Abstract. This paper gives operational semantics for a subset of VHDL in terms of abstract machines. Restrictions to the VHDL source code are the niteness of data types, and the absence of quantitative timing informations. The abstract machine of a design unit is built by composition of the abstract machines for its embedded processes and blocks. The kernel process in our model is distributed among the composed machines. One transition of the nal abstract machine models a VHDL delta cycle. This model can be used for symbolic model checking and equivalence veri cation.
Introduction
Giving a formal de nition of the semantics of VHDL 7] is of highest importance for synthesis and formal veri cation. Many di erent approaches have been proposed to ful ll this need, see eg 1, 3, 4, 5, 8, 9, 10, 11] . A rst conclusion can be drawn from a study of these works: one has to trade o the number of VHDL features modeled, and the practical usefulness of the semantics. VHDL is a very complex language and the models that capture all the features are almost inherently not applicable to produce design automation tools. On the other hand, if some aspects of the language are deliberately discarded, it becomes possible to deal with it e ciently, on a formal basis.
In the approach we present, we restrict ourselves to a subset of VHDL such that design descriptions can be mapped to nite state representations: objects must be of a nite type (no access nor le types, no unconstrained arrays, no generics) and quantitative timing informations are not accepted (no`after' clauses in assignment statements, no`for' clauses in wait statements). Under these restrictions, the elaboration of VHDL design entities in terms of our semantics produces abstract machines that are suitable for veri cation by symbolic methods (equivalence proof, model checking). By means of symbolic simulation techniques, a single execution of the generated abstract machines represents all possible executions of the corresponding VHDL script.
The research e orts that are closest to our work are the semantics presented by Damm et al. 2] , that serve as a formal basis to feed VHDL designs to a model checker. Our approach mainly di ers in the fact that a state in our model represents a point in the simulation where the current statement of all processes is a wait statement, whereas in 2] a state represents a point where the current statement of each process is any statement. Using programming terminology, a program counter in our case goes from a wait statement to the next wait statement, whereas in 2] it goes from a sequential statement to the next sequential statement. Thus, the main advantage of our approach is that a single transition represents a whole simulation cycle, which is not the case in 2], where several transitions are needed.
Overview of the Article : Section 2 presents the target model towards which we shall map VHDL design entities. Section 3 gives the general principles that drive the di erent aspects of the semantics: the elaboration of models and their composition. These two aspects are presented in detail respectively in Sections 4 and 5. Section 6 gives a short conclusion and presents future developments of this work.
Abstract Machines
The VHDL semantics presented in this paper are expressed in terms of a class of models called abstract machines. These abstract machines are composed of a nite state machine and a boolean condition on the state space of this machine. 
General Principles
Given a VHDL design D, an abstract machine A is elaborated. The requirement put on A is that it has the same observable behavior as D. By observable behavior, we mean that the response of outputs of A to stimuli on its inputs should be the same as the response of the out ports of D to its assignments to its in ports. Both the behavior at the level of the delta cycle and the behavior at the level of stable states are considered.
Principles of Composition
The semantic rules give a formal de nition to the translation of any VHDL design unit to the class of abstract machines. Since process statements are the atomic components of a design entity, an abstract machine is associated to each process of the considered design unit. The resulting machines are composed to obtain the semantics of the design unit, as illustrated in Fig. 1 . These compositions also take into account the kernel activity: update of e ective values, elaboration of implicit signals, etc.
Hence, one can identify three main parts to de ne these semantics: { the semantic rules for elaboration, that associate an abstract machine to a VHDL process statement within some declaration environment, { the semantic rules associated to the concurrent composition of concurrent statements, that corresponds to the parallel composition of abstract machines, { the semantic rules associated to the declaration encapsulation mechanism that occurs in`block' statements and`architecture bodies', that corresponds to the hiding operator (or declaration encapsulation) on abstract machines. As any VHDL concurrent statement that is not a block statement has a corresponding equivalent process statement, this discussion focuses on the semantics of process and block statements.
