HOP: A formal model for synchronous circuits using communicating fundamental mode symbolic automata by Gopalakrishnan, Ganesh
HOP: A FORMAL MODEL FOR SYNCHRONOUS CIRCUITS USING 
COMMUNICATING FUNDAMENTAL MODE SYMBOLIC AUTOMATA
GANESH GOPALAKRISHNAN1
Department of Computer Science .
University of Utah 
Salt Lake City, UT 84112, USA
ganesh@cs.utah.edu ,
UUCS-92-009
A b s t r a c t
We study synchronous digital circuits in an abstract setting. A circuit is viewed as a collection of modules 
connected through their boundary ports, where each port assumes a fixed direction (input or output) over 
one cycle of operation, and can change directions across cycles. No distinction is made between cJock 
inputs and non-dock inputs. A cycle of operation consists of the application of a set of inputs followed by 
the stabilization of the module state before the next inputs are applied (I.e. fundamental mode operation is 
assumedJ. The states and inputs of a module are modeled symbolically, in a functional notation. This enables 
us to study not only finite-state controllers, but also large data paths, possibly with unbounded amounts 
of state. We present the abstract syntax for modules, well-formedness checks on the syntax, the formal 
semantics in terms of the denotation of a module, and the rule for composing two modules interconnected 
and operating in parallel, embodied in the operator par. ft is shown that par preserves well-formedness, and 
denotes conjunction. These results are applicable to virtually every kind of synchronous circuit (e.g. VLSf 
circuits that employ single or multiphase docks, circuits that employ switch or gate logic structures, circuits 
that employ uni- or bi-directional ports, etc.), thanks to the small number of assumptions upon which the 
HOP model is set up.
Submitted to a Journal.
■'■Supported in part by NSF Awards MIP-8710874 and MIP-8902558
Formal Aspects of VLSI Research Group 
University of Utah, Department of Computer Science
HOP: A Formal M odel for Synchronous C ircuits using C om m u­
nicating Fundam ental M ode Sym bolic Autom ata*
GANESH GOPALAKRISHNAN (ganesh@ cs.utah.edu)
University of Utah 
Dept, of Computer Science 
Salt Lake City, Utah 84112
Keywords: Formal Hardware Specification, Verification, Synchronous VLSI Design, Symbolic Automaton 
Models
Abstract. We study synchronous digital circuits in an abstract setting. A circuit is viewed as a collection of 
modules connected through their boundary ports, where each port assumes a fixed direction (input or output) 
over one cycle of operation, and can change directions across cycles. No distinction is made between clock 
inputs and non-clock inputs. A cycle of operation consists of the application of a set of inputs followed by 
the stabilization of the module state before the next inputs are applied {i.e. fundamental mode operation is 
assumed). The states and inputs of a module are modeled symbolically, in a. functional notation. This enables 
us to study not only finite-state controllers, but also large data paths, possibly with unbounded amounts 
of state. We present the abstract syntax for modules, well-formedness checks on the syntax, the formal 
semantics in terms of the denotation of a module, and the rule for composing two modules interconnected 
and operating in parallel, embodied in the operator par. It is shown that par preserves well-formedness, and 
denotes conjunction. These results are applicable to virtually every kind of synchronous circuit (e.g. VLSI 
circuits that employ single or multiphase clocks, circuits that employ switch or gate logic structures, circuits 
that employ uni- or bi-directional ports, etc.), thanks to the small number of assumptions upon which the 
HOP model is set up.
1 Introduction
Synchronous digital circuits axe, perhaps, one of the most widely studied forms of hard­
ware. The most common definition of a synchronous digital system is that it is globally 
clocked. This definition is often not directly applicable to all real-world synchronous hard­
ware systems because some real-world synchronous systems employ polyphase clocks, and 
their submodules use different subsets of the set of global clock phases. An obvious gener­
alization of the above definition of synchronous systems is: “a system with a logical clock 
that acts as the global time reference, and to which all the actual clock phases are aligned” . 
Though mathematically accurate, this view of synchronous systems violates the principle
"■Supported in part, by NSF Awards MIP 8710874 and 8902558 - printed 3/13/92
2 GANESH GOPALAKRISHNAN
of modularity: a. hardware module cannot be understood purely in terms of its interface 
signals; one is forced to refer to a (fictitious) global signal called the (logical) global clock, 
and relate all the actual clock signals to it. Another problem with this approach is that 
often the distinction between data and clocks blurrs - especially in switch-logic structures 
that employ level activated latches controlled by pass-transistors, and dynamic storage. It 
is then not clear how to accurately talk about global clocking. In addition, in polyphase 
clocked systems, there often exist embedded submodules that do not have an' explicit clock 
signal, but actually respond to rhythmically arriving data,. In this paper, we discuss how an 
adequate definition that promotes a modular view of synchronous systems can be set up.
A synchronous digital system is often viewed as a pair (nex tsta te .f unction, output-function).
This definition does not take into account the boundary ports of the module through which
inputs are received and outputs are generated. If the set of input and output ports are fixed
over time, there is no problem with this view; however, in many real-world synchronous sys-
\
terns, the set of input and output ports are not fixed. The directionality of ports is clearly 
a matter of concern to a digital designer who wishes to interconnect modules and wants 
to avoid errors due to two incompatible values “clashing” at a node where two ports that 
assume the output direction meet. In this paper, we discuss how to take into account varying 
port directions in a synchronous system.
One often hears “do” and “don’t ” rules about synchronous hardware. Some familiar rules 
are: “do not create combinational loops”; do not drive the same node with two sources. In 
other contexts, for example two-phase clocked designs, the following rule is often mentioned: 
“ensure that every cyclic path is clocked by both phases in an alternating fashion.” Yet, it is 
often not clear whether such usage rules are sufficient to guarantee something desirable, and 
what some of the desirable properties are. In this paper, we discuss the topic of adequacy of 
well-formedness checks.
In  a Nutshell...
In a nutshell, to accommodate the above concerns in a, formal setting, we take a fresh look 
at synchronous systems. We answer the following questions about synchronous hardware, in 
the framework of our simple, extended automaton based modeling formalism. Can we distill 
out the essential properties of synchronous hardware and capture it in a simple notation? Can 
this formalism serve as the basis of a simple HDL? Can well-formedness rules for synchronous 
hardware be formulated with respect to the syntax of a simple HDL? Are the well-formedness 
rules adequate, and if so in what sense? Would such an HDL be general enough to ignore 
differences between multiple clocking schemes, uni- vs. bi-directional ports, etc.l Ilow is time 
defined in this HDL? Is the HDL intuitive? Are descriptions able to deal with a potentially
unbounded amount of state; is this HDL suitable for describing both controllers and data 
path modules? What is tLie syntax of such ail HDL, well-formedness restrictions on the 
syntax, and syntax directed semantics? Is there a (binary) parallel composition operator 
(say par) that specifies the behavior of two modules that are interconnected? Does par 
preserve well-formedness? What is the denotation of par? Can par be implemented as an 
efficient algorithm to deduce a behavioral description from a structural description? We have 
not seen anyone else address all these questions in the context of a simple HDL.'
In this paper, we answer the above questions in the affirmative. Synchronous beha.vior is 
defined using one simple and well-known idea: that of the fundamental inode behavior.
R elated  Work
Finite automaton models were perhaps the first of the formal models to be used for study­
ing synchronous hardware [l]. Though the finite automaton models such as the Mealy 
machine model are elegant, intuitive, and practical to be used for studying small circuits 
such as finite state controllers, they prove to be inadequate for modeling large data, path 
modules such as translation lookaside buffers (TLBs), RAM  memories, or even registers of 
large widths, because these data path units have large amounts of internal state that can 
seldom be explicitly modeled. In response to the need to model larger systems, various hard­
ware description languages (HDLs) were invented; some recent examples are HardwareC [2], 
ISPS [3], VHDL [4], and Vcrilog [5],
However, most of the above HDLs are simulation oriented, and do not have a published 
formal semantic definition, nor the simplicity and the intuitiveness of an automaton model. 
Therefore the formal design community has searched for something that is expressive as well 
as semantically well specified. Many such HDLs have been proposed in the last decade. These 
formally based HDLs are deliberately kept domain specific because otherwise their semantics 
would become too involved. For example, many of these HDLs adopt a purely functional 
approach [6, 7, 8, 9, 10], while others adopt a, formal process model [11, 12, 13]; languages of 
the former category are better suited for modeling computation intensive systems while HDLs 
of the latter category are better suited for modeling control intensive systems. Most of these 
languages are designed to cater to specific needs such as writing high level specifications, 
conducting formal verification, or performing high level synthesis. They are often not well 
suited for capturing the behavior of VLSI modules a.t a detailed level; details such as single 
or multiphase clocks, switch vs. gate style circuits, the use of uni- vs. bi-directional ports, 
etc. cannot be uniformly treated in these approaches. They tend to make assumptions such 
as “single-phase clocking”, “uni-directional ports”, etc. at the very outset. This is also a 
weakness of the classical automaton model, as well as many of the “classical HDLs” such as
SYNCHRONOUS CIRCUITS MODELED USING COMMUNICATING SYMBOLIC AUTOMATA 3
ISPS, VHDL, and HardwareC.
Formalisms such as the Higher Order Logic [14] or the Boyer-Moore logic [15, 16] have 
been used for writing both high level and low level hardware descriptions. In principle, any 
hardware behavior of interest can be specified in these logics and this is one of the claimed 
advantages of these general purpose logics. For example, in [17], the use of HOL to model 
switch-logic, structures is discussed. So, in principle, approaches that use the language of 
a formal logic as the HDL are very general and expressive. Despite these advantages, the 
approach of directly using a formal logic for specifying synchronous hardware systems is 
not satisfactory because well-formed formulae in the logic of HOL that are used to describe 
actual hardware need not imply well-formedness (in the hardware sense) of the circuit de­
scribed. In  other words, what we are aim ing for is a notation where the notions 
of well-formedness of the H D L  description and well-formedness of hardware co­
incide. The approach advocated by us is to perform the well-formedness checks and then, 
if necessary, translate HDL descriptions into logic for the purposes of verification. However, 
this translation can be avoided if proof rules are directly formulated in terms of the syntax 
of the HDL itself [18, 19].
