Formal verification of an OCCAM-to-FPGA compiler and its generated logic circuits by Pizarro De La Iglesia, D
Formal Verification of an OCCAM-to- 
FPGA Compiler and its Generated Logic 
Circuits 
D. Pizarro De La Iglesia 
Submitted for the Degree of 
Doctor of Philosophy 
from the 
University of Surrey 
UNIVERSITY OF 
SURREY 
Department of Computing 
Faculty of Engineering and Physical Sciences 
University of Surrey 
Guildford, Surrey GU2 7XH, UK 
July 2009 
© D. Pizarro De La Iglesia 2009 
Abstract 
As custom logic circuits (e. g. field-programmable gate arrays, or FPGAs) have become 
larger, the limitations of conventional design flows have become more apparent. For large 
designs, verification by simulation is now impractical. 
One solution to this challenge is hardware/software co-design, in which the desired logic 
is specified using a high-level, or programming, approach. Here, the requirements are to 
incorporate the parallelism from the original specification, as well as to accommodate 
greater complexity through various abstraction techniques. Verification may be achieved 
by simulation at an algorithmic level, or by formal proofs. However, verification by a 
particular circuit runs into difficulties of state-space explosion in a state-based model- 
checking scheme. 
The research that is reported in this thesis has addressed the formal verification of a 
compiler that generates FPGA circuits. Rather than proving the correctness of every 
circuit generated by a compiler, the approach has been to validate the behaviour of the 
compiler itself. The source language that has been used is a variant of OCCAM, which 
incorporates fine-grained parallelism and message-passing along channels between 
parallel processes. The syntax of an OCCAM program can be mapped onto an abstract 
syntax tree, and each component of this tree can then be mapped into hardware. It is then 
necessary to prove that the hardware for each component correctly implements its 
specification, which can be performed by specifying each in CSP and model-checking 
them to check for equivalence. The components must also be proved to compose 
correctly, so that they may be plugged together in any way that satisfies the syntax of the 
source language. Finally, the correct composition of components is enforced by the type- 
checking of the compiler itself, using Java classes and inheritance to ensure that the CSP 
for each of the components being checked is manufactured within the same Java methods 
that create the hardware circuits. 
The thesis discusses the proof strategy and shows how correctness can be justified. It 
concludes with some examples of simple OCCAM programs that have been translated 
into hardware and executed on real FPGA devices, correctly at the first attempt. 
Contents 
Abstract ................................................................................................................................ ii 
Contents .............................................................................................................................. 
iii 
List of Figures ................................................................................................................... xvi 
List of Tables ................................................................................................................... xxv 
Acknowledgements ......................................................................................................... xxvi 
I Introduction ....................................................................................................................... 
I 
1.1 Thesis Contributions ................................................................................................ 
2 
1.2 Possible Utilisation .................................................................................................. 
3 
1.3 Thesis Outline .......................................................................................................... 
4 
2 Literature Review .............................................................................................................. 
8 
2.1 FPGA ....................................................................................................................... 
8 
2.1.1 Programming FPGAs ......................................................................................... 
8 
2.2 CSP .......................................................................................................................... 
8 
2.2.1 Processes and Events ......................................................................................... 
8 
2.2.2 External Choice: Determanistic Choice ............................................................. 
8 
2.2.3 Internal Choice: Non-determanistic Choice ....................................................... 
8 
2.2.4 Hiding ................................................................................................................ 8 
2.2.5 Boolean Guards .................................................................................................. 
8 
2.2.6 Let Within .......................................................................................................... 8 
2.2.7 Alphabetised Parallel ......................................................................................... 
8 
2.2.8 Shared Parallel ................................................................................................... 
8 
2.2.9 Interleaving ........................................................................................................ 
8 
2.2.10 Congruence & Monotonicity ............................................................................. 
8 
2.3 FDR .......................................................................................................................... 
8 
Contents 
2.4 OCCAM ................................................................................................................... 
8 
2.5 Clocked Logic .......................................................................................................... 8 
2.6 The 10-PAR Design Paradigm ................................................................................ 8 
2.7 SableCC ................................................................................................................... 
8 
2.8 Comparison with Related Work ............................................................................... 
8 
3 Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits ................... 8 
3.1 Modelling Logic Circuits ......................................................................................... 
8 
3.2 Modelling Logic Components ................................................................................. 8 
3.3 Why Use CSP? ......................................................................................................... 
8 
3.4 Component Models in CSP ...................................................................................... 
8 
3.5 Circuit Models in CSP ............................................................................................. 
8 
3.6 Proving the Logic Circuit is Equivalent to a Low Level Specification ................... 8 
3.6.1 Performance Problems: State Space Explosion ................................................. 
8 
3.6.2 Utilising CHASE to Achieve Viable Runtime Simulations .............................. 8 
3.6.3 Implementation & Model Simplification ........................................................... 
8 
3.7 Experimental Results ............................................................................................... 
8 
3.8 Conclusion ............................................................................................................... 
8 
4 Main Work ........................................................................................................................ 
8 
4.1 Premise for Work ..................................................................................................... 
8 
4.1.1 Implementation Implications of Premise ........................................................... 
8 
4.2 Assumptions made within the Compiler and Proof Strategy ................................... 8 
4.3 Project Overview ..................................................................................................... 
8 
4.4 Logic Component Representation ............................................................................ 
8 
4.4.1 Why Continue Using CSP? ................................................................................ 
8 
4.4.2 Design Considerations & Implications .............................................................. 
8 
4.4.2.1 Combinatorial Logic .................................................................................... 
8 
iv 
Contents 
4.4.2.2 Clocked Logic .............................................................................................. 8 
4.4.2.3 Adapting 10-PAR to OI-SEQ ...................................................................... 8 
4.5 Proof Framework ..................................................................................................... 8 
4.5.1 Appendix D Overview -A Single-Type Super-Type Component .................... 8 
4.5.2 Appendix E Overview -A Single-Type Implemented Component .................. 8 
4.5.3 Alternative Single-Type Component Models .................................................... 8 
4.5.4 Special Multi Type Components ....................................................................... 8 
4.6 Proof/Compiler Integration ...................................................................................... 8 
5 Results ............................................................................................................................... 8 
5.1 Example 1: Commstime - Version I ....................................................................... 8 
5.2 Example 2: Commstime - Version 2 ....................................................................... 8 
5.3 Example 3: A Digital Clock Displayed on an LCD ................................................. 8 
5.3.1 Main ................................................................................................................... 8 
5.3.2 LCD PowerOnlnit ............................................................................................. 
8 
5.3.3 LCD Nibble ....................................................................................................... 
8 
5.3.4 LCD_Delay ........................................................................................................ 
8 
5.3.5 LCD DisplayTime ............................................................................................. 
8 
5.3.6 DigitalClock ....................................................................................................... 
8 
5.3.7 DebounceHour and DebounceMin .................................................................... 8 
5.3.8 Compiling to Hardware ...................................................................................... 
8 
6 Future Work & Conclusion ............................................................................................... 
8 
Appendix A Other Preliminary Work ............................................................................. 
8 
A. 1 Occam Grammar Modifications .............................................................................. 8 
A. 2 AST Transformer Extensions .................................................................................. 
8 
A. 3 Graphical Circuit Visualiser .................................................................................... 8 
A. 3.1 Auto Layout Simplification ............................................................................... 8 
V 
Contents 
A. 3.1.1 Algorithm 1 ................................................................................................. 8 
A. 3.1.2 Algorithm 2 ................................................................................................. 8 
A. 4 Circuit Simulator ...................................................................................................... 8 
Appendix B Logic Component CSP Models for Preliminary Work .............................. 8 
B. 1 AND Gates ............................................................................................................... 8 
B. 1.1 AND Gate with 1-Input ..................................................................................... 8 
B. 1.2 AND Gate with 2-Inputs .................................................................................... 8 
B. 1.3 AND Gate N-Inputs ........................................................................................... 8 
B. 2 D-Type Flip-Flop ..................................................................................................... 8 
B. 3 GND ......................................................................................................................... 8 
B. 4 Inverter ..................................................................................................................... 8 
B. 5 OR Gates .................................................................................................................. 8 
B. 5.1 OR Gate with 1-Input ......................................................................................... 8 
B. 5.2 OR Gate with 2-Inputs ....................................................................................... 
8 
B. 5.3 OR Gate with N-Inputs ...................................................................................... 8 
B. 6 VCC ......................................................................................................................... 8 
B. 7 XOR Gates ............................................................................................................... 8 
B. 7.1 XOR Gate with 1-Input ...................................................................................... 8 
B. 7.2 XOR Gate with 2-Inputs .................................................................................... 8 
Appendix C Logic Component CSP Models for Main Work ......................................... 8 
C. I Developing the Models ............................................................................................ 8 
C. 2 AND ......................................................................................................................... 8 
C. 3 D-Type Flip-Flop ..................................................................................................... 8 
C. 4 GND ......................................................................................................................... 
8 
C. 5 Inverter (NOT) ......................................................................................................... 8 
C. 6 NAND ...................................................................................................................... 
8 
vi 
Contents 
C. 7 NOR ......................................................................................................................... 
8 
C. 8 OR ............................................................................................................................ 8 
C. 9 T-Type Flip-Flop ..................................................................................................... 8 
C. 10 VCC ......................................................................................................................... 8 
C. I 1 XOR ......................................................................................................................... 
