A compositional model for synchronous VLSI systems by Gopalakrishnan, Ganesh

A Compositional Model for Synchronous VLSI Systems 
Ganesh C. Gopalakrishnan
Department of Computer Science, Univ. of Utah, Salt Lake City, Utah 84112 
(801) 581-3568; ganeshOcs.utah.edu
September 9, 1987
C o n t e n t s  •
1 Introduction 1
2 Illustration of HOP • 3
2.1 An XO R  g a te ..........................................................................................................................................................  3
2.2 A Two-phase Clocked Master-slave Flip-flop.....................................................................................................  5
2.3 A Two Bit Maximal Length Sequence (MLS) C o u n te r ..................................................................................  5
2.3.1 Expressing the MLS Counter as a Process R ea liza tion ...................................................................... 6
2.3.2 Lisp Representations of HOP Specifications........................................................................................  7
3 Overview of the Semantic Basis of HOP and PARCOMP 7
4 Illustration of PARCOMP 8
4.1 Illustration of PARCOMP on the MLS Counter............................................................................................... 8
4.2 Results of the Run from Our Im plem entation.................................................................................................. 9
4.3 Statically Detecting Synchronization F a ilu res .................................................................................................. 9
5 Work in Progress 9
A Appendix 12
A .l The Abstract Syntax of H O P ..............................................................................................................................  12
A.2 The Formal Operational Semantics of H O P .....................................................................................................  12
A.3 The Computational Model Underlying H O P .....................................................................................................  15
A.4 The Parallel Composition A lgorithm .................................................................................................................. 15
A.5 Some Details of Work in Progress........................................................................................................................ 17
A.5.1 Symbolic S im ulation .................................................................................................................................  17
A.6 Lisp Representations of HOP Specifications.....................................................................................................  17
A.7 One More Example: A S t a c k ..............................................................................................................................  20
A.8 A Pipelined Stack C on tro lle r ..............................................................................................................................  20
L i s t  o f  F i g u r e s
1 The Absproc Specification of an XOR G a t e .....................................................................................................  3
2 The HOP Processes XOR, MUX, FF, CTRLR and M L S ...............................................................................  4
3 The Circuit and Absproc Spec, of a Two-phase Clocked MS F F ................................................................... 5
4 An MLS Counter’s R ea liza tio n ...........................................................................................................................  6
5 A Realproc Specification of an MLS C o u n te r .................................................................................................. 6
6 A Tester Process for an MLS Counter, Expressed in H O P ............................................................................ 10
7 Parallel Composition of a MLS Counter and Its Tester..................................................................................  10
8 Abstract Syntax of HOP, with terminals in teletype f o n t ............................................................................  12
9 Definition of Action Product in HOP ..............................................................................................................  13
10 Operational Semantics of H O P ...........................................................................................................................  14
11 Use of Data Assertions........................................................................................................................................... 15

1 I n t r o d u c t i o n
Currently available hardware specification languages have two serious deficiencies: (i) inadequate 
protocol definition capabilities; (ii) lack of a compositional model. We now explain these in more 
detail.
1. Lack of an Interface Protocol Definition Capability: A concise and complete description of 
the usage protocols of modules cannot be stated in those hardware specification languages 
that we have come across. Some illustrative scenarios that aren’t adequately handled are: 
(i) “Consider a two-phase clocked register. The register can be requested to perform load 
during phase-a; during the same phase-a, the register’s output still reflects its old state (it is 
master/slave); during phase-b, it delivers a value equal to the loaded value” , (ii) “A domino 
logic stage provides valid output during a certain phase and this output is destroyed due to 
precharging during the next phase” . W ith these and other examples in mind, we make two 
specific observations:
(a) Events (such as control lines attaining certain combinations at certain phases, etc.) as 
well as synchronization skeletons/protocols are important notions in VLSI specification; 
however most hardware specification languages (e.g. [Bar8 l], [Cam84], [Joh84], [She85], 
[CGM86]) don’t support these notions well.
(b) Values delivered on data ports depend upon states as well as input values. It is desirable 
to be able to treat complex circuit modules encompassing large amounts of state—such 
as a stack or a CAM—as modules possessing a single high-level state at the modeling 
level as well, rather than insisting (e.g. as most of the above hardware specification 
languages do) that every storage unit be bared. Those languages that insist that every 
state and combinational unit be separated as well as bared have two shortcomings:
i. They provide very low-level “next state” and “output” equations (maybe in a func­
tional or logic style);
ii. Often such a separation is not satisfactory (a domino stage is a module with “stor­
age” but usually implements boolean functions).
Our solutions (elaborated later) are: For addressing point la, we have designed a language 
“HOP1” with emphasis on behavior and protocol specification; For point lb , we propose the 
use of abstract data types to model the states and port values resulting from them. In this 
way, we can write “state equations” as well as “output equations” in terms of larger and 
more meaningful state entities. Our past research ([GSS86], [GS87], [Gop86]) supports this 
observation, in addition to some large examples recently specified by us ([FTG88]).
2. Lack of an Underlying Compositional Model: A specification language L is defined to provide 
a compositional model for the circuits it describes if, for an associative and commutative (AC) 
circuit composition operator ‘o’ and an AC specification composition operator ‘||’ in L, and a 
mapping Beh that yields the syntactic behavioral description of a given circuit as expressed 
in L, and a suitable behavioral equivalence relation =:
Beh (Ci o C2) = ((Beh (Cj) | Beh (C2))
The availability of such a compositional model opens up several new ways of attacking familiar 
but hard VLSI design problems, as we show in this paper.
'Hardware viewed as Objects and Processes
1
In this paper,
11 . 1 We present a specification language called HOP that, we hope to show, provides an adequate (in 
terms of rigor and practical appeal) protocol and behavioral specification capability for specifying 
modern VLSI. HOP borrows many ideas from Milner’s Synchronous Calculus of Communicating 
Systems [Mil82]. We show that directly applying any of the existing Calculii of Communicating 
Systems (including SCCS) leads to problems in modeling communication through data busses. We 
introduce a new primitive for process interactions called data assertions to solve these problems.
HOP is vastly more simple than SCCS. HOP can describe only lockstep-synchronous circuits 
with deterministic behaviors under the conservative clocking [MC80] assumption. W ithin this 
framework, HOP boasts some new capabilities. Each HOP specification has two distinct sections: a 
timing protocol section written in a simple process specification notation, and a functional behavior 
section written in a first order functional programming language (that may use abstract data types). 
HOP specifications have so far proved to be easy and natural to write (and read) to us. Currently 
HOP is being used to specify an IC as complex as a Memory Management Unit that we are currently 
designing [FTG88].
12 . | We present an algorithm PARCOMP. W ith it, the above equation for compositionality becomes:
Beh (C io C 2) =  PARCOMP (Rep(o),Beh(C i),Beh(C 2 ))
where Rep maps the connectivity of the circuits to the equivalent representation (renamings and 
hidings as in CCS [Mil80]) used in HOP. Informally, PARCOMP statically computes a closed-form 
behavioral specification for an entire module from behavioral specifications of the submodules as 
well as their interconnections. The algorithm works by statically evaluating programs that use the 
operator | (our | is closest to CSP’s | used in [Hoa84, Chapter-2]). This static evaluation always 
terminates (for reasons shown later). This static evaluation also capitalizes on the event hidings (as 
in [Mil80]) to achieve a few orders of magnitude speed-up than a naive static evaluation that doesn’t. 