Principles of Elaboration
The process statement is the smallest piece of VHDL that can be simulated: consider an architecture body with a single process statement, and whose entity declaration in ports (resp. out ports) are the signals read (resp. assigned) within this process statement. It is quite clear that the input, output, and state variables of the abstract machine that corresponds to a process statement should be elaborated from the signals read, the signals assigned, and the variables declared in the process statement. State transition and output functions should be elaborated from the assignments to variables and signals. The initial state should correspond to the initial values of the process variables. And the stability condition should be true whenever the di erent clauses of the current wait statement are not satis ed.
However, there are practical problems to do this: { In a process statement, assignment statements are executed sequentially, and thus are dependent of each other; the source expression of an assignment, as well as the condition of a conditional statement, depends on the previous variable assignments. But in the abstract machine, state transition and output functions occur simultaneously (in parallel), and are independent. { A process statement may have several wait statements, and the elaboration of the stability condition has to be carefully performed to handle this. The following section 4 provides a method to resolve these problems.
Elaboration
Throughout this section, the elaboration principles will be illustrated on a running example, shown in Fig. 2 , where F, N, M are boolean signals. The elaboration is based on the analysis and the modi cation of the execution ow in the process statement. Thus, for sake of clarity, we base the discussion on a ow graph representation of the statement part of the process, as brie y depicted in section 4.1. In section 4.2, we present a method to merge wait statements as well as the subsequent modi cations on the ow graph representation, such that the process behavior and reactivity to changes on signals' values are not modi ed. Following, section 4.3 relates to the problem of making the evaluation of expressions independent of the assignments that occured previously in the same simulation cycle. A solution to this problem is given in section 4.4, where the ow graph is transformed into a tree and simpli ed. The obtained simpli ed execution tree is used to derive a decision diagram for each object, signal or variable, assigned within the process, as explained in section 4.5. Finally section 4.6 deals with the elaboration of the abstract machine. The method presented herein can be applied to any process whose statement part is (or could be rewritten into) any combination of if statements, wait statements, and signal and variable assignment statements.
Representation of the Process Statement Part
The representation of the statement part of a process statement P is the owgraph G(P) of the syntactic structure of the sequence of statements. Let P be a process statement, G(P) = (V; A) is a directed graph such that: { V is the set of vertices, each vertex corresponds to either an assignment statement, a wait statement or an if statement. { A V V is the set of arcs, arcs are labeled with VHDL conditions. For instance, the statement part of the process of Fig. 2 is represented by the graph of Fig. 3 .
Non-accepted Process Statements: Let P be a process statement. If, in the graph G(P), there is a cycle such that there is no vertex carrying a wait statement, and such that the conjunction of the conditions that label the arcs is not equal to false, then we do not know how to elaborate an abstract machine. This characteristic arises in a statement part that contains an execution path without wait statement (also in a loop whose body does not contain a wait statement). These situations can lead to a non-terminating simulation cycle, and therefore cannot be handled in a nite state model. 
Merging Wait Statements
Given the set of wait statements of a process, we replace all of them by a single wait statement that resumes if and only if the initial process resumes its activity from the current wait statement. From now on, we refer to this resulting wait statement as the merged wait statement.
Proposal 4.1 (Wait counter) In order to transform a process statement P into a process statement R with a single wait statement, it is necessary to introduce a variable, named CW (for Current Wait), of type natural, that ranges from 0 to the number n of wait statements in P, and to label each wait statement of P with a di erent natural number between 1 and n. The value of CW is equal to 0 when P is at the beginning of a simulation, and to i (1 i n) if P is suspended at the i th wait statement. Suppose that the process has n wait statements, with (possibly implicit) sensitivity list s i and condition clause c i . The process resumes its activity on the i th wait statement if there is an event on one of the signals of s i , and the condition c i is valid. Hence, the condition under which the process resumes its execution is:
This general expression is used to derive the condition clause of the merged wait statement, where an explicit sensitivity clause is no longer useful, since all the signals the di erent waits are sensitive to appear as primary in the condition clause. The condition CW = 0 exhibits the fact that the process is active at the beginning of the simulation. In the example, the di erent wait statements are: The ow-graph representation has to be modi ed to replace the original wait statements by the merged wait statement, and to update the variable CW. An assignment to variable CW is inserted before each wait statement, the assigned value is the label of this wait statement. An if statement is added at the beginning of the process statement part and directs the execution ow to the appropriate set of statements, according to the current resumption condition. The graph representation of these sets of statements are the connected elements of the original ow graph, where the vertices carrying wait statements have been removed. Each one of these sets of connected elements is called a zone; all zones are inserted as the di erent branches of the added if statement. The i th zone, 1 i n (resp. 0), is the zone executed after the i th wait statement (resp. when the simulation starts).
