Refinement for Pipelining in Event-B  by Evans, Neil




The reﬁnement of an implementation-independent speciﬁcation of an instruction set to a simple
pipelined architecture is presented to illustrate subtleties in the formal development and analysis
of pipelined hardware from such speciﬁcations. The Event-B language and its tool support (the
Eclipse-based Rodin platform) is used for this purpose. The example demonstrates that na¨ıve use
of Event-B’s superposition reﬁnement fails to expose all of the potential hazards in pipelining. This
paper introduces a form of ‘event merging’ to complete the analysis.
Keywords: Reﬁnement, Event-B, pipelined architecture.
1 Introduction
The Control Systems team at AWE is currently undertaking the formal anal-
ysis of a hardware implementation of a Java Virtual Machine (JVM). The
intention is to analyse the behaviour of the processor with respect to the
instruction set presented in the oﬃcial JVM documentation [8]. Since the
instruction set of the JVM comprises over 200 bytecodes, this paper will il-
lustrate one of the intended approaches using a considerably smaller example.
However, the example is suﬃcient to demonstrate potential hazards in the
development of pipelined hardware through reﬁnement.
The work presented in this paper uses a dedicated notation and reﬁne-
ment technique for modelling systems: Event-B [10]. This is in contrast to
other approaches, such as [9], in which specialised theories are constructed
within general-purpose theorem provers. The Event-B notation is based on
1 Email: Neil.Evans@AWE.co.uk
Electronic Notes in Theoretical Computer Science 214 (2008) 183–202
1571-0661      © 2008 Elsevier B.V. 
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2008.06.009
Open access under CC BY-NC-ND license.
action systems, and incorporates a reﬁnement technique principally based on
superposition reﬁnement [3]. Event-B is supported by the Eclipse-based Rodin
tool [14].
The example used in this paper comes from [9]. In his work, Manolios
develops theories in ACL2 [2] to implement a reﬁnement technique based on
well-founded equivalence bisimulation [12]. In this context, the ACL2 language
(i.e. Common Lisp) is used to deﬁne state models and associated computation
steps at two levels of abstraction. In order to show a reﬁnement between the
models, it is necessary to construct a reﬁnement map between the states and
show that, for any related states, the relationship is preserved by computations
performed at the two levels of abstraction (up to ﬁnite stuttering).
Informally, the ACL2 and Event-B approaches described above are similar
because the reﬁnement map in ACL2 corresponds to the gluing invariant in
Event-B. A gluing invariant relates states in a reﬁned (concrete) Event-B
model with states in the corresponding abstract model. Finite stuttering in
the ACL2 approach corresponds to the introduction of new events in an Event-
B reﬁnement (see Section 1.2).
An early incarnation of Event-B has already been used in the develop-
ment of hardware for digital signal processing [5]. A circuit is speciﬁed at an
abstract level as a recurrence relation, which is reﬁned to derive a pipelined
implementation. The pipeline is used speciﬁcally to store preceding values for
the purpose of implementing the recurrence relation. Other related work is
the separate use of classical B [7] and action systems [11] to develop pipelined
hardware. However, in both cases, their motivation seems to be somewhat
diﬀerent because they start with speciﬁc hardware implementations in mind,
which inﬂuences the form of their abstract-level speciﬁcations. In this pa-
per, the abstract-level speciﬁcation is derived from the informal description
of an instruction set. As a consequence, the subsequent reﬁnement is not as
straightforward.
The structure of the paper is as follows. Event-B and its notion of reﬁne-
ment are introduced. Then an informal description of the instruction set of
a hypothetical processor (taken from [9]) is presented in Section 2; from this,
an abstract Event-B speciﬁcation is constructed. In Section 2.2, a pipelined
hardware architecture (also taken from [9]) is introduced as a candidate pro-
cessor for the instruction set, and Event-B reﬁnement is used to formalise the
architecture and its behaviour with respect to the instruction set. A proof
of reﬁnement, described in Section 2.4, fails to highlight some potential haz-
ards in the pipelined architecture, and a novel solution (event merging) is
proposed in Section 3 as a way to overcome these problems. In Section 4, we
see how over-zealous merging can introduce further problems in a reﬁnement.
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202184
A conclusion to the work is given in Section 5.
Note that this paper is not questioning the soundness of superposition
reﬁnement. The purpose of this paper is, given an abstract speciﬁcation of
an instruction set, to propose a solution to the task of its formal reﬁnement
to hardware. Also note, the reﬁned model presented in this paper is still
relatively abstract when compared to hardware description languages such as
VHDL [6]. Hence, the paper does not propose a complete route to hardware.
However, it could be incorporated into any future approach that generates
hardware from Event-B speciﬁcations.
1.1 The Event-B Notation
An abstract Event-B speciﬁcation [10] comprises a static part called the con-
text, and a dynamic part called the machine. The machine has access to the
context via a SEES relationship. This means that all sets, constants, and
associated properties deﬁned in the context are visible to the machine. To
model the dynamic aspects, the machine contains a declaration of all of the
state variables. The values of the variables are set up using the INITIAL-
ISATION clause, and values can be changed via the execution of events.
Ultimately, we aim to prove properties of the speciﬁcation, and these proper-
ties are made explicit using the INVARIANT clause in the machine. The
tool support generates the proof obligations that must be discharged to ver-
ify that the speciﬁcation is well-deﬁned and the invariant is maintained. It
also has interactive and automated theorem proving capabilities with which
to discharge the generated proof obligations.
Events are specialised B operations [1]. In general, the deﬁnition of an







