Abstract -SystemC FL is a formal language for hardware/software co-design. Principally, SystemC FL is the formalization of SystemC based on classical process algebra ACP. The language is aimed to give formal specification of SystemC designs and perform formal analysis of SystemC processes. This paper, designed for the first-time user of SystemC FL , guides the reader through modeling, analyzing and verifying designs using SystemC FL . This paper illustrates the use of SystemC FL with two case studies taken from literature.
Introduction
SystemC [1] is a modeling and simulation language (without formal semantics defined) based on C++ for hardware/software co-design. Recently, SystemC has received an extreme increase in industrial acceptance for system specification and simulation.
The goal of developing a formal semantics is to provide a complete and unambiguous specification of the language. It also contributes significantly to the sharing, portability and integration of various applications in simulation, synthesis and formal verification.
SystemC FL [2] is a reasonable subset of SystemC that has a rigid formal basis (i.e. formal semantics). In principle, SystemC FL is the formalization of SystemC based on classical process algebra (the Algebra of Communicating Processes) ACP [7] . The intended use of SystemC FL is for giving formal specification of SystemC designs and performing formal analysis of SystemC processes. It was shown in [3] that SystemC FL can be reasonably efficiently used to model software, hardware and concurrency.
A key feature of SystemC FL is to have a singleformalism that is used to describe the various aspects of the system under consideration. Analysis/formal verification takes place by extracting simpler designs from SystemC FL designs that are tailored to some specific properties of interest. More precisely, various desired properties of systems/designs modeled in SystemC FL can be verified with existing formal verification tools by translating them formally into different formalisms that are the input languages of the existing formal verification tools. Hence, SystemC FL can be purportedly used for formal verification. For instance, safety properties of concurrent systems modeled in SystemC FL can be verified by translating those systems to PROMELA [12] that is the input language of the SPIN Model Checker [12] . Similarly, [5] reported that some desired properties of finite state systems described in SystemC FL can be fed into the SMV Model Checker [14] to verify them.
Also, a formal translation was defined in [4] from SystemC FL to a variant (with very general settings) of timed automata. The practical benefit of the formal translation from a SystemC FL design (describing realtime systems) to a timed automaton is to enable verification of properties of the SystemC FL design using existing verification tools for timed automata, such as Uppaal [13] .
Related Work
The simulation semantics (including watching statement, signal assignment, and wait statement) of SystemC in the form of distributed Abstract State Machine (ASM) specifications and the Denotational Semantics for a synchronous subset of SystemC were studied by [10] and [11] respectively.
It is general believed that the structured operational semantics (SOS) [8] is more intuitive [9] , and the methods of ASM specifications and denotational semantics appear to be difficult to apply to describe the dynamic behavior of processes. Therefore, the language semantics of SystemC FL was formally defined in a standard SOS style.
Organization
The remainder of this paper is organized as follows. The next section introduces the formal language SystemC FL . Section 3 and 4 present some practical applications of SystemC FL for modeling and formal verification. Section 5 contains our conclusions.
SystemC FL Language
In this section, we introduce the formal language SystemC FL . For the syntax and the formal semantics of SystemC FL , we also refer to [2] and [6] .
SystemC FL Data Types
In order to define the semantics of SystemC FL processes, we need to make some assumptions about the data types. Let Var denote the set of all variables (x 0 , . . . , x n ), and Value denote the set all possible values (v 0 , . . . , v m ) that contains at least B (booleans) and R (reals). A valuation is a partial function from variables to values (e.g. x 0 → v 0 ). The set of all valuations is denoted by Σ. The set Ch of all channels and the set S of all sensitivity lists with clocks may be used in SystemC FL processes that are assumed. Notice that the above proposed data types are the fundamental ones. Several extensions of data types (e.g., "sc bit" and "sc logic") were already introduced in [3] .
Syntax of the SystemC
FL Language
A process term P in SystemC FL is built from atomic process terms AP . SystemC FL consists of various operators that operate on process terms, and it is defined according to the following grammar:
The operators are listed in descending order of their binding strength as follows :
, Θ, || , || , ∼}, {∂, τ, π, }. The operators inside the braces have equal binding strength. In addition, operators of equal binding strength associate to the left, and parentheses may be used to group expressions.
Below is a brief introduction of the formal language SystemC FL . The formal semantics of SystemC FL is given in subsection 2.3.
Due to limitation of pages, deduction rules 1 for operational semantics of SystemC FL are not given in this paper. For those interested in more details, please read [2] and [6] .
A constant called deadlock δ is introduced, which represents no behavior. The skip process term performs the internal action τ which is not externally visible. The assignment process term x := e, which assigns the value of expression e to x (modeling a SystemC "assignment" statement). The delay process term ∆e n is able to delay the value of numerical expression e n . The unbounded delay process term ≫ (modeling a SystemC "wait" statement) may delay for a long time that is unbounded or perform the internal action τ .
