The e programming language enjoys widespread use in the microchip industry with applications to specification, modeling, testing and verification of hardware systems and their operating environments. Unique features of e include a combination of object oriented and constraint oriented mechanisms for the specification of data formats and interdependencies, interesting mechanisms of inheritance, and an efficient combination of interpreted and compiled code. Since the language is also extensible if serves as a living, industrial scale, implementation and application of the aspect oriented programming paradigm. This paper briefly describes the e language highlighting its novel features and their particular suitability to the task of hardware verification, and reports on our experience of aspect oriented programming in this intense commercial setting.
Introduction
With the advent of the object oriented paradigm there also came the realisation that despite its numerous benefits it is often the case that the unit of modularization reuse is not the class, but rather a slice of behavior affecting several classes. The research on aspect oriented programming (AOP) [ I] . subjecr oriented programming (SOP) [2] , and the work on adaptive programming (AP) [3] , represent almost a decade of attempts to address this problem. The influential AOP group [I] motivate the departure from the traditional OOP approach thus: crosscut the system's class and module structure. Much of the complexity and brittleness in existing systems appears to stem from the way in which the implementation of these kinds of concerns comes to be intertwined throughout the code."
Mezini and Lieberherr [4] similarly observe that while object oriented techniques have given the programmer excellent data abstraction mechanisms, objects themselves are cumbersome when it comes to expressing aspects of behaviour that affect several data types. Conversely, OOP fails in naturally facilitating non-invasive extension mechanisms for layering new functionality over existing code. Essentially the same issue motivates the SOP community [2] , and authors such as Lauesen [5] , Wilde [7] , Fisler [8] amongst many others.
Fundamentally, the AOP/SOP/AP quest is for mechanisms that will allow one to encapsulate concems (features, or aspects) in modules even if they happen to cross class boundaries; the intent is to be able to apply different combinations of these modules to existing code rather than manually modifying it. This paper describes a solution to the separation of concems problem which is represented in the e [6] programming and modeling language, which blends the 00 paradigm with its own unique programming approach.
Unusually e has emerged from, and is today extensively applied in, a competitive industrial setting. Research directions such as AOP, SOP and AP emphasized the traditional software development model in which a basic product is subject to changes and additions over its lifetime, often by different teams. In our domain, that of "Objects have been a great success at facilitating the separation of concerns. 
42
A few words are needed here to explain the term nents. It is not normally desirable for a test engineer to functional verification as used by the design automa-write code for adapting a library interface as would be tion community. The target of this verification activ-done in more traditional kinds of software; what is reity are hardware devices including CPUs and other mi-quired is a software component that is easily configured crochips, network equipment such as routers, and sys-from without via constraints coming from the requiretems combining hardware with embedded software. We ments of the environment in which the component is shall refer to all these simply as "hardware" in the se-embedded. These constraints can be as simple as setting quel. Functional verification is the process by which the configuration parameters (architectural constraints) of correctness of the hardware design is established, the the device being incorporated, or they may shape the term resting having long been associated in this com-data input space.
.~ Similar conditions prevail in the domain of testing of non-embedded general purpose software systems: exmunity with the process by which manrlfacruring defects are detected.
-~~
In functional verification, the hardware is not tested treme time constraints, high adaptability requirements directly. Instead a description of the hardware writ-and a multitude of similar, but not identical, conten in a hardware description language (HDL) such as currently maintained testbenches. A major difference VHDL [9] or Verilog [IO] , is compared with adifferent, though is that the cost of post-release defects is so much high level description of the hardware. Software written higher in hardware than it is in software. Hardware verin e may therefore play a double role. On the one hand ification is therefore required to be much more thorit is used for expressing the expected behavior of the ough, and hardware testbenches tend to be very large in device under test (DUT). On the other hand, it is used comparison with software testbenches. It is illustrative for exercising a certain functionality of the DUT.
to note that many hardware developers apply a tule of Thus, there are at least proliferation occurs in e: a collection of test environ-each design engineer.
directions in which code thumb that there must be one verification engineer for ments describing the different DUTs in a product line, The e programming language dominates the market of as well as a rich suite of test cases required for thorough testbench automation. In our industrial experience we coverage. This diversity exists even in a first version of have observed testbenches that constitute some IC500 a functional verification testbench. Thus, e evolved in KLOC. These numbers are dwarfed when compared a setting in which the need for mechanization of sepa-to testbenches written in languages such as C, C++, ration of concems was even more important than in a or Ped, which can more than triple the code volume traditional sortware lifecycle model. in order to achieve similar levels of design assurance.
