Abstract. Since the advent of model checking it is becoming more common for languages to be given a semantics in terms of transition systems. Such semantics allow to model check properties of programs but are usually difficult to formally reason about, and thus do not provide a sufficiently abstract description of the semantics of a language. We present a set of transition system combinators that allow abstract and compositional means of expressing language semantics. These combinators are then used to express the semantics of a subset of the Verilog hardware description language. This approach allows reasoning about the language using both model checking and standard theorem proving techniques.
Introduction
Various benefits can be gained through the formal definition of the semantics of a language: documentation of the language semantics, enabling of formal reasoning, and automatic machine reasoning using techniques which allow (relatively) efficient automatic property checking. Giving a semantics through which we benefit from all these is usually difficult to achieve. For example, documenting the full semantics of an industrial strength language tends to yield inelegant semantics that are difficult to reason about, while aiming at automatic machine reasoning one tends to construct semantics which are impractical for interactive formal reasoning which may be necessary to verify large systems. Hardware description languages, such as Verilog and VHDL have a very complex semantics defined in terms of their simulation behaviour. A lot of work has been done on the formalisation of these languages but most work manages to satisfactorily address only one of the desirable aspects of a formal semantics as listed earlier. Commercial tools for formal verification work only on register transfer level (RTL) descriptions. Furthermore, the semantics they use is usually not formally documented. In this paper, we identify a formal domain which allows us to document the semantics of these languages reasonably elegantly without sacrificing formal reasoning or model checking. We are particularly interested in automatic machine verification through the use of model checking using BDDs [4] , or SAT based techniques [1, 12] . The formal domain we use is a variant on standard transition systems since a wide variety of techniques have been developed to check properties of transition systems efficiently and automatically. A number of transition system combinators permit us to express the semantics of languages compositionally and also allow effective reasoning about programs it the language.
To illustrate the effectiveness of this approach, we present the semantics of a subset of Verilog [11] , which we call VeriSmall. The techniques used for VeriSmall readily scale up for larger subsets of Verilog. A more complete subset of behavioural Verilog has been formalised and implemented in a translator into SMV [8] , details of which can be obtained from the author.
Notation
A relation between sets A and B is a set of pairs (a, b) where a ∈ A and b ∈ B.
The type of such a relation will be written as A ↔ B. If 
VeriSmall
Verilog is a large and complex language. Documenting the detailed semantics of the whole language is beyond the scope of this paper. We thus work with a syntactic subset of Verilog, which we call VeriSmall. The sub-language is chosen such that the complexities of Verilog semantics are exposed. It is, however, sufficiently small to be presented in its entirety and reasoned about in this paper. The syntax of VeriSmall is given in figure 1.
VeriSmall is a concurrent language with steps made along parallel threads nondeterministically. The #0 construct (read zero delay) blocks a thread until all other threads are finished or are similarly blocked. The behaviour of the rest of the language should be intuitively clear.
To illustrate the effect of zero delays, consider the program (initial v = 1 initial v = 0). Note that this program is non-deterministic and v can finish with either value 1 or 0. On the other hand, (initial v = 1 initial begin Despite the fact that we have stripped Verilog down to its bare essentials, VeriSmall is still a substantially complex language.
The Simulation Cycle
The official documentation of Verilog describes the behaviour of a program in terms of how it should be interpreted by a simulator. This is also how we will informally describe the behaviour of VeriSmall programs. VeriSmall is a concurrent language with a scheduling algorithm which manages the order of execution of concurrent threads. Each thread can be in one of three modes: enabled, delayed(0), waitfor(v) or finished. If a state is in mode waitfor(v) and the value of v is high, the thread is put into enabled mode. If no such threads exist, then the scheduler executes an enabled thread and the process is repeated. When no enabled threads are available, all threads in delayed(0) mode are made enabled and the process repeated from the beginning. The values of variables are also stored by the simulator. In VeriSmall, variables range over the values 1 (high), 0 (low), z (high impedance) and × (unknown). The simulation cycle is shown in figure 2 . The actions performed when moving along a thread depend on the instruction currently pointed at by the thread pointer.