where G(v) is a Boolean guard and S(v) is a generalised substitution (both of
which may be dependent on one or more state variables denoted by v) 2 . The
guard must hold for the substitution to be performed (otherwise the event is
blocked). A REFINES clause, which includes the name of an abstract event,
is necessary when the deﬁnition is a reﬁnement of an existing event. There are
2 The guard is omitted if it is trivially true.
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202 185
three kinds of generalised substitution in an event: deterministic, empty, and
non-deterministic. The deterministic substitution of a state variable x is an
assignment of the form x := E(v), for expression E (which may depend on
the values of state variables — including x itself), and the empty substitution
is skip. The non-deterministic substitution of x is deﬁned as
ANY t WHERE P (t, v) THEN x := F (t, v) END
Here, t is a local variable that is assigned non-deterministically according to
the predicate P , and its value is used in the assignment to x via the expression
F .
1.2 Reﬁnement in Event-B
In order to express the desired properties of a system as succinctly as possible,
an abstract speciﬁcation will dispense with many of the implementation details
in favour of a more mathematical representation. Reﬁnement is the means by
which the artefacts of an implementation can be incorporated into a formal
speciﬁcation whilst conforming to the behaviour of the abstract speciﬁcation.
A demonstration of Event-B reﬁnement will be given in Section 2.4.
Traditionally, two main kinds of reﬁnement are identiﬁed: data reﬁnement
and operational reﬁnement. In data reﬁnement, the aim is to replace abstract
state with a more concrete, implementation-like state. Operation reﬁnement
aims to replace abstract algorithms (events) comprising abstract constructs
with more program-like constructs. Operational reﬁnement addresses the re-
ﬁnement of existing events. However, reﬁnement in Event-B also allows the
introduction of new events. In many of his talks, Abrial gives a useful anal-
ogy for this form of reﬁnement: an abstract speciﬁcation is comparable to
viewing a landscape from a great height. At this level of abstraction we get a
good overview of the system without seeing many speciﬁc details. Reﬁnement
by introducing new events corresponds to moving closer to the ground: ﬁne
details that were previously out of sight are now revealed.
The context and machine of an abstract Event-B speciﬁcation can be re-
ﬁned separately. Reﬁnement of a context consists of adding sets, constants or
properties (the sets, constants and properties of the abstract context are re-
tained). The link between an abstract machine and its reﬁnement is achieved
via a gluing invariant deﬁned in the concrete machine. The gluing invariant
relates concrete variables to those of the abstract model. Proof obligations
are generated to ensure that this invariant is maintained.
The reﬁnement of an existing event is depicted in Figure 1. If, in a state
satisfying the gluing invariant J , a concrete event with (reﬁned) generalised






