Practical verification and synthesis of low latency asynchronous systems by Stevens, Kenneth
THE UNIVERSITY OF CALGARY
PRACTICAL VERIFICATION AND SYNTHESIS OF LOW LATENCY ASYNCHRONOUS SYSTEMS
BY
KENNETH S. STEVENS
A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
DEPARTMENT OF COMPUTER SCIENCE
CALGARY, ALBERTA
SEPTEMBER, 1994
© KENNETH S. STEVENS 1994
THE UNIVERSITY OF CALGARY
FACULTY OF GRADUATE STUDIES
The undersigned certify that they have read, and recommend to the Faculty of Graduate Studies for acceptance, a thesis entitled: “Practical Verification and Synthesis of Low Latency Asynchronous Systems” submitted by Kenneth S. Stevens in partial fulfillment of the requirements for the degree of Doctor of Philosophy
Dr. G. Birtwistle, Supervisor & Chairman
Department of Computer Science
Dr. J. W. Haslett
Department of Electrical & Computer Engineering
Dr. J. Kendall
Dean of Science, University of Calgary
Dr. P. Kwok
Department of Computer Science
Dr. L. E. Turner
Department of Electrical & Computer Engineering
Dr. D. Edwards
Abstract
A new theory and methodology for the practical verification and synthesis of asynchronous systems is developed to aid in the rapid and correct implementation of complex control structures. Specifications are based on a simple process algebra called CCS that is concise and easy to understand and use. A software prototype CAD tool called Analyze was written as part of this dissertation to allow the principles of this work to be tested and applied. Attention to complexity, efficient algorithms, and compositional methods has resulted in a tool that can be several orders of magnitude faster than currently available tools for comparable applications.
A new theory for loose specifications based on partial orders is developed for both trace and bisimulation semantics. Formal verification uses these partial orders as the foundation of conformance between a specification and its refinement. The definitions support freedom of design choices by identifying the necessary behaviors, the illegal behaviors, and behaviors that are irrelevant. Loose specifications and their refinements are written using CCS semantics.
Pure CCS has been modified so that all of the common asynchronous hazard models - delay-insensitive, quasi delay-insensitive, speed-independent, and burst-mode - can be supported by Analyze. The parallel composition semantics have been extended to allow conjunctive broadcast communication. These communication primitives are implemented in a mixed-mode fashion so that pure CCS evaluation or hardware component modeling can be accomplished. A meta transition rule called computation interference is also implemented to strengthen the correctness of verifications under labeled transition systems such as CCS.
Congruences hold for conformance verifications in Analyze so that hierarchical verification is supported. A hierarchical top-down directed synthesis procedure is developed. Process logics are refined for practical applications of labeled transition systems to circuits and systems, including a new definition for liveness and deadlock. The target implementation methodology of this work is a parallel set of communicating burst-mode controllers. Burst-mode, developed earlier by the author, is formalized so that Analyze can verify when a specification obeys all the burst-mode rules and can be automatically synthesized into an implementation.
Acknowledgments
As an undergraduate I was fortunate to learn about asynchronous circuits from Al Davis at the University of Utah. This has developed into a disease that I cannot shake, and over 13 years later I am still designing asynchronous circuits and systems. I am also indebted to Al Hayes and Kent Smith, the two advisors for my master’s thesis, who immersed me in VLSI, asynchronous circuits, and embedded systems.
After my master’s thesis I was fortunate to get a second chance to learn from Al Davis by working for him on the Mayfly project at Fairchild and Hewlett-Packard. He has unquestionably been my greatest mentor, both professionally and recreationally. The satisfaction I achieved in my research with him was easily paralleled by the thrill of climbing a vertical frozen waterfall as he taught me ice climbing in the Canmore “Junkyards”. Bill Coates, Robin Hodgson, Ian Robinson, Shane Robison, and Bic Schediwy deserve my thanks for their help, support, and friendship during the Post Office project.
Graham Birtwistle gladly took me on as a PhD student at the University of Calgary in spite of my rather low opinion at the time of the applicability of formal methods to circuit design. My “devil’s advocate” side had been considerably bruised by the long hours of hand VLSI design on the Post Office, so when I arrived at Calgary I was very open to new approaches. Graham nursed me through my first real exposure to greek letters other than those attached to the front of fraternity houses. Jo Ebergen, Rob van Glabbeek, Faron Moller, and Chris Tofts contributed invaluable “formal” insights. I would like to thank John Aldwinckle and Ying Liu, classmates at the University of Calgary, for many hours of insightful technical presentations and discussions, and for pulling me out of some tight jams. I would also like to thank my examiners, found on the Approval page, for their contributions and time.
Never have I worked with such a scholar and gentleman as Graham. Beyond the philosophical, technical, and organizational lessons he introduced me to a number of technical people whom I highly respect that have also become my friends. This is a typical exchange I copied from the whiteboard in Graham’s lab, many of the entries coming from visitors he had brought in:
“Computer simulation is fun!”
“Simulation is the intelectual tool of last resort.”
“At least us last resorters can spell intellectual.”
“As long as they have little drinks with umbrellas in them, you can send me to the last resort!”
The atmosphere at Calgary was very good for my health and leisure as well as my intellect. Although Graham is twice my senior in years, I can barely keep up with him when he is on a mountain trail. I have even survived two of his races to the top of Mount Bourgeau and back during his Fall workshops. I would also like to thank Tom Fukushima as a great friend who took me to many of his favorite fishing holes, and Dave Spooner for keeping me in shape by dragging me off to the gym.
I would like to thank Hewlett-Packard for supporting this research through the generous scholarship funding of a Resident Fellowship. In particular I would like to thank Dick Lampman at HP Labs in Palo Alto, who is by far the best manager I have ever met. I miss his friendly visits as he applied “management by walking around” to perfection.
I would also like to thank my parents who let me and my family live in their cabin at beautiful Giles Flats in the Wasatch Mountains of Utah during the last few months of finishing my dissertation. The mountains were inspiring, but I think that perhaps my draw towards the fish in the creek squelched some of my literary inspiration.
Finally, God has blessed me with wonderful family - Dawn, Marina, Lincoln, and Lance. They have backed me in all my endeavors. None of this is worthwhile without them, and they will never know how much I love them.
Kenneth S. Stevens
k.stevens@ieee.org
September 1994
Giles Flats, Wasatch Mountains
Contents
Approval Page ..... ii
Abstract ..... iii
Acknowledgments ..... v
List of Tables ..... xii
List of Figures ..... xiii
1 Introduction ..... 1
1.1 Asynchronous Design ..... 2
1.2 Circuit Design ..... 9
1.2.1 Asynchronous Finite State Machines ..... 10
1.2.2 Architectural Methodologies ..... 11
1.2.3 Macro Module Based Design ..... 12
1.3 Silicon Compilation ..... 13
1.4 Formal Methods ..... 13
1.5 Automated Formal Asynchronous Design ..... 14
1.6 The CCS Process Algebra ..... 16
1.6.1 Syntax and Semantics of CCS ..... 18
1.7 Thesis Structure ..... 21
1.8 Contributions ..... 23
2 Motivation for Analyze ..... 25
2.1 Overview of Mayfly and the Post Office ..... 26
2.2 Asynchrony in Mayfly ..... 31
2.2.1 Features ..... 31
2.2.2 Problems ..... 32
2.3 Post Office Implementation ..... 35
2.3.1 Datapath Components ..... 35
2.3.2 Arbitration ..... 36
2.3.3 Features ..... 37
2.3.4 Difficulties and Design Flaws ..... 38
2.4 Summary ..... 42
3 Hazards ..... 46
3.1 Delay Models ..... 47
3.2 Hazard Models ..... 49
3.3 Circuit Hazards ..... 51
3.3.1 Hazard Occurrences ..... 53
3.3.2 Hazards in Combinational Logic ..... 53
3.3.3 Hazards in Sequential Automata ..... 58
3.3.4 Delay Hazards ..... 61
3.3.5 Example of Hazards in Sequential C-element ..... 62
3.3.6 Other Potential Faults in the C-element ..... 64
3.4 Specification Complexity and Hazards ..... 66
3.5 Hazard Summary ..... 67
3.6 Controlling Hazards ..... 72
3.7 Hazard Removal ..... 73
3.7.1 Signal Reordering ..... 73
3.7.2 Complex Transistor Gates ..... 75
3.8 Summary ..... 78
4 Burst-mode and AFSM Circuit Synthesis ..... 80
4.1 Burst-mode ..... 81
4.2 CCS Burst-mode Specifications ..... 83
4.3 Fundamental Mode Requirement ..... 86
4.4 Burst-mode Specifications ..... 88
4.5 Burst-mode Implementation Rules ..... 88
4.6 Burst-mode Specification Rules ..... 93
4.7 Post Office Design Process Example ..... 95
4.7.1 Asynchronous State Machine Design Example ..... 96
4.8 Summary ..... 103
5 Hardware Equivalences Formalized in CCS ..... 105
5.1 Advantageous CCS Properties ..... 107
5.2 Notational Definitions ..... 109
5.3 Equivalences and Agent Properties ..... 113
5.3.1 CCS Equalities ..... 114
5.3.2 Predictability ..... 116
5.4 Hardware Conformance to Specifications ..... 119
5.5 Trace Conformance ..... 121
5.5.1 Suitability of Trace Conformance ..... 125
5.5.2 Strengthening Trace Verifications ..... 127
5.5.3 Trace Failure Example ..... 129
5.5.4 Are Trace Systems Useful? ..... 132
5.6 Logic Conformance ..... 136
5.6.1 Logic Conformance Example ..... 138
5.6.2 Properties of Logic Conformance ..... 139
5.7 Summary ..... 145
6 Practical Applications of Process Logics ..... 148
6.1 Hennessy-Milner Logic ..... 149
6.2 Modal-μ Calculus ..... 152
6.3 Application Independent Invariant Properties ..... 154
6.3.1 Deadlock ..... 154
6.3.2 Liveness ..... 157
6.4 Application Specific Invariant Properties ..... 160
6.4.1 Behavioral Proofs ..... 160
6.4.2 Logical Conformance ..... 160
6.4.3 Operational Safety Proofs ..... 161
6.5 Conformance Applications ..... 167
6.6 Performance of Analyze ..... 168
6.7 Summary ..... 171
7 Synthesis and Verification using Analyze ..... 173
7.1 The Concurrency Workbench ..... 175
7.2 Problems with CCS and the Workbench ..... 175
7.2.1 Parallel Conjunction ..... 180
7.2.2 Analyze Parsing ..... 185
7.2.3 Circuit Connections ..... 186
7.2.4 Restriction and Relabeling ..... 187
7.3 Computation Interference ..... 189
7.3.1 Interference in a Specification ..... 190
7.3.2 Implementation Interference on an Output ..... 190
7.3.3 Implementation Interference on a Restricted Signal ..... 191
7.4 Bisimulation and Minimization ..... 192
7.4.1 Minimization and Equivalences ..... 192
7.4.2 Minimization Algorithm ..... 193
7.5 Analyze Usage Example ..... 196
7.6 High Level Synthesis ..... 203
7.7 Burst-mode State Machine Verification ..... 207
7.8 Summary ..... 211
8 Conclusions ..... 215
8.1 Challenges ..... 216
8.1.1 Complexity ..... 216
8.1.2 Tool Support ..... 218
8.2 Analyze Critique ..... 219
8.3 Future Directions ..... 220
Bibliography ..... 223
List of Tables
2.1 Mayfly Design Responsibilities ..... 26
3.1 A SIC Circuit Specification ..... 54
3.2 The TOGGLE Element ..... 60
3.3 One of Eight SI Delay Hazard Errors in the C-element ..... 64
3.4 Hazard Free Circuit Classes ..... 68
4.1 Different Burst Specification Styles ..... 85
5.1 Traces of Length Three for the Two Element Hybrid Circuit ..... 122
5.2 Traces of Length Three for the Two Element FIFO ..... 124
5.3 Failures for Some Matching Traces of the FIFO Example ..... 128
6.1 HML Formulae Testing a C-element ..... 150
6.2 Distributed Arbiter Definition ..... 157
6.3 Erroneous Distributed Arbiter Interface ..... 157
6.4 Specification for FIFO CSM Controller ..... 159
6.5 Mutual Exclusion Element Specification ..... 164
6.6 Modal-μ formulae for SI C-element Verification ..... 167
6.7 Modal-μ formulae for Burst-mode C-element Verification ..... 168
6.8 CCS Description of C-element Implementation ..... 169
6.9 Performance of Analyze and Modal-μ Verifications ..... 170
7.1 CCS Description of Manchester Carry Chain ..... 180
7.2 Parallel Conjunction Transition Rules ..... 183
7.3 Hiding Transition Rules ..... 184
List of Figures
1.1 Asynchronous Technology Spectrum ..... 15
1.2 CCS Communication Interaction ..... 17
1.3 CCS Transition Rules ..... 19
2.1 Mayfly Processing Element Block Diagram ..... 27
2.2 Mayfly Interconnection Topology ..... 29
2.3 Photo Micrograph of the Post Office ..... 43
3.1 Hazard Waveforms in Combinational Logic ..... 53
3.2 SIC Covering Example ..... 55
3.3 Functional Hazard in a NAND Gate ..... 57
3.4 Huffman and MEAT State Machines in the Post Office ..... 58
3.5 C-element State Graph and K-map ..... 63
3.6 C-element AND-OR Implementation and Logic Symbol ..... 63
3.7 SBuf-Send-Ctl Circuit with a Transient Hazard ..... 74
3.8 Burst-mode Hazard Free SBuf-Send-Ctl Logic ..... 75
3.9 Complex Gate CMOS Transistor Implementation of C-element ..... 76
3.10 PE-Send-Ifc Hazard ..... 76
3.11 PE-Send-Ifc Hazard Removal with Complex Gate ..... 77
3.12 Hazard Free SIC Circuits as Complex Gate ..... 78
4.1 Burst-mode Conceptual Model ..... 83
4.2 Burst-mode AFSM with Output Burst ..... 86
4.3 Nacking Arbiter SIC State Machine Specification ..... 94
4.4 SBuf-Send-Ctl Burst-mode Specification ..... 97
4.5 Complex Gate Schematic for SBuf-Send-Ctl Y0 ..... 102
4.6 Layout of SBuf-Send-Ctl ..... 103
5.1 Lattice of Equality Relations ..... 113
5.2 Conformance Example with FIFO Buffers ..... 122
5.3 Two FIFO Derivation Trees ..... 123
5.4 Derivation Tree of FIFO-like Structure ..... 125
5.5 Weaknesses in Trace Analysis ..... 126
5.6 Weaknesses in Failures Semantics ..... 129
5.7 E6 Circuit Description for Dill’s Verifier ..... 130
5.8 Falsely Verified Circuit E6 ..... 131
5.9 State Graph of Example E7 ..... 139
6.1 Weakly Deadlocking Handshake ..... 155
7.1 Manchester Carry Chain ..... 180
7.2 Initial Bin Split for Minimization ..... 195
7.3 Initial Crossing Decomposition ..... 199
7.4 Trace Crossing Decomposition ..... 202
7.5 Correct Crossing Decomposition ..... 203
7.6 Burst-mode Transition Graph for Train ..... 203
7.7 Synthesis Procedure ..... 205
7.8 Environmental Burst Constraints ..... 210
Chapter 1
Introduction
Circuit design has undergone a tremendous explosion of progress in the last decade. In the early 1980’s fabrication technology with a feature size of five microns permitted hundreds or thousands of devices to be fabricated on an integrated circuit. Today, millions of devices can be placed on a single circuit of the same area as the feature size has shrunk to half a micron or less.
The cost of designing integrated circuits has exploded as well. Modern fabrication facilities cost millions of dollars, and the man hours required to design a large circuit can be staggering.
Full custom design cannot keep up with the exponential increase in circuit complexity, as design cost and time to market will also increase dramatically, removing the market advantage of these designs for manufacturers. The need for improved tools and technologies that can rapidly produce correct circuits rivaling full custom performance and area advantages is clear from market and technology trends. The need for a designer’s workbench capable of synthesis and verification was personalized for me after spending thousands of hours of manual implementation on a large, full custom, high performance, parallel integrated circuit.
The application of simplifying abstractions that can be upheld in implementations is the best method for supporting the explosive growth in design complexity. Increasing the level of abstraction lets a designer concentrate on architectural concepts rather than the micromanagement of devices and low level implementation details. The abstractions also facilitate the design automation and formal reasoning about circuit properties. The digital assumption is the most widely used abstraction for gates and transistors typically used in VLSI fabrication. Digital design assumes that the devices exist in one of two states, on or off, at high or low voltages.
Although transistors are not necessarily digital, this assumption can be accurate for well designed processes and circuits - high gain devices interconnected in a low-load fashion. These “digital” devices can be connected in such a way as to design more complex combinational functions that are themselves digital. A combinational function is one that solely depends on the input set to determine the output function. This reasoning can accurately be employed for circuit synthesis.
1.1 Asynchronous Design
Many functions cannot be represented in a combinational fashion because they rely on the history of input sequences. Such logic is called sequential logic. How operations are sequenced provides the first and largest distinction between digital design styles. There are two fundamental methods of sequencing these circuits - synchronously or asynchronously.
Synchronous digital circuits assume that time is divided into global, distinct, discrete periods that are controlled by the metronomic tick of a global clock. Control and data signals are stored and passed in lockstep on fixed intervals as determined by the clock and its phases. Storage and sequentiality are typically introduced with clocked latches. All logic functions between the latches must be evaluated during the clock period or the circuit will fail.
Asynchronous circuits do not base their sequencing on regular time. Rather, an interface is defined such that function initiation and completion are explicitly signaled. These interfaces always embody handshaking to ensure that both the sender and receiver of the communication are ready. This interface protocol is commonly referred to as a request/acknowledge handshake. This formal handshake protocol simplifies the design and verification of asynchronous circuits by breaking them into hierarchical modules. The difficult task of creating large parallel systems is greatly simplified since no global analysis is required. Such systems are created by composing and interconnecting the formal interfaces of parallel modules, and verified by proving the interface protocols are upheld. The clean, formal interfaces of asynchronous logic come at the cost of increasing the difficulty of module design as the handshake signals must be free of all glitches and hazards. Hence the more difficult system design aspects are simplified by asynchronous circuits, and the easier challenge of module design becomes more complicated.
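As an added illustration of "verified by proving the interface protocols are upheld" (this is example code written for this edition, not code from the thesis or from Analyze), the following Python checker walks an observed wire trace and reports every step at which it departs from a request/acknowledge handshake. The four-phase return-to-zero ordering, the signal names `req` and `ack`, and the sample traces are assumptions made here; the thesis does not fix a particular handshake phase discipline in this chapter.

```python
# Added example (not from the thesis): a checker that verifies an observed
# interface trace against a four-phase request/acknowledge handshake.
# The signal names, the phase order and the sample traces are assumed here.
from typing import List, Tuple

Transition = Tuple[str, int]  # (signal name, new level), e.g. ("req", 1)

# Assumed legal cycle of edges for one idle-to-idle four-phase handshake:
# the sender raises req, the receiver answers with ack, then both return to zero.
FOUR_PHASE_CYCLE: Tuple[Transition, ...] = (
    ("req", 1),
    ("ack", 1),
    ("req", 0),
    ("ack", 0),
)


def check_four_phase(trace: List[Transition]) -> List[str]:
    """Return the protocol violations found in trace; an empty list means the
    trace conforms. The checker is a small labelled transition system whose
    state is the index of the next edge the protocol permits."""
    violations: List[str] = []
    expected = 0                      # index into FOUR_PHASE_CYCLE
    levels = {"req": 0, "ack": 0}     # both wires start low (interface idle)
    for step, (sig, lvl) in enumerate(trace):
        if sig not in levels:
            violations.append(f"step {step}: unknown signal {sig!r}")
            continue
        if levels[sig] == lvl:
            # Same level again: a glitch or repeated edge, which the wire
            # cannot carry as a new event.
            violations.append(f"step {step}: {sig} is already {lvl} (repeated edge)")
            continue
        levels[sig] = lvl
        if (sig, lvl) != FOUR_PHASE_CYCLE[expected]:
            want_sig, want_lvl = FOUR_PHASE_CYCLE[expected]
            violations.append(
                f"step {step}: {sig}={lvl} out of order, expected {want_sig}={want_lvl}")
            # Resynchronise on the edge actually seen so later steps are still checked.
            expected = FOUR_PHASE_CYCLE.index((sig, lvl))
        expected = (expected + 1) % len(FOUR_PHASE_CYCLE)
    if expected != 0:
        violations.append("trace ends mid-handshake (interface not returned to idle)")
    return violations


# Constructed sample traces: one that conforms and two that break the protocol.
GOOD_TRACE: List[Transition] = [("req", 1), ("ack", 1), ("req", 0), ("ack", 0)] * 2
REPEATED_EDGE: List[Transition] = [("req", 1), ("req", 1), ("ack", 1), ("req", 0), ("ack", 0)]
ACK_WITHOUT_REQ: List[Transition] = [("ack", 1), ("ack", 0)]

if __name__ == "__main__":
    for name, t in (("good", GOOD_TRACE), ("repeated", REPEATED_EDGE),
                    ("ack first", ACK_WITHOUT_REQ)):
        print(name, check_four_phase(t) or "conforms")
```

The checker only sees the edges on the interface wires, which is exactly the modular view the text describes: nothing inside either module needs to be inspected to decide whether the protocol between them was upheld.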
Asynchronous circuits are not slaves to a single unifying master (the clock) as are synchronous systems. Clocked, or synchronous, systems can be easily and reliably controlled inside an asynchronous formalism. Much of my early asynchronous design was based on stoppable clocks we termed “Chuck clocks” in honor of their inventor Chuck Seitz. The controlling asynchronous logic views the clocks as request or acknowledge handshakes, and the clocked domain can be fully synchronous. Such mixed mode designs are formally termed self-timed. Some timing analysis must be done to assure that the asynchronous control is always prepared to accept the clock handshake given the clock circuit’s known frequency. Other delay models are introduced in Chapter 3.
The task of asynchronous controllers is to correctly accept and sequence handshaking signals. Datapath logic must also generate handshakes one of two ways: as true completion signals generated by side effect from the logic operations, or through delay elements that model the timing characteristics of the function. Completion signals are preferable as they accurately model the actual delays in the devices. At times true completion signals can be generated at very little additional complexity. For instance, ORing the two bit lines of precharged RAM cells will produce a handshake indicating the successful completion of the charging and the data valid operations. A good example of the use of delay approximations comes from Sutherland’s 1988 Turing Award lecture on the micropipeline architectural style [Sut89]. A delay simulates the operational time for each pipeline stage and is used to control the following stage. Delay approximations permit the utilization of standard (synchronous) datapath components, but the designs will not be as robust. When true completion signals are not generated, the timing analysis can be done locally; the functional interfaces remain intact, supporting modular design and verification.
Data transmission is typically carried out using one of two methods: a bundled
data protocol, which requires assumptions on the transmission delays of the data
and its associated handshake signals, or data encoding techniques such as the
dual rail protocol, which encodes the completion signal with the data. Bundled
data protocols contain parallel data and handshake paths, and the transmission
delays of the two paths should be equipotential, or nearly identical. The data is then
transmitted before the handshake signal, with the assumption that the handshake
will be observed at the destination following the arrival of the data. This places a
constraint on the drivers, layout, routing, and loading of the signals. Data encoding
protocols use more than one wire per data bit to encode data validity as well as a
digital value. This method is more robust and simplifies the layout and routing at
the cost of doubling the number of wires required to transmit data.
The asynchronous design style results in the following advantageous circuit properties:
1. Control is localized, supporting modular hierarchical designs. Some global
circuit issues such as the power carrying capacity of metal lines and timing
analysis are simplified, while others such as clock skew are moot.
2. Power is actively expended only when a module is actively controlling or
processing information. Well designed modules only consume leakage current when
idle.
3. Performance can be improved as there is no need to wait for a clock edge to
begin processing a transaction, and latency can be the device and ambient
minimum. Performance estimates and run times for asynchronous circuits result
in average delays for the data values rather than requiring worst case values
for reliability.
4. Asynchronous inputs and interrupts are a natural aspect of asynchronous
design, and will not result in synchronization failures.
5. The circuits are extremely robust because they can adapt to the ambient
environment. Changes in temperature, voltage, and implementation parameters
will not affect the correctness of the circuit’s functions. For example, a hazard
free asynchronous circuit designed in scalable rules can operate correctly in a
2 micron or 0.5 micron process, at a temperature of 30°C or immersed in liquid
nitrogen, and at varying voltages. Modifying these parameters can affect the
power consumption and performance dramatically.
6. The interfaces can be extremely robust, including the adaptation to timed
protocols [MCS94].
7. Fewer constraints may be required regarding the physical placement and
routing of cells, simplifying implementation details.
8. Observability may be easier to achieve using the stuck-at fault model because
a handshake signal that cannot make a transition results in deadlock. While
faults are commonly observable by this method in practice, a more rigorous
theory for fault coverage is required for the differing asynchronous design
methodologies.
These advantages have positive ramifications for increasing the level of abstraction
that is desperately needed for large high performance designs. Certain aspects
of tool development, such as place and route software and timing analysis, can be
simplified. However, several aspects of asynchronous design also present challenges.
1. Hazard free design is a difficult, complex process, particularly when using
unbounded delay models. Synchronous synthesis and analytical tools are typically
not applicable to asynchronous designs because algorithmic assumptions
may require the side effects of a global clock, or they do not avoid or detect
hazards. Asynchronous designs are also more difficult to create using ad hoc
approaches.
2. Although it is difficult to make accurate comparisons, asynchronous designs are 
probably larger, and therefore more expensive to fabricate, than comparable 
synchronous designs. Clock lines and drivers are not present in asynchronous 
designs. However, most implementations require hazard removal techniques 
that add logic gates. The handshake signals also add wires between logic 
components. The circuit area of VLSI designs is more sensitive to the wiring 
requirements than the number of transistors, and it is difficult to project the 
tradeoff between the reduction in wire complexity due to clock removal versus 
the increase due to handshake lines. The additional area overhead supposedly 
varies from 5%-20% for custom designs, and up to 100% for designs synthesized 
using programming techniques. The overhead is much worse for data-intensive 
architectures when data encoding techniques (such as dual rail protocols) are 
used.
3. The handshake protocol is only effective over short distances, because the delay 
of transmitting a signal is usually proportional to the distance of the transmis­
sion. One would not use handshaking protocols for satellite transmissions! 
Although functionality is not compromised, there is a significant performance 
sensitivity to the placement of modules. There may also be a performance 
degradation for level sensitive return-to-zero (or four-cycle) protocols versus 
the transition based non-return-to-zero (or two-cycle) protocols when the ad­
ditional handshake cycles cannot be hidden in the computation phase.
The greatest disadvantage comes not from any theoretical disability, but rather
from the serious deficiency in tools tailored for asynchronous design practices and a
lack of experience and case studies. This deficiency comes in all areas: simulation,
synthesis, verification, and testing. The following sections discuss some of the
significant progress recently achieved in asynchronous theory, architecture, and tools by
a small core of researchers and engineers.
Research into asynchronous circuit design has been carried out sporadically since 
the early 1950’s. Most of the modern theory is founded on the early work done by 
Huffman, Muller, and Unger [Huf57, Mil65, Ung69]. Although asynchronous systems 
such as the Illiac [Geo68] had proven asynchronous technology as a viable approach, 
interest waned in asynchronous design. Clocked systems were much easier to design 
since hazards did not need to be removed or controlled. The low integration and 
complexity of the devices allowed global analysis to be carried out efficiently.
Al Davis, Charles Molnar, Chuck Seitz, and Ivan Sutherland bucked the trend
with their pioneering work in asynchronous systems [Dav77, CM72, MFR85, MC80, 
SMSM79]. Technological trends, including the ever increasing levels of integration 
of circuits, and the maturing of logic systems and formal methods have resulted in 
a new wave of interest and applicability in these novel circuits.
I studied asynchronous circuits under Al Davis in the early 1980’s and have had
the fortune of learning from Molnar, Seitz, and Sutherland. In the mid 1980’s I joined
a team designing a distributed memory multiprocessor called Mayfly. This gave me
the opportunity to take my asynchronous circuit experience out of the academic
world into industry with the development of a high speed CMOS VLSI communication
coprocessor chip called the Post Office. The techniques at that time for hazard
removal or control required a single input change constraint, large delays, or
performance inhibiting flip flops [Ung69, CD73]. Since the performance of the Post Office
was critical to the success of the Mayfly project, an alternative method of producing
low latency control was needed. This led me to develop a new asynchronous control
methodology called burst-mode which was successfully applied in all controllers of
the Post Office.
During the development of the Post Office, interest in asynchronous designs was 
widely renewed in the academic community on three different fronts. Circuit design­
ers found it ever more difficult to cope with the global constraints of synchronous 
design and had begun to seriously investigate asynchronous approaches. Software 
engineers began taking advantage of the modularity of asynchronous circuits to build 
program based asynchronous synthesis tools. Logicians and mathematicians discov­
ered that asynchronous circuit design is a natural and useful application for their 
theories. The coming together of these three fields has resulted in a new renaissance 
of asynchronous design theory.
The next sections present some of the salient achievements of these three groups.
1.2 Circuit Design
One of the most challenging aspects of asynchronous circuit design is the removal 
of hazards from circuits. Since all hazards cannot be removed before layout with 
unbounded delay models, the ability to control the occurrence of the remaining 
hazards is also of paramount importance. The following general techniques have 
been applied to the direct layout of asynchronous circuits with attention to hazard 
removal and control.
1.2.1 Asynchronous Finite State Machines
The asynchronous finite state machine (AFSM) based methods take operational
descriptions as inputs and produce circuit descriptions as outputs. These methods 
are typically targeted for CMOS design, creating gate or transistor level circuits. 
The primary goal of these systems is to produce circuits that are free from as many 
hazards as possible through compilation techniques, while also minimizing the la­
tency and area of the implementation. This method is targeted for performance 
sensitive applications. While it is not possible to remove all sequential hazards using 
the unbounded delay model (see Chapter 3), these methods stand out as producing 
systems with the greatest performance with relatively few constraints required for 
hazard control.
They achieve the best performance and smallest size of all the design methods 
when moderately complex specifications are used. Unfortunately, most of the AFSM 
based tools use informal operational definitions such as state graphs, which limits 
the ability to reason about complex systems of AFSMs.
Most of these methods have adopted the burst-mode methodology to achieve 
higher performance with the smallest exposure to hazards. The most efficient circuits 
are typically created from descriptions containing from 5 to 32 burst-mode states. 
While these methods are typically used for control synthesis, they can also be applied 
to the creation of datapath logic.
The first burst-mode synthesis tool was developed by Bill Coates, Al Davis, and
myself to aid in the design of the Post Office [CDS93a, CDS93b]. The tool was
dubbed the “Most Excellent Asynchronous Tool” (MEAT) after being inspired by
the movie “Bill and Ted’s Excellent Adventure”. MEAT was used in the development
of 90% of the control modules in the Post Office. A quick introduction to the AFSM
synthesis capabilities of MEAT can be found in Section 4.7.
The MEAT prototype did not remove all combinational hazards. A flaw was
pointed out by Steve Nowick, who in the process proved that the burst-mode
methodology permits the synthesis of totally hazard-free combinational logic [ND92]. Nowick
also went on to produce a burst-mode synthesis system using local clocks [ND91a]
as part of his Stanford dissertation. This interaction with Stanford also resulted in
another burst-mode synthesis system [YD92].
A widely known method for formalizing and synthesizing AFSMs was developed
by Chu based on signal transition graphs or STGs, which are a restricted form of
Petri nets [Chu87]. This theory has recently been extended to support burst-mode
specifications [Chu93].
Another interesting synthesis system was developed by Luciano Lavagno at
Berkeley [LKSV91]. This synthesis uses timing analysis to assure that when hazards exist
in the circuit, sufficient delays are added to ensure that they are controlled, so that
they will not occur in the physical design. Beerel and Meng have also developed
analysis and synthesis techniques based on bounded delay methods [BM92].
1.2.2 Architectural Methodologies
Some architectural methodologies are based on design styles which can remove
hazards from control logic [Hay81, Hay83, Hol82]. Most of these methods are of
restricted applicability, or do not have the performance advantages of the AFSM
approach.
Sutherland’s micropipeline methodology is the most efficient and successful
asynchronous architectural methodology [Sut89]. The micropipeline design style is based
on transition logic where the asynchronous rendezvous, or C-element, is used to
control interaction between hierarchically compositional pipeline stages. There are
no direct synthesis tools based on this technique despite the simplicity of the control
stages. The most impressive successful application of the micropipelined design
style is the asynchronous version of the ARM microprocessor developed by Steve
Furber’s group at Manchester University called AMULET [FDG+93, Pav94]. The
synchronous ARM was the most widely produced RISC processor in the world in
the 1980’s.
1.2.3 Macro Module Based Design
Programming language methods are not targeted for circuit synthesis on the gate and
transistor level. Rather, as in programming language compilers, the program
instructions are compiled into a set of predefined primitive operations [BS89, vBBK+94,
Ebe88, Mar91]. These primitives are a set of asynchronous macro module
components such as C-elements, TOGGLEs, MERGE elements, and so forth, that are
typically associated with the semantics of the language constructs. The physical
design of these macro cells may require an expert asynchronous circuit designer (or
one of the AFSM based tools of Section 1.2.1). The area and efficiency of the
resultant circuits are very dependent on the primitives chosen. Higher level primitives
typically result in larger, slower circuits while lower level primitives normally result
in smaller and faster circuits. A significant advantage of this approach over the other
two is the relative ease of porting the system to other technologies.
1.3 Silicon Compilation
Software engineers have made remarkable asynchronous circuit synthesis tools using
variants of Hoare’s CSP programming language for specifications [AG92, Bru91,
Bru93a, GA93, Mar91, vBKR+91, vB92b]. These techniques compile down to
primitive agents as described in Section 1.2.3, and interesting academic grade
implementations have been built [Bru93b, MBL+89]. Brunvand’s approach is fully automated,
whereas Martin’s approach is a directed synthesis system and requires further
specification as lower level logic termed production rules. The major drawback of these
methods is that the synthesis steps are deemed “correct by construction” so no
formal verification is carried out between synthesized implementations and
specifications. Deadlock and other properties of a faulty specification may be faithfully
implemented, and the source of such errors will be difficult to discover without
verification formalisms.
1.4 Formal Methods
Circuit simulation is exponential in time on the input set and device delay variations. 
Formal proof methods can greatly improve on these results because verification can 
be carried out hierarchically, values can be abstracted into functions, and regular 
designs can utilize inductive techniques. The increased complexity of VLSI circuits 
has produced the demand for logicians to create practical proof systems that can be 
applied to complex systems.
Several logic systems have been used to verify hardware, including the Boyer-Moore
Theorem Prover [Hun86] and higher order logic (HOL) [Sys89, GM93, Gra92,
Mel88, Coh88]. The complex fine-grain logic models have been successful in
accurately verifying data path and leaf cells, but are cumbersome for coarser block-level
verifications. Hardware designers and engineers usually consider such formal tools 
of marginal use or even an impediment to the design process because of the time, 
effort, and theorem proving expertise that is required to utilize such methods.
Success in automating circuit proof systems has been achieved in the asynchronous
circuit domain. Ebergen, Udding, and Josephs successfully use trace theory
for the formal design and verification of a class of asynchronous circuits that use the
delay-insensitive hazard model [Ebe91, Udd84, JU90] (see Section 3.2 for a
description of the various hazard models of asynchronous circuits). Dill uses a variant of
trace theory to verify circuits using the speed-independent hazard model [Dil89]. His
tool was invaluable for the verification of the AFSMs in the Post Office. Process
algebras, such as CCS and Circal, have recently been applied to the verification of
asynchronous circuits [Bai94, Liu92, MM91, Mol91].
While simulation systems such as VHDL and CSP-based programming languages 
have been successfully applied to the synthesis of synchronous and asynchronous 
circuits, automated synthesis has not been achieved with systems capable of formal 
verification.
1.5 Automated Formal Asynchronous Design
Figure 1.1 partitions the asynchronous design problem space into three columns
corresponding to circuit designers, software engineers, and logicians, listing some of
the top achievements for each group.
Figure 1.1: Asynchronous Technology Spectrum
The Post Office and the asynchronous ARM
at Manchester are engineering feats achieved with almost no tool support by superb
circuit designers. On the other end of the scale, mathematical verification has moved 
from the laboratory into practical use as automated proof systems are being used 
by engineers for the verification of small circuits and systems. In between is a set of 
excellent software and systems people who have produced a set of tools capable of 
automating the arduous task of design synthesis.
The goal of this thesis is to merge the best results from circuit designers,
software engineers, and formal mathematicians to work towards a designer’s workbench
capable of synthesis and automatic verification of asynchronous circuits in such a
way that large, complex, parallel ICs can be rapidly prototyped and fabricated.
1.6 The CCS Process Algebra
In the foreword to Milner’s book on CCS, C.A.R. Hoare states:
“Concurrency remains one of the major challenges facing Computer Science,
both in theory and practice. The wide variation in structure and
architecture of concurrent machines is now as great as in the early days
of sequential machines... Such variation gives rise to confusion and fear
of innovation.
Fortunately, progress in theoretical Computer Science brings understanding
in place of confusion, and confidence in place of fear. A good theory
reveals the essential unities in computing practice, and also classifies the
important variations. Such a theory was propounded by Robin Milner ten
years ago in his Calculus of Communicating Systems.”
Hoare’s communicating sequential processes (CSP) and Milner’s calculus of
communicating systems (CCS) are process algebras, or mathematical systems, that can
model and analyze concurrency. This work has applied CCS to the highly concurrent
testbed of VLSI circuits, resulting in some practical refinements. CCS is a
theoretically satisfactory as well as a practical foundation for the work in this thesis.
CCS relies on the notion of persistent parts, or agents, that act independently of
each other yet also synchronize. The independence of the actions of agents allows
them to proceed concurrently, and the synchronization of agents occurs with
communication. The atomic actions of a system can be represented by a set of symbols
called labels. These actions can be partitioned into two sets with a “complementation”
operation represented by an overbar, extended such that for action $a$, $\bar{\bar{a}} = a$.
Assume that $P, Q, \ldots$ represent processes while $a, b, \ldots$ (and $\alpha, \beta, \ldots$) represent the
actions of a system. The occurrence of an action is represented as

$P \xrightarrow{a} P'$   (1.1)

meaning that as process $P$ performs the action $a$ it simultaneously evolves into the
process $P'$. These actions are represented as transition relations over the processes,
and if they are all known the behavior of the system of processes is defined.
Communication is defined as a primitive, atomic interaction between processes.
The interaction occurs between a label and its complement. This interaction is
further defined as handshake communication, which removes the notion of active
(performers or producers) and passive (media or consumers) pairs. If both the label
and its complement are offered, the communication can occur; otherwise one of
the processes may have to wait. Figure 1.2 shows how processes $P$ and $Q$ can
communicate using labels $b$ and $c$. When a handshake occurs, both $P$ and $Q$ evolve
together through an atomic event $\tau$ into $P'$ and $Q'$.
Figure 1.2: CCS Communication Interaction
The transitional semantics of such a language is termed a labeled transition
system. Since processes are sequential, concurrency arises when independent
processes are composed in parallel. When modeling asynchronous systems each
component, be it a state machine, register, RAM cell, ALU, or wire, can be modeled
as a sequential process that may communicate with other processes. However, most 
processes can also be decomposed into a smaller set of communicating sequential 
processes. For example, a certain ALU process could equally be modeled as a par­
allel set of adder processes. The level of detail of interest will dictate the detail and 
hierarchy of the description.
1.6.1 Syntax and Semantics of CCS
CCS is a very simple language in both syntax and semantics. The syntax of a CCS
agent expression $E$ is given by the following grammar, where $a$ ranges over actions,
$L$ over sets of labels, $f$ over relabeling functions, and $A$ over agent constants (the
constructs are those named by the transition rules of Figure 1.3):

    E ::= Nil
        | a.E                          prefixing
        | P_1 + P_2 + ... + P_n        summation
        | P_1 | P_2 | ... | P_n        composition
        | E \ L                        restriction
        | E[f]                         relabeling
        | A                            constant
The set of actions that an agent can perform is called its sort. The special agent
Nil can perform no actions, therefore it is the deadlocked or stopped process and its
sort is the empty set of actions. CCS is given semantics by induction over the above
structure for agent expressions. The semantics are in terms of the labeled transition
system, defined as

$(S, T, \{ \xrightarrow{\alpha} : \alpha \in T \})$   (1.2)

where $S$ is a set of states (or processes), $T$ is a set of transition labels, and the
transition relation $\xrightarrow{\alpha} \subseteq S \times S$ for each $\alpha \in T$. The transitional semantics are
defined by inference from the transition rules of Figure 1.3, where each rule has
zero or more hypotheses and a conclusion.
Act:  $\dfrac{}{a.E \xrightarrow{a} E}$

Con:  $\dfrac{P \xrightarrow{a} P'}{A \xrightarrow{a} P'}$  ($A \stackrel{def}{=} P$)

Sum1: $\dfrac{E \xrightarrow{a} E'}{E + F \xrightarrow{a} E'}$   Sum2: $\dfrac{F \xrightarrow{a} F'}{E + F \xrightarrow{a} F'}$

Com1: $\dfrac{E \xrightarrow{a} E'}{E \mid F \xrightarrow{a} E' \mid F}$   Com2: $\dfrac{F \xrightarrow{a} F'}{E \mid F \xrightarrow{a} E \mid F'}$

Com3: $\dfrac{E \xrightarrow{l} E' \quad F \xrightarrow{\bar{l}} F'}{E \mid F \xrightarrow{\tau} E' \mid F'}$

Res:  $\dfrac{E \xrightarrow{a} E'}{E \backslash L \xrightarrow{a} E' \backslash L}$  ($a, \bar{a} \notin L$)

Rel:  $\dfrac{E \xrightarrow{a} E'}{E[f] \xrightarrow{f(a)} E'[f]}$

Figure 1.3: CCS Transition Rules
The Act rule, syntactically using the operator called prefixing, is the building
block for sequential operations. For example, the agent req.ack.Nil can do a req
action, followed by an ack action, and nothing more. The constant rule Con defines
references to processes, so we can now create recursive, nonterminating agents. For
example, a TOGGLE can now be defined as:

$\mathrm{TOGGLE} \stackrel{def}{=} a.\bar{b}.a.\bar{c}.\mathrm{TOGGLE}$   (1.3)

This definition says that after the first $a$ input the TOGGLE will produce a $\bar{b}$ output.
After the second $a$ transition a $\bar{c}$ transition is produced. The behavior then repeats.
Nondeterministic choice is modeled by the summation operator ‘+’ using
transitional rules Sum1 and Sum2. A process with summation can behave
nondeterministically like any of the summands. The C-element can now be defined by:

$\text{C-element} \stackrel{def}{=} a.b.\bar{c}.\text{C-element} + b.a.\bar{c}.\text{C-element}$   (1.4)

The C-element can behave like either of the two parts; if the $a$ action is taken first,
then it evolves into the agent $b.\bar{c}.\text{C-element}$.
Applying the relabeling function $f$ to agent $E$ results in an agent that behaves
like $E$ where the labels have been changed according to the function $f$ as expressed
by rule Rel. The relabeling function is syntactically expressed as $[new/old]$ where
all occurrences of the label $old$ have been replaced by the label $new$. Relabeling is
typically applied to library templates (such as AND gates) where the default labels
must be instantiated to the names being used for the specific circuit interconnections.
Concurrent operation is modeled with the composition operator ‘|’ using the
Com transition rules. Signals can transition independently, expressed by rules Com1
and Com2, and a signal and its complement can synchronize in an atomic
communication (rule Com3). Restriction, syntactically represented as a set $L$, is used
to prevent the restricted agent from performing actions in the set $L$, as defined by the side
condition to rule Res. This internalizes labels that can communicate in a parallel
composition by allowing the internal synchronized action $\tau$ to proceed uninhibited,
and prohibiting the independent actions of the labels from rules Com1 and Com2. All
communication actions should be restricted in hardware descriptions using CCS.
1.7 Thesis Structure
Chapter 2 uses the fully asynchronous Post Office chip as motivation for higher levels
of abstraction and tools supporting asynchronous design and synthesis. The Mayfly
distributed memory multiprocessor developed at HP is briefly introduced, along with 
the role of the Post Office in that system. Some advantages and disadvantages of 
the asynchronous implementation of the Post Office are discussed. Some of the 
contributions that grew out of this experience of designing an industrial asynchronous 
chip are included.
Chapter 3 introduces hazards and how they impact asynchronous designs. Asyn­
chronous delay and hazard models are described. The most common combinational 
and sequential hazards are described with examples, including problems with certain 
common circuit constructs. Since no synthesis system can be hazard free, techniques 
for hazard removal and controlling unremoved hazards are discussed.
Chapter 4 formalizes burst mode, which I developed in the early stages of the Post 
Office implementation, in terms of specification and implementation requirements. 
This permits the automatic verification of terminal burst-mode specifications for the 
synthesis system presented later in this thesis.
Chapter 5 formalizes the CCS labeled transition system and defines several useful
properties including trace equivalence, bisimulation, determinacy, and confluence.
The weaknesses in trace semantics are pointed out, motivating the need for stronger
bisimulation semantics. A new partial order called conformance is introduced.
Conformance is aimed at hardware verification, is formally applied to trace and
bisimulation semantics, and is illustrated with several examples.
Chapter 6 introduces Hennessy-Milner process logic and the modal $\mu$-calculus.
Temporal logics are applied to property testing of asynchronous systems, including 
a new definition for liveness and deadlock. Other invariant properties that are nec­
essary for complete verification are formalized. A comparison between using process 
logics and conformance is made for circuit verifications.
Chapter 7 unifies this work in terms of a prototype software tool capable of
automatic verification and directed synthesis called Analyze. The problems in the CCS
notation that prevent CCS from modeling hardware are discussed, including solutions
that extend CCS in such a way that retains its advantages of specification clarity.
New transitional semantics are presented for these changes. The automated functions
of Analyze are discussed. Minimization is an important step of efficient verification,
and a new minimization algorithm is presented for branching time bisimulations.
Computation interference is then formalized. The steps necessary to formally
verify a valid burst-mode specification are shown. The high level top-down synthesis
process is then described, including the support supplied by Analyze.
Chapter 8 contains hindsights gained from the development and limited
application of the Analyze tool, and areas of further research are discussed.
1.8 Contributions
The major contributions of this dissertation include the following:
1. A software prototype CAD tool called Analyze was developed and described
in this dissertation. It is the first tool to utilize multiple equivalences
appropriate for hardware. It also includes all of the common hazard models of
asynchronous circuit analysis and verification. The tool is designed using com­
positional methods and is one or more orders of magnitude faster than the 
Concurrency Workbench for comparable problems.
2. A new theory for loose specifications based on partial orders is developed. Par­
tial orders sufficient for verification of asynchronous hardware systems are for­
malized using both trace and bisimulation semantics. Formal verification uses 
these partial orders as the foundation of conformance between a specification 
and its refinement (possibly as an implementation).
3. Weaknesses in the CCS labeled transition system have been formally fixed with
new transition rules and a meta evaluation rule based on computation
interference principles which allows direct representation and analysis of asynchronous
hardware modules as CCS processes. Analyze implements these changes in a 
mixed-mode fashion, allowing standard CCS transition rules as well as the new 
conjunctive parallel composition operator.
4. The burst-mode model remains an important foundation of this work even 
though its invention preceded the work in this thesis. The specification and
implementation requirements are formalized and the requirements for the
verification of terminal specifications are laid out. Completely automating the val­
idation of a burst-mode specification is not always possible because of the 
constraints on the environment.
5. A high level synthesis procedure, supported by the Analyze tool, is developed. 
These steps can be used to test different approaches and can, with supporting 
module layout and place and route software, rapidly produce verified industrial 
strength low latency asynchronous systems.
6. New definitions for liveness and deadlock for parallel processes are formalized.
Other logic macros are defined that simplify the process of total verification. 
These logics can be applied to a previously available tool called the Concurrency 
Workbench.
Chapter 2
Motivation for Analyze
In the late 1970s and early 1980s asynchronous circuits and systems, such as the DDM
machines [Dav77], were built out of small scale integrated components on wire wrap
boards. State machines were built using gates, EPROMs, muxes, and other devices
where the handshake signals were all accessible. Switch and light panels that could
intercept handshake signals and logic probes usually sufficed as test jigs. The added
complexity and inaccessibility of signals in integrated LSI circuits [Ste84, Hay83]
increased the difficulty of testing and designing asynchronous systems, but their low
level of integration coupled with the modularity of asynchronous protocols made
implementations feasible. Even so, the primary goal of all these circuits was to
demonstrate operational feasibility and supply academic proofs of concept; circuit
performance was not an issue.
However, performance was critical to the success of the full-custom CMOS VLSI
Post Office chip begun in 1987 [SRD86, CDS93b]. The complete chip is the largest
and most complex fully asynchronous integrated circuit in published work. It consists
of approximately 300,000 transistors and over 95 different finite state machine
controllers with an external bandwidth of 300 megabytes per second.
I was responsible for the architectural design and implementation of this chip.
The sheer level of integration available coupled with performance requirements
created problems which could not be hidden by the modularity of asynchronous
interfaces. Many lessons were learned as design techniques were rationalized, mechanized,
and formalized. Hindsight proved to be a valuable tutor in many areas, leading to
the more advanced and integrated tool Analyze developed herein.
This chapter uses experiences from the design of the Post Office, including small 
design vignettes, to demonstrate the need for the improved methodologies and tools 
presented in this thesis.
2.1 Overview of Mayfly and the Post Office
The Mayfly architecture is a general purpose parallel processor, often called a
distributed ensemble architecture [DCH+89, Dav92]. Multiple processing elements (or
PEs) cooperate to solve single complex problems which have been broken into smaller
parallel computations. There is no globally shared memory. Task spawning and com­
munication between processes on different PEs are carried out via message passing. 
The Post Office chip is the communication coprocessor which supports this internode 
message passing.
  Al Davis          General architecture, processor board, & context cache
  Bill Coates       I-Cache, Post Office interface board, & PO RAM cells
  Robin Hodgson     Runtime software & debugging
  Richard Schediwy  Data cache
  Ken Stevens       Post Office design & implementation

Table 2.1: Mayfly Design Responsibilities
The Mayfly team consisted of five people with responsibilities as shown in Ta­
ble 2.1. The top level architecture and programming principles were developed by Al 
Davis at Fairchild/Schlumberger and Hewlett-Packard in the mid to late 1980s. The
programming language and compiler is a parallel variant of Scheme (a Lisp dialect)
developed at the University of Utah under the direction of Bob Kessler. The Mayfly
hardware was built at Hewlett-Packard. Figure 2.1 shows the major components of
a single Mayfly PE. A Mayfly PE consists of two Hewlett-Packard Precision
Architecture (or HP-PA) RISC processors. One processor is responsible for executing user
code (the EP or evaluation processor), while the other processor is responsible for
all system overhead (the MP or maintenance processor). MP tasks include setting
up the run list and packetizing messages for delivery. These two processors execute 
in parallel.
Figure 2.1: Mayfly Processing Element Block Diagram.
The circuits used in the Mayfly design consisted of custom HP-PA processor 
chips, programmable logic devices, glue logic, memory components, and the full 
custom Post Office chip. Al Davis designed and built the processor motherboard 
and novel context cache. Parallel data structure access is facilitated by a 4-page 
dual ported data cache, built by Richard Schediwy. Bill Coates designed and built 
the instruction cache and Post Office interface board.
The Post Office architecture and communication topology were designed by
myself [Ste86]. The design was taken from concept to a complete VLSI implementation
between 1985 and 1991. The Post Office handles all physical communication aspects 
of message passing in the Mayfly processor. It includes subsystems for handling 
adaptive routing, buffering, transmissions and retransmission, congestion and dead­
lock avoidance. First silicon was complete in February 1991. The final version was 
completed at the University of Calgary and fabricated in November 1992.
The topology (shown in Figure 2.2) and architectural design were created during 
1985 and 1986. Helios [Kra85], a distributed simulation tool which ran on networked 
Symbolics Lisp machines, was used for register transfer level simulations. The Post 
Office was implemented as a single VLSI integrated circuit, and was laid out entirely 
by hand using the Electric system [Rub87]. I designed and implemented the entire 
chip, including the pads, with the exception of the RAM cells and driver circuitry 
which were laid out by Bill Coates. Simulations of the layout used COSMOS [Car], 
a switch-level simulator. I tested all the fabricated chip fragments on an IMS tester. 
The complete chip was tested in a single Mayfly node. Robin Hodgson wrote device 
drivers and runtime system software. He tested the Mayfly and first and final silicon 
of the Post Office extensively, although I did much of the initial testing of the first 
silicon.
The Mayfly interconnection network is a hexagonal mesh wrapped as a twisted 
torus resulting in the provably minimal diameter [Ste86]. This creates what is known 
as a processing surface. Surfaces have hexagonal boundaries themselves and can be 
interconnected by abutment in a hexagonal mesh to form a two-level “recursive” 
topology. The Post Office is therefore a seven ported device. It physically connects to 
six other adjacent processing nodes in the surface via six 8-bit bidirectional external 
ports. There is also an internal 32-bit word-wide PE port through which the Post
Office can access the processor cache and local memories for message retrieval and 
delivery. The Post Office design permits simultaneous transmission on all seven 
ports. Measured performance in a seven node Mayfly prototype indicates that all 
six external ports can sustain transfers at an average rate of 50 megahertz, for an 
aggregate network delivery bandwidth of 300 megabytes per second.
Performance is critical to the Post Office since communication latency is key to 
the distributed memory Mayfly system. Bandwidth utilization of the links between 
the Post Office chips must be optimized to achieve a performance that scales with 
the architecture. Hence a packet switched system was chosen. Virtual cut-through 
[KK79] was employed because it allows packets to be forwarded to the next destina­
tion as soon as the header is received, resulting in a “pipelined” delivery across many 
chips. Packets which cannot be forwarded immediately are buffered centrally in the
Post Office chip in order to free the external link for other packet traffic. When the 
destination ports are free, the packet will be forwarded through one of those links. 
Cut-through is not used in the source and destination Post Office chips; the packets 
are placed directly into the buffer pool. Although this increases message latency, it 
insulates packets from any delays that may be encountered in the software protocols 
that load and unload packets from the Post Office and the Mayfly PE. This results 
in better utilization on the communication links, and permits the implementation of 
the external ports to use the smaller dynamic logic (as opposed to the static logic 
required for the PE interface and the central buffer pool and logic).
The Post Office effort was challenging for several reasons:
1. It was a pioneering coprocessor for distributed ensemble routing architectures. 
Its design preceded CalTech’s wormhole routing [DS87] and multi-queue
architectures [TF92].
2. The design is massively parallel, with a complex control structure.
3. The Post Office is an asynchronous chip placed into a synchronous environment.
4. It is the most complex fully asynchronous single integrated circuit in published 
work.
5. It was built in a commercial environment where performance was an important 
aspect.
2.2 Asynchrony in Mayfly
2.2.1 Features
The Post Office is an island of asynchrony in an otherwise fully synchronous ar­
chitecture. The processors in the Mayfly are synchronous HP-PA machines using 
synchronous bus protocols. The decision to design the Post Office as a fully asyn­
chronous part was based on a number of factors, including the robustness of asyn­
chronous interfaces, scalability, and the desire to build a practical, complex device 
which is superior to synchronous techniques. The scalability of the Mayfly architec­
ture is probably the single most important argument in favor of an asynchronous 
Post Office design. The physical extent of the Mayfly architecture is formally un­
bounded, and the size of an implementation is only limited by the size of the address 
word. The current Post Office chip supports instantiations of up to 519,841 PEs. 
The ability to arbitrarily scale the architecture poses serious technical problems if a 
global clock is necessary to synchronize operations. Clock skew can be a problem in 
itself for synchronous design as technology progresses [Bak90]. For extensible sys­
tems such as the Mayfly where the PE count is unbounded, synchronizing all of the 
nodes with a single clock becomes intractable.
The robustness of functional, asynchronous interfaces removes the problems of 
clock skew and simplifies link arbitration and transfer synchronization. Mayfly pro­
cessors are composed by simply plugging the Post Office links together (subject to 
topological constraints). Each PE in the multiprocessor contains a local crystal and 
a clock generator that runs at its own clock speed. Processor speeds for communi­
cation between PEs are irrelevant due to the asynchronous interface. One PE in the
HP prototype running at an internal clock speed of 16 MHz communicates perfectly 
well with another running at 64 MHz via the Post Office chips.
Additionally, the arrival times of packets from the external ports and the PE can 
be completely random. In a synchronous system, these arrivals would have to be 
normalized to the system clock, resulting in slower delivery. Receptive asynchronous 
systems begin processing packets as soon as data arrives [NDDH93]. This robustness 
of interfaces is also being investigated for commercial applications in noisy
environments [MGS94].
The low power nature of asynchronous architectures was one further advantage 
demonstrated in the Post Office. Asynchronous circuits contain fine grain, dynamic 
power management due to the handshake protocols. Each idle Mayfly PE requires 
30 amperes of current at 5 volts. By way of contrast, the Post Office, which is the 
only asynchronous part in the system, uses only 2 milliamps when idle.
2.2.2 Problems
In a clocked system, care must be taken to assure that the clock signal has a short rise 
and fall time, that noise is minimized (ringing, overshoot and undershoot, etc.), and 
that the clock is driven to the power and ground rails. The same restrictions exist 
on the handshake signals in asynchronous systems. Although there are many more 
handshake signals than clocks, handshakes are generally localized between pairs of 
controllers, on the same integrated circuit, with low capacitive loading. For example, 
the clock and drivers inside the synchronous Alpha chip are global and highly loaded, 
taking up 30% of the chip area and nearly 60% of the power, resulting in considerable 
technical problems [Com92]. When asynchronous handshake signals are not local,
such as between processing elements in the Mayfly, care must be taken to assure that 
failures do not occur due to violations of the assumption that signals are “digital”.
In the Mayfly prototype, each processor had a separate clock generator and power 
supply. Mayfly PEs are easily composable through the Post Office because the func­
tional interface scales well and is not subject to failures due to synchronization, 
arbitration, or device speed or clock speed variations. However, communication was 
susceptible to failures (i) when voltages varied significantly between nodes, (ii) when 
crosstalk was a significant problem, (iii) when the impedance of the drivers and 
receivers was not matched, so that ringing occurred, and (iv) when current
variations caused power supply noise. These faults are all due to physical properties 
that violate the digital assumption, and they can be cumulative. As an example, the 
request handshake signal, driven from the power supply of one Post Office PE, may 
be received by another Post Office chip with a different power supply. If there is a 
significant difference in voltages, switching thresholds may not be reached, and very 
small amounts of noise on the line could cause the receiver to perceive unintended 
changes in the binary value on the line.
Noise perceived as a switch in logic levels on handshake signals in asynchronous 
systems and in clocked systems can both result in failures, but they may be more 
severe in asynchronous machines. Illegal voltage changes to a state machine can 
result in the circuit deadlocking or switching to an improper state. This generally 
will result in illegal outputs, and the failure can ripple outward if those outputs are also control 
lines. Noise can result in similar effects in the controllers of a synchronous system.
The final version of the Mayfly prototype solved noise and voltage problems 
between different processing elements. The most significant design concept was to use
devices with a high noise margin [WE85], such as Schmitt triggers, on all handshake 
lines between ICs (or anywhere noise or slow rise time might cause problems). This 
technique increases the immunity of the chips to noise and voltage variations at the 
cost of a minor degradation in performance. Other techniques that reduced voltage 
variations and noise included wiring a common ground to all the processors, using 
impedance matched shielded cable for intra-PE communications, assuring that the 
power supplies drive a similar voltage, and lowering the resistance on the power and 
ground supply lines.
Asynchronous systems can easily control synchronous systems, and locally clocked 
subsystems are common to asynchronous designs [ND91b]. However, due to the
unyielding global time domain, many difficulties can arise when the synchronous system 
is the master of an asynchronous subsystem.
The HP-PA processors in the Mayfly node use a synchronous bus protocol. This 
presented a major challenge because the Post Office design had to ensure that the 
interface to the local CPU would not cause any synchronization failures. Two major 
failure scenarios exist; one of processing interrupts and one of mapping variations in 
processing speeds of the asynchronous part to the global clock. There is no guarantee 
that interrupts or status communication between the Post Office and MP processor 
will be safely aligned with the clock. Spice simulation and performance analysis of 
the silicon shows that the worst-case delays of the asynchronous Post Office protocols 
are significantly less than the synchronous transfer requirements for both reads and 
writes to the PE registers. In practice, none of the communication faults that have 
arisen in the Mayfly prototype have been attributed to synchronization failure even 
though the potential exists.
2.3 Post Office Implementation
2.3.1 Datapath Components
The Post Office contains two major logic classes: datapath logic and controllers. 
The datapath logic includes the ALUs for routing calculations, counters, adders, 
registers, RAM, and so forth. The controllers are all burst mode AFSMs. These 
controllers communicate with each other and cooperate to control the datapath logic 
using request/acknowledge handshake signals. The AFSMs typically have all haz­
ards removed under the burst-mode hazard model using unbounded delays, and are 
described further in Chapter 4.
The primary responsibility of the Post Office is to transport data from one loca­
tion to another. Data paths vary in width from five to 128 bits. The performance 
oriented design style uses the bundled data protocol to reduce the area and control 
circuitry and achieve greater performance. The bundled protocol assumes that all 
the data and associated handshake signals are in an equipotential region where sig­
nal propagation delay is similar for all lines [MC80]. Standard request/acknowledge 
handshaking is used with the bundled data protocols. The data signals must be valid 
before the request is driven.
Most Post Office datapath logic senses the completion of an operation and then 
asserts the acknowledge line, signaling completion to the requester. For example, the 
RAM blocks are the size of a packet (1152 bits) organized in 128 × 9 arrays. Write 
completion is easily detected by sensing when the word line has been driven. The 
acknowledge indicating data validity and precharge status for reading a RAM block 
is accomplished by sensing the voltages on a single bit line pair.
Some datapath circuits and communication lines are also controlled in a clocked 
manner with stoppable clocks. The clocks are generated by a burst mode AFSM con­
currently with asynchronous handshake signals with sufficient delay for the clocked 
datapath circuitry to complete its operations. The minimum delay of these hand­
shake signals is greater than the maximum delay required by the clocked logic.
The external port interfaces contain two “clocked” counters that track the num­
ber of transfers. A state machine is signaled when the correct number of transfers 
has completed to load or unload the RAM and register blocks. The counters are 
implemented with eight-transistor two-phase dynamic shift register stages. They are 
clocked at the RAM ’s access speed (using the bit line or word line completion signals 
as the clock). The ports also contain routing ALUs and latches. The control
circuitry “clocks” this ALU circuitry at the same speed as the external asynchronous 
handshake transfers across the port.
2.3.2 Arbitration
All control circuitry in the Post Office is implemented with custom AFSMs with the 
exception of the arbitration logic which requires analog mutually exclusive behavior 
not easily built into state machines using current technology. Arbitration logic must 
be used whenever concurrent access to a shared resource is possible.
Standard arbitration serializes access in a nondeterministic fashion. The winner 
of the arbitration utilizes the resource while the loser waits until the resource is freed. 
An example of this type of arbitration is the serialized assignment of bus mastership. 
A second type of arbitration was required in the Post Office, whereby if the resource 
is allocated to another user, the loser will proceed with other tasks rather than wait
for the busy resource to be freed. Nacking or nonblocking arbitration is required 
in the Post Office when multiple packets want to utilize the same external port for 
packet delivery. When the port is busy, the packet should not wait for it to become 
idle; it should be forwarded out a different port or placed in the central buffer pool.
The Post Office contains 13 nacking arbiters. I found this to be an intriguing 
circuit with no previous published reference, and posted it as a design and imple­
mentation exercise to our peers who are designing asynchronous circuits and tools 
[ND89, JU90]. The circuit in the Post Office consists of a SEQUENCER (built out 
of mutual exclusion elements and a few NANDs) and a small state machine.
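The two arbitration disciplines described above, as an added behavioural model written for this edition; it is not the Post Office circuit, nor code from the thesis. `BlockingArbiter` and `NackingArbiter` each guard one output port, and `route_round` applies the port-selection rule given above: ask for the preferred port, move on to an alternative when nacked, and park the packet in the central buffer pool when every acceptable port is busy. Port names, packet names and the seeded random ordering of simultaneous requesters are illustrative assumptions; the real SEQUENCER built from mutual exclusion elements and NANDs is not modelled.

```python
import random

GRANT, NACK, WAIT = "grant", "nack", "wait"


class BlockingArbiter:
    """Standard arbiter for one shared resource (here: one output port).
    Concurrent requests are serialised in an order the requesters cannot
    predict (modelled with a seeded RNG, an assumption of this example);
    the winner holds the resource and every loser waits in a queue until
    the holder releases it."""

    def __init__(self, name, rng):
        self.name, self.rng = name, rng
        self.holder = None
        self.queue = []

    def arbitrate(self, requesters):
        order = list(requesters)
        self.rng.shuffle(order)            # arrival order is not observable
        results = {}
        for r in order:
            if self.holder is None:
                self.holder, results[r] = r, GRANT
            else:
                self.queue.append(r)
                results[r] = WAIT
        return results

    def release(self, requester):
        assert self.holder == requester
        self.holder = self.queue.pop(0) if self.queue else None
        return self.holder                 # next waiter, now the new holder


class NackingArbiter(BlockingArbiter):
    """Nonblocking (nacking) arbiter: a loser is told 'nack' immediately and
    is expected to do something else rather than wait for the resource."""

    def arbitrate(self, requesters):
        order = list(requesters)
        self.rng.shuffle(order)
        results = {}
        for r in order:
            if self.holder is None:
                self.holder, results[r] = r, GRANT
            else:
                results[r] = NACK
        return results

    def release(self, requester):
        assert self.holder == requester
        self.holder = None
        return None


def make_ports(names, arbiter_cls=NackingArbiter, seed=7):
    """Build one arbiter per external port, all sharing one seeded RNG."""
    rng = random.Random(seed)
    return {n: arbiter_cls(n, rng) for n in names}


def route_round(requests, arbiters, buffer_pool):
    """Port selection for one routing step.  `requests` maps a packet to its
    acceptable output ports, most preferred first.  Each packet asks for its
    best remaining port; a nacked packet drops that port and retries with the
    next alternative, and a packet with no alternatives left is parked in the
    central buffer pool.  Returns packet -> ('port', name), ('buffer', None)
    or, only with blocking arbiters, ('waiting', name)."""
    outcome = {}
    pending = {p: list(ports) for p, ports in requests.items()}
    while pending:
        by_port = {}
        for p, ports in pending.items():
            by_port.setdefault(ports[0], []).append(p)
        for port, pkts in by_port.items():
            for p, res in arbiters[port].arbitrate(pkts).items():
                if res == GRANT:
                    outcome[p] = ("port", port)
                elif res == WAIT:
                    outcome[p] = ("waiting", port)   # blocked: packet and its link stall
                else:
                    pending[p].pop(0)                 # nacked: give up on this port
                    if pending[p]:
                        continue                      # try the next alternative next round
                    buffer_pool.append(p)
                    outcome[p] = ("buffer", None)
                del pending[p]
    return outcome


if __name__ == "__main__":
    ports = make_ports(("E0", "E1", "E2"))
    pool = []
    print(route_round({"p1": ["E0"], "p2": ["E0", "E1"], "p3": ["E0"]}, ports, pool))
    print("buffered:", pool)
    print(route_round({"p4": ["E0", "E2"]}, ports, pool))
```

Running the same `route_round` with `arbiter_cls=BlockingArbiter` reports the losing packet as waiting on the busy port even when an alternative port is idle; that stalled packet also keeps its incoming link occupied, which is exactly what the nacking arbiter lets the Post Office avoid.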
2.3.3 Features
The Post Office corroborates the benefits of the modularity and composability of 
asynchronous circuits, particularly considering that this 300,000 transistor full cus­
tom circuit was designed and implemented by a single individual. The 300 megabytes 
per second transfer rate is comparable with communication networks by today’s in­
dustrial standards. The low standby power of the device is an artifact of the chip’s 
asynchronous design.
The burst-mode constraint and its associated design tool, MEAT, reduced the 
design time of Post Office AFSMs tenfold. When coupled with Dill’s verifier and 
the complex gate generator, most of the implemented AFSMs were hazard free, 
increasing the confidence in the correctness and robustness of the design. COSMOS 
was used to simulate modules as well as the entire chip from pad to pad after I made 
minor modifications that allowed it to accommodate an asynchronous regime.
2.3.4 Difficulties and Design Flaws
The lack of integrated design tools comparable in quality and scope to synchronous 
tools became apparent in the Post Office project, as a majority of the implementation 
effort was spent on tasks that can be automated. Problems with a “synchronous” 
architecture style based on busses also became evident. This section discusses some 
of the lessons that were learned in hindsight after embarking on a large asynchronous 
VLSI implementation project.
Layout. Completion of the Post Office implementation was greatly delayed by 
hand layout. Automated layout of burst-mode state machines is being developed by 
Bill Coates and the Stetson project at Stanford University [MCS94].
Hierarchical verification. I was unable to verify the correct implementation of 
multiple burst-mode state machine modules using Dill’s verifier. This was partially 
due to the lack of tool support for burst-mode and the specification style.
Simulation was the only viable technique to check for correct implementation 
of module interfaces and system behavior. Simulation is too weak a technique for 
asynchronous circuit certification as the results are only as good as the timing model 
and fault coverage of the generated vectors. Pathological failures are difficult if not 
impossible to discover using the unit delay simulation model employed.
Formal verification is an improvement over simulation as it can test for invariant 
properties which must hold for the circuit to function properly. The most important 
invariants are conformance to the specification, safety, deadlock and liveness [Liu92].
Many of these verification tests can be checked automatically and are independent 
of any particular circuit implementation.
Two serious flaws in the Post Office first silicon were missed by COSMOS simu­
lations but would have been detected by the verification tool Analyze. A dynamic 0 
hazard existed on the ack line of the external ports at the end of a packet transfer. 
This was due to a race in the enable and tristate logic to the bidirectional ack con­
trol circuitry. Fortunately the receiving logic was robustly designed so that it was 
not adversely affected by the spurious wobbling of the ack line at the end of the 
cycle. A second problem resulted in part of the chip interfaces becoming deadlocked 
while other parallel interfaces continued to operate uninhibited. This was not ob­
served in the initial simulations, yet occurred regularly in the first silicon. This error 
required an expensive refabrication of the chip because it disabled the chip from 
operating correctly once the deadlock had occurred. The source of the failure was 
extremely difficult to discover using simulation techniques; it was only found after 
several months of work.
Lack o f  to o ls . The lack of design and analysis tools resulted in a bottom-up 
implementation of the Post Office. Although the register transfer level Helios sim­
ulations were top-down, there was no way to annotate the Helios model or use it 
to direct or check the implementation process. The register transfer model did not 
specify all interface signals, and efficient VLSI designs also required some modifica­
tions to the initial design. This resulted in some incompatibilities in the interfaces 
between several modules which added months of work to the design. Due to design 
inertia the incompatibilities were usually “fixed” by adding a “wart” module to the 
design which mapped between the interface differences of the modules because this 
was simpler than going back and entirely redesigning one or more modules. Design 
time, area, and performance suffered from this bottom-up design style. The top down
synthesis driven nature of Analyze can be the foundation for an effective synthesis 
system that documents and verifies changes in a design.
Effect of modifications. Slight modifications to architecture and design choices 
can greatly alter area and performance of a chip. The original Post Office design 
called for packets half the size of the final implementation. The ballooning packet 
size resulted in an incompatible floor plan, and a large, slow spine bus. Fabrication 
requirements forced the larger spine bus to be segmented into three communicating 
busses. Data for the external ports was extracted from the center of the chip rather 
than the edge of the active portion. These flaws added 20-40% overall delay to the 
circuit.
Testability. No builtin self-test or scan path analysis method has been developed 
for burst-mode state machines. The only method of determining internal state of the 
chip under failed conditions was to image voltage changes with a scanning electron 
microscope (or SEM). A consistent failure was easily reproduced in the first silicon 
with a short test vector, but could not be reproduced by the simulator. I was able 
to get an image of wire excitations with a SEM by repeatedly resetting the chip and 
exercising it with the vectors which caused the failure, thus uncovering the fault. 
Two gates in a module were not physically connected in an AFSM even though the 
layout tool claimed otherwise. This problem was fixed in the layout tool, and in the 
circuit by sputter etching a connection to allow further testing of the first silicon.
Although SEM testing can be used in restricted instances, it is not a general test­
ing scheme. For example, the deadlock occurrence was dependent on event timings, 
and was irreproducible under SEM constraints.
Each large module was fabricated and tested as a separate fragment before com­
posing them to form the complete circuit. The external port interfaces, although 
they passed all simulation tests as stand alone devices, did not function properly 
when composed together to form the entire chip. This flaw occurred due to dynamic 
charge storage loss on an internal node. Dynamic logic was used throughout the 
Post Office chip for increased performance and decreased area when static charge 
storage was not necessary. When a device remained idle, it was held in the reset 
state until its operation was again required. The external port controllers contained 
some modulo-n counters which determined when an entire packet had been delivered 
[EP92]. These were designed out of dynamic shift registers where one of the bits
contained a high voltage and the rest a low voltage. The emergence of the high voltage 
from the end of the shift register indicated completion. (The shift registers were 
cascaded to multiply the depth for large counts). The reset port of a counter had 
been mistakenly connected to the global reset rather than the port idle reset signal. 
When the external ports remain idle for large periods of time, the high voltage dis­
sipates. This resulted in the counter never indicating completion. The problem was 
discovered through layout inspection, and repaired in the circuit with micro-surgery 
by cutting the global reset line with a laser and connecting the port idle reset to the 
counter reset with sputter etching.
Unfortunately the application of process logics and formal methods cannot un­
cover dynamic logic flaws. Nor can they be used to weed out circuits with fabrication 
faults, which is a second important application of scan path analysis. Builtin self-test 
of burst-mode asynchronous systems, an important aspect of commercial designs, is 
a topic in need of future research.
2.4 Summary
Some of the environment, architecture, implementation, features, and flaws of the 
Post Office, a 300,000 transistor full-custom chip that serves as a message coprocessor 
for a distributed multiprocessor, have been described. The Post Office was fabricated 
through the MOSIS service on an HP 1.2 micron CMOS process and has an area of
11 × 8.3 mm. The control portion consists of 95 different asynchronous finite state 
machines, most of which operate concurrently and occupy 19% of the chip area. 
Datapath circuitry accounts for 45%, pads cover 11%, wire routing occupies 22% of 
the chip area, and the remaining 3% of the space is unused on the rectangular 84 
pin die.
There are seven complete ALUs for routing calculations. The part scales up to 
a distributed processor containing a maximum of 519,841 PEs (limited by the size 
of the address word). Each chip has a measured throughput of 300 Megabytes per 
second external network bandwidth, plus a local CPU transfer bandwidth of 150 
Megabytes per second. Figure 2.3 is a photo of the final silicon.
Testing of fabricated chip fragments was done entirely by myself. Hodgson did 
most of the testing of the final silicon once it was part of a Mayfly processing element. 
A majority of the tool development (the complex gate tool, MEAT, and COSMOS 
modifications) was done by myself during the project as well.
The design effort of the Post Office influenced fresh work in a number of areas and 
has contributed significantly to researchers in the asynchronous design community. 
Some of these contributions include:
Figure 2.3: Photo Micrograph of the Post Office
1. I developed a new formalism for state machine design and synthesis called 
burst-mode to cope with parallelism and hazard avoidance in Post Office state 
machines. This is a significant contribution as it has become the first formal­
ism widely applied for the synthesis of multiple input and output change state 
machines. Burst-mode also uses a representation that is natural to engineers. 
Because of these advantages, burst-mode specifications and synthesis is gain­
ing widespread popularity in the research and industrial asynchronous design 
communities. See under (4,5) below.
2. The lack of tool support is a major impediment to the acceptance and use of 
an asynchronous design style. Burst-mode synthesis was automated with the 
MEAT CAD tool. I initiated development on the tool and wrote or redesigned 
for efficiency a majority of its code. This tool was one of the pioneering asyn­
chronous synthesis systems.
3. Design vignettes of the Post Office are available to the asynchronous community 
for tool benchmarking and design challenges, including a set of Post Office 
state machine specifications [Chu93, LKSV91, SMD93], novel CMOS device 
implementations, and design problems such as the nonblocking arbiter [JU90].
4. Other design and synthesis projects have been spawned as a direct result of 
the Post Office work. This includes research done at the HP science center at 
Stanford University. Several dissertations emanate from there [ND91b, YD92, 
SMD93].
5. Improved algorithms and methods for hazard-free design have been developed 
as a result of this project [ND92].
During the implementation phases of the Post Office project it became evident
that automated synthesis tools are a necessary and viable alternative to hand layout
for low latency asynchronous circuits. Once completed, MEAT produced circuit
designs comparable in area and performance to the hand designs. Dill's verifier
further aided in the AFSM design as it contributed to the removal of all hazards
under burst-mode in a majority of the leaf cells. The utility of MEAT and the
verifier allowed a larger portion of the effort to be directed toward the layout and
simulation of the chip, two additional areas that can be supported by software tools.
The need for a stronger means of assuring correct system behavior became
apparent after the first silicon was fabricated and the deadlock was discovered.
Simulation techniques proved ineffective and inefficient in discovering the cause of the
deadlock, motivating a stronger formalism for validating system behavior. Although
formal methods cannot detect all the failures (such as the dynamic logic error) in
the Post Office, the need to make stronger assertions about the properties of a large
parallel circuit is a great motivator for the end goal of this thesis: to produce an
asynchronous workbench capable of the practical synthesis and verification of
asynchronous circuits.
Chapter 3
Hazards
“but it has been delayed until I am indifferent and cannot enjoy it”
Life of Johnson, volume 11, page 262 
Boswell 1755
Delays are inherent in signal generation and transmission. A hazard exists in a 
circuit if its output behavior depends on both the internal stray delays of the circuit 
and on its logic components. A hazard occurs when delays in the circuit cause an 
unplanned output transition. When hazards are present in a circuit, the spurious 
signal transitions they engender wreak havoc with the chip control logic (and can 
surface as deadlock). It is thus of paramount importance that asynchronous circuits 
be hazard free. Since every transition in an asynchronous system counts, spurious 
hazards become a failure point. Unfortunately creating circuits that are immune 
to hazards is one of the most difficult and misunderstood aspects of asynchronous 
design.
Hazards fall into two categories: those that can be removed pre-layout by modifying
the logic, and those that can only be controlled post-layout by examining and
engineering delays in the physical layout to ensure that the hazard will not occur.
No synthesis methodology can create hazard free systems completely independently of
the physical implementation parameters.
The analysis of the source of hazards and methods of hazard removal is complex 
and not well understood by the design community as a whole. This chapter discusses 
the various delay and hazard models that are in standard use, categorizes the various 
types of hazard that can arise in asynchronous circuits, and where possible, shows 
how to circumvent them. Analyze points out hazards to the designer for removal 
or control (see Chapter 7). The inability to use syntactic constraints or synthesis 
techniques to produce circuits free of all hazards necessitates tools for identifying 
hazards that must be controlled during the layout phase. Analyze is the first tool 
that can apply multiple hazard models, uses the best methods for spotting them  
with multiple equivalences, points out more hazard types than other verifiers, and 
supports hierarchical application so that hazard removal can be deferred to a different 
environment.
3.1 Delay Models
All logic devices and interconnections introduce stray delays of some magnitude. 
The magnitude of the delay can be modeled as taking on any value ranging from 
zero to some upper bound. The unbounded delay model assigns an arbitrarily 
large value for the upper bound. Any canonical circuit description that is hazard 
free using the unbounded delay model can be implemented hazard free in other 
technologies, because physical circuits do not exhibit unbounded delays. Engineering 
delay models, called bounded delay models, assign discrete upper bounds on delays. 
The magnitudes of the delays are based on an engineering analysis of the parameters
of a target technology and its variations.
Well placed realistic delay assumptions can result in much smaller, simpler, and
faster circuits. However, there is a danger that hazard analysis using bounded
models can overlook some hazards because of variations in device performance, circuit
placement and stray delays, and the ambience. This occurs when deviations in the
physical implementation stray outside the parameters of the analysis. Bounded delay
systems must be coupled with the physical technology mapping and device layout
process to ensure their constraints are upheld. This can pose significant difficulty,
particularly when detailed layout and delay information is unavailable. Overstating
the delay assumptions can result in larger, slower circuits, which is also a danger of
the unbounded delay model.
Circuits designed using the bounded delay model may be less robust than those 
where all of the hazards have been removed in the pre-layout steps and can only be 
completely validated after the circuit has been implemented and shown to adhere to 
the delay assumptions. Unbounded delay hazard analysis creates circuits that are 
more robust. However, it may not be possible to synthesize the desired functions 
free of all hazards in the unbounded model.
A reasonable approach is to make asynchronous circuits as robust as possible 
by removing as many hazards in an implementation independent fashion before 
the layout steps. Once all hazards have been removed, the implementation stage 
must control the hazards by using a bounded delay assumption. This model is used 
throughout the thesis, and unless noted all hazard analysis assumes the technology 
independent unbounded delay model.
3.2 Hazard Models
A number of hazard models have been designed to meet varying needs, ranging
from elegant mathematical models to those that are designed for implementation
simplicity. Since the goal of hazard analysis is to create working circuits, one must
be consistent and careful in the use of hazard models and in judging their effect on
the final implementation.
Each hazard model can be used with the unbounded or bounded delay model.
These models assign delay values to devices and interconnections. The
interconnections are typically aluminum, polysilicon, or diffusion wires, but may be optical,
infrared, or other communication channels. Accurate hazard modeling requires that
the devices be the smallest canonical function units in the technology, such as
transistors, AND and OR gates. Grouping smaller components together as macro devices
can hide hazards internal to the devices, creating inconsistencies between the
physical circuit and the analysis model.
The delay-insensitive  (or DI) model considers delays on the devices as well 
as the interconnections. Multiple paths in the interconnection are considered to be 
independent.
The isochronous fork assumption [1] states that the difference in stray delays on
a given set of electrically connected wires is insignificant. Hence a signal driven on
an isochronous wire set propagates across the interconnection in such a way that it
reaches its destination devices “simultaneously” [2].
[1] Isochronous means “uniform in time”, or “having equal duration”.
[2] The probability of two independent events occurring simultaneously is negligible. Their
temporal separation could always be measured by a finer instrument. However, for this discussion, two
events are considered simultaneous if their order cannot be distinguished by the logic devices.
The equipotential region assumption requires that a set of independent wires
has indistinguishable stray delays. This model is similar to the isochronous fork
assumption. If the stray delays and drivers of the independent wires are approximately
equal, and they are driven at the same time, then the receivers will not be able
to distinguish a difference in the arrival times of the signals.
The Quasi delay-insensitive  (or QDI) model is a DI model where some of 
the forked interconnections must be isochronous for the circuit to be hazard free. 
Even when the unbounded delay model is used, these circuits are implementation 
dependent because a forked signal from a fixed circuit structure in one environment 
may be DI whereas it can require the isochronous assumption forcing QDI modeling 
in another environment.
The speed-independent (or SI) model assigns all stray delays to the devices,
assuming that interconnections have negligible delays.
The burst-mode model assigns all stray delay to the devices (like the SI model)
and additionally requires each module to be stable after each output burst and before
the subsequent inputs arrive. A module is stable if no outputs or internal signals are
able to make a transition.
The isochronous fork assumption can remove from consideration hazards associated
with stray delay in the interconnections. The speed independent model is similar
to the delay-insensitive model where all interconnections are modeled as isochronous
forks. The equipotential region assumption is typically used to remove from
consideration hazards that would otherwise be present in the bundled data protocol. The
burst-mode model allows multiple output change modules to be verified.
The delay-insensitive model is the most robust and mathematically elegant model 
for asynchronous design, but is a mathematical dream as truly DI implementations 
are typically unrealizable [BE92]. However, when delay assumptions can be localized 
and contained internal to modules whose layout is controlled, building blocks that are 
burst-mode, SI, or asynchronous can be supplied which can be assembled according 
to DI constraints.
Utilizing a speed-independent or burst-mode model throughout the system results
in better circuit density and performance as is shown through a typical Post Office
circuit in [CDS93b]. There a tenfold reduction in area and twofold reduction in
propagation delay in the example was achieved by convolving a group of macro
module components into a single burst-mode circuit. For area and performance
reasons burst-mode implementations are used throughout this thesis.
3.3 Circuit Hazards
Hazards occur as an interaction between a circuit and its environment. Although
hazards are created by devices and delays internal to a circuit, the way the
environment interacts with a module can play a major role in the ability to design well
behaved circuits. The interaction of the environment and a circuit is so basic that
all but one class of hazards is defined using environmental constraints.
Circuits that operate in fundamental mode constrain the environment so that
it must hold the inputs into a circuit stable sufficiently long to allow the changes
to propagate through the logic, produce the desired outputs, and stabilize internally
before a new input set is applied. Asynchronous methods utilize handshake protocols
to indicate to the environment when the circuits are in a receptive state and new
inputs can be supplied. Detecting receptiveness is straightforward using single input
change (SIC) and single output change (SOC) handshaking. Multiple input change
(MIC) and multiple output change (MOC) handshaking cannot as readily detect
when the input or output change has completed, or allow the environment to restrain
its response until the circuit is receptive. For example, an early response to a partially
complete multiple output change will violate the fundamental mode assumption if
new input signals are presented to the circuit before it has completed the output
change and stabilized.
Hazards can result and operation is ambiguous when inputs are supplied to a 
circuit when it is in an unreceptive state. For this reason all but one of the hazards 
are defined under fundamental mode constraint. When handshaking protocols are 
insufficient to assure receptiveness and circuit stability and this results in hazards, 
the layout must be examined to verify that the physical devices have sufficient time 
to stabilize before new inputs arrive.
There are two broad classes of circuits which may be designed - combinational
and sequential. A logic function is combinational if its outputs can be determined
solely from the input values supplied. Outputs from sequential logic are a function of
the current inputs as well as the history of previously applied input signals.
Sequential logic requires memory to record the input history because the outputs cannot
be calculated from the inputs alone. The following section defines the occurrence of
a hazard in a circuit. Section 3.3.2 deals with hazards in combinational logic, and
Section 3.3.3 discusses hazards in sequential logic.
3.3.1 Hazard Occurrences
The occurrence of a hazard can be measured at the output of a logic device.
Figure 3.1 shows the output waveforms of the two classes of hazards, which are classified
solely by the effect of the hazard, not by its cause.
A static  hazard occurs when the steady-state output function remains the same 
when a new set of inputs is received, but a momentary change occurs in the circuit 
output due to internal delays. Static hazards are classified as either static 0 hazards 
as shown in Figure 3.1(a) where the steady state is a logical 0, and static 1 hazards as 
shown in Figure 3.1(b). A static hazard which doesn’t drive a signal the full voltage 
amplitude is called a runt pulse.
Figure 3.1: Hazard Waveforms in Combinational Logic: (a) Static 0 Hazard, (b) Static 1 Hazard, (c) Dynamic Hazard
The second class of hazard, called a dynamic hazard, is shown in Figure 3.1(c).
Dynamic hazards occur when a new set of input values produce a change on the
output, and the output oscillates before settling to the steady state value.
3.3.2 Hazards in Combinational Logic
Combinational hazards in a circuit are transitory if no new inputs are applied until 
the circuit stabilizes. Once the circuit has stabilized it will produce the correct 
output for the current inputs.
Logic Hazards
A logic hazard exists in a combinational circuit if, under the fundamental mode 
assumption, the delays in the circuit result in a hazard. Logic hazards are the most 
commonly discussed cause of combinational hazards. Such hazards are the result of 
the particular logic network that is used to implement the output function. Changing 
the circuit implementation can remove logic hazards -  as well as introduce them.
Unger showed that under a single input change constraint it is always possible to
synthesize all transitions in a combinational circuit to be free of logic hazards [Ung69].
This is accomplished by adding redundant covers, making the implementation larger.
Table 3.1 contains the definition of a contrived specification that demonstrates logic
hazard removal techniques for SIC implementations. Figure 3.2(a) contains the
Karnaugh map generated from the specification and Figure 3.2(b) shows two
implementations. Both circuits contain the ac and bc̄ implicants, and one circuit adds the ab
AND gate by including the dotted interconnections.
E1   def= b.z̄.E1_1
E1_1 def= c.z̄.a.z̄.E1_3 + a.E1_2
E1_2 def= c.E1_3
E1_3 def= b.c.z̄.a.E1
Table 3.1: A SIC Circuit Specification
As can be seen by examining the Karnaugh map in Figure 3.2, there are three
prime implicants, bc̄, ac, and ab [McC86]. The two essential prime implicants, ac
and bc̄, are circled in the K-map. A logic hazard exists in the circuit designed using
only the essential prime implicants. Assume the implementation is in state E1_2
(abc:110) and input c arrives. At this point the implicant bc̄ is keeping the output
high. The arrival of c turns that implicant off, and the implicant ac on. If bc̄ turns
off faster than ac turns on, then a static 1 hazard may occur on the output.
Figure 3.2: SIC Covering Example. (a) Karnaugh map of the specification in
Table 3.1 (columns ab, rows c); the essential implicants bc̄ and ac are circled and
the redundant implicant ab is drawn with a dashed box:
      ab: 00  01  11  10
  c=0      0   1   1   0
  c=1      0   0   1   1
(b) the two implementations.
Unger showed that including all prime implicants in SIC combinational logic is
sufficient to remove all its logic hazards. The third prime implicant, ab, is shown in
the K-map with the dashed box, and connected to the circuit with the dashed lines.
During the c transition from state E1_2 the implicant ab keeps the output z asserted.
Removing logic hazards from combinational logic in multiple input change
circuits is more complex. Including all prime implicants removes all static hazards for
outputs that must remain stable during a properly designed MIC transition, as is
the case in the SIC covering example of Figure 3.2. However, other methods must
be used to assure that no “intervening” implicants are temporarily asserted during a
transition when a signal does not remain stable. Such intervening implicants create
dynamic hazards. For example, from state abc:101 in Figure 3.2, when both signals
a and b change in a MIC transition to state abc:011, a dynamic hazard exists. The
ac implicant will unassert during the transition, whereas the ab implicant can
temporarily assert, depending on input trajectories and delays. The hazard occurs when
the ac implicant and the OR gate become unasserted, and then the ab implicant
temporarily asserts long enough to drive the OR gate. Refer to [ND92] for more
details on designing logic hazard free combinational logic.
Lesson 1: Combinational logic can be synthesized free of logic hazards under the
input and output constraints of burst-mode.
Function Hazards
A function hazard exists in a MIC circuit if and only if an output changes more
than once along a minimum length path of an input transition. Function hazards are
caused by the specified functional behavior of a circuit. Unlike logic hazards, function
hazards cannot be removed by changing the circuit design. This type of hazard does
not exist for SIC implementations, and can only arise in a MIC transition which
passes through a “cube” of multiple states in a Karnaugh map. Unger showed that
with MIC combinational logic, every function with more than one prime implicant
may contain function hazards that cannot be circumvented through logic design
alone.
Even native logic devices can contain function hazards. Figure 3.3 shows the
function specification for a NAND gate. If there is a multiple input change from
ab:10 to 01 as shown by the arrow in the Karnaugh map, then a static 1 function
hazard exists. If the intermediate state ab:11 is reached, the output may temporarily
become a 0, causing the hazard.
The remedies for function hazards include constraints or modifications to the
environment or the circuit behavior, and include:
1. Require that the environment provides the inputs simultaneously so that a
direct jump to the destination state is achieved.
2. Enforce SIC signal ordering by the environment in such a way that a hazard
free minimum path is taken for the transition.
3. Redesign the specification so that it will work in all environments by removing
the function hazard.
Figure 3.3: Functional Hazard in a NAND Gate
The first two solutions attempt to control the environment so that the hazard will
not occur in practice. Neither is a good solution, and the first is generally unrealizable.
The hazard is avoided in the second solution if a always lowers before b asserts,
as the transition will then proceed along the path ab:10 → 00 → 01. If the environment
provides the signals in either order in parallel, an expensive SIC sequencing unit
must be designed to constrain the order of the signals from the environment. This
may introduce other hazards as well.
MIC specifications can be designed without function hazards. More restrictive
implementation rules can guarantee that the ab:10 → 01 transition is hazard free.
Burst-mode is such a system because it restricts specifications in such a way that
function hazards cannot arise. As long as the outputs are identical in the cube
covering the transition from the start state up to (but not necessarily including) the

the states ab {00, 10, 11} evaluate to 1 in order to avoid function hazards, clearly an
impossibility for a NAND gate implementation.
Lesson 2: Function hazards can be avoided in MIC circuits by implementation
constraints.
3.3.3 Hazards in Sequential Automata
Sequential logic is formed by adding memory to combinational logic. Most practical
circuit implementations contain sequential logic. The state machines discussed in this
thesis are low latency Huffman machines unless otherwise noted, whose construction
is shown in Figure 3.4. The sequentiality - and memory - in these circuits is created
by feeding the state outputs back in as inputs to the combinational logic. These
are the asynchronous finite state machines (or AFSMs) produced by MEAT. The
hazards discussed in this section are present in Huffman machines as well as all other

Figure 3.4: Huffman and MEAT State Machines in the Post Office
The hazard discussion of this section assumes that all sequential logic is derived
from combinational logic free of hazards by techniques discussed in the previous
section. However, combinational circuits free of logic and function hazards used as
the building blocks of state machines do not guarantee a hazard free sequential circuit!
Almost all state machines contain sequential hazards, which are generally caused
by two signals arriving at a decision element from two types of paths: one from
inputs or combinational logic only, and one from a storage signal (a state variable in
a Huffman machine).
The first three classes of sequential hazards that will be discussed in this section 
assume deterministic combinational logic operating in fundamental mode. The final 
type of hazard, the delay hazard, does not assume fundamental mode and can occur 
in both combinational and sequential circuits.
Essential Hazards
Essential hazards can be present in a sequential circuit if and only if from a
starting state, when an input is changed three times, the final stable state is different
from the stable state reached after the input is changed only once. Essential hazards
can lead the AFSM into an erroneous state. This occurs when the input causes a
change in a state variable that leads to the desired stable state. If this state change
is perceived by a second state variable before the input then the second state variable
logic may react to the new state and old input value and switch into an erroneous
state.
Essential hazards are similar to function hazards in that they are part of the 
definition of a function and there is no known automated technique for removing 
essential hazards, including logic redesign or state variable reassignment.
The TOGGLE element is a classic example of a circuit with essential hazards.
Table 3.2 shows the CCS definition, flow table, and logic symbol of a TOGGLE.
From any stable state, no trio of transitions will return you to the same stable state.
There is a possible essential hazard for each transition. Assume, for instance, that
from state 0-0 of the flow table the input a makes the transition 0 → 1, which
should move the AFSM into state 0-1. This is an unstable state, so the state is
changed by moving to row 1. The output b will also change, moving the AFSM into
the stable state 1-1. The hazard occurs when the state change is processed before
the input change in an implementation, sending the state machine through the state
sequence 0-0 → 1-0 → 2-0 → 2-1 → 3-1, arriving at an erroneous state.
Table 3.2: The TOGGLE Element
Transient Hazards
Transient hazards exist if from a given starting state, when the input is changed
the second time the starting state is reached but a static hazard is possible on any
of the outputs. Transient hazards occur in a circuit when a state variable change is
perceived by the output logic before the input change is perceived. These hazards
are similar to combinational logic hazards because they are transient. Transient
hazards are also similar to essential hazards because they are part of the function
definition and cannot be removed by logic design; the difference being that the hazard
is produced in the output logic rather than the state logic. This hazard is extremely
common in MIC AFSMs.
D-trio Hazards
D-trio hazards may occur if from a given starting state, when the input is
changed three times, the final state is the same as the internal state after one change
in the input set, but the second state is different from the initial state. If any outputs
change in those three states, a d-trio hazard can occur.
3.3.4 Delay Hazards
The techniques for defining and synthesizing circuits free of combinational and
sequential hazards assume the fundamental mode stability requirement. However,
other than the burst-mode model, none of the hazard models of Section 3.2 assume
the fundamental mode of operation. This inconsistency between hazard definitions
and analysis can result in hazards that slip through synthesis techniques. Delay
hazards arise due to this inconsistency and are extremely common in sequential circuits.
A delay hazard can be present when more than one implicant enables a function
output in any circuit state. The hazard occurs when multiple implicants are to assert
and hold the output high, but only a subset of these implicants stabilize, and the
subsequent inputs unassert the stable implicants before the unstable implicants have
stabilized.
For example, the SIC circuit of Figure 3.2 from Page 55 has delay hazards. We
will look at the following delay hazard pointed out by Analyze (in the SI analysis
mode) using the circuit implemented with all prime implicants.
;;; Implementation doesn't conform to specification!
;;; Implementation generates an illegal output!
;;; Illegal Signal: 'z  valid spec signals: (b)
;;; Signal trace: (b 'bc* 'z a c 'c* 'bc* 'z)
The implementation behaves correctly until it moves into state E1_2 in Table 3.1.
At this point the ab implicant is unstable but does not assert. When the c input
arrives, the ac implicant also becomes unstable. If the inverter and the bc̄ implicant
each make a transition before the ab and ac implicants, then the hazardous output
that is pointed out above occurs.
This example points out that delay hazards can occur even when using the most 
restrictive logic class (combinational logic) and environmental constraints (SIC and 
SOC). It will also occur in sequential logic and with other environmental constraints, 
and can be exacerbated by the addition of coverings used to remove logic hazards!
Lesson 3: Synthesis systems do not remove all sequential hazards.
3.3.5 Example of Hazards in a Sequential C-element
The Muller C-element is a standard building block used by many asynchronous 
systems. This section points out hazards and problems that may occur even in this 
simple component. A CCS specification of the C-element is shown in Equation 3.1.
C-element def= a.b.c̄.C-element + b.a.c̄.C-element    (3.1)
The C-element specification conforms to all syntactic requirements for any
asynchronous synthesis system, and can be translated into the state graph and Karnaugh
map shown in Figure 3.5. The standard C-element implementation is shown in
Figure 3.6 and is synthesized from the K-map coverings.
Figure 3.5: State graph and Karnaugh map of the C-element (columns ab, rows c;
the three circled covers are ab, bc, and ac):
      ab: 00  01  11  10
  c=0      0   0   1   0
  c=1      0   1   1   1
Figure 3.6: C-element AND-OR Implementation and Logic Symbol
This simple circuit obeys all semi-modular and burst-mode constraints. The logic
used in the C-element is free of all combinational and sequential hazards including
logic, function, essential, d-trio, or transient hazards. Assuming that this results in
a hazard free sequential circuit is incorrect. Analyze pointed out eight instances of
computation interference in the circuit caused by delay hazards, resulting in static 1
hazards on the output. Table 3.3 is a transcript of one of the error traces of Analyze
and is used as an example. Inputs a and b became asserted, setting implicant ab.
This asserted the output c̄, which in turn enabled the other two implicants, and
the C-element arrived in state abc:111 in the K-map of Figure 3.5. However, only
the bc implicant asserted before the b input became unasserted. After arriving in
state abc:101, the implicants ab and bc became unasserted, allowing the output c̄ to
transition, resulting in the occurrence of the static 1 hazard. The other seven delay
hazard errors are similar, and occur after arriving in state abc:111 without all three
implicants becoming asserted before an input changes.
;;; ERROR! Computation interference encountered!
;;; Signal 'c in agent C-ELEMENT*
;;; Trace: (b a 'ab 'c 'bc b 'ab 'bc 'c)
Table 3.3: One of Eight SI Delay Hazard Errors in the C-element
Although the C-element contains eight errors using the SI hazard model, it is
verified in Analyze as correctly implementing the specification under the burst-mode
hazard model. The fundamental mode assumption ensures that the three terms
asserting the output are stable before the next input set arrives. This result is
logical because the hazard definitions, with the exception of the delay hazard, assume
fundamental mode, and the C-element doesn't have any of these hazards in its design.
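The following Python explorer is an added example, not code from the thesis or from Analyze: it enumerates every unbounded-delay gate-firing order for the SIC covering circuit of Table 3.1 (Figure 3.2, Section 3.3.4) and for the C-element of Figure 3.6, under both a fundamental mode (burst-mode) environment and an SI environment, and reports the first trace on which the output fires when the specification does not permit it. The gate names with a trailing asterisk, the settled/enabled/find_hazard helpers and the two scenario lists are my own construction, assembled from Table 3.1 and the trace of Table 3.3.

```python
"""Interleaving explorer for the hazard examples of this chapter (added
example, not code from the thesis or from Analyze).  Every gate is an
unbounded-delay device: whenever its inputs disagree with its output it is
"enabled" and may fire at any later moment, so all firing orders are searched.
Two environment models are compared:
  "fundamental": the next input is supplied only when no gate is enabled
  "si":          the next input may arrive as soon as the specification allows
"""
from typing import Callable, Dict, List, Optional, Tuple

Signals = Dict[str, int]
Gate = Tuple[str, Callable[[Signals], int]]     # (output signal, boolean function)
Event = Tuple[str, str]                         # ("in", signal) or ("out", signal)

# Table 3.1 / Figure 3.2 circuit built from the essential primes only:
# z = b.c' + a.c.  The last gate of each list is the circuit output.
ESSENTIAL: List[Gate] = [
    ("cbar", lambda s: 1 - s["c"]),             # inverter on c
    ("bc*", lambda s: s["b"] & s["cbar"]),      # implicant b.c'
    ("ac*", lambda s: s["a"] & s["c"]),         # implicant a.c
    ("z", lambda s: s["bc*"] | s["ac*"]),
]
# The same circuit with the redundant a.b cover that removes the logic hazard.
ALL_PRIMES: List[Gate] = ESSENTIAL[:3] + [
    ("ab*", lambda s: s["a"] & s["b"]),         # implicant a.b
    ("z", lambda s: s["bc*"] | s["ac*"] | s["ab*"]),
]
# Muller C-element of Figure 3.6: c = a.b + b.c + a.c with c fed straight back.
C_ELEMENT: List[Gate] = [
    ("ab*", lambda s: s["a"] & s["b"]),
    ("bc*", lambda s: s["b"] & s["c"]),
    ("ac*", lambda s: s["a"] & s["c"]),
    ("c", lambda s: s["ab*"] | s["bc*"] | s["ac*"]),
]

# Specification paths as the environment sees them (constructed from Table 3.1
# and from the Table 3.3 trace): ("in", x) is an input the environment toggles,
# ("out", y) an output transition the specification requires before it continues.
SIC_SCENARIO: List[Event] = [("in", "b"), ("out", "z"), ("in", "a"), ("in", "c")]
C_SCENARIO: List[Event] = [("in", "b"), ("in", "a"), ("out", "c"), ("in", "b")]


def enabled(gates: List[Gate], s: Signals) -> List[str]:
    """Gates whose function of the current signals differs from their output."""
    return [name for name, fn in gates if fn(s) != s[name]]


def settled(gates: List[Gate], inputs: Signals) -> Signals:
    """Quiescent state for fixed inputs: fire enabled gates until none remain."""
    s = dict(inputs, **{name: 0 for name, _ in gates})
    while enabled(gates, s):
        for name in enabled(gates, s):
            s[name] ^= 1
    return s


def find_hazard(gates: List[Gate], scenario: List[Event], mode: str) -> Optional[List[str]]:
    """Depth-first search over every interleaving of gate firings and
    environment moves.  Returns the first trace (inputs plain, gate firings
    prefixed with ') on which the output gate fires when the specification does
    not expect an output, or None if no interleaving does so."""
    out = gates[-1][0]
    start = settled(gates, {x: 0 for kind, x in scenario if kind == "in"})
    key = lambda s: tuple(sorted(s.items()))
    seen = set()
    stack = [(key(start), 0, ())]
    while stack:
        k, i, trace = stack.pop()
        if (k, i) in seen:
            continue
        seen.add((k, i))
        s = dict(k)
        en = enabled(gates, s)
        # Environment move: toggle the next input if the spec and the mode allow it.
        if i < len(scenario) and scenario[i][0] == "in" and (mode == "si" or not en):
            x = scenario[i][1]
            stack.append((key({**s, x: s[x] ^ 1}), i + 1, trace + (x,)))
        # Gate moves: under unbounded delay any enabled gate may fire next.
        for g in en:
            j = i
            if g == out:
                if i < len(scenario) and scenario[i] == ("out", g):
                    j = i + 1                         # the expected output event
                else:
                    return list(trace + ("'" + g,))   # unexpected output: hazard
            stack.append((key({**s, g: s[g] ^ 1}), j, trace + ("'" + g,)))
    return None


if __name__ == "__main__":
    for label, gates, sc in [("essential primes", ESSENTIAL, SIC_SCENARIO),
                             ("all primes", ALL_PRIMES, SIC_SCENARIO),
                             ("C-element", C_ELEMENT, C_SCENARIO)]:
        for mode in ("fundamental", "si"):
            print(f"{label:17s} {mode:12s} {find_hazard(gates, sc, mode)}")
```

Under the fundamental mode environment only the essential-primes circuit fails (the static 1 logic hazard on the c transition from E1_2), while the all-primes circuit and the C-element pass; under the SI environment both of the latter fail with the delay hazards described above, and the essential-primes trace reproduces the signal order of the Analyze report in Section 3.3.4.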
3.3.6 Other Potential Faults in the C-element
This section examines other potentially serious problems with the C-element design
of Figure 3.6, which are also common to many asynchronous synthesis systems and
designs.
Figure 3.6 shows that the output c̄ is fed directly back into the circuit as a
state variable. Faster circuit response can be achieved by using state variables as
direct outputs. However, this creates an isochronous fork that conjoins the external
environment and the internals of the state machine, destroying the modularity of
an AFSM as internal state signals pass directly on to the spatially unconstrained
environment. This is an undesirable location for an isochronous fork for the following
two reasons:
1. The fundamental mode assumption can easily be violated. The environment
can act on the output concurrently with the internal logic of the AFSM
receiving the state change. A quick response from the environment can violate
the stability requirement. Infinitely fast environment response is achieved by
feeding the forked output directly back into the state machine. This always
violates the fundamental mode assumption and nearly always results in circuit
failure. Analyze can detect when a direct output to input connection results
in circuit failure, but post layout timing analysis must still be carried out.
2. Global circuit  analysis is required. As can be seen from Figure 3.6, the forked 
signal ~c is passed directly to the environment as well as internal to the circuit 
as a state variable. The modularity of the circuit is compromised as the load on 
the state variable depends on the external circuits it drives and their placement. 
Timing analysis of the C-element and its environment is required to assure 
fundamental mode is not violated by the fork. Kees van Berkel showed that 
even when the output of a C-element passes through logic, and the load on the 
output is greater than the feedback delaying the signal externally, it still can 
fail as a result of this fork [Rob6I, vB92a].
These problems can be controlled and localized by buffering forked outputs that 
feed back as state variables. That is one function of the driver box in Figure 3.4. 
This solution usually comes at the cost of a slightly larger and slower circuit, but
CHAPTER 3. HAZARDS 65
can improve performance when the outputs are heavily loaded (but this depends on 
the circuit environment). Localizing the fork using the above technique is essential 
if the circuit is to be used as a building block in a macro module library.
Burst-mode implementations permit the rendezvous operation of the C-element 
to be convolved into AFSMs. This can result in better aggregate performance, as 
well as the removal of the isochronous fork on the signal outputs. For these reasons 
C-elements were rarely used in the Post Office designs.
3.4 Specification Complexity and Hazards
The difficulty of implementing a circuit free of hazards increases rapidly with the 
complexity of the behavior. As implementations grow over 32 minimized burst­
mode states, the additional coverings required to remove logic hazards create delay 
hazards. The likelihood of delay hazards increases with the complexity of a design. 
Conversely, very small specifications, those consisting of less than 5 minimized 
states, are usually undesirable because of the logarithmic scaling of the binary 
state representation.
The difficulty of building large hazard-free implementations arises mainly from 
the difficulty of removing hazards from the feedback signals. As the number of 
state variables and logic devices that must share the feedback signals increases, 
the probability of creating hazard-free covers is greatly reduced, because of the 
difficulty of covering all cubes and assuring there are no interfering covers [ND92].
Some synthesis systems attempt to reduce the number of dedicated state variables 
by feeding the outputs back into the circuit as state variables [Chu87, Chu93]. This
results in isochronous forks, with their attendant analytical problems, at nearly all 
outputs! This trick can decrease the number of dedicated state variables (since the 
outputs need to be produced in any case), but the total  number of feedback signals 
(state variables) usually increases dramatically. The probability of sequential hazards 
(essential, transient, and d-trio), as well as delay hazards, may increase by adding 
to the total number of state variables, particularly when the excitation pattern of 
many of the state variables is inflexible.
AFSMs in the Post Office were all characterized by burst-mode state machines. 
Given a correctly constructed burst-mode description and system behavior, MEAT 
and other synthesis tools can generate physical device descriptions suitable for in­
tegrated circuit fabrication. A graphical burst-mode description that will easily fit 
on a piece of paper is typically very easy for engineers to specify and understand 
(its appearance is similar to a Mealy state machine), and is usually of the correct 
implementation complexity for automatic implementation (from 5 to 32 minimized 
states).
3.5 Hazard Summary
General implementation independent techniques for hazard removal in MIC combinational 
circuits have only recently been developed. There is no method of syntactically 
restricting specifications or designing them in such a way as to remove all sequential 
hazards using the implementation independent unbounded delay assumption. For 
example, simple asynchronous building blocks such as the TOGGLE cannot be syn­
thesized without hazards using current technology, and the C-element can only be
designed hazard free with great effort³. That few combinational asynchronous circuits 
can be built without hazards has been the topic of some recent papers [Mar90]. 
Brzozowski and Ebergen discussed the delay sensitivity of asynchronous implemen­
tations, and proved that it is theoretically impossible to design many simple circuits 
without hazards using logic gates [BE92]. This results in the following rule of thumb 
of asynchronous design:
Observation 1 Hazard free sequential circuit synthesis is not always possible, and 
hazard free systems are extremely rare.
Applying the Speed-independent hazard model with unbounded delays reveals 
that transient, essential, and delay hazards abound in sequential asynchronous cir­
cuits that are built from locally hazard free combinational logic. Table 3.4 lists 
the hazards discussed herein and the current ability to guarantee that synthesized 
circuits are free of such hazards.
Hazard Type        Circuit Class     Guaranteed Hazard Free Synthesis
logic hazard       combinational     most circuits
function hazard    combinational     most circuits
essential hazard   sequential        semi-modular circuits
transient hazard   sequential        semi-modular circuits
d-trio hazard      sequential        semi-modular circuits
delay hazard       (any)             no circuits
Table 3.4: Hazard Free Circuit Classes
Automated techniques are available that can synthesize most combinational circuits 
free of all logic and function hazards. There may be some simple constraints 
that assure, for example, that a function hazard is not contained in the specification. 
There is only a limited class of circuits that is guaranteed to contain no sequential 
hazards. These circuits, called semi-modular circuits, were described by Muller 
[Mil65]. Such circuits are confluent in every state (see Section 5.3.2). There is no 
class of circuit that can be synthesized with modern techniques that is guaranteed 
to be free of delay hazards.
³ A hazard free DI implementation of the C-element exists, but it is a mystery to me 
how it was coined!
A lot of confusion has resulted both within and outside the asynchronous com­
munity regarding claims of so-called hazard free synthesis systems. Although these 
systems may remove certain classes of hazards based on the fundamental mode as­
sumption, such as logic hazards in combinational logic, no system is capable of gen­
eral hazard free circuit synthesis under the implementation independent unbounded 
delay models. Because bounded delay models require implementation dependent in­
formation, they are difficult to evaluate without the circuit layout and parameters. 
More rigorous and honest reporting must be employed regarding the assumptions 
used, the weaknesses, and constraints of synthesis systems because it is unlikely that 
there can be a single hazard model that can be applied from high level descriptions 
on down to circuit implementations. For example, the DI model, although math­
ematically elegant and useful for coarse high level evaluation, cannot be applied 
to physical implementations. Other hazard analysis, removal, and control methods 
must be used at the physical circuit level. The way in which any particular synthesis 
methodology treats this dichotomy of hazard modeling must be made evident.
The following actions are necessary to design safe burst-mode circuits, which like 
any other class of circuits cannot be guaranteed to be synthesized free of all hazards.
Action 1 Synthesis systems can be created which remove combinational hazards and 
most sequential hazards.
• Designing sub-circuits free of all combinational hazards may or may not 
increase the likelihood of a final hazard free implementation.
• Many sequential circuits can be synthesized hazard free, but not all hazards 
are removed by synthesis constraints.
• Function hazards can be avoided with implementation and specification con­
straints. This step must be a pre-synthesis procedure because modifying the 
circuit structure or state assignments cannot remove such hazards.
Burst-mode was developed to assure that designs are free of function hazards and 
to aid in the development of compact, low latency hazard free AFSMs.
Action 2 Hazard analysis is required following circuit synthesis to point out where 
delay hazards and unremovable sequential hazards exist.
• It may not be possible to specify certain behaviors without sequential hazards 
(such as the TOGGLE).
• Some or all potential sequential hazards (such as essential hazards) may not 
be present in a particular design.
• No synthesis tool creates hazard free sequential circuits.
Essential and transient hazards will not be present in an implementation where 
there is no buffering or inversions of the input signals. However, this logic constraint
is impossible in practice and some of the unremovable hazards due to the behavior of 
the specification will occur. Delay hazards are always possible even after removing 
all other hazards.
Action 3 Hazards may be removed using techniques unique to the implementation 
media.
Hazards that were not removed in the specification and synthesis stages can be 
flagged for special treatment and removal. Section 3.7 discusses two techniques used 
in the Post Office design for removing hazards from synthesized logic.
Action 4 Remaining unremoved hazards must be controlled in the circuit layout.
When hazard removal fails, hazards can be controlled at the time of circuit layout 
because hazards are created by stray delays. Implementation technology and 
layout may require additional investigation to assure that the requirements of the 
assumptions made by the hazard models used in verifying an implementation have 
not been violated. For example, the isochronous fork assumption has resulted in real 
circuit failures [Mar89]. Flagging potential hazards in a circuit for special layout 
consideration allows one to:
1. attempt to create a layout where the delays will not result in a hazard, and
2. analyze the layout to assure this is the case.
The design methodology of the Post Office successfully took this approach to 
controlling hazards. Hazards in the AFSMs were all localized to the state machine 
itself where hazards are easily controlled. Model assumptions such as the isochronous 
fork and fundamental mode were also restricted to local areas whenever possible.
3.6 Controlling Hazards
Not all hazards are removed during circuit synthesis under the unbounded delay 
model using any of the hazard models presented in Section 3.2. Further, all these 
hazard models, with the exception of the DI model, contain abstractions which 
remove certain hazards from consideration. Care must be taken in the layout to 
assure that the hazards that remain or have been removed from consideration do not 
occur in the circuit.
Since hazards are caused by stray delays, engineering techniques exist which can 
organize the delays of a circuit to preclude the occurrence of the hazards. Control 
of hazards is implementation dependent, and if the circuit is implemented in another 
technology or with different parameters the hazard may not be controlled using the 
same techniques. Logic or electrical circuit diagrams are not proof that a hazard 
is controlled -  the physical properties of the devices and layout must be examined. 
Technology mapping that does not add additional hazards only prevents the increase 
of layout restrictions. Technology mapping does not control the potential problems 
that already exist and must be passed information regarding these hazards for reliable 
implementations to be created. Even so, the layout restrictions for asynchronous 
circuits are much looser than for synchronous circuits. Implementations can also be 
made smaller and faster, as will be shown in Section 3.7.2, if some knowledge of the 
actual delays of the physical devices are considered, since no physical devices used in 
circuit fabrication actually demonstrate unbounded delay.
Many synthesis systems control hazards by adding delay to the output of the 
state logic [Ung69], a solution which is not satisfactory for low latency circuits. A
better solution (used in the Post Office) is to use careful layout and circuit design 
coupled with an inequality timing analysis to assure that the hazards will not occur 
given the delays in the circuit. Unger presented an inequality on page 179 of [Ung69] 
which assures that hazards caused by delays hidden with the fundamental mode 
assumption are controlled. A similar inequality was used in the Post Office and is 
described in [Ste92].
3.7 Hazard Removal
This section presents two methods used in the Post Office to remove hazards once 
state machines have been synthesized with MEAT. These techniques have some weak­
nesses since they may not remove all hazards, have not been automated, and will 
not work for all classes of logic or circuits. Further study is necessary to generalize, 
strengthen, and automate these techniques.
3.7.1 Signal Reordering
Figure 3.7 shows the MEAT implementation of the Post Office state machine 
SBuf-Send-Ctl. Refer to Section 4.7.1 for an explanation of this circuit and its specification. 
This circuit contains a transient hazard because the Req-Send  output combinational 
logic can process a change in the Y0 state variables before noting the change in the 
Begin-Send  input signal if the inverter is slower than the OR gate, causing a static 0 
hazard. The hazard path is indicated by the dotted line, and occurs in state 2 of the 
specification (in Figure 4.4) as Begin-Send  becomes asserted.
Figure 3.7: SBuf-Send-Ctl Circuit with a Transient Hazard
The first hazard removal technique reorders the sequence that signal transitions 
are evaluated by adding inverters to a signal path. The transition on Begin-Send  
must arrive at the Req-Send logic before the Y0 state logic to remove the hazard. 
“Double inverting” Begin-Send to the Y0 state logic forces the output logic and state 
blocks to evaluate input transitions in a fixed order using burst-mode or SI analysis 
so that Begin-Send is accepted by the Req-Send logic prior to the Y0 logic.
Figure 3.8 shows SBuf-Send-Ctl with the hazard removed by adding an inverter 
to double buffer the Begin-Send  signal. Removing the hazard in this manner comes 
at the cost of additional inverters and a slightly larger circuit. Output latency is not 
usually increased by this method of hazard removal if the hazard is static, as is the 
case in this circuit.
Figure 3.8: Burst-mode Hazard Free SBuf-Send-Ctl Logic 
3.7.2 Complex Transistor Gates
Races between gates can be removed by combining the gates into a single complex 
functional unit designed with transistors. Such transistor structures are referred to 
as complex gates. This is the second hazard removal technique used in the Post 
Office. The rules for creating these complex gates are part of a tool I developed that 
interfaces with Electric [Rub87] and produces transistor schematics. Applying the 
AND-OR implementation of the C-element shown in Figure 3.6 to the complex gate 
tool produces the single complex gate in Figure 3.9.
This implementation is free of all hazards using SI analysis. The delay hazard in 
the circuit of Figure 3.6, caused by unequal delay of the three AND gates, is removed 
by convolving the independent gates into the single complex device.
Figure 3.9: Complex Gate CMOS Transistor Implementation of C-element
Another example of complex gate hazard removal is demonstrated with the PE- 
Send-Ifc AFSM. This state machine controls the external handshake lines on the 
PE port when an outbound packet is being loaded into the Post Office registers. 
This state machine is fairly complex, and is not shown here in its entirety. A piece 
of the burst-mode specification is shown in Figure 3.10(a). The MEAT implementation 
for the TAck signal requires seven AND terms. Only the two terms active

    TAck = Y0 · Rd-IQ · TReq + Y1 · Rd-IQ · TReq

Figure 3.10: PE-Send-Ifc Hazard. (a) Burst-mode specification fragment; 
(b) AND/OR Implementation with Hazard.
The dynamic 1 hazard present in this implementation is shown by the signal 
values on the wires in the figure. This hazard exists because a term (in the bottom  
AND gate) can become temporarily asserted during the input and state change burst. 
The top AND gate becomes asserted and remains stable. If the top AND gate is 
significantly slower than the bottom AND gate, and the Y1 logic is slower than the 
inverter, then the bottom AND gate can turn on then off before the top AND gate 
ever fires, producing the hazard as the output can bounce 0 1 0 1 before stabilizing.
Figure 3.11: PE-Send-Ifc Hazard Removal with Complex Gate
Combining the two AND gates into a single complex gate removes the hazard 
and the final circuit is smaller and faster. Figure 3.11 shows the complex gate used 
in the Post Office chip. This gate was created by the MEAT back end complex gate 
generator. As can be seen, the complex gate removes the hazard because the TAck 
signal cannot be pulled low until both the Y1 and Rd-IQ signals have changed.
Note that this hazard exists in the sum-of-products form because the combina­
tional logic is not entirely hazard free for MIC logic. The bottom AND gate becomes 
asserted because it is an “intervening” gate that turns on at an intermediate part
of the MIC transition. This hazard may be removed with careful synthesis and 
additional logic and states. This example shows that extra logic required to remove 
hazards in the sum-of-products form may not be necessary if the function will be 
implemented as a complex gate.
The example of Figure 3.2 confirms that at times the additional coverings are 
necessary to create a hazard free complex gate implementation. Using only the 
essential prime implicants ab and b̄c produces a complex gate of Figure 3.12(a) that 
does not remove all of the hazards in the complete circuit as the inverter delay creates 
static hazards on the output. No hazards are introduced with complex gates, and 
the circuit of Figure 3.12(b) is a hazard free implementation.
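The static-1 hazard just described, as an added example that is not from the thesis or its tools: a small gate-level delay simulation of a two-level AND/OR network covered by the essential prime implicants ab and b̄c, with and without the consensus term ac. The function, the unit gate delays and the input waveform (a = c = 1 held constant while b falls) are assumptions chosen to reproduce the behaviour the text describes; the thesis's own Figure 3.2 circuit is not reproduced. The simulation also shows the point made in Section 3.6 that the glitch depends on the stray inverter delay, so the logic diagram alone cannot show whether the hazard occurs.

```python
"""Gate-level delay simulation of the static-1 hazard in f = ab + ~b c (added example)."""
from typing import Dict, List, Sequence, Tuple

# A product term is a tuple of literals; '~b' denotes the complement of b,
# which passes through an inverter and therefore lags the true signal.
Term = Tuple[str, ...]

# Constructed input waveform: a = c = 1 throughout, b falls 1 -> 0 at t = 5.
# Under the function's truth table f should hold at 1 for the whole interval.
T = 16
INPUTS: Dict[str, List[int]] = {
    "a": [1] * T,
    "b": [1] * 5 + [0] * (T - 5),
    "c": [1] * T,
}

MINIMAL_COVER: List[Term] = [("a", "b"), ("~b", "c")]          # essential primes only
HAZARD_FREE_COVER: List[Term] = MINIMAL_COVER + [("a", "c")]  # plus consensus term ac (assumed)


def _literal(lit: str, t: int, inputs: Dict[str, List[int]], inv_delay: int) -> int:
    """Value of a literal at time t; an inverted literal sees its input inv_delay steps late."""
    if lit.startswith("~"):
        return 1 - inputs[lit[1:]][max(0, t - inv_delay)]
    return inputs[lit][t]


def simulate(cover: Sequence[Term], inputs: Dict[str, List[int]], inv_delay: int = 3,
             and_delay: int = 1, or_delay: int = 1) -> List[int]:
    """Return the output waveform of a two-level AND/OR network with fixed gate delays.
    Each gate output at time t is computed from its inputs at time t - delay."""
    steps = len(next(iter(inputs.values())))
    and_outputs = []
    for term in cover:
        trace = [int(all(_literal(lit, max(0, t - and_delay), inputs, inv_delay) for lit in term))
                 for t in range(steps)]
        and_outputs.append(trace)
    return [int(any(trace[max(0, t - or_delay)] for trace in and_outputs)) for t in range(steps)]


def transition_count(wave: Sequence[int]) -> int:
    """Number of 0/1 changes in a waveform; a static-1 output should have none."""
    return sum(1 for x, y in zip(wave, wave[1:]) if x != y)


def glitch_count(cover: Sequence[Term], inv_delay: int = 3) -> int:
    """Transitions seen on f for the constructed b: 1 -> 0 input change."""
    return transition_count(simulate(cover, INPUTS, inv_delay=inv_delay))


if __name__ == "__main__":
    for name, cover in (("ab + ~b c", MINIMAL_COVER), ("ab + ~b c + ac", HAZARD_FREE_COVER)):
        for d in (0, 3):
            print(f"{name:16s} inverter delay {d}: {simulate(cover, INPUTS, inv_delay=d)}")
```

With a three-step inverter delay the minimal cover drops the output to 0 for three steps (the static-1 hazard); the consensus term ac holds the output at 1 regardless of the inverter delay, and with a zero inverter delay even the minimal cover is glitch free, which is why physical delays rather than the logic diagram decide whether the hazard appears.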
Figure 3.12: Hazard Free SIC Circuits as Complex Gates
3.8 Summary
This section presented a description of delay models and hazard models commonly 
used to describe and analyze asynchronous circuits. The definition and causes of 
common hazards and their avoidance was also presented with examples. Most hazards 
are defined based on a fundamental mode requirement, yet most hazard analysis 
models do not use the fundamental mode stability requirement.
Hazards cannot be removed from all circuits in a technology independent manner. 
Specification and synthesis procedures can be used to automatically synthesize 
combinational circuits free of all but delay hazards. Sequential circuits cannot be 
automatically synthesized free of hazards under the unbounded delay model. For some 
circuit specifications, hazard free implementations have been proven impossible, and 
for others hazard free synthesis cannot be accomplished with current technology. 
Many instances arise due to the divergence between hazard definitions that assume 
stability and analysis methods which do not. Hazards are sensitive to circuit structures, 
and AFSMs of moderate complexity with fewer implicants and state feedback 
signals typically ease hazard removal while allowing low latency.
Analysis tools are necessary to identify unremoved hazards by a posteriori evaluation. 
Two methods for removing hazards following circuit synthesis were presented. 
When the hazards cannot be removed with these and other techniques, delays in the 
physical layout must be organized so that the occurrence of the hazards will be 
prevented. Assumptions of the hazard model must also be verified. Delay inequalities, 
like the one used with the CMOS AFSMs in the Post Office implementation, can 
ensure that the remaining hazards have been controlled.
Delay-insensitive macro module synthesis systems use many components, such as 
the C-element, that contain hidden isochronous forks and hazards. However, when 
the hazards and forks are localized to AFSMs then compact, low latency burst-mode 
designs can be synthesized which are as reliable and robust as DI circuits.
Chapter 4
Burst-mode and AFSM Circuit Synthesis
Key to any hardware design is the correct construction of physical devices. A major 
challenge in creating the final circuit is the process of unifying the physical behavior 
of components with a suitably abstract concept of the desired external operations. 
Burst-mode simplifies this process by restricting specifications in a way that makes 
them easier to build correctly as it tends to more closely match the designer's mental 
model of the hardware. One of the most significant contributions of burst-mode is 
the ability to design hazard free multiple input change combinational logic.
This chapter begins by discussing burst-mode specifications in Section 4.2 followed 
by the implementation and specification requirements. The specification requirements 
are formalized in terms of CCS. This formalism allows the verification 
of a CCS agent description as a valid burst-mode specification which is suitable for 
implementation by MEAT or other tools. If behavioral descriptions can be validated 
then the synthesis process can formally prove correctness from a high level specification 
on down to the specification of each state machine. These specifications can 
then be passed directly to MEAT or an analogous tool to generate masks which are 
ultimately fabricated. This chapter concludes with a design example from the Post 
Office.
CHAPTER 4. BURST-MODE AND AFSM CIRCUIT SYNTHESIS 81
4.1 Burst-mode
Before building the Post Office I had designed many small asynchronous systems, 
and one moderately sized asynchronous integrated circuit [Ste84]. However, the 
complexity, low latency requirements, and inherent parallelism of the Post Office 
made most of my previously used asynchronous design styles impractical. While 
single input change (or SIC) techniques were well developed, they were not directly 
applicable to Post Office control due to the amount of parallelism present. When 
several inputs to a SIC AFSM may change simultaneously, they must be filtered or 
combined with input conditioning which makes the design more difficult, and area 
and performance suffer. Some MIC techniques overly restricted the arrival time of 
signals. The stored state model I used previously for integrated circuits was a fairly 
unrestricted multiple input change (or MIC) model, but its implementations were 
also very large and the response time was slow [Hay81]. Other MIC methods required 
inertial delays (delays that can filter out small duty cycle transitions) or delays on 
the feedback lines which were also unsuitable for performance oriented designs.
My solution for implementing low latency state machines designed for parallel 
process forking and synchronization was to invent the burst-mode design style [Ste92, 
CDS93a]. Performance was further improved by transforming sum-of-products 
descriptions into complex gate CMOS implementations. Burst-mode permits a 
restricted form of MIC signaling which supports hazard free sequential logic and 
simplifies the implementation of hazard-free combinational logic in asynchronous finite 
state machines. It also results in small, intuitive specifications.
There existed a serious lack of design tools at the start of the Post Office project. 
Our tool set consisted of only a hand layout editor and design rule checker, and 
register transfer level architectural simulator. The need for some synthesis tools 
became more evident as the project wore on. I could spend a week or more designing, 
laying out, and checking a single burst-mode state machine. This time would double 
if errors were found, and the hand process was highly error prone.
I produced a tool that would take sum-of-products function specifications and 
produce a CMOS complex gate implementation. The tool produces a COSMOS ntk 
format file, or a schematic in Electric which can be printed.
Following the success of the complex gate tool, I approached Al Davis with the 
concept of writing a burst-mode synthesis tool as there were no tools available at the 
time which fitted our needs. Davis, Coates and myself then embarked on the MEAT 
tool to automate the synthesis of low latency AFSMs.
This prototype tool greatly decreased design time and opened up other design 
issues which had previously been hidden by the complexity of hand AFSM synthesis. 
David Dill had just completed his dissertation at this time and we were fortunate 
enough to get one of his students, Steve Nowick, to modify his trace structure verifier 
to model burst-mode AFSM verification. We could now synthesize and verify AFSM 
modules! Nowick also discovered a problem with our synthesis approach which could 
generate hazards under certain circumstances. This discovery and the algorithm to 
avoid the hazard were key contributions to his thesis.
C H A P T E R  4 .  B U R S T - M O D E  A N D  A F S M  C I R C U I T  S Y N T H E S I S  8 2
C H A P T E R  4. B U R S T - M O D E  A N D  A F S M  C I R C U I T  S Y N T H E S I S
4 . 2  C C S  B u r s t - m o d e  S p e c i f i c a t i o n s
8 3
Easily specifying and exploiting parallel operations is highly desirable for asynchronous state machine controllers because concurrency is "free" in hardware if the components must exist for behavioral reasons. There is no cost other than complexity of control and increased power consumption for operating transistors in parallel. Invoking operations in parallel and synchronizing multiple process completions should be as natural as sequencing for these systems. The distinguishing feature of burst-mode is its ability to control parallel activity while constraining it to ease implementation complexities and testability.
Rule 1 Input bursts and output bursts may not overlap.

Figure 4.1: Burst-mode Conceptual Model
The most salient feature of burst-mode specifications is the constraint that inputs and outputs are separated into distinct stages of parallel activity as shown in Figure 4.1. When this cannot be accomplished, the specification must be decomposed into a multiplicity of communicating AFSMs. The standard syntax for CCS and the Concurrency Workbench does not allow a convenient burst-mode syntax. All orderings of signal interleavings must be expressed explicitly. For large bursts, this can be very tedious and error prone. The following definitions describe an extended notational convenience that will be used for burst-mode behavior. It is used throughout the remainder of the text and by the software analysis and verification tools developed as part of this thesis.
Definition 1 For $a_1, \ldots, a_n \in A$, $n \geq 1$, where $a_i$ are all distinct, the input burst $(a_1, \ldots, a_n).P$ is a set of events defined recursively as follows:

$().P = \mathit{ERROR}$

$(a_1).P \stackrel{\mathrm{def}}{=} a_1.P$

$(a_1, \ldots, a_n).P \stackrel{\mathrm{def}}{=} \sum_{i=1}^{n} a_i.(a_1, \ldots, a_{i-1}, a_{i+1}, \ldots, a_n).P \quad (n > 1)$

Definition 2 For $\bar{a}_1, \ldots, \bar{a}_n \in \bar{A}$, $n \geq 0$, where $a_i$ are all distinct, the output burst $(\bar{a}_1, \ldots, \bar{a}_n).P$ is the set of events defined recursively as follows:

$().P = P$

$(\bar{a}_1, \ldots, \bar{a}_n).P \stackrel{\mathrm{def}}{=} \sum_{i=1}^{n} \bar{a}_i.(\bar{a}_1, \ldots, \bar{a}_{i-1}, \bar{a}_{i+1}, \ldots, \bar{a}_n).P \quad (n > 0)$
A notational extension is applied to CCS in this thesis (by Definition 10) where the set of names $A$ is defined as inputs and the set of conames $\bar{A}$ is defined as actively driven outputs. Input bursts will only contain input signals, and output bursts will only contain output signals. The input burst is further restricted to be a nonempty set of transitions. A second important concept of burst-mode is that the order and time of arrival of events in a burst are unconstrained.
The C-element or rendezvous is a good example of a simple multiple input change burst-mode state machine. The two inputs, a and b, arrive in a burst. The order and time of arrival of these two signals is unconstrained. After the inputs have arrived, the output $\bar{c}$ will be driven, and the circuit will then accept another input burst. The extended burst-mode notation described in Definitions 1 and 2 is compared against CCS syntax in Table 4.1 for the simple C-element.
C-element Specifications

Burst-mode:              $C\text{-}elt \stackrel{\mathrm{def}}{=} (a, b).\bar{c}.C\text{-}elt$

"Standard" CCS:          $C\text{-}elt \stackrel{\mathrm{def}}{=} a.b.\bar{c}.C\text{-}elt + b.a.\bar{c}.C\text{-}elt$

Barrier synchronization: $C\text{-}elt \stackrel{\mathrm{def}}{=} (A \mid B \mid S) \backslash \{p, g\}$

                         $A \stackrel{\mathrm{def}}{=} g.a.\bar{p}.A$

                         $B \stackrel{\mathrm{def}}{=} g.b.\bar{p}.B$

Table 4.1: Different Burst Specification Styles
Standard CCS syntax requires that all signal interleavings be explicitly stated, including all the parallel choice space. This results in a specification with $n!$ signal traces, where $n$ is the number of signals in the burst. Bursts quickly become extremely difficult to specify correctly and hard to understand in the pure CCS notation.

A general solution using standard CCS notation and "barrier synchronization" doesn't require enumerating all of the signal interleavings but requires $n + 2$ agents. Each of the signals in the burst is placed in a separate agent and the signal is bounded by synchronization signals which enable their transition, $g$, and signal that the transition has fired, $p$. This is clearer than enumerating the interleavings, but such descriptions are difficult for systems to evaluate compositionally due to the local nature of the parallel compositions of interdependent processes it requires. Barrier synchronization also results in an unsatisfactory circuit definition because it relies on CCS handshake synchronization that results in computation interference (as with signal $g$ in Table 4.1) or multiple outputs driving the same signal (as with signal $p$). See Section 7.2 for more details on correct circuit constructions in CCS.
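The $n!$ blow-up described above can be made concrete by mechanising Definitions 1 and 2. The following Python program is an added example and is not part of the thesis or of its Analyze tool; it rewrites an agent body written in the extended burst notation into standard CCS syntax and enumerates the traces a burst admits. The "~" prefix used for conames and the dotted agent syntax it parses are conventions assumed here, not the Concurrency Workbench's input language.

```python
"""Expanding burst-mode prefixes into standard CCS choice terms.

Added example; this is not the thesis's Analyze tool nor Concurrency
Workbench syntax.  It applies Definitions 1 and 2 literally: a burst
(x1, ..., xn).P becomes the sum, over each possible first event xi, of xi
prefixed to the expansion of the remaining burst.  A coname (a driven
output) is written with a leading "~", a constructed stand-in for the
overline, so the C-element of Table 4.1 is "(a,b).~c.C-elt".
"""


class BurstError(ValueError):
    """The ERROR case of Definition 1 (empty input burst), or a malformed burst."""


def _needs_parens(term):
    """True when `term` has a top-level choice (+) that a prefix must bracket."""
    depth = 0
    for ch in term:
        depth += (ch == "(") - (ch == ")")
        if ch == "+" and depth == 0:
            return True
    return False


def expand_burst(names, continuation, is_input=True):
    """Return the CCS term for (names).continuation as a string."""
    if len(set(names)) != len(names):
        raise BurstError("signals in a burst must be distinct")
    if not names:
        if is_input:
            raise BurstError("().P = ERROR for an input burst (Definition 1)")
        return continuation                          # ().P = P (Definition 2)
    if len(names) == 1:
        return f"{names[0]}.{continuation}"          # (a1).P = a1.P
    branches = []
    for i, x in enumerate(names):                    # sum over the first event
        sub = expand_burst(names[:i] + names[i + 1:], continuation, is_input)
        branches.append(f"{x}.({sub})" if _needs_parens(sub) else f"{x}.{sub}")
    return " + ".join(branches)


def burst_traces(names):
    """Every signal ordering the expansion admits: n! traces for n signals."""
    if not names:
        return [()]
    return [(x,) + rest for i, x in enumerate(names)
            for rest in burst_traces(names[:i] + names[i + 1:])]


def _split_prefixes(body):
    """Split 'b.(~c,~d).a.~d.E2' on the dots outside parentheses."""
    tokens, depth, cur = [], 0, ""
    for ch in body:
        if ch == "." and depth == 0:
            tokens.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    tokens.append(cur)
    return tokens


def expand_agent(body):
    """Rewrite an agent body in the extended notation into standard CCS.

    Prefixes are processed right to left; a parenthesised group is a burst
    and must be all inputs or all outputs.  An empty group "()" is read as
    an output burst, the only empty burst the definitions allow.
    """
    tokens = _split_prefixes(body)
    term = tokens[-1]
    for tok in reversed(tokens[:-1]):
        cont = f"({term})" if _needs_parens(term) else term
        if tok.startswith("("):
            names = [n.strip() for n in tok[1:-1].split(",") if n.strip()]
            outputs = [n.startswith("~") for n in names]
            if any(outputs) and not all(outputs):
                raise BurstError("a burst may not mix inputs and outputs (Rule 1)")
            term = expand_burst(names, cont, is_input=not all(outputs))
        else:
            term = f"{tok}.{cont}"
    return term


if __name__ == "__main__":
    for spec in ["(a,b).~c.C-elt", "b.(~c,~d).a.~d.E2", "(a,b,c).P"]:
        print(spec, "=>", expand_agent(spec))
    print(len(burst_traces(["a", "b", "c", "d"])), "traces for a four-signal burst")
```

Running it on "(a,b).~c.C-elt" reproduces the "Standard" CCS row of Table 4.1, and a three-signal burst already yields six branches; the trace count grows as $n!$, which is the tedium the extended notation removes.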
Lesson 4 Segregating inputs and outputs allows clear, concise control of parallelism from a sequential agent.

Lesson 5 The behaviors of most native elements used for asynchronous design such as the C-element, MERGE, TOGGLE, etc. segregate inputs and outputs.
4.3 Fundamental Mode Requirement

Multiple output change circuits lose the verification simplicity and some of the robustness of delay-insensitive and speed-independent circuits. Figure 4.2 is an example of such a circuit.

Figure 4.2: Burst-mode AFSM with Output Burst
Box E2 of Figure 4.2 has two inputs a and b, and two outputs $\bar{c}$ and $\bar{d}$. Assume that the non-inverting buffer has the obvious behavior where a transition on the input will be followed by a transition on the output. Also, assume that E2 has the following behavior with an output burst:

$E2 \stackrel{\mathrm{def}}{=} b.(\bar{c}, \bar{d}).a.\bar{d}.E2$

The environment should provide a transition on signal b, at which point the input burst is complete. The output burst will then be enabled to fire. Assuming an unbounded gate delay model, E2 can produce a transition on signal $\bar{c}$, at which point the buffer can then produce a transition on signal a. This results in computation interference because E2 has not completed its output burst and is not in a receptive state for the a transition.
Thus MOC burst-mode circuits are not in themselves either speed-independent or delay-insensitive modules. However, if the stability function of fundamental mode holds, as is typically the case, then all outputs ($\bar{c}$ and $\bar{d}$) in the burst will fire before the next input arrives. Burst-mode assumes fundamental mode as an engineering abstraction that is relatively easy to uphold and is more consistent with hazard definitions.

AFSM E2 may be placed in a different environment from Figure 4.2. If a transition on signal a will not be generated until after both signals $\bar{c}$ and $\bar{d}$ have been driven and accepted by the environment, there will be no computation interference. Therefore it is possible to place burst-mode machines in an environment where they can operate in a delay-insensitive or speed-independent fashion.

The window of vulnerability to computation interference is very small in Huffman machines. For example, in the Post Office design, none of the state machines required extra delay to ensure that the fundamental mode delay assumption holds. Some methods, such as the 3-D method [YD92], have been developed which reduce the window to where it is practically nonexistent if the complexity of output generation is similar for all signals.
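The interference scenario of Figure 4.2, and its disappearance in the second environment described above, can be reproduced by exploring every interleaving of E2 with its environment. The Python program below is an added example, not code from the thesis or from the Analyze tool; E2's burst sequence and the two environment tables are constructed to match the text, and a trace is flagged as computation interference as soon as the environment is able to drive an input that E2 is not waiting for.

```python
"""Exploring a burst-mode AFSM in its environment for computation interference.

Added example, not code from the thesis or its Analyze tool.  E2 is the
agent of Figure 4.2, E2 = b.(~c, ~d).a.~d.E2, written as a list of alternating
input and output bursts for one cycle ("~x" marks an output).  Each environment
is a constructed table giving, for every input, the outputs of E2 that must
have fired before the environment may drive that input; an unbounded delay may
follow, so the search lets every enabled event fire in every order.
"""
from collections import deque

E2_STEPS = [("in", frozenset({"b"})),
            ("out", frozenset({"c", "d"})),
            ("in", frozenset({"a"})),
            ("out", frozenset({"d"}))]

# Figure 4.2: the non-inverting buffer drives a as soon as c has fired.
BUFFER_ENV = {"b": frozenset(), "a": frozenset({"c"})}
# The alternative environment of Section 4.3: a is driven only after both c
# and d have been accepted, i.e. after the output burst has completed.
FUNDAMENTAL_ENV = {"b": frozenset(), "a": frozenset({"c", "d"})}


def _advance(steps, idx, remaining):
    """Step to the next burst once the current one has been exhausted."""
    if remaining:
        return idx, remaining
    idx += 1
    return idx, (steps[idx][1] if idx < len(steps) else frozenset())


def explore(steps, env):
    """Breadth-first search over all interleavings of the agent and environment.

    Returns ("interference", trace) for the shortest trace in which the
    environment drives an input the agent is not receptive to (Section 4.3's
    computation interference), ("complete", trace) when the cycle runs to its
    end without one, or ("deadlock", ()) if neither happens.
    """
    # State: (burst index, events pending in that burst, outputs fired, inputs driven)
    start = (0, steps[0][1], frozenset(), frozenset())
    queue, seen, complete = deque([(start, ())]), {start}, None
    while queue:
        (idx, remaining, fired, driven), trace = queue.popleft()
        if idx == len(steps):
            complete = complete or trace
            continue
        kind = steps[idx][0]
        succ = []
        if kind == "out":                               # E2 may fire any pending output
            for x in sorted(remaining):
                succ.append(("~" + x, _advance(steps, idx, remaining - {x}), fired | {x}, driven))
        for i in sorted(env):                           # environment may drive an enabled input
            if i in driven or not env[i] <= fired:
                continue
            if kind == "in" and i in remaining:
                succ.append((i, _advance(steps, idx, remaining - {i}), fired, driven | {i}))
            else:                                       # E2 is mid-burst elsewhere: interference
                return "interference", trace + (i,)
        for ev, (nidx, nrem), nfired, ndriven in succ:
            state = (nidx, nrem, nfired, ndriven)
            if state not in seen:
                seen.add(state)
                queue.append((state, trace + (ev,)))
    return ("complete", complete) if complete is not None else ("deadlock", ())


if __name__ == "__main__":
    for name, env in [("buffer environment", BUFFER_ENV),
                      ("fundamental-mode environment", FUNDAMENTAL_ENV)]:
        print(name, "->", explore(E2_STEPS, env))
```

With the buffer environment the search stops after b, $\bar{c}$, a: the a transition arrives while $\bar{d}$ is still pending in E2's output burst. With the fundamental-mode environment every interleaving completes the cycle, which is the stability condition Rule 6 later makes explicit.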
4.4 Burst-mode Specifications

Burst-mode specifications in the Post Office design used a graphical representation which was a variant of Mealy state graphs. This format has the advantage that it is familiar to hardware designers and is a simple way to encapsulate concurrency, communication, and synchronization. Further, these specifications can easily be mapped to a textual format for synthesis tool input (such as MEAT or Stetson).

Although there are explicit rules for the correct construction of a burst-mode specification, the above mentioned tools do not enforce or check many of the constraints. Ensuring that the behavior, properties, and most burst-mode specification rules are correct is left as an exercise for the designer. This can result in physical implementations that will not operate predictably.

The remaining sections of this chapter will discuss the burst-mode requirements, and formalize them so that burst-mode AFSM specifications can be proven correct in a larger synthesis system. The mechanism for this is developed later in this thesis. The correct specifications can then be passed to an AFSM synthesis and layout system.
4.5 Burst-mode Implementation Rules

Burst-mode transitions can be defined in terms of flow table specifications. A flow table is a two dimensional array structure which captures the internal and external states of a circuit [Ung69]. The rows of the table correspond to the internal state of the circuit, and the columns to the state of the inputs. Table entries are ordered pairs containing the next state and current output information. When the next state in an entry corresponds to the current state, the flow table is in a stable state; otherwise the current state is unstable and an internal state transition will occur. A simple way of understanding the flow table is to note that horizontal movement within a row represents changes in the values of input signals, while vertical movement within a column represents a state transition.
Definition 3 Let $\mathbb{B} = \{0, 1\}$. Each state machine contains an input set $I$ of $I_m$ variables where the value of $I_m \in \mathbb{B}$. Each state machine also contains a set of output signals $O$ of $O_n$ variables where the value of $O_n \in \mathbb{B}$.

Definition 4 An input burst $IB$ for the transition $\xrightarrow{IB/OB}$ consists of the nonempty set of input signals $I_m \in I$ which change value during the transition.

Definition 5 An output burst $OB$ for the transition $\xrightarrow{IB/OB}$ consists of the set of output signals $O_n \in O$ which change value during the transition.

Definition 6 A burst-mode state machine $BSM$, $(S, S_0, I, I_0, O, O_0, \{\xrightarrow{IB/OB} : IB \subseteq I \wedge OB \subseteq O\})$, consists of

• a set $S$ of states, where $S_0$ is the initial state.

• a set $I$ of inputs, where $I_0$ is the initial values of the inputs.

• a set $O$ of outputs, where $O_0$ is the initial values of the outputs.

• a transition relation $\xrightarrow{IB/OB} \subseteq S \times S$ potentially for each value of $IB$ and $OB$ where $IB$ is the input burst and $OB$ is the output burst.

Rule 2 Each input burst must contain at least one signal transition. An output burst may be empty.
The signals in the input burst may not be empty as at least one input must change for a transition to occur. The values of the inputs and outputs are significant, as these values are mapped to voltages in an implementation. The typical method for representing transitions in a burst-mode description includes up or down arrows for the value transition of an input or output. For example, signal a changing from high to low is represented by ↓a. This can be textually represented as a− (and ↑a represented as a+).
Definition 7 The entry point of a transition corresponds to the location in a flow table with the initial row (state) and input (column) values before any inputs in the transition have occurred.

Definition 8 The exit point of a transition corresponds to the location in a flow table within the initial row (state) of the transition. The column value consists of the final state of the transition where all inputs in the burst $I_m \in IB$ have their new values.

Rule 3 Given the set of burst-mode transitions $T = \{\xrightarrow{IB/OB} : IB \subseteq I \wedge OB \subseteq O\}$, $\forall T_i \in T$ the exit point of $T_i$ must have the equivalent column location (input values) of an entry point $T_j$. Further, the destination state of $T_i$ must be equivalent to the starting state of $T_j$ and $T_i \neq T_j$.

Rule 4 The entry point $E_i$ must be stable. Further, all flow table states in the cube covering the entry point to but not necessarily including the exit point of the transition must be stable and will contain the same output values and state markings as the entry point.
Rule 5 The exit point will contain the destination state marking. The marking of the exit point will contain either the same output marking as the entry point or the marking of the new output values following the completed output burst. If the implementation uses a single transition time implementation technique, then all signals in the input burst can be don't cares in the exit point.
Burst-mode is defined using closed flow tables. State transitions are defined with input and output signal transitions that are segregated into independent bursts of activity. Requirements for filling in flow table values are described which eliminate function hazards, and do not allow the state change or output burst to proceed until the input burst is complete. The output burst can change concurrently with the state change or may be delayed until the state change is complete. The choice is left to the designer, and results in a slight tradeoff between performance, area, and possibly the ability to remove hazards.

Each input burst results in a particular path through the flow table and AFSM state space, starting at the stable entry where the burst begins. At least one input change is required to generate a transition as there is no clock. The circuit remains in stable states, and state changes in the flow table can only move horizontally until all inputs in the input burst have been accepted. At this point a state change and output generation may occur.

The exit point of a transition in a primitive flow table always moves to a new row of the flow table forcing a state change. Minimization of the flow tables can result in merging of rows (or states in the AFSM), and may result in transitions which remain in the same state (or row of the flow table). These rules apply to minimized as well as primitive flow tables and may further restrict the way a state machine is minimized.
Theorem 1 Function hazards in combinational logic are not possible in burst-mode design.

Proof A function hazard can only exist for a transition $A \to B$ iff there exists a minimum length path between $A$ and $B$ where the output function value changes more than once. According to Rules 4 and 5, all outputs and state variables can only change following a completed input burst, or in state $B$ for outputs. Hence there is no possible minimal path that can contain multiple function changes. □

Exact, minimal, hazard free sum-of-products circuit implementations can be found for incompletely specified boolean functions generated from burst-mode specifications. Function hazards will not exist in the combinational output or state logic produced by MIC burst-mode specifications. All variants of static and dynamic hazards can be removed from the combinational logic necessary to build burst-mode state machines.

Rule 6 The burst-mode stability requirement does not allow a new input burst to arrive until the output burst has completed and all circuit elements have stabilized.

As shown in Section 4.3, this stability requirement is necessary for MOC circuits to avoid hazards and computation interference.
4.6 Burst-mode Specification Rules

This section describes the rules for correct construction of burst-mode state machines. A state graph interface was used in the Post Office, but the specifications were not checked for correct usage and construction. The formalizations that follow allow this checking to be automated with CCS specifications.

Rule 7 All inputs and outputs must strictly alternate between rising and falling transitions for any valid path of input bursts in the state machine.

The necessity to unambiguously mark transitions from the state of signals in the input set causes transitioning inputs and outputs to change an even number of times when there are loops in the state graph. Transition levels and voltage initialization values are necessary for burst-mode because it describes hardware implementations. Signal a becoming asserted from a low voltage to a high voltage is represented with ↑a in graphical specifications used in the Post Office. Some mapping from a more abstract model, such as CCS or one based solely on transitions, must be carried out before a circuit is implemented. In general, the transformations required can double the size of the specification (such as for the C-element description of Equation 3.1), but it is generally an easy transformation.

Rule 8 $\forall T_i, T_j \in T$, if the entry point of transition $T_i$ is equivalent to the entry point of transition $T_j$ then $IB_i \not\subseteq IB_j$ and $IB_j \not\subseteq IB_i$.

No transition burst is a sub-transition of others from the same starting state, and unspecified signal transitions are illegal.
Rule 9 $\forall T_i, T_j \in T$, if the entry points of the two transitions are equivalent then there must be at least one pair of inputs $i \in IB_i$ and $j \in IB_j$ such that $i \neq j$ and the environment will not provide both $i$ and $j$. Otherwise, the state machine $BSM$ must operate in single input change mode.

When multiple edges exit a single state, there must be at least one pair of mutually exclusive signals for all pairs of edges exiting the state [Mil65]. If there is no pair of mutually exclusive signals for all pairs of edges then the state machine can only operate in single input change mode. This constrains the behavior of the environment.
[Figure 4.3 (state graph not reproduced): edges are labelled with input/output transition pairs such as ↑r1/↑a1, ↓r1/↓a1, ↑r1/↑n1, ↓r1/↓n1, ↑r2/↑a2, ↓r2/↓a2, ↑r2/↑n2 and ↓r2/↓n2.]

Figure 4.3: Nacking Arbiter SIC State Machine Specification.
The state machine for the nonblocking (nacking) arbiter of Figure 4.3 used in the Post Office is an example of a state machine that must operate in SIC mode because the environment permits both r1 and r2 to transition concurrently. These signals are passed through a SEQUENCER which converts MIC signals into SIC signals.

Nondeterministic behavior is not possible in a burst-mode state machine. However, nondeterministic behavior can be achieved when mutual exclusion elements (MEs) are used to condition inputs to a state machine, such as by using the SEQUENCER to condition the r1 and r2 signals to the nonblocking arbiter. MEs are analog devices, and are the only "library" device that may be required to implement burst-mode control functions. They are easily fabricated in most VLSI technologies, requiring 12 transistors in CMOS.
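Rules 2, 3, 7, 8 and 9 are all mechanically checkable on a specification given in the form of Definition 6. The Python program below is an added example and is not the thesis's Analyze tool or any part of the MEAT tooling; it represents a BSM with bursts in the textual a+/a− notation, tracks signal values along every path from $S_0$, and reports which rule each violation breaks. The C-element and the two-request arbiter it checks are constructed specifications, and the `mutex` field is an assumed way of recording which input pairs the environment never drives together (the guarantee a SEQUENCER provides).

```python
"""Rule checks for a burst-mode state machine given as in Definition 6.

Added example (not the thesis's Analyze tool or the MEAT input format).
Bursts use the textual notation of the text: "a+" is a rising and "a-"
a falling transition of signal a.  `mutex` is a constructed convention
listing input pairs the environment never drives together (Rule 9).
"""
from dataclasses import dataclass, field
from itertools import combinations, permutations


@dataclass(frozen=True)
class Transition:
    src: str
    ib: frozenset   # input burst, e.g. frozenset({"a+", "b+"})
    ob: frozenset   # output burst, may be empty (Rule 2)
    dst: str


@dataclass
class BSM:
    s0: str          # initial state S_0
    i0: dict         # initial input values I_0
    o0: dict         # initial output values O_0
    transitions: list
    mutex: set = field(default_factory=set)   # e.g. {frozenset({"r1", "r2"})}


def _apply(values, burst, where, findings):
    """Apply a burst to a value vector; each signal must alternate (Rule 7)."""
    values = dict(values)
    for sig in sorted(burst):
        name, pol = sig[:-1], {"+": 1, "-": 0}[sig[-1]]
        if values.get(name) == pol:
            findings.append(("Rule 7", f"{sig} in {where} but {name} is already {pol}"))
        values[name] = pol
    return values


def check_bsm(bsm):
    """Return (rule, message) findings; an empty list means every check passed."""
    findings, out = [], {}
    for t in bsm.transitions:
        out.setdefault(t.src, []).append(t)
        if not t.ib:
            findings.append(("Rule 2", f"{t.src}->{t.dst} has an empty input burst"))
    # Rules 3 and 7: follow every path from S_0 carrying the signal values, so
    # the exit point of each transition is matched against the next entry point.
    known, stack = {bsm.s0: (dict(bsm.i0), dict(bsm.o0))}, [bsm.s0]
    while stack:
        s = stack.pop()
        iv, ov = known[s]
        if not out.get(s):
            findings.append(("Rule 3", f"no transition leaves state {s}"))
        for t in out.get(s, []):
            where = f"{t.src}->{t.dst}"
            niv, nov = _apply(iv, t.ib, where, findings), _apply(ov, t.ob, where, findings)
            if t.dst not in known:
                known[t.dst] = (niv, nov)
                stack.append(t.dst)
            elif known[t.dst] != (niv, nov):
                findings.append(("Rule 3", f"{where} reaches {t.dst} with different signal values"))
    # Rules 8 and 9 compare transitions that share an entry point (same state).
    for s, ts in out.items():
        for ti, tj in permutations(ts, 2):
            if ti.ib <= tj.ib:
                findings.append(("Rule 8", f"from {s}, {sorted(ti.ib)} is a sub-burst of {sorted(tj.ib)}"))
        for ti, tj in combinations(ts, 2):
            exclusive = any(frozenset({i[:-1], j[:-1]}) in bsm.mutex
                            for i in ti.ib for j in tj.ib if i[:-1] != j[:-1])
            if not exclusive:
                findings.append(("Rule 9", f"from {s}, {sorted(ti.ib)} and {sorted(tj.ib)} have no "
                                           "mutually exclusive input pair: single input change mode"))
    return findings


def _t(src, ib, ob, dst):
    return Transition(src, frozenset(ib), frozenset(ob), dst)


# Constructed specifications.  C-element: both inputs rise, then c rises.
C_ELEMENT = BSM("S0", {"a": 0, "b": 0}, {"c": 0},
                [_t("S0", ["a+", "b+"], ["c+"], "S1"), _t("S1", ["a-", "b-"], ["c-"], "S0")])
# Two-request arbiter: with no guarantee on r1/r2, Rule 9 forces SIC mode;
# conditioning the requests through a SEQUENCER-like element makes them exclusive.
_ARB = [_t("S0", ["r1+"], ["a1+"], "S1"), _t("S1", ["r1-"], ["a1-"], "S0"),
        _t("S0", ["r2+"], ["a2+"], "S2"), _t("S2", ["r2-"], ["a2-"], "S0")]
ARBITER = BSM("S0", {"r1": 0, "r2": 0}, {"a1": 0, "a2": 0}, _ARB)
ARBITER_SEQUENCED = BSM("S0", {"r1": 0, "r2": 0}, {"a1": 0, "a2": 0}, _ARB,
                        mutex={frozenset({"r1", "r2"})})

if __name__ == "__main__":
    for name, spec in [("C-element", C_ELEMENT), ("arbiter", ARBITER),
                       ("sequenced arbiter", ARBITER_SEQUENCED)]:
        print(name, check_bsm(spec) or "all rules satisfied")
```

Because the checker carries the input and output values along each path, a signal that rises twice without falling is reported under Rule 7, and a transition whose exit point does not line up with an entry point of its destination state is reported under Rule 3; Rules 8 and 9 are pairwise comparisons of the transitions leaving one state, which is exactly the situation of the arbiter above.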
4.7 Post Office Design Process Example

The implementation of control circuitry consisted of the following steps once the MEAT toolset was in place. The behavior and algorithms of the Post Office had been simulated at the register transfer level. The control behavior was converted into burst-mode state machine specifications. Each state machine specification was fed into the MEAT tool. Individual AFSM implementations were verified with a version of Dill's verifier which had been converted to the burst-mode model. If hazards were found, they were removed if possible via complex gates and inverter restructuring, and the circuit was reverified. The final verified hazard-free burst-mode sum-of-products form was fed into the complex gate tool which would generate schematics. Each state machine was then laid out by hand from the schematics and simulated with COSMOS.
Datapath circuitry, such as latches, shift registers, and ALUs, was designed and laid out in a similar fashion to synchronous components. They were simulated with SPICE and COSMOS. These were then composed with the controlling state machines, and the large blocks were simulated with COSMOS.

The datapath and burst-mode AFSM blocks were interconnected to form larger asynchronous modules. No verification was possible at this point with our toolset for two reasons. There was no intermediate form that could compare the top-down register transfer level design simulation with the bottom-up physical implementation. Further, even systems of state machines could not be verified with Dill's verifier. This was due to both the bottom-up design style and differences in the burst-mode model and his verification tool.
CHAPTER 4. BURST-MODE AND AFSM CIRCUIT SYNTHESIS 95
The stock version of COSMOS could not be used to simulate the entire Post Office chip. The event queue was designed such that new events could not be injected between cycles. A COSMOS cycle is not complete until the circuit has stabilized, that is, until there are no more pending events in the event queue. This behavior models a clocked system, where the circuit must stabilize between each clock phase. Asynchronous event injection between COSMOS cycles was necessary in certain situations in the Post Office. For example, state machines continuously attempt to forward centrally buffered packets out available ports. If the destination ports are busy the packets cannot be forwarded; the state machines loop continuously attempting to forward the packets. I modified COSMOS to allow asynchronous events, at which point it could be used to simulate the entire Post Office chip, including the pads. This was a critical aspect of the design process because it was the only method available for validating the implementation. Fortunately COSMOS was efficient enough to permit the pad to pad simulation of the entire circuit.
4.7.1 Asynchronous State Machine Design Example
The state machine from the Post Office chip called SBuf-Send-Ctl will be used as a design example. This state machine initiates the forwarding of a packet that has been placed in the central buffer pool out an idle port. This is one of the burst-mode examples I made publicly available which have been used as synthesis benchmarks by tool designers [Chu93]. Reported implementations of this state machine generated from other toolsets can be found in [LKSV90, ND91b]. When I designed this circuit, the first step was to create the burst-mode specification of the state machine graphically, which can be seen in Figure 4.4.
The graphical representation of the specification was then converted into a textual description suitable for input to MEAT. The :fsm directive names the state machine, and the :in and :out directives declare the names of the input and output signals of the state machine. The remainder of the text describes the behavioral specification. Transitions are specified as a four-tuple following the :state directive. The current state appears first, followed by the input burst in parentheses. The next state is entered followed by the output burst in parentheses. The conjunction of signal transitions in a burst is represented with the '*' symbol, while disjunctive choice is represented by the '+' symbol. Active high transitions on signal a (shown as ↑a in Figure 4.4) are textually entered as a, whereas low transitions on a (↓a) are textually entered as a~. The textual conversion is as follows:
:fsm SBuf-Send-Ctl
:in (Rej-Pkt Begin-Send Ack-Send)
:out (Latch-Addr IdleBAR Req-Send)
:state 0 (Rej-Pkt)             1 (IdleBAR * Latch-Addr)
:state 1 (Rej-Pkt~)            2 ()
:state 2 (Begin-Send)          3 (Latch-Addr~)
:state 3 (Begin-Send~)         4 (Req-Send)
:state 4 (Ack-Send)            5 (Req-Send~)
:state 5 (Ack-Send~)           0 (IdleBAR~)
:state 4 (Rej-Pkt)             6 ()
:state 6 (Rej-Pkt~ * Ack-Send) 7 (Req-Send~ * Latch-Addr)
:state 7 (Ack-Send~)           2 ()
MEAT is executed to process the specification contained in the file. The sum-of-products sequential logic required to produce the outputs is generated, along with the necessary state variables used for feedback. MEAT produced an implementation for SBuf-Send-Ctl that required two state variables, Y0 and Y1. An edited transcript of the MEAT session follows. (The user was required to enter the maximal compatibles in the version of MEAT used to design the Post Office. See [Ste92, CDS93a] for more details on MEAT.)
> (meat "sbuf-send-ctl.data")
Max Compatibles: ((0 5) (1 2 7) (3 4) (6))
> Enter State set: '((0 5) (1 2 7) (3 4) (6))
SOP for "Y1":
18: REJ-PKT + Y1*BEGIN-SEND~
SOP for "Y0":
28: BEGIN-SEND + Y0*ACK-SEND~ + Y0*REJ-PKT
SOP for LATCH-ADDR:
12: Y1*Y0
SOP for IDLEBAR:
30: BEGIN-SEND + Y0 + Y1
SOP for REQ-SEND:
12: Y0*BEGIN-SEND~
HEURISTIC TOTAL FOR THIS ASSIGNMENT: 100
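The following Python is an added worked example, written for this edition; it is not MEAT, not Dill's verifier and not code from the Post Office project. It parses the textual burst-mode format described above (the :fsm, :in, :out and :state directives with '*' conjunction and '~' for a falling transition) and checks a sum-of-products implementation against the specification by walking every specified transition from the reset state, settling the feedback state variables, and comparing the outputs with the cumulative output burst the specification promises. Run against the equations exactly as printed in the transcript above it reports mismatches on Latch-Addr and IdleBAR (for example Y1*Y0 is 0 in state 1, where Latch-Addr must be high, and Begin-Send + Y0 + Y1 falls to 0 in state 5, where IdleBAR must stay high until Ack-Send falls); these look like transcription losses, and the CORRECTED table is this example's own assumption of one output function set that does satisfy the specification with the same state variables, not MEAT's output. All function and table names are the example's own.

```python
"""Check a sum-of-products AFSM implementation against its burst-mode
specification.  Illustration added for this edition: not MEAT, not Dill's
verifier, not Post Office code; every name here is this example's own."""
import re

# The SBuf-Send-Ctl specification from the thesis, in MEAT's textual form.
SBUF_SEND_CTL = """
:fsm SBuf-Send-Ctl
:in (Rej-Pkt Begin-Send Ack-Send)
:out (Latch-Addr IdleBAR Req-Send)
:state 0 (Rej-Pkt)             1 (IdleBAR * Latch-Addr)
:state 1 (Rej-Pkt~)            2 ()
:state 2 (Begin-Send)          3 (Latch-Addr~)
:state 3 (Begin-Send~)         4 (Req-Send)
:state 4 (Ack-Send)            5 (Req-Send~)
:state 5 (Ack-Send~)           0 (IdleBAR~)
:state 4 (Rej-Pkt)             6 ()
:state 6 (Rej-Pkt~ * Ack-Send) 7 (Req-Send~ * Latch-Addr)
:state 7 (Ack-Send~)           2 ()
"""
# Equations as printed in the MEAT transcript; Y1, Y0 are the feedback
# state variables, the other three are outputs.
PRINTED = {
    'Y1': 'REJ-PKT + Y1*BEGIN-SEND~',
    'Y0': 'BEGIN-SEND + Y0*ACK-SEND~ + Y0*REJ-PKT',
    'LATCH-ADDR': 'Y1*Y0',
    'IDLEBAR': 'BEGIN-SEND + Y0 + Y1',
    'REQ-SEND': 'Y0*BEGIN-SEND~',
}
# Output functions that do satisfy the specification with the same state
# variables: this example's assumption, not MEAT's output, and silent on hazards.
CORRECTED = dict(PRINTED, **{'LATCH-ADDR': 'Y1*Y0~', 'IDLEBAR': 'ACK-SEND + Y0 + Y1'})

def parse_burst(text):
    """'a * b~' -> {'A': 1, 'B': 0}; the empty burst '' -> {}."""
    burst = {}
    for tok in (t.strip() for t in text.split('*') if t.strip()):
        burst[tok.rstrip('~').upper()] = 0 if tok.endswith('~') else 1
    return burst

def parse_spec(text):
    """Parse :fsm/:in/:out/:state; each :state carries the four-tuple
    (current, input burst, next, output burst).  Lines may wrap."""
    spec = {'name': None, 'inputs': [], 'outputs': [], 'transitions': []}
    body = ' '.join(text.split())
    for directive, arg in re.findall(r':(\w+)\s+(.*?)(?=\s:\w+|$)', body):
        if directive == 'fsm':
            spec['name'] = arg
        elif directive in ('in', 'out'):
            key = 'inputs' if directive == 'in' else 'outputs'
            spec[key] = [s.upper() for s in arg.strip('()').split()]
        elif directive == 'state':
            m = re.fullmatch(r'(\w+)\s*\((.*?)\)\s*(\w+)\s*\((.*?)\)', arg)
            cur, inb, nxt, outb = m.groups()
            spec['transitions'].append((cur, parse_burst(inb), nxt, parse_burst(outb)))
    return spec

def eval_sop(expr, values):
    """Evaluate a MEAT sum of products; the literal 'x~' is the complement of x."""
    for term in expr.split('+'):
        lits = [lit.strip() for lit in term.split('*')]
        if all(values[lit.rstrip('~')] == (0 if lit.endswith('~') else 1) for lit in lits):
            return 1
    return 0

def settle(impl, state_vars, values, limit=16):
    """Feed the state-variable equations back until nothing changes.  A
    functional fixed point only: gate delays are ignored, so the transient
    hazards that Dill's verifier reports are invisible here."""
    for _ in range(limit):
        nxt = {y: eval_sop(impl[y], values) for y in state_vars}
        if all(values[y] == nxt[y] for y in state_vars):
            return values
        values.update(nxt)
    raise RuntimeError('state variables oscillate: %r' % values)

def check_implementation(spec, impl):
    """Walk every specified transition from the reset state (all signals low)
    and return output mismatches as (from, to, signal, expected, got)."""
    outputs = spec['outputs']
    state_vars = [y for y in impl if y not in outputs]
    edges = {}
    for cur, inb, nxt, outb in spec['transitions']:
        edges.setdefault(cur, []).append((inb, nxt, outb))
    stack = [('0', {s: 0 for s in spec['inputs'] + state_vars}, {o: 0 for o in outputs})]
    seen, mismatches = set(), []
    while stack:
        cur, values, expected = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for inb, nxt, outb in edges.get(cur, []):
            vals = dict(values, **inb)     # apply the whole input burst
            settle(impl, state_vars, vals)
            exp = dict(expected, **outb)   # the output burst the spec promises
            mismatches += [(cur, nxt, o, exp[o], eval_sop(impl[o], vals))
                           for o in outputs if eval_sop(impl[o], vals) != exp[o]]
            stack.append((nxt, vals, exp))
    return mismatches

if __name__ == '__main__':
    spec = parse_spec(SBUF_SEND_CTL)
    for label, impl in (('printed', PRINTED), ('corrected', CORRECTED)):
        print(label, check_implementation(spec, impl) or 'matches the specification')
```

The settle step applies all state-variable updates together and stops at a fixed point, so this is a functional check of the state assignment and output equations, not the speed-independent hazard analysis that the verifier transcript later in this section performs; a circuit that passes here can still fail there.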
The combinational logic generated from the above transcript is free of hazards. However, hazard free implementations cannot be guaranteed with sequential logic. Hazards due to the feedbacks in sequential logic were removed whenever possible in the Post Office design. The Post Office design style localizes unremovable hazards internally to the AFSMs. The unremovable hazards can be verified and analyzed using the physical properties and variations of the devices and layout, rather than an asynchronous analysis using unbounded delays. This can result in faster, smaller circuits with functionally correct asynchronous interfaces.
The MEAT generated circuits in the Post Office, including the one in this design example, were all verified to determine if hazards existed in the implementation, and if they could be removed by design tricks. Following is the transcript of the verification of SBuf-Send-Ctl using Dill's verifier ported by Nowick for burst-mode AFSMs. The verifier reads the specification and then calls MEAT to generate the implementation using the verifier-read-fsm command. The definition of the specification is placed in the global variable *spec*, and the implementation in *impl*.
Dill's verifier assumes that each combinational function, including signal inversion, utilizes distinct devices. Hence, in the example, a separate inverter is created for the Begin-Send signal to the Y1 and Req-Send logic. This multiplicity of physical instances of the "same" signal nearly always results in hazards in burst-mode speed-independent analysis. Merging all inverters with the same source signal together, and fanning the output of the single device to the destination logic blocks, typically removes these hazards and creates a smaller, faster circuit. In this example, the two Begin-Send inverters are merged, and their output fanned out to both logic blocks. The merge and fanout operations are executed in the verifier by issuing the merge-gates function below. The verify-module function is then called to analyze the circuit for hazards:
> (verifier-read-fsm "sbuf-send-ctl.data")
Max Compatibles: ((0 5) (1 2 7) (3 4) (6))
> Enter State set: '((0 5) (1 2 7) (3 4) (6))
> (setq *impl* (merge-gates '(1 11) *impl*))
> (verify-module *impl* *spec*)
10 20 30 40 50
Error: Implementation produces illegal output.
The verifier points out an implementation error, a transient hazard [Ung69]. Two transformations were used in the Post Office project to remove hazards. The removal of this hazard with signal reordering is described in Section 3.7.1 by the addition of an inverter using the verifier's connect-inverter function. The circuit was then verified free of hazards as shown with the following transcript.
> (setq *impl* (connect-inverter 17 *impl*))
> (verify-module *impl* *spec*)
10 20 30 40 50 60 70 79 states.
The implementation has now been verified as hazard free. The next step was to lay out the circuit in an efficient manner. All Post Office state machines used complex gates to reduce the area and possibly increase performance of the circuit. The complex gate tool evaluates the equations for each state variable and output, and a schematic for each complex gate is generated. Figure 4.5 shows the complex gate generated by this tool for the Y0 state variable logic. The circuit was then laid out using Electric.

Figure 4.5: Complex Gate Schematic for SBuf-Send-Ctl Y0
The final layout of each cell, subsystem, and the entire chip were checked by simulation. The SBuf-Send-Ctl layout was extracted from Electric as a COSMOS 'ntk' file. COSMOS test vectors were hand-generated from the burst-mode specification and the layout was simulated in COSMOS. This state machine was then interconnected as part of a larger Post Office subsystem and simulated by COSMOS, and ultimately as the complete chip.
Since no behavioral model or interface description existed for blocks larger than single state machines, the simulation vectors were tested and developed concurrently with the circuit design and layout. The vectors did a poor job of fault covering and behavioral testing of the larger function blocks. In retrospect, a better effort in this area could have helped with the design modeling and testing of the implementation. The layout of SBuf-Send-Ctl used in the Post Office chip is shown in Figure 4.6.

Figure 4.6: Layout of SBuf-Send-Ctl
4.8 Summary
Burst-mode is a multiple input and output change AFSM constraint system developed as part of the Post Office project. The primary advantages of this system are the guarantee of implementations free of function hazards, a formalism for MOC AFSM verifications, and the ability to synthesize compact circuits such that hazards can be localized. Hence macro module components or entire systems can be designed as networks of burst-mode state machines, and the architectural and design techniques are not restricted. However, the layout of the individual burst-mode state machines must be controlled if all hazards cannot be removed. Burst-mode is a significant contribution to the asynchronous design community. A number of different burst-mode design styles have emerged since the MEAT tool, including a locally clocked system [ND91b], a 3-D system [YD92], and an STG based system [Chu93].
In any sequential circuit, stability cannot be forced between input changes and state changes, so sequential delay hazards may exist, although burst-mode can reduce the occurrence of such hazards. Verification can be used to point out where unremovable hazards exist, and where timing inequalities must hold. None of the 95 different burst-mode state machines in the Post Office required any additional delays or logic to assure the timing inequality would hold under worst-case analysis. However, in a less constrained layout environment such as programmable logic devices, where the locality of AFSMs may be difficult to enforce, the inequality may not hold and additional delays may be necessary.

The MEAT synthesis software and a set of Post Office burst-mode AFSMs have been available to the research community via anonymous ftp since 1989.
Chapter 5
Hardware Equivalences Formalized in CCS
Defining and calculating equality between agents is fundamental to applying formal methods to circuit verification, yet formalizing practical equivalences between asynchronous agents is a formidable challenge. Recent developments have resulted in a number of theories and languages that can be used to specify and then calculate equivalences between a component and its specification.

A circuit is usually viewed as a "black box" (or package) and its specification only describes the necessary observable behaviors. Any design that conforms to this specification could be inserted into the package and function correctly. Making the specifications as "loose" as possible without compromising the design requirements allows designers more freedom of implementation. Requiring that a component and its specification have equivalent behaviors is usually too tight a requirement and one that does not concur with the black box philosophy. Further, it almost always results in slower, more complex, and more expensive circuits.

Three techniques have been used by researchers to prove that different circuit implementations can match a loose specification. One method composes the mirror image (inverse) of the specification with the implementation and then checks for equivalence and illegal communication behavior between the specification and implementation. The second approach uses preorders rather than equivalence testing. Preorders permit the implementation to have more behaviors than the specification, and ensure that the required behaviors are present. The final method uses modal logic equations as behavioral tests.
Probably the first generally useful tool for asynchronous circuit verification was developed by Dill [Dil89]. Here verification is achieved with trace theoretical principles coupled with specification mirroring for implementation flexibility. Mirroring can result in errors if handshaking occurs between the inverse specification and the implementation when the implementation responds too quickly, and interference is not detectable. Trace theory, mirroring, and the complexity of the model Dill uses limit the usefulness of the verifier; for example, complete traces are not employed. Ebergen developed a verifier based on trace semantics for delay-insensitive implementations [EG93]. The delay-insensitive model, although extremely useful for protocols and high-level circuit verification, cannot verify gate level implementations nor many of the common hazard models. The general purpose Concurrency Workbench [Mol91] supports more powerful equivalence theories, but none of the equivalences or partial orders introduced before this thesis are directly applicable to verifying hardware components.
This chapter reviews the most important equalities used in CCS and by modern asynchronous verifiers and formal languages. CCS is introduced as a useful language for defining equivalences, representing, and reasoning about circuits. A set of partial orders, called conformances, are then described. The inadequacy of trace based semantics is demonstrated. A new conformance is introduced based on bisimulation semantics. The conformances presented here are used as the foundation for the prototype synthesis and verification tool discussed and built as part of this thesis.
5.1 Advantageous CCS Properties

CCS is a formalism for reasoning about complex parallel systems [Mil89]. The primary advantages of CCS over other formalisms are very significant. The following is a short summary of the aspects that are most useful for modeling parallel asynchronous hardware, and why the work in this thesis is based on CCS.

• Simplicity. CCS utilizes a sparse "object oriented" notation where interfaces and components can be described independently [SABL93]. The object oriented approach allows one to describe complex systems as a set of parallel agents. CCS contains only five constructions, and six distinct transition rules.

• Unique Minimal Representation. CCS has a unique, canonical minimal state representation for any behavior. This precision simplifies the application of CAD tools and transformation into other formats such as BDDs and burst-mode.

• Hierarchical Representations. Hierarchy or structure in a formalism must accomplish two conflicting requirements: (a) hide the complexity of the underlying behavior, and (b) retain all behaviors of the lower levels that directly affect the behavior at higher levels. Requirement (b) limits the amount of simplification that can be accomplished. Precisely modeling this tradeoff is key to the CCS transition rules. Internal transitions are represented by the special symbol $\tau$ in CCS. These $\tau$ transitions have a unique set of rules that differ from other actions and support observational equivalences. The ability to model hierarchy from first principles is a major strength of CCS over other formalisms. Many rivaling formalisms such as Petri nets treat structure and hierarchy vaguely. Others, such as trace systems, ignore too many behaviors in the lower levels of the structure (as will be shown later in this chapter).
• Equational Reasoning. The sound semantics and combinators in CCS allow it to embrace most (if not all) of the common equalities that have been formally defined for finitely branching sequential processes. This allows one to explore the utility of different formalisms, such as trace and bisimulation theories. The axiomatization of the language supports the implementation of automatic support tools such as the Concurrency Workbench.

• Formal Logics. A rich set of equational reasoning and logic systems exist for analyzing the properties of CCS agents. This includes Hennessy-Milner logic and the modal $\mu$-calculus [Sti91]. These can be applied directly to specifications to verify certain behavioral aspects before carrying out the implementation process. See [Liu92] for some applications of these logics to asynchronous systems.
CCS has found many direct applications. Perhaps the most successful have been verifications of complex protocols [Bre90, Bru92, Par87]. Since asynchronous circuits communicate via handshaking protocols, their correct interaction can be viewed as a form of protocol verification. However, the constraints of hardware implementation require some modifications to CCS, as will be discussed in the following chapter.
5.2 Notational Definitions

This section defines the formalisms and terminology that are applicable to the labeled transition system used in this thesis.

Definition 9 A labeled transition system $(S, T, \{\xrightarrow{t} : t \in T\})$ consists of
• a set $S$ of states
• a set $T$ of transition labels
• a transition relation $\xrightarrow{t} \subseteq S \times S$ for each $t \in T$.

Definition 10 The labels (or actions) in labeled transition systems are defined as follows:
• Input action name $a \in \mathcal{A}$ (where the set of names $\mathcal{A}$ are inputs $X$).
• Output action coname $\bar{a} \in \bar{\mathcal{A}}$ (where the set of conames $\bar{\mathcal{A}}$ are outputs $O$). By convention, $\bar{\bar{a}} = a$.
• The set of labels $\mathcal{L} = \mathcal{A} \cup \bar{\mathcal{A}}$.
• $\tau \notin \mathcal{L}$, where the label $\tau$ (tau) is the invisible internal action.
• The sort $\mathcal{L}(P)$ of an agent $P$ is its set of observable input and output actions.
• The actions of a system are: $Act = \mathcal{L} \cup \{\tau\}$.

The ability to specify a port as an input or output is essential when modeling hardware. Therefore, the labeled transition systems used here are extended to assign directionality to names and conames. The set of names $\mathcal{A}$ of a system consists of its inputs, while the set of conames $\bar{\mathcal{A}}$ contains the outputs of a system. The normal convention is followed by assuming that placing an overline over a label produces the label of its handshaking partner, even for outputs ($\bar{\bar{o}} = o$). The set of labels $\mathcal{L}$ of a system is the union of its inputs and outputs, which includes the observable actions (signal names) of the external ports of a hardware block or agent. Restricting the labels to the observable external (input and output) actions that the system can perform yields its sort. The set of actions $Act$ the system can make consists of the sort together with the silent internal action $\tau$.
Definition 11 Agent sets (or hardware components) are defined as follows:
• $\mathcal{P}$ is the set of agents $P, Q, \ldots$. By convention, $I$ refers to an implementation agent and $S$ to a specification agent.
• $\mathcal{E}$ is the set of agent expressions $E, F, \ldots$.
• $\mathcal{P}$ is derivation closed over the set $\mathcal{E}$.
Definition 12 Let $P$ be an agent. If $P \xrightarrow{\alpha} P'$, then $\alpha$ is an action of $P$ and $P'$ is an $\alpha$-derivative of $P$.
Definition 13 $\mathcal{P}$ is derivation closed if $\forall P \in \mathcal{P}$ and $\forall \alpha \in Act$, whenever $P \xrightarrow{\alpha} P'$ then $P' \in \mathcal{P}$.
This thesis uses agents and agent expressions as behavioral descriptions of hardware components. This restricts these expressions to finite systems where $\mathcal{P}$ is derivation closed over the set $\mathcal{E}$. There is usually no loss of generality with this assumption, and it eases certain proof obligations. The $\alpha$-derivative of an agent is always another agent.
When $\mathcal{P}$ is minimized, there is a single agent expression per state and the size of $\mathcal{E}$ is equivalent to the state size. The labeled transition system of Definition 9 takes $T$ to be the actions $Act$ and $S$ to be the minimized agent expressions $\mathcal{E}$. The semantics for agent expressions includes the definition of each transition relation $\xrightarrow{\alpha}$ over $\mathcal{E}$.
This defines the standard CCS labeled transition system. The following definitions simplify reasoning about the observable actions an agent can make.
Definition 14 If $s \in Act^*$ is an action sequence of an agent, then $\hat{s}$ is defined to be the projection of $s$ on $\mathcal{L}$, i.e. $\hat{s}$ is the sequence obtained from $s$ by deleting all occurrences of $\tau$. If $s \in \tau^*$ then $\hat{s} = \epsilon$.
If a system can perform the sequence of actions $s$, then $\hat{s}$ is the observable sequence (inputs and outputs) of that sequence. For example, if $s = in\;\tau\;out$ then $\hat{s} = in\;out$. Both $s$ and $\hat{s}$ may be empty. It is convenient to define a new transition relation $\Rightarrow$ which allows the invisible $\tau$ transitions to be abstracted away.
Definition 15 If $s \in Act^*$ then $\hat{s} = a_1 \ldots a_n \in \mathcal{L}^*$ and $P \stackrel{s}{\Rightarrow} P'$
iff $P (\xrightarrow{\tau})^* \xrightarrow{a_1} (\xrightarrow{\tau})^* \cdots (\xrightarrow{\tau})^* \xrightarrow{a_n} (\xrightarrow{\tau})^* P'$.
Definition 16 If $s = a_1 \ldots a_n \in \mathcal{L}^*$ then $P \stackrel{s}{\Rightarrow} P'$
iff $P (\xrightarrow{\tau})^* \xrightarrow{a_1} (\xrightarrow{\tau})^* \cdots (\xrightarrow{\tau})^* \xrightarrow{a_n} (\xrightarrow{\tau})^* P'$. If $s = \epsilon$ then $\stackrel{\epsilon}{\Rightarrow} = (\xrightarrow{\tau})^*$.
The shorthand $P \stackrel{s}{\Rightarrow}$ stands for $P \stackrel{s}{\Rightarrow} P''$ for some $P''$.
There is no direct control over $\tau$ actions in the $\Rightarrow$ transition as they have been filtered from consideration. If an action sequence $s$ contains explicit $\tau$ actions they must be filtered out as is done in Definition 15, removing any contribution to the transition.
Note in particular that in Definition 16 the sequence $s$ cannot contain any $\tau$ actions. However, any number of $\tau$ actions may occur in the transition before and after each action $a_k$. Because the internal $\tau$ transitions are ignored in this transition relation, the agent can utilize internal actions to choose different destination states. For example, assuming $\mathcal{E} = \{E_{31}, E_{32}\}$, $E_{31} \stackrel{def}{=} a.E_{32}$, and $E_{32} \stackrel{def}{=} \tau.E_{31} + b.E_{31}$, then both $E_{31} \stackrel{a}{\Rightarrow} E_{31}$ and $E_{31} \stackrel{a}{\Rightarrow} E_{32}$ are valid transitions.
Definition 17 If $s = \alpha_1 \ldots \alpha_n \in Act^*$, then $P'$ is an $s$-descendant of $P$ iff $P \stackrel{s}{\Rightarrow} P'$.
Definition 18 The $s$-descendant of an agent $P$ is a $\tau$-descendant iff $s \in \tau^*$.
The agent $P$ and its $\tau$-descendant $P'$ can be the same agent. This occurs when $s \in Act^*$ and $\hat{s} = \epsilon$.
Consider the labeled transition system
$(\mathcal{E}, Act^*, \{\stackrel{s}{\Rightarrow} : s \in Act^*\})$ (5.1)
based on sequences of visible actions rather than just single transitions. This results in a notion analogous to that of an $\alpha$-derivative of an agent. This labeled transition system is a conceptual extension of a standard system based on $s$-descendants. It is an extremely busy system. Its main advantage is one of notational convenience in describing observable trace based systems.
A central aspect of a formal verification system is the power of the equalities used. CCS can choose from a lattice of formalisms upon which one can base verifications, ranging from very strong (strong bisimulation) to very weak (trace equivalence). See [vG90b] for an excellent paper on the semantics of equalities. Figure 5.1 shows a lattice of the relative strengths of some practical equalities that may be used for circuit verification. Trace based systems are the weakest in use and bisimulation the most sensitive.
Figure 5.1: Lattice of Equality Relations, from strongest to weakest: Bisimulation Semantics; Ready Simulation Semantics; Failure Semantics and Simulation Semantics (shown side by side); Trace Semantics
5.3 Equivalences and Agent Properties
This section will cover the traditional trace systems and bisimulation based models and explain their appropriateness to hardware verification.
5.3.1 CCS Equalities
Trace Equivalence
Trace theory equates agents whose sequences of observable actions are the same. Complete traces must be used to assure accuracy under this model. This is the coarsest equivalence and is the least able to distinguish differences between agents. It equates more agents than other equivalences used in practice. The definition for trace equivalence follows.
Definition 19 Agents $P$ and $Q$ are (weakly) trace equivalent, written $P =_t Q$, iff $\forall s \in \mathcal{L}^*$, $P \stackrel{s}{\Rightarrow}$ if and only if $Q \stackrel{s}{\Rightarrow}$.
As can be seen, this equivalence completely abstracts away the internal actions of agents. Information is not available about derivative actions nor concerning the effect of internal choices. Most trace systems cannot even represent internal $\tau$ transitions. Perhaps the biggest problem with trace based systems is their inability to detect deadlock. Nonetheless, trace theory is used to verify asynchronous hardware [Dil89, Ebe88, Udd84]. Additional tools must be applied to verify other requirements. However, by adding the additional notational strength of bisimulation, one can get these capabilities in a single tool.
Bisimulation
Observational equivalence in CCS equates processes whose externally observable behavior is identical. The behavior of a system then becomes precisely what can be observed from the outside. Milner's conceptual idea of observational equivalence is similar to the "black box" specification where details of the implementation are unimportant if it conforms to the required external behavior. However, internal actions can modify the state of a module and cause a change in the observable behavior of the box, so the definition of observation equivalence requires $\tau$ transitions.
The notion of (observational) equivalence was formalized by Park as bisimulation [Par81]. Agents $P$ and $Q$ are equivalent if, for every action $\alpha$, every $\alpha$-derivative of $P$ is observation equivalent to some $\alpha$-descendant of $Q$, and similarly with $P$ and $Q$ interchanged. Bisimulation gets its name from the back and forth nature of the definition. The following two varieties of bisimulation can be found in [Mil89].
Definition 20 Agents $P$ and $Q$ are strongly bisimilar, written $P \sim Q$, iff $\forall \alpha \in Act$
(i) Whenever $P \xrightarrow{\alpha} P'$ then, for some $Q'$, $Q \xrightarrow{\alpha} Q'$ and $P' \sim Q'$
(ii) Whenever $Q \xrightarrow{\alpha} Q'$ then, for some $P'$, $P \xrightarrow{\alpha} P'$ and $P' \sim Q'$
The notion of strong bisimilarity is not appropriate for our observational model as it requires internal actions of each agent to be matched by the other agent, even when the outcome is observably irrelevant. For example, $a.\tau.b.Nil \not\sim a.b.Nil$. Strong bisimilarity is, however, a foundation for many definitions, including our desired formulation of (weak) bisimulation.
Definition 21 Agents $P$ and $Q$ are (weakly) bisimilar, written $P \approx Q$, iff $\forall \alpha \in Act$
(i) Whenever $P \xrightarrow{\alpha} P'$ then, for some $Q'$, $Q \stackrel{\hat{\alpha}}{\Rightarrow} Q'$ and $P' \approx Q'$
(ii) Whenever $Q \xrightarrow{\alpha} Q'$ then, for some $P'$, $P \stackrel{\hat{\alpha}}{\Rightarrow} P'$ and $P' \approx Q'$
In this thesis, bisimulation and equivalence between agents both refer to weak bisimulation (also known as weak equivalence). Weak bisimulation satisfies the notion of equating agents whose observable actions are indistinguishable. Weak bisimulation is not, however, a congruence, and so equivalent agents cannot always be substituted safely. When the agents are initially stable (having no $\tau$-derivatives), bisimulation is a congruence. See [Mil89] pages 111-113 for further details.
Branching time bisimulation is a second notion of bisimulation equivalence developed by van Glabbeek [vG90a]. This definition is slightly finer than Park's definition found in Milner. The agents $a.(P + \tau.Q) + a.Q = a.(P + \tau.Q)$ cannot be distinguished by external observation, and hence are observationally equivalent. However, due to their significantly different derivation trees and internal branching structure (the $a$-derivatives of the two sides are different), they are not considered equivalent in branching time bisimulation.
Branching time bisimulation contains some nice reasoning properties and simplifies some of the analysis algorithms. Hence the tool developed in this thesis is based upon van Glabbeek's branching time bisimulation. Branching time bisimulation is slightly finer than bisimulation because it can detect the difference of the above nondeterminate action. Note that the type of nondeterminism necessary to create a detectable difference between bisimulation and branching time bisimulation is unlikely to occur with asynchronous control.
5.3.2 Predictability
The predictability of hardware, engineered components, and systems is of paramount importance. There must be a means for fabricating devices that will perform identically to previously built devices. Engineers also wish to test these devices for correct operation, or design self testing circuits. Many circuits require strong predictability: for the same input sequences the same output behavior is expected every time. This stronger formulation of predictability has been formalized across agents as the determinate property, and when applied to hardware components is conceptually similar to declaring a component deterministic.
Definition 22 $P$ is strongly determinate if, for every derivative $Q$ of $P$ and $\forall \alpha \in Act$, whenever $Q \xrightarrow{\alpha} Q'$ and $Q \xrightarrow{\alpha} Q''$ then $Q' \sim Q''$ where $\sim$ is strongly bisimilar.
This requirement states that the same experiment should always yield the same result. Consider the agent $E_4 \stackrel{def}{=} \alpha.\beta.P + \alpha.\gamma.Q$ (whose derivation tree can be seen as the right tree of Figure 5.5(a) on page 126). This agent expression is not strongly determinate because it has two $\alpha$-derivatives to states which are not strongly equivalent. As with strong bisimulation, strong determinacy is not useful for engineered systems. For example, the agent expression $E_5 \stackrel{def}{=} \alpha.(\beta.P + \tau.Nil)$ is strongly determinate, but results in unpredictable behavior! After the $\alpha$ action, the agent $E_5$, at its own choice, can decide to deadlock or accept a $\beta$ action and evolve into agent $P$. (The derivation tree of $E_5$ is similar to the left derivation tree of Figure 5.5(a) on page 126 where $\gamma$ is replaced by $\tau$.)
By abstracting away from the internal $\tau$ transitions a preferred notion of determinacy can be defined.
Definition 23 $P$ is (weakly) determinate if, $\forall s \in \mathcal{L}^*$, whenever $P \stackrel{s}{\Rightarrow} P'$ and $P \stackrel{s}{\Rightarrow} P''$ then $P' \approx P''$.
Intuition tells us that an unpredictable system should not be determinate. This is true with (weakly) determinate systems. For example, the unpredictable agent expression $E_5$ is not determinate. Hence this is the definition used in this thesis and any subsequent reference to determinate systems will refer to weak determinacy.
Proposition 1 Determinacy is preserved by bisimulation; that is, if $P$ is determinate and $P \approx Q$ then $Q$ is determinate.
Proof Milner [Mil89] page 234. □
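The $\Rightarrow$ relation of Definitions 15 and 16 (with the $E_{31}$/$E_{32}$ example), the strong and weak bisimulations of Definitions 20 and 21, and the two determinacy properties of Definitions 22 and 23 can all be computed mechanically on a finite agent. The following Python program is an added worked example, not code from this thesis or from the Analyze tool. The agents $E_{31}$, $E_{32}$, $E_4$, $E_5$ and the pair $a.\tau.b.Nil$ / $a.b.Nil$ are taken from the text, with $P$ and $Q$ taken to be $Nil$; the state names and the string `"tau"` are this example's own encoding. Both bisimulations are computed as the greatest fixpoint of their defining clause; weak determinacy is decided by a subset construction over the sets of $s$-descendants, which is finite for a finite agent and so avoids enumerating the infinite set $\mathcal{L}^*$.

```python
from itertools import product

TAU = "tau"

# Constructed finite agents from the text, encoded as state -> [(action, next_state)].
#   E31 = a.E32            E32 = tau.E31 + b.E31
#   E4  = alpha.beta.P + alpha.gamma.Q      (P, Q taken to be Nil)
#   E5  = alpha.(beta.P + tau.Nil)
#   A1  = a.tau.b.Nil      A2  = a.b.Nil
LTS = {
    "E31": [("a", "E32")],
    "E32": [(TAU, "E31"), ("b", "E31")],
    "E4": [("alpha", "beta.P"), ("alpha", "gamma.Q")],
    "beta.P": [("beta", "P")], "gamma.Q": [("gamma", "Q")],
    "E5": [("alpha", "X")],
    "X": [("beta", "P"), (TAU, "Nil")],          # X = beta.P + tau.Nil
    "A1": [("a", "T1")], "T1": [(TAU, "B1")], "B1": [("b", "Nil")],
    "A2": [("a", "B2")], "B2": [("b", "Nil")],
    "P": [], "Q": [], "Nil": [],
}

def hat(s):
    """Definition 14: drop every tau from an action sequence."""
    return tuple(a for a in s if a != TAU)

def step(states, a):
    """Strong a-derivatives of a set of states (the -> relation)."""
    return {q for p in states for (b, q) in LTS[p] if b == a}

def tau_closure(states):
    """Everything reachable by (tau ->)*, i.e. the epsilon ==> relation."""
    seen, todo = set(states), list(states)
    while todo:
        for (b, q) in LTS[todo.pop()]:
            if b == TAU and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen

def weak_step(states, a):
    """One ==> move: tau* a tau* for a visible a, and just tau* when a is tau (hat(a) = epsilon)."""
    states = tau_closure(states)
    return states if a == TAU else tau_closure(step(states, a))

def descendants(p, s):
    """Definition 17: the s-descendants of p for s in Act*; taus in s are filtered as in Definition 15."""
    states = tau_closure({p})
    for a in hat(s):
        states = weak_step(states, a)
    return states

def bisimulation(match):
    """Greatest fixpoint: start from all pairs and drop any pair where a strong move of one
    side is not answered, via `match`, by the other side with related successors."""
    rel = {(p, q) for p in LTS for q in LTS}
    changed = True
    while changed:
        changed = False
        for (p, q) in list(rel):
            ok = (all(any((p1, q1) in rel for q1 in match({q}, a)) for (a, p1) in LTS[p])
                  and all(any((p1, q1) in rel for p1 in match({p}, a)) for (a, q1) in LTS[q]))
            if not ok:
                rel.discard((p, q))
                changed = True
    return rel

STRONG = bisimulation(step)       # Definition 20: P ~ Q  (a tau move must be matched by a tau move)
WEAK = bisimulation(weak_step)    # Definition 21: P ~~ Q (moves are answered modulo tau)

def derivatives(p):
    """All derivatives of p (states reachable by any number of strong moves), p itself included."""
    seen, todo = {p}, [p]
    while todo:
        for (_, q) in LTS[todo.pop()]:
            if q not in seen:
                seen.add(q)
                todo.append(q)
    return seen

def strongly_determinate(p):
    """Definition 22: for every derivative, all a-derivatives are pairwise strongly bisimilar."""
    return all((q1, q2) in STRONG
               for q in derivatives(p)
               for a in {a for (a, _) in LTS[q]}
               for q1, q2 in product(step({q}, a), repeat=2))

def weakly_determinate(p):
    """Definition 23: for every s in L*, all s-descendants are pairwise weakly bisimilar.
    The sets of s-descendants of a finite agent are finitely many, so they are explored
    as a subset construction instead of enumerating the infinite set of sequences s."""
    labels = {a for ts in LTS.values() for (a, _) in ts if a != TAU}
    start = frozenset(tau_closure({p}))
    seen, todo = {start}, [start]
    while todo:
        d = todo.pop()
        if not all((q1, q2) in WEAK for q1, q2 in product(d, repeat=2)):
            return False
        for a in labels:
            nxt = frozenset(weak_step(d, a))
            if nxt and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True

if __name__ == "__main__":
    print(descendants("E31", ("a",)) == {"E31", "E32"})          # True: both a-descendants are valid
    print(("A1", "A2") in STRONG, ("A1", "A2") in WEAK)          # False True
    print(strongly_determinate("E4"), strongly_determinate("E5"))  # False True
    print(weakly_determinate("E5"))   # False: after alpha, X and Nil are not weakly bisimilar
```

The run reproduces the three claims of the text: $E_{31} \stackrel{a}{\Rightarrow}$ reaches both $E_{31}$ and $E_{32}$, $a.\tau.b.Nil$ and $a.b.Nil$ are weakly but not strongly bisimilar, and $E_5$ is strongly determinate yet not (weakly) determinate, because its $\alpha$-descendants $\beta.P + \tau.Nil$ and $Nil$ are not weakly bisimilar. The fixpoint is quadratic in the number of states per iteration and adequate for agents of this size; a partition refinement algorithm is what a tool such as Analyze would use for larger systems.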
Unfortunately, determinacy is not preserved over the summation and composition operators of CCS. By restricting the syntax, determinacy can be preserved over composition and summation. However, the restrictions required to guarantee that determinacy is preserved by composition disallow communication between the parallel agents. This restriction would result in an unusable syntax for modeling parallel hardware. Thus we cannot be assured that a system built out of predictable determinate components (such as AND gates) will itself be predictable and determinate. This necessitates additional analysis of circuits designed from multiple parallel components when predictability is important.
There is a special type of determinacy, called confluence. The notion of confluence is one where if there are multiple possible actions, then the occurrence of one of the actions will not preclude the occurrence of the other actions. This is a notion that is similar to the semi-modular property developed by Muller [Mul65].
Similar to bisimulation and determinacy, there are strong and weak forms of confluence. For observational reasons, the work in this thesis is primarily interested in the weak form of confluence.
Definition 24 $P$ is (weakly) confluent if for every derivative $Q$ of $P$ the following diagrams can be completed such that if the top and left hand derivations exist then the bottom and right hand derivations can be inferred.
[Four commuting diagrams (i) to (iv), each with $Q$ in the top left corner and $Q_1$, $Q_2$ at the other corners; a side condition relating $Q$ and $P$ is attached beside diagram (iii). The arrow labels did not survive extraction.]
Confluent agents preserve determinacy over composition when all communicating actions are restricted. The set of confluent hardware components is extremely limited. However, confluence does have an application in burst-mode state machines as will be discussed in Chapters 4 and 7. For further details on determinacy and confluence, see [Mil89].
5.4 Hardware Conformance to Specifications
We now have enough notational strength to define when an implementation conforms to a specification. Conformances are not equivalences, but they determine when an implementation is an acceptable construction of the specification.
Part of the designer's art is to utilize the unspecified state space in such a way as to produce pleasing designs. Good specifications will maximize the unreachable state space without overly restricting the environment and implementation behaviors. This allows implementations to accept inputs which won't be provided by the circuit's environment, and to generate outputs from unreachable states. Such specifications are sometimes called "loose" specifications.
Conformance should be as "loose" as possible, equating as many agents to a specification as possible, without violating the requirements set forth by the specification. Conformance defines the appropriate restrictions applied between the specification and an implementation. The possible set of implementation action sequences can be restricted by the specification, which knows exactly when input and output actions are permissible.
The implementation must be capable of all behaviors dictated by the specification. Further, the implementation must not show any illegal behaviors within the reachable state space. In particular, any outputs the implementation may generate must be matched by the specification. Freedom of implementation is possible because the behavior in unreachable states is completely unrestricted.
Ignoring unreachable behaviors is axiomatized by the equational law shown in Proposition 2. When $I_1$ is an implementation agent, it allows the agent expression $\alpha.I_1$ to be discarded because it is an unreachable input expression. This results in a preorder between specification and implementation because the valid behaviors of an implementation can be greater than those of the specification.
Proposition 2 $\alpha.I_1 + I_2 \succeq S$ iff $I_2 \succeq S$ and $\alpha \in \mathcal{A}$ and $S \stackrel{\alpha}{\nrightarrow}$
The specification defines the contract between an implementation and its environment. The agreement is twofold. First, the environment agrees to only provide input signals in the restricted ordering designated by the specification. Implementations are nearly always capable of accepting inputs which will not be provided by the environment. Since these agent derivations will not occur by definition, they can be ignored. This is important as it results in a "don't care" freedom for the designer of the implementation to exploit. Secondly, for valid inputs, the implementation will provide outputs precisely as specified.
5.5 Trace Conformance
Definition 25(i) assures that under Trace Conformance, the implementation can match the behaviors of the specification. This requirement is one direction of Trace Equivalence in Definition 19. Further, for all states for which the agents are trace equivalent, the outputs must also match the specification exactly. Definition 25(ii) assures that for any sequence that $I$ and $S$ can perform, the output sequence will match exactly.
Definition 25 Implementation $I$ is Trace Conformant to specification $S$, written as $I \succeq_t S$, iff $\forall s \in \mathcal{L}^*$ and $\forall t \in \overline{\mathcal{A}}^*$
(i) Whenever $S \stackrel{s}{\Rightarrow}$ then $I \stackrel{s}{\Rightarrow}$
(ii) Whenever $S \stackrel{s}{\Rightarrow}$ and $I \stackrel{st}{\Rightarrow}$ then $S \stackrel{st}{\Rightarrow}$
The simple FIFO example of Figure 5.2 will be used to demonstrate the intuition behind Trace Conformance. Assume that we want to see if a two place FIFO is a valid implementation of a one place FIFO. The specification of the single FIFO cell $F$ in Figure 5.2 is defined as $F \stackrel{def}{=} in.\overline{out}.F$. Assume also that the cell $F_1$ of Figure 5.2(a) has the same behavior.
Figure 5.2: Conformance Example with FIFO Buffers. (a) Two Element FIFO/Hybrid; (b) Single Element FIFO.
Example 1
Trace conformance was defined as an operation on possible derivative sequences. Consider the traces of length three for the single FIFO element $F$ and for the two element FIFO implementation $(F[t1/out] \mid F[t1/in]) \backslash \{t1\}$. The specification has a single valid trace of length three: $in\;out\;in$. If we look at the two element FIFO, it has one additional trace of length three, as shown in Table 5.1.
1: $in\;in\;out$
2: $in\;out\;in$
Table 5.1: Traces of Length Three for the Two Element Hybrid Circuit
Using the one place FIFO as the specification, the two place FIFO implementation can be checked for conformance. Definition 25(i) requires that the implementation have the same behavior (traces) as the specification. The second trace in Table 5.1 is equal to the specification's trace, so that part holds. Next, all traces that are unreachable can be discarded because of input restrictions. The two element FIFO can accept two inputs before producing an output, as shown in the first trace of Table 5.1. However, the environment is restricted by the specification such that after presenting $in$, it must wait for $out$ before it can supply another $in$ signal. Since a second input will never be produced by the environment without first consuming an output, this trace can be discarded. This leaves the single trace which matches the specification, showing that for traces of length three or less, the implementation is trace conformant.
Figure 5.3 represents the same behavior as specified by the circuit diagrams of Figure 5.2 with state graphs (or the derivation trees of a labeled transition system). This representation is more intuitive and has simpler analysis methods than the traces of Table 5.1. The trace structure can be created from the state graph of Figure 5.3(b).
Figure 5.3: Two FIFO Derivation Trees. (a) FIFO Specification; (b) FIFO Implementation.
Trace conformance verifies that the implementation has the same descendant behaviors as the specification, and that there are no illegal output behaviors. State 0 of the specification and of the implementation in Figure 5.3 both have the same derivative behaviors: each has an in-derivative that moves to state 1. From state 1, the specification has an out-derivative, which moves the specification back into state 0. The implementation also has an out-derivative, which moves it back to the initial state. However, the implementation also has an in-derivative from state 1 which the specification does not have. Since this is an input that will not be generated by the environment, the transition can be ignored. State 2 is circled with a "cloud" indicating that it is unreachable. This verifies that for all traces the two-element FIFO is trace conformant to a single-element FIFO.
This example can also be conceptually verified by examining the traces as regular expressions. The regular expression for the specification's traces is (in out)*. The regular expression for the traces of the two-element FIFO is (in (in out)? out)*, where the '?' symbol indicates that the expression will be matched zero or one time. The definition of trace conformance restricts the regular expression of the implementation, resulting in the mapping (in (in out)? out)* ↦ (in out)*. The internal term (in out)? is removed, which corresponds to the removal of state 2 in Figure 5.3. Since the traces for the specification and the restricted behavior of the implementation are equivalent, as (in out)*, the implementation conforms to the specification.

Example 2

Suppose that the behavior of box F1 in Figure 5.2 is redefined. Is this implementation trace conformant with the specification when $F_1 \stackrel{\mathrm{def}}{=} in.(\overline{out}.\overline{out}.F_1 + \overline{out}.F_1)$?

    1: in in out
    2: in out in
    3: in out out

Table 5.2: Traces of Length Three for the Two Element FIFO

Table 5.2 shows the traces of length three for the new system. Verification can now be applied to the new system to determine whether or not it is trace conformant to the specification. The specification's trace is present as the second trace in Table 5.2, so Definition 25(i) holds. Next, for all reachable traces (or states), the implementation's output behavior must match that of the specification. Initially the specification can do no output; this behavior is matched by the implementation. Because the specification does not allow the environment to produce two adjacent in transitions, the first trace in Table 5.2 is thrown out as unreachable. Let s be the trace in, which is a valid trace for both the specification and the implementation. Then, let trace t be out out. The trace st is possible for the implementation. However, since st is impossible for the specification, this implementation is not trace conformant with a single FIFO. This erroneous trace can be seen as the third trace in Table 5.2.
Figure 5.4: Derivation Tree of FIFO-like Structure
The derivation tree of the new FIFO structure is shown in Figure 5.4. Notice that the same required derivative structure of the specification in Figure 5.3(a) is present in the new FIFO structure's states 0 and 1. The in transition to state 2 and the "clouded" region can be thrown out because they are unreachable. Observe that there are two out transitions possible from state 1. Assume the out transition to state 4 is taken. From there, it is possible to take a second out transition to state 0, which violates conformance. Thus this implementation is not trace conformant to the specification.
5.5.1 Suitability of Trace Conformance

Trace conformance is generally unsuitable for verification because of some undesirable equational laws arising from its inability to distinguish between agents. Proposition 3 contains some equational laws of trace systems that cause problems with circuit verification.

Proposition 3
(1) $a.(P + Q) = a.P + a.Q$
(2) $P + \tau.Q = P + Q$
(3) $\tau.P = P$
(4) $(P + Q)\backslash R = P\backslash R + Q\backslash R$
Figure 5.5: Weaknesses in Trace Analysis (pairs (a), (b) and (c) of derivation trees over the actions α, β, γ and τ)
These laws can result in equivalences between derivation trees which are undesirable for circuit verification. Trace conformance or trace equivalence cannot distinguish between the pairs of derivation graphs in Figure 5.5. Trace models are generally insensitive to the branching structure of agents. They cannot determine when a choice is made by a system, as shown in Figure 5.5(a) and (b). Likewise, they cannot determine if deadlock has occurred, as shown in Figure 5.5(c). The derivation trees in (a) are an example of Proposition 3(1), and the trees in (b) are an example of Proposition 3(2). The fourth law can be derived from the first two.

Because of their insensitivity to the branching structure of agents, trace-verified systems can deadlock when interconnected. Assume that two components have the branching structure shown by the left tree of Figure 5.5(b), and that they are interconnected and communicate on labels β and γ. Deadlock will occur if one agent decides it will communicate on β and the other decides it will communicate on γ. The traces of the system will contain the complete traces as well as the truncated ones produced when deadlock occurs, resulting in a "verified" system. This problem is exacerbated by the hide operator of trace systems, which discards interconnectivity information: all sources of the problem have disappeared once this operator has been applied! When used this way the hide operator is similar to CCS restriction, but it merely influences the traces that are possible, rather than introducing a silent internal action which can affect the externally observable actions.

Three questions will be answered at this point. Why would one use trace-based systems at all, given such serious flaws? Is there a way to strengthen trace systems to allow them to detect deadlock and to be more sensitive to the branching structure of agents? Lastly, are there other approaches which will give more confidence in the results, effectively disallowing the equational laws in Proposition 3?
5.5.2 Strengthening Trace Verifications

There are two ways to strengthen trace semantics. The first is to use complete trace semantics, which represent complete executions. In the case of recursive or nonterminating processes, the complete traces would be infinite. If a regular expression can be generated, as was done in an example above, then infinite sequences can be given a finite representation. However, complete traces are still not strong enough to detect deadlock.
A second technique which strengthens trace semantics is to add failure sets. Generally, traces only allow the observation of executable sequences. Failure semantics requires that one can additionally determine which operations cannot occur after each possible trace. Failure semantics thus adds the ability to observe some information about the internal branching structure of agents. The CCS definition of a failure, sometimes called testing equivalence, is defined in [dNH83] as follows:

Definition 26 A failure is a pair $(s, L)$ where $s \in \mathcal{L}^*$ is a trace and $L \subseteq \mathcal{L}$ is a set of labels. The failure $(s, L)$ belongs to an agent $P$ if there exists $P'$ such that
(i) $P \stackrel{s}{\Longrightarrow} P'$
(ii) $P' \stackrel{\tau}{\nrightarrow}$
(iii) $\forall a \in L,\ P' \stackrel{a}{\nrightarrow}$
Failure semantics is extremely busy, as many potential failures must be associated with each partial trace. Some of the failures of the example of Figure 5.2 on page 122, with boxes F and F1 using the same definition, are shown in Table 5.3. Note that the failures for the trace in are different, yet it has been shown that the implementation conforms to the specification. Hence there needs to be some theory for what constitutes a significant difference in failure traces if they are to be used for conformance.

    Specification        Implementation
    (ε, {out})           (ε, {out})
    (in, {in})           (in, ∅)
    (in out, {out})      (in out, {out})

Table 5.3: Failures for Some Matching Traces of the FIFO Example
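The hand checks of Examples 1 and 2 and the failure sets of Table 5.3 can be mechanised directly over the derivation trees. The following Python is an added example (not code from the thesis, nor from the Analyze tool): it writes the single-element FIFO specification, the two-element FIFO of Example 1 and the Figure 5.4 structure of Example 2 as labelled transition systems, applies the three rules used in the trace conformance check (discard inputs the environment cannot supply, require every behaviour of the specification, forbid outputs the specification lacks), and enumerates failures in the sense of Definition 26. The transition leaving the unreachable state 2 of Example 2 is an assumption made here, since the page does not give it; the names trace_conformance, failures, succ and enabled are this example's own.

```python
"""Trace conformance and failure sets over small labelled transition systems."""
from collections import deque
from typing import Dict, FrozenSet, List, Set, Tuple

# An agent is a dict: state -> list of (label, next_state).  State 0 is the
# initial state.  Labels are plain strings; which are inputs and which are
# outputs (the barred co-names of CCS) is recorded separately.
LTS = Dict[int, List[Tuple[str, int]]]
INPUTS = {"in"}
OUTPUTS = {"out"}

# Single-element FIFO specification, traces (in out)*
SPEC: LTS = {0: [("in", 1)], 1: [("out", 0)]}

# Example 1: two-element FIFO, traces (in (in out)? out)*
FIFO2: LTS = {0: [("in", 1)], 1: [("in", 2), ("out", 0)], 2: [("out", 1)]}

# Example 2: the FIFO-like structure of Figure 5.4 as described in the text:
# states 0 and 1 mirror the specification, state 1 has two `out` transitions
# (to 0 and to 4), and a second `in` leads into the unreachable "clouded"
# region (state 2).  The transition out of state 2 is an assumption made here;
# it never matters because the checker never reaches state 2.
FIFO_BAD: LTS = {0: [("in", 1)], 1: [("out", 0), ("out", 4), ("in", 2)],
                 4: [("out", 0)], 2: [("out", 1)]}


def succ(lts: LTS, states, label: str) -> FrozenSet[int]:
    """All states reachable from `states` by one `label` transition."""
    return frozenset(n for s in states for (l, n) in lts.get(s, []) if l == label)


def enabled(lts: LTS, states) -> Set[str]:
    """Labels that some state in `states` can perform."""
    return {l for s in states for (l, _) in lts.get(s, [])}


def trace_conformance(impl: LTS, spec: LTS) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return [] if impl is trace conformant to spec, else the offending traces.

    Explores pairs (I, S) of state sets reached by the same trace, so agents
    with nondeterministic choice are handled by subset construction.
      * an input that no spec state accepts is never supplied by the
        environment and is ignored, so the "clouded" states are never visited;
      * a label the spec can perform must also be possible for impl
        (the implementation has the same descendant behaviours);
      * an output impl can perform must be allowed by spec (no illegal outputs).
    """
    start = (frozenset({0}), frozenset({0}))
    seen, todo, bad = {start}, deque([(start, ())]), []
    while todo:
        (I, S), trace = todo.popleft()
        for label in sorted(enabled(impl, I) | enabled(spec, S)):
            I2, S2 = succ(impl, I, label), succ(spec, S, label)
            t = trace + (label,)
            if label in INPUTS and not S2:
                continue                        # environment never produces it
            if not I2:
                bad.append(("missing behaviour", t))
                continue
            if not S2:
                bad.append(("illegal output", t))
                continue
            if (I2, S2) not in seen:
                seen.add((I2, S2))
                todo.append(((I2, S2), t))
    return bad


def failures(lts: LTS, alphabet: Set[str], max_len: int):
    """Failure set (Definition 26) for traces of length <= max_len.

    Each element is (trace, L) where L is the largest set of labels a state
    reached by `trace` refuses; every subset of L is a failure too.  The agents
    here have no tau transitions, so every state is stable and clause (ii) of
    the definition holds trivially.
    """
    out, todo = set(), deque([(frozenset({0}), ())])
    while todo:
        states, trace = todo.popleft()
        for s in states:
            out.add((trace, frozenset(alphabet - enabled(lts, {s}))))
        if len(trace) < max_len:
            for label in sorted(enabled(lts, states)):
                todo.append((succ(lts, states, label), trace + (label,)))
    return out


if __name__ == "__main__":
    print("two-element FIFO:", trace_conformance(FIFO2, SPEC) or "conformant")
    print("Figure 5.4 structure:", trace_conformance(FIFO_BAD, SPEC))
    for name, agent in (("spec", SPEC), ("impl", FIFO2)):
        print(name, sorted(failures(agent, INPUTS | OUTPUTS, 2), key=str))
```

Running it reports the two-element FIFO as conformant, rejects the Figure 5.4 structure with the trace in out out (the third trace of Table 5.2), and reproduces Table 5.3: after the trace in, the specification refuses in while the implementation refuses nothing.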
The most interesting feature of failures semantics is that it is the weakest verification which can test for deadlock. However, it still does not significantly distinguish the branching structure of agents. Figure 5.6 shows two agents which cannot be distinguished with failure semantics. See [vG90a] for a more detailed presentation on equivalences and their comparative concurrency semantics.
Figure 5.6: Weaknesses in Failures Semantics
5.5.3 Trace Failure Example

The most widely used verifier in the asynchronous community can be attributed to Dill [Dil89]. It was used in the development of the Post Office. Dill's verifier uses modified trace semantics to overcome some of the aforementioned weaknesses in trace theory. Because of the complexity of complete trace semantics, they are not a part of his verifier. Dill uses a failures theory in his verifier, which allows it to distinguish certain classes of the derivation trees in Figure 5.5, but other branching structures such as those shown in Figure 5.6 cannot be detected.

An example of the faults that can occur with trace verification is shown. Suppose that a 4-cycle MERGE element is to be built that responds to either an a request or a b request (which are mutually exclusive processes) and produces a request to a third component via a $\overline{c}$ output. The CCS description of the specification is shown in Equation 5.2 as agent EGSpec. Assume that the circuit EG that is implemented behaves as shown in Equation 5.3. In other words, this process requires that after an a handshake, the b handshake must follow, but after a b handshake, either may proceed.

$$EGSpec \stackrel{\mathrm{def}}{=} a.\overline{c}.a.\overline{c}.EGSpec + b.\overline{c}.b.\overline{c}.EGSpec \qquad (5.2)$$

$$EG \stackrel{\mathrm{def}}{=} a.\overline{c}.a.\overline{c}.b.\overline{c}.b.\overline{c}.EG + b.\overline{c}.b.\overline{c}.EG \qquad (5.3)$$

The EG circuit was verified against EGSpec using Dill's burst-mode verifier (ported by Nowick for the burst-mode Post Office application). The input file is shown in Figure 5.7. The circuit that is passed to the verifier is shown in Figure 5.8. This circuit contains two state variables and the output. The description of the circuit is defined as $Y_1 = B + Y_0 \times A + Y_1 \times A$; the equations for $Y_0$ and $C$ are illegible in the extracted page.
    :in (a b)          ; list of input variables
    :out (c)           ; list of output variables
    :init-state 0      ; initial state (optional)
    :state 0 (a)
           1 (c)
    :state 1 (a~)
           0 (c~)
    :state 0 (b)
           2 (c)
    :state 2 (b~)
           0 (c~)

Figure 5.7: EG Circuit Description for Dill's Verifier
Dill's burst-mode verifier incorrectly indicates that the circuit is a faithful implementation, in 79 states. This is most likely due to one of two problems with trace verification methods: an incomplete trace model, or the mirroring of the specification to form the environment of the implementation.

Analyze (see Section 7.5) points out eight failures in this circuit using its trace conformance verification mode. Computation interference, which is considered an implementation failure, occurs after the $a\,\overline{c}\,a\,\overline{c}\,a$ trace. There is also a deadlock after this trace, which does not allow the $\overline{c}$ signal to assert in response to the a input. This occurs when the $Y_1 \times A$ AND gate is unstable, producing a high output, and the $Y_1$ OR gate is unstable, producing a low output. (A gate is considered unstable when changes in its inputs will result in a change on the output that has not yet occurred.) If the AND gate goes high first, the $Y_1$ output may remain high, produce a runt pulse, or produce a static 1 hazard. If the OR output changes first it may stabilize the AND output low, produce a runt pulse, or produce other races that could result in oscillation.

For this analysis the AND and OR gate specifications are modeled so that when they are unstable, they cannot accept an input that disables the pending output until after the output has changed and the gate stabilizes. This results in the deadlock, as neither the $Y_1 \times A$ AND gate nor the $Y_1$ OR gate can fire. From the deadlock, the output $\overline{c}$ cannot be produced, resulting in a verification error with the complete trace semantics of Analyze. This complete analysis is reached in 74 states.
5.5.4 Are Trace Systems Useful?

From the preceding section one could wonder if trace-based verification is useful at all, given such serious flaws in complexity and analytic coarseness. Trace-based systems are too casual, and seem to be overly complex when complete traces and failures are employed. However, experience with Dill's verifier showed the effectiveness of such a tool, and gave good insights into what could be accomplished with Analyze. There are also some mitigating factors which can make trace-based systems attractive, which will be discussed in this section.

An asynchronous circuit consists of basic building blocks which are composed in parallel to build larger circuit modules. The building blocks for low latency circuits proposed by this thesis consist of two types of components: asynchronous finite state machines and the nondeterministic, analog mutual exclusion element.
As discussed in Chapter 4, AFSMs are restricted in such a way that they are implementable without combinational logic hazards, and that sequential hazards are controllable. These restrictions require that inputs and outputs occur in bursts, and that any choice by the environment be mutually exclusive. These restrictions also make AFSM modules easier to verify.

Proposition 4 A minimized burst-mode specification will not contain any τ transitions.

Proof For a τ transition to exist in a minimized agent, there must be a transition $P \stackrel{\tau}{\rightarrow} P'$ where $P \neq P'$. Since burst-mode AFSMs partition activity into distinct input and output phases by Rule 1 on page 83, the τ transition must be part of an input or output burst. By Definitions 1 and 2 each input or output burst must be confluent. Hence by Definition 24 no transition $P \stackrel{\tau}{\rightarrow} P'$ can exist where $P \neq P'$. □

Proposition 5 If agent P is determinate and has no τ transitions, then it is also strongly determinate.

Proof Weakly determinate definitions allow τ transitions to be ignored because they use the transition $Q \stackrel{s}{\Longrightarrow} Q'$ where $s \in \mathcal{L}^*$. Since there are no τ transitions, $Q \stackrel{s}{\Longrightarrow} Q'$ is equivalent to $Q \stackrel{s}{\rightarrow} Q'$ by Definition 16. Definition 22 states that strong determinacy is operational on all derivatives Q of P. Since determinacy is closed under derivation, all s-descendants will be derivatives of P. Therefore, only the direct α-derivatives of Q need to be tested, not the s-descendants, making Proposition 5 hold. □
Proposition 6 Burst-mode AFSMs are determinate.

Proof Follows from Definitions 1, 2, 23, and 24. □

Proposition 7 If P and Q are determinate, then $P \approx Q$ iff $P =_t Q$.

Proof Milner [Mil89] page 234. □

If one is to build burst-mode AFSMs then they must be determinate. If the AFSM and its specification are determinate, then trace equivalence suffices as a verification tool! Further, the determinacy check can be simplified because it can use strong determinacy, which is a much simpler operation on labeled transition systems. When the agents are minimized this operation is linear in the size of the state space.
Proposition 8 Trace semantics are not sensitive to determinate agents.

Proof To be sensitive to determinate systems, one must distinguish between transitions of the type shown in Figure 5.5(a). Trace semantics are not sensitive to determinacy because they cannot distinguish between $a.(b.Nil + c.Nil)$ and $a.b.Nil + a.c.Nil$. □

Proposition 9 Trace semantics cannot distinguish internal τ choices.

Proof From Definitions 16 and 25. □

Trace semantics can distinguish neither nondeterminate nor τ transitions. This has two ramifications. Firstly, a stronger semantics must be used to verify that a burst-mode state machine meets its determinacy requirements. Section 7.7 discusses some of the extra constraints necessary to prepare state machines for synthesis. CCS semantics has sufficient power to verify determinacy properties.
Secondly, a burst-mode specification can be turned into a trace determinate specification, which removes all τ and nondeterminate transitions, because τ actions are indistinguishable using trace semantics. The result allows simple state-by-state matching between the specification and the implementation. If the implementation is determinate, then trace and bisimilar verifications can be done with linear complexity in the number of states of the specification. Further, all unreachable states in the implementation are never generated or visited under compositional analysis, as is done in the tool developed in this thesis. Additionally, the internal structure of the implementation, including hidden internal transitions, can be preserved over this process, with the unreachable states excluded. This enables the structure of the circuit to be preserved so that the features and capabilities of CCS are not lost in the process.

The good news is that burst-mode state machines can be verified efficiently using trace formalism. Further, many large computational blocks can be determinate, so they too can be efficiently verified. A good example is the register bank in the asynchronous AMULET CPU [PDF+92]. However, a purely trace-based system is not capable of proving the determinacy property, an essential step in verifying correct burst-mode specifications (to be pointed out in Section 7.7).

Unfortunately, there are many computational blocks which are nondeterminate due to data dependencies and/or shared resources. The overheads of trace verification can be extremely high for nondeterminate blocks. For example, many required trace transitions from the current implementation state may not be present when verifying the trace conformance of a nondeterministic system against its trace determinate specification. This is not an error unless the trace is not possible from any state in the specification. Hence, incomplete trace logs must be stored and matched against completed traces during a verification run to determine if the trace is possible from another state. Only at the end of a run can one determine if the run was successful. This overhead is not present in the logic conformance definitions which follow.
5.6 Logic Conformance

Trace verification has some serious weaknesses because it
• cannot discern determinate systems.
• cannot detect deadlock.
• equates too many branching structures of agents.
• is inefficient for verification of nondeterminate agents.

These are serious weaknesses, as verifications with trace systems cannot detect some of the faults in real circuits, such as those discussed in Section 2.3.4. Particularly crippling is the inability to detect deadlock. Although many of these concerns are not present in small AFSMs, they commonly occur with larger composed systems with data dependencies or shared resources. These systems are the ones which are too complex for designers to analyze in their heads, and where formal methods and automation must be applied. (Although the compositionality of asynchronous circuits alleviates the difficulty of composing systems, there are still ample possibilities for design errors.)
C H A P T E R  5 .  H A R D W A R E  E Q U I V A L E N C E S  F O R M A L I Z E D  I N  C C S  1 3 6
A  b e t t e r  c o n fo rm a n c e  d e f in i t io n  s h o u ld  h a v e  th e  s a m e  p r o p e r t ie s  a n d  e q u a t io n a l  
law s  as o b s e r v a t io n a l  e q u iv a le n c e . T h e  d e f in i t io n  o f  th i s  c o n fo rm a n c e  fo llo w s, a n d  is 
c a l le d  “o b s e r v a t io n a l  c o n fo rm a n c e ” , o r  l o g i c  c o n f o r m a n c e .
D e f i n i t i o n  2 7  A  b ina ry  relat ion CC C V x V  over  agents  is a l o g i c  c o n f o r m a t i o n
between im p l e m e n ta t i o n  I  a n d  specif icat ion S  i f ( I , S )  £  CC then  V a  £  A c t  a nd
V fi £  A  U { r }  (ou tpu t s  a n d  t ) a n d  V 7  £  A  ( input s)
(i) W h e n e v e r  .S'A.S'' then  3 I '  such that  t=f-11 a n d  ( I 1, S ' )  £  CC
(ii) W h e n e v e r  t  f  then  3 S '  such tha t  S A ^ S '  a n d  ( I ' ,  S ' )  £  CC
(Hi) W h e n e v e r  I I 1 a n d  S=> then  3 S '  such that  S=>S'  a n d  ( I ' ,  S ' )  £  CC
L o g ic  c o n f o r m a t io n  is s im i la r  to  t r a c e  c o n fo rm a n c e , b u t  i t  is m o re  s e n s i t iv e  to  
t h e  b r a n c h in g  s t r u c tu r e  o f  a g e n ts .  T h e r e  is a lso  t h e  b a c k  a n d  f o r th  c o m p a r is o n  
b e tw e e n  th e  im p le m e n ta t io n  a n d  th e  s p e c if ic a t io n  w h ic h  a re  n e c e s s a ry  fo r  a  b is im i la r  
r e la t io n .  D e a d lo c k  is d e te c te d  a n d  m u s t  b e  e q u a l  to  d e a d lo c k s  in  t h e  s p e c if ic a t io n . 
D e f in it io n  27(H)  r e q u ir e s  t h a t  a ll  o u tp u t s  a n d  r  t r a n s i t io n s  a re  b i s im i la r  to  th e  
s p e c if ic a t io n . T h is  a s s u re s  t h a t  th e r e  a re  n o  h a z a r d s  in  t h e  im p le m e n ta t io n  a n d  
t h a t  i t  p ro d u c e s  p re c is e ly  w h a t  t h e  s p e c if ic a t io n  d ic ta te s .  T h e  d if fe re n c e  b e tw e e n  
b is im u la t io n  a n d  lo g ic  c o n fo rm a n c e  is t h a t  in p u t s  n o t  s u p p l ie d  b y  th e  e n v ir o n m e n t  
a n d  th e i r  d e r iv a t iv e  a g e n ts  (D e f in i t io n  2 7 (Hi ) )  c a n  b e  ig n o re d  as p e r  P r o p o s i t io n  2.
T h e  b a c k  a n d  f o r th  b is im u la t io n  n a t u r e  o f  D e f in i t io n  27 a s s u re s  t h a t  P r o p o s i ­
t io n  3 (1 ) o n  p a g e  126 d o e s  n o t  h o ld . I t  a lso  c a tc h e s  a n y  d y n a m ic  a n d  s t a t i c  h a z a r d s  
t h e  c i r c u i t  m a y  p ro d u c e . C la u s e  ( i i )  ch e c k s  fo r  c o r r e c t  r  o p e r a t io n  a n d  a s s u re s  t h a t  
P r o p o s i t io n  3 (2 ) d o e s n ’t  h o ld . W i th o u t  th i s  c la u s e , t h e  r  t r a n s i t i o n  in  IM P L  th e  
e x a m p le  in  t h e  fo llo w in g  s e c t io n  w o u ld  b e  ig n o re d . T h is  w o u ld  m a k e  IM P L  L o g i­
C H A P T E R  5 .  H A R D W A R E  E Q U I V A L E N C E S  F O R M A L I Z E D  I N  C C S  1 3 7
c a lly  C o n fo rm a n t  to  S P E C , a  c a se  w h ic h  s u re ly  s h o u ld  n o t  h o ld  b e c a u s e  IM P L  c a n  
d e a d lo c k  w h ile  S P E C  c a n n o t .
C H A P T E R  5 .  H A R D W A R E  E Q U I V A L E N C E S  F O R M A L I Z E D  I N  C C S  1 3 8
5.6.1 Logic Conformance Example

Assume agents E7 and E7Spec are defined as follows:

$E7Spec \stackrel{def}{=} a.b.E7Spec$ (5.4)
$E7 \stackrel{def}{=} a.(\tau.Nil + b.E7) + b.Nil$ (5.5)

The transition graphs of these agents are shown in Figure 5.9. The implementation E7 is trace conformant to E7Spec, but has no logic conformation. The conformation set $\mathcal{LC}$ starts as a cross product of all ordered pairs of the implementation E7 and specification E7Spec in the order (E7, E7Spec). There are six such pairs in $\mathcal{LC}$: (0,0), (0,1), (1,0), (1,1), (Nil,0) and (Nil,1). The last two pairs can be immediately discarded. The pair (1,0) can also be thrown out as the implementation doesn't simulate the specification: it does not have the $a$ transition. The pair (0,1) can likewise be thrown out. The implementation can match the specification's transition requirements through the transitions $E7Spec\text{-}1 \xrightarrow{b} E7Spec\text{-}0$ and $E7\text{-}0 \xrightarrow{b} Nil$. Since the pair $(Nil, 0) \notin \mathcal{LC}$, the pair (0,1) cannot be in $\mathcal{LC}$ and is also thrown out.

Only the pairs (0,0) and (1,1) remain to be checked. The implementation simulates the specification's $a$ transition and requires that (1,1) is in $\mathcal{LC}$. The same occurs for the $a$ transition of the specification. Since the $b$ transition is not a valid transition of E7Spec, Definition 27(iii) is vacuously true. In checking the pair (1,1), note that a bisimulation from state 1 to state 0 exists between the implementation and specification on label $b$. Definition 27(ii) requires that the implementation's $\tau$ transition is bisimilar to the specification. The only $\tau$ transition in the specification that matches $E7\text{-}1 \xrightarrow{\tau} Nil$ of the implementation is $E7Spec\text{-}1 \Longrightarrow E7Spec\text{-}1$. Since the pair (Nil, 1) is not in $\mathcal{LC}$, the pair (1,1) is also thrown out. Because (1,1) is thrown out so is (0,0). $\mathcal{LC}$ is empty, showing there is no logic conformation between E7 and E7Spec.

Figure 5.9: State Graph of Example E7. (a) E7 (b) E7Spec

If the $\tau.Nil$ agent expression were not part of E7 then these agents would be logically conformant. Secondly, if the $b$ input were changed to an output $\bar{b}$, then E7 is no longer trace conformant to the specification because there is an output possible in the initial state before an $a$ input has arrived.
5.6.2 Properties of Logic Conformance

Because Definition 27 uses sets, there are many possible solutions, including the empty relation $\mathcal{LC} = \emptyset$. Therefore, this definition must be put into a different form which will be the largest conformance. This is done by examining some of the properties that are preserved by various operations on relations.

Proposition 10 Assume that each $\mathcal{LC}_i$ ($i = 1, 2, \ldots$) is a logic conformation. Then the following relations are all logic conformations:
(1) $Id_{\mathcal{P}}$  (2) $\mathcal{LC}_1\mathcal{LC}_2$  (3) $\bigcup_{i \in I} \mathcal{LC}_i$

Proof
(1) The identity can be defined as a relation $\mathcal{R} = \{(x, x) : x \in \mathcal{P}\}$. Suppose that for some $P$, $(P, P) \in \mathcal{LC}$. Each action $P \xrightarrow{\alpha} P'$, $P \xrightarrow{\beta} P'$, and $P \xrightarrow{\gamma} P'$ from Definition 27 can be equaled by the same action, so $P \stackrel{\hat{\alpha}}{\Longrightarrow} P'$, $P \stackrel{\hat{\beta}}{\Longrightarrow} P'$, and $P \stackrel{\gamma}{\Longrightarrow} P'$ all hold. Since $(P, P) \in \mathcal{LC}$, $(P', P') \in \mathcal{LC}$.

(2) The composition of two binary relations is defined as the relation
$\mathcal{R}_1\mathcal{R}_2 = \{(x, z) : \text{for some } y,\ (x, y) \in \mathcal{R}_1 \text{ and } (y, z) \in \mathcal{R}_2\}$
First the most general case is exercised, going from right to left. Suppose that $(P, R) \in \mathcal{LC}_1\mathcal{LC}_2$. Then for some $Q$ there must be $(P, Q) \in \mathcal{LC}_1$ and $(Q, R) \in \mathcal{LC}_2$.
Let $R \xrightarrow{\alpha} R'$. By Definition 27, since $(Q, R) \in \mathcal{LC}_2$,
$Q \stackrel{\hat{\alpha}}{\Longrightarrow} Q'$ and $(Q', R') \in \mathcal{LC}_2$
Since $(P, Q) \in \mathcal{LC}_1$, if $Q \xrightarrow{\alpha} Q'$, $\exists P'$ such that
$P \stackrel{\hat{\alpha}}{\Longrightarrow} P'$ and $(P', Q') \in \mathcal{LC}_1$
From Definition 15, $Q \stackrel{\hat{\alpha}}{\Longrightarrow} Q'$ can be rewritten as $Q (\xrightarrow{\tau})^* \xrightarrow{\alpha} (\xrightarrow{\tau})^* Q'$.
Also, since $(P, Q) \in \mathcal{LC}_1$, if $Q \xrightarrow{\tau} Q''$ then we have some $P''$ such that
$P \Longrightarrow P''$ and $(P'', Q'') \in \mathcal{LC}_1$
Therefore, if $Q (\xrightarrow{\tau})^* Q'''$ then there exists a $P'''$ such that
$P (\Longrightarrow)^* P'''$ and $(P''', Q''') \in \mathcal{LC}_1$
By Definition 15 $P (\Longrightarrow)^*$ is equivalent to $P \Longrightarrow$. Since $(P''', Q''') \in \mathcal{LC}_1$ and $P \Longrightarrow P'''$ then there exists a $P''''$ where if $Q (\xrightarrow{\tau})^* Q''' \xrightarrow{\alpha} Q''''$ then
$P \stackrel{\hat{\alpha}}{\Longrightarrow} P''''$ and $(P'''', Q'''') \in \mathcal{LC}_1$
By similar reasoning, since $(P'''', Q'''') \in \mathcal{LC}_1$, there exists a $P'$ such that if $Q'''' (\xrightarrow{\tau})^* Q'$ then
$P \stackrel{\hat{\alpha}}{\Longrightarrow} P'$ and $(P', Q') \in \mathcal{LC}_1$
Since $Q (\xrightarrow{\tau})^* \xrightarrow{\alpha} (\xrightarrow{\tau})^* Q'$ is equivalent to $Q \stackrel{\hat{\alpha}}{\Longrightarrow} Q'$, if $Q \stackrel{\hat{\alpha}}{\Longrightarrow} Q'$ and $(P, Q) \in \mathcal{LC}_1$ then there exists $P'$ such that $P \stackrel{\hat{\alpha}}{\Longrightarrow} P'$ and $(P', Q') \in \mathcal{LC}_1$.
Hence $(P', R') \in \mathcal{LC}_1\mathcal{LC}_2$ from right to left.
Going from right to left for $\beta$ and $\gamma$ transitions uses the same structure as above. Going from left to right for $\beta$ transitions also follows the same structure.
The $\gamma$ transitions are what create the partial order. Any transition in $R$ will have similar transitions in $Q$ and $P$ as shown above. Likewise, any transition in $Q$ will have a similar transition in $P$. However, input ($\gamma$) transitions may exist in $P$ that do not exist in $Q$, and likewise for $Q$ and $R$. Using similar reasoning as above, suppose $(P, R) \in \mathcal{LC}_1\mathcal{LC}_2$. Then $(P, Q) \in \mathcal{LC}_1$ and $(Q, R) \in \mathcal{LC}_2$.
Let $P \xrightarrow{\gamma} P'$. If there is no transition $Q \stackrel{\gamma}{\Longrightarrow}$ then we are done. If $Q \stackrel{\gamma}{\Longrightarrow}$ then $Q \stackrel{\gamma}{\Longrightarrow} Q'$ and $(P', Q') \in \mathcal{LC}_1$.
If $Q \stackrel{\gamma}{\Longrightarrow} Q'$ and $R \stackrel{\gamma}{\not\Longrightarrow}$ then we are done.
Definition 16 allows $Q \stackrel{\gamma}{\Longrightarrow} Q'$ to be rewritten as $Q (\xrightarrow{\tau})^* \xrightarrow{\gamma} (\xrightarrow{\tau})^* Q'$. Since $\beta$ transitions include the $\tau$ transition, and all $\beta$ transitions hold between $P, Q$ and $Q, R$, the above reasoning can be used to deduce that since $(Q, R) \in \mathcal{LC}_2$ and if $Q \xrightarrow{\gamma} Q'$ and $R \stackrel{\gamma}{\Longrightarrow}$ then there exists an $R'$ such that
$R \stackrel{\gamma}{\Longrightarrow} R'$ and $(Q', R') \in \mathcal{LC}_2$
Hence $(P', R') \in \mathcal{LC}_1\mathcal{LC}_2$.

(3) For all $\mathcal{LC}_i$, the largest set is created by the union of all such sets. If this were not the case, a pair would exist $(P, Q) \in \bigcup_{i \in I}\mathcal{LC}_i$ that forced $(P', Q') \notin \mathcal{LC}$. But if that were the case, $(P, Q)$ would not be in $\mathcal{LC}$.

Definition 28 Implementation $I$ is logic conformant to specification $S$, written $I \sqsupseteq S$, if $(I, S) \in \mathcal{LC}$ for some logic conformation $\mathcal{LC}$. This may be equivalently expressed as $\sqsupseteq \;=\; \bigcup\{\mathcal{LC} : \mathcal{LC} \text{ is a logic conformation}\}$
Proposition 11
(1) $\sqsupseteq$ is the largest logic conformation
(2) $\sqsupseteq$ is a partial order

Proof
(1) By Proposition 10(3), $\sqsupseteq$ is a logic conformation and includes any other such conformation.
(2) Reflexivity: For any $P$, $P \sqsupseteq P$ by Proposition 10(1).
Transitivity: If $P \sqsupseteq Q$ and $Q \sqsupseteq R$ then $(P, Q) \in \mathcal{LC}_1$ and $(Q, R) \in \mathcal{LC}_2$ for logic conformances $\mathcal{LC}_1, \mathcal{LC}_2$. Therefore, by Proposition 10(2), $(P, R) \in \mathcal{LC}_1\mathcal{LC}_2$, and so $P \sqsupseteq R$.
Antisymmetric: If $P \sqsupseteq Q$ and $Q \sqsupseteq P$ then $P \approx Q$ (bisimilar equivalence) by the definitions of Bisimulation and logic conformance. $P \sqsupseteq Q$ does not imply $Q \sqsupseteq P$. For example, let $E8\text{-}0 \stackrel{def}{=} a.E8\text{-}0$ and $E8\text{-}1 \stackrel{def}{=} a.E8\text{-}1 + b.E8\text{-}1$. Clearly $E8\text{-}1 \sqsupseteq E8\text{-}0$ and $E8\text{-}0 \not\sqsupseteq E8\text{-}1$.

Definition 29 Define the function $\mathcal{F}$, over subsets of binary relations over agents $\mathcal{P} \times \mathcal{P}$, such that if $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$, then $(I, S) \in \mathcal{F}(\mathcal{R})$ iff $\forall \alpha \in Act$ and $\forall \beta \in \bar{A} \cup \{\tau\}$ and $\forall \gamma \in A$
(i) Whenever $S \xrightarrow{\alpha} S'$ then $\exists I'$ such that $I \stackrel{\hat{\alpha}}{\Longrightarrow} I'$ and $I' \mathcal{R} S'$
(ii) Whenever $I \xrightarrow{\beta} I'$ then $\exists S'$ such that $S \stackrel{\hat{\beta}}{\Longrightarrow} S'$ and $I' \mathcal{R} S'$
(iii) Whenever $I \xrightarrow{\gamma} I'$ and $S \stackrel{\gamma}{\Longrightarrow}$ then $\exists S'$ such that $S \stackrel{\gamma}{\Longrightarrow} S'$ and $I' \mathcal{R} S'$
Although $\mathcal{F}$ operates on any $\mathcal{R}$, it is used in such a manner that it succinctly defines logic conformance.

Proposition 12
(1) $\mathcal{F}$ is monotonic. If $\mathcal{R}_1 \subseteq \mathcal{R}_2$ then $\mathcal{F}(\mathcal{R}_1) \subseteq \mathcal{F}(\mathcal{R}_2)$
(2) $\mathcal{LC}$ is a logic conformance iff $\mathcal{LC} \subseteq \mathcal{F}(\mathcal{LC})$

Proof (1) follows directly from Definition 29, and (2) reformulates Definition 27. □

$\mathcal{R}$ is called a pre-fixed-point of $\mathcal{F}$ if $\mathcal{R} \subseteq \mathcal{F}(\mathcal{R})$. Also, $\mathcal{R}$ is a fixed-point of $\mathcal{F}$ if $\mathcal{R} = \mathcal{F}(\mathcal{R})$. Therefore logic conformations are exactly the pre-fixed-points of $\mathcal{F}$, and it will be further shown that the largest pre-fixed-point, $\sqsupseteq$, is a fixed-point of $\mathcal{F}$.

Proposition 13 Logic conformance is a fixed point of $\mathcal{F}$, hence $\sqsupseteq \;=\; \mathcal{F}(\sqsupseteq)$. Logic conformance is likewise the maximum fixed-point of $\mathcal{F}$.

Proof Since $\sqsupseteq$ is a logic conformation, $\sqsupseteq \;\subseteq\; \mathcal{F}(\sqsupseteq)$ by Definition 29. Because $\mathcal{F}$ is monotonic, $\mathcal{F}(\sqsupseteq) \subseteq \mathcal{F}(\mathcal{F}(\sqsupseteq))$, so $\mathcal{F}(\sqsupseteq)$ is also a pre-fixed-point of $\mathcal{F}$. Since $\sqsupseteq$ is the largest pre-fixed-point of $\mathcal{F}$ (from Proposition 11), it includes $\mathcal{F}(\sqsupseteq)$, so $\mathcal{F}(\sqsupseteq) \;\subseteq\; \sqsupseteq$. Therefore $\sqsupseteq \;=\; \mathcal{F}(\sqsupseteq)$. Because $\sqsupseteq$ is the largest pre-fixed-point, it is also the maximum fixed-point of $\mathcal{F}$. □

Because $\sqsupseteq$ is the maximum fixed point, logic conformance can now be defined as follows:
Definition 30 Logic conformance between implementation $I$ and specification $S$ is written as $I \sqsupseteq S$ and holds iff $\forall \alpha \in Act$ and $\forall \beta \in \bar{A} \cup \{\tau\}$ and $\forall \gamma \in A$
(i) Whenever $S \xrightarrow{\alpha} S'$ then $\exists I'$ such that $I \stackrel{\hat{\alpha}}{\Longrightarrow} I'$ and $I' \sqsupseteq S'$
(ii) Whenever $I \xrightarrow{\beta} I'$ then $\exists S'$ such that $S \stackrel{\hat{\beta}}{\Longrightarrow} S'$ and $I' \sqsupseteq S'$
(iii) Whenever $I \xrightarrow{\gamma} I'$ and $S \stackrel{\gamma}{\Longrightarrow}$ then $\exists S'$ such that $S \stackrel{\gamma}{\Longrightarrow} S'$ and $I' \sqsupseteq S'$

Proposition 14 If $P \sqsupseteq Q$ and $Q \sqsupseteq P$ then $P \approx Q$
Proof Follows from Definitions 21 and 30. □
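As an added worked example (not code from the thesis or from the Analyze tool), the following Python computes the largest logic conformation exactly as Section 5.6.1 narrates it: start from the cross product of implementation and specification states and discard pairs that fail Definition 27 until nothing changes, which is the maximum fixed point of the function $\mathcal{F}$ of Definition 29 (Proposition 13). The agents are hand-transcribed labelled transition systems; inputs are plain names, outputs carry a leading `~` standing for the overbar, and `tau` is the silent action (all notational choices of this example). It checks E7 against E7Spec, the two variants discussed at the end of Section 5.6.1, and the E8 pair used above to show that $\sqsupseteq$ is not symmetric.

```python
"""Largest logic conformation between an implementation and a specification
(Definition 27), computed as the maximum fixed point of F (Definition 29).
Constructed example: agents transcribed from (5.4), (5.5) and the E8 pair."""
from itertools import product

TAU = "tau"                      # the silent action


def is_input(act):
    """Inputs are plain names; outputs are written with a leading '~' (a-bar)."""
    return act != TAU and not act.startswith("~")


def tau_closure(lts, s):
    """States reachable from s by zero or more tau moves, i.e. s ==> s'."""
    seen, todo = {s}, [s]
    while todo:
        x = todo.pop()
        for act, y in lts[x]:
            if act == TAU and y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def weak_succ(lts, s, act):
    """Weak 'hat' successors: s ==> s' when act is tau, else s ==> -act-> ==> s'."""
    if act == TAU:
        return tau_closure(lts, s)
    out = set()
    for x in tau_closure(lts, s):
        for a, y in lts[x]:
            if a == act:
                out |= tau_closure(lts, y)
    return out


def pair_ok(impl, spec, i, s, rel):
    """Does the pair (i, s) survive one application of F to rel (Definition 29)?"""
    # (i) every specification move S -a-> S' is matched by I ==> a^ I' with (I', S') in rel
    for a, s2 in spec[s]:
        if not any((i2, s2) in rel for i2 in weak_succ(impl, i, a)):
            return False
    for b, i2 in impl[i]:
        targets = weak_succ(spec, s, b)
        if is_input(b):
            # (iii) an input the specification can weakly accept must be matched;
            #       inputs the specification never offers are ignored
            if targets and not any((i2, s2) in rel for s2 in targets):
                return False
        else:
            # (ii) every output or tau move of I must be matched by S ==> b^ S'
            if not any((i2, s2) in rel for s2 in targets):
                return False
    return True


def is_conformation(impl, spec, rel):
    """rel is a logic conformation iff rel is a subset of F(rel) (Proposition 12(2))."""
    return all(pair_ok(impl, spec, i, s, rel) for i, s in rel)


def largest_conformation(impl, spec):
    """Start from all pairs and discard until F(rel) == rel: the maximum fixed point."""
    rel = set(product(impl, spec))
    while True:
        nxt = {(i, s) for i, s in rel if pair_ok(impl, spec, i, s, rel)}
        if nxt == rel:
            return rel
        rel = nxt


def conforms(impl, i0, spec, s0):
    """I conforms to S (Definitions 28/30): the initial pair lies in the largest conformation."""
    return (i0, s0) in largest_conformation(impl, spec)


# Agents from (5.4) and (5.5); state n of agent E is written E-n in the thesis.
E7SPEC = {"S0": [("a", "S1")], "S1": [("b", "S0")]}                 # E7Spec = a.b.E7Spec
E7 = {"I0": [("a", "I1"), ("b", "Nil")],                            # E7 = a.(tau.Nil + b.E7) + b.Nil
      "I1": [(TAU, "Nil"), ("b", "I0")], "Nil": []}
E7_NO_TAU = {"I0": [("a", "I1"), ("b", "Nil")], "I1": [("b", "I0")], "Nil": []}
E7_OUT = {"I0": [("a", "I1"), ("~b", "Nil")],                       # input b turned into output b-bar
          "I1": [(TAU, "Nil"), ("~b", "I0")], "Nil": []}
E8_0 = {"P": [("a", "P")]}                                          # E8-0 = a.E8-0
E8_1 = {"Q": [("a", "Q"), ("b", "Q")]}                              # E8-1 = a.E8-1 + b.E8-1

if __name__ == "__main__":
    print(sorted(largest_conformation(E7, E7SPEC)))          # [] : no logic conformation
    print(sorted(largest_conformation(E7_NO_TAU, E7SPEC)))   # [('I0', 'S0'), ('I1', 'S1')]
    print(conforms(E7_OUT, "I0", E7SPEC, "S0"))              # False: output before any input
    print(conforms(E8_1, "Q", E8_0, "P"), conforms(E8_0, "P", E8_1, "Q"))  # True False
```

The discard loop is simultaneous (one pass computes $\mathcal{F}$ of the current relation) rather than the one-pair-at-a-time walk of Section 5.6.1, but both reach the same fixed point because $\mathcal{F}$ is monotonic; the E7 run shrinks the six initial pairs to the empty relation in three passes, with the $\tau$ move of E7-1 to Nil being what removes (1,1) and then (0,0).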
5.7 Summary
Two formalisms have been presented, based on trace and bisimulation semantics, 
for comparing circuit specifications and implementations. Informally, these are de­
signed to maximize the implementations that will conform to the specification while 
retaining the correct operation as far as the model’s capabilities allow.
Trace conformance is useful for simple cases where the circuit implementation 
is determinate. Then verification can be done linearly on the state space of these 
processes. An additional feature is that trace equivalence also implies the preferred 
notion of logic conformance when the specification and implementation are determi­
nate. For these simple examples, logic conformance is no more complex to calculate 
than trace conformance, and can be done linearly on the state space as well.
For the more difficult cases of hierarchical, complex, or nondeterminate logic, the 
trace model becomes slow and inefficient. Trace verification of these models can also 
validate circuits which will not operate as desired. Logic conformance contains suf­
ficient rigor to verify circuits hierarchically, while catching hazards and inconsistent
behavior caused at any level in the hierarchy. The computational complexity of logic 
conformance is significantly less than that of complete trace failures testing. When 
no $\tau$ transitions exist, the check is linear on the state space in time.
Several attempts at creating loose specifications have been made in the theoretical 
community [GS90, DHWT91, FM91, Lar89, Xin92]. These groups have used partial 
orders to achieve the looseness (or partiality) of specifications for behavioral systems. 
Some of the partial orders include 2/3 bisimulation, divergence preorders, and network 
preorders. Although these may have practical applications in some areas, none are 
appropriate for asynchronous hardware verification. Practical applications have also 
appropriate for asynchronous hardware verification. Practical applications have also 
been applied by using a “mirroring” or inversion operation on the specification and 
composing that with the implementation. The goal of the mirrored specification is to 
supply a restricted environment for the implementation. These methods either place 
constraints on systems which are unreasonable, hide hazardous behavior, or are not 
“safe” as they permit hazards and illegal transitions to occur in the implementation 
with handshaking communication.
A significant contribution of this thesis is the definition of a generally applicable 
approach to loose behavioral specifications called conformances. A conformance is a 
partial order which restricts the behavior of an implementation to contain at least 
all the behaviors of the specification, and to exclude any bad behaviors. Definitions 
for trace conformance and bisimulation (or logic) conformance have been presented.
A second contribution to the asynchronous community is the ability to apply a 
larger range of equivalence formalisms to verification, as only trace based systems 
have previously been available. The tools developed with this thesis include verifi­
cation based on trace and branching time bisimulation formalisms.
Proving pre-congruence on the conformance partial orders results in many ad­
vantages for hardware synthesis. The primary advantage is that conformance now 
supports compositional (or substitutive) replaceability between specifications and 
their looser implementations. This allows systems to be hierarchically synthesized 
in a top-down fashion, where conformance only needs to be proven at each level in 
the hierarchy.
Many safety features cannot be verified hierarchically, so good global planning 
is still necessary to achieve the full potential of the tools. Good planning is also 
necessary to hide the explosion in complexity due to parallelism.
Chapter 6
Practical Applications of Process Logics

Process logics can verify that a behavior holds invariantly across a set of states. Such invariant analysis is analogous to simulation, but circuit simulation only tests the timing and threads of behavior explicitly exercised by the simulation vectors. For instance, deadlock might be discovered using simulation, but with invariants the deadlock property will be found either to exist or not to exist. Temporal logics can be used to prove the existence of behavioral invariants and properties that are essential for reliable circuit implementations.

This chapter applies process logics to the practical verification of behaviors and properties of asynchronous circuits. First Hennessy-Milner logic and the modal-$\mu$ calculus are introduced. Invariant properties are then broken into two categories as they relate to circuit descriptions: application independent and application specific formulae. Independent formulae are generic for all circuit implementations, while the application specific properties rely on the circuit specification and implementation. Deadlock and liveness are the independent invariant properties of primary importance. Some new definitions of these properties, analogous to the liveness definition of Petri net theory, are developed here. They are more appropriate definitions for parallel VLSI than the forms typically used with temporal logics. New application specific invariants are presented and some old forms are strengthened so that they are appropriate for hardware. Finally, an example of applying temporal logic as a conformance verification is presented.
CHAPTER 6. PRACTICAL APPLICATIONS OF PROCESS LOGICS 149
6.1 Hennessy-Milner Logic

Hennessy-Milner logic (HML) is a process logic that applies the following logic formulae to labeled transition systems [Sti92]. Recall the definition of labeled transition systems from Definition 9: $(\mathcal{P}, Act, \{\xrightarrow{\alpha} : \alpha \in Act\})$ where $\xrightarrow{\alpha}$ maps to the agents in $\mathcal{P} \times \mathcal{P}$. Terms in Hennessy-Milner logic are defined as:

$A ::= \mathbf{T} \mid \neg A \mid A \wedge A \mid \langle a \rangle A$ (6.1)

where
• $\mathbf{T}$ is a constant representing a true formula
• $\neg A$ negates the formula $A$
• $A \wedge A$ is the conjunction of two formulae
• $\langle a \rangle A$ is the modalized term where the formula $A$ holds after some action $a$.

A modalized operator is a formula that makes an assertion about a changing state. A common set of duals apply, including $\neg\mathbf{T} \stackrel{def}{=} \mathbf{F}$, the disjunctive operator $\neg(\neg A \wedge \neg B) \stackrel{def}{=} A \vee B$, and a second modalized term $\neg\langle a \rangle\neg A \stackrel{def}{=} [a]A$. Each agent has its own HML system because formulae are parameterized by an action set. The action set of the formulae should be a subset of the sort of the processes being analyzed.

HML is applied to express conditions on the behavior of agents, which can be formally defined by the satisfaction relation '$\models$'.
Definition 31 The satisfaction relation $\models$ between terms in a process logic $A \in \mathcal{PL}$ and the agent set $P \in \mathcal{P}$ is defined by induction on the structure of formulae as:
(i) $P \models \mathbf{T}$ for all $P$
(ii) $P \models \neg A$ iff $P \not\models A$
(iii) $P \models \bigwedge_{i \in I} A_i$ iff $\forall i \in I$, $P \models A_i$
(iv) $P \models \langle a \rangle A$ iff $\exists P'$ where $P \xrightarrow{a} P'$ and $P' \models A$

Consequently, the derived dual operators introduced above can also have the satisfaction relation defined. Of particular interest is the modalized term $[a]A$. For this term

$P \models [a]A$ iff $\forall P'$ where $P \xrightarrow{a} P'$ then $P' \models A$ (6.2)

Note that the modal equation $[a]A$ can be vacuously true. If the $a$ action is not possible from $P$, then the equation is satisfied. If the action is possible, then the equation is true if and only if for all actions $P \xrightarrow{a} P'$, $A$ is satisfied by all states $P'$.

Agents can now be tested for satisfaction of specific properties using HML. For example, Table 6.1 shows various property and behavioral tests for the standard C-element definition $C \stackrel{def}{=} a.b.\bar{c}.C + b.a.\bar{c}.C$.

$C \models [\bar{c}]\mathbf{F}$                                  C cannot make a $\bar{c}$ transition
$C \models \langle a \rangle\mathbf{T}$                              C can make an $a$ transition
$C \models \langle b \rangle\mathbf{T}$                              C can make a $b$ transition
$C \models \langle a \rangle\langle b \rangle\langle \bar{c} \rangle\mathbf{T}$              C can make $a$, then $b$, then $\bar{c}$ transitions.
$C \models [a]\mathbf{F} \wedge [b]\mathbf{F} \wedge [\bar{c}]\mathbf{F}$             C is deadlocked (false)
$C \models \langle a \rangle\mathbf{T} \wedge [b]\mathbf{F} \wedge [\bar{c}]\mathbf{F}$         C can only make an $a$ transition (false)
Table 6.1: HML Formulae Testing a C-element

Such tests can be used to examine specifications of asynchronous circuits [Liu92]. Notational extensions can be used which clarify the meaning of a modal formula and reduce the chance of an error. Multiple actions can be placed inside a single 






Further, the '$-$' character can be used to substitute for any action of an agent.

Definition 33
$\langle - \rangle A \stackrel{def}{=} \bigvee_{\alpha \in Act} \langle \alpha \rangle A$
$\langle -a,b \rangle A \stackrel{def}{=} \bigvee_{\alpha \in Act \text{ and } \alpha \neq a,b} \langle \alpha \rangle A$
and dually,
$[-]A \stackrel{def}{=} \bigwedge_{\alpha \in Act} [\alpha]A$
$[-a,b]A \stackrel{def}{=} \bigwedge_{\alpha \in Act \text{ and } \alpha \neq a,b} [\alpha]A$

At times a weaker transition rule may be desired when reasoning about circuit behaviors. Rather than using the relation $\xrightarrow{\alpha}$ over $\mathcal{P}$ for modal formulae, the weaker transition relation $\stackrel{\alpha}{\Longrightarrow}$, defined in Proposition 15, can be used. For such transitions, the modal formula $[a]A$ is replaced with $[[a]]A$ and $\langle a \rangle A$ is replaced with $\langle\langle a \rangle\rangle A$, where the abbreviations preserve their duality.
6.2 Modal-$\mu$ Calculus

All interesting hardware agents are reusable and thus have recursive definitions in CCS. An agent set $\mathcal{R}$ ($\mathcal{R} \subseteq \mathcal{P}$) is called a fixed point of the function $\mathcal{F}$ if $\mathcal{R} = \mathcal{F}(\mathcal{R})$. For example, the behavior of a C-element keeps repeating itself, so a fixed point of the C-element can be expressed with the following formula in which $C$ is the fixed point variable.

$C = \langle a \rangle\langle b \rangle\langle \bar{c} \rangle C$ (6.3)

There may be many solutions or no solution for a fixed point formula. However, if a fixed point variable is prefixed by an even number of negations, minimal and maximal solutions are guaranteed to exist [Tar55]. Therefore, forms with an odd number of negations are not interesting. Multiple solutions can exist because a property (or formula) is associated with a set of states. When multiple solutions exist, the sets form a lattice with unique minimal and maximal solutions. There is no quick way to compute all the fixed points of an equation: all possible sets of states must be examined. However, there are efficient algorithms for finding the minimal and maximal fixed point solutions. Luckily these are the ones in which all of our characterizing properties can be expressed. The maximal fixed point is calculated by iteration starting with all states in the system, throwing out states that are necessarily false. The minimum fixed point iteration starts with the empty set and includes the states which are necessarily true.
Modal-$\mu$ extends Hennessy-Milner logic with fixed points:

$A ::= HML \mid min(X.A) \mid max(X.A) \mid X$ (6.4)

where $X$ is a fixed point variable. These fixed point variables allow properties to be tested as invariants across the entire set of states in an agent. Two standard branching time temporal logic operations based on fixed points are the box '$\Box$' and diamond '$\Diamond$' operators [MP92, And93].

Definition 34 The always operator $\Box$ is defined as
$\Box P \stackrel{def}{=} max(X.\ P \wedge [-]X)$

Definition 35 The possibility operator $\Diamond$ is defined as
$\Diamond P \stackrel{def}{=} min(X.\ P \vee \langle - \rangle X)$

The $\Box$ (BOX) macro assures that the property $P$ holds invariantly across all reachable states from a process if $Process \models \Box P$. The $\Diamond$ (POSS) macro holds when any state in the system reachable from the process has property $P$. These operators are duals of each other in the sense that $\Box P = \neg\Diamond\neg P$. Other useful macros that have been applied to circuit verification include the EVENTUALLY and PATH macros (which are also duals) [Liu92, LABS93]. EVENTUALLY ensures that there is at least one state on every trace that contains property $P$, whereas the PATH operator verifies that the property $P$ holds on each state in at least one trace.

Definition 36 The eventually operator EVENTUALLY is defined as
$EVENTUALLY\ P \stackrel{def}{=} min(X.\ P \vee [-]X)$

Definition 37 The path operator is defined as
$PATH\ P \stackrel{def}{=} max(X.\ P \wedge \langle - \rangle X)$

Refer back to the example in Table 6.1 on Page 150. Note that the HML test for a deadlocked C-element only assures that the initial state does not deadlock (much like a simulation test). The modal-$\mu$ macro from Definition 38 can be applied to prove that the circuit does not contain the "temporal logic" deadlocking property.

Definition 38 A process contains the complete deadlock property if it is satisfied by: $\Diamond[-]\mathbf{F}$ or its dual $\neg(\Box\langle - \rangle\mathbf{T})$

This formula is satisfied if there is any state in the system where no action is possible. Hence the system can become stuck where it cannot make any moves at all. The Concurrency Workbench can be used to test this and other properties using the modal-$\mu$ formulae presented throughout this chapter.
6.3 Application Independent Invariant Properties

Application independent invariant properties do not rely on an agent's sort or structure. The properties presented in this section are essential for well defined circuit specifications.

6.3.1 Deadlock

The complete system deadlock expressed in Definition 38 is too restrictive to be useful for most hardware implementations that employ parallelism because it requires that an agent can arrive in a state where no action can be performed. The definition of a live system in Petri net theory more closely models the hardware designer's mental model of a deadlock [Pet81].
For example, assume a handshake interface is implemented as shown in Figure 6.1. 
Upon receiving a request, the circuit can move into state 1 where it will handshake 
correctly by responding with an acknowledgment, or it will nondeterministically 
move to state 2  where it will accept any number of requests but will never respond 
with an acknowledgment.
Figure 6.1: Weakly Deadlocking Handshake (state 0 moves on req to state 1, which answers with ack, or to state 2, which absorbs further req signals)
This agent does not contain the complete system deadlock of Definition 38. However, this agent does contain a deadlock on the ack signal, because it is possible to arrive in a state where the circuit will no longer issue an acknowledgment. The following more useful definitions of deadlock for parallel systems are proposed:

Definition 39 A process $P \in \mathcal{P}$ contains a deadlock if $\exists a \in \mathcal{L}(P)$ which allows $P$ to satisfy the following formula:
$DEADLOCK\ a \stackrel{def}{=} \Diamond\Box[a]\mathbf{F}$

Definition 40 A process $P \in \mathcal{P}$ contains a strong deadlock if $\exists a \in \mathcal{L}(P)$ which allows $P$ to satisfy the following formula:
$SDEADLOCK\ a \stackrel{def}{=} \Diamond PATH[a]\mathbf{F}$

The stronger and weaker forms of deadlock in Definitions 39 and 40 are similar. The states that satisfy deadlock are a subset of, or equal to, the states that satisfy strong deadlock for any process. They both assure that it is possible to arrive in a state 
where the action being checked cannot occur, nor can the action occur in all states 
that are reachable from that state. These deadlock definitions are weaker than the 
Petri net definition since they test liveness of labels rather than transitions. The 
stronger version is satisfied if there is some path where the action a cannot occur, 
whereas the weaker version is satisfied only if there is no reachable state where the 
action can occur. Strong deadlock considers livelock because it may be possible that 
some path is always taken which never allows a label to be exercised. The stronger 
deadlock may be satisfied for nondeterminate agents, and so the weaker version is 
typically used. However, for individual burst-mode AFSMs the stronger version 
should be used.
This definition of deadlock is an important invariant test, because dead branches of a parallel circuit can be extremely difficult to detect using simulation techniques. An example of such a failure can be shown with the distributed arbiter example taken from [SABL93]. The distributed arbiter is specified as shown in Table 6.2. This definition does not contain deadlock since $DINode \not\models DEADLOCK\ a$, $\forall a \in \mathcal{L}(DINode)$. The possibility of livelock results in the strong deadlock property holding for the signals grant, done, and ack because $DINode \models SDEADLOCK\ grant$. This livelock occurs when the token never chooses to serve the user interface of the arbiter, resulting in starvation.

Again, suppose that one of the nodes of the distributed arbiter uses a different definition for the interface, where the ack signal has inadvertently been left out, and the definition for 'Interface' is replaced with the definition of 'LameInterface' in Table 6.3. The module interfacing with the lame arbiter interface will wait for the 
$Interface \stackrel{def}{=} req.ok.grant.done.ko.ack.Interface + no.Interface$
$Token \stackrel{def}{=} tin.(ok.ko.tout.Token + no.tout.Token)$
$DINode \stackrel{def}{=} (Interface \mid Token) \setminus \{ok, ko, no\}$
Table 6.2: Distributed Arbiter Definition
ack handshake which will never occur, resulting in a partial system deadlock. This type of deadlock occurred in the first silicon of the Post Office [SD093], resulting in months of work to discover the cause of the flaw. Unaffected portions of the chip continued to function properly, while an entire logic block was deadlocked. The weak form of deadlock detection (Definition 39) detects this situation, as can be seen by the satisfaction $LameInterface \models DEADLOCK\ ack$.

$LameInterface \stackrel{def}{=} req.ok.grant.done.ko.LameInterface + no.LameInterface$
Table 6.3: Erroneous Distributed Arbiter Interface
6.3.2 Liveness
A new definition for liveness of agents in labeled transition systems is proposed. This 
definition is intended for complex parallel systems and is an application independent 
invariant that can be automatically checked for any process. A live process must 
be capable of exercising every label in the process from every state in the process. 
This definition is similar to that of liveness in Petri nets [Pet81]. Strong and weak 
liveness definitions using the modal-μ calculus are presented in Definitions 42 and 43. 
The new liveness definitions are the duals of the deadlock definitions as can be seen 
by examining Definition 39 and 40. Hence a system that is live will not contain
deadlock, and a system that contains deadlock will not be live, and only one of the 
tests is required to assure the live and deadlock free properties of a process.
The strong definition of liveness requires the strengthening of the EVENTUALLY 
macro of Definition 36. Note that strong modalities (such as $[-]X$) are vacuously 
true when no label matches the label argument. For example, the test $\Box[a]\langle b\rangle T$ 
will be satisfied by any process that cannot do an $a$ action, including the agent Nil. Hence a 
stronger version of EVENTUALLY, defined as EV in [Liu92], is required. This defi­
nition ensures that the argument to the fixed point variable using a strong modality 
must contain at least one label or it will fail.
Definition 41 The eventually operator EV is defined as 
$\mathrm{EV}\ P = \min(X.\ P \vee ([-]X \wedge \langle - \rangle T))$
Definition 42 A process $P \in \mathcal{P}$ is live if $\forall \alpha \in \mathcal{L}(P)$, $P$ is satisfied by the following 
formula:
$\mathrm{LIVE}\ \alpha = \Box\Diamond\langle\alpha\rangle T$
Definition 43 A process $P \in \mathcal{P}$ is strong live if $\forall \alpha \in \mathcal{L}(P)$, $P$ is satisfied by the 
following formula:
$\mathrm{SLIVE}\ \alpha = \Box\mathrm{EV}\langle\alpha\rangle T$
The strong definition of liveness proves that not only can every signal in the 
system be exercised from each state, but that it must also be fair in that no activity 
can preempt the occurrence of other signals. The possibility of service may exist, 
but the signal also may never be served.
For example, all of the signals in the distributed arbiter of Table 6.2 are live. 
However, the grant, done, and ack signals are not strongly live. The blocking na­
ture of the arbiter allows paths to be chosen which can continually select the token 
interface over the user interface of the arbiter, resulting in livelock. This is proven 
by the tests $\mathit{DINode} \models \mathrm{LIVE}\ grant$ and $\mathit{DINode} \not\models \mathrm{SLIVE}\ grant$.
As a final example, a FIFO storage management controller explained by Dill 
et al. in [DNS92] was specified using CCS in [LABS93]. The CCS specification 
is shown in Table 6.4. The circuit does not contain a complete system deadlock 
as proven by Definition 38. However, both the live and strong live definitions from 
Definitions 42 and 43 prove that the err signal can deadlock ($\mathit{GSM} \not\models \mathrm{LIVE}\ err$). A 
transition occurs in this design on err when an illegal access has occurred through 
the controller, either an underflow or an overflow of the FIFO. If the err signal cannot 
occur, then the controller is correctly specified in that aspect. This circuit will be 
examined further in Section 6.4.3.
$\mathit{GSM} \stackrel{\mathrm{def}}{=} (W \mid E \mid C0 \mid S) \setminus \{down, up, f, nf, e, gS, pS\}$
$W \stackrel{\mathrm{def}}{=} wr.nf.gS.\overline{up}.din.pS.\overline{wa}.W$
$E \stackrel{\mathrm{def}}{=} cr.ne.gS.dout.down.pS.\overline{ca}.E$
$S \stackrel{\mathrm{def}}{=} gS.pS.S$
$C0 \stackrel{\mathrm{def}}{=} down.err.\mathit{Nil} + up.C1 + nf.C0 + \overline{e}.C0$
$C1 \stackrel{\mathrm{def}}{=} down.C0 + up.C2 + nf.C1 + \overline{ne}.C1$
$C2 \stackrel{\mathrm{def}}{=} down.C1 + up.C3 + nf.C2 + \overline{ne}.C2$
$C3 \stackrel{\mathrm{def}}{=} down.C2 + up.err.\mathit{Nil} + f.C3 + \overline{ne}.C3$
Table 6.4: Specification for FIFO GSM Controller
6.4 Application Specific Invariant Properties
Application specific invariant properties are dependent on the structure and behavior 
of a circuit. There are three main classes of specific invariant properties which must 





Before embarking on the implementation of a process, the specification should be 
tested for its behavioral requirements. The interface specification for a circuit typi­
cally dictates these requirements. Behavioral testing is also required when a complex 
operation has been abstracted out of a higher level specification. Behavioral proofs 
of CCS processes are typically made using the modal-μ calculus. A good treatment of 
using the modal-μ calculus to test the behavior of asynchronous circuits can be found in [Liu92].
6.4.2 Logical Conformance
Conformance proves that an implementation or more detailed specification contains 
all of the necessary behaviors and none of the illegal behaviors of the specification. 
This is probably the most critical verification step. Conformance is automated in 
Analyze when the sorts of the specification and implementation are equivalent.
Unfortunately conformance alone may not be sufficient to guarantee an opera­
tional circuit, even when the top level behavior has been correctly specified. Certain
assumptions of correct component interfacing and utilization may need to be explic­
itly tested because (1) shared components are accessed in a distributed fashion, or
(2) the safe usage details are not contained in higher levels of the specification. The 
temporal logics of the following section fulfill these verification requirements.
6.4.3 Operational Safety Proofs
Operational conditions, (often referred to as safety constraints), must be met in the 
design of a circuit. These safety conditions are typically implementation dependent. 
For instance, when a shared bus is used, operational safety conditions require mutu­
ally exclusive access. Three types of safety conditions in asynchronous circuits will 
be discussed here. Modal-μ formulae are presented along with a proof technique that 
can verify safe operation.
Access Violations
Access violations occur when a component is improperly used. For instance, the 
FIFO controller of Table 6.4 contains an up/down counter with a legal range of 
values equivalent to the number of slots in the FIFO buffer. Illegal counter access 
occurs when the counter holds the value zero and a request is made to count down 
resulting in FIFO underflow.
This type of illegal access violation can be proven by adding a test signal to the 
specifications. The signal err (or —) is placed as a response to unsafe access in 
Table 6.4. Applying the process under question (GSM) to the NOTPOSS formula 
of Definition 44 with the error label (err) is sufficient to prove that the controller 
correctly accesses the counter so that FIFO over and underflow cannot occur.
Definition 44 Signal $\alpha$ cannot occur in process $P$ if $P$ satisfies the following for­
mula:
$\mathrm{NOTPOSS}\ \alpha \stackrel{\mathrm{def}}{=} \Box[\alpha]F$
Since $\mathit{GSM} \models \Box[err]F$, the safety condition holds and the err signal can never 
occur. Explicitly testing for most types of illegal access is not necessary when us­
ing Analyze. The NOTPOSS test in this circuit is redundant if the down.err.Nil 
actions are removed from C0 and up.err.Nil is removed from C3. Analyze can then 
automatically detect when the E or W interfaces attempt to count down or up in an 
illegal state.
Mutual Exclusion
Safety conditions are violated when illegal access occurs to a restricted or shared 
process. This safety condition can typically be verified by proving mutually exclusive 
access to the process. The modal formula of Definition 45 verifies that the two signal 
arguments do not have mutually exclusive transitions: there is some reachable state 
where both $\alpha$ and $\beta$ can transition. This formula has a dual in Definition 46 that 
proves that for all states in the system the two signal arguments enjoy the mutually 
exclusive signal transition property.
Definition 45 Signals $\alpha$ and $\beta$ have concurrent transitions in process $P \in \mathcal{P}$ if 
$P$ satisfies the following formula:
$\mathrm{CONCURRENT}\ \alpha\ \beta = \Diamond(\langle\alpha\rangle T \wedge \langle\beta\rangle T)$
Definition 46 Transitions for signals $\alpha$ and $\beta$ are mutually exclusive in process 
$P \in \mathcal{P}$ if $P$ satisfies the following formula:
$\mathrm{MUTEX2}\ \alpha\ \beta = \Box([\alpha]F \vee [\beta]F)$
Refer to the distributed arbiter definition of Table 6.2 on Page 157. When a token 
arrives at a node the controller must either handshake with the module interface or 
pass the token on to an adjacent node in a mutually exclusive fashion. Applying the 
formula $\mathit{DINode} \models \mathrm{MUTEX2}\ grant\ tout$ proves that the grant signal is mutually 
exclusive with the tout signal. The same invariant holds between the done and 
tout signals. Data input and output on the bidirectional link of the GSM circuit of 
Table 6.4 on Page 159 can likewise be proven mutually exclusive.
The above formulae have a drawback in that they only assure that the two signals 
have mutually exclusive transitions. This is sufficient for transition (or 2-cycle) 
signaling protocols, but not for four-cycle protocols, where there must be a mutually 
exclusive region between the two signals. The formula in Definition 47 assures that 
the two signals are mutually exclusive between pairs of transitions. This formula 
must be used when a mutually exclusive region is required, as is the case with four-cycle 
protocols.
Definition 47 The signals $\alpha$ and $\beta$ define a mutually exclusive region in process
$P \in \mathcal{P}$ if $P$ satisfies the following formula:
$\mathrm{MUTEX4}\ \alpha\ \beta = \max(M4X.\ [\alpha]M4A \wedge [\beta]M4B \wedge [-\alpha,\beta]M4X)$
with
$\max(M4A.\ [\beta]F \wedge [-\alpha]M4A \wedge [\alpha]M4X)$
$\max(M4B.\ [\alpha]F \wedge [-\beta]M4B \wedge [\beta]M4X)$
A specification of the analog mutual exclusion element (or ME) commonly used in 
asynchronous design is shown in Table 6.5. The above macros can be applied to this 
definition, so $\mathit{MESpec} \models \mathrm{CONCURRENT}\ r1\ r2$ and $\mathit{MESpec} \models \mathrm{MUTEX4}\ a1\ a2$ 
proves that the inputs are concurrent, and that the outputs have a four-cycle mutu­
ally exclusive region.
$\mathit{MEifc} \stackrel{\mathrm{def}}{=} r.g.\overline{a}.r.\overline{a}.\overline{p}.\mathit{MEifc}$
$\mathit{MESem} \stackrel{\mathrm{def}}{=} \overline{g}.p.\mathit{MESem}$
$\mathit{MESpec} \stackrel{\mathrm{def}}{=} (\mathit{MEifc}[r1/r, a1/a] \mid \mathit{MEifc}[r2/r, a2/a] \mid \mathit{MESem}) \setminus \{g, p\}$
Table 6.5: Mutual Exclusion Element Specification
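As an added illustration of Definitions 45 to 47 (this is not code from the thesis or from Analyze), the following Python builds a small explicit-state model of a four-cycle mutual exclusion element and evaluates CONCURRENT, MUTEX2 and MUTEX4 on it. The model is a constructed stand-in for MESpec in which the semaphore acquisition is an internal `tau` step, and OVERLAP is a constructed counterexample in which the two output transitions never coincide (so MUTEX2 holds) while one fires inside the other's region (so MUTEX4 fails), which is the drawback the text describes. The state encoding and signal names are assumptions.

```python
"""Mutual-exclusion invariants CONCURRENT, MUTEX2 and MUTEX4 on explicit LTSs
(state -> list of (label, successor) pairs; every listed state is reachable)."""
from collections import deque


def build_me():
    """Constructed four-cycle mutual exclusion element (hypothetical, not the
    thesis' MESpec): two clients r_i/a_i share one semaphore, acquired by an
    internal 'tau' step.  Client phases: 0 idle, 1 requested, 2 granted (a_i
    pending), 3 a_i high, 4 request withdrawn.  State = (phase1, phase2, free)."""
    def moves(state):
        phases, free = state[:2], state[2]
        for i in (0, 1):
            r, a, nxt = f"r{i+1}", f"a{i+1}", list(phases)
            if phases[i] == 0:
                nxt[i] = 1; yield r, (*nxt, free)            # request raised
            elif phases[i] == 1 and free:
                nxt[i] = 2; yield "tau", (*nxt, False)       # semaphore acquired
            elif phases[i] == 2:
                nxt[i] = 3; yield a, (*nxt, free)            # a_i rises
            elif phases[i] == 3:
                nxt[i] = 4; yield r, (*nxt, free)            # request withdrawn
            elif phases[i] == 4:
                nxt[i] = 0; yield a, (*nxt, True)            # a_i falls, release
    init = (0, 0, True)
    lts, todo = {}, deque([init])
    while todo:
        s = todo.popleft()
        if s not in lts:
            lts[s] = list(moves(s))
            todo.extend(t for _, t in lts[s])
    return lts, init


def enabled(lts, s):
    """Labels state s can perform: <a>T holds at s iff a is in this set."""
    return {lab for lab, _ in lts[s]}


def concurrent(lts, a, b):
    """CONCURRENT a b = ◇(<a>T ∧ <b>T) (Definition 45)."""
    return any({a, b} <= enabled(lts, s) for s in lts)


def mutex2(lts, a, b):
    """MUTEX2 a b = □([a]F ∨ [b]F) (Definition 46), the dual of CONCURRENT."""
    return not concurrent(lts, a, b)


def mutex4(lts, init, a, b):
    """MUTEX4 a b (Definition 47): explore the product of the LTS with the three
    fixed-point variables as modes (X outside both regions, A inside the a
    region, B inside the b region).  The greatest fixed point fails exactly when
    a b transition is enabled in mode A or an a transition in mode B."""
    start = (init, "X")
    seen, todo = {start}, deque([start])
    while todo:
        s, mode = todo.popleft()
        for lab, t in lts[s]:
            if (mode == "A" and lab == b) or (mode == "B" and lab == a):
                return False                                  # [b]F / [a]F violated
            if mode == "X":
                nxt = "A" if lab == a else "B" if lab == b else "X"
            else:                                             # second transition closes the region
                nxt = "X" if lab == (a if mode == "A" else b) else mode
            if (t, nxt) not in seen:
                seen.add((t, nxt)); todo.append((t, nxt))
    return True


# Constructed counterexample: a1 and a2 are never enabled in the same state, so
# MUTEX2 holds, but a2 fires inside the a1 region, so MUTEX4 fails.
OVERLAP = {0: [("a1", 1)], 1: [("a2", 2)], 2: [("a1", 3)], 3: [("a2", 0)]}

ME, ME_INIT = build_me()

if __name__ == "__main__":
    print("ME: CONCURRENT r1 r2 =", concurrent(ME, "r1", "r2"),
          "MUTEX2 a1 a2 =", mutex2(ME, "a1", "a2"),
          "MUTEX4 a1 a2 =", mutex4(ME, ME_INIT, "a1", "a2"))
    print("OVERLAP: MUTEX2 =", mutex2(OVERLAP, "a1", "a2"),
          "MUTEX4 =", mutex4(OVERLAP, 0, "a1", "a2"))
```

MUTEX4 is computed as a product exploration rather than by iterating the three fixed-point equations, which is equivalent here because the formula contains only box modalities and conjunctions: the greatest fixed point is the largest set of (state, mode) pairs with no violating successor, so it contains the initial pair exactly when no violation is reachable.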
Handshake Protocol
The final type of application specific invariant checks for violations of the asyn­
chronous handshake protocol, either due to a delayed or improper response, or a 
hazard. The following two equations are the basis for strong and weak forms of 
the handshake protocol verification. Testing both two and four cycle handshak­
ing is identical because the order of signal transitions remains the same in either 
method. Hence a single equation can be used for both protocols. The formulae in 
Definitions 48 and 49 verify the handshake protocol.
Definition 48 A process obeys the handshake protocol for the signal arguments $\alpha$
and $\beta$ when the following modal formula is satisfied:
$\mathrm{HANDSHAKE}\ \alpha\ \beta = \max(X.\ [\beta]F \wedge [-\alpha]X \wedge \Diamond\langle\alpha\rangle T \wedge [\alpha]\max(Y.\ [\alpha]F \wedge [-\beta]Y \wedge [\beta]X \wedge \Diamond\langle\beta\rangle T))$
Definition 49 A process obeys the strong handshake protocol for the signal ar­
guments $\alpha$ and $\beta$ when the following modal formula is satisfied:
$\mathrm{SHANDSHAKE}\ \alpha\ \beta = \max(X.\ [\beta]F \wedge [-\alpha]X \wedge \mathrm{EV}\langle\alpha\rangle T \wedge [\alpha]\max(Y.\ [\alpha]F \wedge [-\beta]Y \wedge [\beta]X \wedge \mathrm{EV}\langle\beta\rangle T))$
Examining these equations shows that they are defined using mutual recursion. 
Assume that req is substituted for $\alpha$ and ack for $\beta$ in Definition 48. This formula 
requires that in every state of the system the ack signal cannot occur until a req 
signal occurs, and there must be a path from every state that allows the req signal 
to occur. After the req occurs, the same test is applied to the ack signal, disallowing 
any req signals until the acknowledgment has occurred. Note in particular that if 
a process has a path where no acknowledgment can be made for a request (or vice 
versa), the handshake protocol is incorrect, and this formula will not be satisfied. 
The strong formula of Definition 49 is similar to the weak formula, except that the 
appropriate handshake response must occur on every path.
These two definitions strengthen the CYCLE definition found in [LABS93] that 
can be vacuously true when the appropriate response is not possible. For exam­
ple, CYCLE is satisfied by the Nil process, the process of Figure 6.1, and Ta­
ble 6.3 whereas none of these are satisfied by the HANDSHAKE and SHANDSHAKE 
macros. Such vacuously true results imply that the nonfunctional circuits are correct.
The handshaking formulae presented in this section can be strengthened further. 
Handshake signals, once offered, cannot be retracted. Hence handshake signals must 
be persistent [Mil65]. Definition 50 tests persistence by verifying that for all states 
where an a action is possible, that action must remain possible until taken.
Definition 50 Process $P \in \mathcal{P}$ is persistent if $\forall \alpha \in \mathcal{L}(P)$ the following formula is 
satisfied:
$\mathrm{PERSISTENT}\ \alpha = \Box(\langle\alpha\rangle T \Rightarrow \max(X.\ \langle\alpha\rangle T \wedge [-\alpha]X))$
The persistence property must be tested separately when using the handshaking 
definitions in this section. Unfortunately the persistency formula from Definition 50 
cannot be applied directly to an implementation agent. Loose specifications permit 
a large set of “don’t care” states in an implementation agent that typically will not 
satisfy Definition 50, invalidating the results. However, this definition can be applied 
to verify the persistence of specifications.
The transfer of bundled data back and forth between two components is typically 
integrated into the handshake protocol. The handshake formulae can be expanded 
to include a trio of signals, for the request, data transfer, and acknowledge, as is 
done in Definitions 51 and 52.
Definition 51 A process $P \in \mathcal{P}$ obeys the 2-cycle bundled data handshake proto­
col for signal arguments $\alpha, \beta, \gamma \in \mathcal{L}(P)$ when the following modal formula is satisfied:
$\mathrm{BDHS}\ \alpha\ \beta\ \gamma \stackrel{\mathrm{def}}{=} \max(\mathit{BDHSX}.\ [\beta,\gamma]F \wedge [\alpha]\mathit{BDHSA} \wedge \Diamond\langle\alpha\rangle T \wedge [-\alpha]\mathit{BDHSX})$
with
$\max(\mathit{BDHSA}.\ [\alpha,\gamma]F \wedge [\beta]\mathit{BDHSB} \wedge \Diamond\langle\beta\rangle T \wedge [-\beta]\mathit{BDHSA})$
$\max(\mathit{BDHSB}.\ [\alpha,\beta]F \wedge [\gamma]\mathit{BDHSX} \wedge \Diamond\langle\gamma\rangle T \wedge [-\gamma]\mathit{BDHSB})$
Definition 52 A process $P \in \mathcal{P}$ obeys the 2-cycle strong bundled data hand­
shake protocol for the signals $\alpha, \beta, \gamma \in \mathcal{L}(P)$ when the following formula is satisfied: 
$\mathrm{SBDHS}\ \alpha\ \beta\ \gamma \stackrel{\mathrm{def}}{=} \max(\mathit{SBDHSX}.\ [\beta,\gamma]F \wedge [\alpha]\mathit{SBDHSA} \wedge \mathrm{EV}\langle\alpha\rangle T \wedge [-\alpha]\mathit{SBDHSX})$
with
$\max(\mathit{SBDHSA}.\ [\alpha,\gamma]F \wedge [\beta]\mathit{SBDHSB} \wedge \mathrm{EV}\langle\beta\rangle T \wedge [-\beta]\mathit{SBDHSA})$
$\max(\mathit{SBDHSB}.\ [\alpha,\beta]F \wedge [\gamma]\mathit{SBDHSX} \wedge \mathrm{EV}\langle\gamma\rangle T \wedge [-\gamma]\mathit{SBDHSB})$
Definitions 51 and 52 can be modified to verify various types of four-cycle hand­
shake protocols.
The specification of the FIFO storage management controller of Table 6.4 con­
tains data transfers labeled as din and dout. These transfers are controlled by 
the cr/$\overline{ca}$ and wr/$\overline{wa}$ request acknowledge pairs. Since the handshake protocols 
$\mathit{GSM} \models \mathrm{HANDSHAKE}\ cr\ \overline{ca}$ and $\mathit{GSM} \models \mathrm{SHANDSHAKE}\ cr\ \overline{ca}$ and the persis­
tency properties $\mathit{GSM} \models \mathrm{PERSISTENT}\ cr$ and $\mathit{GSM} \models \mathrm{PERSISTENT}\ \overline{ca}$ can be 
verified, the read interface of the FIFO obeys the correct bundled data protocol. The 
same properties hold when testing the write interface.
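The following Python, added here and not part of the thesis or of Analyze, evaluates the liveness formulae of Section 6.3.2 (Definitions 41 to 43, with the weak DEADLOCK taken as the dual of LIVE, as the text states) and the handshake and persistence formulae of Definitions 48 to 50 as set-based fixed points over an explicit labeled transition system. The agents ARBITER, LAME, READ, STALL and RETRACT are constructed stand-ins for the thesis' DINode, LameInterface and GSM, chosen so that each formula separates a correct interface from a faulty one; their state and signal names are assumptions.

```python
"""Liveness (LIVE, SLIVE, weak DEADLOCK), handshake (HANDSHAKE, SHANDSHAKE) and
PERSISTENT checks over an explicit labeled transition system.  An LTS is a dict
state -> list of (label, successor) pairs; every state in the dict is assumed
reachable, so iterating over the dict is what the □ and ◇ operators range over."""


def enabled(lts, s):
    """Labels state s can perform: <a>T holds at s iff a is in this set."""
    return {lab for lab, _ in lts[s]}


def eventually(lts, goal):
    """◇Φ as a least fixed point: states from which SOME path reaches a goal state."""
    X = set(goal)
    while True:
        new = X | {s for s in lts if any(t in X for _, t in lts[s])}
        if new == X:
            return X
        X = new


def inevitably(lts, goal):
    """EV Φ = min(X. Φ ∨ ([-]X ∧ <->T)) of Definition 41: states from which EVERY
    path reaches a goal state.  Nil and states that can loop away for ever fail."""
    X = set(goal)
    while True:
        new = X | {s for s in lts if lts[s] and all(t in X for _, t in lts[s])}
        if new == X:
            return X
        X = new


def live(lts, a, strong=False):
    """LIVE a = □◇<a>T (Definition 42); with strong=True, SLIVE a = □EV<a>T (Definition 43)."""
    goal = {s for s in lts if a in enabled(lts, s)}
    ok = inevitably(lts, goal) if strong else eventually(lts, goal)
    return all(s in ok for s in lts)


def deadlock(lts, a):
    """Weak DEADLOCK a as the dual of LIVE a: some reachable state from which a
    can never occur again."""
    return not live(lts, a)


def handshake(lts, init, a, b, strong=False):
    """HANDSHAKE a b (Definition 48) or SHANDSHAKE a b (Definition 49), computed as
    the simultaneous greatest fixed point of the mutually recursive variables
    X (the request a is awaited) and Y (the response b is awaited)."""
    reach = inevitably if strong else eventually
    resp_a = reach(lts, {s for s in lts if a in enabled(lts, s)})   # ◇<a>T or EV<a>T
    resp_b = reach(lts, {s for s in lts if b in enabled(lts, s)})   # ◇<b>T or EV<b>T
    X, Y = set(lts), set(lts)
    while True:
        # X = [b]F ∧ [-a]X ∧ ◇<a>T ∧ [a]Y
        nX = {s for s in X if b not in enabled(lts, s) and s in resp_a
              and all((t in Y) if lab == a else (t in X) for lab, t in lts[s])}
        # Y = [a]F ∧ [-b]Y ∧ [b]X ∧ ◇<b>T
        nY = {s for s in Y if a not in enabled(lts, s) and s in resp_b
              and all((t in X) if lab == b else (t in Y) for lab, t in lts[s])}
        if (nX, nY) == (X, Y):
            return init in X
        X, Y = nX, nY


def persistent(lts, a):
    """PERSISTENT a = □(<a>T ⇒ max(X. <a>T ∧ [-a]X)) (Definition 50): once a is
    offered it stays offered until it is taken."""
    offered = {s for s in lts if a in enabled(lts, s)}
    X = set(offered)
    while True:
        nX = {s for s in X if all(lab == a or t in X for lab, t in lts[s])}
        if nX == X:
            return offered <= X
        X = nX


# Constructed agents (hypothetical stand-ins, not the thesis' DINode, LameInterface
# or GSM).  ARBITER may pass the token for ever instead of granting: every signal
# is live, but grant and done are not strongly live (starvation by livelock).
ARBITER = {"idle":    [("req", "waiting"), ("pass", "idle")],
           "waiting": [("grant", "busy"), ("pass", "waiting")],
           "busy":    [("done", "idle")]}
# LAME can drop a request and then never acknowledge it: weak DEADLOCK ack holds.
LAME = {0: [("req", 1)], 1: [("ack", 0), ("drop", 2)], 2: [("loop", 2)]}
# READ is a correct bundled-data read cycle: request cr, data dout, acknowledge ca.
READ = {0: [("cr", 1)], 1: [("dout", 2)], 2: [("ca", 0)]}
# STALL can always respond but may stall for ever first: HANDSHAKE holds, SHANDSHAKE fails.
STALL = {0: [("cr", 1)], 1: [("stall", 1), ("prep", 2)], 2: [("ca", 0)]}
# RETRACT offers ack and then withdraws it on a timeout: ack is not persistent.
RETRACT = {0: [("req", 1)], 1: [("ack", 0), ("timeout", 2)], 2: [("req", 1)]}

if __name__ == "__main__":
    for sig in ("req", "grant", "done", "pass"):
        print(sig, "live:", live(ARBITER, sig), "strong live:", live(ARBITER, sig, strong=True))
    print("LAME deadlocks on ack:", deadlock(LAME, "ack"))
    print("STALL handshake / strong:", handshake(STALL, 0, "cr", "ca"),
          handshake(STALL, 0, "cr", "ca", strong=True))
    print("RETRACT ack persistent:", persistent(RETRACT, "ack"))
```

The nested greatest fixed points of Definitions 48 and 49 are computed as one simultaneous fixed point of X and Y, which gives the same set because both variables are bound by `max`; the only thing that changes between the weak and strong form is whether the response is required on some path (`eventually`) or on every path (`inevitably`). The STALL agent shows why the distinction matters: the acknowledge is always possible, so HANDSHAKE accepts it, but a path exists on which it never arrives, so SHANDSHAKE rejects it.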
6.5 Conformance Applications
The modal-μ calculus, used extensively for application specific invariant verifications 
in Section 6.4, can be used to verify circuits. For example, the verification of a C- 
element implementation can be carried out with the modal-μ formulae in a speed- 
independent (shown in Table 6.6) and burst-mode (Table 6.7) fashion. The circuit is 
not being verified against the specification per se, but against a set of formulae that 
are constructed to model the critical behavioral aspects of the specification. In that 
sense the modal formulae themselves specify the desired behavior.
$\max(\mathit{SIC0}.\ \langle\langle a\rangle\rangle T \wedge [[a]]\mathit{SIC1} \wedge \langle\langle b\rangle\rangle T \wedge [[b]]\mathit{SIC2} \wedge [[c]]F)$
$\max(\mathit{SIC1}.\ \langle\langle b\rangle\rangle T \wedge [[b]]\mathit{SIC3} \wedge [[c]]F)$
$\max(\mathit{SIC2}.\ \langle\langle a\rangle\rangle T \wedge [[a]]\mathit{SIC3} \wedge [[c]]F)$
$\max(\mathit{SIC3}.\ \langle\langle c\rangle\rangle T \wedge [[c]]\mathit{SIC0})$
Table 6.6: Modal-μ formulae for SI C-element Verification
$\max(\mathit{BMC0}.\ \langle a\rangle T \wedge [[a]]\mathit{BMC1} \wedge \langle b\rangle T \wedge [[b]]\mathit{BMC2} \wedge [[c]]F)$
$\max(\mathit{BMC1}.\ \langle b\rangle T \wedge [[b]]\mathit{BMC3} \wedge [[c]]F)$
$\max(\mathit{BMC2}.\ \langle a\rangle T \wedge [[a]]\mathit{BMC3} \wedge [[c]]F)$
$\max(\mathit{BMC3}.\ \langle\langle c\rangle\rangle T \wedge [[c]](\min(\mathit{BMC3X}.\ \mathit{BMC0} \vee ([\tau]\mathit{BMC3X} \wedge \langle\tau\rangle T))))$
Table 6.7: Modal-μ formulae for Burst-mode C-element Verification
The formulae presented here are not as rigorous as verifications based on the 
conformance equations of Sections 5.5 and 5.6. However, the burst-mode formulae 
in Table 6.7 are more rigorous than the speed-independent formulae because they 
verify signal persistence. This is done with the strong modalities of the $\langle a\rangle T$ and
$\langle b\rangle T$ transitions in formulae BMC0, BMC1, and BMC2. The strong modalities 
assure that the associated label is persistent because it must always be capable of 
making a transition in the states that satisfy the formulae. Persistence of burst­
mode AFSMs is relatively easy to verify because the stability requirement walks the 
τ transitions after the output burst. The speed-independent formulae do not assure 
that persistency is retained in the circuits, although a more complex set of equations 
could be used which does verify this constraint. Since persistence is a necessary 
condition for an AFSM, the SI formulae by themselves are incomplete.
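As an added example (not from the thesis or from the Concurrency Workbench), the following Python evaluates the formulae of Tables 6.6 and 6.7 as simultaneous greatest fixed points over two constructed C-element behaviours, with the weak modalities interpreted in the usual way ($\langle\langle a\rangle\rangle$ and $[[a]]$ quantify over $\tau^* a \tau^*$ paths) and the strong modality $\langle a\rangle T$ demanding that $a$ be enabled in the state itself. NONPERSISTENT_C offers input $a$ only after an internal step, so the speed-independent formulae accept it while the burst-mode formulae reject it, which is the persistence point made above. The two LTSs and the `tau` label are assumptions.

```python
"""Strong versus weak modalities in the C-element formulae of Tables 6.6 and 6.7,
evaluated as simultaneous greatest fixed points over an explicit LTS.  An LTS is a
dict state -> list of (label, successor); internal actions carry the label 'tau'."""


def tau_closure(lts, states):
    """All states reachable from `states` by zero or more tau steps."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for lab, t in lts[s]:
            if lab == "tau" and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def weak_succ(lts, s, a):
    """Targets of tau* a tau* from s: the set <<a>> and [[a]] quantify over, so
    <<a>>T holds iff it is non-empty and [[a]]Φ holds iff it is a subset of Φ."""
    mid = {t for u in tau_closure(lts, {s}) for lab, t in lts[u] if lab == a}
    return tau_closure(lts, mid)


def strong_enabled(lts, s, a):
    """<a>T: a is enabled in s itself, with no tau step before it."""
    return any(lab == a for lab, _ in lts[s])


def check_si(lts, init):
    """Speed-independent formulae SIC0..SIC3 (Table 6.6): weak modalities only."""
    W = {(s, x): weak_succ(lts, s, x) for s in lts for x in "abc"}
    S0 = S1 = S2 = S3 = set(lts)                 # gfp iteration starts from all states
    while True:
        n0 = {s for s in S0 if W[s, "a"] and W[s, "a"] <= S1
              and W[s, "b"] and W[s, "b"] <= S2 and not W[s, "c"]}
        n1 = {s for s in S1 if W[s, "b"] and W[s, "b"] <= S3 and not W[s, "c"]}
        n2 = {s for s in S2 if W[s, "a"] and W[s, "a"] <= S3 and not W[s, "c"]}
        n3 = {s for s in S3 if W[s, "c"] and W[s, "c"] <= S0}
        if (n0, n1, n2, n3) == (S0, S1, S2, S3):
            return init in S0
        S0, S1, S2, S3 = n0, n1, n2, n3


def check_bm(lts, init):
    """Burst-mode formulae BMC0..BMC3 (Table 6.7): strong <a>T and <b>T in
    BMC0..BMC2 demand persistence, and after c the least fixed point
    BMC3X = min(X. BMC0 ∨ ([tau]X ∧ <tau>T)) walks the tau steps back into BMC0."""
    W = {(s, x): weak_succ(lts, s, x) for s in lts for x in "abc"}
    E = lambda s, x: strong_enabled(lts, s, x)
    taus = {s: [t for lab, t in lts[s] if lab == "tau"] for s in lts}
    S0 = S1 = S2 = S3 = set(lts)
    while True:
        X = set(S0)                              # inner lfp for the current BMC0
        while True:
            nX = X | {s for s in lts if taus[s] and all(t in X for t in taus[s])}
            if nX == X:
                break
            X = nX
        n0 = {s for s in S0 if E(s, "a") and W[s, "a"] <= S1
              and E(s, "b") and W[s, "b"] <= S2 and not W[s, "c"]}
        n1 = {s for s in S1 if E(s, "b") and W[s, "b"] <= S3 and not W[s, "c"]}
        n2 = {s for s in S2 if E(s, "a") and W[s, "a"] <= S3 and not W[s, "c"]}
        n3 = {s for s in S3 if W[s, "c"] and W[s, "c"] <= X}
        if (n0, n1, n2, n3) == (S0, S1, S2, S3):
            return init in S0
        S0, S1, S2, S3 = n0, n1, n2, n3


# Constructed C-element behaviours (hypothetical, not the agent of Table 6.8).
# PERSISTENT_C: a and b are offered directly in the idle state 0; after both have
# arrived an internal gate fires (tau) and then the output c.
PERSISTENT_C = {0: [("a", 1), ("b", 2)], 1: [("b", 3)], 2: [("a", 3)],
                3: [("tau", 4)], 4: [("c", 0)]}
# NONPERSISTENT_C: a is offered only after an internal step from state 0, so it is
# weakly (<<a>>T) but not strongly (<a>T) enabled there.
NONPERSISTENT_C = {0: [("tau", 5), ("b", 2)], 5: [("a", 1), ("b", 2)], 1: [("b", 3)],
                   2: [("a", 3)], 3: [("tau", 4)], 4: [("c", 0)]}

if __name__ == "__main__":
    for name, lts in (("persistent", PERSISTENT_C), ("non-persistent", NONPERSISTENT_C)):
        print(name, "SI:", check_si(lts, 0), "BM:", check_bm(lts, 0))
```

The inner least fixed point of BMC3 is recomputed on every round of the outer iteration from the current approximation of BMC0, which is how an alternation of `max` and `min` is evaluated by naive iteration; the outer sets only shrink, so the computation terminates.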
6.6 Performance of Analyze
Although it may be possible to automatically derive modal formulae from specifi­
cations that are sufficient to verify the behavior of an implementation, this method 
is fairly inefficient as will be shown with a simple example that is comparable with 
other applications.




$\mid \mathit{ANDNB000}[b/a, c/b, bc/c]$
$\mid \mathit{ORNB0000}[ab/a, ac/b, bc/c, c/d]$
$)\setminus\{ab, ac, bc\}$
Table 6.8: CCS Description of C-element Implementation
Table 6.8 shows the CCS definition of the AND-OR implementation of the C- 
element shown in Figure 3.6 on Page 63. The definitions of the AND and OR gates 
are library definitions which were not included for clarity. The gates are nonblocking 
definitions, indicated by the “NB” in the component name. Nonblocking gates allow 
inputs into an unstable device to change so long as the changes will not invalidate 
the pending output. For instance, as soon as one input into an OR gate asserts, the 
device becomes unstable until the output fires. Further input transitions are allowed 
without requiring the output to fire so long as at least one input remains asserted. 
The numbers ‘0’ or ‘1’ at the end of the definitions represent the initial voltage states 
of the inputs and output. Signal names in these devices start with a, b, and so on 
through the alphabet, with the last signal name being the output.
Note that this direct definition of the C-element will not parse correctly using the 
parallel composition of CCS because of the speed-independent “broadcast” nature 
of the interconnection in the a and b inputs and ~c output. Hence analysis of this 
device in the Concurrency Workbench requires the circuit to be parsed in Analyze 
first. Once the correct definition is loaded into the CWB from Analyze, Table 6.9 
shows the performance of the verifications in the CWB and Analyze.







Verification          Analyze               Modal-μ (CWB)
Speed-independent     0.2 sec (8 errors)    2 sec (False)
Burst-mode            0.2 sec (True)        9 sec (True)
Table 6.9: Performance of Analyze and Modal-μ Verifications
Verifications in Analyze are much more efficient than those using the modal-μ calculus on the 
workbench, as can be seen from Table 6.9. The difference is even more significant 
when one realizes that the workbench takes 193 seconds just to parse the C-element 
description, a number which is not included in the table! Analyze requires 0.6 seconds 
to parse the C-element description that is subsequently loaded into the CWB. Due 
to the compositional nature of the Analyze conformance verifications, this is three 
times as long as the combined parsing and verification time of 0.2 seconds.
Note that the run time for Analyze is the same whether the verification is true or 
false, but there is a significant difference in the run times using the modal-μ calculus. In 
the CWB, as soon as a formula will not satisfy the process, false is returned. When 
conformance does not hold, the current version of the Analyze prototype continues 
to evaluate the entire state space and produces a list of the failures. This points out 
the circuit failures, but requires a full run time.
The results using Analyze are also more accurate than the modal-μ formulae. For 
example, the speed-independent equations do not ensure that the implementation 
is persistent as the input signals need not remain enabled. Further, the modal-μ 
expressions are not automatically generated at this time, although they could be 
automatically produced from a specification with the proper tools.
There are several arguments against using modal formulae for specifications given 
the current software technology. Evaluation of modal equations can be quite time 
consuming with the currently available tools. For example, 401 CPU seconds were 
required to satisfy $\mathit{GSM} \models \mathrm{SHANDSHAKE}\ cr\ \overline{ca}$ on the Concurrency Work­
bench. Typically, adding fixed point constraints results in slower satisfaction results 
(which is one reason why the persistence property is not included in these macros).
Modal formulae are more difficult to understand than CCS and other represen­
tations. However, there appear to be a few standard tests and styles for those tests 
which can be made quite readable [Liu92, LABS93]. Therefore, constructing tailored 
macros and formulae shouldn’t be overly difficult given a library of case studies and 
some basic intuition. “Object oriented” representations in temporal logics are also 
less obvious than with CCS specifications. Hierarchy and structure is not modeled 
well with these formulae, so synthesis and decompositions are problematic. Finally, 
the problems to be presented in Section 7.2 must be addressed to accurately model 
hardware, as even in the above example the modal calculus could only be used after 
circuit description was parsed by Analyze.
6.7 Summary
Temporal logics are an attractive means of testing invariant behaviors of a system. 
The formulae presented in this chapter further support the verification tool Analyze 
by verifying invariant properties of specifications and implementations that cannot 
be tested hierarchically or are necessary properties of a specification. This chapter 
continues with the approach in [Liu92, LABS93] where there is a certain class of
properties, such as liveness, which must hold for all specifications and implementa­
tions. Once the basic properties hold, there are a number of additional tests which 
may be required to verify correct specifications.
The formulae presented in this thesis make the following contributions.
1. A new definition for the “liveness” of circuits was developed for labeled tran­
sition systems. This definition is also the dual of a new “deadlock” definition. 
Conceptually a circuit is live if from every state each action can be exercised. 
Conversely, a deadlock exists in the circuit if a state can be reached where some 
actions can never occur.
2. A set of modal formulae were created or strengthened that raise the level of 
abstraction for design testing. These formulae can be expressed as macros and 
applied to specifications for satisfaction. Most of the formulae are dependent 
on the sort of the processes, while others also require knowledge of the access 
assumptions of various modules.
There are only a few types of tests that are necessary for verification of most 
circuits. Most of the formulae have been developed for both transition and 
level based asynchronous handshake, as well as bundled data protocols. These 
formulae, applied in concert with Logic Conformance, are sufficient to prove a 
specification will be functional.
Temporal logics have two main drawbacks. First they are quite inefficient on the 
currently available software tools. Second, many of these formulae are only valid 
when applied to specifications because the unreachable states of an implementation 
usually invalidate the results.
Chapter 7
Synthesis and Verification using Analyze
“If every tool, when ordered, or even of its own accord, could do the work 
that befits it . . . then there would be no need either of apprentices for the 
master workers or of slaves for the lords.”
Aristotle
Verification consists of using formal models to prove that the properties of one 
specification are equivalent to the properties of another. Additional flexibility and 
simplicity of implementations can be achieved if the specifications are “loose”, which 
can be achieved by including information regarding behaviors which are necessary, 
illegal, and irrelevant. These properties can be expressed in a number of ways in 
CCS, including labeled transition system semantics and partial orders such as logic 
conformance, or temporal logics as was presented in the previous chapter.
The assumption that one of the specifications describes a physical circuit rather 
than an interface behavior requires modifications to the standard CCS model. The 
abstractions must be useful in that they simplify reasoning about the circuit, but 
they must also be accurate or no benefit will accrue from the verification process. 
Other techniques such as CCS with priority choice [Cam91] and TCCS [MT90] were 
investigated. None of these extensions to CCS resolved all of the issues, and they 
required specifications that are much more difficult to understand. The extensions 
applied to CCS as part of this thesis are accurate and simple to use.
This section describes a prototype software tool called Analyze that was devel­
oped as part of this thesis. Formal methods used in this tool can make at least three 
major contributions toward aiding engineers design circuit implementations.
1. Formally prove properties of a specification so it is well characterized before 
attempting an implementation.
2. Formally verify equivalence between an implementation and specification to 
assure a faithful implementation.
3. Aid the designer in structured hierarchical design practices to achieve verified 
top-down implementations.
These three issues, and their embodiment in a prototype tool, are covered in this 
chapter. Impediments to reasoning about certain hardware implementation levels 
and asynchronous hazard models in CCS are discussed. Changes to the restriction 
and parallel composition operators are implemented that empower CCS greater flex­
ibility for reasoning about asynchronous hardware. The relation of minimization to 
verification is described, and an efficient minimization algorithm is presented. The 
necessity of observability of agent expansion is presented in a discussion of “compu­
tation interference”. Detecting interference is required for accurate verifications, and 
is used to drive high level synthesis. The verification of correctly constructed burst­
mode specifications is developed. The usage of the software tool is then introduced 
and a small example session is presented. Finally the high level synthesis process is 
described.
7.1 The Concurrency Workbench
The Concurrency Workbench, or CWB, is a software tool which implements CCS 
semantics as described in Milner [Mol91]. It also includes many equivalences, some 
partial orders, and a set of formal logics which have been integrated into the CCS 
labeled transition system.
The CWB is extremely useful for reasoning about asynchronous circuits. Ying 
Liu’s thesis is a good initial reference on how the CWB can be applied to reasoning 
about asynchronous circuits [Liu92]. The CWB is also vital to the synthesis and 
verification approach presented in this thesis as general formal logic formulae and 
fixed point calculations cannot be entered into Analyze.
7.2 Problems with CCS and the Workbench
CCS is a general model which can be readily applied towards verification of coarse 
models and protocols, to which it has been applied with great success [Bre90, Bru92, 
Par87]. Notational simplicity and succinctness permit this higher level of abstract 
modeling in a hierarchical manner. However, it also imposes some limitations as 
there is no inductive proof system as exists in higher order logics which simplify the 
verification of replicated components such as RAM cells, latches, and so forth. Unfor­
tunately the model also imposes some limitations as to the accuracy and capability 
of modeling hardware and the various asynchronous delay models.
There are two basic approaches to this problem. The first is to live within the 
limitations of CCS while modeling hardware [LBP94]. This approach allows one 
to utilize the CWB for verifications. This approach has a number of drawbacks.
First there must be a disciplined use of the syntax to assure that the verifications 
do not model inappropriate structure. For example, judicious use of handshake 
communication is required so that choice is not being modeled. Such requirements 
are not automatically checked in the CWB and this weakens the value of verifications 
with this method. Further, the lowest level that can be modeled this way is at the 
coarse block or protocol level. Modeling AND gates and any asynchronous hazard 
model other than the delay-insensitive is not possible.
The second approach is to pinpoint the areas which prevent the accurate modeling 
of hardware gates and other asynchronous delay models, and modify CCS to support 
these requirements. This is the approach taken in this thesis and implemented in 
Analyze. Care has been taken to only modify and extend aspects necessary to 
support such features. The extensions in this thesis keep the look and feel as similar 
to CCS as possible; the modifications are nearly invisible to the user. Both standard 
CCS transitional semantics and those necessary for modeling hardware are present 
in Analyze, permitting it to accurately reason about hardware as well as retain the 
clarity of CCS specifications.
This second approach has also been taken by Milne in the development of Circal, 
a modification of CCS for verifying and modeling hardware [Mil85, MM92]. Cir­
cal is intended as a method for specifying general purpose circuit structures, and 
introduces several new syntactic symbols with new semantics. It is intended for 
synchronous systems, but recent research has applied this language to asynchronous 
circuits [Bai94]. Unfortunately, as with TCCS and other extensions to pure CCS, 
the representation of asynchronous circuits becomes cumbersome and awkward and 
it may not easily represent all the hazard models.
The remainder of this section points out the shortcomings that prevent the verification and modeling of gates and the more useful asynchronous hazard models in CCS. This thesis assumes that when reasoning about hardware components, the communication between names and conames models a physical communication link in the circuitry (typically an aluminum wire). Unless otherwise noted, the unbounded delay model is used with speed-independent verification, and equivalences are based on branching time bisimulation.
Input and Output Recognition
CCS assigns no meaning to the set of labels A and colabels Ā other than for synchronization purposes. However, physical circuits have two main terminal types - inputs and outputs - with critical differences. This difference goes beyond the complementary naming convention of CCS as can be seen by examining the equations for conformance, and static invariant checks of Section 6.3. This thesis assumes that names A always map to inputs, and conames Ā always map to outputs.
Verification
Equivalences overly restrict the freedom of design choice. The logic conformance definitions of Section 5.6 are partial orders allowing standard CCS agent descriptions to be used as loose specifications. The necessary set of actions includes all inputs and outputs exactly as they can occur in a transition diagram from the specification. The behaviors that may not occur include all output actions from any of the states in the transition diagram of the specification which do not explicitly exist. The set of irrelevant actions includes all others, as the specification guarantees that they are non-reachable.
Handshake Synchronization
The communication primitive in CCS is analogous to the handshake primitive of asynchronous circuits as both a label and colabel must be offered before a communication can occur. This handshake communication primitive in CCS can greatly simplify specifications. However, the handshaking synchronization can result in failures when modeling hardware because the synchronization rules of CCS will not allow restricted communication signals from "firing" until both the label and the colabel are offered. A physical circuit can wait arbitrarily long for an input to occur, but when an output is offered by a circuit, the physical wire is immediately driven to the new voltage level. If this two-way agreement is necessary in a physical circuit, it must be modeled by a pair of wires.
Handshaking synchronization also hides many implementation errors if specification mirroring is used for verifications as discussed in Chapter 5. The failure caused by mirroring and the handshake primitive is modeled as computation interference, which will be discussed further in Section 7.3.
Nondeterministic Choice Operator
The CCS choice operator '+' is nondeterministic. This can be exploited in specifications to simplify or clarify behaviors. However, current digital state of the art does not permit nondeterministic AFSM implementations. Nondeterministic behavior is attained through the use of analog ME elements, and even so choice is not entirely nondeterministic. The inability to reason about fairness in a CCS specification is primarily due to the nondeterministic nature of the '+' operator.
CCS choice typically models different legal trajectories that a circuit can take when parallelism or an externally determined (circuit environment) choice is possible.
Choice is necessary and can be modeled in a deterministic fashion. The burst-mode 
requirements discussed later in this chapter assure that choice is used in a fair, 
deterministic fashion in AFSMs.
Interconnection Modeling
Hardware components that are composed in parallel are considered interconnected by a wire on all matching labels and colabels. The primitive interconnection in CCS is a one-to-one event structure as can be seen by the Com3 rule of Figure 1.3. The one-to-one mapping must be possible to reason about DI and QDI delay models. CCS rules also allow numerous illegal communication structures and primitives for the DI and QDI models. For example, the CCS agent E9 ≝ (ā.A1 | a.A2 | a.A3)\{a} results in a τ transition where ā handshakes nondeterministically with either of the two a signals, evolving into (A1 | a.A2 | A3) or (A1 | A2 | a.A3). This competition for communication between sets of names and conames resulting in nondeterministic choice can greatly simplify a specification, but cannot be implemented with a wire!
Parallel Composition
Broadcast communication amongst a set of composed parallel agents, necessary for the QDI, SI, and burst-mode delay models, cannot be modeled in CCS. This is a serious shortcoming as there are very few valid delay-insensitive circuit implementations. The isochronous fork assumption and speed-independent assumptions, which permit realizable circuits, are based on a broadcast communication primitive.
Figure 7.1: Manchester Carry Chain
bi MANCHESTER-CARRY
  ( AND [g/c]
  | NOR [aorb/c]
  | NOR [g/a, aorb/b, p/c]
  ) \{aorb}
Table 7.1: CCS Description of Manchester Carry Chain
7.2.1 Parallel Conjunction
The Com transition rules in Figure 1.3 on Page 19 do not correctly model the behavior of interconnected circuits operating in parallel. Whenever inputs or outputs of a circuit contain the same name or coname, hardware convention assumes that the circuit has been connected by a communication channel. Assume the simple circuit of Figure 7.1, specified by the CCS agent in Table 7.1. The AND and NOR agents are library component specifications having inputs of a and b, and an output of c̄. Note from the diagram and table that there are four labels which can communicate via the '|' (Com) transition - a, b, g and aorb. Only the aorb signal is restricted to the local domain - the other signals need to communicate internally as well as with external agents.
There are three different actions that this circuit can make on wire g according to pure CCS using the parallel communication rule Com. The g signal can communicate independently with the environment as an input (the g transition into the NOR gate) or an output (ḡ out of the AND gate), or an internal communication between the AND and NOR gate can occur resulting in a τ transition with no interaction with the environment. When restricted with the Res transition rule, the first two actions are eliminated.
There is no possibility of the physical AND or NOR gates communicating independently with the environment as the Com1 and Com2 transition rules allow. In particular, if the AND gate is the only gate driving the g wire, then an independent input action on the g signal should not occur in absence of crosstalk and other circuit failures. All external communications from this module on wire g should also be outputs (ḡ), and will also communicate with the NOR gate. The same sort of reasoning exists for the SI or burst-mode processing of the inputs a and b, which must communicate jointly when being driven as an input to the circuit. The required transitional behavior for modeling this simple circuit under a speed-independent or burst-mode model is not possible under the CCS Com transition rules - hence new communication transition rules are necessary. Standard CCS syntax would require adding a FORK component on each of the wires a, b, and g rather than as a single wire with three connections. This represents the delay-insensitive hazard model.
New communication transition rules must allow communication between an arbitrary number of agents to model isochronous forks, speed-independent, and burst-mode hazard models. This requires a conjunctive parallel communication operator that allows broadcast-like communication.
There are two methods for formulating broadcast, or conjunctive, synchronization. One method is to define a reserved atomic action in which many agents can participate. This is the definition used in CCS, allowing dual-agent communications via the atomic action τ by synchronizing l and l̄ as an inseparable action. A second approach is to define every action to be composed of a finite set of inseparable atomic actions. As the set of actions is inseparable, they can be considered a single event that is indivisible in time. Circal takes the latter approach where every action is defined in terms of finite sets of labels, and where the combinators dictate which action sets can be synchronized [Mil85].
The desired conjunctive semantics are similar to that of Hoare's P || Q combinator in CSP, which depends on the explicitly supplied sorts of P and Q, which Hoare calls the alphabet of the agents [Hoa85]. This is an alternative method of parallel composition which could have been selected as the CCS parallel composition operator, but it is more difficult to implement because the dependency on sorts effectively results in an infinite family of operators. Hoare's '||' combinator also does not use the notion of names and conames (inputs and outputs) for communication - any set of identical characters in the alphabet can communicate. The final significant difference is that it is more natural to utilize a hiding operator (one which changes an externally observable action into an invisible action) with the '||' combinator, rather than the restriction operator of CCS (which prevents an action from occurring). The dependency on sorts can "restrict" the undesirable independent behaviors from occurring when using conjunctive communication.
A new transition rule called Conjunction (|c) is introduced that forces synchronization amongst a set of agents with similar sort labels. The transition rules are defined by inference, and are similar to the CSP operator. The dependency of one action being from the set of names A and the other from the set of conames Ā as in the Com transition rule is not required, but the input-output sense of the transition is preserved, which is not possible under the Com rules.
$$\mathrm{Conj}_1 \qquad \frac{E \xrightarrow{\alpha} E'}{E \mid_c F \xrightarrow{\alpha} E' \mid_c F} \quad (\alpha, \bar{\alpha} \notin \mathcal{L}(F))$$

$$\mathrm{Conj}_2 \qquad \frac{F \xrightarrow{\alpha} F'}{E \mid_c F \xrightarrow{\alpha} E \mid_c F'} \quad (\alpha, \bar{\alpha} \notin \mathcal{L}(E))$$

$$\mathrm{Conj}_3 \qquad \frac{E \xrightarrow{\alpha} E' \quad F \xrightarrow{\alpha} F'}{E \mid_c F \xrightarrow{\alpha} E' \mid_c F'} \quad (\alpha \in \mathcal{L}(E) \cap \mathcal{L}(F))$$

$$\mathrm{Conj}_4 \qquad \frac{E \xrightarrow{l} E' \quad F \xrightarrow{\bar{l}} F'}{E \mid_c F \xrightarrow{\bar{l}} E' \mid_c F'} \quad (l \in \mathcal{L}(E),\ \bar{l} \in \mathcal{L}(F))$$

$$\mathrm{Conj}_5 \qquad \frac{E \xrightarrow{\bar{l}} E' \quad F \xrightarrow{l} F'}{E \mid_c F \xrightarrow{\bar{l}} E' \mid_c F'} \quad (\bar{l} \in \mathcal{L}(E),\ l \in \mathcal{L}(F))$$

Table 7.2: Parallel Conjunction Transition Rules
Note that the side conditions to Conj1 and Conj2 in Table 7.2 have provided the desired "restriction" operation for interconnected hardware components. They do not allow agents to evolve independently when composed in parallel if a matching name or coname appears in a parallel agent. Conj3, Conj4, and Conj5 create the conjunctive communication. Conj3 is applied when all labels are either inputs or outputs. Conj4 and Conj5 are applied when there is a mixture of input and output labels, and the resulting transition will use an output label.
Correctly modeling hierarchical agents and observational equivalence with τ transitions must be possible when the names and/or conames are not externally accessible. The operation of creating τ transitions with conjunctive communication is one of "localizing" the interconnection between the parallel agents. Removing access to the signal from outside the current block is achieved by removing the name from the sort while allowing the effect of the action to proceed unconstrained. This new hiding operation of Table 7.3 replaces the Res operator when used with Conj.
Table 7.3: Hiding Transition Rules
When hiding, L is the set of labels that are being hidden from outside the agent. 
Intuitively, where restriction disallows the occurrence of an action, hiding disallows 
the action from interacting with the environment -  localizing it to the current agent.
The primary advantage of Conj over Com is the ability to synchronize multiple agents on a single event, an operation that is necessary for speed-independent, burst-mode and isochronous fork evaluation. For instance, the agents (P |c Q |c R) with sorts L(P) = A, L(Q) = L, and L(R) = M will result in a three-agent synchronization when the signal l, as either an input or output, is in the label sets A, L, and M. The signals a and b in the example from Figure 7.1 and Table 7.1 synchronize the AND and NOR gates with signals being driven from the environment, and the ḡ signal synchronizes the AND and the other NOR gate and drives the ḡ signal to the environment. The C-element of Figure 3.6 on Page 63 works the same way; two AND gates, one NOR, and the environment all synchronize on the output c̄. This new combinator has the effect of reducing the behavior of agents further than the Com transition rule. The rest of the calculus and proof system remains the same.
7.2.2 Analyze Parsing
To simplify the specification of agents, the parallel conjunction operator is textually specified with the same symbol, '|c', as the standard CCS parallel composition operator. The evaluation mode of Analyze will determine whether the operator uses composition ('|') or conjunctive ('|c') transition rules.
The binding power of the CCS operators places Restriction and Relabeling as the tightest binding, followed by Prefix, Composition, and finally Summation. This binding order can result in problems with a circuit definition. For example, the definition E10 ≝ a.E10'\{a} will result in an agent E10 having a sort that includes the name a ∈ L(E10). From a hardware perspective, this is an invalid sort, because the a wire will interact with the environment only outside of agent E10', while within the agent events on the wire will not propagate outside the circuit. Therefore the current version of Analyze makes a slight modification to the binding precedence of CCS to simplify the language for hardware designers by binding Prefix tightest, followed by Restriction and Relabeling, Composition, and Summation. Hence a ∉ L(E10) in the definition of agent E10 when E10 ≝ a.E10'\{a}. Parentheses should always be used to clarify any unobvious bindings. For compatibility with the CWB and CCS, future versions of the Analyze prototype will use the standard CCS binding order but will issue a warning on odd usage as listed above.
7.2.3 Circuit Connections
The general flexibility of CCS specifications permits a number of constructions that, although useful for specifications, result in errors in an implementation. The static analysis of Analyze will prove that the circuit specification does not violate physical properties of the circuit.
The following checks are applied when the conjunctive communication operator is used to ensure that the interconnections are physically correct. The sort of the parallel agents, required for conjunctive communication, is also required by these interconnection checks.
1. When all signals a in the conjunctive communication are inputs, a ∈ A, all of the agents evolve in parallel according to Conj3 on a single input transition a. Under speed-independent or burst-mode analysis, multi-way input connections are assumed correct. A warning is printed out that this particular wire is interconnected using the isochronous fork assumption - hence the analysis is quasi delay-insensitive - when analyzing a circuit in the delay-insensitive mode. The designer must make sure that the isochronous fork is necessary for the implementation.
2. More than one conjunctive communication label is an output. This is an illegal circuit interconnection because two actively driven output signals cannot handshake. This is allowed by the Conj3, Conj4, and Conj5 transition rules and is checked upon verification for correct interconnection. A diagnostic error message is printed and the verification aborted when this interconnection occurs. The current version of the Analyze prototype cannot model tristate signals as distributed agents requiring a conjunction of output drivers.
3. There is one and only one label in the conjunctive communication which is an output. In this case, the rules Conj4 and Conj5 apply, and the signal l offered to the environment is an output, l̄ ∈ Ā. The current version of Analyze prints a warning when an unrestricted (unhidden) conjunction contains one or more input signals and one output label. This is a potential site for errors in a circuit as pointed out in Section 3.3.6 because non-local delay analysis of the implementation and its environment becomes necessary to assure a hazard free implementation of such an agent. Therefore this information must be passed on to the physical layout stage.
7.2.4 Restriction and Relabeling
The following static checks of Analyze are associated with the Restriction and Relabeling transition rules. Although restriction and relabeling are not necessarily associated with the composition or conjunction operators, good design practice will relabel and restrict signals as soon as possible to avoid confusion and computational complexity. When restrictions are associated directly with a set of parallel compositions, Analyze can create and analyze the specification compositionally, which can reduce the time and memory complexity by an order of magnitude and more.
1. Restricted signals can result in deadlock. For example, if the signal b is restricted from agent E11 where E11 ≝ a.b.E11, a deadlock will occur after the a transition has occurred because the resulting behavior is equivalent to the process a.Nil. The deadlock will not occur using the semantics of hiding, and E11 ≈ E12 where E12 ≝ a.E12. Hiding is a more natural use for hardware specifications as it allows actions to occur uninhibited by the environment, whereas there is really no way to prevent a signal occurrence as with the restriction semantics.
Sometimes a component will contain a redundant or optional input or output. Simply leaving the signal unconnected results in confusion for several reasons. First, it is not clear if the module has been incompletely interconnected or if the signal is to be ignored. Secondly, different behaviors arise if the signal is removed from environment interaction with restriction or hiding. The correct way to remove the signal from consideration is to first connect the unused signal to a "signal sink" and then restrict or hide the signal from the environment. A signal sink will accept an unbounded number of signal transitions, and is sometimes called a "block of wood" with a definition WOOD ≝ a.WOOD. This makes the semantics of composition and restriction or conjunction and hiding the same, and there is no longer any confusion about the completeness of the design. Therefore, whenever a signal is restricted or hidden and it does not communicate with another agent, a warning is issued by Analyze.
2. A warning is issued if any of the labels in a restriction (hiding) or relabeling 
set are not in the sort of the bound agent. This occurrence typically results in 
circuit failures caused by a typo or an incorrect label set.
3. Verification will usually fail if the sort of the specification and the implementation are different, because extra behaviors exist in one component that do not in the other. When verifying an implementation against a specification, a warning is issued when the sorts are incompatible.
7.3 Computation Interference
Pure CCS implements compositional communication using handshake synchronization. If two agents are composed and restricted on a, then the internal τ transition can only occur when one agent offers an a transition and the other offers an ā transition. If only one of the two labels is offered, then the τ transition will not occur. This type of handshake synchronization is extremely useful for simplifying the specification of complex parallel processes [SABL93]. However, it does not model hardware well because this handshake synchronization will assume that an output will not be driven until it can be accepted by an input!
Definition 53 Computation interference exists between composed agents if
$$\bar{a}.P \mid Q \quad \text{where } a \in \mathcal{L}(Q) \text{ and } Q \not\xrightarrow{a}$$
Computation interference exists in a state where an output can fire before its 
corresponding input agents are prepared to synchronize with the output. Any circuit 
output whose firing is disabled by the handshake communication of CCS should result 
in an error.
When an agent is prepared to accept an input signal a label a ∈ A is offered. No interference occurs when the label is not matched by a colabel (output) from a parallel agent; the agent offering the input idly waits for the input to occur.
The compositional design of Analyze retains information about the parallel struc­
ture of agents and can detect when computation interference occurs in a circuit.
There are three types of computation interference which require different responses 
from the synthesis and verification procedures.
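The conjunction rules of Table 7.2, the three interconnection checks of Section 7.2.3 and the interference test of Definition 53, as an added Python example that is not the thesis's Common Lisp Analyze code. It also implements the pure CCS Com/Res rules so the page's E9 agent can be run under both semantics; agent sorts are derived from the transitions, each agent is assumed to use a wire in one sense only, and conames are spelled 'a as in Section 7.5.

```python
# Added example, not the thesis's Common Lisp Analyze code: Conj1-Conj5 (Table 7.2),
# the Section 7.2.3 interconnection checks and the Definition 53 interference test,
# beside the pure CCS Com/Res rules for contrast.  Conames use the CWB spelling of
# Section 7.5: 'a is the output (coname) matching the input (name) a.
from itertools import product

TAU = "tau"

def is_out(act):
    return act.startswith("'")                 # coname = output, name = input

def base(act):
    return act[1:] if is_out(act) else act     # the wire an action belongs to

class Agent:
    """trans: state -> list of (action, next_state).  The sort Conj needs is
    derived from the transitions (assumption: each wire is used in one sense)."""
    def __init__(self, trans):
        self.trans = trans
        self.sort = {a for ts in trans.values() for a, _ in ts if a != TAU}

def offers(agent, state, act):
    return [nxt for a, nxt in agent.trans.get(state, []) if a == act]

def with_move(states, i, nxt):
    return states[:i] + (nxt,) + states[i + 1:]

def com_step(agents, states, restricted=()):
    """Pure CCS: Com1/Com2 let one agent move alone on any unrestricted action;
    Com3 lets any ONE pair offering a and 'a handshake into tau."""
    moves = []
    for i, ag in enumerate(agents):
        for a, nxt in ag.trans.get(states[i], []):
            if a == TAU or base(a) not in restricted:
                moves.append((a, with_move(states, i, nxt)))
            for j in range(i + 1, len(agents)):
                for b, nxt2 in agents[j].trans.get(states[j], []):
                    if TAU not in (a, b) and base(a) == base(b) and is_out(a) != is_out(b):
                        moves.append((TAU, with_move(with_move(states, i, nxt), j, nxt2)))
    return moves

def conj_step(agents, states, hidden=(), mode="SI"):
    """Conjunction |c: every agent whose sort mentions a wire takes part in that
    wire's event (Conj3-5); an agent moves alone only on tau or on a wire no other
    agent knows (Conj1/2).  Hidden wires yield tau.  Returns (moves, diagnostics)."""
    moves, diags = [], []
    for i, ag in enumerate(agents):
        for nxt in offers(ag, states[i], TAU):
            moves.append((TAU, with_move(states, i, nxt)))
    for wire in sorted({base(a) for ag in agents for a in ag.sort}):
        part = [i for i, ag in enumerate(agents) if {wire, "'" + wire} & ag.sort]
        sense = {i: "'" + wire if "'" + wire in agents[i].sort else wire for i in part}
        drivers = [i for i in part if is_out(sense[i])]
        if len(drivers) > 1:                   # check 2: two outputs cannot handshake
            diags.append(f"ERROR: wire {wire} has {len(drivers)} output drivers")
            continue
        if len(part) > 1 and not drivers and mode == "DI":     # check 1
            diags.append(f"WARNING: isochronous fork assumed on input wire {wire}")
        if len(part) > 1 and drivers and wire not in hidden:   # check 3
            diags.append(f"WARNING: unhidden conjunction with an output on wire {wire}")
        choices = {i: offers(agents[i], states[i], sense[i]) for i in part}
        if drivers and choices[drivers[0]]:    # Definition 53: output fires, input not ready
            stalled = [i for i in part if i not in drivers and not choices[i]]
            if stalled:
                diags.append(f"INTERFERENCE: '{wire} offered in state {states} "
                             f"but agents {stalled} cannot accept {wire}")
        if not all(choices.values()):
            continue
        act = TAU if wire in hidden else ("'" + wire if drivers else wire)
        for combo in product(*(choices[i] for i in part)):
            nxt = states
            for i, s in zip(part, combo):
                nxt = with_move(nxt, i, s)
            moves.append((act, nxt))
    return moves, diags

# The page's E9 = ('a.A1 | a.A2 | a.A3)\{a}, constructed with start state S in each agent.
A1, A2, A3 = (Agent({"S": [("'a", "A1")]}), Agent({"S": [("a", "A2")]}),
              Agent({"S": [("a", "A3")]}))
E9 = (A1, A2, A3)

def e9_under_com():      # Com3: 'a handshakes with either a, two nondeterministic taus
    return sorted(com_step(E9, ("S", "S", "S"), restricted={"a"}))

def e9_under_conj():     # Conj: one three-way event on wire a, hidden into one tau
    return conj_step(E9, ("S", "S", "S"), hidden={"a"})

# Definition 53 in miniature (constructed): D always drives 'a, Q accepts a only after b.
D = Agent({"S": [("'a", "S")]})
Q = Agent({"S": [("b", "W")], "W": [("a", "S")]})

def interference_reports(q_state):
    _, diags = conj_step((D, Q), ("S", q_state), hidden={"a"})
    return [d for d in diags if d.startswith("INTERFERENCE")]

def two_output_drivers():   # check 2: both agents try to drive wire g
    g = Agent({"S": [("'g", "S")]})
    return conj_step((g, g), ("S", "S"))
```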
7.3.1 Interference in a Specification
High level specifications commonly contain synchronizations that contain computation interference. At this level, interference is not an error but directs the designer to synchronizations in the design that require further implementation detail. These synchronizations must be split into agents that implement the synchronization without interference. Directed hierarchical verification and refinement is partially based on the occurrence of computation interference, as discussed further in Section 7.6. This type of synchronization must not be disregarded in hierarchical decomposition by splitting it into two separate high-level specifications, or an unfaithful implementation may result.
7.3.2 Implementation Interference on an Output
Whenever computation interference occurs in processes modeling hardware components an unrecoverable error has occurred. The fault is typically the result of a hazard in the circuit, but may also be the result of the behavioral faults of an incorrect design. If the interference is caused by a design fault the circuit must be redesigned to remove the interference. If the interference is caused by a hazard in the circuit then the circuit must be redesigned, or this information must be passed on to the implementation phase so that the occurrence of the hazard can be avoided through layout engineering.
Without the ability to detect interference, hazards and behavioral faults can be hidden by the handshake synchronization of CCS. For example, the static-1 hazards revealed using speed-independent analysis of the C-element of Figure 3.6 in Section 3.3.5 can only be detected as computation interference. Without detecting interference, the unstable AND gate would block the output that also feeds back as an input until the AND gate stabilizes. This causes the OR gate to stabilize, hiding the hazard.
7.3.3 Implementation Interference on a Restricted Signal
If the implementation is a flat leaf cell, then computation interference on internal (restricted or hidden) signals is an error just as though it were an output. However, if a specification is hierarchical and the interference is caused by a hardware sub-agent, the error may be due to the unrestricted behavior of the sub-agent. Replacing the hardware sub-agent with its specification will remove the computation interference in a well designed circuit.
The crossing example in Section 7.5 uses a two level refinement because the two halves of the definition are identical. Conformance will point out interference violations in the "vehicle" specifications because the environmental restrictions have not been specified. Using the specification at that level, or a flat implementation, removes the interference.
7.4 Bisimulation and Minimization
Several aspects must be considered when designing a synthesis and verification system for asynchronous circuits, including the time and memory complexity of the algorithms, and how accurately the physical circuits are modeled. Trace based systems were the first to reason about asynchronous systems. These include systems based on CSP [Ebe88, Udd84] or variants of trace theory [Dil89]. The most appropriate equality for hardware verification should be chosen when significant advantages are apparent.
One of the features of CCS is the unique canonical representation of agents based on bisimulation semantics, achieved by merging all indistinguishable states. This merging, also called minimization, has a side effect of losing the structure of parallel and hierarchical agents in creating the canonical representation.
Minimization can be used to prove bisimilarity between agents when all of the 
states of the agents are minimized together. If the minimized states contain at least 
one state from each of the agents, then they are bisimilar. If the agents are not 
bisimilar, then all of the minimized states from each agent will be mutually exclusive 
of states from the other agent (except the special state Nil).
7.4.1 Minimization and Equivalences
Two processes are bisimilar when they are trace equivalent and determinate as shown 
in Proposition 7. Hence trace equivalence and minimization are sufficient to show 
bisimilarity amongst determinate processes. Further, two determinate processes that 
are trace conformant are also logic conformant.
Proposition 15 If I and S are determinate, then S I if S I.
Proof Going from left to right (if S I then S I) can be proven using the trace and logic conformance definitions of Definition 25 and 27. Going the other way, it is sufficient to show that
CC ≝ {(S, I) : S I and S, I are determinate}
is a logic conformance up to . Since all s-derivatives of a determinate agent are bisimilar from Definition 23, by Proposition 14 and Definition 27 it can be shown that the above relation holds. By Definitions 15 and 16 the s-derivatives of a determinate agent map to S ... S''. Since CC is a logic conformation, we also have and (S', I') ∈ CC. □
If the implementation or specification are not determinate then Logic Conformance is not implied by Trace Conformance. Typical verifications will require logic conformance, which can be calculated more efficiently than trace conformance for nondeterminate agents.
7.4.2 Minimization Algorithm
The worst case complexity of a set of parallel agents is the product of the state space 
of each of the agents. If the state space of the agents can be reduced, such as through 
minimization, then the complexity of the parallel composition can be greatly reduced 
as well. Minimization also has useful applications for bisimulation and conformance 
as shown in the previous section.
Fernandez implemented an efficient algorithm for minimizing agents using bisimulation [Fer90, PT87]. A different algorithm based on branching time bisimulation and used in Analyze is described here. The concept for minimization is to equate all states as if they were all bisimilar, and then separate any states that can be distinguished by their transitions. States with distinguishable transitions are separated out until no more distinguishing transitions can split states apart.
The minimization algorithm is calculated as follows:
1. First each state is marked with the set of labelled transitions that are possible from each state by walking all states. All possible ⇒ transitions from any state are fully specified by the state's transition set when there are no τ transitions from the state, and this set is recorded and stored. When a state contains τ transitions they are followed until a leaf node is reached where no τ transitions are possible, or until a state is reached that has already been completed or touched in this walk. The union of the set of possible transitions is returned and stored for the source state.
2. All states are initially placed into the same "bin". States that are not bisimilar from their transition sets are then split into different bins. For instance, all states that can only do an a transition are placed in one bin, all that can do an a and b transition are placed into another bin, etc.
This split will result in a maximum of 2^n bins, where n is the number of labels in the agent's sort. As an example, assume that an agent has the sort {a, b, c}. Each bin is split by the property of having each transition label in it. Those states which have the transition go in one bin, those that do not into another. Figure 7.2 conceptually shows how this split works. The input or output sense of each signal is considered significant, so transitions a and ā are separate, distinguishable transitions placed in different bins.
Figure 7.2: Initial Bin Split for Minimization
If a bin contains no states, it is removed or not created. Hence the initial partition may contain significantly fewer than the 2^n bins.
3. Following the initial split, this algorithm iteratively splits these bins using branching time bisimulation until no more splits are possible.
(a) The following steps are repeated for each bin, until all bins have been examined and no extra bins were created.
(b) Each state in the bin is walked, and a data structure is created which indicates the destination bins for each transition in the state. For example, two a transitions that go to bins 1 and 2 are recorded in an association list as (a (1 2)). The τ transitions must be walked just as in step 1 above.
(c) Each transition label is then examined. All states in the bin must have an identical set of destination bins for each transition or the current bin must be split into separate bins distinguishable by the different destination possibilities. If all association lists are identical for each transition label, the transitions in this bin cannot be distinguished and the bin is not split. The association lists must be recalculated for those transitions that have the current bin as a destination whenever a split occurs to assure that the referenced states have not been split into another bin. For efficiency, each bin is iteratively examined until no more splits can be made.
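The bin-splitting minimization of steps 1 to 3, together with the minimize-together bisimilarity test of Section 7.4, as an added Python example that is not Analyze's own Common Lisp implementation. It is run on the E11/E12 hiding-versus-restriction example of Section 7.2.4; the τ walk of steps 1 and 3(b) is confined to the state's current bin (an assumption made here so the split is the branching-bisimulation one), and the bisimilarity test compares the bins of the two start states.

```python
# Added example, not Analyze's code: bin splitting of Section 7.4.2 on an LTS given as
# a dict state -> list of (label, next_state); "tau" is the invisible action.
TAU = "tau"

def tau_walk(lts, s, bin_of):
    """States reachable from s by tau steps that stay in s's current bin (the tau
    walk of steps 1 and 3(b); confining it to the bin is this example's assumption)."""
    seen, stack = {s}, [s]
    while stack:
        u = stack.pop()
        for a, v in lts.get(u, []):
            if a == TAU and bin_of[v] == bin_of[s] and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen

def signature(lts, s, bin_of):
    """Step 3(b): the (label, destination bin) pairs s can reach; a tau step that
    leaves the bin is recorded too, so it can split the bin like a visible label."""
    sig = set()
    for u in tau_walk(lts, s, bin_of):
        for a, v in lts.get(u, []):
            if a != TAU:
                sig.add((a, bin_of[v]))
            elif bin_of[v] != bin_of[s]:
                sig.add((TAU, bin_of[v]))
    return frozenset(sig)

def minimize(lts):
    """Return state -> bin id.  Round one splits by label set (steps 1 and 2, since
    every destination is then bin 0); later rounds split by destination bins (step 3)
    until a round creates no new bin."""
    states = set(lts) | {v for ts in lts.values() for _, v in ts}
    bin_of = {s: 0 for s in states}
    while True:
        key = {s: (bin_of[s], signature(lts, s, bin_of)) for s in states}
        order = sorted(set(key.values()), key=lambda k: (k[0], sorted(k[1])))
        new = {s: order.index(key[s]) for s in states}
        if len(set(new.values())) == len(set(bin_of.values())):
            return bin_of
        bin_of = new

def bisimilar(lts1, s1, lts2, s2):
    """Section 7.4: minimize both agents together (state names assumed disjoint);
    they are bisimilar iff their start states fall into the same bin."""
    b = minimize({**lts1, **lts2})
    return b[s1] == b[s2]

# Section 7.2.4's example, constructed here as transition systems:
E11_HIDDEN = {"h0": [("a", "h1")], "h1": [(TAU, "h0")]}   # a.b.E11 with b hidden
E11_RESTRICTED = {"r0": [("a", "r1")], "r1": []}          # a.b.E11 with b restricted
E12 = {"t0": [("a", "t0")]}                                # a.E12

def hiding_matches_e12():
    return bisimilar(E11_HIDDEN, "h0", E12, "t0")          # True: E11 ~ E12

def restriction_matches_e12():
    return bisimilar(E11_RESTRICTED, "r0", E12, "t0")      # False: deadlock after a

def bins_of_unrolled_ctsem():
    """'g.p.'g.p.CTSEM has four states but minimizes to the two of 'g.p.CTSEM."""
    twice = {"c0": [("'g", "c1")], "c1": [("p", "c2")],
             "c2": [("'g", "c3")], "c3": [("p", "c0")]}
    return len(set(minimize(twice).values()))
```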
7.5 Analyze Usage Example
This section briefly shows a verification session using Analyze. Analyze is a proto­
type verification and synthesis tool written in Common Lisp. The user interface is 
designed as a set of functions that can be called after the software is loaded.
Following is a small example circuit based on a railroad crossing proposed by 
Bradfield and Stirling [BS90]. In this example, a car and a train must not be allowed 
to cross the intersection at the same time. This model is based on transitional 
semantics, so the crossing will be the transition of a label. The specification is 
derived using three parallel processes - one for the car, one for the train, and one 
for the semaphore. The semaphore acts like a “stop light”, only allowing either the 
car or the train to enter the intersection at a time. Following is the definition of the 
specification using the notation accepted by the CWB and Analyze (“bi” is used to 
name a process using the Con rule, and label complementation is represented using 
the quotation 'g rather than an overbar ḡ).
bi CAR-TRAIN-SPEC
  (CAR | TRAIN | CTSEM) \{g,p}
bi CAR car.g.'ccross.'p.CAR
bi TRAIN train.g.'tcross.'p.TRAIN
bi CTSEM 'g.p.CTSEM
This specification can be tested behaviorally and for invariant properties. The 
following tests were made in the Concurrency Workbench. The if command reads 
a file into the CWB, and the cp command is used to see if a process satisfies the 
formula.
LIVE train
*** true
cp CAR-TRAIN-SPEC
LIVE 'ccross
*** true
cp CAR-TRAIN-SPEC
LIVE 'tcross
*** true
cp CAR-TRAIN-SPEC
CONCURRENT car train
*** true
cp CAR-TRAIN-SPEC
MUTEX2 'ccross 'tcross
*** true
cp CAR-TRAIN-SPEC
HANDSHAKE car 'ccross
*** true
cp CAR-TRAIN-SPEC
HANDSHAKE train 'tcross
*** true
The specification is live, the outputs are mutually exclusive for concurrent ar­
rivals, and the handshake protocols are obeyed. The specification is not a valid 
implementation because there is computation interference on the 'g signal and there 
are multiple output drivers on the p signal.
The specification can be decomposed using a number of approaches. For the first 
pass, let’s assume that the specification is to be decomposed into specifications of
macro module components, using inverters, TOGGLEs, mutual exclusion elements 
(MEs), MERGE gates, and signal sinks (WOOD). The analog device for creating 
mutually exclusive signals is the ME element, defined in Table 6.5 on Page 164. 
Note that the ME device is a level-sensitive circuit. This means that the interface 
for this circuit must convert from transition to four-cycle logic to access the ME 
Figure 7.3: Initial Crossing Decomposition
This decomposition is specified in CCS as “CTImpl-Fails” by the following state­
ments:
bi CTImpl-Fails
  ( VehicleObv[car/in, r1/r, a1/a, ccross/out] \
  | VehicleObv[train/in, r2/r, a2/a, tcross/out] \
  | MESPEC \
  ) \{ r1, a1, r2, a2 }
bi VehicleObv
  ( MERGE[in/a, fb/b, r/c] \
  | TOGGLE \
  | WOOD[c/a] \
  | IFORK[b/a, out/b, fb/c] \
  ) \{ fb, b, c }
Since the behavior of the car and the train is the same, as can be seen from 
closer examination of the specification and Figure 7.3, the same definition can be shared. 
Relabeling is used to change the names for the correct communication interaction.
This implementation is tested by Analyze, which points out some errors. Analyze 
is written in Common Lisp, so commands must be parenthesized. Analyze is loaded 
with the load-analyze function, a file of CCS agents is read with the parse-agents 
command, and verification is carried out with the analyze function. The default 
mode uses the unbounded delay speed-independent model.
> (load "load-analyze")
> (parse-agents "car-train.ccs")
> (delay-insensitive-mode)
> (analyze '|CTImpl-Fails| 'car-train-spec)
;;; Parameters set for delay-insensitive analysis with trace verification
;;; Generating a trace-determinate specification from CAR-TRAIN-SPEC ...
;;; ... minimized spec contains 8 states
;;; ... successfully generated TD specification with 4 states
;;; Generating and trace verifying CTImpl-Fails against CAR-TRAIN-SPEC ...
ERROR! Computation interference encountered!
Signal 'r2 in agent CTImpl-Fails*
Trace: (car 'r1 train 'r2 t 'a2 'tcross ('fb) 'r2 train 'r2)
;;; The top-level agent contains 80 unminimized states
;;; The following are warnings or errors detected during analysis:
;;; - The agent contained computation interference.
;;;   If this is an implementation it is NOT conformant to
;;;   a specification. Otherwise synchronizations are incomplete
;;;   to implement the specification.
;;; - This agent contains computation interferences in some
;;;   internal subcells. This can cause an error unless it
;;;   occurs exclusively in unreachable states.
;;; - Duplicate error type messages were suppressed.
Warning:
11 errors encountered during creation of agent CTImpl-Fails*-0.
Do NOT trust the behavior of this agent!
Analyze points out a violation in this implementation that is due to a race between 
the inputs into the MERGE element. In the trace above, the feedback signal from 
the output of the TOGGLE and the train input can flip the input to the ME element 
before it has responded. This could result in a deadlock or a runt pulse on the output. 
A modification of this specification is shown in Figure 7.4.
Figure 7.4: Trace Crossing Decomposition
This implementation verifies using trace conformance but not logic conformance 
(bisimulation). Both ccross and tcross can transition concurrently, yet trace con­
formance cannot detect this because all the correct traces are generated. The final 
attempt is shown in Figure 7.5. This decomposition is trace and logic conformant 
to the specification.
Another method of implementing this circuit is to decompose the initial specifi­
cation into burst-mode specifications which conform to the specification. Figure 7.6 
is a “transition” burst-mode definition of the circuit that interfaces the environment 
with the ME element. This specification, when composed with the ME, creates 
a circuit that is verified with logic conformance against the original specification 
CAR-TRAIN-SPEC. This burst-mode specification can be directly implemented us­
ing MEAT. The interfaces from Figures 7.3 through 7.5 can be verified against this 
specification for conformance. Only the circuit of Figure 7.5 conforms to this graph.
Figure 7.5: Correct Crossing Decomposition
Figure 7.6: Burst-mode Transition Graph for Train
7.6 High Level Synthesis
This section describes a method for high level synthesis of verified circuits. This 
hierarchical synthesis starts with a specification, and applies conformance at all 
levels in the hierarchy in a top down fashion to verify the final circuit implementation 
conforms to the specification.
Unfortunately conformance is not a congruence, which could invalidate some 
results. A congruence does not hold when the initial state of the system contains 
an unstable summation. A summation is unstable when a τ transition is a possible 
action in the summation. The congruence does not hold on the summation because 
the τ transition can arbitrarily change the derivations of the initial state. Fortunately, 
it is a simple test to assure that the verification is a congruence by checking the 
stability of the initial state of the specification and implementation as a side condition 
for verifying conformance.
The high level synthesis method presented here is targeted for high performance 
VLSI implementations. This is a directed synthesis system that requires the talent 
of an engineer to choose amongst the myriad of architectural choices such as par­
allel versus serial, area and time tradeoffs, etc. A major advantage of this system 
over other directed synthesis systems is the ability to verify correct implementations 
rather than just assume that the implementations are correct by construction or by 
simulations. This would have detected the deadlock and other problems that existed 
in the initial Post Office design.
Figure 7.7 shows the method for high level synthesis that is supported by Analyze. 
This synthesis system produces a set of communicating burst-mode state machines 
as leaf nodes. Software tools that support each labeled operation are named in 
parentheses.
The first synthesis step requires an informal description to be transformed into 
a formal specification such as CCS. The informal definition is typically an infor­
mal natural language description of the interface or circuit behavior, or an informal 
description using block diagrams, state diagrams, or timing diagrams. An object 
oriented style of formalizing parallel specifications is described in [SABL93].
The formal description should be tested to ensure that it is correct before em­
barking on an implementation, as described in [Liu92]. If the implementation fails 
the property or behavioral tests, the formal description should be modified and re­
tested. The design should be made as loose as possible such that it does not violate 
design constraints, yet leaves as much flexibility as possible for design decisions.
Figure 7.7: Synthesis Procedure
When the designer is satisfied that the loose specification meets the design con­
straints, the specification must be refined into an implementation. A specification 
must be refined under three circumstances:
1. The implementation has hidden the complexity of an internal behavior.
2. There is a communication which cannot be implemented as specified.
3. The specification cannot be implemented as a burst-mode state machine.
If complexity has been hidden -  such as modeling an addition operation with 
the communication label ‘add’ -  then the implementation details of the operation 
will need to be specified. The second cause for refinement is an illegal communica­
tion which cannot be implemented. These illegal communications occur in a circuit 
as computation interference, described in Section 7.3. Finally, the implementation 
can be tested as a valid burst-mode state machine. If the implementation verifies 
as a valid burst-mode specification, a circuit can be synthesized directly from the 
specification.
If the specification is not a valid burst-mode state machine, then it will need to be re­
fined into a set of parallel subspecifications. These refined subspecifications will then 
be tested for conformance against the specification. If the parallel subspecifications 
do not conform to the specification, the subspecifications will need to be modified 
until they are correct. If the designer cannot find any way to correctly implement 
the specification, the designer will need to move up one level in the hierarchy, and 
create a new refinement for that level. All verifications that were dependent on the
modified refinement must be invalidated and reverified against the new agents. This 
backtracking can also be used to investigate alternate design approaches.
When the specification is a valid burst-mode definition, the circuit should be 
synthesized and then verified for hazards. Typically the hazards can be removed by 
the techniques presented in Section 3.7. If no hazard free implementation can be 
created, the hazard must be controlled in the layout, place, and route steps. Once the 
circuit has been placed and routed, layout information should be passed up through 
the system as back annotations. The Analyze system cannot currently utilize back 
annotated information such as delays, performance, or power consumption figures.
7.7 Burst-mode State Machine Verification
Decomposition is necessary under three circumstances as indicated on Page 206. 
Computation interference points out unimplementable handshakes, and the designer 
should be aware of when a complex operation has been modeled abstractly. The 
third condition for decomposition occurs when an agent is not a valid burst-mode 
specification. Terminal burst-mode specifications can be directly implemented if they 
conform to the rules from Section 4. The following steps are necessary enhancements 
to Analyze to verify that an agent is a legal burst-mode specification.
1. Inputs and outputs cannot be concurrently enabled (Rule 1).
2. Input bursts must be confluent (see Definition 24) and may not be empty 
(Definition 1).
3. Output bursts may be empty and need not be confluent (Definition 2).
4. There must be an even number of transitions for each label in the sort of the 
agent (Rule 7).
5. The AFSM is closed and determinate (Rule 8).
6. The environment will enable only a single input burst from any state (Rule 9).
The first two steps ensure that inputs and outputs are segregated into bursts, and 
that the bursts are semi-modular. The first step can easily be checked mechanically 
for any agent, independent of its sort. However, it is very difficult to determine from 
an arbitrary agent specification what constitutes a valid input burst, particularly 
when output bursts may be empty. By adhering to the burst-mode notational ex­
tension to CCS presented in Table 4.1, bursts can easily be specified and Analyze 
guarantees that the transition is confluent and semi-modular by generating all the 
necessary interleavings. Verifying the confluence of input bursts is implemented as 
part of Analyze, so it is the responsibility of the designer to use the burst-mode no­
tation or assure that the interleavings are correctly specified such that burst-mode 
is obeyed.
According to Definition 2, the output burst need not be confluent. Since all 
input bursts must be confluent, all interleavings of outputs can be accepted. If 
a circuit only generates a subset of those interleavings, the system will continue 
to operate properly. This makes specifications much looser resulting in increased 
design freedom. However, this presents a problem for verification. Specifications 
will typically generate all output burst interleavings. If the implementation does not 
produce all these interleavings, it will not conform to the specification according to 
conformance (Definitions 25 and 30). Currently the specification must be modified to
reflect the subset of the interleavings that the implementation will produce. Further 
research is required to allow logic conformance to automatically verify circuits where 
the interleavings of output bursts are subsets of the specification.
Current technology requires that burst-mode state machines are deterministic. 
Arbitration must be accomplished with an arbiter or mutual exclusion element.
Proposition 16 A determinate agent will obey Rule 8 in Section 4.6, which guar­
antees that from any given state, there will not be two burst-mode transitions where 
the labels of one transition are a subset of the other.
Proof By Definition 23, any s-derivative must result in bisimilar states. By 
Definition 1, if one burst is a subset of another then the same sequence s of observable 
actions must be possible in both bursts. If the agent is determinate, then these 
sequences $P \stackrel{s}{\Rightarrow} P'$ and $P \stackrel{s}{\Rightarrow} P''$ must arrive at the same state since $P' \sim P''$. Hence 
Rule 8 must hold as the subsequence can only be part of the longer input burst. □
Therefore, verifying that a circuit specification is determinate is sufficient to 
assure Rule 8 holds.
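An added Python example (not Analyze's code) of the mechanical checks listed in the steps above and of Proposition 16: a burst-mode machine, given as a list of bursts per state, is expanded into every input-then-output interleaving, and the expansion is checked for Rule 1 and for determinacy, with the nested-burst condition of Rule 8 also checked directly on the bursts. The burst representation (per-state tuples of input set, output set, next state) and the three small machines are constructed for illustration and are not from the thesis.

```python
"""Added example (not Analyze's code): expand a burst-mode AFSM into all of
its input/output interleavings and check burst-mode legality conditions."""


def _after_input(afsm, s, k, done):
    """Target state once the inputs in `done` of burst k have fired."""
    ins, outs, nxt = afsm[s][k]
    if done != ins:
        return ("i", s, k, done)              # input burst still in progress
    return ("o", s, k, outs) if outs else ("s", nxt)


def expand(afsm):
    """afsm: state -> list of (input_burst, output_burst, next_state).
    Returns an LTS, dict state -> set of (label, successor), in which inputs of a
    burst fire in every order and are followed by the outputs in every order.
    Expanded states are tagged tuples: ("s", q) for an AFSM state q,
    ("i", q, k, done) inside input burst k, ("o", q, k, remaining) inside
    its output burst. Output labels carry the quotation prefix, 'x."""
    lts, todo = {}, [("s", q) for q in afsm]
    while todo:
        st = todo.pop()
        if st in lts:
            continue
        moves = set()
        if st[0] == "s":                      # any burst may start with any of its inputs
            for k, (ins, _, _) in enumerate(afsm[st[1]]):
                for i in ins:
                    moves.add((i, _after_input(afsm, st[1], k, frozenset([i]))))
        elif st[0] == "i":                    # remaining inputs of this burst, any order
            _, q, k, done = st
            for i in afsm[q][k][0] - done:
                moves.add((i, _after_input(afsm, q, k, done | {i})))
        else:                                 # remaining outputs of this burst, any order
            _, q, k, remaining = st
            for o in remaining:
                left = remaining - {o}
                moves.add(("'" + o, ("o", q, k, left) if left else ("s", afsm[q][k][2])))
        lts[st] = moves
        todo.extend(t for _, t in moves)
    return lts


def is_input(label):
    return not label.startswith("'")


def rule1_violations(lts):
    """Rule 1: no state may enable an input and an output at the same time.
    Works on any LTS, independent of its sort."""
    return [st for st, moves in lts.items()
            if any(is_input(a) for a, _ in moves)
            and any(not is_input(a) for a, _ in moves)]


def nondeterminate_states(lts):
    """Proposition 16: a state with one label leading to two different successors
    is reported. This is conservative with respect to Definition 23, which would
    still accept such successors if they were bisimilar."""
    bad = []
    for st, moves in lts.items():
        targets = {}
        for a, t in moves:
            targets.setdefault(a, set()).add(t)
        if any(len(ts) > 1 for ts in targets.values()):
            bad.append(st)
    return bad


def subset_bursts(afsm):
    """Rule 8 stated directly on the bursts: pairs of bursts from one state whose
    input label sets are nested (the i-th is a subset of the j-th)."""
    return [(q, i, j) for q, bursts in afsm.items()
            for i, (a, _, _) in enumerate(bursts)
            for j, (b, _, _) in enumerate(bursts)
            if i != j and a <= b]


# Constructed two-request handshake: req1 and req2 arrive in either order, then
# both acknowledgements are produced in either order, and the machine returns.
GOOD = {0: [(frozenset({"req1", "req2"}), frozenset({"ack1", "ack2"}), 0)]}

# Constructed violation of Rule 8: in state 0 the input burst {a} is a subset
# of {a, b}, so the first a cannot be attributed to one burst.
SUBSET = {0: [(frozenset({"a"}), frozenset({"x"}), 1),
              (frozenset({"a", "b"}), frozenset({"y"}), 2)],
          1: [(frozenset({"c"}), frozenset(), 0)],
          2: [(frozenset({"c"}), frozenset(), 0)]}

# Constructed plain LTS (not burst-mode) enabling input a and output 'x together.
MIXED = {"p": {("a", "q"), ("'x", "q")}, "q": set()}

if __name__ == "__main__":
    print("GOOD: states", len(expand(GOOD)), "nondeterminate", nondeterminate_states(expand(GOOD)))
    print("SUBSET: nested bursts", subset_bursts(SUBSET),
          "nondeterminate", nondeterminate_states(expand(SUBSET)))
    print("MIXED: Rule 1 violations", rule1_violations(MIXED))
```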
CCS is a transition based protocol, whereas digital logic is bistable. Therefore 
some preprocessing, mentioned in step 4 (from Rule 7 on Page 93), may be necessary 
to create a specification that can be directly synthesized using MEAT. This rule 
assures that the correct rising and falling of voltage levels is specified.
The final requirement for burst-mode state machines assures that, when there 
are multiple input bursts available from a single state, the bursts are driven by the 
environment in a mutually exclusive fashion. This cannot be verified by examin­
ing the state machine independently, but requires analysis of the environment of
the state machine. The mutual exclusivity of bursts will automatically be detected 
when verifying the circuit in its environment if and only if the signal transitions in 
all other bursts are not enabled in the destination states. Otherwise Analyze cannot 
automatically verify the mutually exclusive burst requirement. For example, if the 
state fragment in Figure 7.8(a) is composed into a circuit that produces a and b 
concurrently, then computation interference will occur in states 1 and 2. Analyze 
cannot automatically verify mutual exclusivity on a and b provided by the environ­
ment to the fragment of Figure 7.8(b) because state 1 can make a b transition and state 2 
can make an a transition.
Figure 7.8: Environmental Burst Constraints
The MUTEX2 macro of the Modal-μ calculus defined in Chapter 6 can be used 
when conformance cannot determine mutual exclusivity of the bursts. Unfortunately 
the specifications need to be modified for this test. The completion of the bursts in 
question will each signal completion to the TEE component, and the T output of the 
TEE will be connected following the final signal in the burst. The b signal indicates 
completion of the burst. The component is then placed into the circuit environment, 
and if the b signals of the bursts in question are not mutually exclusive, then the 
environment supplies the bursts concurrently.
TEE =  a.b.c.TEE  (7.1)
For example, the burst-mode specification of the circuit in Figure 4.4 on Page 97 
does not require the application of modal-μ formulae to its environment. The only 
state with a choice of transition bursts is state 4. Since state 5 cannot accept a transi­
tion on deliver, concurrently presenting deliver and ack-send will result in computa­
tion interference on deliver in state 5. However, the nonblocking arbiter specification 
of Figure 4.3 on Page 94 will not show computation interference because all inputs 
are valid transitions in every state. Compose a TEE between states 0 and 1 and 
states 0 and 4 and compose the circuit with its environment. The MUTEX2 formula 
will not be satisfied by the resulting circuit, showing that the environment is not well 
behaved for this AFSM. Therefore, as discussed in Section 4.5, the SEQUENCER 
circuit needs to shield this AFSM from concurrent input changes supplied by the 
environment.
7.8 Summary
The CCS calculus is an extremely concise and useful language for specifying parallel 
asynchronous circuits, particularly when the specifications are created in an object- 
oriented style based on the parallel composition operator. CCS is also amenable to 
automatic proof systems due to the succinctness of the language, and proof systems 
are implemented in the Concurrency Workbench and the Analyze tool of this thesis. 
The attention to structural aspects of concurrent design support accurate hierarchical 
circuit synthesis.
Pure CCS cannot model and reason about circuit specifications at the 
device level due to handshake communication. These problems were discussed, and 
solutions were proposed and implemented in a software prototype CAD tool called 
Analyze. Unfortunately some of these solutions required slight changes to the tran­
sitional rules of CCS; in particular the parallel composition operator was redefined 
in terms of a parallel conjunctive composition. The changes impact the basic CCS as 
minimally as possible, solely changing aspects where accuracy or simplicity of mod­
eling hardware systems would be compromised. These modifications were all made 
as transparently as possible, by pushing the complexity of the changes, such as in 
the composition operator, into the Analyze tool rather than burdening the designer 
with more additional notation.
These modifications support a powerful synthesis and proof tool for asynchronous 
circuits. Invariant analysis of specifications was presented. These are divided into 
sets which can be carried out independent of a specification’s structure, and those 
that are dependent upon the behavior and component interactions. Definitions and 
formulae were presented for the hierarchical verification of circuits based on invariant 
analysis. The computational speed of Analyze is much improved over the Concur­
rency Workbench, as many common applications including minimization require an 
order of magnitude less CPU time to complete. Analyze attains this performance 
advantage through compositional algorithms and by a more restricted applicability.
A high level synthesis procedure based on Analyze is presented that can synthesize 
verified circuit implementations in a top-down fashion. This procedure is targeted at 
implementations comprising communicating burst-mode state machines. The steps 
for validating a correct burst-mode specification are also described.
The major contribution of this chapter is the software prototype CAD tool de­
veloped for the verification and synthesis of asynchronous circuits. Although there 
is still work to do, such as supporting hierarchical burst-mode verification and im­
proving performance, this tool has proven very useful to myself and others who have 
exercised its capabilities [vG94]. This tool, along with a short user manual and set 
of examples, has been made publicly available via ftp.
The remainder of this chapter notes some of the contributions that are part of 
the Analyze tool and synthesis philosophy.
1. A prototype tool has been developed for supporting the hierarchical, top-down 
synthesis and verification of asynchronous systems. The hazard modeling of 
Analyze is more rigorous than in other tools.
2. Analyze includes all of the common delay models: delay-insensitive, quasi 
delay-insensitive, speed-independent, and burst-mode. When a violation oc­
curs, signal backtraces are included to aid the designer in determining the cause 
of the fault.
3. Analyze includes multiple equivalences. Currently, complete trace seman­
tics and branching time bisimulation semantics have been defined as “con­
formances” .
4. A designer directed hierarchical top-down synthesis methodology has been de­
veloped.
5. A new parallel composition operator, called parallel conjunction, has been 
defined and implemented. The restriction operator for parallel composition
has been changed to use hiding semantics for the conjunction operator as this 
operator restricts independent actions as a side condition.
6. The definition of computation interference is created for labeled transition sys­
tems. This is an extension of CCS transition semantics, and is the backbone 
of the verification and synthesis systems developed for this thesis.
7. The steps required for the verification of correct burst-mode specifications is de­
veloped and spelled out. This is necessary for the top-down synthesis method­
ology.
8. An efficient algorithm for state minimization and branching time bisimulation 
is presented in this chapter, and implemented in Analyze.
Chapter 8
Conclusions
“It has long been my personal view that the separation of practical and 
theoretical work is artificial and injurious. Much of the practical work 
done in computing, both in software and hardware design, is unsound and 
clumsy because the people who do it do not have any clear understanding 
of the fundamental principles underlying their work. Most of the abstract 
mathematics and theoretical work is sterile because it has no contact with 
the real computing. One of the central aims of the PRG, as a teaching and 
research group, has been to set up an atmosphere in which this separation 
cannot happen.”
C. Strachey 1974
Perhaps the most significant result of this thesis has been my metamorphosis from 
a “devil’s advocate” railing against the lack of utility and maturity of formal methods 
for circuit design into a devotee. The simplicity of CCS syntax and semantics are 
the foundation of my newly acquired interest. It is a specification notation that 
is natural for designers and engineers and is one with which formal proofs can be 
carried out automatically.
Chills go down my spine when I recall the “old ways” of simulation and the 
months I spent modifying simulation sequences in the Post Office and manually in­
specting state machines in an attempt to discover the cause of a deadlock. However,
the most significant advantages of verification have yet to move from the concep­
tual, intellectual, and theoretical domains into the labs of engineers. The success of 
this work is, in a way, battling a two headed dragon as both formal methods and 
asynchronous design must become mainstream for this to happen.
If the momentum behind the work in simulation and clocked systems is to be 
stemmed and turned, significant advantages of other techniques must become appar­
ent. The conceptual advantages of verified asynchronous systems have been espoused 
here and in other works. The momentum will change only if practical solutions to ev­
eryday engineering problems are available. These practical solutions will only come 
about today through the synergy of merging theory, software engineering, and circuit 
design in the form of a toolkit. The prototype Analyze tool of this thesis is a first 
stab at a practical workbench for the synthesis and verification of industrial strength 
asynchronous integrated circuits.
8.1 Challenges
Significant challenges must be addressed before verification becomes widely used. 
This section quickly covers some of the areas where further work is required to 
facilitate these concepts.
8.1.1 Complexity
Invariant analysis inevitably requires that all states be examined. The performance 
of verification techniques is, through the complexity of the algorithms, directly propor­
tional to the size of the agents being examined. Further, the state space of parallel
systems grows as the product of the parallel terms. The difficulty of controlling such 
consuming complexity becomes apparent when one considers a simple example. The 
nacking (or blocking) arbiter implementation of the Post Office requires a sequencer 
- a library component for many of the macro module based asynchronous synthesis 
systems. My implementation contains four ME's, 12 2-input NAND gates, six in­
verters, and two set-reset flip flops. The overall complexity of such a rather simple 
circuit is $16^4 \times 8^{12} \times 2^6 \times 8^2 = 18,446,744,073,709,551,616$ states (which exceeds 
the address size of a 64 bit architecture). This is typically referred to as the “state 
explosion problem”. Some approaches to reducing the complexity are discussed here.
Compositional Tools
Significant improvements in performance can be achieved with compositional 
algorithms. Much of the performance gains of Analyze over the Concurrency Work­
bench can be attributed to its compositional style.
For example, let's review the comparison between Analyze and the CWB for 
the simple C-element circuit from Section 6.5. This design contains three 2-input 
AND gates and a three-input OR gate (or in a CMOS implementation three 2-input 
NAND gates and one 3-input NAND gate). This parallel implementation is bounded 
by $8^3 \times 16 = 8192$ states. The workbench's non-compositional algorithms create all 
8192 states in parsing the circuit, expending 193 CPU seconds. Analyze, which 
creates the circuit compositionally, only creates the 36 restricted states, requiring 
0.6 seconds of computation time. Verification is also compositional in Analyze, and 
is more efficient than parsing. The verification of the C-element using the burst­
mode hazard model takes 0.2 seconds of CPU time and touches 23 states as these 
states conform to the four states of the specification.
Hierarchy and Other Mechanisms
Optimally there would be some means of hiding the complexity of parallelism 
from engineers to the extent that large systems could be verified efficiently. Other 
simple and obvious techniques have been used by the Analyze prototype, such as 
hashing. More complicated techniques, such as applying induction techniques to 
regularly interconnected arrays of components, BDD type representations, and more 
efficient algorithms may achieve some limited success for controlling complexity.
However, due to the inherent exponential state explosion of parallel components, 
careful hierarchical decomposition will always remain a fact of life in highly parallel 
architectures. Although CCS facilitates this by accurately modeling the observable 
effects of components throughout all levels in the hierarchy, controlling complexity 
through this process of decomposition can be very challenging, particularly when 
the obvious partitions are just too large to verify. For example, even verifying the 
implementation of the sequencer referred to above requires hierarchical modeling.
8.1.2 Tool Support
Unfortunately, designers of industrial strength asynchronous VLSI circuits have been 
forced to produce chips without sufficient tool support. Without such assistance, 
the cost and possibility of errors is too great for asynchronous circuit design to become 
mainstream.
An applicable theory that has not been put to work simplifying or solving prob­
lems has been squandered. The practical application of the theories presented here, 
that are in themselves based on the founding work of others, is embodied in a soft­
ware prototype that is freely available via anonymous ftp. The work herein is a
first step toward the ultimate application of these principles in the rapid creation of 
verified integrated circuits from an asynchronous designer's workbench of tools.
8.2 Analyze Critique
The application of the principles in this thesis is somewhat limited in scope. Value 
passing has not been implemented as part of the core CCS transition rules. This re­
sults in a dichotomy of effective applicability of CCS toward circuit design. It can be 
very efficient for verifying control, yet quite inefficient for datapath logic. Fortunately 
this melds well with the asynchronous design style I have developed over the years. 
Regular datapath logic is fairly easy to design correctly and is of universal applica­
bility, whereas correctly designing custom control can be very challenging. Therefore 
this method has only been used to verify control and the datapath interfaces.
Complete verification currently requires the use of the Concurrency Workbench (CWB) as well as Analyze. Whenever the satisfaction of application-specific temporal equations is required, as in certain cases to verify mutually exclusive environmental behavior of some input bursts, the CWB must be used. The current Analyze prototype does not yet implement universal invariant tests such as liveness. It would be convenient to add to the Analyze tool the capability of verifying liveness and the process logics presented in this thesis.
The multi-way synchronization of the conjunction operator, trace conformance, 
and computation interference capabilities of Analyze allow it to couple the simplicity 
of the CCS syntax with the ability to accurately model and verify circuits.
The textual and function-based user interface of Analyze is rather weak. There are no programs that can generate textual CCS descriptions from schematic drawing tools. The tool also contains some theoretical flaws from the (too) early implementation of logic conformance that produce erroneous results under certain conditions. There are also some inflexibilities forced upon specifications by the parser.
One of the largest deficiencies lies in the incompleteness of some essential aspects of the tool. Trace conformance is computed directly, but logic conformance is not. Checking whether an agent definition is a valid burst-mode specification has not yet been implemented. Hierarchical verification of burst-mode controllers has not yet been implemented, although the theory is complete. Unfortunately this has postponed the goal of verifying major portions of the Post Office implementation. The synthesis procedure is not fully supported, as there is no bookkeeping method for tracking the validity of verifications over many hierarchical levels, and annotation is neither stored nor used. A more automated system of estimating complexity to aid in directed decomposition would greatly reduce the designer's workload. Transistor-level and tristate models have not been developed; hence complex gates must be characterized externally and their behavior imported into Analyze before they can be used.
8.3 Future Directions
My assessment is that CCS is a very promising foundation for the formal verification and synthesis of asynchronous circuits. The simplicity of the model is both a feature and an impediment. Specifications can be concise, parallel, and "object oriented". The conjunctive transition rules allow most hardware components to be directly modeled. However, datapath logic is not modeled efficiently. Verification of regular datapath processes such as RAMs, multipliers, registers, etc. can be carried out much more efficiently with HOL or other inductive proof techniques. The CCS formalism is very similar to the asynchronous design style in that it seems to vastly simplify the difficult aspects of design (control verification), whereas the easier tasks such as datapath module verification are neither easily nor efficiently automated.
Typical tradeoffs exist between a simple, efficient, restricted model and a broadly applicable, unwieldy, and less efficient one. The ramifications of such tradeoffs seem to have a greater impact on performance and on the ability to achieve the desired goals (proof automation) than they do with other tools such as programming languages and simulation-based circuit models. Most tools based on labeled transition systems that have been broadened in scope seem to lose the clarity and simplicity of the underlying proof system without acquiring offsetting benefits when applied to asynchronous systems. Such broader systems may not be simple or powerful enough to rival other more complex logic theorem proving systems such as HOL.
A better approach may be to make CCS and labeled transition system tools such as Analyze companions to HOL or VHDL, applying each method to solve problems in its particular area of expertise. The inductive abilities of HOL can rapidly prove the correctness of datapath logic, whereas Analyze is more amenable to proving the correctness of control circuitry. VHDL could be used as the back end for circuit simulation and as the specification language for automatic synthesis, as well as to interface with the place and route software available from vendors today. Contact has already been made between VHDL and HOL [vT93]. Unfortunately such a cooperation would most likely be difficult and only operate on a subset of the syntax of the more general systems. I would very much like to investigate the feasibility of such a cooperative tool.
This first prototype has proven its worth in the small set of applications to which 
it has been applied. Hopefully it will serve as a stepping stone for a second generation 
prototype. I would like to continue my work on the software engineering in this tool, 
fix the faults, improve the algorithms and runtime performance, and complete the 
open areas. The real test will come when this methodology is applied to an industrial 











[AG92] Venkatesh Akella and Ganesh Gopalakrishnan. SHILPA: A High-Level Synthesis System for Self-Timed Circuits. In International Conference on Computer-Aided Design (ICCAD-92), pages 587-591, 1992.
Henrik Reif Andersen. Verification of Temporal Properties of Concurrent Systems. PhD thesis, Aarhus University, Denmark, June 1993.
Andrew Michael Bailey. Modeling, Design and Analysis of Digital Circuits Using Circal. PhD thesis, University of Strathclyde, September 1994.
H. B. Bakoglu. Circuits, Interconnections, and Packaging for VLSI. Addison-Wesley, 1990.
J. A. Brzozowski and J. C. Ebergen. On the Delay-Sensitivity of Gate Networks. IEEE Transactions on Computers, 41(11):1349-1360, November 1992.
P. Beerel and T. H.-Y. Meng. Automatic Gate-Level Synthesis of Speed-Independent Circuits. In International Conference on Computer-Aided Design (ICCAD-92). IEEE Computer Society Press, November 1992.
G. Brebner. A CCS-based Investigation of Deadlock in a Multi-process Electronic Mail System. Technical Report, University of Edinburgh, 1990.
Erik Brunvand. Translating Concurrent Communicating Programs into Asynchronous Circuits. PhD thesis, Carnegie Mellon University, 1991.
G. Bruns. A Case Study in Safety-Critical Design. Technical Report ECS-LFCS-92-239, Edinburgh University, 1992.
Erik Brunvand. Designing Self-Timed Systems using Concurrent Programs. Journal of VLSI Signal Processing, 7, 1993. Special issue on asynchronous circuits.
[Bru93b] Erik Brunvand. The NSR Processor. In Proceedings of the 26th International Conference on System Sciences, Maui, Hawaii, January 1993.










E. Brunvand and R. F. Sproull. Translating Concurrent Communicating Programs into Delay-Insensitive Circuits. In Randall Bryant, editor, International Conference on Computer-Aided Design (ICCAD-89), pages 262-265. IEEE Computer Science Press, 1989.
J. Bradfield and C. Stirling. Verifying Temporal Properties of Processes. In J. C. M. Baeten and J. W. Klop, editors, Concur 90: Theories of Concurrency, Unification, and Extension, number 458 in Lecture Notes in Computer Science, pages 115-125. Springer Verlag, 1990.
Juanito Camilleri. Priority in Process Calculi. PhD thesis, University of Cambridge, March 1991.
Carnegie-Mellon University. User's Guide to COSMOS.
Henry Y. H. Chuang and Santanu Das. Synthesis of Multiple-Input Change Asynchronous Machines using Controlled Excitation and Flip-Flops. IEEE Transactions on Computers, C-22(12):1103-1109, December 1973.
W. S. Coates, A. L. Davis, and K. S. Stevens. Automatic Synthesis of Fast Compact Self-Timed Control Circuits. In IFIP Working Conference on Design Methodologies, pages 193-208, April 1993.
W. S. Coates, A. L. Davis, and K. S. Stevens. The Post Office Experience: Designing a Large Asynchronous Chip. Integration, the VLSI Journal, 15(3):341-366, October 1993. Special issue on asynchronous systems.
Tam-Anh Chu. Synthesis of Self-Timed VLSI Circuits From Graph-Theoretic Specifications. PhD thesis, Massachusetts Institute of Technology, September 1987.
Tam-Anh Chu. CLASS: A CAD System for Automatic Synthesis and Verification of Asynchronous Finite State Machines. Integration, the VLSI Journal, 15(3):263-289, October 1993. Special issue on asynchronous systems.
[CM72] W. A. Clark and C. E. Molnar. The promise of macromodular computer systems. In Sixth IEEE Computer Conference, pages 309-312, September 1972.











A. J. Cohn. A Proof of Correctness of the VIPER Microprocessor: The First Level. In G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, pages 27-71, Norwell, Massachusetts, 1988. Kluwer. Proceedings from the Calgary workshop.
R. Comerford. How DEC Developed Alpha. IEEE Spectrum, pages 26-31, July 1992.
Rance Cleaveland and Bernhard Steffen. A Preorder for Partial Process Specifications. In J. C. M. Baeten and J. W. Klop, editors, Proceedings of ConCur '90, number 458 in LNCS, pages 141-151. Springer Verlag, 1990.
A. L. Davis. The Architecture of DDM1: A Recursively Structured Data-Driven Machine. Technical Report UUCS-77-113, University of Utah, Computer Science Dept, 1977.
A. L. Davis. Mayfly: A General-Purpose, Scalable, Parallel Processing Architecture. Lisp and Symbolic Computation, 5(1/2):7-47, May 1992.
Al Davis, Bill Coates, Robin Hodgson, Richard Schediwy, and Ken Stevens. Mayfly System Hardware. Technical Report HPL-SAL-89-23, Hewlett Packard Company, April 1989.
David L. Dill, Alan J. Hu, and Howard Wong-Toi. Checking for Language Inclusion Using Simulation Preorders. In K. G. Larsen and A. Skou, editors, Proceedings of CAV'91, number 575 in LNCS, pages 255-265, 1991.
David L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1989.
R. de Nicola and M. C. Hennessy. Testing Equivalence for Processes. Journal of Theoretical Computer Science, 34:83-133, 1983.
D. Dill, S. Nowick, and R. F. Sproull. Specification and Automatic Verification of Self-timed Queues. Formal Methods in Systems Design, 1(1):30-60, 1992.
[DS87] William J. Dally and Paul Song. Design of a Self-Timed VLSI Multicomputer Communication Controller. In Proceedings of the International Conference on Computer Design, pages 230-234. IEEE Computer Society Press, 1987.










Jo C. Ebergen. A Formal Approach to Designing Delay-Insensitive Circuits. Technical Report Computing Science Note 88/10, Eindhoven University of Technology, May 1988.
Jo C. Ebergen. A Formal Approach to Designing Delay-Insensitive Circuits. Distributed Computing, 3(5):447-450, 1991.
Jo Ebergen and Sylvain Gingras. A Verifier for Network Decompositions of Command-Based Specifications. In Proceedings of the 26th International Conference on System Sciences, Maui, Hawaii, January 1993. IEEE Computer Society Press.
J. C. Ebergen and A. M. G. Peeters. Modulo-N Counters: Design and Analysis of Delay-Insensitive Circuits. In J. Staunstrup and R. Sharp, editors, 2nd Workshop on Designing Correct Circuits, pages 27-46. Elsevier Science Publishers, June 1992.
S. B. Furber, P. Day, J. D. Garside, N. C. Paver, and J. V. Woods. A Micropipelined ARM. In Proceedings of VLSI '93, Grenoble, France, September 1993. Best paper award.
Jean-Claude Fernandez. An implementation of an efficient algorithm for bisimulation equivalence. Science of Computer Programming, 13:219-236, 1990.
Jean-Claude Fernandez and Laurent Mounier. "On the Fly" Verification of Behavioral Equivalences and Preorders. In K. G. Larsen and A. Skou, editors, Proceedings of CAV'91, number 575 in LNCS, pages 181-191, 1991.
G. Gopalakrishnan and V. Akella. Specification, Simulation, and Synthesis of Self-Timed Circuits. In Proceedings of the 26th Hawaii International Conference on System Sciences. IEEE Computer Society Press, January 1993.
George H. Barnes et al. The ILLIAC IV Computer. IEEE Transactions on Computers, C-17(8):746-757, August 1968.
[GM93] M. J. C. Gordon and T. F. Melham. Introduction to HOL: a theorem proving environment for higher order logic. Cambridge University Press, Cambridge, 1993.












Brian T. Graham. The SECD Microprocessor, A Verification Case Study. Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, 1992.
A. B. Hayes. Stored State Asynchronous Sequential Circuits. IEEE Transactions on Computers, C-30(8), August 1981.
A. B. Hayes. Self-Timed IC Design with PPL's. In R. E. Bryant, editor, Third Caltech Conference on Very Large Scale Integration, pages 257-274, Rockville, Maryland, 1983. Computer Science Press, Inc.
C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall International, London, 1985.
Lee Hollaar. Direct Implementation of Asynchronous Control Units. IEEE Transactions on Computers, C-31(2), February 1982.
David A. Huffman. The Design and Use of Hazard-free Switching Networks. Journal of the Association for Computing Machinery, 4(1):47-62, January 1957.
W. A. Hunt. FM8501, A Verified Microprocessor. PhD thesis, Institute for Computing Science, University of Texas, Austin, February 1986.
Mark B. Josephs and Jan Tijmen Udding. Delay-insensitive Circuits: An Algebraic Approach to their Design. In J. C. M. Baeten and J. W. Klop, editors, Proceedings of ConCur '90, number 458 in LNCS, pages 342-466. Springer Verlag, 1990.
P. Kermani and L. Kleinrock. Virtual Cut-Through: A New Computer Communication Switching Technique. Computer Networks, 3:267-286, 1979.
Glenn A. Kramer. Helios Design Consultant System. SIGART Newsletter, (92):92-93, April 1985.
Y. Liu, J. Aldwinckle, G. Birtwistle, and K. S. Stevens. Testing the Consequences of Specifications in Modal μ. In 1993 Canadian Conference on Electrical and Computer Engineering, number Vol II, pages 987-990, Vancouver, Canada, September 1993.
[Lar89] K. G. Larsen. Modal specifications. In J. Sifakis, editor, Automatic Verification Methods for Finite State Systems, number 407 in LNCS, pages 232-246. Springer-Verlag, 1989.











Y. Liu, G. Birtwistle, and N. Paver. Specification of the Manchester Amulet 1: Execution Pipeline. Computer Science Department Technical Report, University of Calgary, June 1994.
Ying Liu. Reasoning about Asynchronous Designs in CCS. Master's thesis, University of Calgary, 1992.
L. Lavagno, K. Keutzer, and A. Sangiovanni-Vincentelli. Synthesis of Verifiably Hazard-Free Asynchronous Control Circuits. Technical Report UCB/ERL M90/99, University of California at Berkeley, November 1990.
L. Lavagno, K. Keutzer, and A. Sangiovanni-Vincentelli. Synthesis of Verifiably Hazard-Free Asynchronous Control Circuits. In Carlo H. Sequin, editor, Proceedings of the 13th Conference on Advanced Research in VLSI, UC Santa Cruz, March 1991.
Alain J. Martin. The Design of a Delay-Insensitive Microprocessor: An Example of Circuit Synthesis by Program Transformation. In Hardware Specification, Verification and Synthesis: Mathematical Aspects, pages 244-259, 1989.
Alain J. Martin. The Limitations to Delay-Insensitivity in Asynchronous Circuits. In W. J. Dally, editor, Sixth MIT Conference on Advanced Research in VLSI, pages 263-278. MIT Press, 1990.
Alain J. Martin. Synthesis of Asynchronous VLSI Circuits. Technical report, California Institute of Technology, Department of Computer Science, Pasadena, CA 91125, August 1991.
A. J. Martin, S. M. Burns, T. K. Lee, D. Borkovic, and P. J. Hazewindus. The Design of an Asynchronous Microprocessor. In C. L. Seitz, editor, Decennial Caltech Conference on VLSI, pages 251-273. MIT Press, 1989.
C. Mead and L. Conway. Introduction to VLSI Systems, chapter "System Timing". Computer Science. Addison Wesley, 1980. This chapter written by Charles L. Seitz.
Edward J. McCluskey. Logic Design Principles with Emphasis on Testable Semicustom Circuits. Prentice Hall International Editions, 1986.
[MCS94] Alan Marshall, Bill Coates, and Polly Siegel. Designing an Asynchronous Communications Chip. IEEE Design & Test of Computers, 11(2):8-21, summer 1994.











T. F. Melham. Abstraction Mechanisms for Hardware Verification. In G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, pages 267-291, Norwell, Massachusetts, 1988. Kluwer.
C. E. Molnar, T. P. Fang, and F. U. Rosenberger. Synthesis of Delay-insensitive Modules. In H. Fuchs, editor, Chapel Hill Conference on VLSI, pages 67-86, Rockville, MD, 1985. Computer Science Press.
R. E. Miller. Switching Theory, volume 2. Wiley, New York, New York, 1965. Chapter 10 is a review of Muller's work on speed independent circuits.
G. J. Milne. Circal and the Representation of Communication and Concurrency. ACM Transactions on Programming Languages and Systems, 1985.
Robin Milner. Communication and Concurrency. Computer Science. Prentice Hall International, London, 1989.
Wenbo Mao and George J. Milne. An Automated Proof Technique for Finite-State Machine Equivalence. In K. G. Larsen and A. Skou, editors, Proceedings of CAV'91, number 575 in LNCS, pages 233-243, 1991.
G. A. McCaskill and G. J. Milne. Hardware description and verification using the Circal-System. Technical Report HDV-24-92, University of Strathclyde, Department of Computer Science, Glasgow, Scotland, June 1992.
Faron Moller. The Edinburgh Concurrency Workbench (Version 6.0). University of Edinburgh, August 1991.
Z. Manna and A. Pnueli. The Temporal Logic of Reactive Systems: specification. Springer-Verlag, New York, 1992.
F. Moller and C. Tofts. A Temporal Calculus of Communicating Systems. In J. C. M. Baeten and J. W. Klop, editors, Proceedings of ConCur '90, number 458 in LNCS, pages 401-415. Springer Verlag, 1990.
[ND89] Steven M. Nowick and David L. Dill. Practicality of State Machine Verification of Speed-Independent Circuits. In 1989 International Conference on Computer-Aided Design (ICCAD-89). IEEE Computer Society, 1989.










S. M. Nowick and D. L. Dill. Synthesis of Asynchronous State Machines Using a Local Clock. In 1991 IEEE International Conference on Computer Design: VLSI in Computers and Processors. IEEE Computer Society, 1991.
Steven M. Nowick and David L. Dill. Automatic Synthesis of Locally-Clocked Asynchronous State Machines. In IEEE International Conference on Computer-Aided Design (ICCAD-91). IEEE Computer Society, 1991.
Steven M. Nowick and David L. Dill. Exact Two-Level Minimization of Hazard-Free Logic with Multiple-Input Changes. In International Conference on Computer-Aided Design (ICCAD-92). IEEE Computer Society, 1992.
S. M. Nowick, M. E. Dean, D. L. Dill, and M. Horowitz. The Design of a High-Performance Cache Controller: A Case Study in Asynchronous Synthesis. Integration, the VLSI Journal, 15(3):241-262, October 1993. Special issue on asynchronous systems.
D. M. R. Park. Concurrency and Automata on Infinite Sequences. In Proceedings of 5th G. I. Conference on Theoretical Computer Science, number 104 in Lecture Notes in Computer Science, pages 167-183. Springer Verlag, 1981.
J. Parrow. Verifying a CSMA/CD-protocol with CCS. Technical Report ECS-LFCS-87-18, University of Edinburgh, 1987.
Nigel Charles Paver. Design and Implementation of an Asynchronous Microprocessor. PhD thesis, University of Manchester, 1994.
N. Paver, P. Day, S. B. Furber, J. D. Garside, and J. V. Woods. Register Locking in an Asynchronous Microprocessor. In IEEE International Conference on Computer Design (ICCD-92), pages 351-355, October 1992.
J. Peterson. Petri Net Theory and Modeling of Systems. Prentice Hall, 1981.
[PT87] Robert Paige and Robert Tarjan. Three partition refinement algorithms. SIAM Journal of Computation, 16(6):973-989, 1987.










J. E. Robertson. Problems in the Physical Realization of Speed Independent Circuits. In Proceedings of the 2nd AIEE Symposium on Switching Circuit Theory and Logical Design, pages 106-108, Detroit, MI, October 1961. Early treatment of the isochronous fork problem.
Steven M. Rubin. Computer Aids for VLSI Design. VLSI Systems. Addison-Wesley, 1987.
K. S. Stevens, J. Aldwinckle, G. Birtwistle, and Y. Liu. Designing Parallel Specifications in CCS. In 1993 Canadian Conference on Electrical and Computer Engineering, number Vol II, pages 983-986, Vancouver, Canada, September 1993.
K. S. Stevens, A. L. Davis, and W. S. Coates. The Post Office Experience: Designing a Large Asynchronous Chip. In Proceedings of the 26th Hawaii International Conference on System Sciences, pages 409-418, January 1993.
Polly Siegel, Giovanni De Micheli, and David Dill. Automatic Technology Mapping for Generalized Fundamental-Mode Asynchronous Designs. In 30th ACM/IEEE Design Automation Conference, pages 61-67, 1993.
Ivan E. Sutherland, Charles E. Molnar, Robert F. Sproull, and J. Craig Mudge. The TRIMOSBUS. In Charles L. Seitz, editor, Proceedings of the Caltech Conference on Very Large Scale Integration, pages 395-426, January 1979.
Kenneth S. Stevens, Shane V. Robison, and A. L. Davis. The Post Office - Communication Support for Distributed Ensemble Architectures. In Proceedings of 6th International Conference on Distributed Computing Systems, pages 160-166, May 1986. Best paper award.
Kenneth S. Stevens. "The Soft Controller". Master's thesis, University of Utah, October 1984.
Kenneth S. Stevens. The Communications Framework for a Distributed Ensemble Architecture. Technical Report 47, Schlumberger Palo Alto Research Center, 3340 Hillview Ave, Palo Alto, Ca. 94304, February 1986.
[Ste92] Kenneth S. Stevens. Automatic Synthesis of Fast, Compact Self-Timed State Machines. Technical Report 92/495/33, University of Calgary, Computer Science Department, December 1992.












Colin Stirling. An Introduction to Modal and Temporal Logics for CCS. In A. Yonezawa and T. Ito, editors, Concurrency: Theory, Language, and Architecture, number 491 in LNCS, pages 2-20. Springer-Verlag, 1991.
Colin Stirling. Modal and Temporal Logics for Processes. Tech Report ECS-LFCS-92-221, Laboratory for the Foundations of Computer Science, Computer Science, University of Edinburgh, 1992.
Ivan E. Sutherland. Micropipelines. Communications of the ACM, 32(6):720-738, June 1989. Turing Award Lecture.
The HOL System. Reference Manual. Technical report, Cambridge Research Center, SRI International under contract to DSTO Australia, Cambridge, England, 1989.
A. Tarski. A Lattice Theoretic Fixpoint Theorem and its applications. Pacific Journal of Mathematics, 5, 1955.
Y. Tamir and G. L. Frazier. Dynamically-Allocated Multi-Queue Buffers for VLSI Communication Switches. IEEE Transactions on Computers, 41(6):725-737, June 1992.
Jan Tijmen Udding. Classification and Composition of Delay-insensitive Circuits. PhD thesis, Technical University of Eindhoven, 1984.
S. H. Unger. Asynchronous Sequential Switching Circuits. Wiley-Interscience, New York, New York, 1969.
C. H. van Berkel. Beware the Isochronic Fork. Integration, the VLSI Journal, 13(2):103-128, 1992.
C. H. (Kees) van Berkel. Handshake Circuits: an Intermediary Between Communicating Processes and VLSI. PhD thesis, Technical University of Eindhoven, May 1992.
K. van Berkel, R. Burgess, J. Kessels, M. Roncken, F. Schalij, and A. Peeters. Asynchronous Circuits for Low Power: A DCC Error Corrector. IEEE Design & Test of Computers, 11(2):22-32, summer 1994.
[vBKR+91] Kees van Berkel, Joep Kessels, Marly Roncken, Ronald W. J. J. Saeijs, and Frits Schalij. The VLSI programming language Tangram and its translation into handshake circuits. In Proceedings of the European Design Automation Conference, pages 384-389, 1991.








R. J. van Glabbeek. The Linear Time - Branching Time Spectrum. Technical Report CS-R9029, Centre for Mathematics and Computer Science, P.O. Box 4079, 1009 AB Amsterdam, The Netherlands, 1990.
R. J. van Glabbeek. The Linear Time - Branching Time Spectrum (extended abstract). In J. C. M. Baeten and J. W. Klop, editors, Proceedings of ConCur '90, number 458 in LNCS, pages 279-297. Springer Verlag, 1990.
Hans van Gageldonk. The Asynchronous Move Machine: Verification using CCS. Master's thesis, University of Eindhoven, August 1994.
[vT93] John P. van Tassel. Femto-VHDL: The Semantics of a Subset of VHDL and its Embedding in the HOL Proof Assistant. PhD thesis, University of Cambridge, July 1993. Available as Technical Report 317.
N. Weste and K. Eshraghian. Principles of CMOS VLSI Design: A Systems Perspective. VLSI Systems. Addison-Wesley, Menlo Park, CA, 1985.
Liu Xinxin. Specification and Decomposition in Concurrency. PhD thesis, University of Aalborg, April 1992.
K. Y. Yun and D. L. Dill. Automatic Synthesis of 3D Asynchronous Finite-State Machines. In International Conference on Computer Aided Design, ICCAD-92, pages 576-580, Los Alamitos, Calif., November 1992. IEEE Computer Science Press.
