Correct Hardware Compilation with Verilog HDL
Gordon J. Pace
Chalmers University of Technology, Sweden
gpace@cs.chalmers.se
Abstract. Hardware description languages usually include features which do not have a direct hardware interpretation. Recently, synthesis algorithms allowing some of these features to be compiled into circuits have been developed and implemented. Using a formal semantics of Verilog based on Relational Duration Calculus, we give a number of algebraic laws which Verilog programs obey, using which we then prove the correctness of a hardware compilation procedure.
1 Introduction
Hardware description languages were originally designed to allow simulation of hardware components, enabling the engineer to compare an implementation with the specification in a relatively cheap way. To make this comparison even more efficient, HDLs began to allow procedural modules which described the behaviour in an imperative language style. Unfortunately, these modules were meant for comparing the output of the hardware description without there being a hardware interpretation mapping such modules to hardware. Recently, transformations have been implemented in synthesis tools, allowing certain types of behavioural modules to be automatically compiled into hardware.
In [Pac98,PH98] we have defined the semantics of Verilog HDL [Ope93,IEE95], a commercial HDL widely used in industry. One of the benefits of this formalisation was the verification of a compilation procedure from a subset of procedural Verilog code to a more hardware oriented subset of the language.
The semantics of Verilog have been specified in terms of Relational Duration Calculus, a temporal logic. They thus emphasise timing issues in the language. This is the main difference from other similar work, which tends to emphasise the event aspect of the language. Mainly for this reason, the compilation procedure is not based on any of the ones used by commercial synthesis tools but is rather similar to [HJ94,PL91,May90], except that the output is not a circuit, but another program in the same language.
2 The Semantics of Verilog
2.1 Modules
The semantics of Verilog are given in terms of Relational Duration Calculus [PH98]. A more complete presentation of these semantics can also be found in [Pac98]. We assume the reader to be familiar with Duration Calculus [ZHRR91].
We assume that each module P has a number of output wires out(P) to which no other module may write. Also, the assignments to the outputs of a module must take some time. All modules are allowed to read the output variables of other modules, but reading and writing to and from the same global wires at the same time is not permitted, to avoid non-determinism.
The assumption that module outputs are disjoint gives us the opportunity to define parallel composition (see footnote 1) as:
$$[\![P \parallel Q]\!] \stackrel{\mathrm{def}}{=} [\![P]\!] \wedge [\![Q]\!]$$
Continuous assignment: assign v=e forces v to the value of expression e:
$$[\![\texttt{assign } v = e]\!] \stackrel{\mathrm{def}}{=} \lceil v = e \rceil^{*}$$
where $\lceil P \rceil^{*} \stackrel{\mathrm{def}}{=} \lceil P \rceil \vee \lceil\,\rceil$ (the superscript marking this possibly-empty variant is not legible in this copy and is written $^{*}$ here). Mutually dependent continuous assignments are not allowed in the language subset for which we define the semantics.
Procedural behaviour: initial P behaves like the sequential program P:
$$[\![\texttt{initial } P]\!] \stackrel{\mathrm{def}}{=} [\![P]\!]_{out(P)}(Const(out(P)))$$
$[\![P]\!]_W(D)$ describes the behaviour of an individual program module P whose output wires are given in set W and which will, upon termination, behave as described by the duration formula D. Const(W) is defined as follows:
$$Const(W) \stackrel{\mathrm{def}}{=} \forall w \in W \bullet \exists b \bullet (\overleftarrow{w} = b) \wedge (\overrightarrow{w} = b) \wedge \lceil w = b \rceil^{*}$$
2.2 Imperative Programming Statements
Verilog statements can be split into two sets: imperative programming-like constructs, which take no simulation time, and timing control instructions, which are closer to hardware concepts and may take simulation time to execute. In the definitions below, $\overset{W}{\fatsemi}$ is the relational chop over the variables in W.
Skip:
$$[\![\texttt{skip}]\!]_W(D) \stackrel{\mathrm{def}}{=} D$$
Assignments:
$$[\![v = e]\!]_W(D) \stackrel{\mathrm{def}}{=} \left(\overrightarrow{v} = \overleftarrow{e} \wedge Const(W \setminus \{v\}) \wedge \lceil\,\rceil\right) \overset{W}{\fatsemi} D$$
Conditionals:
$$[\![\texttt{if } b \texttt{ then } P \texttt{ else } Q]\!]_W(D) \stackrel{\mathrm{def}}{=} [\![P]\!]_W(D) \lhd \overleftarrow{b} \rhd [\![Q]\!]_W(D)$$
Sequential composition:
$$[\![P;Q]\!]_W(D) \stackrel{\mathrm{def}}{=} [\![P]\!]_W([\![Q]\!]_W(D))$$
Loops:
$$[\![\texttt{while } b \texttt{ do } P]\!]_W(D) \stackrel{\mathrm{def}}{=} \mu X \bullet ([\![P]\!]_W(X) \lhd \overleftarrow{b} \rhd D)$$
Fork ... join:
$$[\![\texttt{fork } P; Q \texttt{ join}]\!]_W(D) \stackrel{\mathrm{def}}{=} \left([\![P]\!]_{W_P}(D) \wedge [\![Q]\!]_{W_Q}(Const(W_Q) \overset{W_Q}{\fatsemi} D)\right) \vee \left([\![Q]\!]_{W_Q}(D) \wedge [\![P]\!]_{W_P}(Const(W_P) \overset{W_P}{\fatsemi} D)\right)$$
where $W_P$ and $W_Q$ must be disjoint.
The semantics of do while loops, forever loops, case statements, etc. can be specified in terms of these constructs.
Footnote 1: Note that in Verilog, no symbol is used to denote the parallel composition of modules. We use this notation to make the semantics easier to read and follow.
2.3 Timing Control Instructions
Blocking Assignments. Assignments can be delayed by using guards, which block time until a certain condition is satisfied. The assignment v=guard e reads the value of expression e and assigns it to v as soon as the guard is lowered (the fresh variable used below is not legible in this copy and is written $x$ here):
$$[\![v = guard\ e]\!]_W(D) \stackrel{\mathrm{def}}{=} \exists x \bullet [\![x = e;\ guard;\ v = x]\!]_{W \cup \{x\}}(D)$$
The assignment guard v=e waits until the guard is lowered, reads the value of expression e and assigns it to v:
$$[\![guard\ v = e]\!]_W(D) \stackrel{\mathrm{def}}{=} [\![guard;\ v = e]\!]_W(D)$$
Guards. Guards control the flow of time by blocking further execution until they are lowered. Two types of guards are treated here: time delay guards and level triggered guards. Other types of guards can be described in a similar manner.
#n blocks the execution of a module by n time units:
$$[\![\#n]\!]_W(D) \stackrel{\mathrm{def}}{=} (\ell < n \wedge Const(W)) \vee \left((\ell = n \wedge Const(W)) \overset{W}{\fatsemi} D\right)$$
wait v blocks execution until v carries the value 1:
$$[\![\texttt{wait } v]\!]_W(D) \stackrel{\mathrm{def}}{=} (\lceil \neg v \rceil^{*} \wedge \neg\overrightarrow{v} \wedge Const(W)) \vee \left((\lceil \neg v \rceil^{*} \wedge \overrightarrow{v} \wedge Const(W)) \overset{W}{\fatsemi} D\right)$$
Spikes on communication variables are considered to be undesirable behaviour and are not captured by wait statements. A syntactic check suffices to ensure that no spikes will appear on a global variable in the system.
2.4 Non-blocking Assignments
The semantics of non-blocking assignment are defined by:
$$[\![v <= guard\ e]\!]_W(D) \stackrel{\mathrm{def}}{=} [\![v = guard\ e]\!]_{\{v\}}(Const(v)) \parallel_{\{v\}} D$$
Since both processes running in parallel can control the variable v, they are composed together using a merging parallel composition operator. Whenever a variable is assigned to by both processes, it non-deterministically takes one of the values it is assigned to (see footnote 2).
Footnote 2: Note that this is weaker than the simulation semantics of Verilog, which performs non-blocking assignments only once no enabled threads remain. Our method is too non-deterministic, and thus permits us to make only sound judgements with respect to the simulation semantics of Verilog.
It is also necessary to maintain an extra boolean state for every Verilog variable v, which holds in those time slots when variable v has just been assigned a value. The symbol used for this state is not legible in this copy; it is written $\alpha_v$ here.
$$[\![P \parallel_{\{v\}} Q]\!]_W(D) \stackrel{\mathrm{def}}{=} \exists v_P, v_Q, \alpha_{v_P}, \alpha_{v_Q} \bullet P[v_P, \alpha_{v_P} / v, \alpha_v] \wedge Q[v_Q, \alpha_{v_Q} / v, \alpha_v] \wedge Join(v_P, v_Q, v)$$
$$Join(v_1, v_2, v) \stackrel{\mathrm{def}}{=} \lceil \alpha_v = \alpha_{v_1} \vee \alpha_{v_2} \rceil^{*} \wedge \Box\left[\begin{array}{l} (\alpha_{v_1} \wedge \neg\alpha_{v_2} \Rightarrow v = v_1) \\ \wedge\ (\alpha_{v_2} \wedge \neg\alpha_{v_1} \Rightarrow v = v_2) \\ \wedge\ (\alpha_{v_1} \wedge \alpha_{v_2} \Rightarrow v = v_1 \vee v = v_2) \\ \wedge\ (\neg\alpha_{v_1} \wedge \neg\alpha_{v_2} \Rightarrow v = v \ominus 1) \end{array}\right]$$
where $(P \ominus n)(t) = P(t - n)$ (the shift operator's glyph is not legible in this copy and is written $\ominus$ here). Obviously, the state variables $\alpha_v$ need to be maintained by the model. This is done by adding the information that $\alpha_v$ is true immediately after assignments [Pac98].
2.5 Other Issues
To avoid unnecessarily long program descriptions, we will write while b do P as $b * P$, do P while b as $P * b$, if b then P else Q as $P \lhd b \rhd Q$ and fork P; Q join as $P \parallel Q$. Overriding the $\parallel$ symbol is justified by the following algebraic law:
$$\texttt{initial } P \parallel \texttt{initial } Q = \texttt{initial fork } P;\ Q \texttt{ join}$$
To avoid problems with programs such as while true do skip, we insist that bodies of loops must take time to terminate. A simple syntactic check is sufficient to ensure this. If dur(P) holds, we can prove that P must always take time to execute. dur(P) is defined as follows:
$$\begin{array}{ll}
dur(\texttt{wait } v) \stackrel{\mathrm{def}}{=} \mathit{false} & dur(\texttt{skip}) \stackrel{\mathrm{def}}{=} \mathit{false} \\
dur(v = e) \stackrel{\mathrm{def}}{=} \mathit{false} & dur(v <= g\ e) \stackrel{\mathrm{def}}{=} \mathit{false} \\
dur(v = g\ e) \stackrel{\mathrm{def}}{=} dur(g) & dur(g\ v = e) \stackrel{\mathrm{def}}{=} dur(g) \\
dur(\#0) \stackrel{\mathrm{def}}{=} \mathit{false} & dur(\#(n+1)) \stackrel{\mathrm{def}}{=} \mathit{true} \\
dur(b * P) \stackrel{\mathrm{def}}{=} \mathit{false} & dur(P * b) \stackrel{\mathrm{def}}{=} dur(P) \\
dur(P;Q) \stackrel{\mathrm{def}}{=} dur(P) \vee dur(Q) & dur(P \parallel Q) \stackrel{\mathrm{def}}{=} dur(P) \vee dur(Q) \\
dur(P \lhd b \rhd Q) \stackrel{\mathrm{def}}{=} dur(P) \wedge dur(Q) &
\end{array}$$
3 Algebraic Laws
3.1 Notation
The laws given in this section state an equality (or inequality) between pairs of programs. It is obviously important to state what we mean by $P \sqsubseteq Q$ (P is refined by Q). For P and Q to be comparable, they have to share the same alphabet. The other condition is that for any possible continuation, P can always exhibit (at least) all behaviours of Q. Equality then follows from this definition. Formally, this may be written as:
$$P \sqsubseteq Q \stackrel{\mathrm{def}}{=} [\![Q]\!]_V(D) \Rightarrow [\![P]\!]_V(D)$$
$$P = Q \stackrel{\mathrm{def}}{=} P \sqsubseteq Q \wedge Q \sqsubseteq P$$
where D can range over all valid relational duration formulae and V is the alphabet of P and Q.
3.2 Monotonicity
The first laws state that the programming constructs in Verilog are monotonic: if we selectively refine portions of the program, we are guaranteed a refinement of the whole program. If we have a program context C, then we can guarantee that
$$\text{if } P \sqsubseteq Q \text{ then } C(P) \sqsubseteq C(Q)$$
$$\text{if } P = Q \text{ then } C(P) = C(Q)$$
To guarantee monotonicity, programs may not use non-blocking assignments. This constraint is somewhat weakened later in the paper.
3.3 Parallel and Sequential Composition
Sequential composition is associative:
$$P; (Q; R) = (P; Q); R$$
Parallel composition is commutative and associative. Also, if dur(P) holds, then #1 is a unit of parallel composition:
$$P \parallel Q = Q \parallel P$$
$$P \parallel (Q \parallel R) = (P \parallel Q) \parallel R$$
$$P \parallel \#1 = P$$
In fact #1 distributes in and out of parallel composition:
$$\#1; P \parallel \#1; Q = \#1; (P \parallel Q)$$
3.4 Non-determinism and Assumptions
It will be found useful to introduce new Verilog constructs. These will feature in our proofs but will eventually be removed to reduce the program back to a standard Verilog program.
One useful construct is non-deterministic composition. The non-deterministic composition of two programs can behave as either of the two. More formally, we define it as:
$$[\![P \sqcap Q]\!]_W(D) \stackrel{\mathrm{def}}{=} [\![P]\!]_W(D) \vee [\![Q]\!]_W(D)$$
From this definition it immediately follows that non-determinism is commutative, associative, idempotent and monotonic.
Non-determinism also distributes over sequential composition:
$$P; (Q \sqcap R) = (P; Q) \sqcap (P; R)$$
$$(P \sqcap Q); R = (P; R) \sqcap (Q; R)$$
Another useful statement is the assumption. The statement assume b, expressed as $b^{\top}$, claims that expression b has to be true at that point in the program:
$$[\![b^{\top}]\!]_W(D) \stackrel{\mathrm{def}}{=} (\lceil\,\rceil \vee \lceil b \rceil; \mathit{true}) \wedge D$$
Conjunction of two conditions results in sequential composition of the conditions. Two corollaries of this are commutativity and idempotency of assumptions with respect to sequential composition:
$$(b \wedge c)^{\top} = b^{\top}; c^{\top}$$
$$b^{\top} = b^{\top}; b^{\top}$$
$$b^{\top}; c^{\top} = c^{\top}; b^{\top}$$
Disjunction of two conditions acts like non-determinism:
$$(b \vee c)^{\top}; P = (b^{\top}; P) \sqcap (c^{\top}; P)$$
Assumptions make a program more deterministic:
$$P \sqsubseteq b^{\top}; P$$
3.5 Conditional
Sequential, parallel and non-deterministic composition distribute out of conditionals:
$$(P \lhd b \rhd Q); R = (P; R) \lhd b \rhd (Q; R)$$
$$P \sqcap (Q \lhd b \rhd R) = (P \sqcap Q) \lhd b \rhd (P \sqcap R)$$
$$P \parallel (Q \lhd b \rhd R) = (P \parallel Q) \lhd b \rhd (P \parallel R)$$
Provided that the values of the variables in expression b are not changed immediately by programs P and Q, a conditional can be expressed in terms of non-determinism and assumptions:
$$P \lhd b \rhd Q = (b^{\top}; P) \sqcap (\neg b^{\top}; Q)$$
The precondition is satisfied if P has a prefix $P_1$ such that $dur(P_1)$ and the variables of b are not assigned in $P_1$. Similarly for Q.
3.6 Loops
The recursive nature of loops can be expressed quite succinctly in terms of algebraic laws:
Unique least fixed point: $Q = (P; Q) \lhd b \rhd \texttt{skip}$ if and only if $Q = b * P$.
As immediate corollaries of this law, we have:
$$(b * P) \lhd b \rhd \texttt{skip} = b * P$$
$$Q = P; Q \text{ if and only if } Q = \texttt{forever } P$$
$$Q = P; (Q \lhd b \rhd \texttt{skip}) \text{ if and only if } Q = P * b$$
The first law can be strengthened to:
$Q = (P; Q) \lhd b \rhd R$ if and only if $Q = (b * P); R$.
The following law allows us to move part of a loop body outside:
If $Q; P; Q = Q; Q$ then $(P; Q) * b = P; (Q * b)$.
3.7 Continuous Assignments
For convenient presentation of certain properties, we will allow programs of the form P; assign v=e. This will act like:
$$[\![P]\!]_W([\![\texttt{assign } v = e]\!] \wedge Const(W \setminus \{v\}))$$
Similarly, P; (assign v=e $\parallel$ Q) acts like:
$$[\![P]\!]_W([\![\texttt{assign } v = e \parallel \texttt{initial } Q]\!])$$
3.8 Communication
The use of synchronisation signals can greatly increase the readability of code. These `channels' can be implemented as global variables which normally carry a value of zero, but briefly go up to one when a signal is sent over them. `Wait for signal s', s?, is thus easily implemented as:
$$s? \stackrel{\mathrm{def}}{=} \texttt{wait } s$$
To send a signal, without blocking the rest of the program for any measurable simulation time but leaving the signal on for a non-zero time measure, the non-blocking assignment statement can be rather handy (the delay constant's glyph is not legible in this copy and is written $\epsilon$ here):
$$s! \stackrel{\mathrm{def}}{=} s = 1;\ s <= \#\epsilon\ 0$$
What value of $\epsilon$ is to be used? Obviously, $\epsilon$ has to be larger than zero. However, taking a value of 1 or larger leads to a conflict in the program: $s!;\ \#\epsilon;\ s!$
The solution is to use a value of 0.5 for $\epsilon$. This does not invalidate previous reasoning based on discrete time. Effectively, what we have done is to reduce the size of the smallest time step to a level which normal Verilog programs will not have direct access to.
If non-blocking assignments are only used for signals, and signals are accessed only using s! and f(s)?, we can guarantee the monotonicity of any program context despite the presence of non-blocking assignments.
3.9 Algebraic Laws for Communication
Signal Output. We will say that $s! \in P$ if command s! occurs somewhere in program P. Similarly, $s! \notin P$ means that s! does not occur anywhere in program P. In both cases, we assume that s is a signal in the output alphabet of P.
Signals start off as false, provided that they are not initially written to. Also, between any two time consuming programs which do not output on the signal, the signal is false. If dur(P), dur(Q) and $s! \notin P$, $s! \notin Q$:
$$\texttt{initial } P; R = \texttt{initial } \neg s^{\top}; P; R$$
$$P; Q = P; \neg s^{\top}; Q$$
s! sets signal s to true:
$$s! = s!; s^{\top}$$
Output on a signal can be moved out of parallel composition:
$$(s!; P) \parallel Q = s!; (P \parallel Q)$$
Signalling and assumptions commute:
$$s!; b^{\top} = b^{\top}; s!$$
Wait on Signal. Waiting stops once the condition is satisfied:
$$(s^{\top}; P) \parallel (s?; Q) = (s^{\top}; P) \parallel Q$$
Execution continues in parallel components until the condition is satisfied. If no signal is sent during the initial part of the program, we can afford an extra time unit. Provided that $s! \notin P$:
$$(\neg s^{\top}; P; Q) \parallel (s?; R) = \neg s^{\top}; P; (Q \parallel s?; R)$$
$$(\neg s^{\top}; P; Q) \parallel (\#1; s?; R) = \neg s^{\top}; P; (Q \parallel s?; R) \quad \text{provided that } dur(P)$$
Furthermore, if P is the process controlling a signal s, and s starts off with a value 0, the value of f(s) will remain that of f(0) until P takes over. If $s \in out(P)$:
$$(s = 0)^{\top}; f(s)?; P = (s = 0)^{\top}; f(0)?; P$$
Continuous Assignment Signals. It will be found useful to write to some signals using continuous assignments. The laws given to handle signal reading and writing no longer apply directly to these signals and hence need modification. The following laws thus allow algebraic reasoning about a signal s written to by a continuous assignment of the form:
$$\texttt{assign } s = f(s_1, \ldots, s_n)$$
where all variables $s_1$ to $s_n$ are signals. For s to behave like a normal signal (normally zero except for half unit long phases with value one), $f(0, 0, \ldots, 0)$ has to take value 0. These laws allow us to transform a signal assigned to by a continuous assignment to one controlled by a sequential program (or vice-versa):
If $b \Rightarrow f(s)$ then:
$$\texttt{assign } s = f(s) \parallel b^{\top}; P = b^{\top}; s!; (\texttt{assign } s = f(s) \parallel P)$$
If $b \Rightarrow \neg f(s)$ and for all i, $s_i \notin P$ then:
$$\texttt{assign } s = f(s) \parallel b^{\top}; P; Q = b^{\top}; P; (\texttt{assign } s = f(s) \parallel Q)$$
Furthermore, instances of a signal controlled by a continuous assignment can be removed using the following law:
$$\texttt{assign } s = f(s) \parallel P(s?) = \texttt{assign } s = f(s) \parallel P(f(s)?)$$
3.10 Signals and Merge
Signals now allow us to transform a process to use a different set of variables. The trick used is to define a merging process which merges the assignments on a number of variables to a new variable.
The first thing to do is to make sure that we know whenever a variable has been assigned to. The technique we use is simply to send a signal on $\alpha_v$ (our name for the assigned-flag of v, whose glyph is not legible in this copy) to make it known that v has just been assigned a value. Note that we will only allow this procedure to be used on global variables, which guarantees that no more than one assignment on a particular variable can take place at the same time.
We thus replace all assignments v=g e by $(v = g\ e;\ \alpha_v!)$ and similarly g v=e by $(g\ v = e;\ \alpha_v!)$.
The program Merge will collapse the variables $v_1$ and $v_2$ into a single variable v, provided that they are never assigned to at the same time ($\bar{v}$ denotes the half-unit delayed copy of v; the accent used in the original is not legible in this copy):
$$\mathit{Merge} \stackrel{\mathrm{def}}{=} \texttt{assign } \alpha_v = \alpha_{v_1} \vee \alpha_{v_2} \parallel \texttt{assign } v = (v_1 \lhd \alpha_{v_1} \rhd v_2) \lhd \alpha_v \rhd \bar{v} \parallel \texttt{assign } \bar{v} = \#0.5\ v$$
The following laws relate Merge with parallel composition and conditional:
$$P; Q \sqsubseteq (P[v_1/v]; Q[v_2/v]) \parallel \mathit{Merge}$$
$$P \lhd b \rhd Q \sqsubseteq (P[v_1/v] \lhd b \rhd Q[v_2/v]) \parallel \mathit{Merge}$$
Note that these laws can be strengthened to equalities if we hide the extra variables appearing on the right hand side.
4 Triggered Imperative Programs
We will not be compiling just any program, but only ones which are triggered by a start signal and upon termination issue a finish signal. The environment is assumed not to interfere with the program by issuing a further start signal before the program has terminated.
Triggered programs can be constructed from general imperative programs (the constructor's glyph is not legible in this copy and is written $\Phi$ here):
$$\Phi^{f}_{s}(P) \stackrel{\mathrm{def}}{=} \texttt{forever } (s?;\ P;\ f!)$$
At the topmost level, these programs also ensure that the termination signal is initialised to zero:
$$i\Phi^{f}_{s}(P) \stackrel{\mathrm{def}}{=} \texttt{initial } f = 0;\ \Phi^{f}_{s}(P)$$
The environment constraint for two signals s and f may now be easily expressed (the environment's glyph is likewise not legible and is written $\mathit{Env}$ here):
$$\mathit{Env}^{f}_{s} \sqsupseteq \texttt{forever } (s!;\ \#1;\ f?;\ \delta_0)$$
where $\delta_0$ (written $\delta$ here, its glyph not being legible in this copy) is a statement which, once triggered, waits for an arbitrary length of time (possibly zero or infinite) before allowing execution to resume.
$$[\![\delta_0]\!]_W(D) \stackrel{\mathrm{def}}{=} Const(W) \vee Const(W) \overset{W}{\fatsemi} D$$
The unit delay ensures that if a start signal is sent immediately upon receiving a finish signal, we do not interpret the old finish signal as another finish signal. Now, we ensure that if we start off with a non-zero delay, the start signal is initially off:
$$i\mathit{Env}^{f}_{s} \sqsupseteq ((\neg s^{\top};\ \delta) \sqcap \texttt{skip});\ \mathit{Env}^{f}_{s}$$
$\delta$ is a statement almost identical to $\delta_0$ but which, once triggered, waits for a non-zero arbitrary length of time (possibly infinite) before allowing execution to resume.
$$[\![\delta]\!]_W(D) \stackrel{\mathrm{def}}{=} Const(W) \vee (\ell > 0 \wedge Const(W)) \overset{W}{\fatsemi} D$$
$\delta$ obeys a number of laws which we will find useful later:
$$\delta_0 = \texttt{skip} \sqcap \delta$$
$$\text{If } dur(P) \text{ then } \delta \sqsubseteq P$$
If s is a signal then its behaviour is a refinement of:
$$(\texttt{skip} \sqcap \neg s^{\top}; \delta);\ \texttt{forever } s!; \delta$$
The results which follow usually state a refinement which holds if a particular environment condition holds. Hence, these are of the form:
$$\text{environment condition} \Rightarrow (P \Rightarrow Q)$$
To avoid confusion with nested implications, we define the conditional refinement $i\mathit{Env}^{f}_{s} \vdash P \sqsubseteq Q$ as follows:
$$i\mathit{Env}^{f}_{s} \vdash P \sqsubseteq Q \stackrel{\mathrm{def}}{=}\ \vdash i\mathit{Env}^{f}_{s} \Rightarrow (Q \Rightarrow P)$$
$$i\mathit{Env}^{f}_{s} \vdash P = Q \stackrel{\mathrm{def}}{=} (i\mathit{Env}^{f}_{s} \vdash P \sqsubseteq Q) \wedge (i\mathit{Env}^{f}_{s} \vdash Q \sqsubseteq P)$$
The following proofs assume that all programs (and sub-programs) satisfy dur(P) (hence programs take time to execute). We also add the constraint that programs do not read or write as soon as they are executed (P = Q; R such that Q does not read or write data). Note that if all primitive programs we use satisfy these conditions, so do programs constructed using sequential composition, conditionals, fork join and do while loops.
5 Hardware Compilation
5.1 Basic Results
We start by establishing ways of decomposing our programs into a number of smaller ones running in parallel. The proofs of the following three theorems can be found in the appendix.
Theorem 1.1: Sequential composition can be thus decomposed:
$$i\mathit{Env}^{f}_{s} \vdash i\Phi^{f}_{s}(P; Q) \sqsubseteq i\Phi^{m}_{s}(P') \parallel i\Phi^{f}_{m}(Q') \parallel \mathit{Merge}$$
where for any program P, we will use $P'$ to represent $P[v_P/v]$. Merge has been defined in section 3.10.
Theorem 1.2: Conditional statements can be thus decomposed:
$$\mathit{Env}^{f}_{s} \vdash \Phi^{f}_{s}(P \lhd b \rhd Q) \sqsubseteq \Phi^{f_P}_{s_P}(P') \parallel \Phi^{f_Q}_{s_Q}(Q') \parallel \mathit{Merge} \parallel \mathit{Interface}$$
where
$$\mathit{Interface} = \texttt{assign } s_P = s \wedge b \parallel \texttt{assign } s_Q = s \wedge \neg b \parallel \texttt{assign } f = f_P \vee f_Q$$
Theorem 1.3: Loops can be decomposed into their constituent parts.
$$\mathit{Env}^{f}_{s} \vdash \Phi^{f}_{s}(P * b) \sqsubseteq \Phi^{f_P}_{s_P}(P) \parallel \mathit{Interface}$$
where
$$\mathit{Interface} = \texttt{assign } s_P = s \vee (f_P \wedge b) \parallel \texttt{assign } f = f_P \wedge \neg b$$
5.2 Compilation
Using these refinements, we can now define a compilation process (the compilation operator's glyph is not legible in this copy and is written $\Psi$ here; $\mathit{Interface}_C$ and $\mathit{Interface}_L$ are the interfaces of Theorems 1.2 and 1.3):
$$\Psi^{f}_{s}(P; Q) \stackrel{\mathrm{def}}{=} \Psi^{m}_{s}(P') \parallel \Psi^{f}_{m}(Q') \parallel \mathit{Merge}$$
$$\Psi^{f}_{s}(P \lhd b \rhd Q) \stackrel{\mathrm{def}}{=} \Psi^{f_P}_{s_P}(P') \parallel \Psi^{f_Q}_{s_Q}(Q') \parallel \mathit{Merge} \parallel \mathit{Interface}_C$$
$$\Psi^{f}_{s}(P * b) \stackrel{\mathrm{def}}{=} \Psi^{f_P}_{s_P}(P) \parallel \mathit{Interface}_L$$
$$\Psi^{f}_{s}(P) \stackrel{\mathrm{def}}{=} \Phi^{f}_{s}(P) \quad \text{otherwise}$$
We know that the individual steps of the compilation process are correct. However, it is not yet clear whether the topmost environment condition is sufficient to show that the compiled program is a refinement of the topmost program.
In fact, we prove that a stronger invariant holds throughout the compilation process. This invariant is that for any start signal s and related finish signal f:
$$\int f \geq \int s - 1 \quad \text{and} \quad \int f \leq \int s \leq \int f + 0.5$$
We start by establishing that this invariant is sufficient to guarantee the environment condition (lemma 2.1). Furthermore, $i\mathit{Env}^{f}_{s}$ and $i\Phi^{f}_{s}(P)$ guarantee the invariant (lemmata 2.2, 2.3).
Lemma 2.1: Provided that s and f are signals, if $\int f \geq \int s - 1$ and $\int f \leq \int s \leq \int f + 0.5$ are valid duration formulae, then so is $i\mathit{Env}^{f}_{s}$.
Proof: The proof is given in the appendix.
Lemma 2.2: $i\mathit{Env}^{f}_{s} \Rightarrow \int s \leq \int f + 0.5$.
Proof: The proof is given in the appendix.
Lemma 2.3: Provided that dur(P):
$$i\Phi^{f}_{s}(P) \Rightarrow \int f \leq \int s \wedge \int f \geq \int s - 1$$
Proof: The proof is given in the appendix.
Using these results, we can now show that the invariant is guaranteed by the compilation process.
Lemma 2.4: The environment conditions follow along the compilation process:
$$\Psi^{f}_{s}(P) \Rightarrow \int f \leq \int s$$
Proof: The proof can be found in the appendix.
Lemma 2.5: $\Psi^{f}_{s}(P) \Rightarrow \int f \geq \int s - 1$
Proof: The proof follows almost identically to that of lemma 2.4 (see appendix).
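The invariant above is a Duration Calculus formula, so it must hold on every prefix interval [0, t], not only at the end of a run. The following Python script is an added example, not code from the paper: it samples a start signal s and a finish signal f in half-unit slots (the smallest time step of section 3.8) and reports the first prefix on which the invariant fails. The traces are constructed for the example; the slot encoding and the function names are assumptions of this example.

```python
# Added example (not the paper's code): check the Section 5.2 invariant
#   ∫f ≥ ∫s − 1   and   ∫f ≤ ∫s ≤ ∫f + 0.5
# on a sampled trace of the start signal s and finish signal f.
# A Duration Calculus formula is valid only if it holds on every prefix
# interval [0, t], so the check walks over every prefix of the trace.
# Sampling uses the half unit of Section 3.8; the traces are constructed.
from typing import List, Optional, Tuple

STEP = 0.5                       # length of one sample slot, in time units
Trace = List[Tuple[int, int]]    # one (s, f) pair per slot, each 0 or 1


def prefix_integrals(trace: Trace, k: int) -> Tuple[float, float]:
    """(∫s, ∫f) over the prefix interval [0, k*STEP]: the total time for
    which each signal holds, i.e. STEP times the number of slots at 1."""
    s_int = STEP * sum(s for s, _ in trace[:k])
    f_int = STEP * sum(f for _, f in trace[:k])
    return s_int, f_int


def invariant_holds(s_int: float, f_int: float) -> bool:
    """The two inequalities of Section 5.2 for one interval."""
    return f_int >= s_int - 1 and f_int <= s_int <= f_int + 0.5


def first_violation(trace: Trace) -> Optional[float]:
    """End time of the first prefix on which the invariant fails, or None
    when it holds on every prefix (the formula is valid for the trace)."""
    for k in range(1, len(trace) + 1):
        if not invariant_holds(*prefix_integrals(trace, k)):
            return k * STEP
    return None


# Constructed trace of one run of the compiled #1 (Section 5.4) under the
# environment of Section 4: s pulses at t=0, f pulses one unit later, and
# the environment restarts s as soon as it sees f.
GOOD: Trace = [(1, 0), (0, 0), (1, 1), (0, 0), (0, 1), (0, 0)]
# Constructed violation: a second start before any finish (∫s=1, ∫f=0).
EARLY_RESTART: Trace = [(1, 0), (0, 0), (1, 0)]
# Constructed violation: a finish pulse with no start at all (∫f > ∫s).
SPURIOUS_FINISH: Trace = [(0, 1)]

if __name__ == "__main__":
    for name, tr in [("GOOD", GOOD), ("EARLY_RESTART", EARLY_RESTART),
                     ("SPURIOUS_FINISH", SPURIOUS_FINISH)]:
        print(f"{name}: first violation at t = {first_violation(tr)}")
```

On the constructed good trace every prefix satisfies both inequalities; the early restart is caught at t = 1.5, where the second start pulse pushes ∫s to 1 while ∫f is still 0, and the spurious finish is caught on the very first slot, where ∫f exceeds ∫s.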
5.3 Compiler Correctness
Theorem 2: If s is a signal, then:
$$\int s \leq \int f + 0.5 \vdash \Phi^{f}_{s}(P) \sqsubseteq \Psi^{f}_{s}(P)$$
Proof: Assume that $\int s \leq \int f + 0.5$.
$\Psi^{f}_{s}(P)$ guarantees that $\int f \leq \int s$ (lemma 2.4) and that $\int f \geq \int s - 1$ (lemma 2.5).
Hence, by lemma 2.1, we know that $i\mathit{Env}^{f}_{s}$.
The proof now follows by induction on the structure of the program P.
In the base case, when P is a simple program, $\Psi^{f}_{s}(P)$ is just $\Phi^{f}_{s}(P)$, and hence trivially guarantees correctness.
For the inductive case we consider the different possibilities:
Sequential composition: We need to prove that $\int s \leq \int f + 0.5 \vdash \Phi^{f}_{s}(Q; R) \sqsubseteq \Psi^{f}_{s}(Q; R)$.
But, by definition of $\Psi$, and the further application of lemma 2.4:
$$\Psi^{m}_{s}(Q') \parallel \Psi^{f}_{m}(R') \wedge \int m \leq \int s \wedge \int f \leq \int m$$
Hence, combining the above inequalities with the previous ones:
$$\int m \leq \int f + 0.5 \wedge \int s \leq \int m + 0.5$$
By the inductive hypothesis, we thus conclude that:
$$\Phi^{m}_{s}(Q') \parallel \Phi^{f}_{m}(R')$$
But we also know that $i\mathit{Env}^{f}_{s}$. Thus we can apply theorem 1.1 to conclude that $\Phi^{f}_{s}(Q; R)$.
Therefore, $\int s \leq \int f + 0.5 \vdash \Phi^{f}_{s}(Q; R) \sqsubseteq \Psi^{f}_{s}(Q; R)$.
Conditional: We need to prove that:
$$\int s \leq \int f + 0.5 \vdash \Phi^{f}_{s}(Q \lhd b \rhd R) \sqsubseteq \Psi^{f}_{s}(Q \lhd b \rhd R)$$
As before, we know that $\int f \leq \int s \leq \int f + 0.5$.
Also, by definition of $\Psi$ and lemma 2.4:
$$\Psi^{f_Q}_{s_Q}(Q) \parallel \Psi^{f_R}_{s_R}(R) \parallel \mathit{Interface}_C$$
$$\int f_Q \leq \int s_Q \qquad \int f_R \leq \int s_R$$
Using simple duration calculus arguments on the interface part, we can conclude that:
$$\int s = \int s_Q + \int s_R$$
$$\int f = \int f_Q + \int f_R - \int (f_Q \wedge f_R)$$
Hence:
$$\int s \leq \int f + 0.5$$
$$\Rightarrow \int s_Q + \int s_R \leq \int f_Q + \int f_R + 0.5 - \int (f_Q \wedge f_R)$$
$$\Rightarrow \int s_Q \leq \int f_Q + 0.5 - \left(\int s_R - \int f_R\right) - \int (f_Q \wedge f_R)$$
$$\Rightarrow \int s_Q \leq \int f_Q + 0.5$$
The last step is justified since $\int s_R \geq \int f_R$.
The same argument can be used to show that $\int s_R \leq \int f_R + 0.5$. Hence, we can use the inductive hypothesis to conclude that:
$$\Phi^{f_Q}_{s_Q}(Q) \parallel \Phi^{f_R}_{s_R}(R) \parallel \mathit{Interface}_C$$
But, since $i\mathit{Env}^{f}_{s}$ holds, we can use theorem 1.2 to conclude that:
$$\int s \leq \int f + 0.5 \vdash \Phi^{f}_{s}(Q \lhd b \rhd R) \sqsubseteq \Psi^{f}_{s}(Q \lhd b \rhd R).$$
Loops: Finally, we need to prove that $\int s \leq \int f + 0.5 \vdash \Phi^{f}_{s}(Q * b) \sqsubseteq \Psi^{f}_{s}(Q * b)$.
The argument is almost identical to the one given for the conditional statement, except that the equality we need to derive from the interface so as to enable us to complete the proof is that:
$$\int s_P = \int s + \int f_P - \int f - \int (s \wedge f_P \wedge b)$$
Hence, by induction, we can conclude that $\int s \leq \int f + 0.5 \vdash \Phi^{f}_{s}(P) \sqsubseteq \Psi^{f}_{s}(P)$. $\Box$
Corollary: $i\mathit{Env}^{f}_{s} \vdash i\Phi^{f}_{s}(P) \sqsubseteq \Psi^{f}_{s}(P)$.
Proof: Follows immediately from lemma 2.2 and theorem 2. $\Box$
5.4 Basic Instructions
Implementation of a number of basic instructions in terms of continuous assignments can also be easily done. Consider, for example ($\bar{v}$ is the half-unit delayed copy of v, as in section 3.10):
$$\Psi^{f}_{s}(\#1) \stackrel{\mathrm{def}}{=} \texttt{assign } f = \#0.5\ m \parallel \texttt{assign } m = \#0.5\ s$$
$$\Psi^{f}_{s}(\#1\ v = e) \stackrel{\mathrm{def}}{=} \Psi^{f}_{s}(\#1) \parallel \texttt{assign } \bar{v} = \#0.5\ v \parallel \texttt{assign } v = e \lhd f \rhd \bar{v}$$
For a definition $\Psi^{f}_{s}(P) \stackrel{\mathrm{def}}{=} Q$, it is enough to verify that $i\mathit{Env}^{f}_{s} \vdash \Phi^{f}_{s}(P) \sqsubseteq Q$. The result of the corollary can then be extended to cater for these compilation rules. Hence, these laws can be verified, allowing a total compilation of a program written in terms of these instructions and the given constructs into continuous assignments.
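To make the compilation rules of sections 5.2 and 5.4, together with the syntactic check dur(P) of section 2.5, concrete, the following Python program is an added example (not code from the paper): it encodes the compiled Verilog subset as a small AST, implements dur as the recursive check the definition gives, and implements the compilation operator as a source-to-source translator whose output is a list of Verilog continuous assignments built from the rules for #1 and #1 v = e, Merge, and the two interfaces. The AST encoding, the wire-naming scheme (a_<v> for the assigned-flag of v, <v>_prev for its half-unit delayed copy, fresh m_, s_, f_ names for internal signals) and the function names are assumptions of this example; so is taking the finish pulse f as the assigned-flag of a timed assignment, which the paper's rule for #1 v = e does not show. Reads of a merged variable are left on the merged wire rather than renamed, a choice of this example. The example goes slightly beyond the page in one respect: it refuses to compile any sub-program that does not satisfy dur, which is the precondition section 4 places on all compiled programs.

```python
# Added example, not the paper's own code: dur(P) from Section 2.5 and the
# compilation operator of Sections 5.2 and 5.4 as a translator from a small
# Verilog-subset AST (an encoding assumed here) to Verilog 'assign' lines.
# Naming assumptions: a_<v> is the "v has just been assigned" flag wire,
# <v>_prev its half-unit delayed copy, m_/s_/f_ are fresh internal signals,
# and a timed assignment's flag is taken to be its finish pulse f.
from dataclasses import dataclass
from itertools import count
from typing import List, Optional, Set

@dataclass(frozen=True)
class Delay:            # '#n' alone, or the timed assignment '#n v = e'
    n: int
    v: Optional[str] = None
    e: Optional[str] = None

@dataclass(frozen=True)
class Assign:           # immediate 'v = e', takes no simulation time
    v: str
    e: str

@dataclass(frozen=True)
class Seq:              # P ; Q
    p: object
    q: object

@dataclass(frozen=True)
class Cond:             # if b then P else Q   (P <| b |> Q)
    b: str
    p: object
    q: object

@dataclass(frozen=True)
class DoWhile:          # do P while b          (P * b)
    p: object
    b: str

def dur(x) -> bool:
    """Section 2.5: does P syntactically have to take simulation time?"""
    if isinstance(x, Delay):   return x.n >= 1   # dur(#0)=false, dur(#(n+1))=true
    if isinstance(x, Assign):  return False
    if isinstance(x, Seq):     return dur(x.p) or dur(x.q)
    if isinstance(x, Cond):    return dur(x.p) and dur(x.q)
    if isinstance(x, DoWhile): return dur(x.p)
    raise TypeError(f"unsupported statement {x!r}")

def assigned(x) -> Set[str]:
    """Data variables written somewhere in x."""
    if isinstance(x, Delay):   return {x.v} if x.v else set()
    if isinstance(x, Assign):  return {x.v}
    if isinstance(x, DoWhile): return assigned(x.p)
    return assigned(x.p) | assigned(x.q)          # Seq and Cond

def merge(v: str, v1: str, v2: str) -> List[str]:
    """Merge of Section 3.10: collapse v1 and v2 (never assigned at the same
    time) into v, holding the old value through the half-unit delayed copy."""
    return [f"assign a_{v} = a_{v1} | a_{v2};",
            f"assign {v} = a_{v} ? (a_{v1} ? {v1} : {v2}) : {v}_prev;",
            f"assign {v}_prev = #0.5 {v};"]

class Compiler:
    def __init__(self):
        self._ids = count(1)

    def fresh(self, base: str) -> str:
        return f"{base}_{next(self._ids)}"

    def compile_prog(self, x, s: str, f: str, ren=None) -> List[str]:
        """Compile x, triggered by start wire s and finishing on wire f.
        `ren` renames the variables x writes (the P[v_P/v] substitution)."""
        ren = ren or {}
        if not dur(x):   # Section 4: every compiled (sub)program must take time
            raise ValueError(f"{x!r} need not take time; cannot be compiled")
        if isinstance(x, Delay) and x.n == 1:                     # Section 5.4
            m = self.fresh("m")
            out = [f"assign {m} = #0.5 {s};", f"assign {f} = #0.5 {m};"]
            if x.v:
                v = ren.get(x.v, x.v)
                out += [f"assign {v}_prev = #0.5 {v};",
                        f"assign {v} = {f} ? ({x.e}) : {v}_prev;",
                        f"assign a_{v} = {f};"]
            return out
        if isinstance(x, Seq):                                     # Theorem 1.1
            m = self.fresh("m")
            return self._split(x.p, x.q, s, m, m, f, ren, [])
        if isinstance(x, Cond):                                    # Theorem 1.2
            sp, fp, sq, fq = (self.fresh(b) for b in ("s", "f", "s", "f"))
            iface = [f"assign {sp} = {s} & ({x.b});",
                     f"assign {sq} = {s} & ~({x.b});",
                     f"assign {f} = {fp} | {fq};"]
            return self._split(x.p, x.q, sp, fp, sq, fq, ren, iface)
        if isinstance(x, DoWhile):                                 # Theorem 1.3
            sp, fp = self.fresh("s"), self.fresh("f")
            iface = [f"assign {sp} = {s} | ({fp} & ({x.b}));",
                     f"assign {f} = {fp} & ~({x.b});"]
            return self.compile_prog(x.p, sp, fp, ren) + iface
        raise ValueError(f"no compilation rule for {x!r}")

    def _split(self, p, q, sp, fp, sq, fq, ren, iface):
        """Compile two components; a variable written by both gets two renamed
        copies which Merge collapses back into the original wire."""
        shared = assigned(p) & assigned(q)
        rp = {**ren, **{v: self.fresh(ren.get(v, v)) for v in shared}}
        rq = {**ren, **{v: self.fresh(ren.get(v, v)) for v in shared}}
        merged = [l for v in shared for l in merge(ren.get(v, v), rp[v], rq[v])]
        return (self.compile_prog(p, sp, fp, rp)
                + self.compile_prog(q, sq, fq, rq) + merged + iface)

def compile_to_verilog(prog, s: str = "start", f: str = "done") -> List[str]:
    """Entry point: the compiled form of prog with start wire s, finish wire f."""
    return Compiler().compile_prog(prog, s, f)

if __name__ == "__main__":
    # Constructed program: #1 x = y + 1 ; #1 x = x - 1  (both halves write x)
    prog = Seq(Delay(1, "x", "y + 1"), Delay(1, "x", "x - 1"))
    print("\n".join(compile_to_verilog(prog)))
```

For the constructed sequence the output is the two #1 v = e blocks chained through a fresh m wire, followed by the three Merge lines that reunite the two renamed copies of x; a do-while body gets its start wire re-armed by its own finish pulse while the loop condition holds, exactly as the loop interface of Theorem 1.3 states. A program containing an immediate assignment as a sub-program is rejected, since its dur is false.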
5.5 Single Runs
Finally, what if we are interested in running a compiled program just once? It is easy to see that the $i\mathit{Env}^{f}_{s}$ inequality is satisfied by initial s!. Also, we can prove that:
$$\texttt{initial } s! \parallel \Phi^{f}_{s}(P) = \texttt{initial } s!;\ P;\ f!$$
Hence, for a single run of the program, we simply add an environment satisfying the desired property: initial s!.
6 Comparisons and Conclusions
Most published Verilog and VHDL formal semantics are operational in style, mainly because this complements the event based nature of their simulation cycle, which is used to informally define the semantics of the language in official documentation. [KB95,Bor95] give a rather comprehensive (if dated) overview of the work done in formalising VHDL semantics. The need for the formalisation of Verilog semantics was advocated in [Gor95], since when a number of semantics have been published [GG98,SX98,Sas99,FLS99].
This paper applies to Verilog a number of techniques already established in the hardware compilation community [KW88,May90], giving us a number of compilation rules which translate a sequential program into a parallel one. Most of the proof steps involve a number of applications of the laws of Verilog, and would thus benefit from machine verification.
One interesting result of the approach applied here is the separation placed between the control and data paths, which is clearly visible from the compilation procedure.
The method used here is very similar to the compilation procedure used with Occam in [May90] and Handel in [HJ94,PL91]. The transformation depends heavily on the timing constraints, unlike the approach usually taken by commercial synthesis tools, which usually synchronise using global clock and reset signals [Pal96]. The main difference between the compilation of Verilog programs we define and that of Occam or Handel is the fact that timing control can be explicitly expressed in Verilog. It is thus not acceptable to assume that immediate assignments take a whole time unit to execute (as is done in the case of Occam and Handel). It was however necessary to impose the constraint that all compiled programs take some time to execute. This limitation obviously allows us to compile only a subset of Verilog programs. However, clever use of algebraic laws can allow the designer to modify code so as to enable compilation. How much of this can be done automatically and efficiently by the compiler itself is still an open question.
References
[Bor95] Dominique Borrione, editor. Formal Methods in System Design, special issue on VHDL semantics. Volume 7, Nos. 1/2, Aug 1995.
[FLS99] John Fiskio-Lasseter and Amr Sabry. Putting operational techniques to the test: A syntactic theory for behavioural Verilog. In The Third International Workshop on Higher Order Operational Techniques in Semantics (HOOTS'99), 1999.
[GG98] M.J.C. Gordon and A. Ghosh. Language independent RTL semantics. In Proceedings of IEEE CS Annual Workshop on VLSI: System Level Design, Florida, USA, 1998.
[Gor95] Mike Gordon. The semantic challenge of Verilog HDL. In Proceedings of the Tenth Annual IEEE Symposium on Logic in Computer Science (LICS '95), San Diego, California, pages 136-145, June 1995.
[HJ94] Jifeng He and Zheng Jianping. Simulation approach to provably correct hardware compilation. In Formal Techniques in Real-Time and Fault Tolerant Systems, number 863 in Lecture Notes in Computer Science, pages 336-350. Springer-Verlag, 1994.
[IEE95] IEEE. Draft Standard Verilog HDL (IEEE 1364). 1995.
[KB95] Carlos Delgado Kloos and Peter T. Breuer. Formal Semantics for VHDL. Number 307 in The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, 1995.
[KW88] K. Keutzer and W. Wolf. Anatomy of a hardware compiler. In David S. Wise, editor, Proceedings of the SIGPLAN '88 Conference on Programming Language Design and Implementation (SIGPLAN '88), pages 95-104. ACM Press, June 1988.
[May90] D. May. Compiling occam into silicon. In C. A. R. Hoare, editor, Developments in Concurrency and Communication, University of Texas at Austin Year of Programming Series, chapter 3, pages 87-106. Addison-Wesley Publishing Company, 1990.
[Ope93] Open Verilog International. Verilog Hardware Description Language Reference Manual (Version 2.0). Open Verilog, March 1993.
[Pac98] Gordon J. Pace. Hardware Design Based on Verilog HDL. PhD thesis, Computing Laboratory, University of Oxford, 1998.
[Pal96] Samir Palnitkar. Verilog HDL: A Guide to Digital Design and Synthesis. Prentice Hall, New York, 1996.
[PH98] Gordon J. Pace and Jifeng He. Formal reasoning with Verilog HDL. In Proceedings of the Workshop on Formal Techniques in Hardware and Hardware-like Systems, Marstrand, Sweden, June 1998.
[PL91] Ian Page and Wayne Luk. Compiling occam into field-programmable gate arrays. In Wayne Luk and Will Moore, editors, FPGAs, pages 271-283. Abingdon EE&CS Books, 1991.
[Sas99] H. Sasaki. A formal semantics for Verilog-VHDL simulation interoperability by abstract state machine. In Proceedings of DATE'99 (Design, Automation and Test in Europe), ICM Munich, Germany, March 1999.
[SX98] G. Schneider and Q. Xu. Towards a formal semantics of Verilog using duration calculus. Lecture Notes in Computer Science, 1486:282-??, 1998.
[ZHRR91] Chaochen Zhou, Michael R. Hansen, Anders Ravn, and Hans Rischel. Duration specifications for shared processors. In J. Vytopil, editor, Formal Techniques in Real Time and Fault Tolerant Systems, number 571 in Lecture Notes in Computer Science, pages 21-32. Springer-Verlag, 1991.
A Compilation Theorems
Theorem 1.1: Sequential composition can be thus decomposed:
$$i\mathit{Env}^{f}_{s} \vdash i\Phi^{f}_{s}(P; Q) \sqsubseteq i\Phi^{m}_{s}(P') \parallel i\Phi^{f}_{m}(Q') \parallel \mathit{Merge}$$
where for any program P, we will use $P'$ to represent $P[v_P/v]$. Merge has been defined in section 3.10.
Proof: First note the following result:
$$\begin{array}{ll}
& i\mathit{Env}^{f}_{s} \parallel \Phi^{f}_{s}(P; Q) \\
= & \{\text{communication laws}\} \\
& (\neg s^{\top}; \delta \sqcap \texttt{skip});\ s!;\ P;\ Q;\ f!;\ \delta_0;\ (\mathit{Env}^{f}_{s} \parallel \Phi^{f}_{s}(P; Q)) \\
= & \{\text{by law of } \delta_0\} \\
& (\neg s^{\top}; \delta \sqcap \texttt{skip});\ s!;\ P;\ Q;\ f!;\ (\neg s^{\top}; \delta \sqcap \texttt{skip});\ (\mathit{Env}^{f}_{s} \parallel \Phi^{f}_{s}(P; Q)) \\
= & \{\text{by definition of } i\mathit{Env}\} \\
& (\neg s^{\top}; \delta \sqcap \texttt{skip});\ s!;\ P;\ Q;\ f!;\ (i\mathit{Env}^{f}_{s} \parallel \Phi^{f}_{s}(P; Q)) \\
= & \{\text{definition of forever}\} \\
& \texttt{forever } (\neg s^{\top}; \delta \sqcap \texttt{skip});\ s!;\ P;\ Q;\ f! \\
\sqsubseteq & \{\text{new signal introduction and laws of signals}\} \\
& \texttt{forever } \neg m^{\top};\ (\neg s^{\top}; \delta \sqcap \texttt{skip});\ s!;\ P;\ m!;\ Q;\ f!
\end{array}$$
Now consider the other side of the refinement:
$$\begin{array}{ll}
& i\mathit{Env}^{f}_{s} \parallel i\Phi^{m}_{s}(P') \parallel \Phi^{f}_{m}(Q') \\
= & \{\text{communication laws}\} \\
& \neg m^{\top};\ (\neg s^{\top}; \delta \sqcap \texttt{skip});\ P';\ m!;\ Q';\ f!;\ \neg m^{\top};\ \delta_0;\ (\mathit{Env}^{f}_{s} \parallel \Phi^{m}_{s}(P') \parallel \Phi^{f}_{m}(Q')) \\
= & \{\text{definition of } i\mathit{Env}, i\Phi \text{ and law of } \delta_0\} \\
& \neg m^{\top};\ (\neg s^{\top}; \delta \sqcap \texttt{skip});\ P';\ m!;\ Q';\ f!;\ (i\mathit{Env}^{f}_{s} \parallel i\Phi^{m}_{s}(P') \parallel \Phi^{f}_{m}(Q')) \\
= & \{\text{definition of forever}\} \\
& \texttt{forever } \neg m^{\top};\ (\neg s^{\top}; \delta \sqcap \texttt{skip});\ P';\ m!;\ Q';\ f!
\end{array}$$
We can now prove the desired refinement:
$$\begin{array}{ll}
& i\mathit{Env}^{f}_{s} \parallel i\Phi^{f}_{s}(P; Q) \\
\sqsubseteq & \{\text{definition of } i\Phi \text{ and proved inequality}\} \\
& \neg f^{\top};\ \texttt{forever } \neg m^{\top};\ (\neg s^{\top}; \delta \sqcap \texttt{skip});\ s!;\ P;\ m!;\ Q;\ f! \\
= & \{\text{laws of merge from section 3.10}\} \\
& \mathit{Merge} \parallel (\neg f^{\top};\ \texttt{forever } \neg m^{\top};\ (\neg s^{\top}; \delta \sqcap \texttt{skip});\ s!;\ P';\ m!;\ Q';\ f!) \\
= & \{\text{above claim}\} \\
& \mathit{Merge} \parallel (\neg f^{\top};\ (i\mathit{Env}^{f}_{s} \parallel i\Phi^{m}_{s}(P') \parallel \Phi^{f}_{m}(Q'))) \\
= & \{\text{definition of } i\Phi \text{ and associativity of } \parallel\} \\
& \mathit{Merge} \parallel i\mathit{Env}^{f}_{s} \parallel i\Phi^{m}_{s}(P') \parallel i\Phi^{f}_{m}(Q')
\end{array}$$
$\Box$
Theorem 1.2: Conditional statements can be thus decomposed:
\[
\mathcal{E}^f_s \;\vdash\; \Phi^f_s(P \lhd b \rhd Q) \;\sqsubseteq\; \Phi^{f_P}_{s_P}(P') \parallel \Phi^{f_Q}_{s_Q}(Q') \parallel \mathit{Merge} \parallel \mathit{Interface}
\]
where
\[
\begin{array}{lll}
\mathit{Interface} \;=\; & \mathbf{assign}\ s_P = s \wedge b & \parallel \\
 & \mathbf{assign}\ s_Q = s \wedge \neg b & \parallel \\
 & \mathbf{assign}\ f = f_P \vee f_Q &
\end{array}
\]
Proof: The proof is similar to that of Theorem 1.1.
Theorem 1.3: Loops can be decomposed into their constituent parts.
\[
\mathcal{E}^f_s \;\vdash\; \Phi^f_s(P \ast b) \;\sqsubseteq\; \Phi^{f_P}_{s_P}(P) \parallel \mathit{Interface}
\]
where
\[
\begin{array}{lll}
\mathit{Interface} \;=\; & \mathbf{assign}\ s_P = s \vee (f_P \wedge b) & \parallel \\
 & \mathbf{assign}\ f = f_P \wedge \neg b &
\end{array}
\]
Proof: Again, the proof is similar to that of Theorem 1.1.
Complete proofs of Theorems 1.2 and 1.3 can be found in [Pac98].
B Environment Theorems
Lemma 2.1: Provided that $s$ and $f$ are signals, if $\int f \geq \int s - 1$ and $\int f \leq \int s \leq \int f + 0.5$ are valid duration formulae, then so is $\mathcal{E}^f_s$.
Proof: Since the inequality holds for all prefix time intervals, and $s$ and $f$ are both signals, we can use duration calculus reasoning to conclude that:
\[
\Box\Big((\lceil s\rceil \wedge \ell = 0.5);\; \mathit{true};\; (\lceil s\rceil \wedge \ell = 0.5) \;\Rightarrow\; \ell = 1;\; \mathit{true};\; \lceil f\rceil;\; \mathit{true}\Big)
\]
This allows us to deduce that $s!;\; \Delta;\; s! \;\Rightarrow\; s!;\; \#1;\; f?;\; \Delta_0;\; s!$.
But $s$ is a signal, and hence satisfies $(\neg s^\top;\Delta \sqcap \mathbf{skip});\; \mathbf{forever}\,(s!;\,\Delta)$.
\[
\begin{array}{ll}
 & \mathbf{forever}\,(s!;\,\Delta) \\
= & \{\text{definition of forever loops}\} \\
 & s!;\; \Delta;\; s!;\; \Delta;\; \mathbf{forever}\,(s!;\,\Delta) \\
\Rightarrow & \{\text{by implication just given}\} \\
 & s!;\; \#1;\; f?;\; \Delta_0;\; s!;\; \Delta;\; \mathbf{forever}\,(s!;\,\Delta) \\
= & \{\text{definition of forever loops}\} \\
 & s!;\; \#1;\; f?;\; \Delta_0;\; \mathbf{forever}\,(s!;\,\Delta) \\
\Rightarrow & \{\text{definition of forever loops}\} \\
 & \mathbf{forever}\,(s!;\; \#1;\; f?;\; \Delta_0)
\end{array}
\]
Hence, from the fact that $s$ is a signal, we can conclude the desired result:
\[
\begin{array}{ll}
 & (\neg s^\top;\Delta \sqcap \mathbf{skip});\; \mathbf{forever}\,(s!;\,\Delta) \\
\Rightarrow & (\neg s^\top;\Delta \sqcap \mathbf{skip});\; \mathbf{forever}\,(s!;\; \#1;\; f?;\; \Delta_0) \\
= & \mathcal{E}^f_s
\end{array}
\]
$\Box$
Lemma 2.2: $\mathcal{E}^f_s \;\Rightarrow\; \int s \leq \int f + 0.5$.
Proof: The proof of this lemma follows by induction on the number of times that the environment loop is performed. We first note that $\mathcal{E}^f_s$ can be rewritten as:
\[
(\neg s^\top;\Delta \sqcap \mathbf{skip});\; s!;\; \#1;\; \mathbf{forever}\,(f?;\; \Delta_0;\; s!;\; \#1)
\]
Using the law $f? = f^\top \sqcap (\neg f^\top;\, \#1;\, f?)$ and distributivity of non-deterministic choice, it can be shown that this program is equivalent to:
\[
(\neg s^\top;\Delta \sqcap \mathbf{skip});\; s!;\; \#1;\; \mathbf{forever}
\left(
\begin{array}{ll}
 & f^\top;\; s!;\; \#1 \\
\sqcap & f^\top;\; \Delta;\; s!;\; \#1 \\
\sqcap & \neg f^\top;\; \#1;\; f?;\; \Delta_0;\; s!;\; \#1
\end{array}
\right)
\]
Using the laws of loops this is equivalent to:
\[
(\neg s^\top;\Delta \sqcap \mathbf{skip});\; s!;\; \#1;\; \mathbf{forever}
\left(
\begin{array}{ll}
 & f^\top;\; s!;\; \#1 \\
\sqcap & \neg s^\top;\; f^\top;\; \Delta;\; s!;\; \#1 \\
\sqcap & \neg s^\top;\; \neg f^\top;\; \#1;\; f?;\; \Delta_0;\; s!;\; \#1
\end{array}
\right)
\]
The semantic interpretation of this program takes the form:
\[
P' \;\vee\; \exists n : \mathbb{N} \cdot P;\; Q^n;\; Q'
\]
where $P'$ corresponds to the partial execution of $(\neg s^\top;\Delta \sqcap \mathbf{skip});\; s!;\; \#1$, and $P$ to its full execution. Similarly, $Q'$ and $Q$ correspond to the partial and complete execution of the loop body.
\[
\begin{array}{lcl}
P & \Rightarrow & \lceil \neg s\rceil^*;\; (\lceil s\rceil \wedge \ell = 0.5);\; \lceil \neg s\rceil^* \\
Q & \Rightarrow & \big(\mathit{true};\; \lceil f\rceil;\; \mathit{true} \;\wedge\; \lceil \neg s\rceil^*;\; (\lceil s\rceil \wedge \ell = 0.5)\big);\; \lceil \neg s\rceil^* \\
P' & \Rightarrow & \lceil \neg s\rceil^* \;\vee\; \lceil \neg s\rceil^*;\; (\lceil s\rceil \wedge \ell = 0.5);\; \lceil \neg s\rceil^* \\
Q' & \Rightarrow & \lceil \neg s\rceil^* \;\vee\; \big(\lceil \neg s\rceil^*;\; (\lceil s\rceil \wedge \ell = 0.5);\; \lceil \neg s\rceil^* \;\wedge\; \mathit{true};\; \lceil f\rceil;\; \mathit{true}\big)
\end{array}
\]
Since $P' \Rightarrow \int s \leq 0.5$, it immediately follows that $P' \Rightarrow \int s \leq \int f + 0.5$.
We can also show, by induction on $n$, that $P;\, Q^n$ implies this invariant. An outline of the inductive case is given below:
\[
\begin{array}{lcl}
P;\; Q^{n+1} & = & P;\; Q^n;\; Q \\
 & \Rightarrow & (\int s \leq \int f + 0.5);\; Q \\
 & \Rightarrow & (\int s \leq \int f + 0.5);\; (\int s = 0.5 \;\wedge\; \int f \geq 0.5) \\
 & \Rightarrow & \int s \leq \int f + 0.5
\end{array}
\]
Finally, we can use this result to show $P;\, Q^n;\, Q' \Rightarrow \int s \leq \int f + 0.5$.
\[
\begin{array}{lcl}
P;\; Q^n;\; Q' & \Rightarrow & (\int s \leq \int f + 0.5);\; Q' \\
 & \Rightarrow & (\int s \leq \int f + 0.5);\; \int s = 0 \;\;\vee\;\; (\int s \leq \int f + 0.5);\; (\int s = 0.5 \;\wedge\; \int f \geq 0.5) \\
 & \Rightarrow & \int s \leq \int f + 0.5
\end{array}
\]
This completes the required proof.
$\Box$
Lemma 2.3: Provided that $\mathit{dur}(P)$:
\[
\Phi^f_s(P) \;\Rightarrow\; \int f \leq \int s \;\wedge\; \int f \geq \int s - 1
\]
Proof: Note that $\Phi^f_s(P)$ is a refinement of $(\neg f^\top;\Delta \sqcap \mathbf{skip});\; \mathbf{forever}\,(f!;\; s?;\; \Delta)$, which is almost identical to $\mathcal{E}^s_f$.
The proof follows almost identically to that of Lemma 2.2 except that, unlike the environment condition, $\Phi^f_s(P)$ cannot signal on $f$ as soon as it receives a signal on $s$ (since $P$ must take some time to execute). This allows us to gain the extra 0.5 time unit.
$\Box$
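The three integral bounds of Lemmas 2.2 and 2.3 can be exercised on concrete traces. The following checker is an added example and is not code from the paper: it assumes a discrete grid of 0.5-time-unit slots (the width of one signal pulse), models an environment that obeys the environment condition ($s!;\,\#1;\,f?;\,\Delta_0$ repeated, with $\Delta_0$ an arbitrary idle period) talking to a block of the compiled shape ($s?;\,P;\,f!$ with $\mathit{dur}(P)$ at least one time unit), and evaluates $\int s$ and $\int f$ on every prefix. The names `handshake_trace`, `invariant_violations` and `IMPATIENT_ENV` are this example's own; the last is a constructed trace of an environment that re-raises $s$ without waiting for $f$, which is exactly what the environment condition rules out.

```python
"""Trace-level check of the duration bounds of Lemmas 2.2 and 2.3.

Added example, not code from the paper. Assumptions: time is sampled in
slots of 0.5 time units; a signal pulse (s! or f!) holds the wire high for
exactly one slot; the environment runs  s!; #1; f?; delta_0  forever and the
compiled block runs  s?; P; f!  forever with dur(P) >= 1 time unit.
"""
from fractions import Fraction
import random

HALF = Fraction(1, 2)  # one grid slot; also the width of every signal pulse


def handshake_trace(p_durations, idle_gaps):
    """Build a trace of (s, f) pairs, one per 0.5-unit slot, with one
    environment/block handshake round per entry of p_durations.

    p_durations[i]: slots P occupies in round i; must be >= 2 (one time
                    unit), otherwise f! would fall inside the environment's
                    #1 wait and never be observed by f?.
    idle_gaps[i]:   slots the environment idles (delta_0) after seeing f.
    """
    trace = []
    for d, gap in zip(p_durations, idle_gaps):
        if d < 2:
            raise ValueError("dur(P): P must take at least one time unit")
        trace.append((True, False))            # s!: s high for one slot
        trace.extend([(False, False)] * d)     # P runs; environment in #1, then f?
        trace.append((False, True))            # f!: f high for one slot
        trace.extend([(False, False)] * gap)   # delta_0: environment idles
    return trace


def prefix_integrals(trace):
    """Return [(int_s, int_f), ...] after each slot, i.e. for every prefix."""
    out, int_s, int_f = [], Fraction(0), Fraction(0)
    for s, f in trace:
        int_s += HALF if s else 0
        int_f += HALF if f else 0
        out.append((int_s, int_f))
    return out


def invariant_violations(trace):
    """Prefixes that violate any of the bounds the paper proves:
         Lemma 2.2:  int s <= int f + 0.5
         Lemma 2.3:  int f <= int s   and   int f >= int s - 1
    Returns a list of (slot_index, int_s, int_f); empty means all hold."""
    bad = []
    for k, (int_s, int_f) in enumerate(prefix_integrals(trace)):
        ok = int_s <= int_f + HALF and int_f <= int_s and int_f >= int_s - 1
        if not ok:
            bad.append((k, int_s, int_f))
    return bad


def random_handshake(rounds, seed=0):
    """A random well-formed handshake trace (constructed input for fuzzing)."""
    rng = random.Random(seed)
    return handshake_trace([rng.randint(2, 6) for _ in range(rounds)],
                           [rng.randint(0, 4) for _ in range(rounds)])


# Constructed counterexample: an environment that raises s a second time
# without waiting for f, i.e. one that breaks the environment condition.
IMPATIENT_ENV = [(True, False), (False, False), (True, False)]

if __name__ == "__main__":
    print("well-formed handshake:", invariant_violations(random_handshake(50, seed=1)))
    print("impatient environment:", invariant_violations(IMPATIENT_ENV))
```

Every prefix of a well-formed handshake satisfies all three bounds, whereas the impatient environment violates $\int s \leq \int f + 0.5$ at its third slot ($\int s = 1$, $\int f = 0$); this is the concrete content of the environment condition that Theorems 1.1 to 1.3 assume on the left of $\vdash$.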
Lemma 2.4: The environment conditions follow along the compilation process:
\[
\Psi^f_s(P) \;\Rightarrow\; \int f \leq \int s
\]
Proof: The proof uses structural induction on the program:
In the base case, $P$ cannot be decomposed any further, and hence $\Psi^f_s(P) = \Phi^f_s(P)$. Therefore, by Lemma 2.3, we can conclude that $\int f \leq \int s$.
Inductive case: We proceed by considering the three possible cases: $P = Q;R$, $P = Q \lhd b \rhd R$ and $P = Q \ast b$.
Sequential composition: $P = Q;R$
\[
\begin{array}{ll}
 & \Psi^f_s(P) \\
= & \{\text{by definition of } \Psi\} \\
 & \Psi^m_s(Q) \parallel \Psi^f_m(R) \\
\Rightarrow & \{\text{by inductive hypothesis}\} \\
 & \int f \leq \int m \;\wedge\; \int m \leq \int s \\
\Rightarrow & \{\leq \text{ is transitive}\} \\
 & \int f \leq \int s
\end{array}
\]
Conditional: $P = Q \lhd b \rhd R$
\[
\begin{array}{ll}
 & \Psi^f_s(P) \\
= & \{\text{by definition of } \Psi\} \\
 & \Psi^{f_Q}_{s_Q}(Q) \parallel \Psi^{f_R}_{s_R}(R) \parallel \mathit{Interface}_C \\
\Rightarrow & \{\text{by inductive hypothesis}\} \\
 & \int f_Q \leq \int s_Q \;\wedge\; \int f_R \leq \int s_R \;\wedge\; \mathit{Interface}_C \\
\Rightarrow & \{\text{by definition of } \mathit{Interface}_C\} \\
 & \int f_Q \leq \int s_Q \;\wedge\; \int f_R \leq \int s_R \;\wedge\; \int s_Q + \int s_R = \int s \;\wedge\; \int f = \int f_Q + \int f_R - \int (f_Q \wedge f_R) \\
\Rightarrow & \{\text{by properties of } \leq \text{ and } \int\} \\
 & \int f \leq \int s
\end{array}
\]
Loops: $P = Q \ast b$
\[
\begin{array}{ll}
 & \Psi^f_s(P) \\
= & \{\text{by definition of } \Psi\} \\
 & \Psi^{f_Q}_{s_Q}(Q) \parallel \mathit{Interface}_L \\
\Rightarrow & \{\text{by inductive hypothesis}\} \\
 & \int f_Q \leq \int s_Q \;\wedge\; \mathit{Interface}_L \\
\Rightarrow & \{\text{by definition of } \mathit{Interface}_L \text{ and integral reasoning}\} \\
 & \int f_Q \leq \int s_Q \;\wedge\; \int f = \int s - \big(\int s_Q - \int f_Q\big) - \int (f_Q \wedge b \wedge s) \\
\Rightarrow & \{\text{by properties of } \leq\} \\
 & \int f \leq \int s
\end{array}
\]
This completes the inductive step and hence the result holds by induction.
$\Box$
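The two integral facts invoked in the conditional and loop cases ("by definition of $\mathit{Interface}_C$" and "by definition of $\mathit{Interface}_L$ and integral reasoning") can be derived directly from the $\mathbf{assign}$ statements of Theorems 1.2 and 1.3, instantiated with $Q$ and $R$ as in Lemma 2.4. The derivation below is added here and is not part of the original proof; it uses only that $\int$ is additive over disjoint cases, that $\int(x \vee y) = \int x + \int y - \int(x \wedge y)$, and that every duration integral is non-negative.

Conditional, with $s_Q = s \wedge b$, $s_R = s \wedge \neg b$ and $f = f_Q \vee f_R$:
\[
\begin{array}{lcl}
\int s_Q + \int s_R & = & \int (s \wedge b) + \int (s \wedge \neg b) \;=\; \int s \\
\int f & = & \int (f_Q \vee f_R) \;=\; \int f_Q + \int f_R - \int (f_Q \wedge f_R) \;\leq\; \int f_Q + \int f_R \\
 & \leq & \int s_Q + \int s_R \;=\; \int s \qquad \{\text{inductive hypothesis, twice}\}
\end{array}
\]
Loop, with $s_Q = s \vee (f_Q \wedge b)$ and $f = f_Q \wedge \neg b$:
\[
\begin{array}{lcl}
\int s_Q & = & \int s + \int (f_Q \wedge b) - \int (s \wedge f_Q \wedge b) \\
\int f & = & \int f_Q - \int (f_Q \wedge b) \\
 & = & \int f_Q - \Big(\int s_Q - \int s + \int (s \wedge f_Q \wedge b)\Big) \qquad \{\text{eliminate } \int (f_Q \wedge b)\} \\
 & = & \int s - \big(\int s_Q - \int f_Q\big) - \int (f_Q \wedge b \wedge s) \\
 & \leq & \int s \qquad \{\int s_Q - \int f_Q \geq 0 \text{ by the inductive hypothesis; } \int (f_Q \wedge b \wedge s) \geq 0\}
\end{array}
\]
The loop identity is exactly the one quoted in the proof above; note that it requires no bound on how often the loop body is re-entered, since $\int (f_Q \wedge b)$ cancels out of the two equations.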
Lemma 2.5: $\Psi^f_s(P) \;\Rightarrow\; \int f \geq \int s - 1$.
Proof: The proof follows almost identically to that of Lemma 2.4.
$\Box$