Skip:
The thread pointer is moved forward. Assignments: If the first instruction is an assignment v = e, then the expression e is evaluated in the current state and v set to the value calculated. Zero delays: To move along a thread pointing at #0 P we set the thread's state to delayed(0) and move the thread pointer to P . Conditionals: To move along the statement if (e) P else Q, e is evaluated and depending on its value, the thread pointer is moved to point at P or Q.
initialise all variables to × set all thread states to enabled forever do if (there are threads waiting on a true variable) then set them enabled elsif (there are enabled threads) then choose one non-deterministically move one step along the thread elsif (any delayed by 0 modules) then enable all such modules end and the thread pointer is moved forward. Loops: To move along the statement while (e) P , e is evaluated and depending on its value, the thread pointer is set to point at P or the first instruction after the loop instruction. Blocks: The instruction pointer is moved to the first instruction in the block.
The top level module instructions are simply syntactic sugar, with always P corresponding to while (1) P and initial P to P .
Layered Transition Systems
Hardware description languages, the languages we are mainly interested in expressing the semantics of, usually have an inherent concept of priority of execution. In the case of VeriSmall, for instance, threads blocked by a zero delay get lower priority than enabled ones.
With this specification in mind, we add extra priority information by placing all states in one of an ordered set of layers -the higher the the layer, the higher priority given to that state when composing systems in parallel. We also use standard transition system combinators such as union and sequential composition, as intermediate language constructs. It is important to note that the layering information is only necessary to compose systems and can be hidden away when we want to check properties of a transition system.
Formal Definition
Since we would like to be able to compare the layering information in one machine to that in another, we will assume the existence of a fixed set of layers LAYER over which the total ordering ≥ is defined. 
Transition System Combinators
Definition 2: Given a FLTS and a predicate r i : Q → bool, then domain restricted to r i , is defined by:
and a predicate r f : Q → bool, then range restricted to r i , is defined by:
Given two FLTS 1 and 2 , we define the union of the two systems 1 ∪ 2 as follows:
Note that the two transition systems must agree on the layer of any common states.
Definition 5: Given two FLTS 1 and 2 and a relation jn between the final states of 2 and the initial of 1 (jn : F 1 ↔ I 2 ), we define the catenation of the two systems 1 jn ;
2 :
Thus, whenever a transition can take us from a state σ to state σ which is related (via jn) to σ , we add the direct transition from σ to σ . States in 2 related to initial states in 1 are also initial.
Since we have catenation, we can similarly define the reflexive transitive closure of a FLTS.
Definition 6: Given a FLTS and a relation jn between the final states and initial states (jn : F ↔ I, with disjoint domain and range) we define the reflexive transitive closure of -written as * -as follows:
Given a FLTS we sometimes need to re-map the states -this can be seen as a form of data abstraction. Given a relation r between the old and the new states, we can use this relation to create a new FLTS such that there is a transition between two new states σ and σ if and only if they are related (by r) to two old states between which there was a transition. r r Definition 7: Given a FLTS and relation r : Q ↔ Q we can define the remapping of with r, written as r( ), as follows: r( ) def = Q , r(I), r(F ), r −1 ; →; r, λσ · max(r −1 ; layer(σ)) Note that in some cases, r may relate several old states with a new one. In this case the new state assumes the highest priority of its related states.
Parallel Composition
To compose two systems in parallel we need to define what the result of joining two states is. It is tempting to always take the Cartesian product of the old state spaces to be the new state space. However, this will complicate matters when we have states with overlapping domains. We thus choose to explicitly express this operation as two relations 1 and 2 which join two states together giving priority to the first and second state respectively.
When we do not care which state is given priority, we will use defined as 1 ∪ 2 . We will also need to decompose states into separate parts:
Note that all the following FLTS combinators are parametrised by these functions.
Given two FLTS, we can construct a FLTS acting like the coupling of the two FLTS -this corresponds to running the two systems together, where for every transition one system makes, the other also performs exactly one transition.
Definition 8: Given two FLTS 1 and 2 , we can define the synchronous parallel composition of the two systems 1 2 as follows:
(where max 2 relates a pair of numbers with the maximum of the two)
We will write this transition relation as (
Sometimes it is necessary to allow the processes to stutter -while one of the processes carries out a transition, the other remains in the same state.
