Abstract Hardware/software co-specification is a critical phase in co-design. Our co-specification process starts with a high level graphical description in Statecharts and ends with an equivalent parallel composition of hardware and software descriptions in Verilog. In this paper, we first investigate the Statecharts formalism by providing it a formal syntax and a compositional operational semantics. Based on that, a semantics-preserving linking function is designed to compile specifications written in Statecharts into Verilog. The obtained Verilog specifications are then passed to a partitioning process to generate hardware and software subspecifications, where the correctness is guaranteed by algebraic laws of Verilog.
Introduction
The design of a complex control system is ideally decomposed into a progression of related phases. It starts with an investigation of properties and behaviours of the process evolving within its environment and an analysis of the requirement for its safety performance. From these is derived a specification of the electronic or program-centred components of the system. The process then may go through a series of design phases, ending in a program expressed in a high level language. After translation into a machine code of a chosen computer, it can be executed at high speed by electronic circuity. In order to achieve the time performance required by the customer, additional application-specific hardware devices may be needed to embed the computer into the system which it controls.
Classical circuit design methods resemble low level machine language programming methods. These methods may be adequate for small circuit design, but they are not adequate for circuits that perform complicated algorithms. Industry interests in the formal verification of embedded systems have been gaining ground since an error in a widely used hardware device can have adverse effect on the profits of the enterprise concerned. A method with great potential is to develop a useful collection of proven equations and other theorems to calculate, manipulate and transform a specification formula to the product.
Hardware/software co-design is a design technique which delivers computer systems comprising hardware and software components. A critical phase of the co-design process is the hardware/software co-specification, which starts from a high level system specification and ends with a pair of subspecifications representing respectively hardware and software. In our previous work [24, 25] , we proposed a formal partitioning algorithm which splits an Occam source program into hardware and software specifications. The partitioning correctness is verified using algebraic laws developed for Occam. One of the advantages of this approach is that it ensures the correctness of the partitioning process. Moreover, it optimizes the underlying target architecture, and facilitates the reuse of hardware devices.
In this paper, we first bridge the gap between the high level specification in Statecharts and the Verilog source program by defining a mapping function between the two formalisms; we then present an algebraic hardware/software partitioning process in Verilog. The overall co-specification process can thus be automated, as illustrated in Fig. 1 . We have made the following key contributions:
-We propose a formal operational semantics for a subset of Statecharts with data states, which adopts an asynchronous model and supports true concurrency. -We define a formal mapping function which transforms a specification in Statecharts into a program in Verilog. We show that the target program after mapping preserves the semantics of the source specification. This mapping is taken as the front end of our hardware/software co-specification process. -We design a collection of formal rules to partition the above-obtained Verilog specification into hardware and software subspecifications. All the rules are proved correct based on the algebraic semantics of Verilog.
The remainder of this paper is organized as follows. Section 2 gives a formal (text-based) syntax for Statecharts with data states and proposes a compositional operational semantics for it afterwards. Section 3 introduces a subset of Verilog for behaviourial specification. An operational semantics and an algebraic semantics are presented. We build a mapping function from Statecharts into Verilog and prove that it is a homomorphism between the two formalisms in Sect. 4 . Section 5 presents our hardware/software partitioning process, where the partitioning strategy and formal partitioning rules are depicted. Related work together with a simple conclusion follow in the last section.
Operational semantics for Statecharts
The graphical language of Statecharts as proposed by Harel [6] is suitable for the specification and modelling of reactive systems. While the (graphical) syntax of the language was formulated quite early, the definition of its formal semantics proved to be more difficult than originally expected. As discussed in [23] , these difficulties may be explained as resulting from several requirements that seem to be desirable in a specification language for reactive systems but yet conflict with one another in some interpretations. This may be why there exist more than 20 variants of Statecharts [2] , each of which can be regarded as a subset of the originally expected language. The version discussed in [8] for STATEMATE is rather large and powerful; however, the operational semantics is neither formal nor compositional. The work presented in [19] provides a compositional semantics for Statecharts but does not contain data states. Hooman et al. [16] propose a denotational semantics based on histories of computation. Following this line, [30] attempts to link the denotational semantics of Statecharts with temporal logic so as to support formal verification. All these works adopt a synchronous model of time, which is simpler to understand and formalize, but less powerful than the asynchronous model.
Our version of Statecharts involves data items. The model we adopt is the asynchronous model, which is more powerful for specifying and modelling complex systems. Our formal operational semantics comprises the following features.
-It is compositional, which implies that interlevel transitions and state references have been dropped. The history mechanism has also been ignored. -It adopts an asynchronous time model, in which a macrostep (comprising a sequence of microsteps) occurs instantaneously. This model supports the perfect synchrony hypothesis and also supports state refinement in top-down design. -It reflects the causality of events.
