The full-text may be used and/or reproduced, and given to third parties in any format or medium, without prior permission or charge, for personal research or study, educational, or not-for-prot purposes provided that:
Introduction
The design of a complex control system is ideally decomposed into a progression of related phases. It starts with an investigation of properties and behaviours of the process evolving within its environment, and an analysis of the requirement for its safety performance. From these is derived a specification of the electronic or program-centred components of the system. The process then may go through a series of design phases, ending in a program expressed in a high level language. After translation into a machine code of a chosen computer, it can be executed at a high speed by electronic circuity. In order to achieve time performance required by the customer, additional applicationspecific hardware devices may be needed to embed the computer into the system which it controls.
Classical circuit design methods resemble the low level machine language programming methods. These methods may be adequate for small circuit design, but not adequate for circuits that perform complicated algorithms. Industry interests in the formal verification of embedded systems are gaining ground since an error in a widely used hardware device can have adverse effect on profits of the enterprise concerned. A method with great potential is to develop a useful collection of proven equations and other theorems, to calculate, manipulate and transform a specification formulae to the product.
Hardware/software co-design is a design technique which delivers computer systems comprising hardware and software components. A critical phase of the co-design process is the hardware/software co-specification, which starts from a high level system specification and ends with a pair of sub-specifications representing resp. hardware and software. Our previous work ( [17] ) proposes a formal partitioning algorithm which splits a Verilog source program into hardware and software specifications. The partitioning correctness is verified using algebraic laws developed for the Verilog hardware description language. This algebraic approach has also been demonstrated in our earlier work [15, 16] . One of advantages of this approach is that it ensures the correctness of the partitioning process. Moreover, it optimises the underlying target architecture, and facilitates the reuse of hardware devices.
In this paper, we bridge the gap between the high level specification in Statecharts and the Verilog source program by defining a mapping function between the two formalisms. Through this work, the overall co-specification process can be automated, as illustrated in Fig.1 . Two key contributions of the present paper are:
-we propose a formal operational semantics for a subset of Statecharts with data states, which adopts an asynchronous model and supports true concurrency; -we define a formal mapping function which transforms a Statechart specification into a Verilog program. We show that the target program after mapping preserves the semantics of the source specification.
S t a t e c h a r t s S p e c i f i c a t i o n M a p p i n g V E R I L O G R a w S p e c i f i c a t i o n
A l g e b r a i c T r a n s f o r m a t i o n
R e f i n e d V E R I L O G S p e c i f i c a t i o n H a r d w a r e -S o f t w a r e P a r t i t i o n i n g S o f t w a r e S p e c i f i c a t i o n H a r d w a r e S p e c i f i c a t i o n H a r d w a r e -S o f t w a r e C o -S y n t h e s i s P e r f o r m a n c e E s t i m a t i o n & S i m u l a t i o n
F o r m a l P a r t i t i o n i n g R u l e s
Fig. 1. HW-SW Co-Specification
The mapping process can be integrated with our previous formal partitioning algorithm so as to form an automated hardware-software co-specification process for hardware-software co-design, as summarised in Fig.1 . The remainder of this paper is organised as follows. Section 2 first gives a formal (text-based) syntax for Statecharts with data states and proposes a compositional operational semantics for it afterwards. Section 3 introduces a subset of Verilog for behaviourial specification. We build a mapping function from Statecharts into Verilog and prove that it is a homomorphism between the two formalisms in Section 4. Related works together with a simple discussion and conclusion follow afterwards.
Operational Semantics for Statecharts
The graphical language of Statecharts as proposed by David Harel ([4] ) is suitable for the specification and modeling of reactive systems. While the (graphical) syntax of the language has been formulated quite early, the definition of its formal semantics proved to be more difficult than originally expected. As discussed in [14] , these difficulties may be explained as resulting from several requirements that seem to be desirable in a specification language for reactive systems, but yet conflict with one another in some interpretations. This may be why there exist more than twenty variants of Statecharts ( [21] ), each of which can be regarded as a subset of the originally expected language. The version discussed in [6] for STATEMATE is rather large and powerful; however, their operational semantics is neither formal nor compositional. The work presented in [11] provides a compositional semantics for Statecharts, but does not contain data states. Hooman et.al ( [9] ) proposes a denotational semantics based on histories of computation. Following this line, [20] attempts to link the denotational semantics of Statecharts with temporal logic, so as to support formal verification. All these works adopt a synchronous model of time, which is simpler to understand and formalise, but less powerful than the asynchronous model.