The resultant closed-form behavioral expressions present all producer/consumer relationships very 
abstracty and readably.
The main reason for achieving this abstraction is now illustrated. Suppose module M  is triggered 
by the controller to produce a value f (E )  on output port \p at tick t. Suppose module N  is triggered 
to consume a value x on input port Ip  (ports Ip and Ip  are connected according to our conventions) 
and then use x in creating the next data-path state <7(2 ) of N  at tick t + 1 . PARCOMP first 
grinds through such low-level specifications and displays as the net result the following, much more 
succinct, representation: (i) M  produces value \p at tick t, (ii) N  attains data-path state g (f(E ))  
at tick t + 1 .
On the other hand, if PARCOMP encounters two non-synchronizing events, say el and e2, 
at tick t which are hidden (i.e. el and e2 are localized within a module), it would report an 
error, indicating a “synchronization failure” . This major side-benefit of PARCOMP therefore helps 
in detecting sequencing errors (“synchronization failures” in a high-level sense) present in user’s 
stated synchronization requirements, without any simulation. This should be contrasted with current 
practices which involve (for example) running a circuit with test data and hoping that this test data 
would cause the control-sequencer to reveal its sequencing bug, which, in turn, is very indirectly 
observed (if at all) by seeing the wrong module getting activated, two modules clashing on a bus,
We know of no other comparable work that “deduces behavior from structure” (similar to 
PARCOMP), other than in very-low level automata theoretic models that introduce one modeling- 
level state for every data path state; our technique introduces one modeling-level state only for 
every control state which are far fewer in number.
2
MODULE XOR 
PORT ?il, ?i2, !o 
PROTOCOL
XOR <= x=?il. y=?i2, !o=(x © y) — XOR 
END XOR
Figure 1: The Absproc Specification of an XO R  Gate
We also note that manual controller specification languages such as [AM84,Hen8l] could easily 
be transliterated into HOP; in addition if the data paths that these controllers control are also 
specified in HOP, current VLSI design methodologies could profit from PARCOMP.
13. | PARCOMP has been implemented in Common-Lisp. We show some results obtained in using 
it.
14. | The following additional spin-offs from PARCOMP are (briefly) discussed: (i) a new new way 
of simulating digital circuits (somewhat similar to that in [Mil85]); (ii) formal verification tech­
niques; (iii) A possibility for automating pipelining, using semantics preserving transformations 
conducted on HOP specifications; (iv) possibility of symbolically simulating VLSI (combinational 
and sequential) circuits.
The main thrust of this paper will be in presenting HOP and algorithm PARCOMP.
Roadmap
The rest of this paper is organized as follows. Section 2 presents HOP through several examples. 
Section 3 provides an overview of the semantics of HOP. Section 4 presents PARCOMP through an 
example. Section 5 outlines work in progress. Though we often indicate where missing details exist 
in the appendices, there is no need to read the appendices to follow this paper. We will present a 
detailed literature survey in a longer version of this paper.
2 I l l u s t r a t i o n  o f  H O P
Let us start with two simple modules, an XOR  gate and a flip-flop (FF), specify them both in HOP, 
and be able to read and intuitively understand their specifications. These submodules will then be 
used in an MLS counter, whose behavior we will deduce using PARCOMP.
2.1 An X O R  gate
Figure 1 shows salient excerpts from the specification of an XO R  gate written in HOP. A 
specification that specifies a hardware system as a black-box without revealing its internal structure 
is called an Absproc specification. It states enough timing details (external timing protocols) to 
permit the module to be used in a larger context. It typically includes a large amount of “code” in 
a purely functional language that specifies how states and values are created.
Though our XO R  gate is combinational and is “usable at any time” , in a synchronous digital 
system it gets used only at clock ticks. Here we assume that it is used only during phases a or b of 
a two-phase clock train.
At each time step, inputs x and y (respectively) are consumed via ports ?tl and ?i2, and a data 
assertion (xQy) is made on the output port !o. No events are declared, and the XO R  gate repeatedly 








load = Id A a
circ = -i Id A a
PROTOCOL
FF [s] ■<= load, x=?din, !dout=s —► copy —*■ FF[x]
| circ, !dout=s -> copy -> FF[s]
END FF
Figure 3: The Circuit and Absproc Spec, of a Two-phase Clocked MS FF
X O R  gate. The basic unit of time is the “tick” of one of the phases. Note: All our specifications 
have their “starting phases” as phase-a.
Similarly, a multiplexor can be specified as per figure 2(b), and a CTRLR module (which we 
will use shortly) in figure 2(c).
2.2 A Two-phase Clocked Master-slave Flip-flop
The circuit schematic of a Flip-flop and its Absproc specification are shown in figure 3. The 
events to which the Flip-flop F F  responds to are load,copy and circ. load occurs if during phase 
a the input signal Id is asserted; otherwise circ occurs, copy always occurs during phase b. In 
figure 3, we do not show the boundary control wires as well as the circuitry to generate the events 
load, copy and circ. The starting phase of FF is phase-a.
This is how to read the specification of FF: The CONTROL wires coming into FF are Id, a 
and b. The DATA wires are '!din, and !dout. The EVENTS copy, load and circ are all input events; 
we denote an “output event e” by e. Note that events are defined as logic combinations of control 
wires and CLOCK wires a,b.
Finally, the PROTOCOL section states the following. The FF  process in data-path state 
s, as represented by  FF  [s]. (The stuff inside [] is almost always a data path state.) FF[s] offers 
two “choices” of events: load and circ. These guards are to be mutually exclusive by definition 
(thereby guaranteeing determinacy). If load is asserted by the user of FF while supplying x through 
?din, !dout is held at s during phase a, during the next relevant time (—► shows passage of one tick 
of time) the copy event must occur (phase b ticks). Following this, the behavior is similar to FF[x].
Especially noticeable is the fact that the flip-flop may be read during phase a regardless of whether 
load is asserted during phase a or not. This fact is always exploited by hardware designers in 
overlapping “read” and “write” on a flip-flop—but never made explicit in any formal hardware 
specification language to our knowledge. Many such details, such as “read from cache is OK while 
write-through is progress in main-memory” , can be expressed in HOP.
2.3 A Two B it Maximal Length Sequence (MLS) Counter
The schematic and Absproc specifications of a two-bit Maximal Length Sequence (MLS) counter 
are shown in figure 4, and depicted in figure 2(e). This specification was not m anua lly  w ritten , 
b u t com puted using PARCOMP. The effect of PARCOMP is to infer the boxed process diagram 
of the MLS counter from the rest of the process diagrams in figure 2. (Details soon to be presented.)
According to the inferred behavior, initially the sel inputs of the MUX modules could be set 
to permit the loading of the Flip Flops FF l and FF2 (the data loaded is non-zero). Thereafter,
5

To give an overview of the current prototype of the HOP system, we present excerpts from the 
Absproc specification of the FF module and the Realproc specification of the MLS counter module, 
in appendix A.6.
