Goossens de ned a structural operational semantics for a subset of VHDL-87 and proved that the parallelism present in VHDL is benign. We extend this work to include VHDL-93 features such as shared variables and postponed processes that change the underlying semantic model. In the presence of shared variables, nondeterministic execution of VHDL-93 processes destroys the unique meaning property. We identify and characterize a class of portable VHDL-93 descriptions for which unique meaning property can be salvaged. Our speci cation can serve as a correctness criteria for a VHDL-93 simulator.
INTRODUCTION
VHDL has been designed to facilitate speci cation, documentation, communication and formal manipulation of hardware designs at various levels of abstraction (Bhaskar 1994) . The semantics of VHDL-93 are given in English prose in (IEEE 1993) . The goal of developing formal semantics is to provide a complete and unambiguous speci cation of the language. Adherence to this standard will contribute signi cantly to the sharing, portability and integration of various applications and computer-aided design tools; to the implementation of language processors; and for formal reasoning about VHDL descriptions. Furthermore, this exercise enhances our understanding of the various VHDL-93 constructs/features. There have been a number of proposals for a formal semantics of VHDL, almost all of them dealing with subsets of VHDL-87 , Goossens 1995 , van Tassel 1993 , Wilsey 1992 . In particular, Goossens (Goossens 1995) de nes a structural operational semantics (Hennessy 1990 ) for a subset of VHDL-87 that includes almost all the fundamental behavioral constructs in a single VHDL-87 entity. B orger et al (Chapter 4, ) provide a formal de nition of VHDL-93 features using EA-machines. However, they do not formally prove properties of their semantics.
In this paper we build on Goossens work which deals with a subset of behavioral VHDL-87. We de ne a structural operational semantics for a subset of behavioral VHDL-93 that includes features such as shared variables and postponed processes, not present in VHDL-87. These VHDL-93 constructs fundamentally change the underlying semantic model of VHDL. In particular, the unique meaning (monogenicity) property proved for the subset of VHDL-87 in (Goossens 1995) no longer holds in the presence of shared variables because of nondeterministic and asynchronous nature of process executions. However, we characterize a class of portable VHDL-93 descriptions for which the unique meaning property can be salvaged. That is, we specify VHDL-93 descriptions that will always yield the same results when interpreted by di erent simulators or by the same simulator on di erent runs. The goal is to provide an approximate but formal interpretation of the following statement in Section 4.3.1.3 in the VHDL LRM (IEEE 1993) .
A description is erroneous if it depends on whether or how an implementation sequentializes access to shared variables.
Our de nition of portability is based on the following observations: In each simulation cycle, if only one process accesses a shared variable, then the nal value of the shared variable is uniquely determined (because of the sequential execution of the statements in a process). Similarly, if a shared variable is only read by some/all processes, the value of the shared variable remains unchanged. However, if multiple processes try to access a shared variable while one of them is writing into it in the same cycle, there is potential for ambiguity in the nal value of the shared variable.
Our formalization can be viewed as a speci cation for the VHDL-93 simulators against which the correctness of an implementation can be veri ed. It speci es additional run-time machinery that can potentially be incorporated in a VHDL-93 simulator to ag VHDL-93 descriptions that cannot be \safely" ported. In course of this development we also explain and correct a few errors that have crept into the formal description of the VHDL-87 semantics given in (Goossens 1995) .
The rest of this paper is organized as follows: Section 2 presents the abstract syntax of the VHDL-93 subset and Section 4 speci es its semantics. The primary emphasis is on the changes to the semantics in (Goossens 1995) resulting from the introduction of shared variables and postponed processes. We explore the causes of non-portability and then formally de ne what we mean by portable VHDL-93 descriptions. Section 3 illustrates the portability problem. In Section 5 we prove some interesting properties of portable descriptions. Section 6 presents some conclusions.
ABSTRACT SYNTAX OF VHDL-93 SUBSET
The abstract syntax of the core subset of behavioral VHDL-93 is shown below. (IEEE 1993) . It is a collection of processes communicating with each other through signals and shared variables. k is the parallel composition operator and I is a nite index set. As mentioned earlier, a VHDL-93 description is portable if one can associate a unique meaning with it. To characterize portable VHDL-93 descriptions, we associate the identity of a process with each occurrence of a shared variable. So we have tagged the
Syntactic
The VHDL-93 concrete syntax for the process statement is: (while true do ss i ) (i : process begin ss i end process i; ) meta-variables proc, p, pp, ss, and e with subscript i representing the index of the associated process proc i .
