Abstract. This paper describes a rst attempt at building design tools that amalgamate theorem proving and engineering methods. To gain acceptance such a tool must focus on the engineering task and proof steps must be hidden. From these ideas a prototype system based on the HOL proof assistant has been designed. The key features of this system are threefold. First, we use window reasoning for modelling the design process; Second, we have de ned a set of application speci c derived inference rules that implement common design tasks; Third, we have extended the design representation in logic with annotations to support e cient algorithmic reasoning.
Introduction
As production technology has continued to improve during the last decades, the complexity of digital systems has increased accordingly. This ever increasing complexity has led to digital systems having shorter life cycles and to the design task growing more di cult. At the same time, the use of digital systems in safety critical applications | such as pacemakers, aeroplane stability control, and nuclear plant control | has led to a need to be able to ensure correctness. Correctness is of course an important criteria for all designs but these applications have served to emphasise the problem. Thus, we need to reduce the design time while at the same time design more complex systems, and ensure their correctness.
These requirements have initiated a growing interest in applying formal methods to digital system design. There are two main approaches | post-design veri cation and designing by correctness-preserving transformations | where post-design veri cation was the rst but has failed to make any signi cant impact on industry practices. One reason for this is the intrinsic complexity of formal veri cation, ampli ed by the often large semantic gap between the two models to be veri ed and the lack of information sharing with the design process. By using correctness-preserving transformations we avoid these problems since the proof steps are hidden in the transformations, information sharing is automatic, and the semantic gap is bridged by taking small steps guided by the designers knowledge. The advantage of post-design veri cation is that the verication problem is separate from the design process thus making it possible to focus on one aspect at a time. A formal design method 1 on the other hand, must support both the design and the veri cation process.
The formal design method presented here uses correctness-preserving transformations and is targeted towards the rei cation of a, possibly partial, formal design speci cation in logic into a formal speci cation of a complete design that implements the initial design speci cation. Furthermore, it supports the implementation of e cient algorithmic design functions.
Previous work in this area has focused on methods where transformations are either proved correct using logic 5, 8] or stated correct according to a design algebra 6]. The issue of e cient algorithmic reasoning has however not been emphasised.
The main contribution of this paper is demonstrating the applicability of modelling the digital system design process using window inference and making the method accessible to designers by supplying a set of application speci c design transformations. A second contribution is a method to extend the design representation with information necessary to support the design task without cluttering the logical representation used for veri cation and make e cient algorithmic reasoning possible.
Our Approach
We regard design as an iterative process that progresses stepwise by transforming the design speci cation until a satisfactory design has been reached. A schematic view of this process is depicted in Fig. 1 . This is a monotone process and corrections can only be introduced at the state where the error was introduced. To support this we can traverse the window stack backwards undoing design steps in the process, and we can reuse design transformations just as we can with proofs.
To be able to use computer-assisted formal reasoning we must model the process of design in a formal system. We do this by specifying a satisfaction relation that must hold between consecutive design speci cations. This way we do not formalize the design process as such but rather a property of it.
Our model of the design process gives no guidance in choosing which design transformation to apply at a certain design state. It only rules out some choices for not satisfying the satisfaction relation or the design checks. Therefore it is important that the designer has access to a set of design analysis functions to assist him in making a good choice. This kind of algorithmic reasoning necessary in any realistic design system should be possible to perform in an e cient way. We identify the following criteria to be important for a formal design system: { enforce consistency; { computationally e cient; { support designer. When designing we must capture other aspects of the design than when we verify, e.g. physical properties and constraints. This leads to formalisms aimed at design in general being more complex than formalisms for veri cation 9]. This together with the e ciency criteria implies that only information that will be used for veri cation should be represented in logic. Our solution is a two-level design representation where we represent additional properties of the design objects outside the logic. We use annotations of the design objects (design annotations) to represent such properties. In the design annotations we record information that can be used to check and analyse designs. For example, assume the designer makes a connection between two ports. In the logic interconnection is modelled as two devices sharing the name of a port. By annotating the port as representing a line we make this information accessible for design analysis, e.g. list all unconnected ports, and design checks, e.g. that two lines with the same name are not introduced.