Fig. 1. Reﬁnement of an Existing Event
substitution S ′ and variable v′ causes a transition to a new state, then the
new state is related (via J) to a new state in the abstract world (i.e. a state
resulting from the abstract event with generalised substitution S with abstract
variable v). Note, the multiple arrows in the diagram indicate that generalised
substitutions can be non-deterministic. Also note that it is not necessary for
transitions in the abstract world to correspond to transitions in the concrete
world (i.e. reﬁnement can reduce the non-determinism).
New events introduced during Event-B reﬁnement are allowed on the pro-
viso that they cannot diverge (i.e. execute forever). This is necessary to en-
sure that new events cannot take control of the machine indeﬁnitely, thereby
maintaining the visibility of existing events. Formally, divergence freedom is
achieved by deﬁning a variant which strictly decreases with the execution of
each internal event. Since the variant is a natural number, the execution of
internal events must eventually terminate to allow the execution of one or
more existing events (after which internal activity may resume) 3 . Of course,
the desired properties of newly introduced events can be incorporated into the
invariant, and a proof is required to show that these additional properties are
maintained.
3 Since the concrete events only operate on the state variables of the reﬁned model, this
form of reﬁnement corresponds to a classical B reﬁnement in which the newly introduced
events simply reﬁne the abstract (empty) event skip.
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202 187
2 A Simple Example
This example of a pipelined processor is taken from [9] (which itself was taken
from [13]). At the most abstract level, we have to consider the instructions ac-
cepted by the processor, and their eﬀect on the state of the processor (ignoring
how this behaviour is implemented). The state of the processor includes a pro-
gram counter which records the index of the next instruction to be performed,
and a collection of registers that hold values during the execution of a sequence
of instructions (i.e. a program). We shall consider three instructions: an addi-
tion instruction, a conditional branch instruction and an unconditional branch
instruction. According to the informal description, each instruction comprises
four elements: the opcode (in this case: add, bez or jump), the identity of the
target register, and the identities of two source registers. The instructions are
deﬁned informally as follows:
• the add instruction adds the values held in the two source registers and
then stores the result in the target register. Also, the program counter is
incremented in order to perform the next instruction;
• the bez instruction sets the program counter to the value held in the second
source register if the value held in the ﬁrst source register is 0. If this value
is not 0 then the program counter is simply incremented;
• the jump instruction unconditionally sets the program counter to the value
held in the ﬁrst source register.
2.1 An Abstract-level Model
At the abstract level (which we call the instruction set architecture (ISA)
level), each instruction will be modelled in Event-B as an event which executes
instantaneously. This is the most natural way to formalise the instructions
listed above because, at this level of abstraction, we are only interested in the
eﬀects of the instructions on the state of the processor rather than the method
by which the instructions are executed.
A context holds the declaration of all types and constants used in the for-
mal model. This is shown in Figure 2. Note that Opcode is an enumerated
type consisting of elements add, bez and jump. The set Reg contains the iden-
tities of the value registers (in this case we only consider two registers ra and
rb). Finally, the set Instruction contains all 4-tuples comprising one opcode,
the identity of a target register, and the identities of two source registers. The
constant functions ins opcode, ins target, ins source1 and ins source2 are
deﬁned to access the components of an instruction (via the projections of the
4-tuples).





















Reg = {ra, rb}
ra = rb
Instruction = Opcode×Reg ×Reg ×Reg
ins opcode ∈ Instruction→Opcode
ins target ∈ Instruction→Reg
ins source1 ∈ Instruction→Reg
ins source2 ∈ Instruction→Reg
∀i·(i ∈ Instruction ⇒
ins opcode(i) =
prj1(Opcode×Reg)(prj1(Opcode×Reg×Reg)(prj1(Opcode×Reg×Reg×Reg)(i))))
∀i·(i ∈ Instruction ⇒
ins target(i) =
prj2(Opcode×Reg)(prj1(Opcode×Reg×Reg)(prj1(Opcode×Reg×Reg×Reg)(i))))
∀i·(i ∈ Instruction ⇒
ins source1(i) = prj2(Opcode×Reg ×Reg)(prj1(Opcode×Reg ×Reg ×Reg)(i)))
∀i·(i ∈ Instruction ⇒ ins source2(i) = prj2(Opcode×Reg ×Reg ×Reg)(i))
END
Fig. 2. The abstract context
The dynamic behaviour of the model is deﬁned in a machine. This is
shown in Figure 3. To be fully general, a program is modelled as a variable
(called program) which is a (partial) function that maps instruction indices
to instructions, and the variable PC holds the value of the current instruction
index. Hence, when PC is in the domain of program, the function application
program(PC) returns the next instruction to be executed. The variable regs
records the entries in all value registers. These variables are initialised to arbi-
trary values of the appropriate type by using the non-deterministic assignment
operator :∈.
The guard of an event is enabled only when the instruction indexed by PC
contains the appropriate opcode. For example, the event add inst is enabled
only when ins opcode(program(PC)) = add. Note that there are two events
corresponding to the bez instruction: one event for the zero case (i.e. when the
ﬁrst source register is 0) and one for the non-zero case; the guards determine
which of these events is enabled by examining the value held in the ﬁrst source
register.