The work reported here is a direct outgrowth of work reported by us over the past several 
years based o i l  an HDL called “HOP”. Two key tools we have developed centered around 
are PARCOMP [20, 21], and PCA [22, 23]. PARCOMP is used to infer the behavior of a 
structural description. PCA is used to infer the behavior of regular array structures. These 
algorithms, especially PARCOMP, has been applied to large systems also. HOP has been 
used to describe many real-world systems [24, 25, 26], to study composition and abstraction 
[27, 20], for high-level simulation and test generation [28, 29, 22, 30], and formal verification 
[31]. All this work has convinced us of the utility of an extended automaton model to describe 
hardware. HOP is an extended automaton model in the sense that its state variables are 
tuples of individual variables and its transitions are guarded by first order formulae. The 
questions we have posed in this paper try to identify those aspects that are fundamental to 
synchronous hardware regardless of the notation in which they are described nor variations 
in their clocking scheme or circuit implementation style.
Similar automaton models, as well as simple HDLs for modeling hardware have been 
proposed: Behavioral FSMs [32], Transfer Formulae [33], Lustre [34], and LCF-LSM [35], 
to name a few. These automaton models do not provide well-formedness conditions and 
composition rules for synchronous systems. Hoioever, the emergence of such models is ample 
evidence to the following fact: designers are leaning towards extended automaton models 
which are, on the one hand, more powerful than the classical automaton models, but, on the 
other hand, are much simpler than most HDLs available today, and hence are much more
4 GANESH GOPALAKRISHNAN
SYNCHRONOUS CIRCUITS MODELED USING COMMUNICATING SYMBOLIC AUTOMATA 5
amenable to formal analysis, verification, and even design synthesis.
It is also interesting to compare our work with that reported in [36, 37]. In their approach, 
they have defined a simple form of Propositional Temporal Logic. Formulae in this logic are 
used to make assertions about circuits that are to be designed and simulated in the COSMOS 
[38] system. Simulation can be carried out in the scalar mode, using ground values, or in 
the symbolic mode, using Boolean values. The logic reflects some of the features of the 
COSMOS model, including the treatment of inputs and outputs, and the way X values are 
handled. The HOP model can be viewed as a higher level model that can be built on top 
of their model - in l'act, we have successfully verified many synchronous systems using the 
COSMOS model for low-level verification and the HOP model for high level verification [30].
Although many compositional models for transistors are under active research [39, 40, 41], 
they are too complex to be applied directly to synchronous VLSI modeling. Our work can 
be viewed as a continuation of these works in a sense; for example, in [39], the behavior of 
a sequential system over a phase of activity has been very precisely captured using a non- 
deterrninistic iterative process that has a deterministic outcome of stable node values. The 
net effect achieved by a computation over several sequential phases has not been studied; nor 
have phase level interactions between a collection of modules, and their collective behavior 
over several sequential phases studied.
What we focus on is precisely these aspects of sequential system behavior. We abstract 
away from the activities within a phase, and capture only the deterministic outcome of 
computations within a phase that result in the next state of the system. This reduces the 
complexity of the specification. We also propose a parallel composition algorithm PAR- 
COMP that deduces the collective behavior of systems across multiple phases. In the past, 
we have shown that PARCOMP has numerous applications, including error checking across 
symbolic execution paths, behavioral inference prior to formal verification, and in test gener­
ation. The provision of an efficient, parallel composition algorithm, the definition of structural 
well-formedness rules, and the ability to handle a wide variety of examples and problem sizes 
are some of the key features of our work.
W hy another autom aton  m odel?
One of the shortcomings of the HOP model we have used so far in our work, as well 
the extended automaton models used by others (cited above) is that they make several 
assumptions about synchronous hardware which make the model restrictive. Some of the 
restrictions are the following:
J . System clocks axe either not explicitly modeled, or are assumed to be of some standard 
variety (such as a single phase clock). It is awkward to study interactions among
systems clocked with different (synchronized) clocks.
2. Ports are assumed to be either always inputs or always outputs.
3. Well-formedness conditions are not syntactically characterized. Therefore, many com­
mon varieties of errors have to be detected in the semantic domain (e.g. in the process 
of a, laborious designer guided proof of correctness in a, system such as the Boyer- 
Moore [16] system or HOL [18]), rather than much more cheaply detected by means of 
well-formedness checks.
4. Parallel composition is either not defined, or inadequately characterized (this remark 
does not apply to LCF-LSM or HOP).
5. Control/data separation is not adequately supported, or this separation is too rigidly 
enforced. What we have found desirable is a system where control/data separation is 
supported, but not enforced. By doing so, various “modes of behavior” of a module— 
the various threads of control flow pertaining to the execution of “operations” as well 
as sub-cases that arise within operations— can be studied effectively. Often, during 
PARCOMP, several modes of behavior of a. module ca.n be pruned away when it can 
be predicted that the environment will not invoke these capabilities.
Features o f th e  new m odel, and C ontributions
In the work presented here, we study synchronous digital circuits in an abstract setting. 
A circuit is viewed as a collection of -modules connected through their boundary ports, where 
each port assumes a fixed direction (input or output) over one cycle of operation, and can 
change directions across cycles. No distinction is made between clock inputs and non-clock 
inputs. A cycle of operation consists of the application of a set of inputs followed by the 
stabilization of the module state before the next inputs are applied (i.e. fundamental mode 
operation is the only assumption explicitly made). The states and inputs of a module are 
modeled symbolically, in a. functional notation. This enables us to study not only finite-state 
controllers, but also large data paths, possibly with unbounded amounts of state.
We base virtually our entire work on one assumption: that fundamental mode behavior 
has to be guaranteed. This assumption, in a sense, captures the essence of synchronous 
system operation. Virtually all the well-formedness checks relate to this single assumption, 
and, to the best of our knowledge, are being pointed out for the first time in a cohesive 
manner.
6 GANESH GOPALAKRISHNAN
Approach to Formal Semantics
H O P specifications can be written for a black-box, or a network of black-boxes connected 
through their interface ports. The former are called behavioral descriptions, and the latter 
are called structural descriptions. Our approach to the presentation o f H O P  in this paper 
consists o f first specifying the formal syntax of HOP, then the well-formedness conditions 
011 the syntax, and finally, syntax-directed specification o f the formal semantics. This is 
similar to the approach taken in presenting formal logics or the semantics of programming 
languages, and in writing System Semantics [8]. Our approach differs from the approach 
taken in “classical automata theory” [42] in which an automaton is d irectly specified in 
terms of semantic objects— the domain of states, and the next-state function on states, for 
instance. W e do not follow the latter approach because of many reasons. First o f all, “ H O P 
automata.” are more general machines; they are not finite-state. Secondly, much of our work 
involves the syntactic manipulation of "automaton specifications” , studying their interaction 
through connected ports, performing parallel composition, and verifying the correctness of 
specifications given at a syntactic level. For doing all this satisfactorily, in a maimer that 
will help guide a software implementation of HOP, a formal syntactic specification is felt 
necessary. Therefore, we shall deviate from the classical automata theory notation.
Organization
Section 2 presents our notations. Section 3 presents the syntax and informal semantics
01 behavioral descriptions. Section 4 presents well-formedness checks defined on behavioral 
descriptions. Section 5 presents the clenotational semantics of behavioral descriptions. Sec­
tion 6 discusses structural descriptions, and parallel composition, PAR.COM P. Section 7 
proves that P A R C O M P  preserves well-formedness. Section 8 provides the denotation of par. 
Section 9 presents several examples illustrating HOP, and relating our view  of synchronous 
hardware with existing views. Implementation notes and conclusions follow in 10.
2 Notations
We use =  to denote semantic equality (based on fam iliar rules of the underlying functional 
calculus). In the following presentation, we adopt the idea that numbers can be viewed as 
sets. 0 represents the em pty set, and /V represents the set containing 0 . . .  N  — 1. {x{  \ 1 £ N }  
is the set { x 0, . . for example, N  — 3 gives {1 ,2 ,3 }.  # {.To, • • •} obtains the cardinality of 
a set; for example, # {1 ,2 ,3 }  =  3. {.;•, | i £ N }  U { x 3 \ j  £ M ]  obtains the union of the sets; 
for example, {1 ,2 ,3 } U {4 ,6 ,5 } gives {1 , 2, 3, 4,5, 6 }.
SYNCHRONOUS CIRCUITS M ODELED USING COMMUNICATING SYM BOLIC A UTOMATA 7
Here are the operations on tuples, (.t; | i £ N )  gives an A'”-tuple (a:0, . . . ) ;  for example,
N  =  3 gives (1 ,2 ,3 ). (.t; | i € 1) gives a one-tuple (xo ), where (x 0) =  .x'o- I f  t is a fc-tuple, tn, 
n 6 k is the n-th entry o f t. #(.x’o, • • •) returns the arity o f the tuple; example: # (1 ,2 ,  3) =  3. 
(.Tj | i £ Ar) U ( x j  | j  € M )  denotes tuple concatenation; example: (1 ,2 ,3 ) U (4 ,5 ,6 ) gives 
(1 ,2 ,3 ,4 ,5 ,6 ).
W e write
x as (e t | i (E N )
for some natural number N  to denote an TV-tuple x. Further, x is “ pattern matched” with 
the tuple pattern (e0, . . . , e ^ _ i).  e*. denotes the fc-th field of x, for k € N .
Here are the operations on lists. [x,- | i € N ]  denotes an A^-list [x’o,. . •]; example: N  =  3 
gives [1,2,3]. I f  / is a fc-list, l„, n G k is the n-th entry of I. #[a'o, ■ • •] returns the length of 
a list; example: # [1 ,2 ,3 ] =  3. [;r, | i G N ]  U [:t7- | j  6 M ]  concatenates the lists; example: 
[1,2, 3] U [4,5, 6] gives [1,2, 3. 4,5, 6].
m ap  is a, higher order function that applies the function given as its first argument to 
a list/set/tuple given as its second argument, and returns a list/bag/tuple, respectively. 
Notice that bags are returned as a result o f applying m ap  to a set. This perm its smoother 
definitions. Example:
map(successor,  [1, 2]) =  [2,3].
Another example:
map(square,  { 3 ,2 })  =  {9 ,4 } .
A  third example:
map(odd , {3 ,2 ,1 } )  =  { T r u e ,  T ru e ,  Fa lse } .
W e will often om it explicit conversions between lists and sets. W here necessary, however, 
the conversion functions l ist2set and tuple2set w ill be used.
The notation Ar [[ E /D  ], where E  =  (ej | i € k) is a fc-tuple o f expressions and D  =  (dt \ 
i € k) is a /c-tuple of variables denotes the simultaneous replacement o f dt occurring in X  by 
et.