The resulting if statement is followed by the merged wait statement that ends the process statement part. The new ow graph of the example, after performing these transformations, is depicted in Fig. 4 , where: { the rst statement is a conditional statement (on the current value of CW) and its branches do not hold wait statements, this statement is referred as the transition statement, { the second and last statement is the unique wait statement of the process.
Resolving Dependencies
During simulation, an object that occurs in an expression is evaluated, and in the case of a variable, it evaluates to its current value. Thus, if this variable has been previously assigned in the same simulation cycle, its current value depends on this assignment. This dependency has to be eliminated in order to elaborate an abstract machine, where the atomic transitions must be independent of each other.
Thus, we need to distinguish the occurrences of variables in expressions that depend on some previous assignment executed in the same simulation cycle (these are called reducible occurrences) from the occurrences of variables whose current value has been assigned at a previous simulation cycle (these are called irreducible occurrences). The occurrence of a variable in a vertex statement (resp. in an arc condition) is reducible, if there is a path from the merged wait statement to this vertex (resp. arc), that passes through a vertex that carries an assignment to this variable. As a side e ect, if all occurrences of a variable in a process are reducible, the variable is not necessary to compute the value of the other objects. It is therefore not useful to generate a state variable in the abstract machine to represent it. The occurrence of a variable in a vertex statement (resp. in an arc condition) is irreducible, if there is a path from the merged wait statement to this vertex (resp. arc), that does not pass through a vertex carrying an assignment to this variable.
The problem is that some occurrences happen to be both reducible and irreducible, as there might be several paths that go from the merged wait statement to a given vertex or arc (eg, in the assignment F <= (V = 8); of the example).
Derivation of the Execution Tree
In order to correctly process variable assignment statements and identify irreducible variables, we need a representation in which variable occurrences are either reducible or irreducible but never both at the same time for a particular execution path. Thus, we transform the graph of the process transition statement into an execution tree. The root of the execution tree is the initial vertex. sition statement. The leaves of the tree are implicitly followed by the merged wait statement. Figure 5 shows the execution tree that represents the transition statement of the example of Fig .2 . On any path of the execution tree a variable occurrence is either reducible, or irreducible, but never both. This is a direct consequence of the fact that, in a tree, for every vertex and arc, there is a unique path that goes from the root to this vertex or arc. If a variable occurs in a vertex or in an arc label, and if there is an assignment statement to the variable on the path that leads to this expression, this occurrence is reducible, otherwise it is irreducible.
Simpli cation of an Execution Tree : The execution tree is simpli ed with two operations: { reduction of reducible variable occurrences, by a simple traversal of the graph; { pushing the`if' vertices toward the root, and assignment statements towards the leafs of the execution tree. The algorithm is a rewrite system on the tree representation, schematically de ned as: 6 presents the result of applying these reductions to the example. One can notice that, since reducible occurrences of variables have been replaced, there is no more dependency of expressions with respect to assignment statements. Now, when a variable occurs in an expression, it is evaluated to the value it had at the start of the zone, i.e. at the end of the previous simulation cycle, as it happens in the abstract machine.
Decision Diagrams for Assignments to Objects
In the simpli ed execution tree, assignments to objects (signals or variables) are independent of each other. Thus, in order to determine their characteristic function, it is su cient to create, for each assigned object O, a copy of this tree and to remove all vertices that contain assignments to other objects to get a simple decision diagram that gives the value assigned to O. Fig. 7 shows the result of this operation on the example. 