The set of processes has been partitioned into postponed processes (pp) and non-postponed processes (p). The predicate postponed? is true of all postponed-process indices. A process is a sequence of statements that can be executed repeatedly. The statements include assignments, wait statements, and control statements. In wait statements, whenever \on S", \for e", or \until e" are omitted, \on S ue " (where S ue is the set of signals in the until clause), \for 1", or \until true" respectively are assumed. In signal assignments, whenever the after-clause is omitted, \after 0" is assumed. The expression syntax is standard and includes logical and arithmetic expressions.
With regards to the static semantics, we assume that the VHDL-93 descriptions are well-typed, and all the signals with multiple drivers have a suitable resolution function associated with them. For instance, the expression e in \for e" is assumed to be of integer type, while that in \until e" is of boolean type.
We now explore the semantic complications caused by the introduction of shared variables into VHDL. Example 1. The following VHDL description is not portable as the value of sx after t-ns (> 0) can be either 1 or 2 (due to inherent nondeterminism In what follows, we develop the structural operational semantics for the given VHDL-93 subset by extending the work of Goossens (Goossens 1995 
Semantic Entities
The state of a computation is captured by the history of values of each signal, the value bound to each variable and each shared variable, and the \activity" status of each postponed process.
Each process has a local store LStore that models the persistent value bindings of the variables and the signals. Without loss of generality, we assume that each variable implicitly holds an integer or a boolean value. V al = Z B. Each signal s is interpreted as a partial function f : Z 7 ! V al ? (representable as a subset of Z V al ? ) satisfying the following constraints (Goossens 1995) : for n < 0, f(n) is the value of the signal n time steps ago; f(0) is the current value of the signal s; for n 0, f(n + 1) is the projected value for n time steps into future. f(1) contains the value scheduled for the next delta cycle. f contains at least h?1; ii and h0; vi for initial value i and current value v of s. Note that only for n 0 is h(n + 1); ?i a valid pair in f and encodes a null transaction for time n.
The domain SStore models the value bindings of the shared variables. To guarantee portability of VHDL-93 descriptions, access to shared variables must be restricted. In any simulation cycle, all processes may read a shared variable, or exactly one process may read and write a shared variable, without jeopardizing portability. However, one cannot permit arbitrary reads and writes across processes. To characterize portable VHDL-93 descriptions, we Z stands for the set of integers and B for the set of booleans.
6
A portable subset of VHDL-93 associate with each shared variable, its current value, the type of last access (read/write) and the index of the process accessing it. The distinguished constants ? and > denote unde ned and all respectively. The constant ?
represents the case where a shared variable has not yet been accessed in the current cycle, while the constant > represents the case where all processes are permitted to access the shared variable.
It is also necessary to remember whether or not a postponed process is active, ready to be run at the end of the last delta cycle for the current time. Thus, the domain PPStat is de ned as a subset of (postponed) process indices I .
Thus, the signatures of the semantic domains are : LStore = (V ar 7 ! V al) (Sig 7 ! P(Z V al?)) SStore = (SV ar 7 ! (V al (I f?;>g) P(fr;wg))) P P Stat = P(I) (a) Handling of Shared Variables for Portability
We now propose a scheme to ensure that the value bound to each shared variable in every cycle is well-de ned (unique) in spite of the nondeterministic execution of the processes. For this purpose, we tag each shared variable with two additional pieces of information | the index of the process accessing it and the type of last access (read/write). One can capture the constraints for portability by de ning a suitable transition function on the \states" of the shared variable as explained below:
At the beginning of each simulation cycle, the state of a shared variable can be denoted by hv; ?; ;i, where ; signi es that the variable has not yet been accessed. Assume that a read by process i is denoted by i, while the action of writing u is denoted by hi; ui.
If process i issues a read, the state of the shared variable changes to hv; i; frgi. The corresponding state transition is written as: hv; ?; ;i i 7 ?! hv; i; frgi.