To support the design task we de ne transformation procedures for common design tasks, thus providing the designer with a set of application speci c procedures for transforming the design or, in other words, a design algebra. These transformations are behaviourally correct by proof and incorporates design checks that checks, possibly application speci c, design constraints and make use of information from design analysis.
A Prototype System
To try out the ideas presented in Sect. 2 we have implemented a prototype system 7], a schematic view of which is depicted in Fig. 2 . It is based on the HOL proof assistant and uses the window inference package 4] extended with support for design annotations. We use the HOL proof assistant because it is a mature and well supported proof system with properties such as safe symbolic reasoning about design objects, safe extensions to the basic logic via de nitions, and a programmable interface to the logic 2]. 
Design Representation
We use predicates in higher-order logic to model behaviour in the style presented by Gordon 3] . This choice is natural since we want our satisfaction relation to ensure functional correctness, i.e. what most approaches to post-design veri cation do. An example is the de nition of the adder shown below 2
where !t. out(t + del) = (in1 t) + (in2 t) is the term specifying the behaviour of the adder, ADD del(in1,in2)out is the predicate abbreviating the speci cation, and del in1 in2 out is the list of parameters. In this approach a speci cation treats a device as a black box, i.e. the behaviour is de ned only in terms of the values that can be observed externally. A design speci cation is a conjunction of predicates specifying behaviour, P 1^: : :^P n . A partial speci cation does not specify the behaviour of a device in full detail, e.g. not for all possible values on the external variables.
Design Annotations. When reifying abstract speci cations into concrete speci cations we have to take into consideration physical attributes | such as limited resources, direction of ports, and the existence of physical carriers to transport signals on | of the concrete design objects. The tasks that are to be performed when reifying a design speci cation are scheduling, allocation, binding, and interconnection. Scheduling is the task of assigning computations to time steps. By allocation we mean the introduction of concrete resources | such as devices and lines | into our design speci cation. Binding is the mapping of the unlimited set of abstract operations onto the limited set of allocated concrete resources. Interconnection is the task of allocating and binding physical carriers to transport data between allocated devices.
To support these tasks in the prototype system we have de ned a basic set of design annotations to keep track of resources, such as devices and lines, and properties, such as direction of ports. We also de ne a set of functions to With the help of these functions we can write functions to perform design checks and analysis. We can, for example, write a boolean function to test if a variable is an input port. Such a function could look like this in ML 3 : let is input name anno = mem name (list inputs anno);;
Window Inference
A key component of our approach is the use of the window inference package in HOL to model the transformational design process. We only sketch window reasoning here. A more detailed account can be found elsewhere 4, 7] .
In window inference the state of a design is recorded in a window. Among the information recorded is a design theorem that relates two design speci cations by a relation, R, and a set of assumptions under which the design theorem holds:
?`speci cation n R speci cation 0 Where ? is the assumptions, speci cation 0 is the initial, and speci cation n the current, design speci cation. The only requirement on R is that it is a preorder 4 . A design derivation consists of a stack of windows where the top window denotes the current state of design and the bottom window denotes the initial design state. This stack can be traversed using window commands. To modify the contents of a window we can apply a window transformation command, wtc:
wtc: window theorem ! window Where theorem is the logical justi cation of the modi cation and the resulting window is pushed onto the window stack. To transform the previous window we could apply a justi cation theorem of the form:
?`speci cation n+1 R speci cation n This results, thanks to the transitivity of R, in a new window holding the following design theorem (see also Fig. 3 ):
?`speci cation n+1 R speci cation 0 3 let is a declaration of variables and mem x l returns true if some element of l is equal to x, otherwise it returns false. 4 A preorder is a re exive, transitive relation. Where is the additional set of assumptions that hold in, and r the relation preserved by, the subwindow. We transform this theorem as above in m steps giving us the following design theorem:
This process is depicted in Fig. 4 . When we are satis ed with the form of s m we close the subwindow, thus substituting s 0 for s m in speci cation n :
?`speci cation n s m ] R speci cation 0 Note that when we close a sub-derivation window, the entire sub-derivation collapses into a single design transformation at the next level of stacks. This is depicted in Fig. 5 . When we are satis ed with the current design speci cation we close the window stack. The result of the design derivation is the nal window's design theorem.