-To be more intuitive, our semantics obeys local consistency rather than global consistency. That is, the absence of an event may lead to itself directly or indirectly in the same macrostep. -Instantaneous states are allowed, but no state can be entered two or more times at the same time instant. 1 -It covers the data-state issues of Statecharts, allowing assignments in state transitions. -It supports true concurrency.
In this paper, time-out events are not included, and this aspect is left as future work.
In what follows we give a formal syntax for Statecharts and then thoroughly investigate its operational semantics.
A formal syntax of Statecharts
Quoting from [7] In order to formalize the syntax of Statecharts, we introduce the following notations.
S: a set of names used to denote statecharts which is large enough to prevent name conflicts.
e : the set of all abstract events (signals). We also introduce another set e to denote the set of negated counterparts of events in e , i.e. e = d f {e | e ∈ e }, where e denotes the negated counterpart of event e, and we assume e = e. a : the set of all assignment actions of the form v = exp. σ : Var → Val is the valuation function for variables, where Var is the set of all variables and Val is the set of all possible values for variables. A snapshot for variablesv is σ (v) .
T : the set of transitions, which is a subset of S ×2 e ∪ e × 2 e ∪ a ×B e ×S, where B e is the set of Boolean expressions.
Similar to [19, 20] , we give a term-based syntax for Statecharts. The set SC of Statecharts terms is constructed by the following inductively defined functions. 
Operational transition rules
The configuration of computation is defined by a triple p, σ, E in , where -p is the syntax of the statechart of interest, -σ gives the snapshot of data items, and -E in denotes the current environment of active events.
The behaviour of a statechart is composed of a sequence of macrosteps, each of which comprises a sequence of microsteps. A statechart may react to any stimulus from the environment at the beginning of each macrostep by performing some enabled transitions and generating some events. This may fire other state transitions and lead to a chain of microsteps without advancing time. During this chain of microsteps, the statechart does not respond to any potential external stimulus. When no more internal transitions are enabled, the clock-tick transition will occur by emptying the set of active events and advancing time by one unit.
We explore a set of transition rules comprising state transitions and time-advance transitions.
At any circumstance, what a basic statechart can do is to advance time by a clock tick:
If a transition between two immediate substates of an Orstatechart is enabled and the transition condition is true in the current circumstance, it can be performed:
where src(τ ) and tgt(τ ) denote, respectively, the source and target state of transition τ . a e (τ ) ⊆ represents all events generated by transition τ , whereas a a (τ ) denotes a single assignment action v = ex generated by τ . No loss in generality since a sequence of instantaneous assignment statements can be transformed into a single one. This changes the data state from σ to σ = σ ⊕ {v → σ (ex)}.
En( p, E) comprises all transitions among substates of p being enabled by events in E. It can be generated by the following definition:
where trig + (τ ) and trig − (τ ) represent, respectively, the positive events and the negated events from τ .
The function a2d( p) changes the active substate of p into its default substate, and the same change is applied to its new active substate:
Discussion:
In rule 2, those events which are used to trigger τ are consumed by τ and will no longer exist. This mechanism looks intuitive and reasonable and can help to prevent incorrect looping. Consider an example given in Fig. 2a . When the first event e from the environment comes, the transition τ 1 is performed and the active substate is migrated from p 1 to p 2 . This will not move back to p 1 until the next event e occurs, as under normal expectations. Earlier work [23] suggests a different treatment, where active events are kept active during all microsteps in a macrostep, where they may be reused many times.
The transitions in Statecharts are considered hierarchically. If no transitions among immediate substates of an Orstatechart are enabled, an enabled (inner) transition for the active substate may be performed instead. This consideration is carried out inductively as highlighted in rule 3:
If no transition is enabled for an Or-statechart, time advances:
The premise indicates that no transitions in p can be triggered by E. The set of transitions that are enabled at multiple levels is defined as follows:
For an And-statechart, variables are shared by all orthogonal components. However, each variable can only be modified by one component. We use WVar( p) to denote the set of variables that can be modified by a statechart p.
It is natural and intuitive to accept that several transitions allocated in orthogonal components may be fired simultaneously. This implies that they can be performed in a truly concurrent way. However, we have to write the transition rule for parallel charts carefully. Let us look at the statechart in Fig. 2b . Suppose the external stimulus is E = {a, b, c}, which will fire both τ 3 and τ 4 at the same moment. Under rule 2, performing either of them will prevent another from happening since the common event b is consumed by the performed transition. This contradicts the above intuitive explanation.