program ∈ N → Instruction





program :∈ N → Instruction





ins opcode(program(PC)) = add
THEN
regs(ins target(program(PC))) :=
regs(ins source1(program(PC))) + regs(ins source2(program(PC)))





ins opcode(program(PC)) = bez
regs(ins source1(program(PC))) = 0
THEN





ins opcode(program(PC)) = bez
regs(ins source1(program(PC))) = 0
THEN





ins opcode(program(PC)) = jump
THEN
PC := regs(ins source1(program(PC)))
END
END
Fig. 3. The abstract machine
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202190
PROGRAM LATCH 1 LATCH 2 ALU
regs
PC
Fig. 4. A three-stage pipeline
2.2 An Implementation
At the implementation level, a pipelined architecture shall be used to execute
programs. This is depicted in Figure 4. The solid arrows in the diagram
indicate the three stages in the pipeline, whereas the dashed arrows indicate
the ﬂow of data to and from the registers and program counter. The ﬁrst
stage of the pipeline fetches the next instruction from memory and puts it
in LATCH1. The next stage replaces the identities of the source registers
(of the instruction held in LATCH1) with their actual values. This is stored
in LATCH2 in readiness for the third stage which performs the necessary
ALU operation for the instruction to complete. Note that add and bez require
the arithmetic and logic capabilities of the ALU and, hence, will traverse the
entire pipeline. However, the jump instruction does not require the ALU and
can be completed after reaching LATCH1.
Since several instructions can be in the pipeline at any one time, our aim
is to prove that the implementation-level architecture faithfully executes the
instructions as described at the abstract level. However, even without per-
forming a formal analysis, it is not too diﬃcult to see that, without adequate
control mechanisms, it is possible for conﬂict to arise within the pipeline.
For example, consider the following program fragment consisting of two add
instructions:
add ra ra rb
add rb ra rb
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202 191
The ﬁrst instruction adds the values of registers ra and rb and stores the
result in ra. The second instruction performs the same addition and stores
the result in rb. If both instructions are in the pipeline at the same time then
the values of the source registers in the second instruction will be substituted
for their register names before the ﬁrst addition (and subsequent update of
ra) has been completed. Hence the addition in the second instruction would
be performed on ‘old’ values. This problem is typically overcome by stalling
the second instruction’s entry into the pipeline. We therefore expect a formal
analysis of the pipeline to expose this hazard.
2.3 An Implementation-level Model
The approach taken in this paper models an implementation-level description
as a reﬁnement of the abstract-level description. At the implementation level,
the stages of the pipeline will be modelled as distinct events. Hence, to model
the execution of a single instruction, an event at the abstract level will be
reﬁned to a sequence of events. This is a typical reﬁnement step in Event-
B: single atomic events are reﬁned into multiple (i.e. non-atomic) lower-level
events. However, as we shall see, in order to model pipelining faithfully, this
simple approach is insuﬃcient.
In order to show that the pipeline correctly implements the abstract-level
instructions, we construct a reﬁnement of the ISA machine and introduce
further events to model the stages of the pipeline. Recall from Section 1.2 that
reﬁnements of existing events must preserve the behaviour of their abstract
counterparts, as dictated by the gluing invariant. In the implementation-level
model, we continue to use the variable regs and, hence, the gluing invariant
is implicitly an identity relation on the values of this variable. Therefore,
our deﬁnitions of the concrete events add inst, bez inst, bez inst2 and
jump inst must preserve the behaviour of their abstract counterparts with
respect to regs. However, as we shall see, these events will be deﬁned in
terms of other variables, and this will require us to make assertions about
these newly-introduced variables in the implementation-level invariant. Before
we introduce the reﬁnement to the ISA machine, a reﬁnement of the Types
context is necessary. This is because the second stage of the pipeline replaces
instructions containing the identities of two source registers with instructions
containing the values of the two source registers. Hence, a new set called
Substitution is introduced which contains all 4-tuples comprising an opcode,
a (target) register identity and two natural numbers, i.e.:
Substitution = Opcode×Reg × N×N