W e write (e^ e-2) to denote the application of the function denoted by ej on the argument 
denoted by e2.
Types are regarded as sets, v (E r  denotes a value o f a. type r; example: 5 6 Nat ;  
t rue € B o o l : X € Bit .
Let function p o r t s ( X )  returns the ports used in X ,  where X  is an expression or a formula. 
Let ua?,.s (X ) denote the set o f free variables in expression/formula X .
8 GANESH GOPALAKRISHNAN
SYNCHRONOUS CIRCUITS M ODELED USING COMM UNICATING SYM BOLIC AU TO M ATA 9
= (D D , ___  , D )
0, l nd(M) - 1
Figure 1: A  Generic State Diagram 
3 Behavioral Descriptions
M od u le : M  =  ( P , N )
Figure 1 shows the general nature of the state transition graph of a H O P  module. Much of 
the term inology to be introduced is illustrated in this picture. Though this picture brings out 
some relationships with classical automata, H O P  is an extended symbolic automaton model 
tailored for the description of synchronous systems viewed as fundamental mode machines. 
In the rest o f this paper, we avoid drawing such pictures because they become unwieldy for 
large examples.
A  hardware module M  is as a pair ( P , N ) .  P  is a possibly em pty set of boundary ports 
o f M . A  port p in P  can serve as an input port during certain cycles, and as an output port 
during other cycles. The type o f values carried by a port remains the same throughout. (W e 
assume that the types of objects that ports can carry are bit-vectors of length >  1.)
10 GANESH GOPALAKRISHNAN
N  is a non-empty finite set of nodes1 of M .  By convention, module M  starts its execution 
at node n0. The nodes in N  are connccted by transitions (as explained below) and thus 
forms an “automaton diagram” . W e introduce selectors P and N to select the components 
P  and N  o f M . Also, n0( M )  selects the starting node o f M .
Each n G N  is, informally, a tree of height 1 whose root is a symbolic state, and whose 
leaves are the next-states that are reached through transitions that form  the tree edges. 
Transitions are guarded by first order formulae. Formally, a node n G N  is a lambda 
expression
X D n. ( P O n, {(< /?, < , £ ? )  | i G n t r ( n ) } )
that takes a tuple o f values for the data, states D n and returns a, pair (por t -outputs,  s e t . o f  .moves)  
where the port outputs made at node n are P O n and the zth move made out of node n is 
described by (</.", n}1, E f )  -  to be explained below. The lambda, expression is closed in the 
sense that all occurrences o f variables in its body are bound by D n and port identifiers that 
occur in its body belong to P .
The starting (sym bolic) state for node n is D n. I ) "  is a tuple of variables that denotes the 
internal data state:
D "  — (v{ | i G n d ( M ) ) ,
where n d ( M ) is the number o f data path state elements o f M — an a priori fixed quantity 
( i .e. the module doesn’ t, for example, “dynam ically allocate m em ory” ). Vi belong to Var ,  
the universe of variables. (Note: W e will om it the superscript n, writing D n, etc., as D,  
rii, etc., when the node in question, n, is clear from  the context.)
The first action performed by the module while in state D n is to generate port outputs 
P O n. P O n is a set of port outputs (port-expression pairs):
P O n =  { ( P l , e , )  I Pi G P, et G E X P 1’ }
such that if ( p i , e t) G P O ,  there exists no other (p j,e ?) G P O .  Selectors p and e are used to 
select the components o f a, port-expression pair. Define
i p o r t s ( P O n) =  U ie # (po») por ts (e i )  s.t. (p ,;,e t ) G P O n
to be the input ports, the values coming through which are used to generate the port outputs 
on ports pi.
E X P p are expressions defined over ports P :
E X P f  : : =  V a r  \ P  \ f k( E X P f  \ i G k)
'In  the sense o f a graph node.
SYNCHRONOUS CIRCUITS MODELED USING COMM UNICATING SYM BOLIC AU TO M ATA 11
where V  ar denotes the universe of variables, and (according to the notation introduced so 
far) f k( E X P f  | i £ k) represents a k-ary function applied to k >  0 arguments. An example 
is plus ( l ,  x,p) .  This expression evaluates to the sum of 1, the value denoted by variable x, 
and the value incoming into the module through port p.
There are n tr (n )  transitions outgoing from D'\ each of them guarded by guard gt. Guards 
gi belong to the language GuardF and have the syntax
Guardsp : :=  B V  ar \ B P  \ pk( E X P tP \ i £ k) \ bk (Guards7* \ i £ k)
where B V  ar  are Boolean variables ( B V  ar C Var) ,  B P  are Boolean ports ( B P  C P ),  pk 
are first-order predicate constants of various arities k >  0, and bk are boolean connectives of 
various arities k >  0.
The ith next-state is specified by the pair (ii™, E? )  thus: ??" is the node reached via 
the ith transition out o f n, and E " are the “actual parameter expressions” corresponding 
to the lambda-abstracted “formal parameters” o f node nf.  Suppose the actual parameter 
expressions E-1 when evaluated yield values Vtn. Then, after taking the ith transition, the 
module resumes execution as per (n™ Vtn) (the lam bda expression n™ applied to the value 
tuple V]n). We call a form  (n V )  a node instance.
The arities o f n™ (the number of formal parameters) and E (the number of actual pa­
rameters) are required to be the same. We require that each m odule have at least one 
transition going from n back to ?/; by convention, this is the zeroth transition. In other 
words, n tr (n )  >  0 for any node ??., and n„ is the same as node n.
We define
inp (n )  =  (U ient,(n) ports (g f )  U po r ts (E ” )) U ip o r ts (P O n) 
to be the set of ports that are configured in the input direction while at node n. Also define
outp(n)  =  map p P O n
to be the set of ports configured as outputs while at node n.
It is clear that inp(n)  fl outp(n)  must be equal to the empty set, for every n. However this 
is not enough: those ports that are, at the present time (while at node n) used as inputs 
must not be configured to be outputs during the next time (while at any successive node). 
This restriction arises because o f the fundamental m ode behavior: external inputs are held 
stable until the system stabilizes in its next state; the external world, if it chooses to do so, 
should be allowed to continue to drive the external inputs even after the system attains the 
next state. In other words, after reaching the next state, the input ports must not suddenly 








Figure 2: A M odulo Counter 3
m odify the above requirement to the following two requirements:
inp(n)  H (outp(n)  U outp(n^) )  =  0 f o r  every i £ n t r (n )  (1)
outp(n)  D (U ienlr(n)m p(7i")) =  0 (2)
Condition 1 says that those ports that are configured as inputs in the present state must not 
be configured as outputs either in the present state or in any of the next states. Condition 2 
says that those ports that are configured as outputs in the present state must not be config­
ured as inputs in any of the next states. Notice that we do not require inp (n )  U outp{n)  =  P  
because there may be ports that are neither used as inputs nor as outputs. Some of these 
ports may be in the process of changing their previously assigned directions; in fact, this is 
exactly how ports change their directions -  they go through a “neutral state” before changing 
their directions.
3.1 A n  E xam p le  o f  H O P  Spec ifica tion
The example in figures 2 and 3 specifies a counter operating under a two-phase clocking 
discipline. The specification is provided in two syntaxes: one corresponding to the above 
mathematical definitions, and the latter being a readable version of the former. We shall 
discuss the latter syntax as it is more readable. This syntax is based on familiar programming 
language syntax instead of the lambda notation.
SYNCHRONOUS CIRCUITS M ODELED USING COMM UNICATING SYM BOLIC A U TO M ATA 13
c t r  = (P ,M )
P = { p h i l , p h i2, l o a d ,  d i n d o u t }
N -  {n O ,  n l }
nO = la m b d a (D O ,D0UT0) .
( ( d o u t , D 0UT0) ,
{  ( ' p h i l , nO , (DO , DOUTO) ) ,
( p h i l  / \  ' p h i 2 A l o a d , n l , ( d i n  , X d t ) ) ,
( p h i l  A  ~ p h i2 A " lo a d  A  DCKMAX , n l , (DO+1, DO) ) ,
( p h i l  A  ~ p h i2 A " lo a d  A  DO=MAX, n l , ( 0, DO) )
>
)
n l  = l a m b d a ( D l , D 0UT1) .
( ( d o u t , D 0UT1) ,
{  ( ~ p h i2, n l  , ( D l , D0UT1) ) ,
( " p h i l  A  p h i2, n O , ( D l , D l ) )
>
)
MODULE c t r ( s i z e ) ( *  macro p a r a m e t e r s  -  can be o f  any ty p e
-  t h e  macro i s  expanded ft th e n  t y p e - c h e c k e d  * )
TYPE
dT : v e c t o r  s i z e  o f  b i t
PORT
IHPUT p h i l ,  p h i2, lo a d  : b i t ;
B ID IR  d i n  : d T ; ( *  D e l i b e r a t e l y  s p e c i f i e d  as B ID IR  *)
OUTPUT d o u t :  dT
BEHAVIOR
c t rO (D O ,D O U T O ) ; {dout=DOUTO>
= {  " p h i l -> c trO (DO,D OUTO)
1 p h i l  A  ~ p h i2 A
{  lo a d - >  C t r l ( d i n , X d T )
1 ' l o a d  A  { DO<MAX - >  c t r l ( D O + l , D 0)




C t r l ( D l , D 0UT1) ; {d ou t=D D U T l>
-  {  ~ p h i2 - >  C t r l ( D l , D0UT1)
1 " p h i l  A  p h i2 - >  c t r O ( D l , D 1)
>
END c t r
Figure 3: A  Modulo Counter in Formal and High-level Syntaxes
The first aspect oi’ the high level syntax is that it allows fixed direction ports to be 
separately specified in the INPUT and OUTPUT sections, and ports that can change their 
directions in the BIDIR section. Directions are specified in this manner to permit better 
static checks. The types o f ports can also be defined. From now on, we focus on the 
BEHAVIOR section.
The counter begins its operation in control state ctrO, in data state (DO ,D0UT0) , and with 
its only output port dout holding the value DOUTO. Control states ( “c s ” ) are names given 
to nodes. They are shown as the names of tail-recursive functions, whose formal arguments 
are the data states ( “ds " ) .  Port outputs are written as “p o r t = e x p r e s s i o n , . . denoting 
a set of p o r t , e x p r e s s io n  pairs. In the textual order, these port outputs are specified after 
the term c s ( d s )  and a semi-colon.