We propose a more reasonable way by which simultaneously enabled transitions are allowed to occur concurrently within And-charts. In the following rule, we suppose 
In this rule, the overall transition that the And-chart p performs involves several simultaneously enabled transitions
A time-advance transition will take place if all orthogonal components agree to do so.
Verilog and its formal semantics
Hardware description languages (HDLs) are widely used to express designs at various levels of abstraction in modern hardware design. A HDL typically contains a high level subset for behaviour description, with the usual programming constructs such as assignments, conditionals, guarded choices and iterations. It also has appropriate extensions for real-time, concurrency and data structures for modelling hardware. VHDL and Verilog [17] are two contemporary HDLs that have been used for years, where Verilog HDL has been standardized and widely adopted in industry [17] . Verilog programs can exhibit a rich variety of behaviours, including event-driven computation and shared-variable concurrency. In our hardware/software partitioning process, the non-trivial subset of Verilog we adopt contains the following categories of syntactic elements.
1. A Verilog program can be a sequential process or a program paralleled by several sequential processes, with or without local variable declaration.
2. A sequential process in Verilog can take any of the following forms.
where
| ↓ v (value falling) | e (a set of abstract events).
To facilitate algebraic reasoning, the language is enriched with
and -a non-deterministic choice P Q.
Although it is reported that Verilog has been much more widely used in industry than VHDL [4] , the formal semantics of Verilog has not been fully studied. Gordon [5] tries to relate the event semantics of Verilog to its trace semantics. He and Zhu [14, 34] explore an operational and a denotational semantics for Verilog and investigate some algebraic laws from them. Zhu et al. [33, 32, 35 ] establish a formal consistency between the two above-mentioned presentations. Iyoda and He [18] successfully apply simple algebraic laws of Verilog to the hardware synthesis process. In [9] , He explores a collection of algebraic laws for Verilog by which a wellformed Verilog program can be transformed into head normal forms. In what follows, we first present an operational semantics for the subset of Verilog that we adopt and then explore some algebraic laws for it. The operational semantics will be used to build the formal link between Statecharts and Verilog, while the algebraic semantics will play a fundamental role in our hardware/software partitioning process. The discussion on the consistency between the operational and algebraic semantics is beyond the scope of this paper; readers can refer to [31] for a detailed discussion on unifying different semantics.
Operational semantics
The subset of Verilog we adopt is quite similar to that proposed by He [9] . However, there are some different treatments between our version and that in [9] . We include explicitly the possible context environment of active events in our configuration and change the operational rules for the parallel constructs. This facilitates the semantic mapping from Statecharts into Verilog and does not change the observable behaviour of a program.
In our operational semantics of Verilog, transitions are of the form S l −→ S . The configuration S describes the state of an executing mechanism of Verilog programs together with the environment of active events before an action l, whereas S describes that immediately after. They are identified as triples P, σ, E , where -P is a program text, representing the rest of the program that remains to be executed;
-σ : Var → Val records the data state; -E is the current set of active events.
A label l denotes a transition from state S to S . It can be a clock-tick event √ or a compositional event possibly with three conjunctive parts: b&g i &g o representing the enabling condition, the set of events consumed, and the set of events generated respectively. Now we present a critical subset of transition rules which are relevant to our transformation from Statecharts into Verilog.
The primitive sink can do nothing but advance time by a clock tick:
The guarded choice construct
can take a guarded transition if that guard is enabled:
, where E g i indicates that the input guard g i is enabled by E. This is defined as
Also, e c (g i ) extracts all "positive" events from the input guard g i (to be consumed when enabling the guard), i.e.
and e g (g o ) records the set of events generated by the output guard g o . Given an output guard g o =→ e&@(x = v), the generated events are
If no guard is enabled, the clock tick can be performed:
where P is the same as P if no time delay guards (#1) appear in P. Otherwise, it is the guarded choice obtained from P by eliminating all time delay guards. A parallel construct of guarded choices P is of the form G 1 · · · G n , where
This can be transformed into a guarded choice construct by algebraic laws [9] . Here, we give the transition rules for the parallel construct directly. It can perform a (compositional) guarded transition if some threads agree, where i 1 , . . . , i n denotes a permutation of 1, . . . , n:
and
If no threads can take a guarded transition, then the clocktick event can take place, as follows:
Note that P is the same as P if no time-delay guards (#n) appear in P. Otherwise, it is the guarded choice obtained from P by reducing all time-delay guards by 1 [from #n to #(n − 1), or eliminating it if n = 1].
A sink thread does not block the behaviour of its partners.
Algebraic laws
We discuss the algebraic semantics of Verilog in this section, which will be useful in later discussions. Before presenting the algebraic laws, we define a triggering predicate as follows.