8 
Appendix D Single Type Component Generic Specification Model Example ............... 8 
D. 1 Models & Specifications .......................................................................................... 
8 
D. 1.1 GenSpec 1: Valid Low Level Behaviour ........................................................... 
8 
D. 1.2 GenSpec 2: Low Level Behaviour with Explicit Deadlocking .......................... 8 
D. 1.3 GenSpec 3: Correct Component Driving ........................................................... 
8 
D. 1.4 GenSpec 4: Annotated Low Level Behaviour with Explicit Deadlocking........ 8 
D. 1.5 GenSpec 5: Annotating the Outer Layer ............................................................ 
8 
D. 1.6 GenSpec 6: Clock Cycle Higher Generic Specification .................................... 8 
D. 2 Assertions: Linking the Models Together ................................................................ 
8 
D. 2.1 GenSpec Assertion 1: Initial Deadlock Check ................................................... 
8 
D. 2.2 GenSpec Assertion 2: GenSpec 2 Contains GenSpec 1 Behaviour ................... 8 
D. 2.3 GenSpec Assertion 3: GenSpec 3 Compatible with GenSpec 2 ........................ 8 
D. 2.4 GenSpec Assertion 4: GenSpec 3 Removes Deadlock from GenSpec 2........... 8 
D. 2.5 GenSpec Assertions 5: GenSpec 3 Removes Only Incorrect Driving ............... 
8 
D. 2.6 GenSpec Assertions 6: Properties of the Annotation Events ............................. 
8 
D. 2.7 GenSpec Assertion 7: GenSpec 3 Compatible with GenSpec 4 ........................ 
8 
D. 2.8 GenSpec Assertion 8: GenSpec 3 Removes Deadlock From GenSpec 4 .......... 
8 
D. 2.9 GenSpec Assertions 9: GenSpec 4 is an Annotated GenSpec 2 ........................ 
8 
D. 2.10 GenSpec Assertion 10: GenSpec 6 Deadlock Free .................................... 
8 
D. 2.11 GenSpec Assertions 11: GenSpec 5 Annotates Outer Level Correctly...... 8 
D. 2.12 GenSpec Assertions 12: GenSpec 5 Does Not Introduce Extra Behaviour8 
vii 
Contents 
D. 2.13 GenSpec Assertions 13: GenSpec 4 With Signals Hidden is Similar to 
GenSpec 6 ................................................................................................... 
8 
D. 3 Conclusion & Evaluation ......................................................................................... 
8 
D. 4 Future Work ............................................................................................................. 
8 
D. 4.1 Linking Clock Cycle Annotations to a Higher Level Specification .................. 8 
D. 4.1.1 GenSpec 7: Software Component Generic Spec Model ............................. 8 
D. 4.1.2 GenSpec Assertions 14: Linking GenSpec 6 to GenSpec 7 ....................... 8 
D. 4.2 Model Simplifications ........................................................................................ 
8 
Appendix E Single Type Component Implemented Model Example ............................ 8 
E. 1 Models & Specifications .......................................................................................... 
8 
E. 1.1 ImpSpec 1: Valid Low Level Behaviour ........................................................... 
8 
E. 1.2 ImpSpec 2: Low Level Behaviour with Explicit Deadlocking .......................... 8 
E. 1.3 ImpSpec 3: Model of Implemented Logic ......................................................... 
8 
E. 1.4 ImpSpec 4: Annotation Only Specification ....................................................... 
8 
E. 2 Assertions: Linking the Models Together ................................................................ 
8 
E. 2.1 ImpSpec Assertion 1: Deadlock Freedom ......................................................... 
8 
E. 2.2 ImpSpec Assertion 2: Super Type Control Only Limits the Behaviour............ 8 
E. 2.3 ImpSpec Assertion 3: Expected 'IF' Component Behaviour is Deadlock-Free 8 
E. 2.4 ImpSpec Assertion 4: Expected Boundary Behaviour Refines Super Type...... 8 
E. 2.5 ImpSpec Assertions 5: Correctly Driven Implementation Behaves as Expected 
.................................................................................................................... 
8 
E. 2.6 ImpSpec Assertion 6: Annotation Outer Level Does Not Introduce Deadlock. 8 
E. 2.7 ImpSpec Assertion 7: Expected High Level Behaviour is Deadlock-Free........ 8 
E. 2.8 ImpSpec Assertions 8: Component Behaves Similarly to Expected Higher 
Spec ............................................................................................................ 
8 
E. 3 Conclusions & Evaluation ....................................................................................... 
8 
E. 4 Future Work ............................................................................................................. 
8 
viii 
Contents 
E. 4.1 Linking Clock Cycle Annotations to Higher Specification ............................... 8 
E. 4.1.1 ImpSpec 5: Software Specification Model ................................................. 8 
E. 4.1.2 ImpSpec Assertion 9: Software Specification is a Refinement of Super 
Type ............................................................................................................ 8 
Appendix F Multi-Type Component Generic Specification Model Example ................ 8 
F. 1 Models & Specifications .......................................................................................... 8 
F. 1.1 GenSpec 1: Valid Low Level Behaviour ........................................................... 8 
F. 1.2 GenSpec 2: Low Level Behaviour with Explicit Deadlocking .......................... 8 
F. 1.3 GenSpec 3: Correct Component Driving .......................................................... 
8 
F. 1.4 GenSpec 4: Annotated Low Level Behaviour with Explicit Deadlocking........ 8 
F. 1.5 GenSpec 5: Annotating the Outer Layer ............................................................ 8 
F. 1.6 GenSpec 6: Clock Cycle Higher Generic Specification .................................... 8 
F. 2 Assertions: Linking the Models Together ................................................................ 
8 
F. 2.1 GenSpec Assertion 1: Initial Deadlock-Free Check .......................................... 
8 
F. 2.2 GenSpec Assertion 2: GenSpec 2 Contains GenSpec 1 Behaviour ................... 8 
F. 2.3 GenSpec Assertion 3: GenSpec 3 Compatible with GenSpec 2 ........................ 8 
F. 2.4 GenSpec Assertion 4: GenSpec 3 Removes Deadlock from GenSpec 2........... 8 
F. 2.5 GenSpec Assertions 5: GenSpec 3 Removes Only Incorrect Driving ............... 8 
F. 2.6 GenSpec Assertions 6: Properties of the Annotation Events ............................. 8 
F. 2.7 GenSpec Assertion 7: GenSpec 3 Compatible with GenSpec 4 ........................ 8 
F. 2.8 GenSpec Assertion 8: GenSpec 3 Removes Deadlock From GenSpec 4.......... 8 
F. 2.9 GenSpec Assertions 9: GenSpec 4 is an Annotated GenSpec 2 ........................ 8 
F. 2.10 GenSpec Assertion 10: GenSpec 6 Deadlock-Free ........................................... 8 
F. 2.11 GenSpec Assertions 11: GenSpec 5 Annotates Outer Level Correctly ............. 8 
F. 2.12 GenSpec Assertions 12: GenSpec 5 Does Not Introduce Extra Behaviour....... 8 
F. 2.13 GenSpec Assertions 13: GenSpec 4 With Signals Hidden is Similar to 
GenSpec 6 ................................................................................................... 
8 
ix 
Contents 
F. 3 Similarities to Single Type Component Specifications ........................................... 8 
F. 4 Conclusion & Evaluation ......................................................................................... 8 
Appendix G Multi-Type Component Implemented Model Example ............................. 8 
G. 1 Models & Specifications 
.......................................................................................... 8 
G. 1.1 ImpSpec 1: Valid Low Level Behaviour ........................................................... 8 
G. 1.2 ImpSpec 2: Low Level Behaviour with Explicit Deadlocking .......................... 8 
G. 1.3 ImpSpec 3: Model of Implemented Logic ......................................................... 8 
G. 1.4 ImpSpec 4: Annotation Only Specification ....................................................... 8 
G. 2 Assertions: Linking the Models Together ................................................................ 8 
G. 2.1 ImpSpec Assertion 1: Deadlock-Free ................................................................ 8 
G. 2.2 ImpSpec Assertion 2: Super Type Control Only Limits the Behaviour ............ 8 
G. 2.3 ImpSpec Assertion 3: Expected Component Behaviour is Deadlock-Free ....... 8 
G. 2.4 ImpSpec Assertion 4: Expected Boundary Behaviour Refines Super Type...... 8 
G. 2.5 ImpSpec Assertions 5: Correctly Driven Implementation Behaves as Expected 
.................................................................................................................... 8 
G. 2.6 ImpSpec Assertion 6: Annotation Outer Level Does Not Introduce Deadlock. 8 
G. 2.7 ImpSpec Assertion 7: Expected High Level Behaviour is Deadlock-Free........ 8 
G. 2.8 ImpSpec Assertions 8: Component Behaves Similarly to Expected Higher 
Spec ............................................................................................................ 8 
G. 3 Conclusions & Evaluation ....................................................................................... 8 
G. 4 Future Work ............................................................................................................. 8 
G. 4.1 Linking Clock Cycle Annotations to Higher Specification ............................... 8 
Appendix H Alternative Generic Specification Model Example .................................... 8 
H. 1 Models & Specifications .......................................................................................... 8 
