We describe an operational semantics for the hardware compilation language Handel-C [10], which is a C-like language with channel communication and parallel constructs which compile down to mainly synchronously clocked hardware. The work in this paper builds on previous work describing the semantics of priority within Handel-C [9] and a denotational semantics for part of the language [8]. We describe a key subset of the language and show how a design decision for the real language, namely that default guards in prialt-statement executed in "zero-time", has consequences for the complexity of the operational semantics. We present the operational semantics, indicating clearly how it interfaces with the priority semantics of [9] . We then describe a notion of observational equivalence, and present an example illustrating how we handle the complexity of nested prialts in default guards.
Introduction
Handel-C 4 [10] is a language originally developed by the Hardware Compilation Group at Oxford University Computing Laboratory, and now marketed by Celoxica Ltd. It is a hybrid of CSP [16] and C, designed to target hardware implementations, specifically field-programmable gate arrays (FPGAs) [23] . The language has sequential and parallel constructs and global variable assignment and channel communication. The language targets synchronous hardware with multiple clock domains. All assignments and channel communication events take one clock cycle. All expression and conditional evaluations, as well as priority resolutions are deemed to be instantaneous, effectively being completed before the current clock-cycle ends.
As the Handel-C language targets hardware, it is ideal for implementing embedded systems, often in situations where high levels of assurance would be desirable [22] . There is a clear need for for both a formal semantics of Handel-C (or a reasonable subset) as well as an appropriate methodology and tool support. The research described here is part of program to provide just such an industrial-strength formal framework.
This papers describes the current state of work being done to provide Handel-C with a formal operational semantics. We also discuss language features which prove to be problematical from an operational semantics perspective.
Previous and Related Work
Early work on the formal semantics of Handel-C concentrated on a subset of the language that did not contain the prialt construct. This initial exploratory work focussed on modelling the flow of control in Handel-C constructs by tracking how "execution pointers" were created, modified and merged as parallel threads were forked, executed and terminated. This led to a formal model of a Handel-C flow-of-control "interpreter" [7] .
Work then started on exploring a denotational semantics for the same language subset, which was non-trivial as we had to deal with concurrency, message-passing, shared variables and the synchronous clock. Eventually, results based on branching sequences of functions mapping environments to environments were obtained [6] .
At this point it became clear that prialt would have to be included. It cannot be simulated using ordinary communication and switch statements, and it has a number of effects on the overall semantics. Priority in CSP-like concurrent processes is very difficult to treat formally [15, 19, 20, 21] . When occam [3] was developed, the only aspects of the language for which no formal semantics was provided were the constructs (PRI PAR and PRI ALT) which involved priority. One of the issues is that the asynchronous nature of CSP-like formalisms, make it very difficult to establish when prialts are "coming together", in order for their communication requests to be resolved. However, in Handel-C, the presence of a synchronising clock makes it very easy to establish which prialts are active at any given moment, so priority handling amounts to a static problem of resolving priorities of a known collection of prialts.
In the broader arena of process algebras in general, there has been considerable work done on priorities [11, 13, 12] . In [12] there is an overview of this area, but there is no close match between any of the priority schemes described therein, and that which features in the semantics of Handel-C.
A formal description of prialt resolution without consideration of default clauses was presented in [9] . At this stage, it had become clear that prialt resolution could be treated orthogonally to most other semantic issues, and so the denotational semantics was reworked slightly to make use of the prialt semantics [8] .
Other work involving formal techniques and Handel-C has been reported, and includes the use of the Ponder policy specification language [14] as a basis for implementing firewalls [22] , as well as techniques for performing behavioural transformations from Haskell programs into Handel-C implementations [1] . Beyond the scope of Handel-C, there is considerable work on using formal techniques to develop safety-critical embedded systems, of which the languages Esterel [5, 4, 24] and Lustre [18, 2] are two key examples.
