˆte correspondante.
Ensuite, le fonction re´cursive Annotation prend en entre´e un DAST partiellement
oriente´ ; il retourne un DAST avec plus d’arreˆtes oriente´es. Il commence a` partir de la
racine de l’arbre, et base´ sur son ope´rateur, donne la direction aux arreˆtes correspondantes.
33
Chapitre 7 : Annotation des signaux
Chapitre8
Re´actif Complexe
8.1 Introduction
Dans ce chapitre, nous expliquons comment construire le composant re´actif complexe
d’une proprie´te´,en ayant les composants re´actifs primitifs et les directions des signaux.
Nous utilisons l’arbre syntaxique abstrait (DAST) de chaque proprie´te´ pour interconnecter
les composants re´actifs primitifs et construire le composant re´actif complexe.
8.2 Construction intuitive d’un composant re´actif de
la proprie´te´
Le DAST de chaque proprie´te´ est soit entie`rement oriente´, soit peut avoir quelques
sous-arbres non oriente´s. Le composant re´actif est construit pour le sous-arbre entie`re-
ment oriente´ du DAST. Chaque nœud non terminal est remplace´ par une instance du
composant primitif re´actif (i.e. mise en œuvre du mate´riel pour un ope´rateur temporel)
ou une porte logique (pour un ope´rateur boole´en) interconnecte´e a` ses enfants. Pour une
porte logique, l’interconnexion est e´vidente. Pour un composant re´actif primitif, les prin-
cipes d’interconnexion sont examine´s selon l’ope´rateur.
8.2.1 Construction intuitive d’un re´actif FL
Pour interconnecter les composants re´actifs primitifs FL correspondant a` chaque nœud
v d’un DAST nous devrions conside´rer la direction des arreˆtes correspondantes de v.
— Si la direction est (P(v) → v), la sortie trig de P(v) est relie´e a` l’entre´e start de
v. Si v est une feuille, le DAST dont la racine est v est aﬀecte´ a` la sortie trig ; trig
contraint v.
— Si la direction est (P(v)← v), le signal observe´ (pour une feuille) ou le sortie trig
de v (pour un nœud interne) est connecte´ a` l’entre´e cond de P(v).
8.2.2 Construction intuitive d’un re´actif SERE
Pour interconnecter les composants SERE re´actifs primitifs, nous devrions envisager
diﬀe´rentes cate´gories d’ope´rateurs de SERE. D’apre`s le chapitre 6, le composant re´actif
35
Chapitre 8 : Re´actif Complexe
primitif d’un ope´rateur de SERE a les entre´es start , cond1, et cond2 en plus des signaux
de synchronisation. Il dispose e´galement de trois sorties : trig l, trig r, et ended . La sortie
de ended devient 1 lorsque la se´quence est satisfaite.
8.2.2.1 SERE simple
Dans une se´quence de SERE simple, par exemple ϕ = A;B , le composant re´actif
primitif de ‘ ;’ et sa sous-se´quence gauche (A) de´marre en meˆme temps ; par conse´quent,
ils partagent le meˆme signal de start . Base´ sur les directions des arreˆtes entre l’ope´rateur
de SERE simple et ses enfants, nous avons :
— Si v est l’enfant de gauche (v = Lch(P(v))) :
— Si v est un nœud interne :
— l’entre´e start de P(v) est relie´e a` l’entre´e start de v.
— la sortie ended de v est relie´e a` l’entre´e cond1 de P(v).
— Si v est une feuille :
— Si la direction est (P(v)← v), v est relie´ a` l’entre´e cond1.
— Si la direction est (P(v)→ v), cond1 est relie´ ‘1’, et trig l contraint v.
— Si v est l’enfant droit (v = Rch(P(v))), les meˆmes re`gles que pour l’enfant de
gauche s’appliquent, en remplac¸ant :
— cond1 par cond2
— trig l par trig r
8.2.2.2 SEREs compose´es
Dans une se´quence compose´e, les deux sous-se´quences commencent en meˆme temps.
— Si v est l’enfant de gauche (v = Lch(P(v))) :
— Si v est un nœud interne :
— la sortie ended de v est relie´e a` l’entre´e cond1 de P(v).
— la sortie trig l de P(v) est relie´e a` l’entre´e start de v.
— Si v est une feuille :
— Si la direction est (P(v)← v), v est relie´ a` l’entre´e cond1 de P(v).
— Si la direction est (P(v)→ v), cond1 est relie´ ‘1’, et trig l contraint v.