Definition 1
Given an event control eg, we define those simple events that enable eg as follows:
Given an output event → η, and an event control eg, we adopt a triggering predicate, denoted as η Y eg, to describe the condition under which the former enables the latter:
and adopt the predicate, η Y eg, to denote the condition when the former cannot trigger the latter:
By this definition, we can define the well-formedness of guarded choice constructs: Definition 2 A guarded choice [] i∈I g i P i is well-formed if and only if all its input guards are disjoint, i.e. for any input guards g k , g l from {g i | i ∈ I }, if tr(g k ) ∩ tr(g l ) = ∅, then g k = g l , and P k and P l are exactly the same process.
All guarded choice constructs are well-formed in later discussions. Now, we explore a collection of useful algebraic laws for Verilog programs.
Successive assignments to the same variable can be combined to a single one:
In an assignment to a list of variables, the order of variables is irrelative.
Variables not occurring on the left side of an assignment remain unchanged during the assignment.
skip does not change the value of any variable.
Sequential composition is associative and has left zero ⊥. It distributes backward over conditional, internal and external choices.
By the following law, we can transform a sequential composition of an output event and a guarded choice into a guarded process (g P), where output guard g will no longer fire guards of P. (seq-6) Let S = [] i∈I (g i P i ), and g is the disjunction of all input guards of S.
For a general guarded choice G, we can also transform it by this law into a guarded choice [] i∈I (g i P i ), where no output guard in {g i | i ∈ I } will enable any guards of the process following it. Without loss of generality, from now on, we assume all guarded choices meet this property.
Assignments distribute forward over conditionals.
Iteration is subject to the fixed-point theorem.
Non-deterministic choices are idempotent, symmetric and associative.
(nond-1)
A parallel operator is symmetric and associative and has ⊥ as zero.
Local variable declaration enjoys the following laws.
We will denote var x • var y • · · · • var z as var x, y, . . . , z.
The following is a set of expansion laws which enables us to convert a parallel process into a guarded choice. We assume that
where all g i and h j are input guards (like η); all e v k and e u l are respectively output events with respect to variables v k and
(par-7) An assignment thread is involved.
The parallel operator is disjunctive.
In some special cases, the parallel operator distributes over a conditional.
(
provided guards in G are either event controls with respect to variables in {v 1 , . . . , v n } or time-delay guards. Time-delay guards are involved in the following law.
The guarded choice is idempotent, symmetric and associative.
(guard-1)
The construct always S executes S forever.
(always-1) always S = S; always S Note that skip is not a left zero of sequential composition in general cases, because it might filter some signal. Hereby, the following in-equation is obvious:
The following definition will capture those cases where skip is a left zero of sequential composition.
Definition 3 (Event control insensitive)
A process P is event control insensitive if ski p; P = P.
Proposition 1
The following processes are event control insensitive. From those basic algebraic laws mentioned above, we investigate the following lemma, which will be very useful in later discussions.
Lemma 1 Let
and suppose sequential programs P 1 , P 2 , Q 1 are event control insensitive and variables u and v do not occur in P 1 or Q 1 ; then
Proof The proof is given in the appendix.
We introduce an ordering relation between programs before further investigation. Definition 4 (Refinement) Let P, Q be Verilog processes employing the same set of variables. We say Q is a refinement of P, denoted as P Q, if P Q = P is algebraically provable.
Mapping Statecharts into Verilog
In this section, we build a link between Statecharts and Verilog, by which a statechart description can be mapped to its corresponding Verilog program. We show such a mapping preserves the semantics and can be conducted in a compositional manner.
Mapping function
Before constructing the mapping function called L, we address some subtle issues and introduce some notations. There exist two features which complicate the definition of L on an Or-chart. One is the hierarchical feature of Statecharts and the priority of transitions, whereas the stems from the fact that an And-chart can be a subchart of an Or-chart. This feature differentiates Statecharts from conventional programming languages. The former indicates that transitions in an outer level (rule 2) has higher priority than those in an inner level (rule 3). The possible transitions are considered hierarchically, starting from the current active state and progressing into inner active substates where applicable. By enumerating these transitions in accordance with the hierarchy, we can cope with the different priorities for transitions occurring in distinct levels.
To deal with the above features, we prepare the following formal notations. We first give a function or-depth : SC → N to calculate the "or-depth" of a statechart, which is defined as follows: The or-depth of an Or-chart just records the deepness of the path transitively along its active Or-substates. We stop going further once an And-state is encountered. The or-depth of an And-chart is simply 1.