Scope of Handel-C Semantics
Given that our final aim is a formal semantics of a real language which was itself not formally designed, we are developing our semantic framework in a manner that allows us to separate concerns as much as possible. In particular, we see the final semantics of Handel-C as having four loosely coupled components:
types Handel-C has a range of datatypes, all of which ultimately reduce down to specifications of bit strings of fixed length. The underlying type theory is fairly straightforward.
synchronous "cores" These are regions of hardware under the control of a single clock, and constitute the primary area of concern of this paper. Here we present an operational semantics for the behaviour of these cores.
priority The communication constructs are provided in the form of prialtstatements, which requires all choices between communication events to be prioritised.
asynchronous "environment" The synchronous cores communicate with each other and the external environment via asynchronous interfaces.
These four areas can be treated separately to a large degree, as the interfaces between them are simple in character 5 . For example, the asynchronous interfaces in Handel-C involve "bus interface" constructs, rather than channels. This means that priority information and decision-making does not cross the boundaries between synchronously clocked regions.
We shall present a shorthand form, in a mathematical style, of the syntax of the Handel-C subset with which we are currently concerned. A Handel-C program (p), as written, contains the following statements: a unit delay
Here v denotes a variable, while e, s and b denote expressions, and g denotes a guard, which we describe in more detail later on. We allow the use of 0 in prialts to indicate an empty continuation process. The language is extended with the following statements not available to programmers, namely a zero delay (0) now as a fully fledged process; an ordered guard request statement ( + g i ); and a guard action statement (act(g)). We also extend the language expression syntax to include two functions on guard-lists: waiting (w g i ) and active (a g i ), as well as a function on channel identifiers (d(c)) returning the current value being communicated on that channel.
We have a mix of parallel processes and global shared variables, so Handel-C has a restriction which states that no variable should ever be assigned to by two different processes during one clock cycle. It is allowable to have different processes write to the same variable on different clock cycles. A prialt-statement can be viewed as a sequence of guard-process pairs, where the guards are either communication actions like input (c?v) or output (c!e) or a default guard to be activated if no communication guard is active. The default guard if present must be the last element of the sequence, and we shall denote it by the shorthand !?.
The sequence of guards in a prialt denotes that prialt's priority preference, considered as relative priority -it i.e. it prefer its first guard to its second, its second to its third, and so on. A key restriction imposed by Handel-C is that during any clock-cycle, all the relative priorities of all prialtsexecuting during that cycle must be consistent with one another in that no priority cycles are introduced when all their preferences are merged. We will eventually replace all prialts of the form: g i : p i by the following equivalent program:
This captures the notion that a prialt acts in three stages: (i) it submits a request (
(ii) it waits until it become active, re-submitting the request on every clock cycle (w g i * (1 ; + g i )); and (iii) once waiting is over, selects and executes the active guard and process (a g i [act(g i ) ; p i ]). The only uses of the request and action statements, as well as the wait, active and channel expressions are as a result of translating prialts as just described.
We present here a brief overview of the prialt semantics presented in [9] , with an explanation of how it can be extended to cover default clauses, and interfaced with the operational semantics described later on in this paper. If a prialt-statement is starting execution during the current clock cycle, then its guards are viewed as a prioritised sequence of requests, and if a guard (g i for instance) is deemed to be enabled or active, then it carries out its communication action during the current clock cycle. Its continuation process (p i ) then starts execution at the beginning of the next clock cycle. If no communication guard is deemed active, and the prialt has a default guard (!?), then the corresponding continuation process (p n ) starts execution immediately, i.e. during the current clock cycle. This immediate execution of a default guard's continuation process is a major reason for the complexity of the operational semantics to be presented.
In any given clock cycle, there will be zero or more prialts commencing execution. A guard is deemed to be potentially active if elsewhere there is a complementary guard in some other prialt active during the same clock cycle. The process of determining which potentially active guards, if any, are actually active, is called Resolution. If a prialt has no active guards after resolution, and no default guard, then it is blocked, and lies idle for the rest of the current clock cycle. It then proceeds to resubmit its request in the next clock cycle. This either continues until some other request elsewhere leads to it becoming active, or runs forever if no such other request ever materialises.