Extended Window Inference. Since the window inference package does not support the use of design annotations we must extend the de nition of a window in the package. We do this by implementing the design annotations as an abstract data type in ML and add this to the de nition of a window together with interface functions for accessing and updating annotations in a window. Note that it is essential that we keep design annotations on the window stack in order to keep the design state consistent when traversing the window stack. To begin reasoning with the extended window inference system the user creates a window stack as before. Creating a window stack to transform our speci cation under the assumptions ?, while preserving R, now results in a single window containing:
?`speci cation 0 R speci cation 0 and annotation 0 Modifying the design must now result in a transformation of the current design speci cation while preserving R, and in an update of the design annotation.
?`speci cation 1 R speci cation 0 and annotation 1 After the transformation the window theorem records the proof that achieves the initial speci cation, and the window annotation records the current design annotation.
Satisfaction Relation. Since we want to do design rei cation we must use a weaker satisfaction relation than equality. Unfortunately, this means that we do not get the total correctness property inherent in equational reasoning.
In the prototype system we have chosen to use logical implication as satisfaction relation. The motivation for this is that implication is a simple, well understood relation that intuitively ts the role of satisfaction relation for design and there already exists much support for proving theorems about implication in HOL.
Window Transforms
To facilitate formal design we have de ned a set of derived inference rules corresponding to basic design steps, and we use the name window transforms to denote them. Every window transform applies a built-in or derived justi cation theorem to the current design theorem, and an update to the current design annotation to create a new design state. If either the justi cation or the update fails, the transform fails. This way the design state is kept consistent.
We can build libraries of window transforms to support di erent needs| such as applications, technologies, design styles, and company rules. The fact that the small set implemented here is enough for the designs we have experimented with indicates that a library of basic transforms need not have an intimidating size.
Apart from these application speci c window commands we also make use of built-in window commands as well as many theorems and inference rules in HOL. The basic transforms are presented next.
Allocation and Binding of Devices. In the prototype system there are three kinds of devices | computational devices, multiplexors, and delays | each of which have their own set of transforms for allocation and binding.
Allocation is modelled by introducing a predicate de ning a physical resource and annotating this as a device with a unique name. The justi cation is created by specializing the theorem 8t 1 t 2 :t 1^t2 t 2 . Allocation only fails if the given name is already used in the design. The generic window transform for allocation is ALLOC TRANS.
Binding is modelled by associating an operator with a device in the design speci cation. The association has the form of a set of constraints on the ports of the device that results from matching the body of the device with the current design speci cation. If the matching succeeds the current design speci cation is replaced by the resulting set of constraints. The justi cation is a simple proof of equivalence. Every time we bind a computational device to an operator a new (unique) variable is introduced to denote the time at which the device will perform the operation. This variable is later used for scheduling. The window transforms for binding are BIND TRANS, BIND MUX TRANS, and BIND DELAY TRANS.
Often we want to perform allocation and binding in one step, i.e. we introduce a device and bind it to the current design speci cation. The window transforms for allocation and binding are ALLOC BIND TRANS, MUX TRANS, and DELAY TRANS.
To further automate the design task we have de ned a transform that traverses a design speci cation and allocates and binds a delay wherever possible. This window transform is named MAP DELAY TRANS. Scheduling. We model scheduling the computations by placing them on a common time frame. To do this we have written a procedure to analyse the data-ow of the current design speci cation using the design annotations and come up with a schedule according to the asap (as soon as possible) strategy. This procedure returns a mapping from the unique variables denoting time that was introduced by the binding to a common time variable. If this succeeds then the variables in the design speci cation is renamed according to this mapping. This is justi ed by the rule INST in HOL. This rule instantiates free variables in a theorem. The window transform for scheduling is SCHEDULE TRANS.
Interconnection. Interconnection is modelled as two devices sharing the name of a port variable which is annotated as being a line. This is implemented by replacing the names of the original ports with the line name in the current design speci cation. This is justi ed by the rule INST in HOL. The annotation update fails when we try to create a line with a name that is already used in the design or if we try to extend a line that does not exist in the design. It will also fail if we try to connect two output ports. The window transforms for interconnection are CONNECT TRANS that creates a new line from a set of ports and ATTACH TRANS that adds a port to an existing line.
To further automate the design task we have de ned a transform that traverses a design speci cation and interconnects ports wherever possible. We name this MAP CONNECT TRANS.