Secondly, we extend some notations from Or-charts to And-charts. p 1 ), . . . , active( p n )) . We use T (c) to denote all possible (perhaps compositional) transitions of the And-chart c. Given , and i 1 , . . . , i n is a permutation of 1, . . . , n, we define its source state and target state respectively as follows: 2 src
Thirdly, we need to know the resulting statechart after a transition is taken. When a transition τ occurs, any involved statechart can have changes in its (transitive) active substates. We use a function resc : T × SC → SC to return the modified statechart after performing a transition in a statechart. It is defined inductively with regard to the type of the statechart. 
-For an And-chart c = |[s : {p 1 , . . . , p n }]|, and a transition τ ,
The definition of L is split into three cases in accordance with the type of the source statechart. 
structed by Or, we define L by exhaustively figuring out the first possible transitions of c if any; otherwise it sinks.
where is the overall action performed by τ k , which has the form →e&@(x = v), where e comprises all abstract events out of a e (τ k ), and the assignment action x = v is from a a (τ k ).
For each statechart, we always assume each of its variables has a bounded range and the set of possible events is finite, which implies that the set of its configurations is finite. Therefore, the set of configurations (under transition relation) forms a well-founded quasi order, which indicates the mapping function L is terminating.
The following example deals with the transformation of statecharts in Fig. 2 . Fig. 2 can be described as p:
Example 1 Statechart (a) in
After applying the mapping function L onto it, statechart (a) becomes the following process: µX • (e (e X)), which just waits to be fired by an event e from the environment.
Statechart (b) can be described as q: It is mapped into the following parallel construct:
where the two parallel processes are mapped from q 1 and q 2 respectively.
Example 2
The statechart in Fig. 3 is more complicated than those in Fig. 2 
After applying L to it, we obtain the following recursive process:
Let us illustrate a more practical example: a simple remote controller for an air conditioner. Fig. 4 . It is composed of five orthogonal components: Fan, Temperature, Timer, TempDisplay, and TimerDisplay. They will be respectively mapped to Verilog programs pFan, pTemperature, pTimer, pTempDisplay, and pTimerDisplay.
After applying the mapping function L to the statechart in Fig. 4 , we obtain the following target program pon:
pTimer pTempDisplay pTimerDisplay.
The five component programs are respectively
Correctness
The following theorem shows that the mapping function from Statecharts into Verilog is a homomorphism between the two formalisms. Fig. 5 .
Theorem 1 (Homomorphism) Given any statechart C and any of its possible transitions τ which leads to statechart C , there exists a Verilog transition l for L(C) which arrives at P , such that P = L(C ); on the other hand, for any Verilog transition of L(C) leading to P , there exists a transition in Statecharts from C to C , such that L(C ) = P , as illustrated in
Proof By case analysis on the type of C.
C = |[s]| is constructed by Basic.
What C can do is perform the clock tick and remain as C after the transition. On the other hand, from Definition 5 we know L(C) = sink, which just performs the clock tick and remains as sink after that.
In the case where T * (C) = ∅, it can be proved similar to the first case. Now suppose T * (C) = ∅; C can (1) perform a transition τ ∈ T (active k (C)) for some k ≥ 0 if not all transitions of the outer levels (if any) are available, which changes the active substate of active k (C) from its source state to its target state and results in resc(τ, C); (2) otherwise, it can take a clock tick and remain in its From Definition 5 we know . . , τ m respectively in the current environment, whereas others cannot. From the operational semantics of parallel constructs of Verilog, a parallel transition corresponding to τ can take place, and after the transition the program becomes
Given any possible transition τ ∈ T (C), we assume
This exactly agrees with L(resc(τ, C)).
The case for a clock-tick transition is trivial. The second part is also straightforward, since any transition of the resulting parallel construct L(C) in Verilog either involves several threads or a single thread. From the definition of L we can conclude, in either case, that there exists a corresponding Statechart transition for C, which yields C , and L(C ) = P holds.
The following theorem shows the soundness of the mapping function.
Theorem 2 (Soundness) The mapping function L in Definition 5 transforms any specification in Statecharts into a Verilog program with the same observable behaviour as the original chart.
Proof In addition to the results from Theorem 1, we need to show that, given a statechart C and its image L(C) in Verilog, any possible pair of their corresponding steps (a Statechart transition and a Verilog transition), starting from the same execution environment (the same σ and E in the corresponding configurations), consume the same set of events, generate the same set of events, and bring the updates of data state into accord. These follow directly from the construction of the mapping function L.
Hardware/software partitioning

Partitioning strategy
This section introduces our hardware/software partitioning strategy, which can be described in four steps (Fig. 6 ).
