Asynchronous circuit verification using trace theory and CCS by Gopalakrishnan, Ganesh





Dept  of Computer Science




We investigate asynchronous circuit veri cation using Dills trace
theory  as well as Milners CCS as mechanized by the Concur
rency Workbench Trace theory is a formalism speci cally designed
for asynchronous circuit speci cation and veri cation CCS is a gen
eral purpose calculus of communicating systems that is being recently
applied for hardware speci cation and veri cation 	 Although both
formalisms are similar in many respects
 we  nd that there are many
interesting dierences between them when applied to asynchronous cir
cuit speci cation and veri cation The purpose of this paper is to point
out these dierences
 many of which are precautions for avoiding writ
ing incorrect speci cations A longterm objective of this work is to
 nd a way to take advantage of the strengths of both the Trace The
ory veri er and the Concurrency Workbench in verifying asynchronous
circuits
  Introduction
As VLSI systems become larger  faster  and more complex  timing problems
in them become progressively more severe  and account for an ever increasing
percentage of their design and debugging expenses One emerging solution
 
Supported in part by NSF Award MIP 

to these problems lies in adopting an asynchronous style of design Asyn
chronous circuits have a number of strengths  the principle ones being that
of modularity and incremental expandability
Although asynchronous circuit design techniques have been known for
nearly four decades  and their advantages have been widely discussed  they
have not been adopted widely for several reasons The most important
reason is the inadequacy of design formalisms as well as tools to deal with the
concurrency exhibited by asynchronous circuits The situation has recently
been changing  with the development of asynchronous circuit compilers    
    	
 as well as formalisms  the principal ones being several trace theories 
notably those of Dill 
 and Ebergen 
 In addition  popularizing lectures
such as Sutherlands  Turing award lecture 
 have helped See 
 for
a survey
I have been studying Dills trace theory for some time now referred to
in the rest of this paper simply as trace theory I also am fairly familiar
with Milners Calculus of Communicating Systems For a while I believed
that trace theory  being a formalism tailored specically for studying asyn
chronous circuits  is a safer bet in terms of the direct correspondence that
its constructs have to actual circuit phenomena such as transistors going
ono  gates ring  etc This correspondence is very important because
humans are no longer able to reason directly in terms of lowlevel circuit
phenomena because of the increasing circuit complexity If there is even the
slightest risk of mismatch between the abstractions oered by the formalism
and the circuit realities  ones reasoning can go way o course before one so
realizes
The asynchronous circuits considered in this paper are assumed to follow
the transition signaling discipline 
 a module toggles the current logic level
of a wire a in order to invoke input action a of the recipient
My main reason for thinking that CCS is not a suitable formalism for
studying asynchronous circuits  in the light of what I just now said  was
based on the fundamental dierence in the way communication is modeled
in CCS versus how it is modeled in trace theory Asynchronous circuits
communicate over wires Communication over wires causes information to
ow only in one direction the receiver knows when it receives the commu
nication however  the sender does not know when the receiver receives the
communication In CCS  information ow during communication is bidi 
rectional because of the handshake or rendezvous semantics both the
sender and the receiver know that the other has received the communica
tion before they proceed Said another way  in asynchronous circuits  a

module cannot refuse an input simply because the sender does not sense the
receptiveness of the receiver before it sends a communication In CCS  since
receptiveness is explicitly checked for during handshake  the inputs oered
by the sender can be refused by a potential receiver
My opinions in this regard have recently changed as I have been notic
ing several researchers use either CCS or CCSlike formalisms for modeling
asynchronous circuits Two examples are the use of CCS by Aldwinckle 
Nagarajan  and Birtwistle 
  and the use of CIRCAL by Bailey and Milne