V < 8 h h h h h h h h h h h h V >= 8 F <= (V = 8); if t t V < 8 h h h h h h h h h h h h

Generation of the Abstract Machine
In order to elaborate the abstract machine, we suppose the existence of a morphism (see e.g. 6]), from the VHDL value domains to the value domains of the abstract machine. To simplify this presentation, we use on type names as well as on expressions. In the following, types, operators and objects of VHDL are written using the typewriter style. For instance: ( Given a process statement, we elaborate an abstract machine according the following general guidelines: 1. every signal S that appears in an expression within the process statement part elaborates an input variable (eff(S)) that carries its e ective value, a signal that appears in a sensitivity list elaborates a boolean input variable (ev(S)), true whenever an event occurs on this signal, 2. every variable V of the process statement part, that has not been eliminated, elaborates a state variable (V) that carries its current value, 3. every signal S that appears as a target of a signal assignment statement within the process statement part elaborates (dr val(P, S)), an output variable that carries the current value of its driver, 4. initial values of the elaborated variables (point 2) elaborate the initial state, 5. decision diagrams associated to the elaborated variables (point 2) elaborate the transition function, 6. decision diagrams associated to the elaborated outputs (point 3) elaborate the output function, 7. the condition clause of the unique wait statement elaborates the stability condition.
The elaboration of the transition functions is based on an interpretation = of the decision diagrams of the assigned objects using the morphism . = takes into account the fact that when an object is not assigned, it keeps its previous value.
= interprets decision diagrams in terms of case-based function de nitions. It is inductively de ned in terms of the structure of the decision diagrams:
{ the base case is the assignment statement vertex, its interpretation is de ned by: O := E; = ? ! (E) { the general case is an if vertex, its interpretation is de ned by:
1. if the object is a variable:
2. if the object is a signal:
The stability condition sc is elaborated from the wait statement. The wait statement being wait until cond, the stability condition is sc = : (cond)
Principles of Composition
We have presented the principles that guide the elaboration of abstract machines from a process statement. In this section, we give an informal presentation of the composition mechanism that applies to such elaborated abstract machines, and correspond to the following compositions of concurrent statements: { parallel composition of abstract machines, corresponding to VHDL concurrent composition, { declaration encapsulation mechanism that occurs in`block' statements and architecture bodies', { hierarchy with component instantiation statements. These compositions are not associative: when elaborating a block statement or an architecture body, the whole instruction part must be elaborated (by means of parallel compositions) before the declaration encapsulation is done. We conclude this section by giving an evaluation of the complexity of the generated model. be the empty set. 4. s 0 = s 01 s 01 , is the concatenation of the initial states of the composed abstract machines. 5. NS = NS 1 NS 2 , the transition function of the composition is the product of the transition functions of the composed abstract machines. 6. NO = NO 1 NO 2 , the output function of the composition is the product of the output functions of the composed abstract machines. 7. sc = sc 1^s c 2 , states of the product machine are stable if the states of both machines are stable.
Declaration Encapsulation
Declaration encapsulation of signals occurs in block statements and architecture bodies.
Block Statement : Let M = hI; S; O; s 0 ; NS; NO; sci be the abstract machine elaborated from the statement part of the block statement, S d the set of signal declarations of its declarative part. The abstract machine elaborated from the block statement is M e = hI e ; S e ; O e ; s 0e ; NS e ; NO e ; sc e i. The variables in M that correspond to elements of S d should not belong to the interface but to the internal variables of the result abstract machine M e . Furthermore, the kernel activity that corresponds to the update of the e ective values of these local signals is modeled at the level of the block statement, by their transition function. We say that the kernel activity is distributed along the hierarchy in the design entities.
M e is such that: NS (eff(S)) = NO i . The atomic transition function associated to a variable (eff(S)), for some local resolved signal S, states that the next e ective value is equal to the resolution function < of S applied to the values of the n corresponding (dr val(P,S)) output variables of M: NS (eff(S)) (I e ; S e ) = <(NO 1 (I; S); : : :NO n (I; S)):
6. the output function NO e is the function equal to NO where all the atomic output functions of the encapsulated output variables are removed.
Furthermore, the formula (eff(S)) 6 = (p eff(S))) replaces each occurrence of a variable that represents (ev(S)) for some local signal S in the output and transition functions.
Architecture Body : In the case of an architecture body, the ports and signals of the corresponding entity declaration have also to be considered. The signal declarations of the entity declaration and the architecture body are encapsulated like the signal declarations that occur in a block declarative part (see above). Once these signal declarations have been encapsulated, the result abstract machine should have as remaining input and output variables those that correspond to the ports of the entity.