Our version of Statecharts involves data items. The model we adopt is the asynchronous model, which is more powerful for specifying and modeling complex systems. Our formal operational semantics comprises the following features.
-It is compositional, which implies that inter-level transitions and state references have been dropped. The history mechanism has also been ignored. -It adopts an asynchronous time model, in which a macro-step (comprising a sequence of micro-steps) occurs instantaneously. This model supports perfect synchrony hypothesis and also supports state refinement in top-down design. -It reflects the causality of events.
-To be more intuitive, our semantics obeys local consistency, rather than global consistency. That is, the absence of an event may lead to itself directly or indirectly in the same macro-step. -Instantaneous states are allowed, but each state cannot be entered twice or more at the same instant of time.
1
-It covers the data-state issues of Statecharts, allowing assignments in state transitions. -It supports true concurrency.
In this paper, timeout events are not included and this aspect is left as future work. In what follows we give a formal syntax for Statecharts, and afterwards investigate its operational semantics thoroughly.
A Formal Syntax of Statecharts
Quoting from [5] In order to formalise the syntax of Statecharts, we introduce the following notations. : a set of names used to denote Statecharts which is large enough to prevent name conflicts.
: the set of all abstract events (signals). We also introduce another set to denote the set of negated counterparts of events in , i.e. , where denotes the negated counterpart of event , and we assume . : the set of all assignment actions of the form exp.
Var
Val is the valuation function for variables, where Var is the set of all variables, Val is the set of all possible values for variables. A snapshot for variables is . : the set of transitions, which is a subset of , where is the set of boolean expressions. Similar to [12, 11] , we give a term-based syntax for Statecharts. The set SC of Statecharts terms is constructed by the following inductively defined functions. is an And-statechart named , which contains a set of orthogonal (concurrent) substates .
Operational Transition Rules
The configuration of computation is defined by a triple , where
-is the syntax of the statechart of interest.
-gives the snapshot of data items.
denotes the current environment of active events.
The behaviour of a statechart is composed of a sequence of macro-steps, each of which comprises a sequence of micro-steps. A statechart may react to any stimulus from the environment at the beginning of each macro-step by performing some enabled transitions and generating some events. This may fire other state transitions and lead to a chain of micro-steps without advancing time. During this chain of micro-steps, the statechart does not respond to any potential external stimulus. When no more internal transitions are enabled, the clock tick transition will occur by emptying the set of active events and advancing time by one unit.
We explore a set of transition rules comprising state transitions and time advance transitions.
At any circumstance, what a basic statechart can do is to advance time by a clock tick.
1.
If a transition between two immediate substates of an Or-statechart is enabled and the transition condition is true in current circumstance, it can be performed.
2.
En tgt trig a where src and tgt denote, respectively, the source and target state of transition . a represents all events generated by transition , whereas a denotes a single assignment action generated by . No loss of general results since a sequence of instantaneous assignment statements can be transformed into a single one. This changes the data state from to . En comprises all transitions among substates of being enabled by events in . It can be generated by the following definition. The function changes the active substate of into its default substate, and the same change is applied to its new active substate.
The substitution for an Or-statechart is defined by Discussion: in rule 2, those events that are used to trigger are consumed by and will no longer exist. This mechanism looks intuitive and reasonable and can help to prevent incorrect looping. Consider an example given in Fig. 2 (a) . When the first event from the environment comes, the transition is performed and the active substate is migrated from to . This will not move back to until next event occurs, as under normal expectation. Earlier work ( [14] ) suggests a different treatment, where active events are kept active during all micro-steps in a macro-step, where they may be reused many times. For a parallel statechart, variables are shared by all orthogonal components. However, each variable can only be modified by one component. We use WVar to denote the set of variables that can be modified by a statechart .
It is natural and intuitive to accept that several transitions allocated in orthogonal components may be fired simultaneously. This implies that they can be performed in a truly concurrent way. However, we have to write the transition rule for parallel statecharts carefully. Let us look at the statechart in Fig. 2 (b) . Suppose the external stimulus is , which will fire both and at the same moment. Under rule 2, performing either of them will prevent another from happening since the common event is consumed by the performed transition. This contradicts the above intuitive explanation.
We propose a more reasonable way in which simultaneously enabled transitions are allowed to occur concurrently within And-charts. In the following rule, we suppose is a permutation of .
5.
all In this rule, the overall transition that the And-chart performs involves several simultaneously enabled transitions which are performed respectively by components . Other components ( ) are not involved in this transition.
A time advance transition will take place if all orthogonal components agree to do so.