H. 1.1 GenSpec 1: Valid Low Level Behaviour ........................................................... 8 
H. 1.2 GenSpec 2: Low Level Behaviour with Explicit Deadlocking .......................... 8 
H. 1.3 GenSpec 3: Correct Component Driving ........................................................... 8 
X 
Contents 
H. 1.4 GenSpec 4: Annotated Low Level Behaviour with Explicit Deadlocking ........ 8 
H. 1.5 GenSpec 5: Correct Component Driving Annotating the Outer Layer .............. 8 
H. 1.6 GenSpec 6: Clock Cycle Higher Generic Specification .................................... 
8 
H. 1.7 GenSpec 7: Driving Clock Cycle Higher Generic Specification ....................... 8 
H. 1.8 GenSpec 8: Annotating Clock Cycle Higher Generic Specification ................. 8 
H. 1.9 GenSpec 9: Software Higher Generic Specification .......................................... 8 
H. 1.10 GenSpec 10: Annotation Only Control Generic Specification ................... 8 
H. 2 Assertions: Linking the Models Together ................................................................ 
8 
H. 2.1 GenSpec Assertion 1: Initial Deadlock-Free Check .......................................... 
8 
H. 2.2 GenSpec Assertion 2: GenSpec 2 Contains GenSpec 1 Behaviour ................... 
8 
H. 2.3 GenSpec Assertion 3: GenSpec 3 Compatible with GenSpec 2 ........................ 8 
H. 2.4 GenSpec Assertion 4: GenSpec 3 Removes Deadlock from GenSpec 2........... 8 
H. 2.5 GenSpec Assertions 5: GenSpec 3 Removes Only Incorrect Driving ............... 8 
H. 2.6 GenSpec Assertions 6: Properties of the Annotation Events ............................. 8 
H. 2.7 GenSpec Assertion 7: GenSpec 3 Compatible with GenSpec 4 ........................ 8 
H. 2.8 GenSpec Assertion 8: GenSpec 3 Removes Deadlock From GenSpec 4.......... 8 
H. 2.9 GenSpec Assertions 9: GenSpec 4 is an Annotated GenSpec 2 ........................ 8 
H. 2.10 GenSpec Assertion 10: GenSpec 6 Deadlock-Free .................................... 
8 
H. 2.11 GenSpec Assertions 11: GenSpec 5 Annotates Outer Level Correctly...... 8 
H. 2.12 GenSpec Assertions 12: GenSpec 5 Does Not Introduce Unexpected 
Behaviours .................................................................................................. 
8 
H. 2.13 GenSpec Assertions 13: GenSpec 4 With Signals Hidden is Similar to 
GenSpec 6 ................................................................................................... 
8 
H. 2.14 GenSpec Assertions 14: GenSpec 10 Similar to GenSpec 5 ...................... 8 
H. 2.15 GenSpec Assertions 15: Linking GenSpec 6 to GenSpec 9 ....................... 8 
H. 3 Conclusion & Evaluation ......................................................................................... 
8 
Appendix I Alternative Implemented Model Example ................................................. 
8 
xi 
Contents 
I. 1 Models & Specifications .......................................................................................... 8 
1.1.1 ImpSpec 1: Valid Low Level Behaviour ........................................................... 8 
I. 1.2 ImpSpec 2: Low Level Behaviour with Explicit Deadlocking .......................... 8 
I. 1.3 ImpSpec 3: Model of Implemented Logic ......................................................... 8 
I. 1.4 ImpSpec 4: Annotation Only Specification ....................................................... 8 
I. 1.5 ImpSpec 5: Software Specification Model ........................................................ 8 
1.2 Assertions: Linking the Models Together ................................................................ 8 
1.2.1 ImpSpec Assertion 1: Deadlock-Free 
................................................................ 8 
1.2.2 ImpSpec Assertion 2: Super Type Control Only Limits the Behaviour............ 8 
1.2.3 ImpSpec Assertion 3: Expected 'IF' Component Behaviour is Deadlock-Free 8 
1.2.4 ImpSpec Assertion 4: Expected Boundary Behaviour Refines Super Type...... 8 
1.2.5 ImpSpec Assertions 5: Correctly Driven Implementation Behaves as Expected 
.................................................................................................................... 8 
1.2.6 ImpSpec Assertion 6: Annotation Outer Level Does Not Introduce Deadlock. 8 
1.2.7 ImpSpec Assertion 7: Expected High Level Behaviour is Deadlock-Free........ 8 
1.2.8 ImpSpec Assertions 8: Component Behaves Similarly to Expected Higher 
Spec ............................................................................................................ 8 
1.2.9 ImpSpec Assertion 9: Software Specification is a Refinement of Super Type. 8 
Appendix J Pattern Matched Selective Renaming Alternative ...................................... 8 
J. 1 Methodology ............................................................................................................ 8 
J. 2 Conclusion ............................................................................................................... 8 
Appendix K Simplified CSP Models Without Reset Feature ......................................... 8 
K. 1 Logic Components ................................................................................................... 8 
K. 2 Super Type Specifications ....................................................................................... 8 
K. 2.1 Control Flow Process ......................................................................................... 8 
K. 2.1.1 Control Flow Process: Correct Control ...................................................... 8 
K. 2.1.2 Control Flow Process: Low Level Specification ........................................ 8 
xii 
Contents 
1(2.1.3 Control Flow Process: Low Level Specification With Deadlocking ......... 8 
K. 2.1.4 Control Flow Process: High Level Specification ....................................... 8 
K. 2.2 Boolean Process ................................................................................................. 8 
K. 2.2.1 Boolean Process: Low Level Specification With Deadlocking .................. 8 
K. 2.2.2 Boolean Process: High Level Specification ............................................... 8 
K. 3 Implemented "IF THEN ELSE" Component .......................................................... 
8 
K. 3.1 IF THEN ELSE: Low Level Specification ........................................................ 8 
K. 3.2 IF THEN ELSE: Low Level Specification With Deadlocking .......................... 8 
K. 3.3 IF THEN ELSE: High Level Specification ....................................................... 8 
Appendix L Expected Run Time .................................................................................... 
8 
L. 1 Generic: Control Flow Process ................................................................................ 
8 
L. 1.1 Implemented: SKIP (Delay) ............................................................................. 
8 
L. 1.2 Implemented: STOP (Deadlock) ........................................................................ 
8 
L. 1.3 Implemented: S EQ ............................................................................................. 8 
L. 1.4 Implemented: PAR ............................................................................................. 
8 
L. 1.5 Implemented: Assignment ................................................................................. 
8 
L. 1.6 Implemented: Channel Declaration ................................................................... 
8 
L. 1.7 Implemented: Variable Declaration ................................................................... 
8 
L. 1.8 Implemented: IF (IF THEN ELSE) ................................................................... 
8 
L. 1.9 Implemented: While ........................................................................................... 
8 
L. 1.10lmplementation: Output Channel (Sending Along a Channel) .......................... 8 
L. 1.11 Implementation: Input Channel (Reading from a Channel) .............................. 8 
L. 2 Generic: Boolean Process ........................................................................................ 
8 
L. 2.1 Implemented: True ............................................................................................. 
8 
L. 2.2 Implemented: False ............................................................................................ 
8 
L. 2.3 Implementation: Boolean AND ......................................................................... 
8 
xiii 
Contents 
L. 2.4 Implementation: Boolean OR ............................................................................ 8 
L. 2.5 Implementation: EQUAL ................................................................................... 8 
L. 2.6 Implementation: NOT EQUAL ......................................................................... 8 
L. 2.7 Implementation: LESS THAN ........................................................................... 
8 
L. 2.8 Implementation: GREATER THAN .................................................................. 
8 
L. 3 Generic: Read ........................................................................................................... 
8 
L. 3.1 Implementation: UINT Constant ....................................................................... 
8 
L. 3.2 Implementation: Read for FlipFlopStorage Variable ........................................ 8 
L. 3.3 Implementation: Read for WatchedFlipFlopStorage Variable .......................... 8 
L. 4 Generic: Store .......................................................................................................... 
8 
L. 4.1 Implementation: Store for FlipFlopStorage Variable ........................................ 8 
L. 4.2 Implementation: Store for WatchedFlipFlopStorage Variable .......................... 8 
L. 5 Generic: Variables ................................................................................................... 
8 
L. 6 Generic: Channels .................................................................................................... 8 
Appendix M Esterel SCADE 6.0 - Design Verifier Problem .......................................... 8 
M. 1 A Simple Model Using Enumerated Types ............................................................. 
8 
M. 2 Breaking the Design Verifier ................................................................................... 
8 
M. 3 Trying to Locate the Problem .................................................................................. 
8 
M. 4 Conclusion ............................................................................................................... 
8 
Appendix N OCCAM: Digital Clock .............................................................................. 
8 
References ............................................................................................................................ 