Definition 9: Given two FLTS 1 and 2 , we define the parallel composition with stuttering of the two systems 1 ι 2 as follows:
We will write this composition of transition relations as (
Sometimes we would like to compose two systems concurrently, with only one system performing a transition at a time.
Definition 10: Given two FLTS 1 and 2 , we define the interleaving of the two systems 1 ||| 2 as follows:
We will write this composed transition relation as (
Layered Parallel Composition
Definition 11: Given two FLTS 1 and 2 and a function which determines how the layers will be composed: + : LAYER → { , ι , |||}, we define the layered parallel composition of the two systems 1 + 2 as follows:
This means that if one of the state components has a higher priority, the other component is not allowed to perform any transitions (lines 1 and 2) while, if both components have the same priority, then the transition relation is determined by the layer in which they lie (line 3).
FLTS Combinator Expressions
Definition 12: We define TS ≡ to be the language of all valid combinator expressions over layered transition systems with basic transition systems as terminals.
TS
V ≡ is the similar language but which may also have variables (elements of V ) as terminals. A context C(X) is an expression in TS {X} ≡ . Given an expression ∈ TS ≡ , C( ) is the same as C(X), but with instances of X replaced by .
Laws of FLTS
The FLTS combinators presented in the previous section allow us to specify the semantics of VeriSmall and similar languages in a concise and readable manner. They also satisfy a number of laws which will enable us to reason about VeriSmall programs more easily. In this section we present a number of such laws.
Reachability and Inclusion
In this paper the only semantic property of FLTS we are concerned with is reachability:
Definition 13: Given a FLTS , we define the set of reachable states from states Σ as follows:
If we only care about the reachable states in a particular FLTS (starting from the initial states), we write this as:
∀σ :
; layer 2 -A member of Q 2 must be able to emulate (up to π) all transitions of π-equivalent members of Q 1 :
Transition system inclusions guarantee containment of reachable states.
Lemma 1: If 1 π 2 then, for any set of states Σ, reachable 1 (Σ) ⊆ π reachable 2 (Σ).
Monotonicity
Provided that π obeys a number of properties (dictating how it distributes over the relations used in FLTS construction) expressions in TS ≡ are monotone with respect to π . These proofs follow almost exclusively from the monotonicity of relational mapping, relational composition and set union. A frequently used property of functions is π; π −1 ; π = π. 
Proof:
The proofs of the different cases are very similar and thus, we just present the proof of case ix.
States:
Transitions: π; π −1 ; (transition relation of 1 ||| 3 ) = { definition of interleaving } π; π −1 ; ≺; (id, Initial and final states information and the layer information proofs proceed similar to the ones above.
Proof: This follows directly using structural induction and lemma 2. 2
Formal Semantics of VeriSmall
We now document the formal semantics of VeriSmall in terms of FLTS. Note that the use of layers allows us to avoid having worry about the details of the complex simulation cycle when describing the semantics of sequential programs.
The state of the transition system corresponds to the state of the simulator: the values stored by variables, the position in the different threads and the state of each thread.
The state will be be a store: a 'function' from variable names to values 1 . σ(v) is the value of variable in state σ. We extend this notation to expressions. Thus, for example, σ(e and f ) will be defined to be σ(e) and σ(f ). Special variable names pos and grd (are used to represent the position in the thread and its state respectively. σ var is the store restricted to Verilog variables (that is excluding the position and state variables).
σ[v := e] is the state just like σ but with the value of variable v changed to σ(e).
The set of all states with Verilog variables in V , the value of pos ranging over P and that of grd over G will be referred to as Σ V,P,G .
In the course of the language semantics definition, we will sometimes need to know the size of a statement or statement block. Given a statement P we can define size(P ) using primitive recursion over the structure of P : It can be proved that the value of pos in any state of the transition system produced from a sequential program P will never reach or exceed size(P ).
Similarly we can define the function vars(x) which returns the set of variables occuring in program or expression x.