If process i now writes a u, the state of the shared variable changes to hu; i; fr; wgi and the state transition is written as: hv; i; frgi hi;ui 7 ?! hu; i; fr; wgi. If the current state of the shared variable is hv; i; frgi and process j issues a read, all subsequent accesses to the shared variable can only be reads, to ensure portability. This is because, a subsequent write to the shared variable by a process i (resp. j) can potentially a ect the value of the shared variable read by the remaining statements in process j (resp. i). If process i issues a read, then only i should be allowed subsequent access, for portability. However, if process j issues a read, the code is not portable, because there is potential for ambiguity in the value that process j reads. In particular, it could be v or the value the shared variable had prior to v. We crystallize and complete the above description by formally de ning a deterministic nite state automaton that keeps track of accesses to a shared variable, to distinguish access-sequences that are portable from those that are potentially non-portable. A deterministic nite-state automaton (DFA) is a 5-tuple (Hopcroft and Ullman 1979) : (Q, ,?,F, q 0 ), where Q is the set of possible states, is the alphabet, ? is the transition function (? : Q 7 ! Q), F is the set of accepting states ( Q), and q 0 is the initial state (2 Q). We customize these sets for the problem at hand as follows: Q = V al (I f?; >g) P(fr; wg):
Recall that the shared variable value is tagged with the index of the process that accesses it and the type of last/allowed access. The possible types of accesses are: ;, frg, fwg and fr; wg representing no access yet, read-access, write-access, and read/write-access respectively. The ? value for the index signi es that no process has yet accessed the shared variable in the given simulation cycle, while the > value means that all processes are allowed access.
I is nite, but Val is in nite. However, for our purposes, we make the simplifying but realistic assumption that Val is arbitrarily large but nite. (Over ow will trigger a run-time error.) The state of a shared variable changes when it is accessed. A read-action is represented by the index of the process from which the read has been issued, while a write-action is represented by a pair consisting of the value to be written and the index of the process from which the write has been issued. The deterministic transition function ? is given below: (a) Every action in the string is a read action, that is, it is in I. Furthermore, the value of the shared variable remains unchanged. (c) Every action in the string is a write action with the same value component, that is, it is in I ffvgg. Furthermore, the nal value of the shared variable is the value written.
Proof Sketch: It is easy to see the result by starting from the nal states and tracing all the relevant transitions in reverse. The function T transforms a Store as follows:
The (local) variables are unchanged: T ( i )(x) = i (x). For signals: T ( i )(s) = fhn?1; vi j hn; vi 2 i (s)g fh0; i (s)(2) else i (s)(0)ig:
Here x else y means \if x is de ned then x else y". Note that there is an error in (Goossens 1995) since it has 1 in place of 2, and as shown later, i (s)(1) is always unde ned when T is applied. For shared variables: T ( )(sx) = hv; ?; ;i; where (sx) = hv; ; i. For the status of the postponed-processes: T ( ) = ;. (Store SSt) An expression is evaluated with respect to the local/shared store and it returns a value and a (possibly modi ed) shared store. A program (resp. statement) and a store evolve into a new program (resp. statement) and an (resp. unique) updated store. (IEEE 1993) .) For correct handling of delayed-attribute we also need to store the previous value of each signal in the LStore.
Semantics of Expressions
Theorem 41 The meaning of an expression is independent of the order of evaluation of its subexpressions.
Proof Sketch: The meaning of an expression consists of its value and the shared store. As the expressions only inspect (read) the values bound to variables, shared variables and signals, and never modify (write) them, the value component is independent of the order of evaluation. So the result follows from Lemma 42 and structural induction.
Semantics of Statements
The semantic rules for all but the signal assignment statement and the wait statement are more or less standard.
For concreteness, the rules for assignment to a shared variable and for while- The signal assignment statement changes the value of a signal by adding a time-value pair and eliminating all other pairs that are scheduled for a later time. Let update( ; s; v; t) = ( (s) n fhn; (s)(n)i j n > tg) fht + 1; vig.
(There is a minor error in (Goossens 1995) 
Semantics of Processes and Programs
The semantic rules for processes/postponed processes (that is, for ! proc ) are similar to those for statements (that is, ! ss ). A process unwinds into a potentially in nite sequence of statements.