 This trend is quite important because this way one could reuse
what is being developed in the world of CCS for example  tools such as the
Concurrency Workbench  CWB for verifying asynchronous circuits
In this paper  I report results from my preliminary studies in applying
both Dills trace theory 
 as well as Milners CCS 
 as mechanized by the
CWB to verify asynchronous circuits Although both formalisms are similar
in many respects  I nd that there are many interesting dierences between
them when applied to asynchronous circuit specication and verication
The purpose of this paper is to point out these dierences  many of which
are precautions for avoiding writing incorrect specications A longterm
objective of this work is to nd a way to take advantage of the strengths of
both the Trace Theory verier and the CWB in order to verify asynchronous
circuits
Section  is devoted to explaining trace theory  as it may not be well
known outside the area of asynchronous design Familiarity with CCS is
assumed Section  explains the problems one may face  if the fact that
asynchronous circuits cannot refuse their inputs is ignored Section  ex
plains the problems one may face if a phenomenon called autofailures is
ignored Section  presents examples where the strengths of the CWB are
pointed out In particular  we establish correctness properties of a new com
ponent that we have developed  a lockable C element Section  has our
conclusions
 Background Trace Theory
  Denitions and Trace Structures
The following denitions and notations are taken from 
 Trace theory
is a formalism for modeling  specifying  and verifying speedindependent
circuits It is based on the idea that the behavior of a circuit can be described
by a regular set of traces  or sequences of transitions Each trace corresponds

to a partial history of signals that might be observed at the input and output
terminals of a circuit
A simple prex closed trace structure  written SPCTS  is a three tuple
I  O  S where I is the input alphabet the set of input terminal names  O
is the output alphabet the set of output terminal names  and S is a prex
closed regular set of strings over   I   O called the success set I and O
are disjoint In the following discussion  we assume that S is a nonempty
set
These trace structures are more aptly called directed trace structures
because the direction input or output of every member of a trace is im
portant as will become clear as we go along Basically  information ow
among circuit modules is unidirectional as pointed out before  whereas in
CCS or in other rendezvous based languages the information ow is bidi 
rectional This distinction has  in fact  been studied extensively by Chen 
Udding and Verhoe in 
 who call it the synchronous game and the asyn 
chronous game We show later that ignoring this dierence may have dire
consequences in terms of not being able to spot certain errors
We associate a SPCTS with a module that we wish to describe Roughly
speaking  the success set of a module described through a SPCTS is the set
of traces that can be observed when the circuit is properly used
With each module  we also associate a failure set  F   which is a regular
set of strings over  The failure set of a module is the set of traces that
correspond to improper uses of the module The failure set of a module
is completely determined by the success set F  SI  S
 
 Intuitively 
SI  S describes all strings of the form xa  where x is a success and a is
an illegal input signal see below Such strings are the minimal possible
failures  called chokes Once a choke occurs  failure cannot be prevented by
future events therefore F is suxclosed
As an example  consider the SPCTS associated with a unidirectional
wire with input a  output b  and success set
fag  fbg  f  a  ab  aba    g
The success set is a record of all the partial histories including the empty
one    of successful executions of wire An example of a choke for wire is
the trace aa Once input a has arrived  a second change in a is illegal
since it may cause unpredictable output behavior
There are two fundamental operations on trace structures compose k
nds the concurrent behavior of two circuits that have some of their termi
nals of opposite directions the directions are input and output connected 

and hide makes some terminals unobservable suppressing irrelevant details
of the circuits operation A third operation  rename  allows the user to
generate modules from templates by renaming terminals Details about
these operations are reported in 
 briey  compose is like conjunction it
constructs the success set of the composite as follows It rst takes the
Kleene star of the union of the alphabets of the trace structures and then
retains from it only strings s such that the projection of s onto the alphabet
of trace structure i of the composition denoted by T
i
 is a member of the
success set of T
i
 After determining the success set of the composite this
way  the success set and the failure set are adjusted through autofailure
manifestation and failure exclusion as explained in section  Compose



































Hiding is allowed only on the output symbols If t is a member of S  
F of trace structure T   then t

is a member of hideHT  where t

is a
projection of t onto the alphabet of T  Hiding is not allowed on input symbols
mainly because a module cannot refuse an input from being applied to it and
therefore it is hard to dene what hiding an input means However  inputs
are eectively removed through compose because when an input port is
connected to an output port  the result is an output port
Rename renames the ports used in a description  mainly to model elec
trical connections two ports that are named alike are connected  provided
that they are not both outputs
We can denote the success set of a SPCTS by using statetransition
specications The success set of wire  described earlier  is captured by the
following specication  where wire is regarded as a process
WIRE  a  b WIRE
In a process description  we use j to denote choice   to denote sequenc 
ing  and a system of tail recursive equations to capture repetitive behavior
We use symbols such as a to denote incoming transitions rising or falling
and b to denote outgoing transitions rising or falling Extensions to this
syntax will be introduced as required
When we specify a SPCTS  we generally specify only its success set its




