Abstract. This paper describes an approach to capturing the relation between circuits and their behaviours within a formal theory. The method exploits dependent types to achieve a rigorous yet theoretically simple connection between circuits (treated as graphs) and their behavioural speci cations (treated as predicates). An example is given of a behavioural extraction function and it is shown how a type for modules can be de ned that is su ciently ne to guarantee that the behaviour of a module will satisfy its behavioural speci cation. The method is discussed in relation to VHDL and in relation to formal synthesis, (a process whereby one starts with a behavioural speci cation and, using an interactive goal-directed approach, ends up with a circuit and a formal proof that it satis es the given behavioural speci cation).
Introduction
The aim of hardware veri cation is to establish that the behaviour of a given circuit satis es a given behavioural speci cation. The problem divides naturally into two tasks:
{ Firstly, given a (well-formed) circuit and given the behavioural speci cations of each of its component parts, determining the behavioural speci cation of the overall circuit, and { Secondly, showing that this computed behavioural speci cation is stronger than the given behavioural speci cation. With most approaches to formal veri cation the structure of the circuit is represented only informally (for example, as a circuit diagram) and so this means that the rst of the above tasks can only be undertaken informally. For many purposes, for example, when working with an idealised, two-valued, voltage-driven digital logic, this approach is perfectly adequate. This is because the intension (or form) of the term whose extension (or value) describes a (well-formed) circuit's behavioural speci cation corresponds closely to the structure of the circuit. Brie y stated, the behavioural speci cation of the overall circuit (described as a predicate on the signals at the circuit's ports) may be obtained by taking the conjunction of the terms that describe the behavioural speci cations of the individual components and using existential quanti cation to hide any internal signals. Since the relation between structure and behaviour is so simple, there is little opportunity for error in inferring the relationship and so little is lost by adopting an informal approach. With other kinds of digital logic (for example, tri-state logic) and with circuit structures that are parametrized, then the relation between structures and behaviours is rather more complex and there are signi cant gains to be had in formalising the relationship.
In this paper we will be describing an approach to relating structure and behaviour that exploits the very ne type structure that a dependently-typed higherorder logic o ers. (Dependent types are explained below.) As we shall show, the particular merits of the approach are its rigorous natures and its relative theoretical simplicity. In order to place it in the context of conventional CAD methods, we will describe it using concepts and terminology taken from VHDL (such as entity, interface and implementation). Later, we will show how it relates to aspects of VHDL and how it can be mechanically translated to and from VHDL.
Background
As background to this paper we brie y 1 review two earlier approaches (with which this paper shares many features) to the problem of relating structure and behaviour within a formal framework.
The principal features of the rst approach HD86] are:
{ The formalism used is a typed higher-order logic. { Circuits (in general, hierarchically structured) are directly speci ed within the logic in terms of their essential properties.
{ The type discipline of the logic is used to enforce the well-formedness of circuits. { There is a formal link between the structure of circuits and their behaviour.
Whilst this approach is both direct and simple, it does, however, have some serious limitations, namely:
{ Circuits are speci ed by properties and not as values. This is generally inconvenient since often an exact (ie,`categorical') description of a circuit is required rather than a`loose' one.
{ The approach is valid only for idealised, voltage-driven 2-state logic. { Since the theory is axiomatic in nature, errors in speci cations may give rise to inconsistency. A very much more ambitious approach to relating structure and behaviour is described in BHY92]. The principal features of this second approach are: { A module (that is, a circuit) is represented by a constant, basically a list comprising the module name, lists of the names of its input ports and its output ports, and an occurrence list specifying the internal structure of the module. { These datastructures are similar in form to the abstract syntax of the representation of the corresponding modules in a conventional hardware description language.
{ Generic circuit modules (for example, modules parametrized by their word length) are represented by functions that, when applied to a concrete value of the generic parameter, yield a concrete module representation.
{ The formalism used is the Boyer-Moore logic (a weakly typed, rst-order system with a lisp-like syntax). Whilst the approach has been used to conduct some impressive, large-scale correctness proofs, it is, however, not without some disadvantages. Perhaps the three main ones are:
{ the complexity of its structure-to-behaviour mapping function, DUAL-EVAL (which results in a general lack of transparency and in increased complexity of proofs); { the absence of strong typing (which makes descriptions of objects and functions verbose and di cult to follow);
{ the absence of a user-accessible metalanguage by which deduction in the BoyerMoore system may be directed. It was, nevertheless, the description of this general approach and of the possibilities it opened up which reawakened our interest in formally linking structures and behaviours. The method described in the following sections inherits features from both this approach and from the earlier one outlined above.