-Before performing the partitioning process, the programmer either (1) directly codes the kernel specification for the system in our source language (a sequential subset of Verilog which will be explained in detail in the next section) or (2) designs the kernel specification using Statecharts and passes it to the mapping function to generate the Verilog description. -Then, assisted by program analysis techniques (discussed in [25] ), the programmer carries out the hardware/software allocation task, i.e. marks out those parts that should be implemented by hardware and divides the variables employed by the kernel specification into two disjoint sets. -Our hardware/software partitioning algorithm will take such a marked program as input and deliver as output the corresponding hardware and software kernel specifications. In this step, we design and prove a collection of syntax-based splitting rules, which ensure the correctness of the partitioning process and make automated partitioning possible. -Finally, hardware/software partitioning results for the whole environment-driven system are derived from the results in the third step.
We have proposed an algebraic approach to hardware/ software partitioning, which ensures the correctness of the hardware/software partitioning process and facilitates the automatic partitioning.
In what follows, we will first investigate our partitioning framework and then explore the algebraic partitioning rules.
Hardware/software partitioning framework
In this section, we introduce our hardware/software partitioning framework. We depict source language and investigate the underlying target hardware-software architectures. 
The source language
The source language we adopt is a sequential subset of Verilog. For clarity, we list the syntax as below.
The assignment statement with time constraint (v := e) n does not appear explicitly in Verilog's syntax introduced in Sect. 3, but it is in fact a well-formed Verilog program since
Moreover, the block notation in S has no semantical meanings. Based on the customer's requirements, the programmer can work out the Statecharts specification and pass it to the mapping function. A Verilog specification in the above source language is then generated and will be taken as the input for the partitioning process. Alternatively, the programmer can also describe directly the kernel specification for the system to be designed in the above source language if he/she is more familiar with Verilog than Statecharts. After appropriate hardware/software marking and allocation, a marked source program is then passed to the partitioning process.
Underlying target architecture
The underlying target hardware and software components from the kernel specification will have specially chosen forms. We adopt an event-trigger mechanism to synchronize behaviours between hardware and software and use a sharedvariable mechanism to cope with interactions between hardware and software.
The kernel part of the software specification is a member of C P(r, a), a subset of Verilog programs, which is constructed by the following inductive rules.
1. An event-control-insensitive process not containing variables r, a; 2. → η r ; C; η a , where C is a member of C P(r, a) not mentioning r, a;
We introduce another set C P ε (r, a) comprising those processes in C P(r, a) not mentioning variable ε.
As mentioned in the last section, our splitting task is divided into two steps. Firstly, we design a collection of algebraic rules to refine any source program S (the kernel specification for the system) to its hardware/software decomposition
where the software component C 0 is of the form (C; →η ε ), C is a member of C P ε (r, a), the special event → η ε is adopted for the purpose of synchronization between hardware and software, and the hardware component D 0 is subject to the following equation:
is a case construct not containing r, a, ε.
We denote as D P ε (r, a) the set of processes with the same form as D 0 .
To avoid any possible loss of signals at the moment when the fixed-point construct (equation) is expanded, we naturally claim that an abstract event only takes place at the moment when there are no other active events.
Secondly, given the kernel specification S of a system, rather than considering its hardware/software partition, we deal with the decomposition for the whole system's specification:
which is driven by the environmental process The software component has the form
where C is a process from C P (r, a) ; the hardware component D is of the form
We denote by D P(r, a) the set of processes of the same form as D.
The following theorem ensures the synchronized termination between the kernel hardware and software specifications.
Theorem 3 We have
Proof By structural induction on C 1 .
Case 1 C 1 is event control insensitive and does not mention r or a.
(1.1) C 1 is an atomic command. C 1 = ⊥, the proof is trivial. C 1 = tg, where tg is @(x := e) or → η x or #n,
(1.6.1) S 1 is a non-deterministic choice or conditional or guarded choice construct. We can respectively convert C 1 to a non-deterministic choice or conditional or a guarded choice construct by Laws (seq-3), (seq-5) and (seq-4), which are the cases we have dealt with in (1.2), (1.3) and (1.4). (1.6.2) S 1 is an atomic command. It is trivial when S 1 is ⊥. We only demonstrate the proof when S 1 is a timing guard tg.
The following corollary is directly from Theorem 3.
Corollary 1 Given C ∈ C P ε (r, a) and D
0 ∈ D P ε (r, a), we have (b * C; →η ε ) D 0 = b * ((C; →η ε ) D 0 )
Hardware/software partitioning
This section specifies our hardware/software partitioning process in detail. As mentioned in Sect. 5.1, the task is divided into two steps: hardware/software partitioning for kernel specification and decomposition of the whole system's specification. The process will be investigated in detail in the following two subsections.