Suppose for a trace structure I  O  S with failure set F   x  S but xo  F
where o  O Intuitively  after having seen x  the module has an output o
which it can autonomously perform  leading to a failure It is also possible
that after x another output o

is enabled which can evade this failure ie
xo

is a success Likewise  an input i can also be enabled which  if applied
soon enough can also evade failure ie xi is a success Nevertheless 
having seen x  there is a denite possibility that the module can perform
o and fail Keeping this in mind  we remove x from S and add it to F 
Remember that F has to be made suxclosed x is called an autofailure
The process of removing x from S and adding it to F is called autofailure
manifestation After autofailure manifestation  S is set to S n F  this step
is called failure exclusion
The trace structures considered in the rest of this paper are already
assumed to have been subject to autofailure manifestation
  Conformance The Ability to Perform Safe Substitutions
A trace structure specication  T
S
  can be compared with a trace structure
description  T
I













 The inputs and outputs of
the two trace structures must be the same This relation is a preorder and
is called conformance Conformance holds when T
I



















has no failures  either Intuitively  T
I






could fail in a context where T
S
would have succeeded and
b must not produce an output unless T
S
produces it otherwise  T
I
could cause a failure in the surrounding circuitry when T
S
would not
We illustrate these two facets of conformance  rst considering restric
tions on input behavior case a Consider a join element
J  a b c J
j b a c J
Now  consider a modied join
J  a b c J

Notice that the success set of J leaves out the trace b a c Clearly it is not
safe to substitute J for J  J cannot accept a transition on b as its rst
input  whereas the environment is allowed to generate a b as its rst output
transition  because this would have been acceptable for J  Formally  we say
J  J   since the implementation cannot accept an input transition which
the specication can receive
However  note that it is safe to substitute J for J  since J can handle
every input and more which J can handle so J  J Trace theory
allows an implementation to have more general input behavior than its
specication
Next  consider the case of restrictions on output behavior case b
above We begin with a simple case










Note that the success set of SEQNTL MOD omits the trace a c It is not
safe to substitute CONCUR MOD for SEQNTL MOD some environ
ment of SEQNTL MOD may not accept a transition on c after producing
an a Therefore  CONCUR MOD  SEQNTL MOD intuitively  imple
mentation CONCUR MOD is too concurrent
However  SEQNTL MOD can be safely substituted for CONCUR MOD
in any environment Any environment accepting outputs fromCONCUR MOD
will also accept outputs generated by SEQNTL MOD  so SEQNTL MOD 
CONCUR MOD Trace theory allows an implementation to have more
constrained output behavior than its specication
This point can be illustrated more dramatically We return to the earlier
join and a new implementation
AlmostWood  a b c AlmostWood
j b a AlmostWood
The reason why J can be safely substituted by AlmostWood in any context
is the following So long as the environment and the component keep gen
erating the sequence abcabcabc     both J and AlmostWood behave alike
Suppose the environment generates the string ba and awaits a c J does
generate a c after seeing ba  thereby allowing the environment to proceed
AlmostWood  on the other hand  outputs nothing  and awaits a further a or
a b at the same time as the environment is awaiting a c in this case  the
result is a deadlock
	