Dependent Types
The main theme of this paper is the way in which a dependently-typed logic may be used to allow the structure and behaviour of circuits to be intimately related to each other within a strongly-typed formal logic. The concepts we describe were actually tested using the Veritas logic and so we begin by summarising, very brie y, its main features. We note, however, that the same approach could equally well be developed in other dependently-typed logics such as NuPRL C86] or Isabelle PT90] and even (though with some limitations) by modelling a dependently-typed logic within an ordinary polymorphically-typed one, as in JM92].
Veritas HDL90, HD92] is a higher-order logic whose distinctive feature is that its type structure includes dependent types, subtypes and datatypes. It is computationally implemented HDH92] and the notation used in this paper is, with a few minor exceptions, identical to that which the logic both accepts and generates. In the remainder of this section we develop the various de nitions and concepts we shall need later on.
Datatypes The natural numbers, nat, may be introduced as a datatype by datatype nat = 0 j nat 0 Here, the so-called successor function has been introduced as a post xed operator (prime). Thus, the rst few numbers may be de ned by 1= 0 0 , 2= 1 0 , and so on. All terms in the logic are total. Function may be de ned by primitive recursion over datatypes. For example, the addition function (de ned as a binary operator +') may be de ned by de ne n + 0 = n j n + m 0 = (n + m) 0 end Functions may also be de ned by abstraction as for example in twice n= n + n.
Subtypes may be de ned by specifying their characteristic predicate. For example, the subtype bit of nat may be de ned as bit= fn: nat j n < 2g Types Types are themselves terms and hence functions may take types as arguments or yield types as their result. For example, the function N de ned by N n= fm: nat j m < ng takes a number n and yields the subtype of nat that comprises numbers in the range 0 to n ? 1. Since types are terms, they themselves have types. The type of all ordinary types is U0, the universe of (small) types.
Terms in the logic do not have unique types | rather, the term formation rules of the logic specify that certain term-type combinations (sometimes called`judgments') are well-formed. For example, all of the following typed terms are well formed: 1: nat, 1: bit, 1: N (2 + 2).
Vectors Vectors, that is, one-dimensional arrays, may be represented as functions over their index types. For example, the type byte de ned by byte= N 8 ! bit describes the type of 8-bit binary words. If B is a symbol of type byte, then the elements of B may be accessed by application, thus B 0, B 1, up to B 7. Application in Veritas may alternatively be denoted by subscription, and so the same collection of bits may also be expressed as B 0 , B 1 , up to B 7 .
Whilst vectors can easily be de ned by -abstraction, it is convenient to be able to describe literal vectors using conventional mathematical notation. Thus, we will often write 2 , for instance, either v= An application consisting of a function f: ( x: S] ! T x ) applied to a term a: S is a term f a whose type is T a . Thus, the type of an application depends on the value of the argument. If, as a special case, the type T x is independent of x, then an ordinary (i.e., non-dependent) function type results.
In a similar way, dependent product types may be de ned. These have the form x: S] T x . A term of this type has two components; the rst is of the form a: S and the second (whose type depends on the value of the rst) is of the form b: T a . A typical example of a dependent product type is the type n: nat] N n, and a typical element of this type is (5; 3), since 5: nat and 3: N 5.
Records In addition to vectors whose elements are all of the same type one can also, by using dependent types, de ne vectors whose elements are of heterogeneous types. Such vectors we term records. Suppose that f: (N n ! U0) is the function that de nes the type f i of the i th element of a record with n components. Then the type of the overall record is i: N n] ! f i. Notice that this type itself is rather similar 3 2
The \vertical" form of vector notation is not at present supported by computational implementations of the logic.
to a vector and so we introduce the notation h: : :i to abbreviate such types. For example, given three typed terms, a: s; b: t and c: u, the type of the record ha; b; ci may be written as hs; t; ui.