8 
xiv 
List of Figures 
Figure 1: How the CSP proof fits with the hardware compilation ...................................... 1 
Figure 2: Pictorial representation of the Logic Circuit from Figure 5 on page 25 .............. 8 
Figure 3: Simplified D-Type Flip-Flop Model .................................................................... 8 
Figure 4: An Instantiation of a Two Input AND Gate ......................................................... 8 
Figure 5: Example CSP of Running Logic Components in Parallel .................................... 8 
Figure 6: Algorithmic Specification of the Logic Circuit from Figure 5 ............................ 8 
Figure 7: Simple Testing of the Generated Circuit .............................................................. 8 
Figure 8: Initial T-Type Flip-Flop Model Developed .......................................................... 8 
Figure 9 CSP specification of a 4-bit counter process ......................................................... 8 
Figure 10 Initial OCCAM counter program ........................................................................ 8 
Figure I1 Single-value commstime program ....................................................................... 8 
Figure 12: Triple-value commstime program ...................................................................... 8 
Figure 13: Graphical representation of an "IF THEN ELSE" component ........................... 8 
Figure 14: Simplified class diagram of a subset of components and their super types ....... 8 
Figure 15: Overview of CSP proof structure for a single component ................................. 8 
Figure 16: CSP model of D-Type Flip-Flop used in chapter 3 ............................................ 8 
Figure 17: An Instantiation of a Two Input AND Gate ....................................................... 8 
Figure 18: AND Gate CSP Model: 10-SEQ ........................................................................ 8 
Figure 19: An Instantiation of aD Type Flip Flop .............................................................. 8 
Figure 20: D-Type Flip-Flop CSP Model: 10-PAR ............................................................ 8 
Figure 21: A simple CSP definition of an 01-SEQ component ........................................... 8 
Figure 22: A CSP definition of an 01-SEQ component using channels .............................. 8 
Figure 23: 10-SEQ and IO-PAR connected in a loop .......................................................... 8 
Figure 24: OI-SEQ replaces 10-PAR in 10-SEQ/IO-PAR loop .......................................... 8 
xv 
Figure 25: D-Type Flip-Flop CSP Model: 01-SEQ ............................................................. 8 
Figure 26: Assertions demonstrating 01-SEQ is a refinement of 10-PAR .......................... 8 
Figure 27: Overview of the relationship between the numerous models of an OCCAM 
supertype ....................................................................................................................... 8 
Figure 28: Overview of proof structure for an implemented component ............................ 8 
Figure 29: Commstime written in OCCAM for conversion into hardware ......................... 8 
Figure 30: Commstime hand translated into the AST for the compiler ............................... 8 
Figure 31: Trace through for initialisation phase of Figure 29 commstime ........................ 8 
Figure 32: Trace through of 6 cycle cyclical loop (N+9 to N+15) for Figure 29 
commstime .................................................................................................................... 8 
Figure 33: Commstime passing three values round the loop ............................................... 8 
Figure 34: Trace through for initialisation of Figure 33 commstime .................................. 8 
Figure 35: Trace 11 cycle cyclical loop (N+17 to N+28) for Figure 33 commstime .......... 8 
Figure 36: Optimised trigger & completion step through for initialisation of Figure 33 
commstime .................................................................................................................... 8 
Figure 37: Trigger & completion step through of 6 cycle cyclical loop of Figure 33 
commstime .................................................................................................................... 8 
Figure 38: Overview of the Digital Clock example ............................................................. 8 
Figure 39: Example 3: Digital Clock, running on an FPGA development board ................ 8 
Figure 40 Screen Shot of the Graphical Circuit Visualiser .................................................. 8 
Figure 41 Example output from the first tidying algorithm ................................................. 8 
Figure 42 A graphical representation of how logic components are ordered for algorithm 
I .................................................................................................................................... 8 
Figure 43 An example output from the second tidying algorithm ....................................... 8 
Figure 44 A graphical representations how logic components are ordered for algorithm 28 
Figure 45 A CSV file (shown in Excel) representing input waveforms to a circuit............ 8 
Figure 46 Output waveform from a simulation ................................................................... 8 
xvi 
Figure 47: A pictorial example of a three input AND gate .................................................. 8 
Figure 48: A pictorial example of a three input OR gate ..................................................... 8 
Figure 49: CSP Definition of a D-Type Flip-Flop from [Peel & Wong, 2004] ................... 8 
Figure 50: CSP Definition of a D-Type Flip-Flop from Appendix B, used in Chapter 3 ... 8 
Figure 51: A Modified CSP Definition of a D-Type Flip-Flop - Version 1 ....................... 8 
Figure 52: Overview of the relationship between the numerous models of an OCCAM 
supertype ....................................................................................................................... 8 
Figure 53: Low Level Generic Control Flow Specification ................................................ 8 
Figure 54: Low Level Generic Control Flow Specification with Explicit Deadlocking ..... 8 
Figure 55: Generic Control Flow Specification - Correct Driving Limiter ......................... 8 
Figure 56: Annotated Generic Control Flow Specification with Explicit Deadlocking...... 8 
Figure 57: Generic Control Flow Annotate Outer Layer ..................................................... 8 
Figure 58: Generic Control Flow Annotation Specification ................................................ 8 
Figure 59: Example of GenSpec Assertion I for Controll Flow Process ............................ 8 
Figure 60: Example of GenSpec Assertion 2 for Control Flow Process ............................. 8 
Figure 61: Example of GenSpec Assertion 3 for Control Flow Process ............................. 8 
Figure 62: Example of GenSpec Assertion 4 for Control Flow Process ............................. 8 
Figure 63: Example of GenSpec Assertions 5 for Control Flow Process ............................ 8 
Figure 64: Example of GenSpec Assertions 6 for Control Flow Process ............................ 8 
Figure 65: Example of GenSpec Assertion 7 for Control Flow Process ............................. 8 
Figure 66: Example of GenSpec Assertion 8 for Control Flow Process ............................. 8 
Figure 67: Example of GenSpec Assertions 9 for Control Flow Process ............................ 8 
Figure 68: Example of GenSpec Assertion 10 for Control Flow Process ........................... 8 
Figure 69: Example of GenSpec Assertion 11 for Control Flow Process ........................... 8 
Figure 70: Example of GenSpec Assertions 12 for Control Flow Process .......................... 8 
Figure 71: Example of GenSpec Assertions 13 for Control Flow Process .......................... 8 
xvii 
Figure 72: Example of Simplified Control Flow Annotation Specification ........................ 8 
Figure 73: Example of how to link Annotation Spec to Simplified Spec ............................ 8 
Figure 74: Overview of proof structure for an implemented component ............................ 8 
Figure 75: Low Level 'IF' Component Desired Specification ............................................. 8 
Figure 76: Low Level 'IF' Component Generic Specification with Explicit Deadlocking.. 8 
Figure 77: CSP Model of the Logic Circuit Segment of the Implemented 'IF' Component 
...................................................................................................................................... 8 
Figure 78: A Graphical Depiction of the Logic Segment for an'IF' Component ................ 8 
Figure 79: IF Component Annotation Only Specification ................................................... 
8 
Figure 80: 'IF' Component Deadlock-Free Assertion .......................................................... 
8 
Figure 81: Super Type Component Limits the Behaviour of the Implementation .............. 8 
Figure 82: Expected'IF Component Behaviour is Deadlock-Free ..................................... 8 
Figure 83: Expected IF' Component Behaviour is a Refinement of Super Type ................ 8 
Figure 84: Correctly Driven IF Component Behaves as Expected .................................... 8 
Figure 85: Annotating outer level of 'IF component does not introduce deadlock ............. 8 
Figure 86: 'IF' Component High Level Behaviour is Deadlock-Free .................................. 8 
Figure 87: 'IF Component Behaves Similarly to Expected Higher Behaviour ................... 8 
Figure 88: 'IF' Component Software Annotation Behavioural Specification ...................... 8 
Figure 89: Higher Software Specification is a Refinement of the Super Type ................... 8 
Figure 90: Low Level Generic Data Storage Specification ................................................. 
8 
Figure 91: Low Level Generic Data Storage Specification with Explicit Deadlocking...... 8 
Figure 92: Generic Control Data Storage Specification - Correct Driving Limiter ............ 8 
Figure 93: Annotated Generic Data Storage Specification with Explicit Deadlocking....... 8 
Figure 94: Generic Data Storage Annotate Outer Layer ..................................................... 8 
Figure 95: Generic Data Storage Annotation Specification ................................................ 
8 
Figure 96: Example of GenSpec Assertion 1 for Data Storage Specification ..................... 8 
xviii 
Figure 97: Example of GenSpec Assertion 2 for Data Storage Specification ..................... 8 
Figure 98: Example of GenSpec Assertion 3 for Data Storage Specification ..................... 8 
Figure 99: Example of GenSpec Assertion 4 for Data Storage Specification ..................... 8 
Figure 100: Example of GenSpec Assertions 5 for Data Storage Specification .................. 8 
Figure 101: Example of GenSpec Assertions 6 for Data Storage Spec ............................... 8 
Figure 102: Example of GenSpec Assertion 7 for Data Storage Specification ................... 8 
Figure 103: Example of GenSpec Assertion 8 for Data Storage Specification ................... 8 
Figure 104: Example of GenSpec Assertions 9 for Data Storage Specification .................. 8 
Figure 105: Example of GenSpec Assertion 10 for Data Storage Specification ................. 8 
Figure 106: Example of GenSpec Assertion 11 for Data Storage Specification ................. 8 
Figure 107: Example of GenSpec Assertions 12 for Data Storage Specification ................ 8 
Figure 108: Example of GenSpec Assertions 13 for Data Storage Specification ................ 8 
Figure 109: Assertions Demonstrating Similarities with Single Type Generic Interface 
Specifications ................................................................................................................ 
8 
Figure 110: Low Level 'FlipFlopStorage' Component Desired Specification ..................... 8 
Figure 111: Low Level 'FlipFlopStorage' Component Generic Specification with Explicit 
Deadlocking .................................................................................................................. 
8 
Figure 112: CSP Model of the Logic Circuit Segment of the `FlipFlopStorage' 
Component .................................................................................................................... 