Going to the extreme  we nd that
BlockOfWood  a  BlockOfWood
j b  BlockOfWood
conforms to J 
In summary  conformance allows an implementation to be a renement of
a specication an implementation may have more general input behavior
or more constrained output behavior than its specication However  we
want to show not only that an implementation does no harm  but that it
also does something useful Unfortunately  prexclosed trace theory cannot
distinguish constrained output behavior from deadlock In spite of the
usefulness of trace theory  this is its greatest practical weakness
  On Establishing Conformance
A verier has been developed by Dill to establish conformation Relation 
is established in this verier as follows we use T   T
S
  etc to denote trace
structures
 The verier constructs a trace structure  T
S




 originally proposed in 
 T
S
is the same as T
S
 
but with input and output sets reversed The mirror is the worstcase




 The verier then generates the parallel composition of the implemen
tation  T
I

























is free of failures This
check can be performed by simulating the parallel behavior of the
two trace structures  presented in Figure 
As an example of the above simulation  consider the simulation of J
against J   where J is the mirror of specication J 
J  a  b c J
j b a  c J
We can see that J is the only module capable of performing the rst
output action either a or b The production of b will cause J to choke

 	 Conformation Equivalence
We have seen that while conformance captures the notion of renement 
it cannot capture the notions of deadlock and livelock There is another
relation that can be considered conformation equivalence Trace structures
A and B are conformation equivalent A
conf
	 B if A  B and B  A see


Unfortunately  just as conformance is too weak a relation for our pur
poses  conformation equivalence is often too strong Often  for a specica
tion Spec and implementation Imp  where Imp  Spec  we cannot establish
that Imp
conf
	 Spec For example  Imp commonly is overbuilt in the sense
that it accepts more inputs than necessary
Such an implementation gives rise to the following problems In showing
Imp  Spec  no problem arises  because Imp will accept all the inputs that
Spec can However  in trying to show that Spec  Imp  we simulate
Imp k Spec Since Imp can accept more inputs than it needs to  Imp ends
up generating more outputs than it needs to some of these outputs go
beyond what Spec can accept  and thus the test Spec  Imp fails
How do we rescue the situation The answer lies in not attempting








success set of M  We have identied precisely such a relation  called strong
conformance 
 This relation is now briey explained
 
 Strong Conformance
De nition We dene T v T

  read T conforms strongly to T








 The algorithm to check for strong conformance is omitted
to conserve space
The strong conformance relation is safe in that it guarantees confor
mance However  it is not guaranteed to catch all liveness failures but for a
number of examples  a verier based on strong conformance provides much
better error detection capabilities 

 Examples Motivating Nonrefusal of Inputs
Having studied Dills trace theory  we now proceed to experiment with the
CWB  and compare our observations with those observed in Dills trace
theory verier

Consider the process WIRE dened on page  Suppose we specify this
process in CCS as
Wire   abWire
Here  following the syntax of the Concurrency Workbench 
  an action of
the form  x is a co name output action and an action of the form x is an
input action Let us pose the question does Wire conform to Spec  where
Spec   abSpec  aSpec
In other words  we are asking whether Wire is a safe substitution in the sense
of conformance  for Spec  in any context The most liberal environment in
which Spec can be operated is obtained by taking its mirror
Specmirror   abSpecmirror  aSpecmirror
Though the above process is the mirror  for practical reasons  we modify it
to Specmirror given below Since CCS converts synchronizing actions to a
silent action  tau written t in our syntax  we add marker actions aout
and bout to Specmirror so that its execution can be more meaningfully
observed from outside We thus obtain
Specmirror   aaoutbboutSpecmirror  aaoutSpecmirror
Now consider the system
SpecmirrorWire    Specmirror  Wire	 
abaaoutbbout
In the combined system  after accepting an a  Wire can be subject to
another a from Specmirror however  Wire can refuse this a and proceed
to do a b Therefore  the combined system does not exhibit a deadlock as




If the above specications are transliterated into tracetheoretic specica
tions and we ask if Wire conforms to Spec  the answer will be false  meaning
that a choke aa can occur
In other words  when modeling asynchronous circuits  it can be danger
ous in the sense of not being able to detect certain chokes not to take into
account the fact that asynchronous circuits can ignore their inputs
How do we model a real wire The fact that an actual wire cannot
refuse an input is easily captured by amending the specication of Wire to
Realwire  below Then we dene Specmirror Realwire  also dened be
low  which indeed reveals precisely the choke discovered by the trace theory
verier
Realwire   abRealwire  aChoke
Choke   nil
SpecmirrorRealwire    Specmirror  Realwire	 
abaaoutbbout
fd SpecmirrorRealwire
 t a t a  Specmirror  Choke	
abaaoutbbout
This shows that Specmirror Realwire deadlocks by going into state
Choke The denition of state Choke helps us spot these deadlocks more
easily Also the above deadlock is merely a way to model actual chokes in
circuits we could very well have modeled a choke through any other error
situation that is easily detectable in the CWB
Thus  it appears that Realwire models an electrical conductor more
faithfully We shall conrm this through another experiment presented later
 Dealing With Autofailures
To motivate the importance of directionality in trace theory  as well as the