latch1 status ∈ Status
latch1PC ∈ N
latch2 status ∈ Status
latch2PC ∈ N
commitPC ∈ N
Fig. 5. Implementation-level variables
The functions sub opcode, sub target, sub source1 and sub source2 are de-
ﬁned to access the ﬁelds of the 4-tuple. We also introduce a set called Status
which contains the elements vacant and occupied to record the status of each
latch in the pipeline.
The implementation-level reﬁnement of the ISA machine is called MA (for
micro-architecture). The variables introduced at this level, and their types, are
shown in Figure 5. The variable latch1 models the ﬁrst stage of the pipeline
(i.e. the box labelled LATCH1 in Figure 4). If it is occupied (according to
the variable latch1 status) then latch1 contains the instruction that has just
entered the pipeline. The variable latch1PC records the index of the instruc-
tion held in latch1. Similarly, latch2 models the second stage of the pipeline
(i.e. the box labelled LATCH2 in Figure 4). At this stage, the identities
of the source registers are replaced by their values. Hence, latch2 is of type
Substitution. Since the pipeline can hold a number of partially completed
instructions, we record the index of the next instruction to enter the pipeline
(fetchPC) and the index of the next instruction to complete (commitPC).
Recall that the variable PC records the index of the next instruction to com-
plete at the abstract level. Hence, we can make this observation explicit by
adding the following equality to the gluing invariant:
commitPC = PC
As well as the events add inst, bez inst, bez inst2 and jump inst, we
deﬁne two further events at the implementation level which correspond to the
ﬁrst two stages of the pipeline: the event fetch loads instructions into latch1,
and set up alu op loads instructions from latch1 into latch2 (and substitutes
the identities of the source registers with their values). These are shown in
Figure 6.




latch1 status = vacant
THEN
fetchPC := fetchPC + 1
latch1 := program(fetchPC)
latch1 status := occupied
latch1PC := fetchPC
END
EVENT set up alu op
WHEN
latch1 status = occupied
latch2 status = vacant
ins opcode(latch1) ∈ {bez, add}
THEN
latch2 := (ins opcode(latch1) → ins target(latch1) →
regs(ins source1(latch1)) → regs(ins source2(latch1)))
latch1 status := vacant
latch2 status := occupied
latch2PC := latch1PC
END
Fig. 6. New events
2.4 A Proof of Reﬁnement
The reﬁned events add inst, bez inst, bez inst2 and jump inst are de-
ﬁned in terms of the new latch variables. Examples of these are given in
Figure 7. Note that the event add inst uses latch2 because it requires the
ALU, whereas jump inst does not require the ALU and, hence, can be com-
pleted on reaching latch1 (but only if latch2 is vacant).
On submitting the implementation-level model to the Rodin tool, proof
obligations are generated in order to show that MA is a reﬁnement of ISA.
The tool will discharge any proof obligations that it can automatically, leaving
the rest for the user. Discharging all proof obligations requires a strengthening
of the gluing invariant to capture the implementation-speciﬁc relationships
between the variables. For completeness, this is shown in Figure 8. Although
this invariant appears to be non-trivial, it is quite straightforward to derive
this from the outstanding proof obligations.




sub opcode(latch2) = add
latch2 status = occupied
THEN
regs(sub target(latch2)) := sub source1(latch2) + sub source2(latch2)
latch2 status := vacant