W hile in state c t rO (D O , DOUTO), so long as guard ~ p h i l  is true, the sta/te is maintained 
at ctrO (DO , DOUTO). Both the clock inputs must not be simultaneously made true in state 
ctrO. If the inputs are changed so as to satisfy p h i l/ \ ~ p h i2 / \ lo ad  and held steady at that 
state, the execution reaches control state c t r l ,  with data state (D l  ,D0UT1) set to ( d i n , X d t )  
where Xdt is the value acquired through the input port din, and XdT is an unknown value 
of type dT. (This behavior is shown purely for illustration, and need not correspond to an 
actual counter.)
In state c t r l  ( D l , D0UT1) , so long as ~phi2 holds, the system stays in the same state, 
producing the output D0UT1 011 port dout. Thus, notice that the condition that brought the 
system into state c t r l — namely ph i l/\~ph i2/\Y  where Y is some formula, is stronger than 
the condition necessary to hold the attained state— i.e. only the condition ~phi2 need exist 
once the state c t r l ( D l , D0UT1) has been attained. This property will be discussed further 
in section 4.
In this state, the counter is prepared only to recognize one other condition: ~ph i l/\ph i2 .  
For example, if both clocks were to be found high. 110 “move” is defined, indicating that this 
combination is not meant to be supplied from outside. W hen  the allowed combination ( p h i l  
low and phi2 high) occurs, the stale ctrO is attained. In state ctrO notice how the guards 
D0<MAX and D0=MAX are used to guide the execution to proceed to two different states.
Guards capture the dependence of control flow on data. Thus, in our sym bolically specified 
“generic autom ata” , the execution is classified into a small number of classes (=  paths) by the 
guards, and within each class, the next-state and output functions are sym bolically specified 
using a functional notation, thus specifying many actual executions very com pactly.
The above specification of the counter allows the com bination p h i2 = l  and p h i 1=0 to 
immediately follow the com bination p h i2 —0 and p h i l  =  l. If the clocks have to be forced to
14 GANESH GOPALAKRISHNAN
SYNCHRONOUS CIRCUITS M ODELED USING COMMUNICATING SYM BOLIC AUTO M ATA 15
go through the com bination phi2=0 and phi 1=0 before assuming the com bination phi2=l 
and phil =0, the specification can be suitably modified.
Before we examine other examples, it is appropriate to know about the exact details of 
execution of HOP processes, and how it corresponds to the fundamental m ode execution 
model. It is also appropriate to know about well-formedness conditions formulated at the 
HOP syntax level that, in turn, im ply the well-formedness of the hardware being m odeled. 
These are now presented. "
4 Well-formedness •
In this section, we discuss all the well-formedness conditions on HOP modules. The well- 
formedness conditions explained in section 3 as part o f the definition o f modules are first 
repeated below:
W F1: n tr (n )  >  0 lor any node n.
W F2: =  n for any node n.
W F3: A node is a. closed lambda, term. ■
W F4: The arities o f ??" and i?" are equal.
W F5:
inp(n )  Pi (ouLp(n) U outp (n f ) )  =  0 f o r  every i £ n tr (n )  
outp(n)  n (Uientr(„)Z72p(n” )) =  0
W F6: If (p,-, e,-) £ P O , there exists no (p ;,e ,j  £ P O  such that e, ^  e
Additional well-formedness conditions are now presented and explained:
W F7: g? ^ g ? l E ? / D n }
In other words, every guard that is true at node n before a transition must remain true 
after the transition. Or, the transition must not disable the guard.
Consider a guard g that gets disabled by a transition. In terms of circuits, we have 
a boolean circuit C  that evaluates guard g " and produces output on an internal port
o. The outputon o is true before the transition and false after the transition. Since 
the true output oil o is used to generate the next state which, when shifted into the 
“present state” latches causes output o to becom e false again, certainly an internal
16 GANESH GOPALAKRISHNAN
combinational loop must have formed. This is being ruled out by insisting that o 
remain true even after the transition.
It is assumed that if </” is true, then all the transient intermediate states that the data 
state goes through in the process of changing from  D n to E™ also preserve the truth
o f  g ? .
Usually the stability o f the guards g™ is guaranteed by the fact that g "  does not use 
any data state component that changes: i.e., g f  does not use D% if  D £ ^  { E f ) k  (i.e., 
the /cth component of the tuple ( E ] 1) ) ,  for k 6 n d ( M ) .
W F8: g ? = > g f l E ? I D n l
In other words, if ports in inp (n )  are held steadily at values V  that make the guard 
true, the system will attain the next-state corresponding to node n " (the ith  next-node 
from node n)  and then remain in that state by taking the zeroth  transition from h ™
. . » . n 11 . .
back to itself (the “self loop” ). Therefore guard g0’ that guards this self loop w ill have 
to be true under the very same inputs, V.  I f  the module cannot remain in state n " 
under the inputs V,  this state proves to be a “ transient state” which we do not model 
as a H O P  automaton state.
The im plication sign signifies that some of the external inputs may actually turn out 
to be don ’ t cares after the transition, because of the change of state. In short, “ the 
perturbation condition for node n is stronger, or at worst, as strong as the holding 
condition for the next node attained, n " ” .
W F9: Vi, j.  i ^ j = >  ->(g? A g j ) ;
i.e., the guards o f transitions going out of a state are mutually exclusive. This means 
that H O P  processes specify determ inistic computations.
W F10: V i£ntr(n) V? “  <ru<;
i.e., the guards are exhaustive. Some o f the transitions may lead to error states, though. 
Thus the behavior is totally specified.
The following is a useful (pessim istic) error checking procedure that covers many o f the 
above well-formedness conditions: every guard must involve at least one input, por t ; i.e., 
ports (g^ )  ^  0. The argument in favor of this check proceeds as follows. Assume </£ has no 
port identifiers occurring in it. There are three cases:
1. g™ — fa lse :  in this case the guard, and the transition it guards can be elim inated. 
The next two cases assume g% =  t rue  for some value assignment of D n.
2. k =  0: then, the module, after reaching node n remains stuck in the self-loop going 
from n back to n. (Recall that if g  ^ is true, no other guard g '1 can be true.) W h ile 
a module remains stuck in the self-loop going from  n back to n, it can still serve as a 
combinational unit, because the P O n component of a node is a set of combinational 
functions specifying values for output ports outp {n ) in terms of input ports inp (n ) .  
However, the situation o f a module remaining stuck in a state is unusual, and calls for 
a warning to be issued. '
3. k ^  0: the module, after reaching node n can imm ediately slip away to the next node 
nk- However, this would violate W F9  because after reaching node ??,, by W F8, gq must 
also be true.




First we examine the informal semantics of a module. Consider a module M  — ( P , N )  
at node instance (n  V ) .  It provides output values corresponding to P O 11. Suppose the 
environment applies input values through ports p o r ts (g f )  such that g" is made true. Then, 
the module evaluates E ] 1 at the current tim e, yielding values Vtn and resumes its behavior 
at node instance ( n'[l V™).
. . . . nn .
Since, by W F8, the inputs applied are guaranteed to satisfy g0' , the module w ill be held 
in state ??." until the next external perturbation comes along.
The “execution” of Ad thus proceeds in discrete steps. Each such step measures one t ick  of 
tim e on ail abstract tim e scale. A ll the modules in the system use the same tim e scale because 
we require a collection o f interconnected modules also to respond to one perturbation, attain 
a steady state collectively, and then only accept the next perturbation.
T im e t begins with the /tli application of the external perturbation, and lasts through the 
attainment of stead}’ state by M  following the perturbation. A  move through </q , for any n, 
also constitutes one tick.
“’The term “denotational semantics” is used in a. broader sense, to mean ‘'semantics in terms o f abstract
semantic domains such as sets, relations, etc.” - similar to Boute’s System Semantics [8].
SYNCHRONOUS CIRCUITS MODELED USING COMMUNICATING SYM BOLIC A U TO M ATA  17
Formal Semantics
W e define the behavior of a module M  as its behavior when started at node n0(M ) .  W e 
associate with each module M  its boundary waveforms, W .  W  is a mapping from  a port 
name p and a tim e t to the value held by the port at t. ( W  p)  w ill be defined for all those 
points in tim e, /,, where p is configured as an output port. For the remaining p o m  is in time, 
( W  p) is to be supplied by the external world, in the form  of input values, or is undefined, 
if the value at this tim e is o f no interest.
W e use the valuation relation M m for determ ining the meaning o f a module, valuation 
relation M n for the meaning o f a node, and valuation function ( M o  W  I ) for the basis 
case o f expressions and formulae. The evaluator M o  takes the waveforms W  and tim e t to 
become a “specialized evaluator” that can then evaluate expressions E  w ith respect to W  
and at tim e I. We indicate this by the application ( M o W  t ) { E ) .  The value tuple V  used 
in the form al argument list o f M m is the starting state of module M .  In the following, let 
Pred be the meaning of preclN and Fn be the meaning o f f N .
M m { M  as [l>. .Vi. 1/ W, i )  =  M n {  n0(A/), V; W , t )
M n(n as AD . ( P O ,  { ( g ^ n ^ E , )  \ i G n t r ( n ) } ) , V , W , t )  =  
le t  ( P O \  { {g'i, E'{ ) | i G n t r ( n ) } )  =  (n V )  
in
A (p„ e, )ePo' W ( p i , t )  =  ( M 0 W t ) ( e i)
A 
Kientr(n) ( M 0 W  t) (g\) M n(n't , { M u  W  t ) ( E \), W , t  +  1) 
end 
( M o  W  t ) ( - i l i t e r a l ) =  n o t ( ( M o  W  t ) ( l i t e r a l ) )
{ M u  W  l ) ( p re d N (term-i \ i G iV )) =  Pred {map ( M o  W  t )  ( terni i  \ i G A^))
( M q  W  t ) ( l i t e r a l  A f m l a )  =  a n d ( ( M o  W  t ) ( l i t e r a l ) ,  ( M o  W  t ) ( f m l a ) )  
( M o  W  / )(/ A ( terrni \ ? G N ) )  =  Fn (map ( M o  W  t) (term-i \ '■ £ N ) )  
( M o  W  l ) ( p o r t )  =  W ( p o r t , t )
The meaning of a module M  starting at node instance (no V )  is defined with the help of 
the M n function. The construct
le t  ( P O \  | i G n t r ( n ) } )  =  (n  V )
18 GANESH GOPALAKRISHNAN
SYNCHRONOUS CIRCUITS M ODELED USING COMMUNICATING SYM BOLIC AU TO M ATA 19
specifies that (n V )  is to be pattern-matched with the pattern specified to the left of the 
equals sign.