Relating Structures and Behaviours
Our aim is to be able to describe, with clarity and precision, the structures of circuits, the behaviour of circuits and the relation between structures and behaviours. We will do this by developing, within the Veritas logic, a strongly-typed Theory of Structures and Behaviours (abbrev. TSB).
The relation between structures and behaviours is, of course, strongly in uenced by the particular kind of digital technology by which the circuit is implemented. In order to illustrate the general principles in as simple a setting as possible, we shall describe the development of the theory for an ideal two-level, voltage-driven, fully synchronous technology. We note, however, that the real gains from this approach only become manifest when working with non-ideal, tri-state technologies. We have developed the theory for such a technology; it is alluded to in a later section.
Logic levels We will take the two logic levels to be identi ed with the values 0 and 1 of type bit. We will assume that all inputs are two-level signals and that all latches are in a two-level state at time t = 0. Given these assumptions, and under the further assumption that the circuit is well-formed (a property that we will be formally de ning) then we can assume that all signal levels within the circuit remain as two-level ones. Throughout, we will identify time with the natural numbers, that is, time= nat.
Relation to VHDL So as to allow the TSB approach to be related to contemporary engineering practice, we will adopt certain features of VHDL 4 and, later, we shall describe how TSB may be translated into a dialect of VHDL. The ability to undertake such translation is essential B92] if a formal method is ever to be able to be used in industrial design.
Following the general VHDL approach, we shall work in terms of design entities (or entities for short) which we will consider as having two aspects, an interface that describes an entity's external aspects, and an implementation that describes its internal structure. We shall extend VHDL, however, by requiring the interface to describe not only the entity's structural aspects but also its behavioural speci cation.
Interfaces
The interface that an entity (in a voltage-driven technology) presents to the external world consists of a set of ports each of which has a mode (that speci es whether it is an input or output port) and has a base type and which carries a signal. If the base type of the port is b, then the signal at the port will be of type time ! b. The behaviour of the entity is characterised by a predicate de ned on the signals at its ports.
We formalise the notion of an interface by introducing a type interface. In framing the de nition for this type we shall aim (by exploiting dependent types) to capture the exact relationship between, on the one hand, the number and types of the ports of the entity and, on the other hand, the type of its behavioural predicate. Formally, an entity interface is a 4-tuple consisting of: { A number, np, specifying the number of ports. Given this number we shall assume that the ports are identi ed with elements of the set N np and that we refer to ports by their indices rather than by their names. Thus if, for example, np had the value 4, then the ports would be labelled by indices 0 through to 3. { A port-mode mapping, pm, from the port index set N np to the two-element type mode de ned by the declaration datatype mode = input j output. { A port-type mapping, pt, from the port index set N np to the type U0 of (small) types. This mapping will represent the types of the signal levels (eg, bit) at the ports. Thus, the type of the signal (as distinct from the type of the signal levels) at port 2 would be time ! pt 2 . { A behavioural speci cation, spec, that takes the form of a predicate over the signals at the ports of the entity. The de nition we are about to present of the type of spec provides a particularly interesting illustration of the use of dependent types. Indeed, without dependent types it would not be possible to express this type at all. We build up the de nition in stages. For a second example, this time illustrating a more diverse collection of types, consider the interface (Figure 1(B) ) for an ALU unit. Assume the declaration datatype op code = add j sub j mult j div, and assume that a behavioural predicate alu behav has been de ned. The interface for the ALU is then de ned as The rst element of this pair speci es that the context contains some 4 interfaces; the second element (a vector) of the pair speci es the actual interfaces themselves. As usual, the elements of the vector are accessed by application. For example, the 0 th element (a not-gate interface) of the context would be referenced by the application (snd std cxt) 0 .
Circuits
We use the term circuit to mean a set of components connected, via their ports, to a set of nodes. Circuits are thus essentially labelled, directed graphs. Figure 2 shows a typical circuit. We formalise the notion of a circuit by introducing a type circuit. As with the de nition of the type interface above, we aim, by the use of dependent types, to capture the notion with precision. Formally, we de ne a circuit to be a 6-tuple consisting of: This type de nition is not nearly as complicated as it may, at rst sight, seem! For example, the TSB representation of the circuit shown in Figure 2 . is given by the tuple (cxt; nc; nn; ck; nt; w), where This array describes the way that the ports of each component are connected to the nodes. In this case it indicates that port 0 of component 0 is connected to node 0 and port 1 to node 1, and that port 0 of component 1 is connected to node 1, port 2 to node 3, and so on. 7 Well-formed Circuits So far, the de nition of the type circuit has ensured that the circuits being described are well-formed in a graph-theoretic sense. However, before we can reason about the behaviour of circuits, we need to ensure that they are also well-formed with respect to a particular technology.