The conditional composition p b q operates as a SystemC "then if else" statement, where b denotes a boolean expression and p, q ∈ P . The watching process term b p is used to model a SystemC "watching" statement. The sequential composition p • q models the process term that behaves as p, and upon termination of p, continues to behave as process term q. The alternative composition pΘq models a non-deterministic choice between process terms p and q. The timeout process term p d q (modeling a SystemC "time out" construct) behaves as p if p performs a time transition 1 These rules (of the form premises conclusions ) have two parts: on the top of the bar we put premises of the rule, and below it the conclusions. before a time d ∈ R >0 ; otherwise, it behaves as q. The watchdog process term p d q behaves as p during a period of time less than d, at time d, q takes over the execution from p in p d q; if p performs an internal cancel χ action, then the delay is canceled, and the subsequent behavior is that of p after χ is executed. The repetition process term * p (modeling a SystemC "loop" construct) executes p zero or more times.
The parallel composition p || q, the left-parallel composition p || q and the communication composition p ∼ q are used to express parallelism (actions are executed in an interleaving manner, with the possibility of communication of actions). The encapsulation of actions is allowed using ∂ H (p), where H represents the set of all actions to be blocked in p. The abstraction τ I (p) behaves as the process term p, except that all actions names in I are renamed to the internal action τ . The maximal progress π(p) assigns action transitions a higher priority over time transitions. This operator is needed to establish a desired communication behavior. That is, both the sender and the receiver must be able to perform time transitions, but if two of these can communicate (i.e. performing action transitions), they should not perform time transitions. The grouping of actions and executing them in one step can be done by using (p).
Informal semantics of SystemC states that SystemC incorporates both point-to-point communication and multi-party communication mechanisms for the interaction amongst processes. However, there are no (implicit) statements in SystemC for modeling these communication mechanisms. In order to capture these facts in SystemC FL , operators ||, || , ∼, ∂ H , τ I , and π are introduced to give formal specification for point-to-point communication and multi-party communication mechanisms. Two valuations (e.g., previous accompanying valuation and current valuation) are defined (as arguments) in the quintuple, so that the change of valuation of variables in the sensitivity list of the quintuple can be observed. This is needed for defining the deduction rules of some SystemC FL operators (e.g. the watching ).
Semantics of the

Modeling with SystemC
FL
In this section, we apply SystemC FL to give the formal specification of a case study taken from literature. 
Synchronous D Flip Flop
Purportedly Used for Formal Verification
In the section, we present the application of SPIN to verify the mutual exclusion algorithm of Dekker modeled in SystemC FL , by translating theSystemC FL design to PROMELA.
Dekker's Mutual Exclusion
The mutual exclusion algorithm of Dekker is used by two processes (A and B) which communicate through shared variables. It is intended to prevent the processes being simultaneously entered in their critical section. Since Dekker's Mutual Exclusion is a well-known case study of the concurrency theory, we do not further give the description and explanation of this algorithm. We only give the formal specification of it in SystemC FL . In order to increase the readability, we introduce syntactic sugars for various process terms. The syntactic sugars for the process terms A and B of the mutual exclusion algorithm of Dekker are as follows:
Since the process terms A and B execute concurrently, the parallel composition is used to model the complete system. The complete system with initial value for variables is modeled as follows:
A || B , σ , σ, ∅, ∅ for some σ , where σ = {x →⊥, y →⊥, t →⊥, A t → 0, B t → 1}, ∅ and ⊥ denote empty element and the undefinedness respectively.
Note that the variable mu is introduced as a flag. In this case study, if mu = 2, which indicates that process terms A and B enter simultaneously in their critical section.
Presenting the formal translation scheme from SystemC FL to PROMELA, and the syntax and semantics of PROMELA are far beyond the scope of this paper, therefore we do not show them. Nevertheless, the translation of the above-given formal specification of Dekker's Mutual Exclusion algorithm from SystemC FL to PROMELA model is straightforward and it is shown as follows: / * declaration * / bit x, y; byte t, mu; proctype A() { x = 1; t = Bt; ((y == 0)||(t == At))-> / * critical section * / mu ++; mu --; x = 0; } proctype B() { y = 1 t = At; ((x == 0)||(t == Bt))-> / * critical section * / mu ++; mu --; y = 0; } proctype monitor() { assert (mu ! = 2); } init { run A(); run B(); run monitor() } Notice that the process monitor is introduced and needed in the PROMELA model to check whether mutual exclusion is valid. If the condition of the assert statement (i.e., mu! = 2) does not hold, SPIN will produce an error report. The process init is used to start processes.
Conclusions
In this paper, the main aspects of the current status of the formal language SystemC FL are presented. Then, the use of the SystemC FL through some case studies taken from literature is illustrated. Also, some practical applications of SystemC FL are shown that can be purportedly used for formal verification.