3  O v e r v i e w  o f  t h e  S e m a n t i c  B a s i s  o f  H O P  a n d  P A R C O M P
Here, we deliberately simplify the presentation of the theory behind HOP to leave more room for 
examples. The abstract syntax of HOP is presented in figure 8, appendix A .I. A HOP specification 
specifies a collection of processes interacting with each other in lockstep synchrony, at the beats 
of a (uni or multi-phase) clock. At first glance, a HOP specification can be thought to specify a 
collection of “communicating Mealy machines”. The differences are:
• The events that label the Mealy machine’s transitions have a rendezvous [Hoa84] semantics; 
that is, if machine M\ would produce an output event e on its transition TO to be taken at 
time t and machine M 2 would produce an input event e on one of its transitions T I to be 
taken at time t, then the machines can make progress via TO and TIk', else they deadlock. This 
deadlock models synchronization failure because the intended synchronization requirements 
were not met at time t. This situation is exactly as in [Mil82].
• Transitions are, in general, labeled by data queries and data assertions. It is via these that 
data value communications take place. Data assertions define port value bindings that are in 
effect for one tick. If a data query is meanwhile issued by another module, it gets the value 
binding defined by the data assertion. Data queries and assertions do not rendezvous, thereby 
giving considerable leeway in process interactions. Nevertheless proper usage of events (that 
have a rendezvous behavior) is essential for meaningful data transfers. This is one of the 
major differences between HOP and SCCS. (Note: Data assertions can also model idealised 
switches by simply asserting an equality constraint.)
The formal operational semantics of HOP is provided in appendix A.2, figures 9 and 10. Basically 
these figure defines the transition relation —► via structural induction over the syntax of HOP. 
In  more p la iner terms, this defines “what all a HOP process can do” for all HOP processes. 
We illustrate just one of these rules: Parcomp. (Note: We discuss only a simplified form of this rule):
2.3.2 Lisp Representations of HOP Specifications
p ^ p ' , q^ q '
(P\\Q)ca^ a2(P ’\\Q')
According to this definition, if process P  can participate in action cal and transform itself into 
P  , and if process Q can participate in action ca2 and transform itself into Q , then (P  | Q) can 
participate in action cal,ca2 and transform itself into P  | Q . The notation cal,ca2  stands for 
the “action product” of actions cal and ca2 (in the same way action product is defined in SCCS). 
Basically, the “action product” construct captures the process of interaction among the actions cal 
and ca2. The concept of action product is a concise way of specifying synchronizations as well as 
value communications among modules. Figure 9 defines the action product operator.
According to rule Parcomp, computing the parallel composition of two processes P  and Q 
involves:
• Starting of P  and Q at their start states Sp and Sq ;
• Clashing all possible actions of P  and Q at these states;
• Generating all pairs of next states of P  and Q;
• Continuing the above process, in the presence of value bindings generated from the previous 
clashings;
• Stopping when all pairs of reachable control states have been examined.
The procedure is superficially similar to performing a product of two synchronously working au­
tomata; pairing the respective states that are an equal number of transitions away from the re­
spective start states, and then connecting these pairs of states with transitions labeled by paired 
events. However there are two key differences.
'i) transitions are labeled by data queries as well as data assertions; their interactions lead to value 
communications among the processes; (ii) events have to synchronize, or else the process deadlocks.
The termination of PARCOMP is due to the finite number of control state pairs in a cartesian 
product. We however generate far fewer states due to: (i) the “equal distance merge” that doesn’t 
pair certain states; (ii) pruning synchronization trees [Mil80] by capitalizing on hiding information.
4  I l l u s t r a t i o n  o f  P A R C O M P
4.1 Illustration of PA R C O M P  on the MLS Counter
• To deduce the Absproc description of the MLS counter, given diagrams 2(a) through (d) and the 
interconnectivity specification among the submodules (figure 5)—actually a more detailed CONNECT 
specification as in appendix A.6. We express the goal as:
MLS [sl,s2] = Connect dnterconnections of the MLS> in Hide {copy,load,il,i2} in
(FFl[sl] | FF2[s2] | XOR | MUX1 | MUX2 | CTRLR)
where FF1 and FF2 are of type FF, and MUX1, MUX2 of type MUX.
(Hiding p hides ?p and !p; hiding e hides e and e; e is a “synchronized event”.)
• The connect specification is handled by renaming all nodes interconnected to common names. Also 
all variables within processes are renamed to avoid name clashes. Then we have:
= Hide {?copy,!copy,?load,!load,?il,!il,?i2,!i2} in 
(FFl[sl] | FF2[s2] | XOR | MUX1 | MUX2 | CTRLR)
• Observe that the event circ is not generated by any of the participant modules. Therefore the choice 
offered by FF  1 as well as FF2 on circ are satisfiable only if some module outside the boundary of 
MLS generates circ. However, circ event is hidden; that is, no module from outside can supply circ. 
Therefore, we immediately prune the arm of FF1 and FF2 labeled by circ. In practical terms this 
means that FF1 and FF2 are always used as shift registers—no recirculation of data is done! (Note: 
In our actual implementation of the parallel composition procedure, this pruning take a few more 
fixed-size simple steps.)
• The parallel composition now reduces to: (i) taking the action product of the events offered by all the 
modules for the first instant of time; (ii) continuing with the remaining instants of time. We write the 
initial events offered by each of the modules in separate lines below, followed by —► which is followed 
by the collective behavior of the system from the second time instant onwards. One may read-off these 
lines from the figure 2.
(Offered by FF1) load, x l=?il, !ol=sl,
(Offered by FF2) load, x2=?i2, !o2=s2,
(Offered by XOR) x3=?ol, y3=?o2, !xo = x3©y3,
(Offered by MUX1) x4=?dil, y4=?xo, z4=?sel, !il=if(z4,x4,y4),
(Offered by MUX2) x5=?di2, y5=?ol, z5=?sel, !i2=if(z5,x5,y5),
(Offered by CTRLR) !load
8
The following behavior under bindings B1 (defined below) :
( (icopy — FFl[xl]) | (!copy — FF2[x2]) | XOR | MUX1 | MUX2 | (!circ -► CTRLR))
• The binding B1 is generated by the action product occurring during the first time instant. It is:
{<xl «— if(z4,x4,sl0s2)>, <x2 *— if(z5,x5,sl) >,
<x3 *— sl>, <y3 <— s2>, <y4 <— sl0s2>, <y5 <— sl> }
The generation of such a binding is required by rule Data-assns of figure 10.
• The parallel composition procedure continues by: (i) unraveling the behavior starting at the second 
time instant; (ii) pruning away all unsynchronized but hidden events (there are none for the MLS); 
(iii) terminating if all control combinations have been exhausted. In the current example, after ex­
panding the behavior at the second time instant, we would be faced with:
( FF1[..] | FF2[..] || XOR | MUX1 | MUX2 | CTRLR )
for some arbitrary arguments to FF1 and FF2. At this point, our procedure can stop because it 
is the control combination <FFl,FF2,XOR,MUXl,MUX2> that we began with. We call this a control 
combination because it represents an execution control status of all the subprocesses.
• Thus, we get diagram 2(e).
4.2 Results of the Run from Our Implementation
Our implementation took the inputs given in appendix A.6 produced the listing, shown in ap­
pendix A.6 (edited for visual clarity). It says that the entry-point is control state (0 0 0 0 0 0). 