Let M = hI; S; O; s 0 ; NS; NO; sci be the abstract machine elaborated from the architecture statement part. Let P in , P out , P inout be the set of ports of the entity declaration, according to their direction, and S d the set of signals declared locally to the architecture and the entity. 4 . the initial state s 0e is de ned as for a block statement, 5. the transition function NS e is de ned as for a block statement, 6. the output function NO e is the vector of the atomic output functions of the abstract machine outputs. For a port P, for which no output variable has been elaborated in machine M (the port is neither assigned nor the output of an internal component), the output function is NO (dr val(A,P) ) (I e ; S e ) = (E); where E is the initial value of P. For an unresolved port P, for which a single output variable has been elaborated in machine M and whose associated output function was NO i , the output function in M e is equal to NO i .
For a resolved port P, for which one or more output variables have been elaborated in machine M and whose associated output functions were NO 1 ,... ,NO p , the output function in M e is:
(dr val(A,P) ) (I e ; S e ) = <(NO 1 (I; S); : : :NO n (I; S)): As for block statements, the formula (eff(SIG)) 6 = (p eff(SIG))) replaces each occurrence of a variable that represents ev(S) for some local signal S in the output and transition functions.
Component Instantiation Statements : The elaboration of a component instantiation statement directly derives from the previous section. The component is con gured to an architecture A and an entity E. A copy of the abstract machine elaborated from design unit E(A) is brought to the statement part of the block or architecture in which the component is instantiated. All the local objects of the component instance are renamed by pre xing them with the label of the component instantiation statement.
Formal ports which are associated to an actual signal in the port map aspect are renamed with the name of the actual signal. Formal ports which are open in the port map aspect are renamed by pre xing the component formal name with the label of the component instantiation statement. For a formal port P of mode in which is associated to an expression E, all occurrences of the variable (eff(P)) are replaced by the value (E) of this expression, all occurrences of the variable (ev(P)) are replaced by the value false, and these variables are removed from the inputs of the abstract machine.
Complexity of the Generated Abstract Machine : The kind of elaborated abstract machines is very likely to serve as a basis for BDD-based veri cation techniques. Therefore, a good measure to evaluate the complexity of the model is the number of boolean propositions needed to encode the di erent variables of the abstract machine.
A { The number of input variables is: P n k=1 dlog ji k'TYPEje+jfi k j trig(i k)gj.
The rst term of this sum represents the number of variables needed to encode the VHDL in ports, the second term is the number of variables needed to encode events on the in ports the processes of the design are sensitive to. The rst term of this sum represents the number of variables needed to encode the VHDL local signals, the second term is the number of variables needed to encode the previous e ective values of the signals to which the processes of the design are sensitive, the third term is the number of variables needed to encode wait counters, and the last term is the number of variables needed to encode the variables declared within process statements.
These are worst case gures. For instance, a process statement with a single nal wait statement need not have a wait counter variable. This situation occurs quite frequently, since it corresponds to processes with sensitivity list and to concurrent signal assignments.
Conclusion
In this article, we have presented the semantics of a core VHDL that has the following theoretical restrictions with respect to the full language: types and executions must be nite, and no quantitative timing informations are allowed. Other restrictions in this paper (such as the non-inclusion of composite types) are not fundamental in nature and were made only to focus on the fundamental aspects of our approach. These semantics show how VHDL design units can be used to elaborate an abstract machine that can be considered as a symbolic model. This model is composed of a nite state machine where each transition captures one VHDL simulation cycle, and a stability condition that represents the states of the model that correspond to quiet states of the VHDL model. Under this form, the abstract machine behaves like a zero-delay reactive system. Hence, it is possible to verify strictly qualitative temporal properties (by means of symbolic model checking) or observational equivalence, at the level of delta cycles or at the level of quiet states. Under the current form, the model is applicable to synchronous as well as asynchronous circuits where propagation delays are abstracted to evaluation cycles.
In addition to an on-going realization of a symbolic model checker based on these semantics, it is our intention to investigate how this model can be used to study the reachability of stability conditions based on the stability of inputs in order to verify sequential circuits synchronized by one or more clocks. We have the intuition that a previous nite state machine model 4] which assumed strict restrictions on signals assigned under the condition of a clock pulse could be derived as a special case of the abstract machine model presented here. This could lead to a hierarchy of models where this model could serve as a validation of the simplifying assumptions made in the other one. More work is needed to bring formal justi cations to the above statements.