ins opcode(latch1) = jump
latch1 status = occupied
latch2 status = vacant
THEN
fetchPC := regs(ins source1(latch1))
latch1 status := vacant
latch2 status := vacant
commitPC := regs(ins source1(latch1))
END
Fig. 7. Reﬁned events
Once constructed, the invariant can be used to discharge all remaining
proof obligations, thereby proving that MA is a reﬁnement of ISA. This
is somewhat disturbing because Section 2.2 described a situation in which
conﬂict could arise within the pipeline. The conﬂict does not arise in the
Event-B model because the events will vacate the latches before they are re-
occupied by subsequent instructions. To see why the conﬂict does not arise,
recall the simple example program from Section 2.2:
add ra ra rb
add rb ra rb
If this program begins executing in a state in which ra = 1 and rb = 2 then
the resulting ﬁnal state should be ra = 3 and rb = 5. The following table
shows the steps in the execution using the events deﬁned in MA. Note that
we begin in a state in which the ﬁrst add instruction has reached latch2 and
the second add instruction has reached latch1.
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202 195
latch2 status = occupied⇒ latch2PC = commitPC
latch1 status = occupied∧latch2 status = vacant⇒ latch1PC = commitPC
latch1 status = vacant ∧ latch2 status = vacant⇒ fetchPC = commitPC
latch2 status = occupied ∧ latch1 status = vacant ⇒ fetchPC =
commitPC + 1
latch1 status = occupied ∧ latch2 status = vacant ⇒ fetchPC =
commitPC + 1
latch2 status = occupied ∧ latch1 status = occupied ⇒ latch1PC =
commitPC + 1
latch2 status = occupied ∧ latch1 status = occupied ⇒ fetchPC =
commitPC + 2
latch2 status = occupied⇒ ins opcode(program(PC)) = sub opcode(latch2)
latch1 status = occupied∧ latch2 status = vacant⇒ program(PC) = latch1
latch2 status = occupied ∧ latch1 status = occupied⇒ program(PC + 1) =
latch1
latch2 status = occupied ∧ sub opcode(latch2) = add⇒
sub target(latch2) = ins target(program(PC))
latch2 status = occupied⇒
sub source1(latch2) = regs(ins source1(program(PC)))
latch2 status = occupied⇒
sub source2(latch2) = regs(ins source2(program(PC)))
Fig. 8. Implementation-level invariant
event latch1 latch2 ra rb
· · · add rb ra rb add ra 1 2 1 2
add inst add rb ra rb — 3 2
set up alu op — add rb 3 2 3 2
add inst — — 3 5
In this initial state, the only enabled event is add inst, which takes the
(substituted) instruction in latch2, performs the addition and updates the
registers. Only after this has happened and latch2 has been vacated can
the set up alu op event perform the substitution to move the instruction in
latch1 to latch2.
The conﬂict only arises because an (unconstrained) pipeline would perform
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202196
the two steps at once, and we would observe the following behaviour:
event latch1 latch2 ra rb
· · · add rb ra rb add ra 1 2 1 2
add inst/set up alu op — add rb 1 2 3 2
add inst — — 3 3
Here we can observe an incorrect ﬁnal state.
3 Merging Events
In order to expose this conﬂict in the formal model, it is possible to deﬁne extra
events. In addition to the events deﬁned earlier, we deﬁne events that merge
the stages of the pipeline. Examples of merging are shown in Figure 9. The
combined event set up alu op and fetch uses the events shown in Figure 6.
Note that we have not simply combined the guards and actions of the two
events because it is possible to eliminate some redundant features. For exam-
ple, in this deﬁnition we have not included the guard latch1 status = vacant
from fetch because one of the actions of set up alu op vacates latch1. Sim-
ilarly, we can eliminate the action latch1 status := occupied from fetch be-
cause the guard of set up alu op assumes this to be true. The combined
event add inst and fetch illustrates the combination of newly introduced
events (in this case fetch) with reﬁned events (add inst). Hence, this com-
bined event is deﬁned to be a reﬁnement of the abstract add inst event.
Conﬂict is exposed when we cannot discharge all proof obligations gener-
ated by the merged events. Note that during this process we keep the invariant
ﬁxed: merged events must continue to maintain the same invariant. This elim-
inates an additional level of complexity in the merging process. Conﬂict, in
this case, arises when we try to combine add inst with set up alu op. By
following the same approach, the combination add inst and set up alu op
is shown in Figure 10. Since this is deﬁned to be a reﬁnement of the abstract
add inst event, we are required to prove that its behaviour is preserved (as
depicted in Figure 1). Within the invariant shown in Figure 8 are the follow-
ing two clauses:
latch2 status = occupied ∧ sub opcode(latch2) = add ⇒
sub source1(latch2) = regs(ins source1(program(PC)))
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202 197
EVENT set up alu op and fetch
WHEN
latch1 status = occupied
latch2 status = vacant
fetchPC ∈ dom(program)
ins opcode(latch1) ∈ {bez, add}
THEN
latch1 := program(fetchPC)
latch2 := (ins opcode(latch1) → ins target(latch1) →
regs(ins source1(latch1)) → regs(ins source2(latch1)))
fetchPC := fetchPC + 1