Let us consider two examples, the first straightforward, the second involving default clauses in that manner that causes most semantic difficulty. The first example has three prialts executing in parallel:
The overall priorities being expressed here can be summarized as: { a, e } < b < c < d where lesser values denote higher priorities. Only channels b and c are potentially active, and b has higher priority, and so will be actually active. The result is the first and third prialts execute, transferring value 2 across channel b to variable y. The second prialt remains blocked, waiting on either c or d (preferring c).
The second example has two prialts in parallel, with the second having a default clause which itself is a prialt:
Initially we have a situation where there are no potentially active guards, so the first prialt blocks, while the second immediately activates its default clause. This introduces another prialt to the mix, and now channel c becomes active, transferring value 7 across channel c to variable v. It is worth pointing out that the above process is in fact equivalent to c!7 : 0 d!0 : 0, c?v : 0 , but that this simplifying law does not extend to arbitrary continuation processes. This example is used later to illustrate the operational semantics at work.
In [9] resolution is viewed formally as a process (Resolve) which takes a set of Prialt Requests, and returns a pair called a Resolution, consisting of an Channel Map and the set of requests that have remained blocked (no active communication guards).
The Channel Map maps active channels to the set of requests invoking that channel which have been deemed active. A Prialt Request is simply modelled as a sequence of guards, i.e simply as the corresponding prialt-statement with the continuation processes stripped out. A channel is deemed potentially active if it occurs in a number of prialts, in both input and output forms. It becomes active if no other potentially active channels in its own prialts are of higher priority. The formal semantics in [9] does not deal with default clauses, nor elaborate on how the resolution structure interfaces to the formal semantics of the rest of the language. Briefly put, the default clauses are simply handled by scanning the set of blocked requests for any that have default clauses, and simply moving them into the channel map, under a pseudo-channel called "default".
The resolution of our first example would have got the following input: 
Operational Semantics
The operational semantics for Handel-C requires us to have an understanding of the processing that takes place during a clock-cycle. First, the atomic actions (assignment or communication) for the current clock cycle need to be determined. This involves following the flow of control from the statements which executed on the previous clock cycle, requiring the evaluation of conditional and while-loop guard expressions. We shall refer to this as the "select" (sel ) phase. At this point we have identified almost all of the assignments and prialts which are about to execute. The next phase, the "request" phase (req) involves all the selected prialts lodging their corresponding requests with the environment. At the end of this phase, the system has global knowledge of almost all the communication requests associated with this clock cycle. The third, or "resolve" phase (res) , is were the system resolves all these requests, as described in section 4 previously. The outcome of this is that we know know which communication actions are going to be executed. The final or "action" phase (act) is were all the atomic assignment and active communication actions take place, all globally synchronised to the clock. It is at this stage that permanent changes are made to the system state -i.e. ones that persist across clock boundaries. The first three phases are all implemented as combinatorial logic, and are deemed to execute in "zero-time". In other words, this logic makes these decisions well within the time allocated to the clock cycle. The last phase is effectively synchronised to the end of the cycle, and so is deemed to have taken one clock cycle to execute. The sequencing of the phases is very important, as the outcome of resolution is not well-defined until the selection and request phases are complete. As resolution determines the final communication actions and their consequent permanent state changes, is important to get this sequencing right. In the hardware implementation, this is achieved by letting the resulting combinatorial logic have enough time to settle into a consistent state, and aided by the fact that the logic contains no "combinatorial" cycles. In our formal semantics we ensure the appropriate ordering of decisions by modelling these conceptual phases explicitly.