A further aggravation of the hardware verification do-The practice Of extending the use Of hardmain is that the testbench software merely plays a sup-ware description languages (which have few high level porting role in the development of the hardware, The ConStNCtS? Or capabilities) for the purpose Of production of a testbench can when there is a design specification for the hardware, but it can only Of large software be used once a simulation model of the hardware has The e language, while it is a general purpose programbeen developed. As a result, time constraints on the ming language, has thus grown up specifically to addevelopment of testbenches are even more acute than dress the flexible software demands of functional verthose on the hardware which in its tum has a very short ification. This is explained in Section 2 which sets the time to market, and relatively short lifetime.
context of e applications, its design rationale, and gives testbench definition is even less immune to the maladies be erected around the DUT in order to subject it to a large number of tests. The components of a typical testbench, or verification environment, for a siple CPU are displayed in Figure I Instructions A key element in any verification environment is an adequate description of the data being manipulated4PU instructions, in this case. Such descriptions typically do form natural classes of structured data-thus CPU instructions will be defined by some common elements such as opcode and addressing mode, but differences emerge (say) in the operands present causing a classification into immediate (e.g., the second operand, op2, is a two byte integer constant), memory (op2 and remporul properties (also declarative) which decide how well the verification is progressing have to k designed with reference to a plan. For instance it may be required to when a branch instruction was being decoded. The 'responds correctly' may be a temporal rule invoked under such circumstances, but the fact that Simplified textual syntax The rich toolset that e prothis scenario occurred during testing would be envides to its user must be served in an easy to tered as a functional coverage point. In a simple use, non-cryptic syntax. The design of the syntax case one might be content to count how many and the semantics were also influenced by the retimes this combination of circumstances occurred.
ality that the principal users of the language are not software specialists but mainly hardware engineers who, in particular, may not be schooled in Object Oriented languages.
as mechanisms for specifying parallel execution, Given a functional verification environment such as that envisaged above, tests will be devised to exercise the design. Sometimes these need to be very deterministic performance 
Factors influencing e's design
Since its initial conception in the early nineties the e language has evolved to meet the needs of functional verification engineers. e is used to describe the DUT, its operating environment, its legal inputs, and its behavior Over time. Specman, VerisitY'S flagship Product imPlementing the language and runtime system, lakes such a description and uses it to generate test inputs and drive them into the DUT, cany out temporal and data checkOn the face of it e is a lexically scoped, statically ing by monitoring the device, create coverage reports, type checked object-oriented language with single inand assist in debugging.
Even though e is a general-purpose programming Ian-heritance. A strucf in e, just like a class in other proguage (in fact most of Specman is written in e) its de-gramming languages, may declare fields and methods. sign has been geared towards the task of modeling and Structs may also contain several unique declarative verifying hardware systems. This specific task imposed components, including constraints (affecting initial vala number of important characteristics on the language. ues assigned to fields), event definitions (for monitor-
Compiled and interpmted code F~~
that are discussed in section 3 below, [here is a need when building testbenches to be able to load files which add new features, constructs, and especially constraints, on top of an extant code base. There is also a need for mixing those independently constructed additions in an unrestricted way, ing DUT behaviour), and temporal properties (checking protocols, etc. ules). This process is described through a number of examples below. Example 3.1 A test specification, in its simplest form, simply adds a few constraints on top of an existing environment. For instance, taking the packet example started in Section 2.2, a test writer might want to specify: ( I ) For all packets, z should be equal to j , but no packet should be empty. To achieve this, she needs to write the following e file (call it test1 .e):
The first of these two statements.declares an enumerated type, the second declares a structured object with several scalar fields. The keeps are constraints that affect initial values assigned to the fields mentioned whenever an instance of this class is created-Specman resolves such constraints during a test run in order to generate a random, directed stream of data for the DUT. Constraints in e are linear functions over finite domains.
While the synthesis of constraint solving and object oriented programming in e is an interesting subject in itself, it is not explored further in this article which rather focuses on the language constructs that address separation of concerns. Thus, in addition to the simple inheritance mechanism (which is called like inheritance in e), the language provides a unique and powerful when inheritance mechanism, reminiscent of Chambers' predicate classes [ll] . Moreover, any e struct can be extended in a later module: fields, methods, events, and constraints can be added to it, and method definitions can be modified or ovemdden. Interpreted files can be loaded on top of a compiled executable, possibly extending already-compiled structs. The extension capabilities are discussed in Section 3 below, the when inheritance mechanism is deferred until Section 4. This needs to be loaded on top of the current verification environment containing all the previously-defined files, and executed -in Specman this is achieved by hitting the "test" button to generate packets randomly, based on the augmented set of constraints.