Entering there, we see that the process generates no events, generates a few data assertions that 
specify ports and expressions (D I and DO). (The strange variable names are obtained after renam­
ings to avoid name clashes.) The next control state is (1 1 0 0 0 l)  and the next data path state 
is also specified. At control state (1 1 0 0 0 1 ) ,  we perform some actions and come back to control 
state (0 0 0 0 0 0). This corresponds to figure 2(e). The computation takes a few seconds of elapsed 
time on a HP-Bobcat running HP Common Lisp.
Roughly ten times more time is taken, on the average, if we do not capitalize on the event 
hiding information. For another larger example (a FIFO queue), not using the hiding information 
resulted in the generation/re-examination of roughly a hundred times more control states.
4.3 Statically Detecting Synchronization Failures
We plugged in a bad CTRLR module that has copy and load switched with respect to figure 2(c). 
The parallel composition yielded a process with no transitions at all (STOP of [Hoa84]).
Any finite process— a process that has a finite sequence of actions leading to a deadlock— is 
useless for building digital systems. A module, after all, has to run forever! Upon detecting a 
deadlock our system reports the cause for it; in this case, revealing that the user made a high-level 
sequencing error, thereby preventing the event load from getting synchronized. No simulation was 
performed to reveal this synchronization error.
We can similarly detect this, and other errors such as: (i) errors due to omission of data port 
interconnections, causing UNKs to propagate; (ii) two syntactically different values clashing on a 
port, for the MLS, and much larger examples.
5 W o r k  i n  P r o g r e s s
This section touches on many design automation issues centered around HOP. Due to the page 
lim its, we present only one in detail. The rest are in appendix A.5.
9
TESTER <= !sel=l !dii=0 !di2=l — C0UNT[4]
COUNT[N] <= if (N=0) then PRINT.N.STOP ‘
else !sel=0 — C0UNT[N-1]
PRINT.N.STOP print(“Counting test over") —*• STOP
Figure 6: A Tester Process for an MLS Counter, Expressed in HOP
(MLS[sl,s2] || TESTER) <=
( !sel=l, !dil=0, !di2=l, !ol=sl, !o2=s2, !xo=sl0s2 —►
( !xo=UNK, MLS[if(z4,x4,sl0s2), if(z5,x5,sl)] ) | COUNT[4] )
under bindings '
{< x4 *— 0 >, < x5 *- 1 >, < z4 +— 1 >, < z5 +— 1 >}
If we start FFl and FF2 in states 0 and 1 respectively, and unravel the parallel composition via the simulator, 
we can obtain the following:
( (!ol=0, !o2=l, !xo=l —► <some outputs> —*• COUNT[2]) || MLS[1,0]) 
and then
( (!o l= l, !o2=0, !xo=l —► <some outputs> —► COUNT[l]) | MLS[1,1]) 
and then
( (!o l= l, !o2=l, !xo=0 —► <some outputs> —► COUNT[0]) | MLS[0,1]) 
thus completing one cycle.
As will be seen shortly, this is also the basic technique for symbolic simulation.
Figure 7: Parallel Composition of a MLS Counter and Its Tester
A New Approach to Simulation
A great advantage of HOP is that we do not need a separate simulation command language; 
HOP itself suffices! Example: the tester process defined in HOP to test the MLS counter figure 6. 
This tester process sets the !sel port to 1 (to permit loading the flip-flops), !d il to 0 and !di2 to 1 
(the data items to be loaded), all during the first time instant. Starting at the second time instant, 
the behavior of TESTER is the same as that of C0UNT[4]. The COUNT[N] process counts N times 
in a loop. Until N gets to zero, the !sel line is kept at 0, thereby permitting data to flow among 
the submodules. When the count runs out, a message is printed (an event only for humans) and 
the simulation halts. Halting is simply achieved by virtue of the fact that STOP is a process that 
is capable of no actions at all.
In order to simulate a circuit: (i) statically compute the parallel composition of the module to 
be tested with a “tester” process; some errors could surface now; if not we get (we believe) faster- 
to-simulate functional expressions; (ii) simply “unravel” the result of the parallel composition. The 
result of taking such a parallel composition is given in figure 7.
Pipelining
Some languages (e.g. SLIM [Hen8l]) have the ability to specify automata, and additionally state 
that certain outputs be generated earlier or later relative to other events. These help in pipelining 
systems, albeit manually. In HOP, we can model the idea of pipelining used in SLIM. The idea 
is to substitute one controller for another in a subsystem and check that the overall behavior is 
unaffected, except for the gained speed. We have some examples that support our research in this 
direction. One example is given in appendix A.8.
10
We have currently completed the formal verification of a large ASIC that we are designing. We could
present excerpts from this in the final paper. Some details of the latter are in appendix A .5.1.
R e f e r e n c e s
[AM84] P. Agrawal and M. J. Meyer. Automation in the Design of Finite-State Machines. VLSI design, 
5(9), September 1984.
[Bar81] Mario R. Barbacci. Instruction Set Processor Specifications (ISPS): The Notation and Its Appli­
cations. IEEE Transactions on Computers, C-30(l):24-40, January 1981. '
[Cam84] Raul Camposano. Automatic Datapath synthesis from DSL specifications. In Proceedings Inter­
national Conference on Computer Design: VLSI in Computers, pages 630-635, 1984.
[CGM86] Albert Camilleri, Michael C. Gordon, and Tom Melham. Hardware Specification and Verification 
using Higher Order Logic. In Proceedings of the International Working conference From HDL 
Descriptions to Guaranteed Correct Circuit Designs, Grenoble (IFIP), North-Holland, 1986.
[FTG88] Richard Fujimoto, Jya-Jang Tsai, and Ganesh Gopalakrishnan. The Roll Back Chip: Hardware 
Support for Distributed Simulation Using Time Warp. In (Accepted for publication in) The Dis­
tributed Simulation Conference, San Diego, CA, 1988.
[GFK87] Ganesh Gopalakrishnan, Richard Fujimoto, and Jed Krohnfeldt. A Language for Specifying 
Lockstep-synchronous Deterministic Processes: New Communication Mechanisms and Applica­
tions to Hardware Design. In (Submitted to) ACM Principles of Programming Languages, 1988, 
1987.
[Gop86] Ganesh C. Gopalakrishnan. From Algebraic Specifications to Correct VLSI Systems. PhD thesis, 
State University of New York, December 1986.
[GS87] Ganesh C. Gopalakrishnan and Mandayam K. Srivas. Implementing Functional Programs Using 
Mutable Abstract Data Types. Technical Report, Dept of Computer Science, Univ. of Utah, Salt 
Lake City, UT 84112, May 1987. (Also submitted to Information Processing Letters.).
[GSS86] Ganesh C. Gopalakrishnan, Mandayam K. Srivas, and David R. Smith. From Algebraic Specifi­
cations to Correct VLSI Circuits. In Proceedings of the International Working conference From 
HDL Descriptions to Guaranteed Correct Circuit Designs, Grenoble (IFIP), North-Holland, 1986.
[Hen81] John Hennesey. SLIM: A Simulation and Implementation Language for VLSI Microcode. Lambda, 
1981. Second Quarter.
[Hoa84] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1984.
[Joh84] Steven D. Johnson. Synthesis of Digital Designs from Recursion Equations. The MIT Press, 1984. 
An ACM Distinguished Dissertation-1983.
[MC80] C. A. Mead and L. Conway. An Introduction to VLSI Systems. Addison Wesley, 1980.