Layers and Other Preliminaries
The subset of Verilog we present uses four layers: unblocking states waiting on a variable takes highest priority, followed by transitions on enabled threads are of highest priority, then threads delayed by zero time and finally, the finished threads. Thus:
These layer names will also be overloaded with the related constant functionfor example ena will also be used for λσ · ena. We will often need to combine together different automata but making sure that the states are disjoint. This will be done by modifying the pos values using a remapping of the FLTS. If pos +n is the function pos +n (σ) = σ[pos := pos + n], then the remapping pos +n ( ) is the renaming we require.
Each FLTS produced will handle a particular set of variables. To increase the set of variables handled by a transition system we use interleaving composition. If S is Σ V,∅,∅ then add V ( ) def = S, S, S, ∅, fin ||| The relations used for this composition are the minimal relations satisfying:
Expressions such as add V (pos +n ( )) will be written as V,+n . [
] vars(P ),+size(P ) jn relates states with the same store: σ(jn)σ if and only if σ var = σ var (and σ ∈ F 1 and σ ∈ I 2 ).
Blocks: It is tempting to define the semantics of a block simply by removing the outer begin end keywords. Note, however, that the simulator takes one cycle to proceed to the first instruction. An accurate description of the semantics is thus:
The semantics of conditionals can be expressed using restriction of initial states. However, the semantics are slightly more complex due to the fact that the simulator takes one cycle to evaluate the condition:
where V = vars(if (e) P else Q) and the jn relation is the same as the one used in sequential composition. While loops: The semantics of while loops are similar:
Again note that the simulator takes a cycle to evaluate the expression and that the jn relation is the same as the one used in sequential composition. Parallel composition: Parallel composition can now be defined in terms of layered composition:
= [[P ]] + [[Q]] This layered composition uses:
+ fire = + ena = ||| + del 0 = + fin = The state constructor relations are:
The state decomposition relation is simply the inverse of these two:
Reasoning about VeriSmall
Finally, we show how these semantics can be used to prove general theorems about programs. These may later be used to aid or simplify automatic verification of programs. Programs are usually built in different parts which are eventually joined together. It is therefore important to be able to show that individual parts satisfy certain properties whatever is plugged into them. The question thus arises: How can we prove such properties of our programs using model checking?
The scenario depicted in the previous paragraph corresponds to a program being a context with variables pointing out where other programs are to be plugged in. Thus, for example, one may be given the program context C(P ): initial begin x=0; P ; x=!y end and be asked to prove that if P is a program using only variable y, then x and y are never high at the same time.
The technique we use is to substitute P with the most non-deterministic program possible and prove the property of this new program. If we can prove that: σ ∈ reachable([[C(chaos({y}))]]) =⇒ σ(x = 1 ∨ y = 1) then it should follow that for any program P which has alphabet {y}:
σ ∈ reachable([[C(P )]]) =⇒ σ(x = 1 ∨ y = 1) Note that if we define the FLTS semantics of chaos(V ), the first statement can be checked automatically using standard reachability techniques.
Chaos
The semantics of chaos(V ), where V is a set of variables, is straightforward to define. The states are:
The initial states are those enabled: {σ : Q | σ(grd) = enabled} The final states are those which are finished: {σ : Q | σ(grd) = finished} States can do anything, but once finished they must remain so:
id ∪ ((Q \ F ) × Q) The layer can be deduced from the mode: 
The Theorem
It is quite easy to formulate the result we desire incorrectly. For example, in the example given earlier, the safety condition that the thread position never exceeds 4 can be proved of C(chaos(V )) but this will not be true for long enough instances of P . It is thus important to restrict safety conditions to variables and guards. Similarly we must make sure that P uses no variables other than those in V .