System   Test  Driver	
cd
System   Test  Driver	
cd

The only dierence between System and System is that their constituent
processes use dierent directions for their ports c and d Doing so has no
observable eect on the computations of System and System because the
ports c  c   d  and d  synchronize in the same fashion as before  and they
are unobservable In other words  we could show that System and System
are observationally congruent
Now  suppose we transliterate these specications into the input syntax
of Dills verier In other words 
Test  c d e Test
Driver  c d Driver
Test  c d e Test
Driver  c d Driver
System  hidec  dcomposeTest  Driver
System  hidec  dcomposeTest  Driver
We nd that System exhibits a choke while System doesnt
Here is the reason Consider System First Driver applies a c onto
Test causing both the modules to make progress then Test applies a d
onto Driver  causing Driver to return to its top state  while Test is in a
state where it can only generate output e If Test were to now generate
e soon enough  it would return to its toplevel state  and all would be
well both processes resume their behavior however if Test were a bit slow
relative to Driver  the latter  since it is now in its top level state  would
apply a c which Test cannot accept The simulation of System is safe
because after Driver is back in its top level state  it only awaits an input
c  and this input can only come from Test because the output port c of
Test is connected to input port c of Driver	 and there can be no further
drives onto this node see the restrictions on compose
How do we make the CCS specications manifest these errors There are
two approaches The rst approach consists of the following steps  con
nect a Realwire to the input ports of every component  then assemble
the system For example  dene
Driver    Driver rwbdd  Realwire drwa rwbdrwb  	 rwbd





  rwbc t e rwbc t t t e rwbc t t t e rwbc t e rwbc 
deTestrwbcc  Chokerwbcrwbcrwa  Driverrwbdd 
Chokedrwarwbdrwb	rwbd	
cd
  rwbc t e rwbc t t t e rwbc t e rwbc t  deTestrwbcc 
Chokerwbcrwbcrwa  dDriverrwbdd  Chokedrwarwbdrwb	rwbd	
cd
  rwbc t e rwbc t e t t  deTestrwbcc 





Notice that we can now detect a choke in System  but not in System 
The second approach which is automatable and more ecient in prac
tice is to redene the processes as follows  which then gives the indicated
simulation results
Test   ccChoke  dcChoke  eTest
Driver   dChoke  cdDriver
Test   dChoke  cddChoke  eTest
Driver   ccChoke  dDriver
System   Test  Driver	
cd









The way in which we have modied Test  etc  to Test    etc is as
follows for every agent  for every reachable state of the agent  if that state

has outgoing transitions on inputs I
m

 I where I are all the inputs of the
agent  add transitions on inputs I n I
m
to state Choke This transformation
helps reveal autofailures through the nd deadlock fd command We
call this step adding failure paths
To sum up  in this section  we have shown the following
 We have shown how autofailures can be detected in the context of the
CWB
 We have shown how conformance can be checked for by explicitly creat
ing themirror of the given specication for example  see Specmirror
Actually  in eect  strong conformance is checked for if the CWB com
mand eq is used
To simulate the eects of Dills trace theory in CCS and to then use the
CWB to detect errors  a few additional transformations are required on
CCS agent denitions Since CCS agent connections are pointtopoint
ie a matching name and a coname are turned into a  whereas Dills
trace theory takes the point of view of having innite fanout ie an
output connected to an input is retained as an output  explicitly use ForkN
modules in order to fanout the transition of an electrical signal For example 
for a fanout of two  we use the Fork module
Fork   abbFork  bbFork
 Assorted Examples
In this section we rst discuss the verication of a Lockable C Element
Then we discuss some examples pertaining to the detection of deadlocks
	 A Lockable C element
Mullers C element is a very widely used component in asynchronous circuits
It is very close to the join element  J   introduced on page  Its specication
can be expressed in CCS before the step of adding failure paths to avoid
clutter as