[MilSO] Robin Milner. A Calculus of Communicating Systems. Springer-Verlag, 1980. LNCS 92.
[Mil82] Robin Milner. Calculii for Synchrony and Asynchrony. Technical Report CSR-104-82, Univ. of 
Edinburg, 1982. Internal Report.
[Mil85] George J. Milne. Simulation and Verification: Related Techniques for Hardware Analysis. In Pro­
ceedings of the Seventh International Conference on Computer Hardware Description Languages, 
pages 404—417, North-Holland, 1985.
[She85] Mary Sheeran. muFP... In Proceedings of the Functional Programming and Computer Architecture 
Conference, Springer-Verlag, LNCS 201, September 1985. Nancy, France.
Formal Verification and Symbolic Simulation
11
Notes: The abstract syntax has to be augmented with the following rules:
• A choice (|) may not be offered among different output events. Essentially, being in a control state 
determines the output events generated uniquely.
• Choices must contain mutually exclusive input events in their input guards (initials citeCSP-book). In 













processed [ parameters ] = rename.process 
rename.function hide.process 
| hidejprocess
| i f  (condition, rename.process, rename.process ) 
rename event.pori.names to event.pori.names in  
hide.function par.process \ parjprocess 
hide event.pori.names in  
deterministic.choice 
| deterministic.choice \ \ parjprocess 
| process.id [ actuals ]
| process.id [ actuals ] I I par.process 
| rename.process 
| par.process I I rename.process 
( rest.of.choices ) 
seq.process
| seq.process I rest-of.choices 
process.id
| process.id [ actuals ]
| compound.event -> seq.process 
simple.event
| simple.event , compound.event 
| dataio.assertion
| dataio.assertion , compound.event 
eventid \ eventid \ eventid \ idle 
variable = ?portid | !poriid = expression
Figure 8: Abstract Syntax of HOP, with terminals in te le type  font
A  A p p e n d i x
A . l  T he  A b s tr a c t  S y n tax  o f H O P
See figure 8.
A .2 T he  F o rm a l O p e ra t io n a l S em an tics  o f H O P
See figures 9 and 10. Some explanations are now presented.
Separately defined processes with different event and port names may be made to interact with each 
other by renaming their interface events and ports to common names. A processes may be prevented from 
interacting with another through an event or a data port by hiding that event or data port.
We have found that having three kinds of events input, output and synchronized is helpful both seman­
tically and pragmatically in the following ways:
• Specifications are made to relate to practical reality (driven signals .vs. input signals) better. In 
addition, our definition of event products (figure 9) is based on our intuition of how synchronous 
hardware systems work. In order to capture this intuition faithfully, we have found it necessary to 
have these three kinds of events.
• to have broadcast semantics for events (e behaves like e as far as event product goes; both of them 
can “meet and annihilate” an input event.
12
e, e => e (i)
e, e => e (2)
e, e => € (3)
e, e => e (4)
e, e => ? (5)
e, e => € (6)
= port => port = E, with binding [E/x ] (7)
Figure 9: Definition of Action Product in HOP
• to distinguish a synchronized action (?) from an unsynchronized action '(e) with respect to hiding; 
Hiding an unsynchronized event causes deadlock whereas hiding a synchronized event is equivalent to 
replacing that event with an idling event.
• to define a function interpret that takes a process and reveals its execution history, by traversing 
that path (unique due to determinacy) of the synchronization tree [Mil80] that is labeled solely by 
synchronized events and data assertions. The third precondition of rule for parallel composition as 
well as the notes given in figure 8 guarantee the determinacy of HOP.
In figure 9 we provide the action product axioms of HOP. They define the way in which we wish to 
see simultaneously occurring events and data assertions interact. Specifically: synchronization is defined; 
unsynchronized simultaneous events are allowed, hoping that under future parallel compositions these events 
would get synchronized. The relation => may be read as “may be simplified to”. The action product operator 
V is commutative and associative with identity element idle.
In figure 10, we present the operational semantics of HOP as a labeled transition system. For each 
compound action ca, the relation — ► is the smallest relation closed under the rules given in figure 10. These 
rules are to be applied only after a canonical representation for action products defined by figure 9 has been 
obtained.
Action and Det-choice These are basis cases of the transition relation, with Action being a special case 
of Det-choice. The rule Det-choice says that a process defined as a deterministic choice of compound actions 
ca, can evolve to P, via caj.
Parcomp This rule defines the parallel composition of two processes. Consider the first two precondi­
tions of this rule (for ease of understanding). If P  and Q can evolve via cal and ca2, P  | Q can evolve via 
cal,ca2, the action product of cal and ca2. The third precondition of this rule is what guarantees determi­
nacy; if Q can disrupt the mutually exclusive nature of the choices offered by P, the parallel composition of 
two processes P  and Q doesn’t have any transitions defined.
This rule captures how individual data assertions interact upon parallel composition andData-assns
impart a binding to variables present in the receiving process. The cases of contradicting assertions (two 
modules driving a data bus with different values) is handled naturally; a port identifier would be equated to 
two different values. By admitting a value HIZ (to model open busses) and suitable resolutions of bindings 
such as port =  H IZ , port = 22 => port = 22 “wired functions” also can be modeled. Likewise modeling 
bidirectional flow of information, such as in a pass transistor, is easy; both ends of the pass transistor are 
asserted to have the same value.
Hiding-sync When event e is hidden from process P, all synchronized events e in P  are replaced with
idle, the identity event for action products.
Hiding-unsync When an unsynchronized event cal is hidden from P, the branch of the synchronization 
tree of P  labeled by cal (as well as the subtree following cal) is pruned.
Obvious.Iliding-dout, Hiding-din and Renaming
Conditionals and Recursion The rule for recursion is essentially that defined on [Mil82, page 8],
13
Action (ca —+ P) — ► P  
Det-choice (|,- ca,- —► P,) Pj
„  Co 1 i „  ca 2 ' . „ e l , ca 1 i „e2  ,ca2 „/> _  SSL . _ -  S ,  , « e 5 ,e 4 ,c o 3 „ / .,P a rco m p-’ Q— ' Q  '  ^ —" ’ ---  ’ e36<e1' ^ ’ e4e{e2,72}z> not(Q —► Q ))
ca 1 ,c a 3 . / 1| _  / .
(p IIQ) ( P W )
p (,=rt,ea lp , (P=£),ea2
Daca-assns ---
JTidiflg-syjic
(P I, g) (P . | .j.) [C/I]
___________ P - ^ P '___________
Hide e in  P ea^ l£l/^ Hide e in  P'
D  n 1 n  •  _  4_■ i• P  — ► P  , P  — ► P  , e or e G cal Jfjajng-unsync ------------ -------------
(Hide e in  P) (Hide c in P") 
p  C0 'P = g  p '
Hiding-dout ---------- —----------
Hide p in  P  — ► Hide p in  P'
Hiding-din
p  p >
Hide p in  P  — ► Hide p in  P'with x unbound
Renaming-e ------------- —— -——--------------
. Rename e to el in  P  — ► Rename e to el inP '
Renaming-e ------------- ——_ ^ --------------
Rename e to el in  P Rename e to el inP*
„  . P P  , da uses pRenaming-port
Conditional
Rename p to p i in  P <,al£ l^  Rename p to pi inP '
P I -^Up
( if  true then P i else P 2) — P'
ca
( if  /a/se then P I else P2) — ► P' 
P, [/ix T .P/X] P'caf k i  n r  a h' i a i .Recursion
fix i X . P - ^ P '
Notes: The transition for Parcomp may be strengthened to include: (i) clashing outputs on a bus; (ii) two 
modules generating an output event (seldom happens, and skews make this dangerous!).