8 
Figure 113: FlipFlopStorage Component Annotation Only Specification .......................... 8 
Figure 114: 'FlipFlopStorage' Component Deadlock-Free Assertion .................................. 8 
Figure 115: Super Type Component Limits the Behaviour of the Implementation ............ 8 
Figure 116: Expected Component Behaviour is Deadlock-Free ......................................... 8 
Figure 117: Expected Component Behaviour is a Refinement of Super Type .................... 8 
Figure 118: Correctly Driven Component Behaves as Expected ........................................ 8 
Figure 119: Annotating outer level of the component does not introduce deadlock ........... 8 
Figure 120: Components High Level Behaviour is Deadlock-Free ..................................... 8 
xix 
Figure 121: Component Behaves Similarly to Expected Higher Behaviour ....................... 8 
Figure 122: Low Level Generic Control Flow Specification .............................................. 8 
Figure 123: Low Level Generic Control Flow Specification with Explicit Deadlocking ... 8 
Figure 124: Generic Control Flow Specification - Correct Singal Driver ........................... 8 
Figure 125: Annotated Generic Control Flow Specification with Explicit Deadlocking.... 8 
Figure 126: Generic Control Flow Annotate Outer Layer ................................................... 8 
Figure 127: Generic Control Flow Annotation Specification ............................................. 8 
Figure 128: Control Generic Control Flow Annotation Specification ................................ 8 
Figure 129: Annotate Generic Control Flow Annotation Specification .............................. 8 
Figure 130: Example of Simplified Control Flow Annotation Specification ...................... 8 
Figure 131: Control Process for Annotation Only Control Flow Specification .................. 8 
Figure 132: Example of GenSpec Assertion I for Controll Flow Process .......................... 8 
Figure 133: Example of GenSpec Assertion 2 for Controll Flow Process .......................... 8 
Figure 134: Example of GenSpec Assertion 3 for Controll Flow Process .......................... 8 
Figure 135: Example of GenSpec Assertion 4 for Control Flow Process ........................... 8 
Figure 136: Example of GenSpec Assertions 5 for Control Flow Process .......................... 8 
Figure 137: Example of GenSpec Assertions 6 for Control Flow Process .......................... 8 
Figure 138: Example of GenSpec Assertion 7 for Control Flow Process ........................... 8 
Figure 139: Example of GenSpec Assertion 8 for Control Flow Process ........................... 8 
Figure 140: Example of GenSpec Assertions 9 for Control Flow Process .......................... 8 
Figure 141: Example of GenSpec Assertion 10 for Control Flow Process ......................... 8 
Figure 142: Example of GenSpec Assertion 11 for Control Flow Process ......................... 8 
Figure 143: Example of GenSpec Assertions 12 for Control Flow Process ........................ 8 
Figure 144: Example of GenSpec Assertions 13 for Control Flow Process ........................ 8 
Figure 145: Linking GenSpec 10 to GenSpec 5 .................................................................. 8 
Figure 146: Example of how to link Annotation Spec to Simplified Spec .......................... 8 
xx 
Figure 147: Low Level IF Component Desired Specification ........................................... 8 
Figure 148: Low Level 'IF Component Generic Specification with Explicit Deadlocking 8 
Figure 149: CSP Model of the Logic Circuit Segment of the Implemented 'IF' 
Component .................................................................................................................... 8 
Figure 150: A Graphical Depiction of the Logic Segment for an IF Component .............. 8 
Figure 151: IF Component Annotation Only Specification ................................................. 8 
Figure 152: 'IF' Component Software Annotation Behavioural Specification .................... 8 
Figure 153: IF Component Deadlock-Free Assertion ........................................................ 8 
Figure 154: Super Type Component Limits the Behaviour of the Implementation ............ 8 
Figure 155: Expected 'IF Component Behaviour is Deadlock-Free ................................... 8 
Figure 156: Expected `IF' Component Behaviour is a Refinement of Super Type .............. 8 
Figure 157: Correctly Driven 'IF Component Behaves as Expected .................................. 8 
Figure 158: Annotating outer level of'IF' component does not introduce deadlock........... 8 
Figure 159: IF Component High Level Behaviour is Deadlock-Free ................................ 8 
Figure 160: 'IF' Component Behaves Similarly to Expected Higher Behaviour ................. 8 
Figure 161: Higher Software Specification is a Refinement of the Super Type ................. 8 
Figure 162: Graphical representation of simplified "IF THEN ELSE" component ............ 8 
Figure 163: CSP Model of "IF THEN ELSE" Component ................................................. 8 
Figure 164: Refactored correctly driven circuit ................................................................... 
8 
Figure 165: Assertions demonstrating low level specification equivalence ........................ 8 
Figure 166: Hybrid Generic Control Flow Process ............................................................. 8 
Figure 167: Hybrid Generic Boolean Process ..................................................................... 
8 
Figure 168: Low Level 'IF Component Specification with Embedded Full Annotations... 8 
Figure 169: Hybrid annotations behave identically to annotation only specification.......... 8 
Figure 170: Check if Outer Annotation Behaviour from Hybrid Model is Allowed........... 8 
Figure 171: Hybrid model with annotations renamed behaves identically to correctly 
driven circuit ................................................................................................................. 
8 
xxi 
Figure 172: Overview of proof structure for pattern matched selective renaming 
alternative ..................................................................................................................... 8 
Figure 173: D-Type FlipFlop with no Reset function ......................................................... 8 
Figure 174: Generic Control Flow Specification - Correct Driving Limiter ...................... 8 
Figure 175: Low Level Generic Control Flow Specification .............................................. 8 
Figure 176: Low Level Generic Control Flow Specification with Explicit Deadlocking ... 8 
Figure 177: Generic Control Flow Annotation Specification .............................................. 8 
Figure 178: Low Level Boolean Specification with Explicit Deadlocking ......................... 8 
Figure 179: Generic Control Flow Annotation Specification .............................................. 8 
Figure 180: Low Level 'IF' Component Desired Specification ........................................... 8 
Figure 181: Low Level 'IF Component Generic Specification with Explicit Deadlocking 8 
Figure 182: IF Component Annotation Only Specification ................................................. 
8 
Figure 183: How to compute the completion time for a 'While' component ....................... 8 
Figure 184: Sending and receiving started at the same time on a0 communication delay 
channel .......................................................................................................................... 
8 
Figure 185: Sending started 1 cycle before receiving on a0 communication delay channel 
...................................................................................................................................... 
8 
Figure 186: Sending started 2 cycles before receiving on a0 communication delay 
channel .......................................................................................................................... 
8 
Figure 187: Reading started I clock cycle before sending on a0 communication delay 
channel .......................................................................................................................... 
8 
Figure 188: A simple SCADE model using enumerated types ............................................ 8 
Figure 189: Modifying Figure 188 to break the design verifier .......................................... 8 
Figure 190: Simplifying the model - Version 1 ................................................................... 
8 
Figure 191: Simplifying the model - Version 2 ................................................................... 
8 
xxii 
List of Tables 
Table 1: Model-Checking Performance of FDR .................................................................. 8 
Table 2: Port ordering imposed by the Comparator for the tidying algorithms ................... 8 
Table 3: Signal ordering imposed by the Comparator for the tidying algorithms ............... 8 
Table 4: Definitions of enumerated type used in Figure 188 ............................................... 8 
Acknowledgements 
I would like to show my appreciation towards my supervisor Dr Roger Peel for his 
limitless patience and support, without whom I would not have contemplated starting this 
thesis. Thanks must also be given to Professor Steve Schneider and Dr Helen Treharne for 
their valuable feedback, support and discussions. Gratitude should also be given to 
EPSRC, as without their funding none of this would have been possible. 
On a more personal note, I would like to thank my parents for their emotional and 
financial support, during both this PhD and the preceding MSc which lead to this 
opportunity. Last, but far from least, I would also like to thank my fiance for her 
understanding, care and consideration, especially when it came to organising holidays. 
I Introduction 
As the number of configurrble logic blocks (CiJ3s) that are contained within field 
pn)grammable gate array (FPGA) devices continues to increase, this promotes the design 
and development of larger and more complex systems. A problem then arises that, as the 
size of systems increase, so does the complexity of the work required for the design and 
configuration these devices. When FPGAs are traditionally designed, developed and 
debugged at a low level, through specifying how individual logic blocks (AND gates, OR 
gates, Flip-Flops, etc) arc connected together, the work that is required for traditional 
verification and debugging involves numerous test vectors and complex simulations that 
eventually become impractical. 
FPGAs are built up from low level hardware components, so they are particularly suited 
to systems or applications that contain fine grained parallel components. This thesis 
focuses on methods for creating such fine grained parallel logic circuits from an OCCAM 
(SGS-Thompson Microelectronics Ltd, 1991) specification. The work reported in this 
thesis involvod the creation of an OC CAM-to-FPGA compiler that builds the logic 
circuits through performing   one-to-one mapping of OC('AM grammar fragments into 
small segments of logic circuits, which arc then connected together in the manner dictated 
by the application's specification. The compiler utilises the same code to generate both 
the logic circuits and formal CSP (Communicating Sequential Processes) (Hoare, 2004J 
models which describe this generation process and validntc the output (see Figure 1). 
.O 
Flgatro 1: How for ( SP proof fist with the bardware compUafon 
The form I C'SP models describe the behaviour% of 'Hall sections of logic circuits that 
represent scgmonts of the OCCAM language (at various levels of abstraction) and the 
relationship between these models, along with how these segments are combined together 
to construct the overall circuit. This enables the compilation of an OCCAM spocißcation 
Introduction 
down into a hardware implementation with a guarantee that the behavioural properties of 
the generated circuits will be as dictated by the specification, without the need to 
explicitly model check the generated circuit. By proving the compilation process of an 
OCCAM-to-FPGA software-to-hardware compiler, one avoids the state space explosion 
that would arise if each generated circuit was model-checked. As the compiler has been 
designed to utilise the same code to generate both the logic circuits and the CSP models, 
we can verify that the compiler output matches the proofs, thus guaranteeing that 
properties in the CSP hold true in the hardware circuits. 