We now explain the frequent use in the previous few paragraphs of the phrase "almost all". The problem here is the existence of default clauses in prialts, which execute in "zero-time". As a consequence of this, the corresponding continuation process starts execution in the current clock cycle. This continuation process can be any legal Handel-C process so may contain conditionals, parallel branches, while-loops and more prialts. This means that we have to redo the select, request and resolve phases. The prialts can be nested to an arbitrary but finite depth in this fashion (via default guards). Given a prialt nesting depth of d, in general we need to iterate the first three phases d + 1 times. This complication is a consequence of the decision that default guards take zero-time. The presence of arbitrary Handel-C processes as continuations after communication guards is not a problem, as they don't start execution until the subsequent clock cycle. So, our operational semantics needs to model these four phases by (i) classifying statements according to the phase in which they participate
(ii) providing transitions of different types for each phase (iii) providing special transitions to manage the switch between phases.
Transition Types
A Transition type (TType) is one of state-selection (sel ), comms-request (req), comms-resolution (res) or state update action (act), ordered as just listed.
We classify statements by associating a transition type set (tts(p)) with them, and use ttype(p) to denote min(tts(p)):
1, v := e, act(c!e), act(c?v), w g i * p { act } (w is true)
The anomalous situation regarding the classification of w g i * p is explained when the transition rules are described. In addition to the four transition types mentioned above, we have special transitions between those types: sel 2req, req2res, res2sel , res2act, and act2sel (a.k.a tick ). The system state is larger than just p and t, comprising a tuple (p, t, ρ, γ, , τ ) where: p : P is the process state; t : TType is the current transition type; ρ : Id : P(G + ) are the requested/blocked prialts; and τ : N is the current clock value. Note that holds the resolution input data during the req phase, and (γ, ) holds the resolution result obtained during the res phase.
Given an initial program p 0 , the initial system state is (p 0 , sel , θ, θ, ∅, 0) and a program has terminated if p ever reduces to 0. To get the terminating clock transition we shall strengthen this to say that a program terminates once p is 0 and t is sel .
Transition Events
We associate events with some transitions, denoting a transition of type t engaging in event e by t −→ e , except for the special transitions were the event is fixed. All events describe some form of system state change, in addition to that already described above, as detailed below: transition event notation changes
Here we use the notation e as shorthand for [[e] ] ρ , i.e the evaluation of expression e w.r.t. the environment ρ. If any variable v in e is not in the domain of ρ (i.
e not yet assigned to), the the lookup ρ(v) returns zero, as this is how Handel-C initialises all variables. Note also that the act action can be an empty simultaneous assignment, denoted by leaving it blank. Given (γ , ) = Resolve( ) we always have that
Formally we can view all events as functions on global state:
In some rules, we merge events, using the event merge operator ♦, which is associative and commutative, with the null event as identity. In effect ♦ merges disjoint assignments into a simultaneous assignment and multiple prialt requests into one large request with a set of the prialts involved:
If assignments are not disjoint, then ♦ is not defined, but this matches Handel-C which outlaws this situation.
Transition Conditions
The conditional expressions (s,b) associated with the select and while constructs are evaluated w.r.t. the environment ρ. We use the same shorthand
as is used for assigment rhs expressions. When we evaluate the wait predicate w g i and the active guard selector expression a g i , we do so with respect to the and γ state components, using two of the observer functions as follows: by the fact that no priority conflicts arise. None of the prialt priorities are attached to transitions or states an any obvious way, and are, as asserted earlier, treated orthogonally to the transition system being described here. Here however, we have present a second notion of priority, notably that between different types of transitions in our transition system. These priorities are similar in character to the static and global priorities of [12] , except that while initially sel transitions have highest priority, and act transitions have lowest, we have a dynamic priority switch at the end of the clock cycles when act transitions become highest priority. Apart from this, the theory of [12] is not applicable here as we have no silent actions and no synchronisation between most transitions of any given type/priority. Rules have the form:
where cond and antecedents⇒ are optional. The consequent transition is enabled if and only if: (i) its transition type is enabled by the global state; (ii) the condition, evaluated against the global state, is also true; and (iii) the antecedent transitions, if any, are themselves enabled. We first present general transition rules dealing with sequential and parallel composition, where the phase is irrelevant (Figure 1) .