En

Verilog and Its Operational Semantics
Hardware description languages (HDLs) are widely used to express designs at various levels of abstraction in modern hardware design. A HDL typically contains a high level subset for behaviour description, with the usual programming constructs such as assignments, conditionals, guarded choices and iterations. It also has appropriate extensions for real-time, concurrency and data structures for modeling hardware. VHDL and Verilog ( [10] ) are two contemporary HDLs that have been widely used for years. Although the formal semantics of VHDL has been studied quite thoroughly, that of Verilog has been ignored until recently ( [3, 7, 8, 22, 23] ). However, it is reported that Verilog has been more widely used in industry (especially in US)( [3] ).
What we shall use is a simple version of Verilog with some notational extension (as discussed in [7] ) which contains the following categories of syntactic elements. Although Verilog has been standardised ( [10] ) and widely used in industry, its precise semantics is still lacking. Some recent work ( [7, 8, 22, 23] ) attempted to address its formal semantics issues from different points of views. The most recent work ( [7] ) discussed these distinct views, especially the algebraic and operational semantics for Verilog, and explored the underlying links between them.
The subset of Verilog we adopt is quite similar to that proposed by He ([7] ). However, there are some different treatments between our version and He's version. We include explicitly the possible context environment of active events in our configuration, and change the operational rules for the parallel constructs. This facilitates our semantic mapping from Statecharts into Verilog, and does not change the observable behaviour of a program.
In our operational semantics of Verilog, transitions are of the form . The configuration describes the state of an executing mechanism of Verilog programs together with the environment of active events before an action , whereas describes that immediately after. They are identified as triples , where -is a program text, representing the rest of the program that remains to be executed.
Var Val records the data state. -is the current set of active events.
A label denotes a transition from state to . It can be a clock tick event , or a compositional event possibly with three conjunctive parts: representing the enabling condition, the set of events consumed, and the set of events generated, respectively. Now we present a critical subset of transition rules which are relevant to our transformation from Statecharts into Verilog.
The primitive sink can do nothing but advance time by a clock tick.
sink sink
The guarded choice construct can take a guarded transition if that guard is enabled.
for some where indicates that the input guard is enabled by . This is defined as:
Also, extracts all "positive" events from the input guard (to be consumed when enabling the guard), i.e., and records the set of events generated by the output guard . Given an output guard , the generated events are
if if otherwise
If no guard is enabled, the clock tick can be performed.
where is the same as if no time delay guards ( ) appear in . Otherwise, it is the guarded choice obtained from by eliminating all time delay guards.
A parallel construct of guarded choices is of the form where This can be transformed into a guarded choice construct by algebraic laws ( [7] ). Here, we give the transition rules for the parallel construct directly. It can perform a (compositional) guarded transition if some threads agree, where denotes a permutation of .
where , and
If no threads can take a guarded transition, then the clock tick event can take place, as follows:
Note that is the same as if no time delay guards ( ) appear in . Otherwise, it is the guarded choice obtained from by eliminating all time delay guards.
A sink thread does not block the behaviour of its partners.
sink sink
Mapping Statecharts into Verilog
In this section, we build a link between Statecharts and Verilog, by which a Statecharts description can be mapped to its corresponding Verilog program. We show such a mapping preserves the semantics and can be conducted in a compositional manner.
Mapping Function
Before constructing the mapping function called , we address some subtle issues and introduce some notations. There exist two features which complicate the definition of on an Or-chart, one is the hierarchical feature of Statecharts and the priority of transitions, whereas the other lies in that an And-chart can be a sub-chart of an Or-chart. This feature differentiates Statecharts from conventional programming languages. The former indicates that transitions in an outer level (rule 2) has higher priority than those in an inner level (rule 3). The possible transitions are considered hierarchically, starting from the current active state, and progressing into inner active substates where applicable. By enumerating these transitions in accordance with the hierarchy, we can cope with the different priorities for transitions occurring in distinct levels.
To deal with the above features, we prepare the following formal notations. We first give a function or-depth SC to calculate the "or-depth" of a statechart, which is defined as follows: For each statechart, we always assume each of its variables has bounded range, and the set of possible events is finite, which implies that the set of its configurations is finite. Therefore, the set of configurations (under transition relation) forms a wellfounded quasi order, which indicates the mapping function is terminating.
The following example deals with the transformation of statecharts in Fig. 2 . 
Correctness
The following theorem shows that the mapping function from Statecharts into Verilog is a homomorphism between the two formalisms. Fig. 5 .