Example 3.2
To take a slightly more complicated example. Assume that the test writer wants to specify a "special packets test": ( I ) For all packets, z should be equal to j, but no packet should be empty, and (2) the value j should be the same for all packets generated during a given test. For (I) , all that is needed is t e s t l . e as defined above. To implement (2): The first line includes the definitions from earlier files so that they will be loaded (or reloaded) when the special. e test file is loaded into the verification environment. The second line extends the definition of another
Motivation
struct, sys, by adding a field and a constraint. Finally the packet struct is extended with another constraint One of the basic things people do with e is to define that will have the effect of keeping j in every packet 3 The aspect-oriented features of e structs, and then extend those structs in later files (mod-the same throughout the test. This is feature-oriented programming: The file s p ec i a l . e implemented the "special packets test" feature by layering additional code over existing classes.
Note that this extension mechanism is quite unlike that of C++ or Java, for instance, where class definitions can only be extended via the subtyping mechanism. Thus, in particular, the struct sys above is modified by the additional field, but no subtype is created.
Example3.3 Assume a test writer now wants to ar-

Orthogonal extensions
Because of the extreme time pressure associated with functional verification, a verification team will often split into several groups (or individuals), each group developing verification extensions to the basic environment. e was specifically built so as to allow multiple, independent groups to extend (add features to) some base functionality without bumping into each other and while allowing an integrator to later combine these extensions at will. In that. it is close in mint to SOP.
range that at the end of the test a count of all packets should be printed:
One common practice is to divide work according to the chapters of the test plan written for the DUT. Assume, for instance, that one of the features of our packet router DUT is its ability to handle parity errors. One person might go ahead and implement the part of the verification environment which takes care of genera- I back-to-back, or on all input channels at once, etc.
This modifies another predefined method (one that is actually defined for all structs) which is executed when a new instance of the packet class is created.
Note that c o u n t i n g . e and s p e c i a l . e are independent. One could load either, both or none, and the "right" thing would still happen, even though both extend the same set of classes. Thus, each such file corresponds to a feature (or subject, in SOP parlance).
Test writers might decide to import either file, or none, or both (in which case they would have the flexibility of influencing both parity error behaviour and timing behaviour). These are everyday needs for functional verification engineers which are adequately addressed by e's exrend mechanism. However, this mechanism does not resolve all orthoganality issues on its own.
Programmers need to adopt some conventions to ensure that any two extensions will be loadable in any order. For instance, namespace conventions are needed to avoid name clashes if two aspects introduce fields of the same name; more insidious collisions may arise when methods are extended. The is also method extension used in Example 3.3 is relatively safe to use but is only (used to ocenide a function definition) may cause code to break. Such problems are ameliorated by the when subtyping mechanism discussed in Section 4.3.
Other uses of extension
Here are some other cases where the ability to extend a bunch of classes from the outside is very useful for a verification or modeling language:
Ease of debugginglanalysis It is very easy to add specialized debug code to be loaded on top of existing functionality. For instance, such code might latch into "interesting" events so as to create a GUI visualizer for the DUT.
Design exploration It is very easy to change the configuration from the outside (typically via constraints), so as to see how the DUT behaves e.g. with a bigger intemal buffer, more ports, fewer pipeline stages.
Replacing callback registrations Many
programming environments have a facility for registering a callback, saying in effect "when X happens, call my routine Y". e does not have such a facility, nor does it need one. For each such "interesting" X, there should be a published method (which is often empty initially), which can be extended by any user in any other file. Providing such empty "hook" methods is a convention employed by Specman itself, and verification environment builders are also encouraged to follow it.
Extending in-place
Note that in all of the above examples, the user needs the extension to be done in-place (i.e., the original class has to be extended, rather than creating a new class). The issue is that if one creates a new subclass, then one needs to go back to all places where instances of the original class are created, and change them to create instances of the new class. This process is tedious, invasive and error prone. While it may be possible to address the need using the Abstract Factory pattern [15] , the approach is cumbersome because of the need to manage a profusion of sub-classes, especially when dealing with multiple orthogonal extensions.