— Si v est l’enfant droit (v = Rch(P(v))), les meˆmes re`gles que pour l’enfant de
gauche s’appliquent, en remplac¸ant :
— cond1 par cond2
— trig l par trig r
8.2.2.3 Unbounded SERE
Comme il a e´te´ mentionne´ dans le chapitre 6, une re´pe´tition illimite´e devrait eˆtre suivie
par une expression boole´enne. Soit v un nœud et REP la racine du sous-arbre de re´pe´tition
non-borne´e.
— Si Lch(v) n’est pas une feuille :
— La sortie trig l du composant re´actif primitif de ‘∗’ est connecte´e a` l’entre´e start
de Lch(v).
— La sortie ended de Lch(v) est connecte´e a` l’entre´e cond1 du composant re´actif
primitif de ‘∗’.
— Si Lch(v) est une feuille :
8.2 : Construction intuitive d’un composant re´actif de la proprie´te´
— La sortie trig l de ‘∗’ contraint le signal de Lch(v).
— L’entre´e cond1 de ‘∗’ est connecte´e a` ‘1’.
— l’expression boole´enne associe´e au fre`re de v (Rch(P(v))) est connecte´e a` l’entre´e
cond2 de ‘∗’.
37
Chapitre 8 : Re´actif Complexe
Chapitre9
Re´solution des signaux
9.1 Introduction
Dans ce chapitre, nous expliquons comment re´soudre la valeur des signaux duplique´s
et non annote´s. Nous exprimons la de´pendance parmi toutes les proprie´te´s en utilisant
un Graphe de De´pendance. Pour cela, nous partionons le DAST des proprie´te´s en sous
arbre comple`tement annote´oriente´ et non annote´ semi-oriente´. Ensuite, nous conside´rons
le DAST oriente´ pour extraire les de´pendances pour un signal duplique´, et nous analysons
les DAST semi-oriente´s pour extraire les de´pendances pour les signaux non annote´s.
9.2 Contraintes calcule´es a` partir de DASTs annote´s
Soient Trig i¬z , 0 ≤ i ≤ nb0 − 1 les nb0 signaux triggers des composants re´actifs qui
contraignent le signal z a` 0, et soient Trig jz , 0 ≤ j ≤ nb1 − 1 les nb1 signaux triggers qui
contraignent z a` 1. Alors :
T 0 z = (Trig0¬z,Trig1¬z, . . . ,Trignb0−1¬z )
T 1 z = (Trig0z,Trig1z, . . . ,Trignb1−1z )
Pour chaque signal z, les signaux T0 z et T1 z sont de´ﬁnis par :
T0 z =
�
i
Trig i¬z , and T1 z =
�
j
Trig jz
9.3 Constraintes calcule´es a` partir de DASTs partiel-
lement annote´s
Comme vu dans le chapitre 7, de nombreux signaux de l’arbre sont non annote´s.
Commenc¸ons par un exemple :
Pour chaque DAST de l’ensemble SEMIDIRECTED , les sous-arbres semi-oriente´s sont
e´lague´s, et un composant re´actif est construit pour les sous-arbres oriente´s en utilisant la
me´thode vue chapitre 8.
39
Chapitre 9 : Re´solution des signaux
Soit Etrig j le signal de sortie d’un tel composant re´actif, et Expr j les expressions boo-
le´enes e´lague´es. Les expressions E = (Expr 0, . . . ,Exprm) sont conditionne´es par Etrig0, . . . ,Etrigm.
9.4 Graphe de de´pendance (DG)
Le graphe de de´pendance DG d’un ensemble de proprie´te´s (P0, . . . , Pk−1) est un graphe
e´tiquete´ semi-oriente´. Notons DG = (V,E), avec :
— V = V 1 ∪ V 2 est l’ensembre des nœuds :
— V 1 = L0∪· · ·∪Lk−1, ou` L0, . . . , Lk−1 sont les ensembles de feuilles de DAST0, . . . ,DASTk−1
— V 2 est l’ensemble de toutes les sorties trig de toutes les proprie´te´s.
— E = E1 ∪E2, ou` E1 est l’ensemble des arreˆtes oriente´es, et E2 est l’ensemble des
arreˆtes non oriente´es, et :
— E1 ⊂ V 2× V 1, e.g. e = (Trig l → l)
— E2 ⊂ V 1× V 1, e.g. e = (l1–l2)
— Chaque arreˆte e du graphe a une arreˆte w = (id, val, type), ou` :
— id identiﬁe la proprie´te´ qui cre´e l’arreˆte e ; ainsi 0 ≤ id ≤ k − 1
— val : si e est oriente´, val spe´ciﬁe la valeur du nœud de destination, si la valeur du
nœud source est 1. Si e n’est pas oriente´e, val vaut -1. Ainsi, val ∈ {0, 1,−1}.
— type spe´ciﬁe si une arreˆte est oriente´e ; ainsi, type ∈ {d, u}, ou`‘d’ signiﬁe oriente´,
et ‘u’ non-oriente´.