An Example
To illustrate formal design with the prototype system, we sketch the derivation of an in nite input response (IIR) lter. A detailed presentation of this example can be found elsewhere 7] .
We start by entering the initial design speci cation at the top-level of a window stack with the BEGIN STACK window command. The resulting output from the system is: ==> * (output m = 0) /\ (output(SUC(t + m)) = (a * (input t)) + (b * (output(t + m))))
The notation used in the example is as follows. The current design speci cation is denoted by ?, and the relation that the current window preserves is denoted by ==> which is the ASCII representation of implication in HOL. In the speci cation m is the latency of the system which will be generated during the design and a and b are constants we instantiate the speci cation with. The latency tells us how many time units we have to wait for the rst output to appear whereas the delay tells us with which frequency we will generate new results after the initial latency. In this example, the delay of the speci cation is xed to 1 time unit by the use of Suc in the speci cation of the lter. The number of time units it takes for an input to have an e ect on the output is thus determined by the sum of the latency and the delay.
Since the delay of the lter speci cation is 1 time unit and the devices we will use to implement the lter have delays of 2 and 4 time units (arbitrary choice) we realise that the (macro) time unit used in the speci cation and the (micro) time unit used in the implementation can not be the same. Thus we have used a more abstract notion of time when we de ned the lter than what we did when we speci ed the behaviour of the adder and the multiplier. The use of abstract notions of time is a convenient method to specify the temporal ordering of events in situations where the time between events is not important. In the case of the lter we have speci ed that the current output of the lter will depend on the previous input and the previous output with out saying anything about how long ago previous was. To be able to design by re nement from such abstract speci cations we need a method to relate two notions of time. We do this with abstraction predicates:
Refine n abs ref = (abs = t: ref (n t)) This predicate relates two functions of time with a variable n. By introducing this predicate with one argument bound to a port variable and the other argument bound to a new variable of the same type, we can use the de nition of the predicate to rewrite the macro time speci cation to be expressed in terms of micro time. We introduce a Refine predicate and instantiate it so that it relates output to a new variable, out. Note that Refine does not represent a device but a timing constraint. We introduce an abstraction predicate for the input too and rewrite our original speci cation with the bodies of the abstraction predicates: ==> * Refine n input in /\ Refine n output out /\ ((\t. out(n * t))m = 0) /\ ((\t. out(n * t))(SUC(t + m)) = (a * ((\t. in(n * t))t)) + (b * ((\t. out(n * t))(t + m)))) After applying beta conversion to all subterms and expanding the successor function we have the following design: ==> * Refine n input in /\ Refine n output out /\ (out(n * m) = 0) /\ (out(n * ((t + m) + 1)) = (a * (in(n * t))) + (b * (out(n * (t + m)))))
When we look at the design speci cation we see that the output is de ned by two conjuncts that together form a conditional statement on the value of the time variable. This is easier to see if we state it in the following way: out (n (t+m)) = ((t = 0) ! 0 j (a in(n (t?1)))+(b out(n ((t?1)+m)))) We have de ned one possible implementation of this behaviour, using a Mux device, as a design transform, INIT MUX TRANS. We apply this to the design speci cation: ==> * Refine n input in /\ Refine n output mux1_out /\ MUX(mux1_sel,mux1_in1,mux1_in2)mux1_out /\ (mux1_sel(n * m) = T) /\ (mux1_sel(n * ((t + m) + 1)) = F) /\ (mux1_in1(n * m) = 0) /\ (mux1_in2(n * ((t + m) + 1)) = (a * (in(n * t))) + (b * (mux1_out(n * (t + m)))))
We have now completed the initialization phase of the design. A graphical representation of the current design can be seen in Fig. 6 where constraints on ports are denoted by dotted lines. The next design phase will be to synthesise the data path speci ed by the last conjunct in the current design speci cation. We start by opening a subwindow on that conjunct, and proceed to allocate computational resources. Since we can identify the outermost operator in the conjunct to be an addition we need a device that can perform addition. We use the adder de ned in Sect. 3.1. In order to use this device we must allocate a device of this kind and bind it to this instance of addition. We do this in one step with the window transform ALLOC BIND TRANS`add1`"ADD 2" where`add1`is the string annotating this device instance and \ADD 2" identi es and partially instantiates the parametrized device de nition. The introduced device is scheduled to perform the operation at some time point denoted by a new variable. The new design speci cation is: ! Refine n input in ! Refine n output mux1_out ! MUX(mux1_sel,mux1_in1,mux1_in2)mux1_out ! mux1_sel(n * m) = T ! mux1_sel(n * ((t + m) + 1)) = F ! mux1_in1(n * m) = 0 | input = (\t. in(n * t)) | !t. mux1_out t = (mux1_sel t => mux1_in1 t | mux1_in2 t) ==> * ADD 2(add1_in1,add1_in2)add1_out /\ (mux1_in2(n * ((t + m) + 1)) = add1_out(t_2 + 2)) /\ (a * (in(n * t)) = add1_in1 t_2) /\ (b * (mux1_out(n * (t + m))) = add1_in2 t_2)