For the present case (a two-state, voltage-driven synchronous technology) this involves establishing that: { Each node is driven by exactly one output port. { The type of each port is identical to the type of the node to which it is connected. { There are no asynchronous loops (that is, if all latches are removed, then the remaining circuitry is purely combinational). Predicates may be de ned to check each of these conditions. For example, a good way to test the rst condition is to assert the existence of a`back-wiring' function, bw: node ! c: comp] cp c such that, for any node n, the value of bw n is a pair (c; p) de ning a component c and a port p on that component with the property that: (a) the port p is an output port, and (b) that port is connected (as speci ed by the wiring function w) to node n. Speci ed formally, this predicate, Checking the second of the above conditions (viz, that interconnected ports and nodes have identical types) is trivial. Checking the third condition (absence of asynchronous loops) is a more interesting task. A good way to test for this property is to assert the existence of a labelling (using elements of nat) on the nodes such that no asynchronous component (that is, any component apart from a latch) has an input port connected to a node labelled with a number greater than or equal to the number labelling a node to which any of its output ports are connected. Such a predicate is not di cult to de ne.
Given the collection of well-formedness predicates for the technology, we de ne a subtype wf circuit of the type circuit that comprises only those circuits that are deemed to be well-formed wf circuit= fc: circuit j well formed cg
Behavioural Extraction
The real payo from the TSB approach with its use of dependent types comes when we consider the task of relating a circuit's behaviour to its structure. Informally, we wish to de ne a function behaviour of type wf circuit ! behav spec where the type behav spec signi es a predicate over the record of signals at the nodes of the circuit. Thus, to a closer degree of approximation we require the function to have the type wf circuit ! record of signals ! bool. Formally, however, we need to capture the relation between the collection of signal base types (as described within wf circuit) and the type record of signals. We achieve this by giving behaviour the dependent type That is, it takes a well-formed circuit with nn nodes (whose base types are de ned by the vector nt) and it yields a predicate over a record of signals type. For example, if the node base types for a two-node circuit were hbit; bytei then the individual signal types would be (time ! bit) and (time ! type) and so the type of this record would be h(time ! bit); (time ! byte)i. The penultimate line introduces s as being the record of signals at the ports of component c. It is obtained from r (the record of signals at the nodes of the overall circuit) by using the wiring function w to specify to which node that port j of component c is connected. The nal line, spec s, asserts that this record of signals s must satisfy the behavioural speci cation spec (of component c).
A signi cant fact to notice about this de nition is its entire de nition is given here | it does not rely upon any subsidiary functions at all.
Implementations
In general, the internal structures of circuits are not visible; only their interface is seen. Thus we now need to discuss how to encapulate circuits to give interfaces. This involves no more than de ning an association between the ports of the interface and the nodes of the circuit. Formally, we do this by introducing a new type, Port to node wiring function That is, an implementation is an interface (with np ports), a circuit (with nn nodes) and a function associating ports with nodes. As with circuits, we need to de ne a subtype wf implementation of well-formed implementations (essentially identical considerations as before apply) before we can reason about behavioural aspects of implementations.
Actual behaviour of an implementation
Given that an implementation is well-formed, we can infer its behaviour by using the following function, behav. This function is de ned in terms of behaviour (the function that operates on well-formed circuits). Its de nition is not particularly complex 
Entities
We now have two de nitions for the behaviour of a (well-formed) implementation: { Its behavioural speci cation (as given by the spec component of its interface); { Its actual behaviour (as inferred by the above function, behav, from its internal structure). In order to bring these two de nitions into line, we introduce the notion of an entity (as a subtype of implementation). An entity is de ned to be an implementation whose actual behaviour satis es the behavioural speci cation of its interface. Thus we introduce the de nition entity= fimpl: implementation j well behaved implg where the predicate well behaved is de ned by The rst two lines of this de nition extract the component parts of the interface, intf , the next line quanti es over the appropriate signal types and the nal line asserts that the behaviour of the implementation satis es the behavioural speci cation of the interface. This de nition for the type entity is perhaps the most important concept in this paper. This type describes both the structural and behavioural properties of an interface and it also describes the structural properties of an implementation whcih is guaranteed, by the type discipline of the logic, to satisfy the interface speci cations. The interface type, by virtue of describing both structural and behavioural properties of an interface, provides the means to achieve a complete separation between the concerns of the implementor of an entity and the users of that entity.