Syntax-based splitting rules for kernel specification
This subsection is meant to illustrate the design of program partitioning rules. We explore a set of splitting rules which demonstrate how to construct the hardware and software components of a program construct from those of its constituents. Meanwhile, we show how to split atomic commands.
We introduce a predicate Split which plays a vital role in formalizing the splitting rules.
Definition 6 (Split) Let V = {r, a, ε, id}. Given a program S in the source language, its hardware/software partition ((C; →η ε ), D 0 ) is specified by the following predicate:
where OccVar(P) denotes the set of variables occurring in the program P.
We design two sets of syntax-based splitting rules in two different styles: the bottom-up style and the top-down style. The programmer can choose either of them to conduct hardware/software partitioning.
Bottom-up splitting rules The bottom-up approach builds the hardware component from a marked program in one step before partitioning, i.e. all services the hardware should provide are integrated at the beginning. However, it constructs the software component from those of its constituents using the following rules.
Bottom-up rule for sequential composition
.
Bottom-up rule for conditional
Bottom-up rule for non-deterministic choice
Bottom-up rule for guarded choice
Bottom-up rule for iteration
The top-down splitting rules In the top-down style, both the hardware and software components of the source program are integrated from those of its constituents.
Before investigating the top-down splitting rules, we introduce the notion of mergable on hardware components from D P ε (r, a).
Definition 7 Let
), for i = 1, 2, D 1 and D 2 are said to be mergable, denoted by
In such a case, we define
where 
}.
Firstly, we present a basic rule for hardware augmentation, from which and the bottom-up rules in the former section we directly obtain the corresponding top-down rules in all cases. Rule for hardware augmentation
Proof The proof can be found in the appendix.
The following top-down splitting rules are then straightforward based on the corresponding bottom-up rules and the rule for hardware augmentation above. D 2 ) ) . D 2 ) ) . D 2 ) ) . D 2 ) ) .
Top-down rule for sequential composition
Split V (S i , C i , D i ) V ar(S 1 ) = V ar(S 2 ) mergable(D 1 , D 2 ) Split V (S 1 ; S 2 , C 1 ; C 2 , int (D 1 ,
Top-down rule for conditional
Split V (S i , C i , D i ) V ar(S 1 ) = V ar(S 2 ) mergable(D 1 , D 2 ) Split V (S 1 ¡ b £ S 2 , C 1 ¡ b £ C 2 , int (D 1 ,
Top-down rule for non-deterministic choice
Split V (S i , C i , D i ) V ar(S 1 ) = V ar(S 2 ) mergable(D 1 , D 2 ) Split V (S 1 S 2 , C 1 C 2 , int (D 1 ,
Top-down rule for guarded choice
The top-down rule for iteration has the exact same form as its bottom-up rule. Splitting atomic commands The details for specific blocks' partitioning are similar to discussions in [25] .
For the timed assignment (v := f (x, c)) n , we concentrate only on the cases where both the hardware and software participate in the update of v.
Case 1 f is a busy function, and x is allocated to hardware.
Case 2 f is a busy function, but x is allocated to software. Split B (S = ((v := f (x, c)) := f (lx, c) 
Case 3 f is not a busy function, but x is allocated to hardware.
Deriving hardware/software partition for an environment-driven system
Now we investigate hardware/software partitioning for the whole system. The partitioning process is illustrated in Fig. 7 .
As discussed in Sect. 5.2, suppose the whole system is specified by
which is driven by environmental process
where S is the kernel specification for the system to be designed, η s is the start signal, and η f is the end signal.