1.1 Thesis Contributions 
This thesis makes a novel contribution to the area of hardware/software co-design through 
the development of an OCCAM-to-FPGA compiler that takes a variant of the OCCAM 
parallel programming language as its input and produces low level, fine grained parallel 
hardware. Importantly, guarantees can be made about the behaviour of the resulting 
hardware due to the way the compiler has been developed. By utilising this method of 
hardware design, it enabled the production of a formally verified compiler that generates 
logic circuits where the behaviour is guaranteed to be as specified. This guarantee of 
behavioural properties, without the need to explicitly check each generated circuit, 
enables one easily to design and develop larger and more complex systems. The design 
and development of these systems are possible because one is working at a higher level of 
abstraction (i. e. at the OCCAM software level as opposed to physical hardware). As the 
compiler guarantees its output, one can formally verify an application at the software 
level as opposed to the hardware level, thus the extra state introduced by the hardware 
does not need to be explicitly checked. This is useful because the work involved in 
proving the compiler is related to the size and complexity of the software specification 
language (i. e. OCCAM), not the application being developed, and this proof only has to 
be done once. As a result of this, the end user has the ability to utilise software design and 
development methodologies to sub-divide their problem into as many layers of 
abstraction or sub-components as desired, without having to worry about manually 
verifying the generated hardware. 
CSP (Communicating Sequential Processes, [Hoare, 2004]) is a process algebra that 
supports modelling the behaviour of interacting processes that execute in parallel. In this 
thesis, the components of circuits are modelled as individual processes and then run in 
2 
Introduction 
parallel, thus giving a model of the circuit that can be analysed and provides the ability 
for various properties to be checked. Although modelling a logic circuit in its entirety 
means that desired and undesired behaviours and specific properties can be explicitly 
checked [Peel and Cook, 2000], as the size of the application increases, so the state space 
explosion caused by the fine grained parallel nature of the circuit becomes unavoidable, 
thus resulting in this model checking approach becoming impractical. Even though this 
technique becomes infeasible as the size and complexity of the application increases, it 
does work for small circuits and as such this has formed the basis for the work of proving 
the compiler's hardware generation process presented in this thesis. 
The process of proving the compiler, and thus the automated method for converting 
software into fine grained parallel hardware circuits, has been achieved by utilising the 
grammatical structure of the OCCAM language to dictate how small segments of circuit 
are composed together. CSP models have been used to describe small segments of logic 
circuits corresponding to each grammatical construct, while proving that each segment of 
circuit achieves the desired behaviour that the corresponding component requires. These 
segments of circuit are then proven to be able to be composed together as specified by the 
OCCAM grammar. The combination of these proofs enables the software specification to 
be directly converted into a logic circuit through a one-to-one mapping, whilst 
guaranteeing that the behaviour of the circuit is as specified. 
Through guaranteeing that the logic circuits created by the compiler will always conform 
to the supplied software specification, one avoids having to model-check each logic 
circuit that is created. This is possible because the compiler has been designed in such a 
way that the same code generates both the eventual logic circuits and the associated CSP 
models and proofs. This design choice provides a guarantee that the models and proofs 
that specify how the circuits were designed directly match how the compiler generates its 
output. Thus, because the compiler itself generates the models and proofs, this ensures 
that the proofs and compiler's actions match at all times. 
1.2 Possible Utllisation 
Designing and developing an application through the use of a software language, rather 
than custom-designing parts in hardware, simplifies the ability to sub divide the parts of 
the tasks that will run on a processor or be converted into hardware (software/hardware 
3 
Introduction 
co-design). By having the whole application specified at the software level, combined 
with the ability to convert this software specification into hardware, the component parts 
may be reclassified from `running on a processor' to being `converted into hardware', and 
vice versa. This re-classification could depend upon the available resources and desired 
performance requirements. The software components designated to be run on a processor 
can be implemented in one of two ways - either on a host processor (e. g. a PC) or on a 
special-purpose built processor on part of an FPGA [Page et al, 1998]. 
The process of designing hardware at the software level is particularly useful when 
considering FPGAs that can have sections dynamically reprogrammed or restructured 
while still running (reconfigurable computing, e. g. [Romer et al, 2000]). Working at a 
higher level of abstraction than that of the electrical component level would simplify the 
process of selecting how to split the application into blocks to be re-programmed onto the 
FPGA chips, along with the conditions under which these reconfigurations should take 
place. The most obvious direct benefit resulting from this thesis is the simplification of 
programming FPGAs at a higher level of abstraction, leading to the automatic design and 
development of the logic circuits and the formal verification of the validity of the 
generated hardware. 
13 Thesis Outline 
Chapter 1 covers a brief introduction to the work covered in this thesis. It states that the 
software to hardware compiler that has been developed generates both the logic circuits 
and CSP proofs describing and proving how those logic circuits are generated. The proofs 
are also tightly integrated into the compiler, guaranteeing that the behaviours of the 
compiler and proofs are both consistent and valid. 
Chapter 2 provides background information concerning the various technologies used in 
this thesis. This covers topics such as the OCCAM programming language, the formal 
process algebra CSP, FDR2 which is a tool to perform refinement and deadlock checks on 
CSP models, digital logic, FPGAs and methods for programming them. 
Chapter 3 is work that directly builds upon [Peel and Wong, 2004]. It automates the 
previously hand generated process of modelling the overall behaviour of the logic 
circuits, through modelling the individual hardware components of the circuit and running 
them in parallel. The result of this work shows that although this technique is feasible for 
4 
Introduction 
small logic circuits, the process does not scale. Model checking the generated CSP model 
of the circuit, for various properties, rapidly suffers from state space explosion as the 
circuit size increases. This problem arises because of the large amount of fine grained 
parallelism that is unavoidable when modelling the circuits at the hardware level. Thus a 
small increase in the amount of hardware a circuit uses will have a dramatic increase in 
the amount of state space that has to be checked. 
Chapter 4 utilises the fact that the work covered in chapter 3 is feasible for small circuits. 
The compiler was completely redesigned and rebuilt, as part of this research, to take 
advantage of this. Through utilising the grammatical structure of the OCCAM language to 
dictate how an application is converted into hardware, the conversion of each 
grammatical construct can be proven independently of one another. The small segments 
of circuit for a grammatical construct can be modelled using the technique covered in 
chapter 3, enabling it to be proven valid and correct. By modelling, and thus proving that 
each component performs the task that it represents, it is possible to guarantee that 
combining instances of these grammatical constructs in a one-to-one mapping to that of 
the application's OCCAM specification, guarantees that the resultant circuit will behave 
as required. This is achieved without having to explicitly check the generated circuit, thus 
avoiding the state space explosion as the circuit size increases, as the amount of state that 
is required to be checked is dependent on the size and complexity of the OCCAM 
language, and not the application being converted. This is possible because the technique 
only requires that each grammatical construct be proven once, and using type checking 
and inheritance available within Java ensures that components can only be connected 
together in structures allowed by the OCCAM grammar. As stated previously, the 
compiler was required to be redesigned and re-implemented to be able to fully utilise this 
technique, as the previous version did not contain well defined boundaries between 
grammatical constructs. This redesign and reimplementation of the compiler took 
advantage of tightly integrating the logic generation with the generation of the models and 
proofs, which the technique covered in this chapter requires, thus enabling one to 
guarantee the behaviour of the proofs and the compiler match. 
Chapter 5 demonstrates a small example. Commstime is a program, comprising of four 
parallel processes that circulate data values using channel communication. It presents the 
OCCAM specification, the corresponding abstract syntax tree (AST) and an analysis of 
how the grammatical constructs are nested, how they trigger each other (i. e. a 
5 
Introduction 
demonstration of when components start and complete). An alternative implementation of 
commstime is then presented (along with its trace), that utilises pipelining to slightly 
reduce the cycle time of the program. A step through analysis is then presented, 
demonstrating how optimising a single grammatical construct would improve the 
performance of the application. This chapter also presents a larger example, a digital 
clock that accepts user input to alter the time, whilst simultaneouslt displaying the time on 
an LCD display. 
Chapter 6 states that, as expected, the compiler worked first time. With the hardware 
generation process of the compiler being formally modelled, the output logic circuits are 
guaranteed to perform as expected. Thus as the CSP proofs have all been run through 
FDR correctly, the only possible outcome was that the compiler would work first time. 
Appendix A covers the other supporting work that has been performed in this research, 
but is not critical to the comprehension of the main body of the work. This appendix 
focuses mainly on the combined digital logic circuit simulator and graphical logic circuit 
visualiser that were developed to aid the debugging of the initial compiler. This section 
also explains the two custom-developed heuristics that the visualiser can utilise to 
simplify the visual layout of the logic circuits within this tool. 
Appendix B contains the CSP models of the low level hardware components that were 
utilised for the work covered in chapter 3 and in [Peel and Pizarro, 20051. Appendix C, on 
the other hand, contains the low level models representing the hardware components that 
were used for the work covered in chapter 4. The reason why an alternative set of CSP 
models was created for the work covered in chapter 4 was because, for the redeveloped 
compiler to be proven to be correct, the models of the hardware components must also 
model the reset functionality to be able to demonstrate that the compiler wired it up 
correctly. The work in chapter 3 did not model the reset functionality in an attempt to help 
to minimise the state space explosion. 
Appendix D presents the CSP models and assertions to prove and define the allowed 
behaviour for an example of a single type generic component (these component 
categories are discussed in section 4.3 and 4.5). This appendix contains the various 
models at numerous levels of abstraction (a hardware behavioural model, a higher 
abstract behavioural model, a combined higher abstract and hardware behavioural model), 
together with processes to manipulate the models and show consistency between them, 
6 
Introduction 
along with various assertions to demonstrate and prove desired properties. This 
component is the super type of the single type component presented in Appendix E. 