Figure 11: Use of Data Assertions
A .3 The Computational Model Underlying HOP
A collection of processes Pi, P2, ..., Pjv, share a global clock and interact with each other on each clock beat 
through a finite set of named events e*, ej, etc. At each time step, a process P: waits for one of several 
mutually exclusive events ei,...,em to come true (offers a ’’deterministic choice” in the sense of cite[Chapter- 
2]Hoare-book) or idles. A process that idles has no effect on the other processes. A process P  offering a 
choice £  = ej, ...,em at time step t deadlocks if none of £  = rf, are produced by some other process
during time step t. If, however, ej £ £  is produced, P synchronizes on ej and continues to behave like some 
process, Pj. Each output event ej can synchronize with more than one input event ej. Non-synchronizing 
events ei,e7 , etc. may occur simultaneously, too.
So far our computational model has resembled that of SCCS citeMilner-sccs except for determinacy and 
broadcast semantics for output events. But now we start differing. Each process possesses a finite set of 
named data input and data output ports p,-. A set of ports can be regarded to be connected if they have 
the same name. Such a connection is called a node. At each time step a process can make data assertions 
on its output ports or query data from its input ports. A data assertion is written Ip = E  where \p is a port 
(! to indicate it is an output port) and E  is an expression denoting some value (such as integers). A data 
query is written x =?p where a: is a variable that has not been used so far in the lexical scope of the process 
description (? to indicate input direction). Data assertions and data queries on a set of connected ports are 
meant to interact; therefore if data assertion Ip = E  is true at time t, a data query x =?p binds * to E  in 
the process making the query. However, data assertions may be made without any contemporaneous queries 
going on; or queries may be properly contained in the interval in which assertions are made. In this sense, 
value communications (as opposed to synchronization signals) between processes is not through rendezvous, 
unlike all existing Calculii of Communicating Systems.
Also note that the synchronization behavior of a process is solely determined by events. A proper 
synchronization skeleton of events is vital for meaningful data communications. Yet there is considerable 
flexibility in the manner in which data assertions can meaningfully interact (see figure 11). We could not 
find any way to satisfactorily model such situations modularly in existing Calculii of Communicating Systems 
(“CCSes”) or other process specification languages. In existing CCSes a process performing an output action 
cannot make progress without another process performing a matching input. Also, using existing CCSes 
we had to explicitly wire in timings into process descriptions. Despite this extension, we have a simple and 
elegant operational semantics for HOP A.2, much like that for SCCS citeMilner-sccs. HOP also provides 
conditional expressions of the form P[x] ■<= i f  p(x) then P[f(x)] else Q[x]. This then is HOP’s underlying 
computational model.
A .4 The Parallel Composition Algorithm
Input: An expression Hide HS in | {Pj[Xj],..., Cj[Xj],...} for i € {l..m}, j  £ {l..n}. Cj are 
conditional processes of the form C,[X7] = i f  qj then 7}[<7j(Xj)]else Fj[hj(Xj)] and P, are non­
conditional processes of the form P,[Xi] = 2/i : initialsi —► i2j(y,); Each P* offers a set of initial
15
choices initiahi and for each choice j/j that is offered, the future behavior of Pi is Ri(x/i). HS is the 
Hidden Set, the set of events and ports hidden from the parallel composition.
Output: A behaviorally identical process P[Xi, ..., X j , ...].
A done-list is maintained for each parallel composition | {Pj[X7|,...} that has already beenMethod:
computed. Upon getting a call for performing parallel composition, the done-list is first consulted.
• If the requested parallel composition is in the done-list, return. Else enter it in the done-list and 
proceed as follows.
• Combine all conditional processes into one conditional process C. Combining two conditional processes 
is done as follows:
= if  9 ithen 7i[ffi(^D]else *i[M^D]
C2[^2] = i f  92 then T2[g2 (X2)] else
Cif^T] || C,2 [A’2] =  i f  (9 1 A q2) then |
else i f  (91 Ano<(}2)) then Ti[0i(Xi)] | i?2[/i2(X^)] 
else ...etc. (all four combinations)
• Now we are left with the task of computing Hide HS in | {PjfxT],..., C). Let C be of the form
i f  qi then Ci[</i(Xi)]else i f  q2 then C2[j2(X 2)]e<c.
| {.PjfXi],..., C) reduces to a conditional process with g,- as the conditions. This conditional has in 
it parallel compositions of the form | {.PjfXi],..., C,}. that is (recursively) computed. Eventually we 
are faced with composing non-conditional processes in parallel. We take this up next. „
• Consider | {Pj[Xi],...}. Let each P, be
PifiQ  = ca\
ca? -  R?V?'(X7)}
• Generate tuples
T = <  ca*1, ca^, >
i.e. a tuple of the Xith initial compound action offered by P\, the x2th initial compound action offered 
by P2 , etc. This tuple T is assumed to be the irreducible form arrived at after applying the action 
product rules of figure 9. According to the rule for parallel composition (Parcomp of figure 10), all 
such tuples would become the initial choices of the resultant process. Following such choices, the 
resultant process would continue to behave like | {72*1 [/f1 (Xi)]Pfa[/2 ...}. However using the 
hiding information HS, we can prune many of these choices. In particular,
- those tuples T that contain unsynchronized events e or e that belong to HS are dropped, and 
the corresponding arm of the synchronization tree is pruned;
- those tuples T that contain synchronized events e that belong to HS are replaced by T[idle/fj.
In computing
the bindings generated by taking action products of the members of T are taken into account. Specif­
ically, we construct a let block containing these bindings. □
16
A .5 Some Details of W ork in Progress
A.5.1 Symbolic Simulation
Symbolic simulation requires us to carry around non-ground (with free variables) expressions in “unravel­
ling” the behavior of the result of parallel composition. Handling non-ground functional expressions during 
symbolic simulation has the following problems:
• Simplification of the functional expressions that arise during simulation is not an easy problem. In 
general it involves reasoning in various mathematical theories. Fortunately, we observe (from the 
examples in [Gop86]) that many such theories are simple and therefore reasoning in them can be 
automated.
• More challenging is the problem of deciding the path to be followed upon encountering a conditional 
branch (the “«/’ process in non-terminal rename_process, figure 8).
At present we have the following ideas: when a conditional expression (such as (N=0) in the specification of 
process COUNT) is encountered, the user is queried for a suitable decision. The user’s response (say “true”) 
is recorded and the simulation proceeds along the prescribed direction. It is then the responsibility of the 
simulator to make sure that future evaluations (including future queries from the user) are checked against 
past responses of the user for consistency. A mixed approach of actual and symbolic simulation is also a 
possible solution.