The behavior at node n is specified by M .n in two parts: for every port-expression pair 
{pi, ei) £ P O  , the value of e,; is asserted on port p,-. Then, for every transition guarded by 
if this guard is true, the meaning of the next state is asserted, again using the M .n function. 
Notice that the E[  are evaluated at time t. Thus, the next state is determined as a function 
of the current state and the current inputs.
Finally, the meaning function (j\4o W  t)  is specified through structural induction over the 
expression syntax.
5.1 Adequacy of Well-formedness Conditions
Are the well-formedness checks WF1 through WF10 adequate in an intuitive sense? In 
this section, we examine this issue, using the notion of a functional execution sequence for 
hardware modules. A functional execution sequence specifies that the next-state, current 
outputs, and the present port-directions are all functionally determined by the current state 
and the current inputs. In most formulations, hardware modules denote stream functions 
[6] where each stream is associated with either an input port or an output port. Since ports 
retain their directions over time in these models, many of the well-formedness checks we 
prescribe do not apply in their models. A functional execution sequence is a generalization 
of the idea of stream functions because different ports are used as inputs and outputs at 
different time steps.
We show that a module M  started at node instance (n0( M )  Vo) denotes the functional 
execution sequence
I J >  0],
i f  and only i f  M  is well-formed according to WF1 through WF10. Here,
• rij is a node, V, are the values bound to D n’ , u t are the input values fed through the 
input ports inp(ri j ) ,  and Vj are the values produced on the ports outp(n:i).
•  viq — n0(M ) ,  — Ju( i t j• Vj , !1j )• Vj _)_i — _/vr(?ij, Vj, u,j). and vj fv(n,j. Vj. n-j)-
Functions /V, and J\, are (respectively) the next-node, next-state, and present- 
output functions. These functions are specified by the lambda expression iij itself, 
as follows: the P O Hj component of iij specifies the present-output function, and each 
(g™3 ,n ” '', E '^ )  specifies the next-node and next-state functions.
• The next set of input and output ports are also functionally determined from the 
present state and present inputs.
• For j  >  0 if
( i i j ,V j ,U j ,V j ) ,  and
(n3+i , Vj+1, Uj+1, vj+1) _
are such that Uj =  a,+i, then V]+ \ =  VJ+2 and nJ+1 =  ??.,•+2- In other words, if the 
inputs Uj that cause node n 1+\ to be reached are held steady ( u 1+1 =  Uj), the self-loop 
is taken, holding the node, the data state, and the outputs also steady.
• Further, if 'ttj+i =  Uj+2 then Vj+ i — Vj+2 also. This is because Vj is a function f v of
The definition of a junctional execution sequence captures many intuitive properties of 
synchronous system behavior that are well known. Our remarks about synchronous sys­
tem behavior are based 011 the denotational semantics presented earlier. We now provide 
arguments to support the necessity and sufficience of the well-formedness conditions.
Not Well-formed => Non-functional Execution
If WF1 is violated, there are dead-end nodes, which truncate the execution sequence. If 
W F2 is violated, i.e. if there are no “self-loop” transitions for a node n, a module will be 
forced to exit n the moment it is entered, thus making n a transient state, even though the 
same inputs are held. W F3 and W F4 capture the syntactic well-formedness of the lambda 
expressions. If W’F5 is violated, the same port can end up being driven by both the module 
and the environment, as described in section 4. If W F 6 is violated, two different output ports 
can produce “clashing” values. If W F7 is violated, a state transition can inhibit itself; then, 
the next-state function is not defined. I f W F 8 is violated, a. module cannot stay at the same 
node despite the same inputs being provided from the external world. If W F9 is violated, the 
behavior is non-deterministic. If WF10 is violated, the behavior is only partially specified. 
Thus, if any of WF1 through WF10 are violated, a functional execution sequence will not 
result.
Well-formed => Functional Execution
If all the well-formedness checks are passed, and a module is started at a node instance 
(n V ) ,  its current outputs are determined by the port outputs P O n functionally, without 
causing any input and output port values to clash (W F5 ) or two output port values to clash 
(W F 6); there will be always one transition (W F 1) and exactly one true guard (W F9 and
20 GANESH GOPALAKRISHNAN
WF10) -  say the /1b guard; the module will evaluate EJ1 and bind the values to n}1 (W F4), 
and successfully complete its transition (W F7). While in the new state, if the same inputs 
are held, the module continues to retain the same node, and data state (W F 8). Thus, given 
that all the well-formedness conditions are satisfied, a module exhibits a functional execution 
sequence.
6 Structural Descriptions, and Parallel Composition
Two modules M °  and M 1 interconnected at a subset of their boundary ports forms a 
new module parm( M ° , M J). This function is defined with the help of function par which 
composes two nodes:
parm(M ° ,  M 1) =  (P ( M 0) U P ( M 1) , N )  
where
n° E N(A/0) A n1 E N( M\ ) => par(n0,n i )  E N  
N  is the least such set
par [n°  as AD ° . ( P O ° ,  {(</?,«?,£?) \ i € n tr(n0) } ) ,  
n l a s X D \ ( P O \ { { g ^ n ) , E } )  \ j  E ntr {-n})} ) )
=  \ {D°  U D l ).
( { ( P,G(e)) | (P, t ) e P O " u P O ' } .
{G ( « , ° A !, ‘ ) , (p o r ( „ » , n ‘ ) , G (£ “ U £ ; j ) )  I ( i , j )  6
G  is undefined i f  c. lashing(PO° U P O 1) V cyc l ic (PO°  U P O 1) 
else G is as def  ined below 
c lash ing (PO )  [ />,.(,) E P O  A 3[j>,. < , j E P O  s.t. e, 7^  
cy c l i c (PO )  =  3 (p, e) 6 P O  s.t. p 6 ports(e)
The definition of parm specifies that the ports are unioned and N  is inductively defined 
in terms of N (M o) and N(iV/x) via par. par takes the two nodes n° and n l and returns the 
resulting node (denoted by a, lambda expression).
The main step performed by par is to determine a function G  and then apply G  to the 
expression component e of port-expression pairs, to the conjunction of the individual guards, 
9i A g*, and to the concatenation of the actual parameters, E °  U E j  corresponding to the 
next-state.
SYNCHRONOUS CIRCUITS M ODELED USING COM MUNICATING SYM BOLIC AU TO M ATA 21
G  is defined through the following algorithm:
G  =  f la t t e n (P O °  U P O 1, # (P O °  U P O 1)) 
f l a t t e n (P O  as {(p,:,et) | i e # P O } , j )
=  P O ,  i f  j  =  0
=  uncle f ined, i f  P j -\  G p o r ts (e j - 1 ) or c lash ing (PO )
=  f  latten({(pi , e.,-[ e ^ / p j ^  ] )  | i G # P O } , j  -  1)
Algorithm f la t ten  successively eliminates each occurrence of port P for which there is a (p, e) 
pair in P O , from every e such that (p, t )  G P O .  It terminates in as many steps as there are 
elements in P O , and returns uncle f ined  only if cyclic or clashing are violated.
Applying G to gf A g) and E f  U E ■ is tantamount to symbolically propagating port values 
into the places where these values get used. This step has been found to be quite valu­
able in hardware verification, as explained in [20, 31]. Some of the benefits are that the 
inferred behavioral description becomes intuitively clearer and the errors in the specification 
(combinational loops for instance) are revealed during f latten.
7 par Preserves Well-formedness
Given well-formed modules, par produces a well-formed module, as the following steps 
argue:
W F1,W F2,W F3,W F4: Trivially true.
WF5: par first of all unites the input ports and the output ports from the individual 
nodes. Since the individual modules are well-formed, the result of uniting the ports 
is also well-formed as per WF5. The substitution performed using G  only eliminates 
zero or more input ports from gf A </.- and E f  U E j ,  and this cannot violate WF5.
W F 6 : The check clash ing  done during par assures this.
WF7: If the substitution referred to in W F7 were to be [ ( E f  U E j ) / ( D °  U D 1) ], for 
the composite module, then the composite module satisfies WF7. However, the actual 
substitution applied during composition is [ G ( E f  U E^)/ (D°  U D 1) ].
As G  merely replaces each occurrence of a port in ( E f  U E j )  with the expression 
associa.ted with this port in P O ,  substitution using G does not violate WF7. (A  port p 
occurring in an expression E  indicates that any value that may come through p can be 
substituted for the occurrence of p in E.  Thus, the application of G  merely specializes
22 GANESH GOPALAKRISHNAN
SYNCHRONOUS CIRCUITS MODELED USING COM MUNICATING SYM BOLIC AUTO M ATA 23
the expression ( E f  U E j ) . )  Note: The check during par that P O  is not cycl ic  makes 
sure that G  is not undef ined.
W F8, W F9, WF10: Since they are true for the individual modules, they w ill end up 
being true for the composite module, as can be easily shown.
8 The Meaning of par .
W e argue that parm denotes conjunction; in other words,
M m{ p a r ( M \ M l ), V ° U V \ W ,  t )  =
M m{ M °  as (P ° , N ° ) , V ° , W , t )  A M ^ M 1 as (P \  TV1), V 1, W, t )  
where W  maps ports over ( P °  U P 1) to ( t im e  h-> values)
The following lemma will be used in our proof of the above:
Ai'gjV (f)i —^  C*i) =  V t'gjV (^/i A C-i)
where >  0 is an index set, and gi, i G N  are mutually exclusive and exhaustive, and C x 
are any boolean formulae. The proof is straightforward from the definition of im plication 
(=>■) and the conditions mutually exclusive and exhaustive.
Using this lemma, we can rewrite the denotation of a module (defined in section 5) as 
given below:
W e actually prove a more general fact: that the conjunction of the meanings of two nodes 
n° and n l is equivalent to the meaning o f the node p a r ( n ° , n l ). W e determ ine the values of 
the nodes at and { D l , W , t )  instead of at ( V ° , W , t )  and { V l , W , t ) .  W e first write
the conjunction of the meanings of two nodes n° and n l (called LHS below ), as
M n(n° as \ D ° , ( P 0 ° , { { g ? ,n ? ,E ? )  \ i e  n t r { n ° ) } ) , D ° , W , t )
A  .