 A C element that allows double clutching eg two successive as cancel

C   aAseen  bBseen
Aseen   aC  bABseen
Bseen   bC  aABseen
ABseen   cC
 A C element that has seen a b
Cb   Bseen
In typical applications  a C element allows two threads of control to ren
dezvous One common use of a C element is to build a micropipeline stage
as shown in gure 
We have recently developed a lockable version of the C element called
LockC Its specication is now given
LockC   aAseen  bBseen  locklackLocked
Aseen   aLockC  bABseen  locklackAseenLocked
Bseen   bLockC  aABseen  locklackBseenLocked
Locked   locklackLockC  aAseenLocked  bBseenLocked
ABseen   aBseen  bAseen  locklackABseenLocked  clackLocked
 cLockC
ABseenLocked   locklackABseen  aBseenLocked  bAseenLocked
AseenLocked   aLocked  locklackAseen  bABseenLocked
BseenLocked   bLocked  locklackBseen  aABseenLocked
 LockC that has seen a b
LockCb   Bseen
The basic application of LockCb is in building stallable micropipelines as
described in 
 It diers from Cb in that it oers the possibility of being
locked via a lock signal  and acknowledges locking via lack it is then
unlocked via lock and it acknowledges the unlocking also via lack
Suppose LockCb is used in place of Cb  with the lock and lack of LockCb
connected to a driver process  as shown in gure 
LockCDriver   locklacklocklackLockCDriver
Further assume that lock and lack are restricted Then we expect the
circuit using LockCb to behave exactly the same as the one using Cb We
could conrm this using the CWB  using the eq command

We could also apply the diveq command which checks whether both the
processes are observationally equivalent  also respecting divergence  this
proved to be false  because the circuit using LockCb can diverge through a
sequence of lock  lack actions  LockCDriver can be so fast that it causes
the circuit using LockCb to diverge in a tau loop  eectively preventing
LockCb from making any progress
Finally  we could check the following propositions about the circuit us
ing the CWB after every lock   lack will eventually happen and vice
versa These model checking commands are quite valuable in verifying asyn
chronous circuits Currently this facility is not available in Dills trace theory
verier
	  Detecting Deadlocks and Livelocks
Consider the circuit shown in gure  The components used in this circuit 
before the step of adding failure paths  have the following behaviors
Gselector   ainboutGselectorcoutGselector
Merge   acMerge  bcMerge
We connect bout to the external output b  cout to x  the b input of Merge
to x  the c output of Merge to x  and the ain input of Gselector to
x Then  after applying a transition at the A input  the circuit can engage
in a sequence of XXX actions of arbitrary length before it emits
a B depending upon the fairness of selection of unit Gselector shown
as GS in the Figure Dills verier is incapable of pointing out that the
circuit can diverge the CWB is able to do this If we now consider the circuit
shown in gure   the conformance check passes the deadlockable wire
as a safe substitution for a wire  the strong conformance check rightly
points out that the deadlockable wire is not a safe substitution for a wire
and  the CWB is able to detect a deadlock
 Conclusions
We have identied some of the precautions necessary to be observed be
fore CWB can be applied for verifying asynchronous circuits We have also
presented two approaches  the addition of a Realwire component at every
modules input  or alternately  the process of adding failure paths  to con




By taking one of these approaches  the CCSCWB combination becomes
a powerful tool that is capable of detecting circuit errors  and also permit
checking for divergences  deadlocks even those other than the ones caused
by Chokes  and also usergiven modal properties Note there is ongoing
work at the Carnegie Mellon University to study the use of both trace theory
and various temporal logics for asynchronous circuit verication Another
advantage we see with the CCSCWB approach is that it permits both high
level protocols as well as lowlevel implementations of these protocols to be
reasoned about using the same tool
Currently the CWB is not very ecient  even moderately sized circuits
take a long time to run Dills verier  on the other hand  executes much
faster Perhaps the CWB can be recoded to solve this
In conclusion  we believe that we have identied some useful connections
between Dills trace theory and the CCS model from the point of view of
asynchronous circuit verication
Acknowledgements Graham Birtwistle and his group at the University
of Calgary taught me about CWB  and the use of CCS for asynchronous
circuit verication  for which I am grateful Thanks also to Steve Nowick 
Nick Michell  and Erik Brunvand for valuable discussions
References