A .6 Lisp Representations of HO P  Specifications
EX CER P TS FROM T H E  ABSPROC S P E C IF IC A T IO N  O F F F
( (nam e . f f )
( k i n d  . a b s p r o c )
( p o r t  . ( ( d i n . ( I  . B I T ) )  j p o r t  n a n e , d i r e c t i o n ,  t y p e
(d o u t . (0  . B I T ) )  ) )
(e v e n t  . ( (c o p y • I )  : e v e n t  name a n d  d i r e c t i o n
( l o a d . I )
( c i r c . I ) ) )
( p r o t o c o l . (  ( f f . (  (p a r a n  . ( ( s . s t a t e )  )  )
( i o v a r  . (  ( i  . B I T )  )  )
(b o d y  .
(C H O IC E
(S E Q  (S IM U L T  ( I  lo a d )  ( D I  x  d i n )  (DO s  d o u t ) )
(S IM U L T  ( I  c o p y ) )
(BECOM E f f  ( i ) ) )
(S E Q  (S IM U L T  ( I  c i r c )  (DO s  d o u t ) )
(S IM U L T  ( I  c o p y ) )
(BECOM E f f  ( s ) ) )
))))))
(d e f u n  . n i l  )  ; no  f u n c t i o n s  a r e  d e f in e d  h e r e .
)  ; i f  a n y  a r e  n e e d e d , s u p p ly  nam e, a r g s  a n d
; a  la m b d a  e x p r e s s i o n .
EX CER P TS FROM T H E  REALPROC S P E C IF IC A T IO N  O F  T H E  MLS COUMTER
( (nam e . m is )
( k i n d . r e a l p r o c ) ; p a r a m ,c o n s t . t y p e  s e c t i o n s  a r e  a l s o  u s a b le  i n  a n  A b s p ro c  s p e c
(p a r a n  . n i l  ) ; S i z e  p a r a m e te r s  ( e . g .  w o r d le n g t h )  c a n  be s p e c i f i e d
(c o n s t . n i l  ) ; c o n s t a n t s  sis i n  P a s c a l
( t y p e . n i l  ) ; t y p e  d e f i n i t i o n s  a s  i n  P a s c a l




( c o l  
(c o 2  
n i l  )  
. (  (F F 1  . 




( c d i 2  . ( I  . B I T ) )
( c s e l  . ( I  . B I T ) )
( 0  . B I T ) )
( 0  . B I T ) ) ) )
( f f  ) )
( f f  ) )
( m u  ) )
( m u  ) )
( x o r  ) )
FF1  a n d F F 2  a r e  in s t a n c e s  o f  f f .  
one may s u p p l y  a c t u a l  s i z e  
p a r a m e te r  a l s o  w hen i n s t a n t i a t i n g  
th e s e  s u b m o d u le s . e . g .  v o r d l e n g t h  =  1 6 . 
HOP s p e c s ,  c a n  t h u s  h a v e  a  n i c e
( p r o t o c o l  
(C O N N E C T
(d a te m o d e
( c t r l r  . ( c t r l r ) ) ) )  ; t a i l o r a b l e  s t r u c t u r a l  h i e r a r c h y .  
(  (m is  .
S p e c i f y  t h e  f o l l o w i n g  f o r  e a c h  d a t a  n o d e  a n d  e v e n t  n o d e :
I n t e r n a l  nam e, e x t e r n a l  nam e, h id d e n  o r  n o t ,
l i s t  o f  s u b m o d u le s  a n d  t h e i r  p o r t s  t h a t  m eet a t  t h i s  n o d e .
(e v e n tn o d e
. (  
(n m i l  
)
(n m i l
)
( n s e l
)
( n o l
)
(n o 2  
)




(n x o  
)))
. (  ( n l o a d  U N K -E V E N T  h id d e n  (  (C T R L R  . l o a d )  (F F 1  . l o a d )
c d i l n i l ( (MUX1 .. m i l )  )
c d i 2 n i l ( (MUX2 .. m i l )  )
c s e l n i l ( (MUX1 ,. B e l )  (MUX2 . s e l )  )
c o l n i l ( (F F 1  .. d o u t )  (MUX2 . m i2 )
(X O R  .. i l  )  )
co2 n i l ( (F F 2  ., d o u t )  (X O R  . i 2  )  )
U N K -P O R T h id d e n  (  (MUX1 . mo) (F F 1  . d i n )  )  
U N K -P O R T h id d e n  (  (MUX2 . mo) (F F 2  . d i n )  )  
U N K -P O R T h id d e n  (  (XO R  . x o )  (MUX1 . m i2 )  )
(F F 2  . l o a d )  )
(n c o p y  U N K -E V E N T  h id d e n  (  (C T R L R  . c o p y )  (F F 1  . c o p y )




( n c i r c l  U N K -E V E N T  h id d e n  (  (F F 1  . c i r c )  ) )  
( n c i r c 2  U N K -E V E N T  h id d e n  (  (F F 2  . c i r c )  ) )
)
))))))
TH E  R ES U LT O F P A R A LLE L  C O M P O S ITIO N  Y IE L D IN G  T H E  MLS PROCESS
E x p l a n a t i o n :
P ro c e s s e s  a r e  r e p r e s e n t e d  a s  a  s t r u c t u r e  w i t h  t h e  i n d i c a t e d  f i e l d s  (E N V IR O N M EN T, e t c . ) .
EN V IR O N M EN T, E V E N T S , D A TA -A S S N S , N E X T -C T R L -S T A T E  a n d  N E X T -D P -S T A T E
a r e  “ p a r a l l e l  l i s t s ’ ’ , i . e .  t h e i r  i t h  e n t r i e s  c o r r e s p o n d  t o  e a c h  o t h e r  f o r  a l l  i .
A p r o c e s s  may be v ie v e d  as a  f u n c t i o n  fro m
e v e n t s  t o  p r o c e s s e s  (a s  i n  [ H o a 8 4 ] . )  S u c h  f u n c t i o n s  c a n
be c o n v e n i e n t l y  s p e c i f i e d  u s i n g  a r r a y s .  T h i s  i s  w h a t we d o .
A t  e a c h  a r r a y  i n d e x ,  s p e c i f y  t h e  ‘ ‘ c u r r e n t  s t a t e ’ ’ a c t i o n s ;  th e n  
s p e c i f y  t h e  n e x t  c o n t r o l  s t a t e  (a n o t h e r  in d e x  i n t o  t h e  a r r a y )  a n d
18
th e  n e x t  d a t a  p a t h  s t a t e .  T h e  d a t a  p a t h  s t a t e  c a n  be m o d if ie d  
o n ly  d u r i n g  p r o c e s s  c a l l s  ( t h e  ‘ ‘ BECOM E”  c o n s t r u c t  i n  t h e  L i s p  
r e p r e s e n t a t i o n ) .
L e t  in d e x  ( 0 0 0 0 0 0 )  ( c o n t r o l  s t a t e )  c o r r e s p o n d  t o  t im e  t .
Ue n o s  s t u d y  t h e  f o l l o s i n g  l i s t i n g .
A t  t im e  t  t h e  ENVIRONM ENT s p e c i f i e s  t h e  b i n d in g s  i n  e f f e c t  
f o r  t h e  d a t a -p a t h  s t a t e  v a r i a b l e s  as v e i l
a s  t h e  I/ O  v a r i a b l e s .  T h e r e  a r e  no e v e n ts  o n  s h ic h  t h e  MIi> s i l l  
r e n d e z v o u s ;  i t  v i l l  s i m p ly  s c o o p  u p  a l l  t h e  d a t a  a s s e r t i o n s  p r e s e n t  
a t  t h a t  t im e  a n d  m a rc h  a h e a d . T h e r e  a r e  some d a t a  a s s e r t i o n s  made 
a t  t im e  t .  A t  t im e  t + 1 ,  Be e n t e r  c o n t r o l  s t a t e  (1  1 0  0 0 1 ) .