Le graphe de de´pendance peut avoir plusieurs composantes fortement connexes, cha-
cun repre´sentant un ensemble de signaux ge´ne´re´s interde´pendants Z = {z1, . . . zn} (voir
ﬁg. 9.1).
Exemple 1. Graphe de de´pendance du GenBufRec
DEQ(6, 1, d) (7, 0, d)
BtoR_REQ(0) BtoR_REQ(1)
(0, -1, u)
(2, -1, u)
(1, 0, d)
(3, 0, d)
(5, 0, d)
(4, 1, d)
(1, 0, d)
(3, 0, d)
(5, 0, d)
(4, 1, d)
Figure 9.1 – Graphe de de´pendance de GenBufRec
9.5 : Construction du graphe de de´pendance
9.5 Construction du graphe de de´pendance
Le graphe de de´pendance se construit en deux e´tapes a` partir des DASTs des proprie´-
te´s.
1 Pour chaque DAST oriente´, DASTk :
1-1 Pour chaque feuille ge´ne´re´e l of DASTk (i.e. (P(l)→ l)) :
1-1-1 Ajouter l aux nœuds de DG (si elle n’est pas dans V )
1-1-2 Ajouter le signal trigger correspondant (Trig il ou Trig
j
¬l) a` V
1-1-3 Cre´er une arreˆte e du nœud trigger node jusqu’au nœud signal, e =
(Trig il → l)
1-1-4 Si le signal correspondant a` l est contraint a` 0 : ajouter l’e´tiquette w =
(k, 0, d), sinon w = (k, 1, d)
2 Pour chaque DAST semi-oriente´, DASTk :
2-1 Elaguer le sous-arbre comple`tement oriente´, et garder uniquement les sous-
arbres non-oriente´s.
2-2 Ajouter toutes les feuilles des sous-arbres non oriente´s dans V ( si elles ne sont
pas dans V )
2-3 Pour chaque pair de nœuds l1 et l2 partant de DASTk :
2-3-1 Ajouter une arreˆte entre l1 et l2
2-3-2 Cre´e´r l’e´tiquette w = (k,−1, u)
9.6 Fonction de re´solution : le composant dere´solution
Maintenant nous discutons comment utiliser le graphe de de´pendance DG pour ge´ne´rer
des composants de re´solution. Nous construisons deux types de composants de re´solution :
les composants simples et les complexes. Le premier spe´ciﬁe la valeur des signaux duplique´s,
le second spe´ciﬁe la valeur des signaux non annote´s.
9.6.1 Re´solution des signaux duplique´s : composant simple
Dans DGi, nous conside´rons chaque arreˆte e = (v → z). Si l’e´tiquette w = (i, 0, d),
nous ajoutons le signal trigger qui est repre´sente´ par le nœud v a` T 0 z ; si l’e´tiquette
w = (i, 1, d), nous ajoutons le signal trigger a` T 1 z. Apre`s avoir trouve´ T 1 z et T 0 z, la
valeur de z doit eˆtre calcule´.
Les signaux T0 z et T1 z sont les entre´es du composant de re´solution. La sortie sera la
valeur ﬁnale de z (voir ﬁg. 9.2).
simple
solver
Figure 9.2 – Interface d’un composant de re´solution simple pour des signaux duplique´s
Dans notre imple´mentation, si ni T0 z ni T1 z ne sont actifs, l’utilisateur peut choisir
de de´cider si z garde sa valeur pre´ce´dente ou prend une valeur par de´faut. La fonction de
41
Chapitre 9 : Re´solution des signaux
re´solution est l’une des :
z =�0� when T0 z =� 1� else z =�0� when T0 z =� 1� else
�1� when T1 z =� 1�; �1� when T1 z =� 1� else
default value;
9.6.2 Re´solution de sigaux non annote´s : les composants com-
plexes
Supposons que Z = (z1, . . . , zn), alors tous les signaux zi sont non annote´s dans au
moins une proprie´te´. Nous pouvons dire que les signaux zi, . . . , zn sont les ope´randes des
expressions Expr 0, . . . ,Exprm−1 active´es par Etrig0, . . . ,Etrigm−1.
9.6.2.1 Imple´mentation des composants de re´solution complexes
Un composant complexe prend (Etrig0, . . . ,Etrigm−1), (T1 z1 , . . . ,T1 zn), et (T0 z1 , . . . ,T0 zn)
comme entre´es, et il ressort les valeurs de (z1, . . . , zn).
simple
solver
simple
solver
FindMatch
ComplexSolver
Figure 9.3 – Interface des composants de re´solution complexes pour des signaux non
annote´s
Le proble`me est de re´soudre l’ensembre des e´quations suivantes :
...
