Putting Operational Techniques to the Test: A Syntactic Theory for Behavioral Verilog  by Fiskio-Lasseter, John & Sabry, Amr
URL httpwwwelseviernllocateentcsvolumehtml
Department of Computer and Information Science
University of Oregon
Eugene, OR, USA
Abstract
We present a syntactic theory for the behavioral subset of the Verilog Hardware Description Language. Due to the complexity of the language, the construction of this theory represents a serious test of the suitability of syntactic operational techniques for reasoning about industrial languages. Overall, we have found that these techniques are rather robust, but with a few caveats. Our theory formalizes the simulation cycle explicitly, exposes a number of ambiguities and inconsistencies in the language reference manual (LRM), and is the most accurate known description of this subset of Verilog with respect to the LRM. The syntactic theory has been used to automatically derive a simulator for Verilog.
 Introduction
Programming calculi which concentrate on a small set of constructs that cap
ture the essence of a language commonly come equipped with syntactic
theories that explain in intuitive yet formal terms the evaluation and opti
mization of programs In principle then the development of such theories
for fulledged industrial programming languages appears not only possible
but even straightforward Verilog an industrial hardwaredescription lan
guage is a candidate language for which a syntactic theory would be much
welcome First Verilog has an incredibly rich set of constructs and the be
havior of many of these is not well understood Its semantic formalization
is a recognized challenge 	
 yet there exists no complete semantics for the
language operational or otherwise Hence developing a syntactic theory for
Verilog represents a good test of the expressiveness and scalability of opera
tional techniques Second the informal semantics of Verilog in the standard

This work is supported by the National Science Foundation under the Title Career Con
trolling Space Properties of HigherOrder Typed Programs grant number CCR	


c
 Published by Elsevier Science B V
Open access under CC BY-NC-ND license. 
FiskioLasseter and Sabry
language reference manual LRM 
 is already given in an operational style
but simulators that implement the informal semantics dier in subtle ways A
syntactic theory can therefore identify many of the inconsistencies in the in
formal semantics and yield a correctbyconstruction standard simulator that
denes and implements the semantics
This paper presents the development of a syntactic theory for behavioral Verilog, which clarifies and exposes a number of ambiguities and inconsistencies in the LRM. With respect to the LRM, the resulting formal semantics for the language is the most accurate of any work to date. From a semantic point of view, the development steps themselves are also interesting.

First, the development of a syntactic theory for Verilog essentially requires one to encode the state of the simulator in the syntax of terms. Part of this encoding is nowadays standard, for example the idea of encoding the store as a sequence of declarations. Encoding of other constructs required new innovations, while still others (e.g., continuous assignments) have resisted encoding outright.

Second, the complexity of the simulation cycle motivates the introduction of state-space syntax to conveniently express the state of the simulator. This situation is not uncommon: for example, one might introduce a let-notation to conveniently express the axioms of the call-by-need calculus, even though it is technically not necessary. Unlike the situation with the let-notation, which has a well-known expansion in the core language, our state-space syntax cannot be naively expanded to the core language without a proof obligation. This rigorous treatment of state-space syntax clarifies its role in the development of syntactic theories.

Finally, the complexity of the syntactic theory is such that only the most trivial examples can be simulated by hand. Xiao et al. have developed a tool that automatically generates a rewriting-based interpreter given a semantic description. We have used this tool to implement a correct-by-construction simulator for Verilog.

The remainder of the paper presents our theory in detail. The next section reviews related work, and the section after it introduces the syntax and informal semantics of our behavioral subset of Verilog. The following section introduces the state-space syntax in which the syntactic theory is expressed and develops the axioms needed to express the possible behaviors of Verilog simulators. Following this, we argue that state-space syntax is not mere notation: its introduction entails a proof obligation. Lastly, we discuss the automatic generation of a complete simulator from the axioms.
 Related Work
The style of semantic specification based on axioms and reductions was pioneered by Plotkin. The original work explained the semantics of two small pure functional languages, a call-by-value one and a call-by-name one. Since then the specification technique has been successfully applied to explain all sorts of language constructs, including assignments, jumps, and continuation-based control operators. Our current work extends this application to languages with threads, timing and event controls, and hardware-specific constructs like edges and non-blocking assignments.

Within industry there are two problems that drive much of the research into the semantics of Verilog and the related language VHDL: synthesis of low-level designs from high-level ones, and interoperability between Verilog and VHDL designs. There are operational semantic descriptions for Verilog and/or VHDL based on timed finite automata, higher order logic, abstract state machines, and various calculi. All of these define semantics for restricted subsets of the language, and with few exceptions the behavior of many constructs is idealized and not accurate with respect to the requirements of the LRM.

Axiomatic specification of hardware description languages is relatively new, although Hua and Zhang do describe an axiomatic semantics for a subset of the experimental Iowa Logic Specification Language.

Many of the subtleties of the Verilog language represented in our semantics are described informally in Gordon's Semantic Challenge paper. For the most part we follow his description, but for certain constructs we have found it necessary to depart from his interpretation.

An earlier version of this work is available as a technical report. A second report, detailing the most recent state of our work, is in preparation.
 Behavioral Verilog
In the full language, a Verilog program is a collection of one or more modules. Modules bear an intuitive resemblance to classes from object-oriented languages, but their bodies consist primarily of a collection of procedural statements (threads) and instantiations of other modules. A module body can also model wiring connections in the form of assign statements (continuous assignments) or with a list of parameters (port list) to which variables are supplied as arguments for each instantiation. All threads and continuous assignments in each instantiated module are considered to run concurrently. In every Verilog program one of the modules is declared without a port list and is considered to be at the top level. All other declared modules are simulated in terms of this top-level behavior, according to how they are instantiated.

Here we limit our formal description to a core subset of Verilog consisting only of behavioral elements. These are the constructs, drawn from ordinary procedural languages, that are relevant to simulating designs at a high level of abstraction. We consider only Verilog programs consisting of a single top-level module, excluding continuous assignments, variables of wire type, and module instantiations.

FiskioLasseter and Sabry
 Syntax and Informal Semantics
The syntax of programs, threads, statements, expressions, and timing controls is:
programs P
v
 module m d
v
t
v

endmodule
declarations d
v
 j reg v d
v
j event u d
v
threads t
v
 always s j initial s
statements s  j ve j vc e j ve j vc e j u
j forever s j while e s j c s j s s
j if e s j if e s else s
timing control c  g j e
guards g  v j u j posedge v j negedge v j g or g
expressions e  v jn j uop e j e bop e j ee	e
The value contained in a register is either a number, x (unknown value), or z (high impedance). An event declaration introduces a name that can be used to communicate among threads. Such a variable can be triggered (-> u) but holds no data. We use v to range over reg variables, u to range over event variables, and n to range over {Z ∪ {x, z}}. We also use uop and bop to range over the unary and binary operators in Verilog.

Expressions and some of the statements should look familiar to C programmers. Indeed, the semantics of familiar statements like conditionals and loops is the expected one.

The remaining constructs are specific to Verilog and are described in terms of the simulation cycle of programs. Initially, all threads in the program are active and can be executed concurrently. The statement in an initial thread is run exactly once, whereas the statement in an always thread is repeatedly evaluated. Within each active thread, the execution of statements proceeds sequentially (we ignore Verilog's fork/join construct) until the next timing control.

In addition to ordinary assignments of the form v = e (blocking assignment), Verilog also supports the unusual non-blocking assignment of the form v <= e. The effect of this assignment is to evaluate e immediately, resulting in some value n. Unlike a blocking assignment, the variable v is not assigned the value n immediately. Rather, all such updates are scheduled to execute at the end of the current simulation cycle, in the order in which the original non-blocking assignments occur. Meanwhile, execution of the rest of the thread proceeds without interruption, using the value of v before the non-blocking assignment. Note that a blocking assignment to v later in the thread body will be overwritten by the non-blocking update at the end of the cycle.

If the execution of a thread encounters an event control @g, it is immediately blocked until the specified event g occurs. The possible events are either explicit signals of the form -> u or changes in the value of a variable (edges). Guards of the form posedge v, negedge v, and v will fire on rising edges, falling edges, or any edge, respectively, as soon as v changes value; those of the form u will fire as soon as the corresponding event trigger occurs. A guarded thread can become active during any phase of the cycle, depending on when its guarded-upon event happens.

With an explicit delay #e, execution of a thread is suspended for e cycles. At the end of a cycle (i.e., after the non-blocking updates), the simulation clock advances to the time of the earliest scheduled delayed thread, which is then made active. The peculiar case of a thread blocked by #0 is also allowed. Such threads, called inactive or delayed, are suspended until a later point in the current cycle: after all the other active threads have finished or blocked, but before any pending non-blocking updates.

Both forms of timing control may also be used in intra-assignment delays, of the form v = c e or v <= c e. In blocking assignments, e is immediately evaluated to get a number n. The thread is then blocked according to the evaluation of c; when it is released, v will immediately be updated with the value n. Non-blocking assignment with delay is similar, except that execution of the thread continues uninterrupted, with a non-blocking assignment of n to v scheduled according to the specified timing control.
 Behavioral vs Structural Verilog
Although it is not part of our theory, Verilog also includes a set of low-level constructs which model hardware elements directly. This structural subset includes continuous assignments and port connections, but also includes constructs for modelling elements as primitive as transistors. It is at least as rich as the behavioral subset, but the behavior of the constructs and their applications are fundamentally different. In particular, the structural subset contains no notion of procedural control.

Consider, for example, a behavioral model of an ordinary SR latch:
module beh_sr_test;
  reg q, r, s;
  always @(q or r or s)
    if (r) q = 0; else q = s | q;



endmodule
A similar, although not identical, structural implementation might be:
module struc_sr_test;
  wire q; reg r, s;
assign q  r j s j q



endmodule
The main semantic difference between the two implementations is that the blocking assignment in the behavioral implementation happens only when this statement is reached during the flow of control. By contrast, the assign is considered to execute constantly; the notion of sequential control does not apply. At every moment, the value of q is the value at that moment of the right-hand side.

As an aside, our semantics can in fact handle many Verilog programs with module instantiations, wire variables, and continuous assignment. In many cases such elements can be eliminated by performing an inlining transformation. Such a transformation works by using renaming to declare all variables at top level and then applying expression substitution to collapse all modules into the top level and eliminate all module instantiations, port connections, and wire variables. Because of the presence of run-time variable allocation, such a transformation would be unsound in most languages, of course. Felicitously, Verilog lacks any form of recursion or even dynamic memory allocation. All variables are static, and hence it is always possible to determine the space requirements of a program at compile time.
 Syntactic Theory
We will explain the semantics of Verilog using a syntactic theory that consists of axioms, or rewriting rules, that relate Verilog programs to other Verilog programs. In doing so, we must represent not only sequential control and memory but also the state of the discrete event queue as the simulation cycle progresses. Although it is possible to use Verilog syntax during the development of the theory, we find it much more convenient to use a syntax in which we can cleanly represent the state space.
 State-Space Syntax
The state-space language, which we will call V_s, uses the same definitions of statements, declarations, expressions, and timing controls as those defined for Verilog, but makes the store and the state of each thread explicit.
programs P
s
 d
v
m

fgm

f

g t
s

nbufg
elementary store   j vn 
augmented store 

  j

u
nbu elements   j vn 
threads t
s
 atfsg j zdfsg j fgfg sg
j fdfn sg  n  	
Each thread is annotated with a tag describing whether it is active (at), zero-delayed (zd), future guarded (fg), i.e., suspended at a guard, or future delayed (fd). The scheduled non-blocking updates are also explicitly described using the tag nbu. Finally, the state-space syntax includes not one but two copies
of the store m

and m

 The set  must consist of exactly one assignment to
a reg variable v
i
 for each declared v
i
in P
s
 If for example P
s
contains k
declared reg variables  must be of the form v

n

    v
k
n
k


FiskioLasseter and Sabry
Each axiom in the theory relates two syntactic constructs by the equivalence relation
ax
 Although this relation is symmetric, each axiom is in practice used to rewrite the left-hand side of the equation to the form on the right. We identify terms modulo bound variables, and we assume that free and bound variables do not interfere in definitions or theorems. In other words, we work with the quotient under equivalence.

Since the axioms are going to be expressed using the state-space syntax, we must transform a Verilog program to V_s before evaluating it. This step is straightforward: initially the store contents are uninitialized, there are no pending updates, and every thread is marked active. Hence the mapping from Verilog to state-space is:
S  P
v
 P
s
S
d
 d
v
 d
v
S
t
 t
v
 t
s
Smodule m d
v
t
v
n
endmodule
 S
d
d
v
 S
t
t
v

n
nbuf g
S
d
reg v

     v
k
 event u

     u
k


 reg v

     v
k
 event u

     u
k


m

fv

x    v
k
xg m

fv

x    v
k
xg
S
t
always s  atfforever sg
S
t
initial s  atfsg
The x on the right hand side of each assignment in m

and m

corresponds to the unknown value in Verilog. For a Verilog procedural block (thread) t_v, t_v^n denotes the occurrence of n consecutive, not necessarily identical, t_v.
	 Axioms for Simple Constructs
As with most languages, the ordinary procedural constructs in Verilog are easy to describe in an axiomatic fashion, because they have no global effects. They are described here by the following axioms, which can be applied in any context:
ax uop uop n 
ax


uop n  if dened
ax bop n

bop n


ax


bop n

 n

  if dened
ax cond true ne

	e


ax
e

 if n f
  x zg
ax cond unk ne

	e


ax


e

 e

  if nfx zg
ax cond false 	e

	e


ax
e

ax if true if n s 
ax
s  if n f
  x zg
ax if false if n s 
ax
skip  if nf
  x zg
ax ifelse true if n s

else s


ax
s

 if n f
  x zg
ax ifelse false if n s

else s


ax
s

 if nf
  x zg

FiskioLasseter and Sabry
ax forever forever s 
ax
while  s
ax while while e s 
ax
ife begin s while e s end
ax cba x below
Following tradition, we use the functions

and 

to abstract the semantics of
the built-in unary and binary operators.
 Similarly

abstracts the rather
complicated evaluation of ambiguous conditional expressions.

	 Evaluation Contexts
The remaining constructs included in our semantics require a little more sophistication. These have global effects, either on the store, the simulation cycle, or both. They must therefore be performed in a certain order and, in some cases, only at certain points in the simulation cycle. Such constraints can be specified syntactically using evaluation contexts:

expressions E   
 j uop E j E bop e jn bop E j Ee	e
statements S  if E s j if E s else s j vE j vE
j vc E j vc E j S s j E s
guards G   
 j G or g j g or G
memory lookup M   
 jM vn jM u
thread selection T   
 j t
s
T j T t
s
programs P  d
v
m

fgm

f

g T nbufg
programs P

 d
v
 
 nbufg
programs P

 d
v
m

fg  
 nbufg
The contexts for expressions and statements have fairly ordinary definitions. Intra-assignment timing controls (statements of the form v = c e or v <= c e) are similarly uneventful, although the reader should note that we require evaluation of the right-hand side before that of the timing control. The contexts for guards, memory lookup, and thread selection allow for nondeterministic ordering.

The three program contexts are used primarily to shorten many of our axioms. They are used almost everywhere, but the most straightforward applications are in a pair of housekeeping axioms, which are useful for garbage collection and rearranging the source code ordering of threads:
ax tgc Patfg
 
ax
P 

ax ord Pt
s

t
s


 
ax
Pt
s

t
s



The purpose of ax tgc should be clear. Axiom ax ord allows us to prove the equivalence of two programs that differ only in the source-code ordering of their threads. This irrelevance of thread ordering is also implied by the nondeterministic selection of any thread in a context T.
		 Assignments Revisited
To axiomatize assignments, we extend a technique introduced by Boehm that uses a sequential block at the beginning of the program to represent the store. This block consists of a sequence of assignments to constants representing the most recently assigned values, one for each declared variable in the program.

Because the evaluation of Verilog programs needs to detect edges (changes in the store), we keep two copies of the store, m

and m

 In this scheme m

is used to represent the most recently assigned value to a variable. The value
held by that variable just before the assignment is kept in m

 The dierence
in assignments corresponds to the edge
We also use the store to keep track of event triggers when one occurs we
just add it to m

 deleting it entirely after its effects have been applied.
With these techniques in place, we have four axioms that involve the store:
ax block assign P

 m

fMvn


g m

fMvn


g T atfvn

 sg
 


ax
P

 m

fMvn


g m

fMvn


g T atfsg
 

ax lookup P

 m

fMvn
g T atfSv
g
 


ax
P

 m

fMvn
g T atfSn
g
 

ax event trig P

 m

f

g T atfu sg
 


ax
P

 m

f

ug T atfsg
 

ax nb assign d
v
m

fg m

f

g T atfvnsg
 nbufg

ax
d
v
m

fg m

f

g T atfsg
 nbuf vng
The requirement in ax block assign that v be the same in both m

and m

ie no edges are present on v arises from the task of guaranteeing correct
event control release In particular it ensures that we can only cancel an edge
under certain conditions section  On the other hand the consistency
requirement on v is relaxed for ax lookup since expressions cannot cause
sideeects in our subset of Verilog Of course we would have to change this
in a complete implementation
For both ax event trig and ax nb assign consistency of m

and m

is
not relevant: non-blocking assignments have no immediate effect on the store,
and the occurrence of an event trigger does not wipe out other signals already
in m


Note further that the usual way of representing the store is to keep a list of every assignment, using only the most recent one. In the present work, however, we have chosen to keep only the most recent value. Now, for blocking assignments this is an optimization which is clearly equivalent in behavior. On the other hand, the same optimization cannot be used with non-blocking assignment: every scheduled update must execute. This is so because a non-blocking update can itself trigger an event-controlled thread, even if the update is immediately overwritten.
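
Why every scheduled non-blocking update has to run, as an added Python sketch (not code from the paper or from its generated simulator). The names `lsb`, `edge_kind`, `run_cycle` and the `collapse` flag are hypothetical, and the treatment of x and z in `edge_kind` follows the usual Verilog edge table, which is an assumption here.

```python
# Added illustration, not the paper's axioms: a toy model of one simulation
# cycle for a single straight-line thread. Assumed representation: the store
# is a dict, values are ints or the strings "x"/"z", and a statement is
# (op, var, rhs) with op "=" or "<=" and rhs a function of the store.

def lsb(n):
    """Low-order bit of a value; x and z stand for themselves."""
    return n if n in ("x", "z") else n & 1


def edge_kind(old, new):
    """Which guards a change from old to new can release (low-order bit only)."""
    a, b = lsb(old), lsb(new)
    if a == b:
        return None            # no visible edge, even if the upper bits differ
    if a == 0 or b == 1:
        return "posedge"       # releases posedge v and plain v
    if a == 1 or b == 0:
        return "negedge"       # releases negedge v and plain v
    return "edge"              # x <-> z: releases only the plain guard v


def run_cycle(store, stmts, collapse=False):
    """Execute stmts, then the scheduled non-blocking updates.

    collapse=True models the unsound shortcut of keeping only the last
    scheduled value per variable. Returns (final store, observed edges).
    """
    cur = dict(store)
    edges, nbu = [], []

    def write(var, val):
        prev = cur[var]                   # value just before the assignment
        cur[var] = val                    # most recently assigned value
        kind = edge_kind(prev, val)
        if kind:
            edges.append((var, kind))

    for op, var, rhs in stmts:
        val = rhs(cur)                    # right-hand side is evaluated now
        if op == "=":
            write(var, val)               # blocking: visible immediately
        else:
            nbu.append((var, val))        # non-blocking: queued in order
    if collapse:
        nbu = list(dict(nbu).items())     # last value per variable only
    for var, val in nbu:                  # end of cycle, in program order
        write(var, val)
    return cur, edges
```

With `clk <= 1; clk <= 0` starting from 0, the full queue yields a rising and a falling edge that a guarded thread could release on, while the collapsed queue yields none although the final store is the same.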
Finally note that the value of an expression in a certain state is not neces
sarily welldened Axiom ax lookup applies only to a single lookup it does

FiskioLasseter and Sabry
not specify that the entire expression be evaluated As a result our semantics
supports full interleaving of statements and expression evaluation as required
by the LRM  x

	 Delay and IntraAssignment Timing Control
Blocking of a thread on an explicit delay is easy to formalize involving only
a relabelling of the threads status in the simulator
ax del block Patfn sg
 
ax
Pfdfn sg
  if n  	
ax zd block Patf	 sg
 
ax
Pzdfsg

It is important to distinguish zero-valued delays (#0 delay) from ordinary nonzero ones. Whereas ordinary delayed threads (fd) release during a strictly later simulation cycle, zero-delayed threads (zd) must execute in the current one. Note that in ax del block the delay value n remains unchanged, whereas the #0 is deleted in ax zd block. This is a somewhat arbitrary choice, dictated by ease of representation in the concrete syntax.

Intra-assignment timing controls are also quite simple:
ax cba vc n 
ax
c v  n
ax cnba Patfvc n sg
 
ax
Patfsg atfc vng

The rewrite of a non-blocking assignment with timing control as a new thread corresponds to one of the LRM's more quirky requirements. When two non-blocking assignments are performed in sequence without intra-assignment timing, the order of the scheduled updates is guaranteed. With these timing controls, however, the order of the updates at the scheduled time unit is nondeterministic.

 Synchronization Controls
The behavior of event-control based blocking and release includes a context-sensitive property. In particular, the LRM allows event control constructs to include variables with arbitrarily large bit-widths, but only defines behavior on the low-order bit. For this purpose we use the lsb function, which returns the value of the least significant bit of its argument.
ax guard block
P

 m

f

g m

f

g T atfg sg
 


ax
P

 m

f

g m

f

g T fgfg sg
 

 if 

 

ax posedge re
P

 m

fMv  n


g m

fMv  n


g T fgfGposedge v
 sg
 


ax
P

 m

fMv  n


g m

fMv  n


g T atfsg
 

 if lsbn

    lsbn

   or lsbn

  	  lsbn

  	
	
FiskioLasseter and Sabry
ax negedge re
P

 m

fMv  n


g m

fMv  n


g T fgfGnegedge v
 sg
 


ax
P

 m

fMv  n


g m

fMv  n


g T atfsg
 

 if lsbn

  	  lsbn

  	 or lsbn

    lsbn

  
ax edge re
P

 m

fMv  n


g m

fMv  n


g T fgfGv
 sg
 


ax
P

 m

fMv  n


g m

fMv  n


g T atfsg
 

 if lsbn

  lsbn


ax event re
P

 m

fMu
g T fgfGu
 sg
 


ax
P

 m

fMu
g T atfsg
 

The requirement in ax guard block that both m

and m

contain an identical  is important. The two copies of memory must be consistent before we can allow guards to block. If we allowed any edges to be present in memory, then it would be possible for a guard to release on an event or edge that occurred before the guard itself blocks.

In previous work, guarded threads were defined to release as delayed, not active. This semantics was taken from Gordon's paper and appears to represent the behavior of most leading implementations. The LRM, however, does not specify this detail, and in the present work a release to active (at) status is defined. It is thus possible for a thread to block and release within the same active threads phase of a cycle. This interpretation seems justified given the presence, in principle, of full interleaving: releasing a guarded thread as zd would leave us with no direct support for thread synchronization within a single
	 Global Store Axioms
The denitions of assignment lookup and signals  involve only proper
ties of the store itself Other operations on the storenamely the clearing of
existing edges between m

and m

can only be applied under certain complicated side conditions. In particular, we must take care never to clear an edge or signal until every blocked thread that can release on this event does so.

ax posedge clear
P

 m

fMvn


g m

fMvn


g t
s




ax
P

 m

fMvn


g m

fMvn


g t
s



 if both of the following hold 
 lsbn

    lsbn

   or lsbn

  	  lsbn

  	
 there is no thread t
s
of the form
fgfGv
 sg or fgfGposedge v
 sg

FiskioLasseter and Sabry
ax negedge clear
P

 m

fMvn


g m

fMvn


g t
s




ax
P

 m

fMvn


g m

fMvn


g t
s



 if both of the following hold 
 lsbn

  	  lsbn

  	 or lsbn

    lsbn

  
 there is no thread t
s
of the form
fgfGv
 sg or fgfGnegedge v
 sg
ax event clear
P

 m

fMu
g t
s


 
ax
P

 m

fM 
g t
s



 if there is no thread t
s
of the form
fgfGu
 sg
ax bogus edge
P

 m

fMvn


g m

fMvn


g t
s




ax
P

 m

fMvn


g m

fMvn


g t
s



 if n

 n

 but lsbn

  lsbn


	 Global Simulation Axioms
Finally we must dene the advance of the simulation clock itself There
are three ways in which the simulation cycle advances execution of the 
delayed threads execution of the scheduled nonblocking updates and ad
vancement to the time of the earliest scheduled nonzero delay Note that both
ax zd release and ax del release must be applied to every zd fd More
over axioms ax del release and ax nbu exec require nontrivial transfor
mation of the thread bodies according to the schema specied
ax zd release
d
v
m

f

g m

f

g fgfsg

fdfsg

zd

fsg    zd
n
fsg nbufg

ax
d
v
m

f

g m

f

g fgfsg

fdfsg

at

fsg    at
n
fsg nbufg
 if 

 

ax del release
d
v
m

f

g m

f

g fgfsg

fd

fsg    fd
n
fsg nbuf g

ax
d
v
m

f

g m

f

g fgfsg

at

fs

g    at
n
fs

g nbuf g
 if 

 

 and
 each fd
i
fsg is transformed to a corresponding at
i
fs

g
according to the schema 
fdfn sg  atfn  sg if n  
fdf sg  atfsg

FiskioLasseter and Sabry
ax nbu exec
d
v
m

f

g m

f

g fgfsg

fdfsg

nbufg

ax
d
v
m

f

g m

f

g fgfsg

fdfsg

atf

g nbuf g
 if 

 

 and
 each nonblocking assignment in  is transformed to a
blocking assignment in 

 according to the schema 
vn  vn
Here the consistency requirement on 

and 

 in combination with the
axioms in  ensures that we do not advance the clock when there are still
blocked threads that should release and execute first.
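
The priority among the three global steps, as an added Python sketch (not the paper's theory or the simulator derived from it). The names `advance`, `phase_trace` and `edges_pending`, the tuple encoding of threads, and the shortcut of treating every active thread as finishing immediately are assumptions made for this illustration.

```python
# Added illustration, not the paper's axioms: the order in which the three
# global steps may fire. Assumed representation: a thread is (tag, delay, body)
# with tag in {"at", "zd", "fg", "fd"}; nbu is a list of (var, value) pairs.

def advance(threads, nbu, now, edges_pending=False):
    """Apply the one global step that is enabled; return (rule, threads, nbu, now)."""
    tags = {tag for tag, _, _ in threads}
    if edges_pending or "at" in tags:
        # Guards may still release, or active threads still have work to do.
        return None, threads, nbu, now
    if "zd" in tags:
        # Zero-delay release: every zd thread becomes active in this cycle.
        out = [("at", 0, b) if tag == "zd" else (tag, d, b) for tag, d, b in threads]
        return "zd_release", out, nbu, now
    if nbu:
        # Scheduled updates run as one new active thread of blocking assignments.
        body = [("=", var, val) for var, val in nbu]
        return "nbu_exec", threads + [("at", 0, body)], [], now
    delays = [d for tag, d, _ in threads if tag == "fd"]
    if delays:
        # Clock advance: jump to the earliest delay k. The page's schema releases
        # every fd thread with n - k left over; this model folds in the immediate
        # re-blocking of those with n > k and keeps them tagged fd.
        k = min(delays)
        out = []
        for tag, d, b in threads:
            if tag == "fd":
                out.append(("at", 0, b) if d == k else ("fd", d - k, b))
            else:
                out.append((tag, d, b))
        return "del_release", out, nbu, now + k
    return None, threads, nbu, now        # only guarded threads remain


def phase_trace(threads, nbu):
    """Run to quiescence, treating each active thread as finishing at once."""
    now, log = 0, []
    while True:
        threads = [t for t in threads if t[0] != "at"]   # finished, collected
        rule, threads, nbu, now = advance(threads, nbu, now)
        if rule is None:
            return log, threads
        log.append((rule, now))
```

Starting from one zero-delayed thread, two delayed threads, one guarded thread and one pending update, the trace shows zero-delay release, then the non-blocking updates, and only then the clock moving forward.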
 Formalizing the Relationship Between Verilog and State-Space Syntax
We have proposed a number of axioms to explain the semantics of Verilog. These axioms are expressed in the state-space syntax V_s, which we claim is only for convenience: it is possible to express arbitrary V_s programs in Verilog syntax. We now make precise the correspondence between Verilog and V_s.
 From State-Space to Verilog
The critical property of a V_s program is the explicit representation of both the store and the simulation cycle. By tagging each thread with its execution status, it is easy to enforce the order implied by the simulation model. The translation to Verilog uses delays and guards to enforce this ordering:
V  P
s
 P
v
V
d
 d
v
 u  d
v
V
m

 m

fg  t
v
V
m

 m

f

g  u  t
v
V
t
 t
s
 u  t
v
V
n
 nbufg  t
v
V d
v
m

fg m

f

g t
s
n
nbufg
 module m V
d
d
v
  V
m

m

fg V
m

m

f

g 
V
t
t
s
 
n
V
n
nbufg
endmodule
 where   d
v
V
d
d
v
   d
v
event 
V
m

m

fg  initial 
V
m

m

f

g   initial 		 begin 

 end
V
t
atfsg   initial  s
V
t
zdfsg   initial 	 s
V
t
fdfsg   initial s
V
t
fgfsg   initial 	 s
V
n
nbufg  initial 
This translation ensures an ordering among the threads corresponding to that required by the standard. The idea here is to ensure that the contents of memory are updated appropriately and that every non-active thread is first scheduled to the appropriate phase of the cycle; all of this must be done before the active threads can execute.

To accomplish this, the initialization of the first copy of the store, the future-delayed statements, and the non-blocking updates must be executed first. Note that the execution of the future-delayed statements just causes the statements to be scheduled later, and the execution of the non-blocking updates just causes the assignments to be scheduled later. Next, the threads with a #0 delay are allowed to run; these include all the future-guarded threads. Again, the execution of these threads blocks immediately. Finally, the initialization of the second copy of the store can be executed, which triggers the added event, enabling the remaining threads.
The addition of the  event trigger to m and of  to the bodies of active and delayed threads is a change from previous work. It arises from the requirements of capturing edges in the state as represented in . Any edges that exist in  correspond to event triggers and assignments that occurred within the current . In other words, these are the results of statements from threads which were executing concurrently with the current ats and were nondeterministically selected first.
 Correctness
Our translation from statespace syntax to Verilog uses delays and guards
judiciously to enforce ordering constraints on the execution of threads The
complexity of the translation however raises the question of its correctness
Intuitively the problem could be that our translations to and from state
space syntax are not consistent with the axioms Another way to look at the
problem is that the axioms are expressed on equivalence classes of terms that
are identied by the translations to and from statespace syntax But if two
dierent representatives of the equivalence class were equal to two terms in
dierent equivalence classes our theory would be inconsistent
Formally we need to prove that the translations to and from statespace
syntax yield provably equal terms In fact this is a special case of an equa
tional correspondence which is the standard way of relating two syntactic
theories 
 To see this let 	
v
be the syntactic theory for Verilog and let
	
s
be the syntactic theory for V
s
 Let P
v
and P
v

be programs in Verilog P
s
and P
s

programs in V
s
 and dene S and V as above
Theorem. There is an equational correspondence between  _v and  _s. In other words:
(i)  _s  SV P_s  _ax  P_s
(ii)  _v  V SP_v  _ax  P_v
(iii)  _s  P_s  _ax  P_s    _v  V P_s  _ax  V P_s
(iv)  _v  P_v  _ax  P_v    _s  SP_v  _ax  SP_v
Before discussing the proofs, observe that  _s is just the set of axioms given in this paper for V_s. But V_s itself is considered a mere notational device for Verilog. Thus the syntactic theory for Verilog,  _v, is defined in terms of  _s:
 _v  P_v  _ax  P_v  if  _s  SP_v  _ax  SP_v
The result is that our proof burden is greatly simplified. Statement (iv) becomes trivially true, for example. Further, the task of proving statements (i)-(iii) collapses into a proof of (i) only.
Proof outline of i
We let P
s
 d
v
m

fg m

f

g t
s
n
nbufg be a program in V
s
 Without loss
of generality we can assume that t
s
n
 atfsg
p
zdfsg
q
fdfn sg
r
fgfg sg
s

where n  p q  r  s otherwise we can apply ax ord to reorder the
source code The proof then proceeds by giving the construction of deriva
tions by which both S V P
s
 and P
s
are rewritten to a common term P
s


Intuitively this derivation corresponds to an execution of SV P
s
 that re
stores the state of each thread

Once this is in place ii is established as an immediate consequence of
i In fact i also implies iii
Proof of (iii).
By definition, this is the same as
 _s  P_s  _ax  P_s    _s  SV P_s  _ax  SV P_s
We suppose that  _s  P_s  _ax  P_s according to some derivation D. By (i), we also have derivations D and D, which prove P_s  _ax  SV P_s and P_s  _ax  SV P_s, respectively. The conclusion then follows from D, D, D and the symmetry and transitivity of  _ax.
 Automatic Generation of a Verilog Simulator
The syntactic approach to operational specification suffers a disadvantage from the complexity of the resulting derivations needed to express a program's behavior. In our theory, the evaluation of even trivial programs requires very lengthy rewrites; the proof of  (i) itself runs to five pages. From a pragmatic standpoint, manual evaluation of a real program is therefore impossible; some form of automatic support is essential.
To this end, we have input our theory to a tool that generates a syntactic term-rewriting machine from a given specification. We found that the implementation of the theory required the addition of a few simple CAML functions to implement the context-sensitive side-conditions. Further, the resulting term-rewriting machine had a tendency to apply ax ord in an apparently endless loop, and we therefore found it necessary to direct the machine's proof strategy away from this axiom.
Otherwise, the implementation was almost perfectly straightforward, resulting in a correct-by-construction simulator that was completed and debugged in less than three days' time.
 Conclusion
With some extensions to existing operational specification techniques, we have constructed a syntactic theory for a substantial portion of the behavioral subset of Verilog, including an explicit description of its standard discrete event model. In the process, our work clarifies the nature of an established informal practice in the construction of syntactic theories, namely the use of an abstract state-space syntax. The consistency of a state-space syntax with the syntactic theory entails a proof obligation which, for industrial languages, is likely to be nontrivial. We have shown, however, that this obligation is just a special case of an equational correspondence proof.
There remain certain Verilog constructs which have thus far defied attempts at encoding. In particular, we have not yet found any axiomatic description of Verilog's low-level structural subset. This includes the wire data structure and certain hardware-like behaviors such as continuous assignment and inertial delay. The main obstacle seems to be the lack of an effective way to represent state in a program which includes wire variables. Consider, for example, the struc sr test example from section  and the pseudocode resulting from the transformation V  S:
module struc sr test
wire q reg r  s event 
initial begin q  x s  x r  x end
initial 		 begin q  x s  x r  x  end
assign q  r j s j q



initial  no pending nb updates
endmodule
This illustrates two problems. The first is that the traditional representation of state by a sequence of assignments cannot be used with variables of wire type. Procedural assignments are only allowed to reg variables; the statement q = x is an error. On the other hand, one cannot simply eliminate q by substituting with the RHS of the continuous assignment, as this would result in an infinite expansion. A satisfactory theory for constructs such as this remains an open problem.
Even more interesting is the challenge of relating such a theory with the existing description for behavioral Verilog. A solution to this would be of serious interest within industry, as it would provide a method of correct-by-construction synthesis of circuitry from high-level specifications.
In some cases we have purposefully excluded certain behavioral constructs. For example, the full language specification allows event controls to guard on arbitrary expressions. By contrast, we have chosen to restrict the allowable controls to single variables only. With the introduction of arbitrary guard expressions, the LRM requirements of full statement-expression interleaving and guaranteed event control release are mutually exclusive: it is not possible to guarantee event control release on an expression that can change value in the middle of its evaluation.
Finally, the most immediate task that remains in our work is the proof of several meta-properties about our theory. We have not yet shown the consistency of the axioms, nor any normalization properties. Given their complexity, we suspect that some form of automatic support will be required for this.
References
 Ariola Z M and Felleisen M The callbyneed lambda calculus J
Functional Programming  	 


 Ariola Z M Felleisen M Maraist J Odersky M and Wadler P A
callbyneed lambda calculus In the ACM SIGPLANSIGACT Symposium on
Principles of Programming Languages 

 ACM Pr New York pp 		

	 Barendregt H P The Lambda Calculus Its Syntax and Semantics
revised ed vol 	 of Studies in Logic and the Foundations of Mathematics
Elsevier Science Publishers BV Amsterdam 

 Boehm H Side eects and aliasing can have simple axiomatic descriptions
ACM Transactions on Programming Languages and Systems   October

 	
 Cheng S and Brayton R Synthesizing multiphase HDL programs In 	
IEEE International Verilog HDL Conference Washington 

 IEEE Press
pp 
 Cheng S Brayton R York G Yelick K and Saldanha A Compiling
Verilog into timed nite state machines In 
 IEEE International Verilog
HDL Conference Washington 

 IEEE Press pp 		

 Curry H B and Feys R Combinatory Logic Volume I NorthHolland
Amsterdam 

 Felleisen M and Hieb R The revised report on the syntactic theories of
sequential control and state Theoret Comput Sci  

 	 Tech
Rep 
 Rice University

 FiskioLasseter J A formal description of behavioral Verilog based on
axiomatic semantics MSc Thesis Department of Computer and Information
Science University of Oregon 

 Tech Rep CISTR


FiskioLasseter and Sabry
 Gordon M The semantic challenge of Verilog HDL In the IEEE Symposium
on Logic in Computer Science June 

 IEEE Computer Society Press Los
Alamitos Calif Revised version available as of 

 on the WorldWide
Web at http	

wwwclcamuk
users
mjcg
Verilog
VpsZ
 Gordon M and Ghosh A Language independent RTL Semantics
Unpublished manuscript available as of 

 on the WorldWide Web
at http	

wwwclcamuk
users
mjcg
Verilog
V
Vhtml 


 Hua X and Zhang H Axiomatic semantics of a hardware specication
language In Second Great Lakes Symposium on VLSI Los Alamitos CA


 IEEE Press pp 	

	 IEEE Ed Standard Hardware Description Language Based on the Verilog
Hardware Description Language IEEE Computer Society Press Los Alamitos
Calif 

 IEEE Standard 	


 Mason I and Talcott C L Equivalence in functional languages with eects
J Functional Programming  	 July 

 	
 Pace G and He J Formal Reasoning with Verilog HDL In Workshop
on Formal Techniques for Hardware and Hardwarelike Systems Marstrand
Sweden June 


 Plotkin G D Callbyname callbyvalue and the calculus Theoret
Comput Sci  
 

 Sabry A and Felleisen M Reasoning about programs in continuation
passing style Lisp Symbol Comput 	 	 

	 
	 Also in the ACM
Conference on Lisp and Functional Programming 

 and Tech Rep 

Rice University
 Sasaki H A formal semantics for VerilogVHDL simulation interoperability by
abstract state machine In Design Automation and Test in Europe DATE



 pp 			

 Talcott C L The Essence of RumA Theory of the Intensional
and Extensional Aspects of LispType Computation PhD thesis Stanford
University 

 Van Tassel J P A formalisation of the VHDL simulation cycle In Higher
Order Logic Theorem Proving and its Applications NorthHolland 

	
L Claesen and M Gordon Eds Elsevier Science Publishers BV pp 	

	
 Xiao Y Mauny M Remy D and Leroy X A prototype of compiling
semantics Unpublished manuscript 