EVENT add inst and fetch
REFINES add inst
WHEN
sub opcode(latch2) = add
latch2 status = occupied
latch1 status = vacant
fetchPC ∈ dom(program)
THEN
regs(sub target(latch2)) := sub source1(latch2)+sub source2(latch2)
latch2 status := vacant
commitPC := latch2PC + 1
fetchPC := fetchPC + 1
latch1 := program(fetchPC)
latch1 status := occupied
latch1PC := fetchPC
END
Fig. 9. Merged events
latch2 status = occupied ∧ sub opcode(latch2) = add ⇒
sub source2(latch2) = regs(ins source2(program(PC)))
These state that the operands of the add instruction in the implementation and
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202198
EVENT add inst and set up alu op
REFINES add inst
WHEN
sub opcode(latch2) = add
latch2 status = occupied
latch1 status = occupied
ins opcode(latch1) ∈ {bez, add}
THEN
regs(sub target(latch2)) := sub source1(latch2)+sub source2(latch2)
commitPC := latch2PC + 1
latch2 := (ins opcode(latch1) → ins target(latch1) →
regs(ins source1(latch1)) → regs(ins source2(latch1)))
latch2PC := latch1PC
latch1 status := vacant
END
Fig. 10. A conﬂicting combination
abstract models match. By introducing the event add inst and set up alu op,
these clauses yield two proof obligations which, after simpliﬁcation, require
proofs to the following:
regs(ins source1(latch1)) =
(regs − {sub target(latch2) → · · ·})(ins source1(latch1))
regs(ins source2(latch1)) =
(regs − {sub target(latch2) → · · ·})(ins source2(latch1))
where − overrides a function with new values. These two proof obliga-
tions are, in fact, asking us to prove that there is no conﬂict between latch1
and latch2 because the equality of the function applications can be proven
only if sub target(latch2) = ins source1(latch1) and sub target(latch2) =
ins source2(latch1). Indeed, by adding these inequalities to the guard of
add inst and set up alu op the proof obligations are discharged automat-
ically. As a consequence, by strengthening the guard in this way, the event
will not be enabled in a conﬂicting situation, and the previously-deﬁned events
add inst and set up alu op will have to be called separately so that the con-
ﬂicting instructions make progress along the pipeline. This has revealed the
stalling mechanism that is necessary to delay the second add instruction until
the ﬁrst one has completed.
The merging step presented in this section is very similar to the synchro-
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202 199
nised parallel composition of event systems in [4], in which B machines (rep-
resenting system components) are combined into a single machine: events
are merged and guards are strengthened according to an accompanying syn-
chronisation speciﬁcation. It would be possible to achieve some of the results
described in this section using the approach presented in [4], and it would
be advantageous to have a synchronised speciﬁcation to declare which events
should be merged. In particular, it would be possible to combine a machine
with itself in order to merge events contained in the same machine. However,
the pipeline example demonstrates how merging through reﬁnement can be a
useful way to determine which guards need to be strengthened (as illustrated
in the reﬁnement of add inst by add inst and set up alu op). The main
result in [4] shows that their synchronisation step is monotonic with respect to
reﬁnement, but does not consider synchronisation as a reﬁnement step itself.
As far as the author is aware, there are currently no plans to implement the
results of [4] in the Rodin tool.
4 A Step too far
In [9], the reﬁnement is capable of performing an add instruction and a jump
instruction in the same step because (as stated in Section 2.2) the jump in-
struction can be performed when it reaches latch1. If we attempt to do this
using the merging technique then we get the deﬁnition shown in Figure 11.
The ﬁrst question that arises is which of the abstract operations does it reﬁne?
It does not reﬁne add inst because, among other things, this abstract event
increments the program counter PC (see Figure 3). Similarly, it does not re-
ﬁne jump inst because, unlike add inst and jump inst, this abstract event
does not change the values held in the registers. However, whether Event-B
is used or any other approach, it is diﬃcult to see how such a combination
can be considered to be a reﬁnement at all, because add inst and jump inst
exist as distinct observable events at the abstract level, and the merged event
does not preserve this level of granularity. It is, therefore, unclear how this is
permitted in the ACL2 example of [9] since this anomaly is not speciﬁc to the
Event-B model 4 .
5 Conclusion
This paper has demonstrated an approach to the formal development of pipelined
hardware in Event-B. It has shown that it is possible to overlook potential haz-