where red(σ) 
A Small Example
The following example shows how the techniques shown in this paper can be applied to a small example. Consider the following VeriSmall program:
initial begin v=0; P1; v=1; wait(w); P2; end; initial begin w=0; Q1; w=1; wait(v); Q2; end; It should be intuitively clear that if programs P1, P2, Q1 and Q2 do not write to variables v and w, the programs P1 and Q2 are never executed at the same time. Similarly for P2 and Q1. A proof of this property for Verilog programs is given in [9] using Duration Calculus. However, we can obtain this result more easily by using theorem 1. Using the semantics given in this paper we obtain a FLTS for the following program: The FLTS is encoded in SMV using a translator we have written (recall that the semantics of a FLTS are independent of the layer information), through which we check that it satisfies the CTL safety property: AG(¬(inQ1 ∧ inP2) ∧ ¬(inP1 ∧ inQ2)) -"In every reachable state, inQ1 and inP2 are mutually exclusive. Similarly for inP1 and inQ2" 2 . The desired result then follows for programs which use no variables other than a, b and c from theorem 1. This is not more than a toy example. It is clear that for the actual result we desire, we need a stronger theorem -namely that the programs we replace chaos(V ) by, may also use variables which are not used in the program context. This example only serves to demonstrate how chaos(V ) can be used to provide more than a simply unconstrained global environment.
Our Verilog-to-SMV translator can handle a much larger subset of Verilog than VeriSmall. In particular it handles non-blocking assignments and edge guards (eg @(posedge v)) which allow more interesting examples to be constructed. Some other examples specified and verified include counters, simple arithmetic circuits and small algorithms like the one shown above.
Related Work
A number of model checkers come together with an abstract language in which transition systems can be specified. Thus, for example, the SMV [8] input language provides a number of high level mechanisms which can be used to specify transition systems. However, while the language allows means of describing complex transition relations, it is rather limited when it comes to means by which transition systems can be combined together. Similarly, Verus [2] provides a high level language in which transition systems can be specified. However, due to the high level nature of the language, one is then left unsure as to whether the semantics specified match those of a Verilog simulator precisely. Since we also view our language semantics specification as a documentation of the semantics, this is undesirable. Another problem is that the the priority levels inherent in Verilog would have to be encoded within the language, introducing another possible source of errors.
The concept of layers corresponds very closely to the idea of priority in process algebra [5] . Usually, however, priorities are associated to transitions or particular language operators, as opposed to particular states. It would be useful to compare our approach to these alternative ones.
The semantics of Verilog have been expressed in terms of a number of variants of transition systems. It is important to note that Verilog has two different semantic interpretations: simulation semantics (which we deal with) and synthesis semantics (which is used in tools which synthesise Verilog code into hardware). Fiskio-Lasserer et al [6] express the simulation semantics in terms of an operational semantics while Sasaki [10] has expressed the semantics in terms of abstract state machines. Both provide an excellent documentation of the semantics of the language but do not seem to be particularly suited for proofs about large programs. Gordon et al [7] gives the synthesis semantics of the language in terms of transition systems, and the end result of the interpretation is very similar to the one we present. However, the semantics are expressed in terms of a rather complex compilation process which would be rather difficult to prove that it is semantic preserving with respect to other published semantics. The same problem can be found in [3] , where a compilation procedure is given to translate programs into finite state machines.
We have presented a set of combinators for enriched transition systems. The most important features of our approach are the compositionality and the abstraction which allowed us to express the semantics of VeriSmall so easily. Also, the full semantics of Verilog are just a scaled up version of the semantics of VeriSmall we give here, which is encouraging when one considers the intricate semantics the language has. This work offers us a myriad of opportunities to explore. One of the priorities is the derivation of a number of laws which allow a guaranteed correct implementation of the combinators used. We have implemented a Verilog-totransition-system translator based on these semantics, which is available upon request from the author. The translator supports a substantially larger subset of Verilog than the one presented in this paper, including non-blocking assignments and guards.
It is generally accepted that any realistic verification of Verilog or VHDL semantics can only be effectively performed at the synthesis level. It is however the case, that simulation is used extensively, and synthesis semantics are different from the related simulation semantics. We are not advocating the verification of large designs at simulation level, but attempt to provide a framework in which the simulation semantics of languages like VHDL and Verilog can be formally reasoned about.
As can be seen from the main theorem in this paper, certain problem solving techniques seem to recur in different languages. The use of a chaos constructor, for example, seems to be applicable to most languages. Furthermore, the proof of correctness of the theorem corresponding to the one we give would, in most cases follow the exact same steps. We hope this also to be the case with other results, especially ones related to the generation of a compiler from the source language to transition systems from a given semantics.