T h e  d a t a  p a t h  s t a t e  r e m a in s  th e  seme (F F 1  a n d  F F 2  a r e  e s s e n t i a l l y  
a t  ‘ ‘ s ” ) .  A t  t im e  t + 1 , . . .  r e a d  o n  a g a i n s t  (1  1 0 0 0 1 ) .  We come 
b a c k  t o  c o n t r o l  s t a t e  ( 0 0 0 0 0 0 )  a f t e r  t h a t .
T h e  N E X T -D P -S T A T E  h a s  some N IL s  i n d i c a t i n g  t h a t  XOR, MUX1 a n d  MUX2 
d o n ’ t  h a v e  d a t a  p a t h  s t a t e s .
EN TR Y C TR L  S T A T E (0 0 0 0 0 0)
PROCESS MLS I S
F F 2 $ F F $ S )
(X 0 R -F N  X0R$X0R$X X 0 R $ X 0 R $ Y ))
(M U X -F N  MUX1$MUX$MX MUX1$MUX$MY M UX1$MUX$MS)) 
F F 1 $ F F $ S )
F F 1 $ F F $ S )
(M U X -F N  MUX2$MUX$MX MUX2$MUX$MY M UX2$MUX$MS)) )
NM02)
(0 0 0 0 0 0):
ENVIRONM ENT ((X 0 R $ X 0 R $ Y
(MUX1$MUX$MY 
(F F 1 $ F F $ X  
(MUX2$MUX$MY 
(X0R $X0R $X 
(F F 2 $ F F $ X  
E V EN TS  n i l
D A TA -A S S N S  ( ( ( D O  (M U X -F N  MUX2$MUX$MX MUX2$MUX$MY MUX2$MUX$MS) 
( D I  MUX2$MUX$MS C S E L )
(DO F F 1 $ F F $ S  C 0 1 )
( D I  MUX2$MUX$MX C D I2 )
(DO (M U X -F N  MUX1$MUX$MX MUX1$MUX$MY MUX1$MUX$MS) 
( D I  MUX1$MUX$MS C S E L )
(DO (X 0 R -F N  X0R$X0R$X X 0R $X0R $Y) H X0 )
( D I  MUX1$MUX$MX C D I1 )
(DO F F 2 $ F F $ S  C 0 2 ) ) )
N E X T -C T R L -S T A T E  ( ( 1 1 0 0 0 1 ) )
N E X T -D P -S T A T E  ( ( ( F F 1 $ F F $ S )  (F F 2 $ F F $ S )  N I L  N I L  N IL  N I L ) ) )
NM01)
(1 1 0 0 0 1): 
ENVIRONM ENT
EV EN TS
D A TA -A S S N S
(M U X -F N  MUX2$MUX$MX MUX2$MUX$MY M UX2$MUX$MS))  
F F 1 $ F F $ S )
F F 1 $ F F $ S )
(M U X -F N  MUX1$MUX$MX MUX1$MUX$MY MUX1$MUX$MS)) 
F F 2 $ F F $ S )
(X O R -F N  X0R$X0R$X X 0 R $ X 0 R $ Y )))
( (F F 2 $ F F $ X  
(X0R $X 0R $X  
(MUX2$MUX$MY 
(F F 1 $ F F $ X  
(X 0R $X 0R $Y 
(MUX1$MUX$MY 
n i l
( ( S I M U L T ) )
( ( ( D I  MUX1$MUX$MS C S E L )
(DO (M U X -F N  MUX1$MUX$MX MUX1$MUX$MY MUX1$MUX$MS) NM01) 
( D I  MUX2$MUX$MX C D I2 )
( D I  MUX2$MUX$MY C 0 1 )
( D I  MUX2$MUX$MS C S E L )
(DO (M U X -F N  MUX2$MUX$MX MUX2$MUX$MY MUX2$MUX$MS) NM02)
19
load, x = cdi, cdo = s —► CT7i[x]
up, cdo = s —► CT7Z[up(s)]
down, cdo = s —► CT7i[doum(s)]
cde/, cdo = s —► CT7i[s]
read, a = cdo —► M£M l[s, a]
write, a = cdo, d = mdi —► Mi?Af[u>ritfe(s, a, d)]
mdef —► Mi?Af[s]
read, mdo = read(s, a), a = addr —► M £M l[s, a]
write, mdo = read(s,a), a = cdo, d — mdi
—*• MEM[write(s,a,d)]
mdef, mdo = read(s, a) —► Mi?Af[s]
reset, mdef, cdef —► /oad, mdef —► SCTL
push, mdef, cdef —► up, mdef —► cde/, write —► SCTL
pop, mdef, cdef —► down, mdef —► SCTL
top, mdef, cdef —► cde/, read —► SCTL
sdef, mdef, cdef —► SCTL
Hide {load, up,down,cdef,read, write, mdef, cdo] in  
CTJ?[cs] | M£M[ms] | SCTL
Figure 12: Realization of a Stack 
( D I  x o r $ x o r $ x  c o i )
( D I  X0R$X0R$Y C D 2 )
(DO (X O R -F N  XOR$XOR$X X 0R $X0R $Y) KXO)
( D I  MUX1$MUX$MX C D I 1 ) ) )
K E X T -C T R L -S T A T E  ( ( 0 0 0 0 0 0 ) )
N E X T -D P -S T A T E  ( (F F 1 $ F F $ X  F F 2 $ F F $ X  N I L  N I L  N IL  N I L ) ) )
A .7 One More Example: A Stack
From the definitions in figure 12, we deduced the definition in figure 13.
ST/fPA/^cs, ms] = reset —► x = cdi —► ST/CPAR^, ms]
1 pus/i —► d = mdi —► idle
—► ST.fi_P.A.R[up(cs), write(ms, read(cs), d]
| pop —► idle —► ST7fPAR[doum(cs), ms]
1 top —► id/e —► STTfP-APlfcs, ms, cs]
1 sde/ —► STTfP-APlcs, ms]
ST/v P-AJ?l[cs, ms, a] = (mdo = read(ms, a)), STKP AR[cs, ms]







NCTL = reset, mdef, cdef —► load, mdef —► NCTL
1 push, mdef, cdef —► up, mdef —► NCTLl
1 pop, mdef, cdef —^ NCTL2
1 top, mdef, cdef —► cdef, read —* NCTL
1 sdef, mdef, cdef —*■ NCTL
NCTL1 = write, NCTL 
NCTL2- down, NCTL
Figure 14: Realization of a Stack
A .8 A Pipelined Stack Controller .
Figure 14 shows a pipelined stack controller. Using this controller makes the stack operate faster. (NCTL 
has more control states than SCTL though.) The notation “write, NCTL” means: generate write during all 
the initial transitions of NCTL. We would like to automatically derive NCTL from SCTL by a technique 
that rearranges events without disrupting the meaning of the parallel composition. A suitable denotational 
model has been proposed by us for HOP to define process equivalence (see [GFK87]).
21