Appendix E provides the CSP models and proofs for an example of a single type 
component, which is a sub-type of the example given in Appendix D. This section 
contains CSP models representing the generated hardware, along with the expected 
behavioural models of that hardware. This section contains proofs that demonstrate that 
this implemented grammatical construct is both in itself valid, and also a valid refinement 
and sub-type of its super-type component contained in Appendix D. 
Appendix F and Appendix G are similar to Appendix D and Appendix E respectively, but 
where the components that they represent are multi-type components. These multi-type 
components can be variables that have the ability to be both set and/or read from, or 
channels where data can be transmitted and received. Apart from the CSP to represent the 
various models and the relationships between them, this section also contains proofs to 
demonstrate that the individual interfaces of these multi-type components are valid 
refinements and implementations of their corresponding single type specifications. The 
models contained within this section demonstrates and proves the properties of how 
instances of these interfaces interact with each other. 
Appendix H and Appendix I are similar to Appendix D and Appendix E, but where the 
method for obtaining the higher behavioural abstract models has been adapted. Through 
slightly modifying the method for annotating the hardware behavioural model, the higher 
behavioural abstraction model can be tailored to give a more software-oriented 
perspective, as opposed to the hardware-oriented view that is presented in Appendix D 
and Appendix E. 
Appendix J presents a simplified description of the proof framework which would be 
possible if the reset functionality were not to be considered in the model. The reason why 
the reset functionality causes the implemented proof framework covered in Appendix D 
through to Appendix G and chapter 4 to be more complex than the work covered in this 
section, is because a single higher behavioural abstraction event maps onto the 
combination of multiple parallel low level hardware events. This causes a problem, as the 
combination of separate multiple distinct parallel events cannot be mapped directly to a 
single event. Also, as the hardware generation process of the compiler is required to 
7 
Introduction 
connect the reset signals in the logic circuits it generates, to prove the generation process 
the models used in the proofs, it must be able to contain and represent this behaviour. 
Appendix K contains some supporting CSP models for the example that the speculative 
work in Appendix J requires. 
Appendix L defines the various clock cycle implementation times for the implemented 
components and any dependencies upon any internal components that they require. It also 
demonstrates graphically the timing for the on-chip channel communication that has been 
implemented. 
8 
2 Literature Review 
In this chapter, the literature that provided the motivation for the research is identified, 
and an overview of the different languages used in the thesis: OCCAM and CSP together 
with their supporting tools. Other approaches to hardware/software co-design are also 
compared, which start with a description of the proposed system using a programming 
language. 
The research in this thesis is based upon [Peel and Cook, 2000], initially extending their 
approach by automating the CSP model creation of the logic circuits (see chapter 3 and 
[Peel and Pizarro, 2005]) which were previously hand crafted. These papers chose to 
utilise OCCAM (see section 2.4) as the starting language to specify an application that is 
converted into parallel hardware for programming onto an FPGA (see section 2.1) and 
CSP (see section 2.2) as the formal algebra that is used to create the models and perform 
the proofs. This is a natural combination, as OCCAM [SGS-Thompson Microelectronics 
Ltd, 1995] was initially inspired by CSP [Hoare, 2004]. 
Similar work, covering the conversion of OCCAM or OCCAM-like languages into 
hardware for programming onto FPGAs, has been attempted previously. Ian Page and 
Wayne Luk built a prototype OCCAM to FPGA compiler in Prolog [Page and Luk, 
1991 ], with the choice of using Prolog being that "the implementation and proof are very 
close to each other". The utilisation of the phrase 'very close to each other'' combined 
with the lack of any mention regarding integrating the proof directly into the compiler 
does not guarantee that the implementation matches the proof, even though the theory of 
how the compiler works may be proven. The framework presented in [Schenke and 
Dossis, 1997], on the other hand, is a denotational semantics of the Handel-C language, 
stating that "It is the ambition of the authors work to supply a transformational 
framework in which an implementation relation can be defined between Handel and 
hardware ... " (Handel-C 
is defined in [Agility Design Solutions Inc. 2007] and [Ian Page, 
1997]). This framework demonstrates the theory that the compiler is built on, but it has 
not been integrated into the compiler. Thus, it does not guarantee that the compiler 
matches the proofs. If the compiler conforms to the rules, it will generate the hardware 
correctly but no guarantee is given that this is the case. For example, whilst the code for 
Literature Review 
creating the hardware may contain a subtle bug, the current maturity of the tool helps to 
build confidence that this is not the case, but it does not guarantee it. 
Handel-C was initially based on OCCAM; its compiler was commercialised in early 1996 
as the main product for "Embedded Solutions Limited" (which in 2000 was renamed to 
Celoxica, who recently have sold the DK Suite that contains the Handel-C compiler to 
Agility Design Solutions Inc). As the Handel-C hardware compilation tool has never been 
promoted as being formally proven, one can assume that the proofs covered in [Schenke 
and Dossis, 1997] were never integrated into the compiler. This conclusion is based on 
the fact that tightly integrating the proof into the compiler impacts upon the design. The 
paper states that "Handel is a language already used by hardware designers" and that this 
technique has the "potential" for integration into hardware compilation systems, the 
implication that it was not integrated into the compiler at the time of writing the paper can 
be deduced. Integration of the technique into the compiler would have resulted in a 
considerable refactoring of the compiler code, work that is both highly detailed and time 
consuming. To the best of our knowledge, the Handel-C compiler remains unproven. 
2.1 FPGA 
A field-programmable gate array (FPGA) is a type of programmable logic chip. The 
device is comprised of an array of configurable logic blocks (CLBs) that can be 
connected together by a programmable connection framework, thus representing a 
clocked digital circuit. Apart from being able to represent thousands of simple logic 
blocks (`and' gates, 'or' gates, `flip-flops' etc) interconnected together, FPGAs can also 
contain devices such as special data processing units, memory blocks and complete 
processors such as the PowerPC [Xilinx, 2005]. 
2.1.1 Programming FPGAs 
There are numerous ways to program FPGAs [Wain et al, 2006], with manufacturers 
usually providing a basic schematic tool that takes a low level circuit, performs 
optimisations and converts the result into a format for `place and routing' (i. e. 
programming or configuring) of the FPGA chips. These tools, although they tend to 
provide a graphical representation for the development and specification of a circuit, 
usually generate low level circuit specifications or netlists e. g., Electronic Design 
10 
Literature Review 
Interchange Format (EDIF) [EDIF Steering Committee, 1988] of the circuit to program 
onto the FPGA. The problem with the task of designing, developing and reasoning about 
circuits at this low level is that the required work tends to scale poorly and becomes much 
more difficult as the complexity of the system being developed increases. As mentioned 
previously, the use of simulations and test vectors [Riesgo et al, 1998] becomes 
impractical as the circuit size increases. 
The VHSIC Hardware Description Language (VHDL, [IEEE Std-1076,2002]) and 
Verilog [IEEE Std-1364.1,2002] design languages were developed to simplify the design 
and specification of digital hardware. They provide a way to specify a hierarchy of 
modules through specifying the physical and/or behavioural characteristics of the logic 
being built. JHDL [Bellows and Hutchings, 1998], like VHDL, is another hardware 
description language. Each type of logic element is represented by a Java class, and Java 
methods are used to specify how instances of these classes can be interconnected 
together. Typically, the method utilised for testing HDL specified components and 
evaluating their interactions is through simulation, checking every permutation of the 
signals that can occur. This is a very demanding and computationally expensive process. 
Even though VHDL is currently one of the main languages used to design FPGAs, as the 
size and complexity of the systems one wishes to create increases, new development 
methods and languages are going to be needed to help one cope with designing and 
developing them. 
SystemC [IEEE Std-1666,2005] is a C++ class library that has been built to have 
hardware orientated constructs. It utilises a thread-like mechanism for parallelism, with 
event methods to provide synchronised communications Alternatively, Handel-C 
([Agility Design Solutions Inc. 2007] and [Ian Page, 1997]) is a programming language 
with C-like features, but is similar to CSP in the fact that when two processes need to 
exchange data they both have to perform the relevant I/O task synchronously. If both 
processes are not ready to exchange that data, then one waits for the other. When both 
processes have completed the data transfer, they can continue to perform their own tasks. 
2.2 CSP 
CSP (Communicating Sequential Processes) [Hoare, 2004] is a process algebra. Its main 
use is in the description of parallel processes and their interactions. CSP, and its machine 
11 
Literature Review 
readable form CSPM, can be manipulated to check events or prove various properties of 
the system being modelled. To assist with performing this task, several automated tools 
are available (e. g. FDR [Formal Systems Ltd, 2005], see section 2.3). The investigation of 
various properties of parallel processes is achieved through examining all permutations of 
how these parallel processes are serialised, with each specific ordering of the execution of 
the events being a specific trace. It is through examining these traces that one can 
determine if particular properties hold true or not, a fact that has been used within this 
thesis to examine models that represent logic circuits and the software to hardware 
conversion process. 
2.2.1 Processes and Events 
A process can be comprised of zero or many events, followed by another process. The 
events represent actions or communications, specified as atomic names (e. g. on or ot'), 
compound names (e. g. light. on or light. of/), or channel input/output events (e. g. 
lightswitch? x or sendstate! x). Various algebraic operators can be used to build up and 
specify more complex behaviours, and some of these are described below. 
E. g. A process P that can do event a followed by event b, an infinite number of times, is 
defined as: 
P=8 ->b->P 
2.2.2 External Choice: Determanistic Choice 
External choice is a branching point, enabling a process to offer multiple choices of 
events it is prepared to perform. The choice of which path gets executed is determined 
externally from the process. 