M n i n 1 as X D \ ( P O \  { ( g } , n } , E l )  \ i G n t r i n 1) } ) ,  D \ W , t )
( V
i6nfr(u°)
A (Pa-^a- )G ^ o W ( Pkj )  =  ( M o W t ) ( e k) 
A ( M 0 W t ) ( g ° )




A (Pi,ei)e/5o 1 W { P h t )  =  { M o  W  t ) ( e t)
A ( M 0 W i ) ( g ] )  
A M n( n } , { M 0 W  t ) ( E } ) , W , t +  I ) )
This can be rewritten (by taking the product of the two disjuncts) as
24 GANESH GOPALAKRISHNAN




The meaning of pa r (n ° ,n l ) (called RHS, below) is




^(p^^efpoouPO1) W (p , t )  — ( M o  W  t ) (G (e ) )  
A { M o  W  t) (G(g® A </]))





w l i tre
G  =  f l a t t e n ( P O °  U P O \ # ( P O °  U P O 1)) (9)
We will argue that the pairs of formulae 3, 4, and 5 are (respectively) equivalent to the 
formulae 6 , 7, and 8 . Consider the pair of formulae 3, and the formula 6:
^(Pk,ek)6PO° W ( p k, t )  — ( M o  W  i ) ( e k)
A
A {pt,ei)ePO' W(pi,  t) — ( M o  W  t ) (e i )  ---- (Same as 3 above)
A(Pie)6(jpO0upoi) W ( p , t )  =  ( M o  W  t ) ( G ( e ) ) -----(Same as 6 above)
If, for every pair (pk,£k) £ P O 0 and a pair (p i ,e i )  £ P O 1, if pk por ts (e i )  and pi (fc 
por ts (ek ) , then G  is the identity function, and then equations 3 and 6 are identical. Suppose 
pi occurs in ; then, we have
( ( M o W t )  ek)
=  {  By the def in it ion o f  M o  }
26 GANESH GOPALAKRISHNAN
( ( M 0 W t )  ekl W ( Pt, t )/P l })
— { B y  the de f  init ion o f  II }
((yVf0 W  t)  ek{ ( M o  ei t)/pi ]])
=  {  By the def in it ion o f  }
( ( M o W t )  e , [  et/p,})
Thus, we can see that the conjunction of definitions for W  as captured by equation 3 can 
be captured by ail equivalent definition where ports pi occurring in e*. can be eliminated by 
means of the substitution e/.[ ei/pi ]]. If we carry this process to'the limit, eliminating every 
such occurrence oi a port such as pi from e ,^ the effect would be the same as applying G  to 
expression e, as done by equation 6. Thus, the equations 3 and 6 capture the same effect. 
A  detailed proof based on induction is omitted.
Now consider the proof that the conjunction of the meaning of the guards (equation 4) is 
equivalent to the meaning of the conjunction of the guards to which function G  is applied 
(equation 7). From the definition of ,M0, it is clear that the pair of conjuncts 4 is equivalent 
to
. ( M , W t ) ( g ^ g ) ) .
Now, notice that the above pair of conjuncts is conjoined with the pair of conjuncts 3; the 
pair of conjuncts 3 is equivalent to
a (?j,c)£(po°upo1) W ( p , t )  =  (M q W  i)(G '(e )).
Thus, for every occurrence of a port p in gf A gj,  the value of the port from W  can be 
substituted. This is tantamount to applying function G  to </° A g 1- before its meaning is 
computed, as the formula 7 indicates.
The arguments for the equivalence between 5 and 8 are similar, and hence are omitted.
9 Illustration of HOP
In this section we specify an assortment of examples, each illustrating a different aspect 
of the HOP model.
9.1 The Specification of a Nand Gate
The HOP description of a Nand gate is given in Figure 4. Process nand starts in state 
nand() and makes a transition back to itself. Its output out is combinationally generated 
from in i  and in 2 according to the expression n a n d (in l, in 2 ) .
SYNCHRONOUS CIRCUITS MODELED USING COMM UNICATING SYM BOLIC AUTO M ATA 27
MODULE nand()
PORT
INPUT ini, in2 : bit;
OUTPUT out : bit 
FUNCTION
fun nand(x,y) = not(x andalso y);
BEHAVIOR






Figure 4: The Specification of a Nand Gate
9.2 S pec ifica tion  o f  G a te -s ty le  C ircu its
The specification of traditional gate-style circuits that use components with unidirectional 
ports, single or m ultiple phase clocks, and (possibly) large amounts o f internal state is not 
a challenge at all. For example, a least recently used (L R U ) unit can be specified as shown 
in Figure 5, using the user defined abstract data type “ lru type” to model the internal data 
state, LS. Single-phase clocking is assumed.
In state lru, when the clock is high and a suitable combination of inputs is applied to 
trigger an operation, the operation is carried out and the circuit goes to state lrul, where 
it awaits the clock to go low before reverting back to state lru. The line
I ck / \  l e a s t  / \  " r e s e t  / \  "use  - >  l r u l ( l r u - u s e ( L S , l r u - l e a s t ( L S ) ) ,  I r u - l e a s t ( L S ) )
is now explained, and all the other lines are similar. W hen the combination ck and least 
are true and the rest o f the control inputs are false, the system goes into control state lrul 
with data, state modified to lru-use(LS, lru-least (LS) )  (where lru-use is a constructor 
and lru-least is an observer on lru type), and the output least set to lru-least (LS).
In the rest of this section, we examine how more un-conventional synchronous circuits -  
circuits that use bidirectional ports, multiphase clocks, etc. -  are specified using HOP.
28 GANESH GOPALAKRISHNAN
l r u ( L S , d l e a s t ) ; {  l e a s tout  = d l e a s t  }
{  ck /\ " r e s e t  /\ "use /\ " l e a s t  - >  l r u l ( L S ,
1 ck /\ r e s e t  /\ "use /\ " l e a s t  - >  l r u l ( l r u -  
1 ck /\ use /\ " r e s e t  /\ " l e a s t  - >  l r u l ( l r u -  
1 ck /\ l e a s t  /\ " r e s e t  /\ "use - >  l r u l ( l r u -  
>
undef ined)
- r e s e t ( L S ) ,  undef ined)
- u s e ( L S , a ) ,  undef ined)
-u s e (LS , l r u - l e a s t ( L S ) ) ,  l r u - l e a s t ( L S ) )
l r u l ( L S ,  d l e a s t ) ;  {  l e a s tou t  = d l e a s t  }
{  ck - >  l r u l ( L S , d l e a s t )  
1 "ck - >  l r u ( L S , d l e a s t )
>
Figure 5: An LRU unit
9.3 Specifying Transistor/S witch-level Circuits
The HOP model is suitable for modeling many kinds of switch-level circuits. In this section, 
we discuss how circuits such as a “sta.ck multiplexor” shown in Figure 7 (which is instantiated 
as SM in Figure 8 -  adapted from [43]) can be described. The stack multiplexor multiplexes 
the data inputs and data outputs of the stack cell described in [43] onto a common wire.
Though transistors can often be viewed as idealized switches (having zero resistance, 
threshold drop, and gate capacitance), many VLSI circuits actually rely, for their correct 
operation, on transistors having non-zero on resistance, threshold drop, gate capacitance, 
and/or delay. Examples of these circuits are ratioed designs, interlock elements [43, Chapter 
7], and dynamic memories. All existing abstract transistor models that are employed in high 
level simulators or in verification systems are designed to specify only a proper subset of the 
circuits that can be realized using transistors. Likewise, the model that we use in HOP can 
only specify a small subset of transistor circuits.
One attractive feature of our transistor model is that it is based on one notion— that of 
signal drive (inspired by [39]). Associated with each port p are two propositional variables: 
pi, and p i  called drive variables. In a state, if port p is treated as an output, the propositional 
variable jj\ is assumed to be true ; else it is false. This means: “ the module M  to which p 
belongs is driving p as an output in the current state” . Variable p i  has the interpretation: 
“the module connected to M  via, p is driving p " . Variable p'1 is typically used in Boolean 
guards. It is assumed that the LIOP preprocessor will automatically add drive variables of 
the form p\ and p i  variables to user-given specifications, depending upon which ports are
SYNCHRONOUS CIRCUITS MODELED USING COMMUNICATING SYM BOLIC AU TO M ATA 29
Figure 6: Multiplexor used in a Stack
being treated as outputs and which as inputs at each moment (i.e. in each state). See 
Figure 7 for examples.
Drive variables are used to select a direction of conduction for bilateral devices such as 
pass-transistors. This is illustrated through the specification given in figures 6 and 7
9.3.1 Explanation of the Stack Multiplexor
Process stack_mux responds to the push command conveyed through the encoding push/\~pop, 
or the pop command conveyed through the encoding ~push/\pop. It decides to treat port 
data either as input or as output, depending on the values on push and pop, and also how 
the modules connected to stack_mux try to use it. If it finds a drive matching its guard 
literal data?, namely d a ta ! , coming from the environment, it selects the first branch. The 
selection of the pop branch is similar. When neither the push nor the pop combination ar­
rives, stack_mux essentially performs a ‘no operation’ . Other combinations will result in an 
error state being entered. Notice that stack_mux changes over to control state stack_muxl 
when it drives stack_in  and to stack_mux2 when it drives data. This is in accordance with 
our convention that the set of ports configured to be outputs is determined by the state.
9.3.2 Illustration of Well-formedness Conditions
We can illustrate some of the well-formedness conditions on this example. Suppose the 
specification of the “stack multiplexor” were (incorrectly) written as shown in Figure 9. 
Consider the first guard in state stack_mux2. In this guard, port data is used as an input.