For a kernel specification S, suppose we have obtained its hardware/software decomposition as follows by applying the rules in Sect. 5.3.1: 
Related work
Statecharts semantics Due to the involvedness of formal semantics for Statecharts, there have been so many related works that we can hardly discuss them all here. Some of them are presented in [2, 8, 16, 19, 20, 23] . Many of these works adopt the simpler synchronous model. The work in [8] takes into account a very large subset of Statecharts, but the semantics is neither compositional nor formal. In contrast, our operational semantics is formal and compositional and supports asynchronous model. Verilog semantics Although it is reported that Verilog has been widely used in industry (especially in the United States) for years, its precise semantics has been ignored until recently. The results [13, 33, 35, 9] are all based on Gordon's interpretation of simulation cycles [4] . A simple operational semantics is given in [13] . Zhu et al. [33, 35] investigate the consistency between Verilog's operational and denotational semantics, while He [9] explores a program algebra for Verilog and its connection with both operational and denotational semantics. Most recently, Zhu [31] has provided a more complete investigation on unifying different semantic models for Verilog-like languages. Linking Statecharts with other formalisms Some related works on connecting Statecharts with other formalisms are presented in [1, 3, 21, 28, 30, 27] . Beauvais et al. [1] and Seshia et al. [28] translate STATEMATE statecharts to synchronous languages Signal and Esterel respectively, aiming to use supporting tools provided in the target formalisms for formal verification purposes. However, all these translations are based on the informal semantics [8] lacking correctness proofs. The authors of [3, 21] transform variants of Statecharts into hierarchical timed automata and use tools (UP-PAAL, SPIN) to model check Statechart properties. Also, [30] , based on the denotational semantics [16] , aims to connect a subset of Statecharts with temporal logic FNLOG to theoretically prove Statecharts' properties. More recently, a translation from statecharts to B/AMN is reported in [27] . However, no correctness issues have been addressed. In comparison, the translation from Statecharts to Verilog in this paper aims at code generation for system design. Our mapping function is constructed based on formal semantics for both the source and target formalisms and has been proven to be semantics preserving. Algebraic approach to hardware/software partitioning The algebraic approach advocated in this paper to verify the correctness of the partitioning process has been successfully employed in the ProCoS project. The original ProCoS project [12] concentrated almost exclusively on the verification of standard compilers of a high-level programming language based on Occam down to a microprocessor based on Transputer [11] . Sampaio showed how to reduce the compiler design task to program transformation [26] . Towards the end of the first phase of the project, Page and Luk [22] made rapid progress in the development of hardware compilation techniques using an Occam-like language targeted at FPGAs, and He et al. provided a formal verification of the hardware compilation scheme within the algebra of Occam programs [10] . Some works have suggested the use of formal methods for the partitioning process [25, 29] . In [29] , Silva et al. provide a formal strategy for carrying out the splitting phase automatically and present an algebraic proof for its correctness. However, the splitting phase delivers a large number of simple processes and leaves the hard task of clustering these processes into hardware and software components to the clustering phase and the joining phase. Furthermore, additional channels and local variables introduced in the splitting phase increase the data flow between hardware and software components. In our former work [25] , an algebraic approach was proposed to partition a specification into hardware and software in one step as well as verify the correctness of the partition process. However, that approach is based on algebraic laws of the high-level communicating language Occam, which leaves a rather long distance to go in the hardware/software co-synthesis phase. In this paper, the distance has been shortened by adopting Verilog as the language.
Conclusion
In this paper we present a formal approach to hardware/ software co-specification, starting with the Statechart visual formalism. We have made the following main contributions.
-Compositional operational semantics for Statecharts. We have explored a compositional operational semantics to Statecharts which contains many powerful features that Statecharts owns but proved to be difficult to be combined into a uniform formalism. -A semantics-preserving linking between Statecharts and Verilog. We have defined a syntax-directed function to map statecharts to Verilog programs. Based on the operational semantics for Statecharts and Verilog, we have proved the linking function is a semantics-preserving homomorphism. -An algebraic approach to hardware/software partitioning in Verilog. We have worked out a collection of formal rules to split a specification (in Verilog) into hardware and software subspecifications. The partitioning process has been proved sound using Verilog algebra. We adopt a sequential imperative subset of Verilog as our source language and allow it to contain time constraints so as to describe timing specifications. We confine target hardware and software specifications in specially chosen subsets of Verilog and use Verilog's event-trigger mechanism to synchronize behaviours between them. Communications between hardware and software are based on Verilog's shared-variable mechanism, which will facilitate the subsequent hardware/software co-synthesis and make it possible to adopt bus techniques to implement interactions between hardware and software. Moreover, this paper not only develops a collection of splitting rules to partition a source program into hardware and software components but also discusses a method of hardware/software partitioning for the whole system which takes the source program as its kernel specification. The system is specified by Verilog's always constructs, and its execution is driven by an environment process. Such systems are pervasive in our daily lives, e.g. embedded systems. Developing a partitioning rule for such systems will be very helpful for us in investigating the correctness-preserved design of embedded systems.
{(seq-5)} = RHS. For n ≥ 0 we define 3. By structural induction on P 1 . (3.1) P 1 is an atomic command. The proof can be done by a structural induction on Q 1 . Similar to the proof of (2). Then, apply structural induction on Q 1 . The proof is similar to the proof in (2). (3.5) P 1 = b * S. Let
For n ≥ 0 we define 11 ). By laws (seq-3) (seq-5), and (seq-4), we can convert P 1 to non-deterministic choice, conditional, guarded choice, respectively. The proof then follows from (3.2)-(3.4). (3.6.2) S 1 is an atomic command. It is obvious when S 1 is ⊥ or stop. For the case S 1 = tg, the proof follows from a structural induction on Q 1 . The proof is similar to that in (2) . For n ≥ 0, we define 