Etrig j → Expr j(z1, . . . , zn) = 1
...
L’ide´e brutale est de construire une Look Up Table (LUT) pour le sous-module Find-
Match (ﬁg. 9.3) en e´nume´rant toutes les valeurs de Z pour chaque valeur t de TZ . Alors,
nous se´lectionnons la ligne approprie´e de cette LUT.
Nous conside´rons les 2m valeurs de ce vecteur TZ = (Etrig0, . . . ,Etrigm−1). Chaque
valeur t of TZ correspond a` l’ensembre des triggers qui sont actifs simultane´ment. Nous
associons a` cet ensemble de signaux trigger actifs, l’expression boole´ene qui est la conjonc-
tion des Expr j correspondant aux Etrig j = 1.
9.7 : Le circuit ﬁnal
9.7 Le circuit ﬁnal
Le circuit ﬁnal est l’interconnexion des composants re´actifs des proprie´te´s (voir Cha-
pitre 8) et des composants de re´solution.
Exemple 2. Le circuit ﬁnal de GenBufRec.
La ﬁgure 9.4 montre l’interconnexion de tous les composants re´actifs avec les compo-
sants de re´solution GenBufRec.
clock reset
R2B_ACK(0) RtoB_ACK(1)
BtoR_REQ(0)
DEQ
BtoR_REQ(1)
P7_FIFO_rec
P6_FIFO_rec
P0_rec
P1_rec
P2_rec
P3_rec_0
P3_rec_1
P4_rec_0
P4_rec_1
P5_rec_0
P5_rec_1
simple
solver
complex
solver
EMPTY
Figure 9.4 – Circuit ﬁnal de GenBufRec
9.7.1 Ve´riﬁcation de la cohe´rence
La de´ﬁnition de z est cohe´rente ssi dans tous les cycles :
T1 z ∧ T0 z = 0
43
Chapitre 9 : Re´solution des signaux
9.7.2 Ve´riﬁcation de la comple´tude
La de´ﬁnitionde z est comple`te ssi dans tous les cycles :
T1 z ∨ T0 z = 1
Nous pouvons bien suˆr ge´ne´rer toutes ses proprie´te´s comple´mentaires automatiquement
pour ve´riﬁer les conditions ci dessus.
Chapitre10
Les expe´riences et les re´sultats pratiques
10.1 Introduction
Nous avons applique´ notre me´thode de synthe`se a` plusieurs e´tudes de cas : GenBuf 1,
AMBA 2 Arbiter, HDLC 3, CRC 4, et SDRAM 5. Les circuits ge´ne´re´s sont synthe´tise´s a` la
fois pour un circuit FPGA 6 et un circuit ASIC 7. Les re´sultats sont compare´s aux re´sultats
d’un autre outil, Ratsy.
10.2 Prototypage du mate´riel et les re´sultats de syn-
the`se
La table 10.1 re´sume les caracte´ristiques des outils de ABS existants : les formats
d’entre´e et de sortie, et le sous-ensemble de PSL que chacun d’eux accepte.
Table 10.1 – Outils d’ABS
Tool Input Output FL SERE
Acacia LTL dot � no
Unbeast LTL in XML format NuSMV � no
Ratsy LTL Verilog GR(1) subset of PSL no
SyntHorus2 PSL VHDL and PSL properties PSLsimple partially (see Chapter 6)
Unbeast et Acacia peuvent travailler seulement sur des exemples tre`s simples et petits ;
Par conse´quent, nous avons exclu les re´sultats des tableaux.
Ici, nous donnons les re´sultats de synthe`se pour le cas e´tudie´.
10.2.1 Generalized Buﬀer (GenBuf)d’IBM
La ﬁgure 10.1 compare le temps de ge´ne´ration de mate´riel pour SyntHorus2 et pour
Ratsy pour le GenBuf (avec plusieurs re´cepteurs et 2 e´metteurs).
1. IBM Generalized Buﬀer
2. ARM Advanced Microcontroller Bus Architecture
3. High-level Data Link Controller
4. Cyclic Redundancy Check
5. Single Data-rate Random Access Memory
6. Field Programmable Gate Array
7. Application Speciﬁc Integrated Circuit
45
Chapitre 10 : Les expe´riences et les re´sultats pratiques
Figure 10.1 – Le temps de ge´ne´ration HW : GenBuf avec 2 e´metteurs, plusieurs re´cepteurs
et FIFO
Il est important de pre´ciser que SyntHorus2 n’eﬀectue pas la ve´riﬁcation, tandis que
Ratsy inte`gre la ve´riﬁcation dans le processus de ge´ne´ration. Ainsi, la comparaison des
temps d’exe´cution des deux outils n’est pas pertinente si l’on souhaite eﬀectuer une ve´ri-
ﬁcation.