A program (that is, fully elaborated behavioral VHDL-93 description) consists of a collection of sequential processes that execute independently. Global synchronization and (synchronous) communication through (common) signals takes place when all the processes reach a wait-statement. Otherwise, these processes execute asynchronously between wait-statements and can commu- In the presence of shared variables, the nondeterministic execution of processes embodied in this rule may yield di erent results. However we can de ne restrictions that ensure that all possible executions are \equivalent", as explained later.
If no processes can resume (and there are no postponed processes that can run in the last delta cycle), then the global simulation time is advanced by one. To achieve this, the store is updated using T and the timeout value in the wait-statment is decremented by one. We use ws i te i ; be i ] for (wait on S i for te i until be i ). E ectively, the timeout expression is evaluated only once in the rst deltacycle, while the condition in the wait-statement is evaluated in every delta cycle in which there is an event on a signal that the process/condition is \sensitive" to. Whether or not a postponed process can run in the last delta cycle is determined as follows. 
PROPERTIES OF THE OPERATIONAL SEMANTICS
We are now ready to formally de ne the notion of portability. Let ! pgm be the re exive transitive closure of ! pgm , and (Q, ,?,F, q 0 ) be the DFA described in Section a. From Lemma 41 this implies permitting arbitrary interleaving of statementexecutions as long as each shared variable is accessed either by all processes in read-mode, or by all processes in write-mode and the same value is written in, or by the same process in read/write mode, between two successive synchronization points.
We now investigate properties about the semantics of the portable VHDL-93 descriptions, to gain deeper understanding and to increase our con dence in the formalization of the semantics.
Theorem 51 A process that does not contain a wait-statement loops forever. As a consequence of this nonlocality it is not possible to incrementally check VHDL-93 descriptions for portability.
Theorem 57 Given a VHDL-93 description, it is not possible to determine statically (that is, at compile time) whether or not it is portable.
Proof Sketch: If the VHDL-93 description contains a \free" shared variable whose value is not known at compile-time, then it is obvious that portability check cannot be made statically. The program PS and the shared variable s ag given in the proof of Theorem 56 exemplify this situation.
Interestingly, the result holds even when all the variables, shared variables and signals are completely de ned. The test for portability can then be reduced to determining whether or not two programs compute the same function. while true do ( . . . sx := Func1(x1) . . . ; x1 := x1 + 1; wait for 1 ns;) k while true do ( . . . sx := Func2(x2) . . . ; x2 := x2 + 1; wait for 1 ns;) Let x1 and x2 be initially 0; Func1 and Func2 abbreviate the e ect of the code that computes sx from x1 and x2 . The above program is portable if and only if the value written into sx by the two processes in every step is identical. That is, Func1 and Func2 stand for the same function. However, since equivalence problem for Turing-complete languages is undecidable, the portability cannot be determined at compile-time.
In order to detect lack of portability at run-time, the simulator can be augmented with additional information speci ed in the DFA described in Section a. One can view this as a new implementation of the abstract data type shared variable.
CONCLUSIONS
The designers of VHDL-93 extended VHDL-87 by introducing shared variables and postponed processes into the language. Here, we developed a structural operational semantics for a behavioral subset of VHDL-93 along the lines of Goossens' work. In particular, we extended the underlying semantic model to accomodate new VHDL-93 features. This formal speci cation can serve as a guide to the implementor and as a correctness criteria for the VHDL-93 simulator. Furthermore, VHDL-93 LRM stipulates that the VHDL-93 descriptions that generate di erent behaviors on di erent simulators are erroneous. In this paper, we explored causes of non-portability through examples and later proposed su cient conditions for a VHDL-93 behavioral description with shared variables and postponed processes to have unique meaning. We also speci ed how a simulator can be augmented with additional information to detect and ag non-portability. We then stated some basic properties about VHDL-93 descriptions, and showed that test for portability is neither local nor static.
Pragmatically, our approach has some limitations compared to the recent proposal for introducing protected types into the language to deal with shared variables (Willis 1996) . In this proposal, Hoare's monitors are used as the basis for implementing shared variable mutual exclusion semantics. Each procedure de ned in the monitor can be thought of as encapsulating \atomic" sequence of reads and writes. Any arbitrary permutation of these procedure calls from various processes in a simulation cycle is assumed to be acceptable to the designer as long as each call is executed atomically. Thus, this construct enables expression of algorithmic nondeterminism (Willis 1996) .