 David L Dill Trace Theory for Automatic Hierarchical Verication of
Speed independent Circuits MIT Press   An ACM Distinguished
Dissertation

 John Aldwinckle  Rajagopal Nagarajan  and Graham Birtwistle An
introduction to modal logic and its applications on the concurrency
workbench preliminary version Technical Report 	  Univer
sity of Calgary  February 

 Venkatesh Akella and Ganesh Gopalakrishnan Static analysis tech
niques for the synthesis of ecient asynchronous circuits Technical
Report UUCS  Dept of Computer Science  University of Utah 
Salt Lake City  UT    To appear in TAU 
  Workshop
on Timing Issues in the Specication and Synthesis of Digital Systems	
Princeton	 NJ	 March 	 
 
We are working on a formal argument to support this claim
	

 Venkatesh Akella and Ganesh Gopalakrishnan hopcp A concurrent
hardware description language Technical Report UUCSTR 
Dept of Computer Science  University of Utah  Salt Lake City  UT
  

 Erik Brunvand Translating Concurrent Communicating Programs into
Asynchronous Circuits PhD thesis  Carnegie Mellon University  

 Alain J Martin Programming in VLSI From communicating processes
to delayinsensitive circuits In editor CAR Hoare  editor  UT Year of
Programming Institute on Concurrent Programming AddisonWesley 

	
 C H van Berkel  C Niessen  M Rem  and RW J J Saeijs VLSI
programming and silicon compilation a novel approach from Philips
Research In Proc ICCD  New York  

 Jo C Ebergen Translating Programs into Delay Insensitive Circuits
Centre for Mathematics and Computer Science  Amsterdam   CWI
Tract 

 Ivan Sutherland Micropipelines Communications of the ACM  June
 The  ACM Turing Award Lecture

 Ganesh Gopalakrishnan and Prabhat Jain Some recent asynchronous
system design methodologies Technical Report UUCSTR 
Dept of Computer Science  University of Utah  Salt Lake City  UT
   Being revised based on comments from the acm Comput 
ing Surveys

 George G Milne and Mauro Pezze Typed circal A high level frame
work for hardware verication In Proc  IFIP WG  Interna 
tional Working Conference on The Fusion of Hardware Design and
Verication	 Univ of Strathclyde	 Glasgow	 Scotland  pages  
July 

 Robin Milner Communication and Concurrency PrenticeHall Inter
national  Englewood Clis  New Jersey  

 Wei Chen  Jan Tijmen Udding  and Tom Verhoe Networks of com
municating processes and their decomposition In Jan LA van de

Snepscheut  editor  Springer Verlag Lecture Notes in Computer Sci 
ence	 No	 Mathematics of Program Construction  pages 		
Springer Verlag  

 Ganesh Gopalakrishnan  Nick Michell  Erik Brunvand  and Steven M
Nowick A correctness criterion for asynchronous circuit verication
and optimization IEEE Transactions on Computer Aided Design 
  November 

 Rance Cleveland  Joachim Parrow  and Bernhard Steen The concur
rency workbench A semantics based tood for the verication of con
current systems Technical Report ECSLFCS  Laboratory for
Foundations of Computer Science  Univ of Edinburgh  August 

 Ganesh Gopalakrishnan Micropipeline wavefront arbiters using lock
able celements IEEE Design and Test of Computers   
 Winter  Issue

Notations




is closed each output of
T
S
matches an input of T
I



























 Dene nexts  x to be the next state attained from state s upon pro
cessing inputoutput x
























for each T  T
 
for each enabled output x of T





  nextst  x  nextst  x













C element used as Cb
a b
c

















x1    ainc
x2
bout  a b
Figure  A Livelockable Wire








Figure  A Deadlockable Wire