10.2.1.1 Synthe`se de circuits sur FPGA
Tout d’abord, nous avons synthe´tise´ les circuits ge´ne´re´s par SyntHorus2 et par Ratsy
en utilisant Quartus II aﬁn de les mettre en œuvre sur une carte FPGA (EP4CE30F23C6
de l’appareil de la famille de l’appareil Cyclone IV).
Plusieurs re´cepteurs et deux e´metteurs, avec FIFO
La table 10.2 donne les re´sultats de synthe`se pour SyntHorus2 et Ratsy.
Table 10.2 – Quartus II : re´sultat de synthe`se pour le controˆleur GenBuf avec FIFO,
plusieurs re´cepteurs, et 2 e´metteurs
SyntHorus2 Ratsy
# # # # F # # # F
rec prop. reg. LUTs (MHz) prop. reg. LUTs (MHz)
3 28 37 98 756.4 56 24 2092 130.4
4 31 45 119 781.2 63 27 2587 140.2
5 34 53 146 609.0 70 30 4251 121.6
6 37 61 166 745.7 77 34 10408 92.5
7 40 99 196 616.5 84 36 15191 89.8
8 46 77 215 647.7 91 40 18180 83.6
SyntHorus2 ge´ne`re des circuits plus rapides avec moins de LUT que Ratsy, mais avec
plusieurs registres.
10.2 : Prototypage du mate´riel et les re´sultats de synthe`se
10.2.1.2 Synthe`se pour la mise en oeuvre sur ASIC
Nous avons synthe´tise´ l’ensemble des circuits ge´ne´re´s par SyntHorus2 et Ratsy avec
Design Vision selon les meˆmes conditions.
Plusieurs re´cepteurs et deux e´metteurs, avec FIFO
Table 10.3 donne les re´sultats de nos expe´riences sur Genbuf avec une FIFO, pour 3 a`
8 re´cepteurs et 2 expe´diteurs, exe´cutant SyntHorus2 et Ratsy.
Table 10.3 – Design Vision re´sultat de synthe`se pour le controˆleur GenBuf avec FIFO,
plusieurs re´cepteurs, et deux expe´diteurs
SyntHorus2 Ratsy
# # # comb. # seq. Total F # #comb. # seq. Total F
rec prop. cells cells area (MHz) prop. cells cells area (MHz)
3 28 414 102 57876 568 56 2781 24 259796 96
4 31 467 118 66715 565 63 3285 27 306134 80
5 34 546 134 76961 555 70 5146 30 475880 67
6 37 624 150 87188 555 77 12970 34 1198182 57
7 40 714 175 100559 555 84 17934 36 1647189 56
8 46 860 191 114564 555 91 20828 40 1894378 65
Figure 10.2 compare le nombre total de portes pour les circuits qui sont ge´ne´re´s par
SyntHorus2 et Ratsy.
Figure 10.2 – Le nombre total de portes : GenBuf avec plusieurs re´cepteurs et 2 expe´di-
teurs
10.2.2 AMBA arbiter
La ﬁgure 10.3 compare le temps de ge´ne´ration de mate´riel par SyntHorus2 et par Ratsy.
10.2.2.1 Synthe`se de mise en œuvre sur FPGA
La table 10.4 montre les re´sultats de synthe`se par Quartus II pour AMBA arbitre.
47
Chapitre 10 : Les expe´riences et les re´sultats pratiques
Figure 10.3 – Temps de ge´ne´ration HW : AMBA arbitre
Table 10.4 – Quartus II re´sultat de synthe`se pour AMBA arbitre avec 2 esclaves et
plusieurs maˆıtres
SyntHorus2 Ratsy
# # # # F # # # F
masters prop. reg. LUTs (MHz) prop. reg. LUTs (MHz)
2 35 24 59 795.5 77 21 382 199.2
3 46 33 113 852.5 96 29 2941 131.1
4 56 42 119 923.4 114 29 6085 106.9
5 66 51 150 795.5 133 34 3091 130.45
6 77 60 181 758.1 151 37 4355 115.8
10.2 : Prototypage du mate´riel et les re´sultats de synthe`se
10.2.2.2 Synthe`se pour la mise en oeuvre ASIC
La table 10.5 donne nos re´sultats pour 2 esclaves et des nombres diﬀe´rents de maˆıtres.
Table 10.5 – Design Vision re´sultats de la synthe`se pour AMBA arbitre
SyntHorus2 Ratsy
# # # comb. # seq. Total F # #comb. # seq. Total F
masters prop. cells cells area (MHz) prop. cells cells area (MHz)
2 33 303 90 45165 637 77 515 21 51985 164
3 46 513 132 71915 621 96 3867 29 362589 92
4 56 567 159 82522 606 114 7712 29 721363 67
5 66 725 194 102762 629 133 3920 34 370179 82
6 77 660 228 121855 625 151 5855 37 552310 62
Figure 10.4 compare le nombre total de portes des circuits qui sont ge´ne´re´s par Syn-
tHorus2 et Ratsy.