The window inference interface precedes the assumptions of a subdesign by ! and lemmas derived from the assumptions by j. In this case the new variable denoting time is t 2. The resulting design speci cation can not as a whole be bound to a device even though it still holds unbound operators. To proceed we focus on subexpressions with unbound operators and allocate and bind devices to them just as we did above with the add operation. In this case the unbound operators are multiplications in conjuncts three and four. We allocate one multiplier for each of these and terminate all subdesigns which results in the following design speci cation: An alternative implementation would be to let the two multiplications share one multiplier. This would save one multiplier at the cost of additional multiplexors and delays. Such an example can be found elsewhere 7] .
We have now allocated a computational resource for every operator in the speci cation, and the data-path design phase is thereby concluded. The result can be seen in Fig. 7 . Having scheduled all computations, the retiming variable n and the latency variable m can be xed. From the current design speci cation we extract the following constraints on these variables: n ((t + m) + 1) = (n (t + m)) + 6 n t = n (t + m) Solving the rst constraint gives the value 6 to n and solving the second give the value 0 to m. We rst instantiate n to 6 but due to the fact that the latency variable is used in the original speci cation we cannot instantiate it. Instead we introduce a predicate constraining its value. (mux1_in2((6 * t) + 6) = add1_out((6 * t) + 6)) /\ MUL 4(mul1_in1,mul1_in2)mul1_out /\ (add1_in1((6 * t) + 4) = mul1_out((6 * t) + 4)) /\ (a = mul1_in1(6 * t)) /\ (in(6 * t) = mul1_in2(6 * t)) /\ MUL 4(mul2_in1,mul2_in2)mul2_out /\ (add1_in2((6 * t) + 4) = mul2_out((6 * t) + 4)) /\ (b = mul2_in1(6 * t)) /\ (mux1_out(6 * t) = mul2_in2(6 * t)) All computations are now scheduled and all constraints on ports are in a form making interconnection possible. We connect ports together by repeated applications of CONNECT TRANS that annotate some port variables as lines and rewrite judiciously. At this stage we also allocate and bind devices to represent constants with the CONST TRANS transform: The design is now completed and can be seen in Fig. 8 . Lines are denoted as lled-in lines between ports. The resulting design theorem held by the window, rewritten on the form: constraints`implementation speci cation is then: The fact that we get as a result of the data-path design a speci cation of the requirements necessary for the derived device implementation to satisfy the speci cation is an example of how well this method applies to digital system design.
Conclusions
In this paper we have demonstrated the applicability of window inference reasoning to digital system design and we have proposed an architecture for such a system based on the concepts of design transformations and annotations. We conjecture that window inference reasoning has some important properties for design applications: { Supports partitioning of the design task. { Allows the de nition of application speci c design transformations. { Supports the preservation of arbitrary re exive and transitive relations when transforming expressions. We have also presented a two-level design representation to support both formal reasoning and the e cient implementation of design algorithms. Although the annotations used in this example were basic they still proved to be valuable both to avoid making trivial errors in using the window transforms as well as in writing the algorithms underlying the more complex window transforms. We argue that in order for formal design techniques to become acceptable for realworld designers, an appropriate balance between formal proof and less strict but computationally e cient reasoning must be established and both types of reasoning supported. The list of possible future work includes:
{ Implement more analysis functions, e.g. a critical path analyser 9] and a pipeline extraction tool 1].
{ Use design representations that better capture algorithmic synthesis tasks 9]. { Use design annotations for storing redundant instead of additional information, i.e. information deduced from the logical representation.