Translation to VHDL
There is a su cient degree of correspondence between this TSB notion of \entity" and the VHDL one to be able to expresss a TSB entity into a VHDL-liek notation. We have written a function (in Standard ml, the metalanguage in which Veritas is de ned rather than in Veritas itself) that performs this translation. As an example, the translation of a (very simple) TSB entity (a nand-gate realised using an and gate and a not gate) into VHDL looks like: entity nandgate is port (p1 : input bit; p2 : inputbit; p3 : outputbit); spec (8t: time: (p3 t) = 1 ? (p1 t) (p2 t)) end; end nandgate; architecture nand impl of nandgate is signal p4 : bit; begin G0; andgate portmap (p1; p2; p4); G1; notgate portmap (p4; p3); end nand impl; (The alphameric names are speci ed as separate inputs to the translation function; the TSB notation does not at present include alphameric strings.)
Discussion
The development of the TSB approach has been described relative to an ideal, voltage-driven, two-state technology. Whilst this has allowed us to focus on the type-theory aspects of the approach, it also tends to somewhat trivialise it. Its full potential only becomes apparent when dealing with tri-state technologies and with parameterized circuitry (a point emphasised in BHY92] in connection with their HDL notation).
We have developed a \fairly rigorous" TSB theory for tri-state technologies. Its main di erences from the present approach is that the signals at the ports are no longer plain voltages but are instead (voltage, Thevenin-impedance) pairs, and are bi-directional in nature. In fact, there is no reason why the same approach should not also be used to reason about properties of completely analogue circuits.
All of the functions described in this paper have (with minor changes) been type-checked using a computational implementation of the Veritas system. Doing this involved the development of many new \tactics" (functions used for guiding the process of type-checking and theorem proving) and their development was a far from trivial task. However, given these tactics, many de nitions of the general kind described in this paper can now be type-checked almost entirely automatically.
As noted in HLD89, F90] there are many advantages in combining the processes of design and of formal veri cation, yielding an approach known as formal synthesis. We have been exploring using the TSB approach with a formal synthesis design editor. Early signs are that the combination will be a fruitful one. The design process starts o with the proof editor being provided with a TSB context (alias VHDL library) and a TSB interface speci cation. The user, by interactively selecting techniques (alias tactics), re nes the original interface into an interconnected set of simpler ones, and ultimately into primitive ones that can be found in the context. At each stage the proof editor generates the necessary theorems to justify the re nement. The end result of the process is a TSB entity | that is, an interface (identical to the original one) and an implementation whose structure and behaviour are guaranteed to satisfy the interface speci cation.
An important aspect of formal veri cation is the idea of relating behaviours at di ering levels of abstraction. We believe that similar notions of abstraction will be equally valuable in the structural domain. For example, one may wish to relate the structural views of an adder at the level of individual bits and at the level of busses. There is also interesting work to be done in studying how structural and behavioural abstraction interact with each other.
The comparison between the present approach and its antecedents described earlier in this paper is an interesting one; features are inherited from both. Even if one concedes that the use of higher-order logic with dependent types does bring about aesthetic gains over the development of a similar approach in a simpler logic (for example, Boyer-Moore), it is still, in the authors' opinion, a very open question as to whether these theoretical gains can be translated into practical ones. Thus far, our own computational trials have been limited to very simple circuits and it is not clear how both the computational load and the amount of human guidance required will scale with increasing size of circuit.
As a nal point, we note that it may be that the greatest gains arising from developing approaches such as the TSB one described here will not be in supporting formal veri cation but rather in providing the theoretical framework that will allow future generations of hardware design languages to be developed on a less ad hoc basis that at present. If this can be achieved, the gains could be signi cant.