Figure 10.4 – Le nombre total de portes : AMBA arbitre
10.2.3 D’autres exemples
Nos trois derniers exemples sont pre´sente´s dans la table 10.6.
Table 10.6 – Design Vision les re´sultats de la synthe`se pour HDLC, SDRAM, et CRC
SyntHorus2
Circuit # Hw. gen. # comb. # seq. Total Total # F
prop. time (s) cells cells area of gates (MHz)
HDLC 120 1.06 2646 1433 600527 9588 429
SDRAM 9 0.2 1045 769 295107 4765 513
CRC 14 0.14 641 293 131122 2401 406
10.2.4 Comparaison entre FLs et SEREs
Pour montrer l’applicabilite´ de notre me´thode de synthe`se en Seres, les proprie´te´s
SERE sont fournies pour GenBuf, l’ arbitre AMBA et le HDLC, les conceptions VHDL
49
Chapitre 10 : Les expe´riences et les re´sultats pratiques
correspondantes sont ge´ne´re´es en utilisant SyntHorus2, et sont synthe´tise´es en utilisant
Design Vision.
10.2.4.1 GenBuf : plusieurs re´cepteurs
Les proprie´te´s FLs de GenBuf sont converties en SEREs. La table 10.7 montre les
re´sultats de synthe`se pour le GenBuf avec plusieurs re´cepteurs et deux e´metteurs.
Table 10.7 – Design Vision : les re´sultats de la synthe`se pour GenBuf avec multiples
re´cepteurs (pour les proprie´te´s de SERE)
# # HW gen. # comb. # seq Total Total # Freq.
receivers prop. time (s) cells cells area of gates (MHz)
3 27 0.19 529 119 720701 1123 308
4 30 0.25 651 146 901106 1392 320
5 33 0.35 775 175 108083 1669 290
6 36 0.61 905 206 127124 1963 296
7 42 0.26 1052 248 150525 2325 296
8 45 0.29 1215 287 174253 2691 280
La ﬁgure 10.5 compare le nombre total de portes pour les circuits ge´ne´re´s a` partir de
FLs et SEREs.
Figure 10.5 – Le nombre total de portes : GenBuf avec plusieurs re´cepteurs et 2 e´metteurs
(ge´ne´re´s a` partir de FLs et SEREs)
10.2.4.2 AMBA Arbiter
Pour l’arbitre de bus AMBA, nous avons e´crit la spe´ciﬁcation en SERE base´e sur sa
description de protocole en anglais et les proprie´te´s FL. La table 10.8 re´sume les re´sultats
de synthe`se pour 2 esclaves et de 2 a` 6 maˆıtres.
10.2 : Prototypage du mate´riel et les re´sultats de synthe`se
Table 10.8 – Design Vision re´sultats de la synthe`se pour AMBA arbitre (pour les pro-
prie´te´s SERE)
# # HW gen. # comb. # seq. Total Total # F
masters prop. time (s) cells cells area of gates (MHz)
2 28 0.14 223 62 33614 523 368
3 41 0.24 341 95 50146 777 324
4 52 0.32 429 120 63209 978 307
5 63 0.41 520 145 76471 1181 296
6 74 0.63 628 170 90546 1394 266
10.2.4.3 HDLC
Pour le HDLC, nous avons fourni deux ensemble de proprie´te´s :
— SERE1 : toutes les proprie´te´s FL sont converties sous forme de proprie´te´s SERE
e´quivalentes.
— SERE2 : trois modules, FlagDetection, ZeroDetection et ZeroInsertion, sont
directement exprime´s en utilisant les proprie´te´s SERE. Ces SEREs sont e´crites
depuis le protocole, elles n’ont pas e´te´ obtenues par la re´e´criture FLs.
La table 10.9 re´sume le re´sultat de la synthe`se.
Table 10.9 – Design Vision re´sultats de la synthe`se pour HDLC (pour les proprie´te´s
SERE)
# HW gen. # comb. # seq. Total Total # F
prop. time (s) cells cells area of gates (MHz)
SERE1 120 1.22 3238 1157 614507 9700 82
SERE2 108 1.51 3017 839 516363 8050 59
51
Chapitre 10 : Les expe´riences et les re´sultats pratiques
Chapitre11
Conclusion et travaux a` venir
Dans cette the`se, nous avons pre´sente´ une me´thode modulaire pour synthe´tiser la
partie controˆleur des circuits, en composants re´actifs et non en moniteurs, a` partir de
leurs proprie´te´s temporelles e´crites en PSL.