Theorem 1 (Homomorphism
C ' C P ' P t L L l
Fig. 5. Mapping function
Proof By case analysis on the type of . is constructed by Basic. What can do is to perform the clock tick and remains as after the transition. On the other hand, from Definition 1 we know sink, which does nothing but performs the clock tick and remains as sink after that. 2.
is constructed by Or. In case that , it can be proved similar to the first case. Now suppose , can (1) 
It exactly accords with resc
. The case for a clock tick transition is trivial. The second part is also straightforward, since any transition of the result parallel construct in Verilog either involves several threads or a single thread. From the definition of , we can conclude, in either case, there exists a corresponding Statecharts transition for , which yields and holds.
The following theorem shows the soundness of the mapping function.
Theorem 2 (Soundness). The mapping function in Definition 1 transforms any Statecharts specification into a Verilog program with the same observable behaviour as the original chart.
Proof In addition to the results from Theorem 1, we need to show that, given a statechart and its image in Verilog, any possible pair of their corresponding steps (a statechart transition and a Verilog transition), starting from the same context environment(the same and in the corresponding configurations), consume the same set of events, generate the same set of events, and bring the updates of data state into accord. These follow directly from the construction of the mapping function .
Discussion and Related Work
In our co-specification process, we conduct the partitioning task after a Verilog behaviour specification has been generated from the higher level system description in Statecharts. We use this approach because the semantics of Verilog has been well investigated and a collection of algebraic laws ( [7] ) can be used as the fundamental support of the partitioning algorithm. In contrast, most work on Statecharts' semantics focuses on its operational rules since it has proved to be quite difficult to present a simple denotational model from which algebraic laws of Statecharts can be derived. Due to this difficulty, the partitioning problem is currently not addressed at the Statecharts level. Although it may seem unnatural to obtain a software specification in Verilog after partitioning, it is still reasonable in the sense that the behaviour subset of Verilog is very similar to C programming language and can be readily transformed into C code.
Due to the involvedness of formal semantics for Statecharts, there have been so many related works that we can hardly discuss all here. Some of them are presented in [6, 9, 11, 12, 14, 21] . Many of these works adopt the simpler synchronous model. The work in [6] takes into account a very large subset of Statecharts, but the semantics is neither compositional nor formal. In contrast, our operational semantics is formal, compositional and supports asynchronous model.
Although it is reported that Verilog has been widely used in industry (especially in United States) for years, its precise semantics has been ignored until recently. The results [8, 22, 23, 7] are all based on Gordon's interpretation on simulation cycles [3] . A simple operational semantics is given in [8] . Zhu, Bowen and He [22, 23] investigate the consistency between Verilog's operational and denotational semantics, while He [7] explores a program algebra for Verilog and its connection with both operational and denotational semantics.
Some of related works on connecting Statecharts with other formalisms are presented in [1, 2, 13, 19, 20, 18] . Beauvais et.al. [1] and Seshia et.al. [19] translate STATE-MATE Statecharts to synchronous languages Signal and Esterel respectively, aiming to use supporting tools provided in the target formalisms for formal verification purposes. However, all these translations are based on the informal semantics [6] lacking correctness proofs. The authors of [2, 13] transform variants of Statecharts into hierarchical timed automata and use tools (UPPAAL, SPIN) to model check Statecharts properties. Also, [20] based on the denotational semantics [9] aims to connect a subset of Statecharts with temporal logic FNLOG for theoretically proving Statecharts' properties. More recently, a translation from Statecharts to B/AMN is reported in [18] . However, no correctness issue has been addressed. In comparison, the translation from Statecharts to Verilog in this paper aims at code generation for system design. Our mapping function is constructed based on formal semantics for both the source and target formalisms and has been proven to be semantics-preserving.
Conclusion
This paper proposes a mapping function which transforms a high level specification in visual formalism Statecharts into a behaviour description in Verilog HDL. We explore a compositional operational semantics to Statecharts which contains many powerful features that Statecharts owns, but proved to be difficult to be combined into a uniform formalism. Based on this semantics and an operational semantics for Verilog, we show our mapping function provides as a semantic link between the two formalisms. Moreover, we combine this transformation process with our previous formal partitioning approach yielding a hardware/software co-specification process that can be automated. However, the translation from Statecharts to Verilog can also be used in pure hardware design. After translating into a behaviourial description in Verilog, existed Verilog synthesizer can be used to obtain low level descriptions, like netlists, for direct implementation in hardware (ASICs or FPGAs).
As an immediate future work, the obtained guarded choice specification should be transformed into simplified behaviourial description in Verilog using algebraic laws [7] . An implementation for this mapping from graphical descriptions in Statecharts to Verilog specifications is also being considered.