ards if Event-B’s notion of reﬁnement is used na¨ıvely. The approach presented
4 An answer to this question was requested but not received.
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202200
EVENT add inst and jump inst
REFINES ?
WHEN
sub opcode(latch2) = add
latch2 status = occupied
latch1 status = occupied
ins opcode(latch1) = jump
ins source1(latch1) = sub target(latch2)
THEN
regs(sub target(latch2)) := sub source1(latch2)+sub source2(latch2)
latch2 status := vacant
fetchPC := regs(ins source1(latch1))
commitPC := regs(ins source1(latch1))
latch1 status := vacant
END
END
Fig. 11. A bad combination
in this paper of merging events gives a more accurate model of pipelined be-
haviour, and reveals conﬂicts within the pipeline by generating unprovable
proof obligations. By strengthening guards, it is possible to circumvent such
conﬂicts, and introduces explicit constraints in the pipeline to guarantee cor-
rect execution. An alternative solution could be achieved by redeﬁning the
abstract-level speciﬁcation, but this would obscure the relationship between
the formal speciﬁcation and the informal description of the instruction set.
Even though Event-B’s superposition reﬁnement did not expose all of the
possible problems of the pipeline example, there are deﬁnite advantages to
modelling and reﬁning using this technique: in general, it enables the intro-
duction of speciﬁc parts of a system in a stepwise manner without having
to consider the global view of the system. However, since we have demon-
strated that is possible to overlook potential hazards, we must conclude that
awareness of ‘global’ behaviour is also necessary when using this approach.
The merge step presented in Section 3 introduces another level of complex-
ity to formal modelling: for a given set of events, the number of possible merge
events is considerable. However, not all combinations are ‘meaningful’. For ex-
ample, whilst it is meaningful to have events such as set up alu op and fetch,
which moves instructions from latch1 to latch2 and then loads latch1 in a sin-
gle step, it does not make sense to have a fetch and set up alu op event
because this would load an instruction into latch1 and immediately move it
into latch2.
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202 201
Keeping the invariant ﬁxed during the merging step is another way in
which complexity is reduced. It should not be necessary to modify the in-
variant during merging because the merged events do not add anything new
— they merely allow several existing events to occur in a single step. Hence,
the invariant should continue to capture the properties of the system. Any
unprovable proof obligations will be a direct result of conﬂict within a merged
event and, hence, reveal a hazard on the pipeline.
Acknowledgement
The author is grateful to the reviewers for their valuable comments.
References
[1] Abrial J. R.: The B Book: Assigning Programs to Meaning, CUP (1996).
[2] ACL2, http://www.cs.utexas.edu/users/moore/acl2/ .
[3] Back R. J., Sere K.: Superposition Reﬁnement of Reactive Systems. In Formal Aspects of
Computing, Springer (1996).
[4] Bellegarde F., Julliand J., Kouchnarenko O.: Synchronised Parallel Composition of Event
Systems in B. In ZB 2002: Formal Speciﬁcation and Development in Z and B, Springer (2002).
[5] Hallerstede S., Zimmermann Y.: Circuit Design by Reﬁnement in EventB. In FDL’04, Forum
on Speciﬁcation and Design Languages (2004).
[6] IEEE Standard VHDL Language Reference Manual, IEEE Computer Society (2000).
[7] Iﬁll W.: The Formal Development of an Example Processor in AMN, C and VHDL, MSc thesis,
Royal Holloway, University of London (1999).
[8] Linderholm T., Yellin F.: The JavaTM Virtual Machine Speciﬁcation, Second Edition, Addison-
Wesley (1999).
[9] Manolios P.: Reﬁnement and Theorem Proving, International School on Formal Methods for the
Design of Computer, Communication, and Software Systems: Hardware Veriﬁcation, Springer
(2006).
[10] Me´tayer C., Abrial J. R., Voisin L.: Event-B Language, Rodin deliverable 3.2,
http://rodin.cs.ncl.ac.uk (2005).
[11] Plosila J., Sere K.: Action Systems in Pipelined Processor Design. Proc. of the International
Symposium on Advanced Research in Asynchronous Circuits and Systems, IEEE Computer
Science Press (1997).
[12] Namjoshi K. S.: A Simple Characterisation of Stuttering Bisimulation. Proc. of the 17th
Conference on Foundations of Software Technology and Theoretical Computer Science, LNCS
(1997).
[13] Sawada J.: Veriﬁcation of a Simple Pipelined Machine Model. In M. Kaufmann, P. Manolios
and J. S. Moore (editors) Computer-Aided Reasoning: ACL2 Case Studies, Kluwer Academic
Publishers (2000).
[14] Voisin L.: User Manual of the Rodin Platform, version 2.2 (2007).
N. Evans / Electronic Notes in Theoretical Computer Science 214 (2008) 183–202202