11.1 Contributions
Les principales contributions de ce travail sont re´sume´es ci-apre`s :
— A partir de la se´mantique de traces de PSL, nous avons de´ﬁni formellement une
relation de de´pendance entre les ope´randes des ope´rateurs temporels de SERE 1. En-
suite, nous avons donne´ une interpre´tation mate´rielle des relations de de´pendance,
ce qui constitue la base sur laquelle est construite la bibliothe`que des composants
re´actifs primitifs (voir chapitre 6).
— Ces relations de de´pendance, accompagne´es de la relation de de´pendance formelle
des FLs, sont le mode`le formel sur lequel l’algorithme d’annotation est e´crit(voir
chapitre 7).
— Si l’on conside`re la de´pendance entre toutes les proprie´te´s, les composants de re´so-
lution ont e´te´ ge´ne´re´s pour re´soudre la valeur des signaux duplique´s et non-annote´s
(voir chapitre 9).
— Nous ge´ne´rons des proprie´te´s comple´mentaires pour ve´riﬁer la cohe´rence et la com-
ple´tude de l’ensemble des proprie´te´s.
— L’outil prototype SyntHorus2 a e´te´ mis en œuvre, base´ sur les principes de´crits dans
cette the`se. Il est en cours d’adaptation, sur la base des exigences de l’industrie.
— SyntHorus2 a e´te´ teste´ sur un ensemble de jeux d’essai, et e´galement sur des circuits
grandeur nature comme l’arbitre de bus AMBA-AHB et le controˆleur HDLC. Com-
parer SyntHorus2 avec d’autres outils ABS est diﬃcile, car chaque outil requiert son
propre sous-ensemble de LTL ou de PSL qui doit eˆtre adapte´ pour chaque outil.
Compare´ a` d’autres outils, SyntHorus2 ge´ne`re des conceptions plus petites et plus
rapides sur les exemples les plus gros.
Les re´sultats interme´diaires de SyntHorus2 permettent de de´boguer une spe´ciﬁcation,
et de ve´riﬁer si elle est cohe´rente et comple`te. Les assertions ge´ne´re´es automatiquement
sur les signaux de“trigger”peuvent eˆtre ve´riﬁe´es par un simulateur, ou par model checking
1. Sequential Extended Regular Expression
53
Chapitre 11 : Conclusion et travaux a` venir
a` l’aide d’un outil de ve´riﬁcation formelle. De plus, SyntHorus2 peut fournir un prototype
d’environnement conforme aux spe´ciﬁcations, aﬁn de tester un autre module de circuit.
11.2 Travaux a` venir
A pre´sent, SyntHorus2 ne traite que des signaux scalaires et des vecteurs boole´ens
dans les proprie´te´s. Les travaux a` venir incluent la reconnaissance de types de donne´es
plus complexes, comme les types e´nume´re´s et entiers.
SyntHorus2 supporte partiellement la couche mode´lisation de PSL. Il supporte les ope´-
rateurs de comparaison et arithme´tiques. Cependant, il ne supporte pas la de´ﬁnition de
signaux locaux. Cette capacite´ devrait eˆtre ajoute´e a` SyntHorus2.
Comme explique´ au Chapitre 6, notre sous-ensemble synthe´tisable de SEREs connaˆıt
des limitations. Par exemple, nous ne pouvons pas avoir de re´pe´tition non-conse´cutive. Par
conse´quent, le sous-ensemble synthe´tisable de SEREs devrait eˆtre e´tendu et les limitations
devraient eˆtre alle´ge´es. Pour surmonter quelques une des limitations, par exemple en
observant ϕ = A&B ou` A et B sont des se´quences, nous pouvons proﬁter des me´thodes
base´es sur les automates. Nous pouvons combiner les me´thodes base´es sur les automates
et les modulaires, puis utiliser la me´thode base´e sur les automates pour la partie gauche
d’une implication, qui devrait eˆtre observe´e, et la me´thode modulaire pour la partie droite
d’une implication qui devrait eˆtre ge´ne´re´e.
De plus, nous devrions optimiser les modules re´actifs primitifs pour les SEREs. Comme
de´montre´ dans le Chapitre 10, si nous re´e´crivons une proprie´te´ FL dans son e´quivalent
de proprie´te´ SERE, le circuit obtenu depuis une SERE est plus gros et plus lent. Nous
devrions optimiser a` la fois les modules re´actifs des SEREs et leurs interconnections.