30 GANESH GOPALAKRISHNAN
MODULE stack_mux()
PORT INPUT stack_out ,  push, pop : b i t ;
OUTPUT stack_ in  : b i t ;
BIDIR data  : b i t
BEHAVIOR
stack_mux()
= {  push /\ "pop /\ data? - >  stack_muxl (da ta )
I "push /\ {  pop /\ stack_out? - >  stack_mux2(stack_out)
I "pop - >  stack_mux()
>
>
stack _m ux l (D ) ; { s t a c k _ in  = D, s tack_ in!  = 1} ( *  s ta ck_in !  added by preprocessor  * )
= {  push /\ "pop /\ data? - >  stack_muxl (da ta )
I "push /\ "pop - >  stack_mux( )
>
stack_mux2(D) ; { d a t a  = D, data! = 1} ( *  data!  added by preprocessor  * )
= 'push /\ {  pop /\ stack_out? - >  stack_mux2(stack_out )
I 'pop - >  stack_mux()
>
END stack mux
Figure 7: Illustration of “Drive”s on the Stack Multiplexor
PI  P2
Figure 8: A  Stack
32 GANESH GOPALAKRISHNAN
s t a c k _ m u x ( )
= { push A  'p o p  A  d a ta ? - >  s t a c k . m u x l ( d a t a )
'p u s h  / \  {  pop A  s t a c k _ o u t ? - >  s ta c k _ m u x2( s t a c k _ o u t )
1 'P ° P
}
- >  s ta c k _ m u x ( )
>
s t a c k _ m u x l ( D ) ; { s t a c k _ i n  = D, s t a c k _ i n !  = 1}  ( *  s t a c k _ i n !  added by p r e p r o c e s s o r  * )
= { push / \  ~pop / \  d a ta ? - >  s t a c k _ m u x l ( d a t a )  -
“push / \  {  pop / \  s t a c k . o u t ? - >  s ta c k _ m u x2( s t a c k _ o u t )
1 -po p
>
- >  s ta c k _ m u x ( )
> ‘
s ta c k _ m u x2( D ) ; { d a t a  = D, d a t a !  = 1}  ( *  d a t a ! added by p r e p r o c e s s o r  * )
= { push / \  “ pop / \  d a ta ? - >  s t a c k _ m u x l ( d a t a )
“push / \  {  pop / \  s t a c k _ o u t ? - >  s ta c k _ m u x2( s t a c k . o u t )
1 ” P°P
}
- >  s ta c k _ m u x ( )
>
EHD s t a c k .m u x
. Figure 9: A Specification of the Stack Multiplexor Violating Well-formedness
However, since data is used as an output in state stack_mux2, the first clause of W F5 is 
violated.
While in state stack_muxl, port data is being treated as an input. Now consider the 
second guard in state stack_muxl, which is ~push/\pop/\stack_out?. It makes the system 
go to state stack_mux2 where the system drives port data. This again violates the first 
clause of W F5 because an input port “turns around” and drives the external world before the 
external world had a. chance to turn off its drive. If we remove the choice of a move through 
~push/\pop/\stack_out?, we force the system to make a transition from push/\~pop/\ . . . 
to ~push/\~pop/\. . . which is a “neutral state” ; changing over from push/\~pop/\. . . to 
“ push/\pop/\ . . . can be seen to be in violation of W F5 -  in fact, the requirement of non­
overlap between push and pop is what is getting violated!
The specification in Figure 7 satisfies all the well-formedness checks.
9.3.3 Preprocessing’s Before par
Before we can compose two modules M q and M\ using par, where M 0 and M\ have drive 
variables, the drive variables must be preprocessed as described below, to take into account 
their intended meaning. The desired semantics of pi  is to specify that p must be driven from
outside. Thus, if p £ P (M 0) and q £ P (M i) are connected (by being renamed to a common 
name r0(p) =  r  =  n ( q ) ,  and if this connection is not exported from p a r ( M 0, M i ) ,  we know 
that p i  means ql, and q l  means pi. Thus, for every such use of p i ,  we substitute ql , and for 
every such use of q l , we substitute pi.
If, however, p  and q are connected, i.e., if r 0(p)  =  r  =  T’i(tf), and if r  is exported from 
p a r ( M 0, M i ) ,  then p i  means ql V r l , and likewise q l  means pi V r l ,  meaning that p can be 
driven from “outside” by either M i driving p via q, or the external world driving p via r. 
These preprocessings are also performed.
Occurrences of port outputs of the form “p!” are also subject to'preprocessing. If p and 
q are connected and the connection is not exported, every occurrence of pi =  1 in M 0 is 
replaced with two port assertions, pi — 1 and ql — 0 -  this says “since p is being driven by 
Mo, q may not be driven by M i” . Likewise, every occurrence of ql =  1 in M i is replaced 
with ql =  1 and pi =  0. On the other hand, if the connection is exported via r, r! =  1 is 
also asserted. The purpose of asserting ql =  0 in M 0 and pi =  0 in M i is to check for the 
consistency of drives during par: each node must be subject to at most one drive; hence we 
are adding extra drive assertions that prevent the “other port” from driving the same node. 
After performing the above transformations, par can be invoked as described before.
9.4 The Stack Cell, SC
The operations of the stack cell are described in Figure 10.
The additions by the preprocessor are o u t l ! = 1 and ou tr ! = 1. Also, wherever ports 
“p” are used, the drive variables “p?” will be added by the preprocessor in the guard ex­
pression. They are not shown for brevity. For example, the line
SYNCHRONOUS CIRCUITS MODELED USING COMMUNICATING SYM BOLIC AU TO M ATA 33
O  do push * )  | s h r  / \  " t r l  / \  “ s h l  / \  ~ t r r  - >  s c l ( i n l , S 2)
would actually look like
O  do push * )  | s h r  / \  s h r?  / \  ~ t r l  / \  t r l ?  / \  ' s h l  / \  s h l?
/ \  ‘ t r r  / \  t r r ?  / \  i n i ?  - >  s c l ( i n l , S 2)
9.5 The Stack Controller, SC
The last component type used in the stack, the stack controller, is described in Figure 11. 
The controller is driven by a two-phase clock brought in through the inputs p i and p2 . 
Depending on the clock combinations and the starting state of the system (the values of
34 GANESH GOPALAKRISHNAN
s c l ( S l , S 2 ) ;  { o u t l  = "S I ,  outr  = "S2, o u t l ! = 1, outr !  = 1}
{
( *  i s o l a t e  * )  "shr  /\ ' t r l  /\ " sh l  /\ " t r r  - >  s c l ( S l , S 2 )
( *  do push * )  I shr /\ " t r l  /\ " sh l  /\ " t r r  - >  s c l ( i n l , S 2 )  '
( ♦ r e p l e n i s h * )  I "shr  /\ " t r l  /\ " sh l  /\ t r r  - >  s c l ( S l , i n v ( S l ) )
( *  do pop * )  I "shr  /\ " t r l  /\ sh l  /\ " t r r  - >  s c l ( S l , i n r )
( ♦ r e p l e n i s h * )  I "shr  /\ t r l  /\ " sh l  /\ " t r r  - >  s c l ( i n v ( S 2 ) , S 2 )
>
Figure 10: A Stack Cell
SYNCHRONOUS CIRCUITS MODELED USING COMMUNICATING SYM BOLIC AU TO M ATA 35
s c O ( s 1 , s 2 , d t r r , d s h l , d t r l , d s h r ) ; { t r r = d t r r , s h l = d s h l , t r l = d t r l , s h r = d s h r }
{  "p i  /\ "p2 - >  s c 0 ( s l , s 2 ,  0 , 0 , 0 , 0 )
I p i  /\ -p2 ->  s c l ( o p , s 2 ,  0 , 0 , " s 2 , s 2 )
>
s c l ( s l , s 2 ,  d t r r , d s h l , d t r l  , d sh r ) ;  { t r r = d t r r , s h l = d s h l , t r l = d t r l , shr=dshr }
{  “pi  /\ "p2 ->  s c l ( s l , s 2 ,  0 ,0 , 0 , 0 )






Figure 11: A Stack Controller
s l , s 2 , d t r r  ,dsh l , d t r l  ,dshr), the stack controller generates the sequence described in 
[43, Page 73].
9.6 A  Dynamic Multiphase Clocked Circuit
Interactions among multiphase clocked systems as well as dynamic storage are illustrated 
on the example in Figure 12. Shown in this figure are two ‘half-latches’ that are typically 
cascadcd to form a full latch. We will describe module l a t c h  that describes how one of these 
half-latchcs works. We omit the subscripts 1 and 2 when presenting la t ch .
Process l a t c h  starts in state l a t c h (D ) ,  with its output having value D, its present state.
If phi is found true, and if in? ( i n  is driven from outside), the next steady state is one 
where out=~in ;  else if ~in  or ~phi, the old state D is held out. Notice that the inverter delay 
is not captured. This is because the system is assumed to attain steady state— however long 
it takes— before the next excitation is applied. If in  is not driven from outside ( ~? in )  then 
the charge on the gate node is retained, as evidenced by the execution going back to state 
l a t c h ( D ) .
If 11 and 12 are cascaded, and the clock sequence ~phi/\~phi2 , ph i/\~ph i2 , ~ph il/\~ph i2 , 
~ph il/\p h i2 , . . ., is applied, 11 and 12 respond to clock wires cw of their own concern (p h il 
and p h i2 , respectively). For example, while 12 is making a p h i2 move, 11 would be making 
a ~ph il move. In this manner, in a, multi-phase clocked system described in HOP, a subset 
of the modules can be making 'useful’ moves, whereas the others are making ‘useless’ (idling, 
or “self loop” ) moves.
10 Summary, and Conclusions
We have described the HOP automaton model and presented its syntax directed semantics. 
We have attempted to clarify many of the notions underlying formal modeling of synchronous 
hardware, and make a coherent presentation of the formal semantics of synchronous hard­
ware, stating well-formedness conditions, as well as the adequacy thereof. This work can 
open up new opportunities to build synchronous hardware design and debugging tools that 
check for as many errors as possible at the syntactic level, infer the behavior of a structural 
description, and assist in the formal verification of system descriptions.
HOP was first implemented using Common Lisp and FRORS [21]. par was realized as 
an algorithm PA R C O M P that has since been used with great success in debugging several 
designs (see [31] for example). Earlier versions of PAR C O M P suffered from the following 
problems: ( 1) the simplification of guard expressions was ad hoc; (2 ) well-formedness checks 
were not incorporated into PARCO M P; (3) the implementation was based on a notion of
36 GANESH GOPALAKRISHNAN
Figure 12: Multiphase interactions
global clocking. We plan to re-implement PAR C O M P based on the new HOP model. A 
related implementation effort [33] proposes the use of extended BDD models to make syn­
chronous system verification more efficient. These ideas will be incorporated into the HOP 
system.
A ckn ow ledgem en ts : Helpful discussions with Professor Eduard Cerny of the University of 
Montreal and Professor Steven Johnson of the University of Indiana are gratefully acknowl­
edged.
References ■
1. Zvi Kohavi. Switching and Automata Theory. Tata McGraw Hill, 1978.
2. David Ku and Giovanui De Micheli. HardwareC - A  Language for Hardware Design, 
Version ‘2.0. Technical Report CSL-TR-90-419, Computer Science Laboratory, Stanford 
University, April 1990.