The basic phase-specific transition rules are shown in Figure 2 , presented largely in order of transition type. The first set of rules dealing with sel transitions are Par-End, Select, Whl-False, Whl-True, and Next. The rules for the conditional and while constructs are straightforward. The rules for the parallel and sequential constructs manage the fact that all parallel threads must end before a subsequent process can start execution. The 0 construct (the process that does nothing in "zero-time") pays a key role in managing this synchronisation.
The next set of rules dealing with req transitions are PriAlt and Request. The prialt-statement simply lodges its request ( + g i ) and then evolves into the sequential composition of a wait loop and a subsequent conditional to select the active action. The wait loop resubmits the request in following clock cycles, which is why the loop body starts with 1, i.e. to force a wait until the next clock cycle. The request transition deals with the additional requests lodged by the wait loop. The third set of transitions handle transitions which occur when evaluating the resolution observer functions w g i and a g i . Most of these are res transitions, except for Wait, which is an act transition. This is to ensure these transitions, which initiate a one cycle wait, followed by resubmission of their request, are held over until all default clauses have been handled. If this rule was a res transition, we would have a race between its firing, and the firing of a Continue rule, which may be as a result of a default guard elsewhere. The result of that default guard's execution might be a change in the status of a blocked prialt. It is very important that we ensure that all Continue transitions occur before any Wait transitions are allowed to proceed.
Par-End
The final set of transitions are the act transitions, all of which change the state. The delay statement state change is simply that it lets time pass. The assignment statement has the expected effect of updating the relevant variable. The output statement acts like a delay, while the input statement uses the resolution observable d(c) to update its variable value.
Observational Equivalence
An execution trace of a Handel-C program is a sequence of transitions occurring with the following structure:
where ; denotes concatenation, and x * and x + denote zero-or-more xs and one-or-more xs, respectively. As the subsequences of act transitions can be collapsed into one such transition, using the ♦ operator, the overall effect is that of a single act transitions, one per clock cycle, separated by some mix of other transition types:
As the key function of these other transition types is to determine what act transitions occur, and as only the act transitions have persistent effects on the state, we shall choose to ignore the other transition types. Hence we shall declare two execution traces to be Observationally Equivalent if they are identical once non-act transitions are removed, and all act transitions in one clock cycle have been merged.
An example
To show the importance of requiring Wait to be a act transition, consider the following example:
For brevity we shall omit 0 when it occurs either before or after ";". Initially it engages in Prialt transitions to become:
If Wait was a res transition then the top process could evolve at this point to something which would start with 1; + c!7 . This process would now wait until the mode was act, to do a Delay transition. In particular, if events elsewhere suddenly made channel c active in this clock cycle, this process would miss the event because it is no longer "listening". Instead, the Wait transition is blocked, but the lower process can do a Continue transition to become: Finally the Input and Output transitions fire, v is assigned 7, the clock is advanced, and we get 0 0 which reduces in the next clock cycle to 0. It is interesting to note that a prialt with a default guard will never wait so we can omit the wait-loop giving the law: 
Conclusions and Future Work
We have presented an operational semantics for a key subset of the Handel-C hardware compilation language. In particular our semantics handles prialts properly, coping with the issues raised by the zero-time execution behaviour of default clauses. Another key feature of the work presented here is that it exploits a clean separation of concerns between various key aspects of the language: types, priority, flow of control and asynchronous interfacing. The key goal of this work is to have a formal development methodology from a suitable specification notation down to Handel-C code, with appropriate tool support. We envisage a methodology based on refinement, using an appropriate refinement calculus. To reach this goal we need to achieve a number of key milestones: an appropriate formal model of the asynchronous interfaces, and the type system; the integration of all aspects into a unified whole; an appropriate generalisation of Handel-C to produce a specification language; and the development of refinement laws that enable correct programs to be developed. Given the need to unify the four aspects, we propose to formulate the semantics of both Handel-C and its specification language within the unifying theories framework [17] . This will facilitate refinement, as a refinement calculus (Circus) for this paradigm has been developed [25] .