Nous avons fourni des lignes directrices sur comment e´crire des proprie´te´s aﬁn de
ge´ne´rer des circuits plus petits : ils devraient eˆtre ame´liore´s. Nous pouvons fournir des sous-
ensembles pre´de´ﬁnis de proprie´te´s pour exprimer certains comportements des signaux, par
exemple l’exclusion mutuelle, le tourniquet, le protocole poigne´e de main a` 4 phases, etc. . .
La mise en œuvre des composants de re´solutions complexes peut eˆtre ame´liore´e pour
ge´ne´rer des composants plus petits. Comme discute´ au Chapitre 9, certaines lignes de LUT
ne devraient pas eˆtre utiles, car certaines combinaisons de signaux Etrig n’apparaissent
jamais. Ces lignes peuvent eˆtre e´limine´es par la ve´riﬁcation de mode`le sur les proprie´te´s.
Cela n’a pas e´te´ automatise´.
Comme discute´ au Chapitre 9 , aﬁn de calculer la valeur des signaux non-annote´s, il
pourrait y avoir plusieurs choix obtenus a` partir de LUT. A pre´sent, nous se´lectionnons
la premie`re ligne de LUT qui satisfait notre exigence. D’autres politiques de se´lection
peuvent eˆtre envisage´es.
A ce stade, des composants de re´solutions complexes sont fournis pour les signaux
scalaires. Ils devraient eˆtre e´tendus aux vecteurs. De plus, des composants complexes ne
peuvent pas eˆtre utilise´s dans les cas ou` les signaux non-annote´s de´pendent d’ope´rateurs
et fonctions du niveau mode´lisation. Nous devrions pouvoir re´soudre ce proble`me.
Notre me´thode est modulaire ; pour chaque proprie´te´, elle instancie tous les modules
re´actifs primitifs des ope´rateurs de la proprie´te´. Cela conduit a` des composants redondants.
Cela ressemble aux de´buts de la synthe`se : chaque instance d’un ope´rateur dans le design
RTL produisait un ope´rateur mate´riel distinct. Une e´tape d’optimisation est ne´cessaire
pour partager des modules re´actifs primitifs dans le circuit ge´ne´re´.
Re´sume´– Les travaux pre´sente´s dans cette the`se visent a` produire automatiquement
des prototypes de circuits de communication et de controˆle a` partir de spe´ciﬁcations
temporelles de´claratives. Partant d’un ensemble de proprie´te´s e´crites en langage PSL,
nous produisons un mode`le RTL synthe´tisable automatiquement. La me´thode propose´e
est modulaire, contrairement aux me´thodes publie´es ante´rieurement qui e´taient fonde´es
sur la the´orie des automates. Pour chaque proprie´te´, nous produisons un composant qui
observe certains ope´randes et ge´ne`re des chronogrammes pour les autres ope´randes : le
module re´actif.
Tout d’abord, une bibliothe`que des modules re´actifs primitifs a e´te´ de´veloppe´e pour les
ope´rateurs FL et SERE. Pour ce faire, une relation de de´pendance a e´te´ de´ﬁnie pour chaque
ope´rateur : fonde´e sur la se´mantique de l’ope´rateur, elle exprime la de´pendance entre ses
ope´randes. Ensuite, la relation de de´pendance de chaque ope´rateur est interpre´te´e comme
un composant mate´riel qui met en œuvre l’ope´rateur : c’est le module re´actif primitif de
l’ope´rateur.
A` l’aide de cette formalisation, nous proposons une me´thode pour de´terminer automa-
tiquement quels signaux d’une proprie´te´ sont observe´s et lesquels sont ge´ne´re´s. Dans le
cas ou` il n’est pas possible de de´terminer le sens du signal, un solveur est ajoute´ pour
identiﬁer la valeur du signal. Le solveur sert aussi a` de´terminer la valeur d’un signal
ge´ne´re´ par plusieurs proprie´te´s. Le circuit ﬁnal est l’interconnexion des modules re´actifs
et des solveurs pour l’ensemble des proprie´te´s.
Un outil prototype, SyntHorus2, qui est une extension d’HORUS, a e´te´ mis de´veloppe´.
Il prend les proprie´te´s PSL comme entre´es et ge´ne`re le code VHDL synthe´tisable du
circuit. En outre, il ge´ne`re des proprie´te´s comple´mentaires pour ve´riﬁer si l’ensemble des
spe´ciﬁcations est cohe´rent et complet.
La me´thode est eﬃcace et synthe´tise des circuits de commande en quelques secon-
des. Les re´sultats que nous avons obtenus sur des jeux d’essais classiques montrent que
notre technique compile les proprie´te´s plus eﬃcacement que les outils prototypes qui l’ont
pre´ce´de´e.
Mots-cle´s. PSL, conception base´e sur les assertions, module re´actif, synthe`se automa-
tique, graphe de de´pendance, annotation, re´solution, solveur.