3. Mario R. Barbacci. Instruction set processor specifications (isps): The notation and its 
applications. I E E E  Transactions on Computers, C-30(l):24-40, January 1981.
4. Vhdl language reference manual, August 1985. Intermetr ics Report  IR -M D -04 5 -2 ;  See 
also I E E E  Design and Test, Apr i l  1986.
5. Donald E. Thomas and Philip Moorby. The Verilog Hardware Descr ipt ion Language. 
Kluwer Academic Publishers, 1991. ISBN 0-7923-9126-8.
6. Steven D. Johnson. Synthesis o f  Digi tal  Designs f rom  Recursion Equations. The M IT  
Press, 1984. An AC M  Distinguished Dissertation-1983.
7. Mary Sheeran. mufp, a language for vlsi design. In Proceedings o f  the A C M  Symposium 
on Lisp and Functional  Programming , pages 104—112, 1984.
8 . Raymond Boute. System semantics: Principles, applications, and implementation. A C M  
Transactions on Programming Languages and Systems ( T O P L A S ) ,  10( 1): 118—155, Jan­
uary 1988.
9. P. Caspi, D.Pilaud, N.Halbwachs, and J.A.Plaice. LUSTRE: A declarative language for 
programming synchronous systems. In Proceedings o f  the l^th Annual Symposium on 
Principles o f  Programming Languages, pages 178-188. ACM , 1987.
38 GANESH GOPALAKRISHNAN
SYNCHRONOUS CIRCUITS MODELED USING COM MUNICATING SYM BO LIC AU TO M ATA 39
10. Gerard Berry and Laurent Cousserat. The ESTEREL synchronous programming lan­
guage and its mathematical semantics. In S.D.Brookes, A.W .Roscoe, and G.Winskel, 
editors, Seminar on Concurrency, L N C S  197, pages 389-448. Springer-Verlag, 1984.
11. C. A. R. Iioare. Communicat ing Sequential Processes. Prentice-Hall, Englewood Cliffs, 
New Jersey, 1985.
12. Occam programming manual, 1983. "
13. Vincenza Carchiolo, Alberto Faro, Orazio Mirabella, Giuseppe Pappalardo, and 
Giuseppe Scollo. A  LOTOS specification of the PRO W A Y highway service. I E E E  Trans­
actions on Computers, C-35( 11):949—968, November 1986.
14. Michael Gordon. LIOL: A proof generating system for Higher Order Logic. In Graham 
Birtwistle and P.A.Subrahmanyam, editors, V L S I  Specification, Verification and Syn­
thesis, pa,ges 73-128. Kluwer Academic Publishers, Boston, 1988. ISBN-0-89838-246-7.
15. Boyer and Moore. A Computational  Logic. Academic Press, 1979.
16. Warren A. Hunt Jr. The mechanical verification of a microprocessor design. In D. Bor- 
rione, editor, From H D L  Descriptions to Guaranted Correct Circuit  Designs. Elsevier 
Science Publishers B.V. (North Holland), 1987. (Proc of the IF IP  W G  10.2 Working 
Conference with the same title.).
17. I.S.Dhingra. Formal verification of a design style. In Graham Birtwistle and 
P.A.Subrahmanyam, editors, V L S I  Specification. Verification and Synthesis, pages 293­
321. Kluwer Academic Publishers, Boston, 1988. ISBN-0-89838-246-7.
18. Michael J.C. Gordon. Mechanizing programming logics in higher order logic. In 
G.Birtwistle and P.A.Subrahmanyam, editors, 1988 Banff Hardware Verification Work­
shop, Banff, June 1988, 1988. Invited Paper, to appear as a chapter in a forthcoming  
Springer-  Verlag book.
19. Albert John Camilleri. Mechanizing the failures model of csp in hoi. I E E E  Transactions 
on Software Engineering, (9), September 1990.
20. Ganesh C. Gopalakrishnan, Richard Fujimoto, Venkatesh Akella, and Narayana Mani. 
HOP: A  process model for synchronous hardware, semantics, and experiments in process 
composition. Integration: The V L S I  Journal, pages 209-247, August 1989.
21. Narayana Mani. Behavioral simulation from high level specifications. Master’s thesis, 
Dept, of Computer Science, University of Utah, Salt Lake City, U T  84112, May 1989.
22. Prabhat Jain, Ganesh Gopalakrishnan, and Prabhakar Kudva. Verification of regular 
arrays by symbolic simulation. Technical Report UUCS-TR-91-022, University of Utah, 
Department of Computer Science, October 1991. Submitted to the B r o w n / M IT  Advanced 
VLS I  Workshop.
23. Prabhakar Kudva. PC A : An algorithm for the Parallel Composition of regular Arrays, 
1991. Implementat ion in Standard M L ,  plus software documentation. _
24. Ganesh C. Gopalakrishnan, Richard M. Fujimoto, Venkatesh Akella, N.S. Mani, and 
Kevin N. Smith. Specification-driven design of custom architectures in hop. In 
G.Birtwistle and P.A.Subrahmanyam, editors, Current Trends in Hardware Verification 
and Automated Theorem Proving , chapter 3, pages 128-170. Springer-Verlag, 1989.
25. Ganesh C. Gopalakrishnan, Narayana Mani, and Venkatesh Akella. A design validation 
system for synchronous hardware based on a process model: A case study. In Proceedings 
o f  the I M E C - 1 F I P  Workshop on Applied Formal Methods f o r  Correct V L S I  Design, 
Leuven, Belgium , pages 721--740, November 1989.
26. Ganesh C. Gopalakrishnan. Specification and verification of pipelined hardware in HOP. 
In Proc.  Ninth International Symposium on Computer Hardware Descript ion Languages, 
pages 117-131, 1989.
27. Ganesh C. Gopalakrishnan, Narayana S. Mani, and Venkatesh Akella. Parallel compo­
sition of lock-step synchronous processes for hardware validation: Divide-and-conquer 
composition. In J.Sifakis, editor, Springer Verlag Lecture Notes in Computer  Science, 
N o .407 (A u tom at i c  Verification Methods for  Fin i te-State Systems, Internat ional  Work­
shop, Grenoble, France, June 1989), pages 374-382. Springer-Verlag, 1989.
28. Ganesh Gopalakrishnan, Prabhat Jain, Venkatesh Akella, Luli Josephson, and Wen-Yan 
Kuo. Combining verification and simulation. In Carlo Sequin, editor, Advanced Research 
in V L S I  : Proceedings o f  the 1991 University of  California Santa Cruz Conference. The 
M IT  Press, 1991. I S B N  0-262-19308-6.
29. Venkatesh Akella and Ganesh Gopalakrishnan. High level test generation via process 
composition. In Designing Correct Circuits, Oxford, 1990, pages 99 119. Springer Ver­
lag, 1990. Proceedings o f  the D C C  Workshop, Oxford, September, 1990, published in 
Spr inger ’s new series ‘Workshops in Computing
30. Prabhat Jain and Ganesh Gopalakrishnan. Towards making symbolic simulation based 
verification efficient, November 1991. Submitted to the I E E E  Transactions on C A D .  An  
earlier version has been submitted to the Design Automation Conference, 1992.
40 GANESH GOPALAKRISHNAN
31. Ganesh Gopalakrishnan and Richard Fujimoto. Design and verification of the rollback 
chip using hop: A case study of formal methods applied to hardware design. Technical 
Report UU-CS-TR-91-015, University of Utah, Department of Computer Science, 1991.
32. Wayne Wolf, Andres Takach, and Tien-Chien Lee. Architectural optimization meth­
ods for control-dominated machines. In High-Level V L S I  Synthesis, chapter 10. Kluwer 
Academic Press, 1991. .
33. Michel Langevin and Eduard Cerny. Comparing generic state machines. In Proc.  o f  the 
Workshop on Computer-Aided Verification, Aalborg, Denmark.  J.uly 1991.
34. Ghislaine Thuau and Daniel Pilaud. Using the declarative language lustre for circuit 
verification. In Designing Correct Circuits, Oxford, 1990, pages 313-331. Springer Ver­
lag, 1990. Proceedings o f  the D C C  Workshop, Oxford, September. 1990, published in 
Spr inger ’s new series ‘Workshops in Computing ’.
35. Michael Gordon. Register transfer systems and their behavior. In Proc. o f  the 5th 
International Conference on Computer Hardware Descr ipt ion Languages, 1981.
36. Randal E. Bryant and Carl-Johan Seger. Formal verification of digital circuits using 
ternary system models. Technical Report CMU-CS-90-131, School of Computer Science, 
Carnegie Mellon University, May 1990. Also in the Proceedings o f  the Workshop on 
Computer-Aided Verification, Rutgers University, June, 1990.
37. Carl-Johan Seger and Jeffrey Joyce. A two-level formal verification methodology using 
HOL and COSMOS. Technical Report 91-10, Dept, of Computer Science, University of 
British Columbia, Vancouver, B.C., June 1991.
38. Randal E. Bryant, Derek L. Beatty, Karl Brace, Kyeongsoon Cho, and T. Sheffler. Cos­
mos: A compiled simulator for mos circuits. In Proc. A C M / I E E E  24th Design Au toma­
tion Conference, pages 9-16, June 1987.
39. Zhou Chaochen and C .A .R . Hoare. A  model for synchronous switching circuits and 
its theory of correctness, 1990. Proceedings o f  the D C C  Workshop. Oxford, September, 
1990, published in Spr inger ’s new series ‘Workshops in Comput in g ’.
40. Glynn Winskel. A compositional model of mos circuits. In Graham Birtwistle and 
P.A.Subrahmanyam, editors, V L S I  Specification, Verification and Synthesis, pages 323— 
348. Kluwer Academic Publishers, Boston, 1988. ISBN-0-89838-246-7.
SYNCHRONOUS CIRCUITS MODELED USING COMM UNICATING SYM BOLIC AU TO M ATA 41
41. David Musser, Paliath Narendran, and W illiam  Premerlani. Bids: A method for specify­
ing and verifying bidirectional hardware. In Graham Birtwistle and P. A.Subrahmanyam, 
editors, V L S I  Specification, Verification and Synthesis, pages 217-233. Kluwer Academic 
Publishers, Boston, 1988. ISBN-0-89838-246-7.
42. John E. Hopcroft and Jeffrey D. Ullman. Introduction to Automata Theory, Languages, 
and Computation.  Addison Wesley, 1979.
43. C. A. Mead and L. Conway. An Introduction to V L S I  Systems. Addison Wesley, 1980.
42 GANESH GOPALAKRISHNAN