The problem of influencing what class gets created was well described by Kiczales [I31 who observed that the usefulness of inheritance is severely limited in regular 00 languages because they provide no mechanism to change from the outside the &pes of created objects. Kiczales' seminal work was very influential in the early development of e, and is still very relevant today. His solution, truces, is different from the one adopted in e, although traces could be implemented using constraints to influence when subtypes, and methods under them.
Extending extend
In the previous section we discussed e's extend mechanism which allows one to modify classes in place. Now we discuss other features of the language that complement this mechanism which we have found to be essential components of a high level verification language.
No pre-processor
Most of the experimental AOP languages coming out of AOP/SOP research are implemented as pre-processors: The tool takes program fragments (corresponding to different aspects) from separate files, and "weaves" them into a single program (say in Java). This approach would not suffice in functional verification. Firstly, for performance reasons, most of the e code is eventually compiled (at least for production tuns). However, in each particular run, a different test, adding or modifying constraints, fields, or methods, will be loaded on top of this compiled environment, This process must be relatively quick as it happens very frequently during verification. Thus, a pre-processing style of implementing AOP is not practical. For example we need to extend some methods and add fields without invalidating (and re-compiling) the underlying environment.
Another reason pre-processing is problematic is debugging. When single-stepping through methods, the user would like to see the source of methods she has writ-method is called, except doors in hospitals, which ten, rather than the mangled results of a more corn-should print hiss. This unique inheritance mechanism is plex pre-processing phase. Note, however, that there is more flexible than the regular (single or multiple) inhera tradeoff here: Aspect-weaving-through-preprocessing itance scheme, and is similar in spirit to Craig Chammay allow more powerful transformations.
bers' predicate classes [ I I] .
First it should be noted that e has the "regular" 00 single inheritance. Thus one can write: l s t r u c t packet ( . . I ;
I
The need for environmental acquisition
One of the main things one does in e is knowledge representation: trying to model the (concrete and abstract) "things" which influence the DUT. Here is a typical thing one might want to say: By default, all doors are green, except that car doors all have the color of the car. This can be captured as follows: s t r u c t e t h e r n e t p a c k e t l i k e packet ( . . I ; in order to specialise packets to Ethernet packets, say. However for modeling we recommend writing the same thing using when inheritance. This is done by explicitly specifying determinant fields-the fields which determine the "dimensions" used for inheritance. Determinants in e can be fields of Boolean or enumerated type, For example to capture various kinds of packet: 
;
This problem in knowledge representation and programming, that of an object's need to acquire attributes based on its role within a composite rather than its parents alone, was described by Gil and Lorenz in [14] .
The e language addresses this environmental acquisition problem to a large extent via constraints.
J
We can use the protocol field in order to specialise packets according to need. The when subtyping is implicit in this extension of the packet StNCt:
header: e t h e r n e t h e a d e r ; s h o w 0 is f i r s t ( o u t ( " I am an Ethernet packet. " ) ;
Using when inheritance
Using when inheritance one can easily express things like: All doors should print bung when their s h u t ( )
I ) ;
There is, in this case, only one field of a type that matches the 'Ethernet' determinant. The when subtype thus inherits all fields etc., from the virtual packet class, and provides its own methods and fields. The when subtyping can be expressed more explicitly thus: There are two main reasons why when inheritance is separation of concerns. The main use of e is modeling our experience and that of our customers, many times easier than writing them in a language which does not have constraints and separation of concerns. and verification of digital hardware. This subject domain places a very high premium on separation of concerns, and hence this extend feature was built into the language from the beginning. We have also explained how the special needs of hardware verification further constrain the language design space. For instance, the disadvantages of pre-processing to combine aspects, and the need to provide programming constructs hardware engineers find familiar.
We have introduced other e features such as when inheritance and constraints, and have shown how these, in conjunction with extensibility, are important for knowledge representation. These, the reader will have ob-
1;
The select constraint applied here is used to weight the random generator so that it favours foreign packets over IEEE packets. In fact such weights are often integer valued functions of data sampled from the DUT, thus allowing the generation of packets to be influenced, as need be, by the current state of the device. This is typically how e based functional verification works on-thefly, directed towards corner cases (of the functionality) of the design.
jected into a DUT, and checked off once they are completed. Such abstractions vary in complexity from simple mechanisms to generate a clock signal for a DUT, to sophisticated packages for creating streams of CPU instructions. Clearly these are aspects of a functional verification environment, but presently they largely exist in the corpus of e programs as patterns to guide implementations. The question remains whether and how these can be expressed as adaptive programming components or executable patterns.
Conclusion