E. g. A process R that is defined as event a or b followed by process P, or event c followed 
by process o, is defined as: 
R-a -> P 
C] 
b->P 
[] 
c->Q 
12 
Literature Review 
2.2.3 Internal Choice: Non-determanistic Choice 
Internal choice is a branching point, where the process chooses which of the multiple 
options to offer. This differs from external choice, where the process offers all the 
available options. 
E. g. A process R that is defined as a process that offers event a followed by process P, or a 
process that offers event b followed by process o, is defined as: 
Ra -> P 
1-1 
b ->Q 
It should be noted that process R behaves the same as: 
R- Z ->a ->P 
[l 
Z ->b ->Q 
Where r (tau) is a hidden event. 
2.2.4 Hiding 
The hiding operator provides a mechanism to enable specific events to be hidden (i. e. to 
be unobservable). 
E. g. A process R that is defined as event a followed by process P, with a events hidden, is 
defined as: 
R- (a -> P) \ {a} 
If process P does not contain any a events, then process R behaves as process P. If process 
P does contain a events, then this is not the case, because the a events within this instance 
of process P are also hidden. E. g. If P is defined as: 
P-a -> b -> P 
Then process R would behave as if it was defined as: 
R-b -> R 
2.2.5 Boolean Guards 
Boolean guards provide a mechanism to only offer options under specified conditions. 
E. g. A process R that is defined as the process P, guarded by the condition g, is defined as: 
R. 9& P 
This process will only offer to perform the process P, if the condition g evaluates to true. 
13 
Literature Review 
2.2.6 Let Within 
`Let Within' blocks enable the scoped definition of sets and processes, but not channels. 
E. g. A process R locally defines a process s, which can only be used within process R, is 
defined as: 
let 
S. a -> S 
within S 
The process s cannot be used outside process R, so the following defined process is 
illegal, as process s has not been defined: 
0-s 
2.2.7 Alphabetised Parallel 
Running two or more processes in alphabetised parallel, each process can only perform 
the events specified for them, and they are also required to synchronise on the common 
events in the alphabets. 
E. g. A process R that is defined as process P and o run in parallel with their corresponding 
alphabets, is defined as: 
R- P[{a, b} II {b, c}]Q 
This defines that process P can perform events a and b, process g can perform the events b 
and c, with the processes requiring synchronisation on b events. If process P and o are 
defined as: 
P Q. cc -> b -> Q 
Process R behaves the same as if it was explicitly defined as: 
R. a-> c-> c -> b -> R 
[] 
C -> (a -> c -> R 
[] 
C -> a -> R) 
2.2.8 Shared Parallel 
Running two or more processes in shared parallel requires that the processes synchronise 
on the specified events. All the processes can only perform the specified events, if all the 
processes perform the event at the same time. 
E. g. A process R that is defined as process P and Q run in parallel synchronising on event 
b, is defined as: 
Q R-P CI {b} 11 
14 
Literature Review 
If Process P and Q are defined as: 
P. a -> b -> P Q=c->c->b-> 0 
Process R behaves the same as if it was explicitly defined as: 
R-a->c->c->b->R 
U 
c -> (a -> c -> R 
[) 
C -> a -> R) 
2.2.9 Interleaving 
Interleaving two or more processes enables the processes to execute their events 
independently of the each other. A trace, the sequence of events that have occurred, can 
be built up from executing from any of the processes any of the possible events that they 
can next perform. 
E. g. A process R that is defined as processes P and Q interleaved, is defined as: 
R-P III Q 
If process P and Q are defined as: 
P"a->b->SKIP Qc ->b -> SKIP 
The possible traces for process R are: 
<a> 
C> 
<a, b> 
<a, c> 
<c, a> 
<c, b> 
< a, b, c 
< a, c, b> 
< C, a, b> 
<c, b, a> 
< a, b, c, b> 
< a, c, b, b> 
< c, a, b, b> 
< c, b, a, b> 
2.2.10 Congruence & Monotonicity 
The semantics are congruent if for all operators within the language (i. e. CSP), the result 
can be computed from the the application of it on its component parts. i. e. "it is possible 
to compute S[[P 0 QJJ in terms of S[[P]] and S[[QJJ" [A. W. Roscoe, 1998]. 
For the context of a process to be monotonic, if process P is contained within process Q, 
then the context of P must also be contained in the context of Q. i. e. 
"P QQ C[I'l Q C[QJ "" 
15 
Literature Review 
2.3 FDR 
FDR (Failures-Divergence Refinement) is a CSP refinement checking tool [Formal 
Systems Ltd, 2005] produced to check and establish properties of CSP models. Through 
testing for refinements of the system (see below), it can check to see if specific properties 
hold true or not. It is able to systematically check all the possible states and transitions 
that the system can reach and perform, being able to determine if the system is 
deterministic, deadlock free (i. e. the CSP model can never reach a state where there are 
no events to perform) and/or a valid trace refinement of another CSP model. This thesis 
uses FDR to examine, analyse and compare against each other, the CSP models used to 
represent the logic circuits and software to hardware compilation process. 
A CSP process is a valid trace refinement of another process ('P [T- o', or 'Q is a trace 
refinement of P'), if all the allowed orderings of events that can occur also exist in the 
process it is being trace refined against (i. e. all traces that Q can produce are contained 
within the traces that P can produce). A process is a failures refinement of another ('P [F= 
o', or 'Q is a failures refinement of P'), if for all points within its traces, all sets of events 
that it can refuse at that point are contained within the sets of events that are refused at the 
corresponding point within the trace of the process it is a refinement of (i. e. for all points 
within the traces that Q can perform, the sets of events that is can refuse to do are 
contained within the sets of events that P can refuse when at the same point within its 
traces). For a process to be a failures-divergences refinement of another ('P [Fn- o', or 
'Q is a failures-divergence refinement of P'), apart from the set of traces and refusals 
having to be contained within that of the process it is refining, the set of traces that dictate 
when it can get into a livelock state (i. e. performing an infinite sequence of internal 
events) is contained within the set of traces that the process it is refining can get into 
livelock. 
2.4 OCCAM 
Occam is what is commonly referred to as a very fine grained parallel programming 
language. It was initially developed by a team at INMOS in conjunction with the design 
of the transputer processor [INMOS 72-TRN-048-03,1987], and it is based on C. A. R. 
Hoare's CSP (see section 2.2) [Hoare, 2004]. 
16 
Literature Review 
Occam supports programming at a very fine grained level both the parallel and sequential 
nature of a program. Communications between the parallel processes is achieved through 
passing messages along channels. The static memory model with Concurrent Read, 
Exclusive Write (CREW) parallel usage [Quinn, 1994] enables the software to be verified 
free from parallel usage errors, which are errors that can occur when channels or variables 
are written to or read-and-written to in parallel. 
Apart from Occam being used as the initial basis of Handel-C, the principles of Occam 
have also been implemented numerous times in Java libraries (e. g. JCSP [Austin, 1998] 
and CTJ "Communicating Threads for Java" [Hilderink, Bakkers and Broenink, 2000]. 
CTJ was renamed from CJT "Communicating Java Threads" for legal reasons, thus it 
may also be referred to in older work by it previous name). It is clear from this that the 
conceptual principles and properties obtainable from the Occam and CSP programming 
style are still considered a worthwhile avenue for practical exploration and utilisation. 
2.5 Clocked Logic 
Clocked logic is the particular type of logic currently produced by the compiler detailed 
in this thesis. This particular type of logic utilises a global clock to control the progression 
of signals through the circuit by controlling when flip-flops output their next signal. With 
the possibility of non-clocked combinatorial logic (e. g. `and', `or' and `not' gates) also 
being contained within the circuit, the maximum allowable clocking speed is dependent 
on the time it takes for signals to propagate through these parts of the system. Although it 
is permissible to have cycles of logic, forming loops, these loops should not normally be 
solely made up of non-clocked logic in a fully-clocked design. If circuits contain non- 
clocked cycles, then race conditions may occur within the circuit, a fact that is often 
undesirable but can be used quite safely in components such as transparent latches. 
2.6 The 10-PAR Design Paradigm 
[Peel and Wong, 2004] determined that the physical behaviour of the components from 
which clocked logic circuits are built behave in an 10-SEQ and 10-PAR manner 
(combinatorial logic and clocked logic, respectively), with the combined behaviour being 
that of the IO-PAR design paradigm covered by [Welch, Justo and Willcock, 1993]. 
17 
Literature Review 
Through combining 10-PAR and 10-SEQ components, various properties of the system 
can be examined, such as deadlock freedom, thus guaranteeing no combinatorial loops. 
Both 10-SEQ and IO-PAR processes run forever, inputting and outputting values on a 
number of channels and performing computation on these values. An 10-SEQ component 
receives its inputs in parallel before performing its outputs in parallel, whereas an 10- 
PAR component sends and receives all its inputs and its outputs in parallel. With the IO- 
PAR components inputting and outputting in parallel, any combination composed 
together as a network is guaranteed to be deadlock-free. From an external point of view, 
the network will be indistinguishable from a single 10-PAR component. 
An 10-Rnet is a network containing 10-PAR and IO-SEQ components, with an I0-SPnet 
being a special type of 10-Rnet. For a network to be an I0-SPnet it must contain no loops 
consisting of only 10-SEQ components, and no paths from an external input to an 
external output of only IO-SEQ components. Therefore externally the 10-SPnet is 
indistinguishable from an 10-PAR component, and as such it is guaranteed to be 
deadlock-fee. 
2.7 SableCC 
As stated earlier in Section 2, this thesis is motivated by Peel's original OCCAM 
compiler which uses the SableCC [Gagnon and Hendren, 1998] parser generator. 
SableCC is a parser generator with an object-oriented structure, written in Java. By 
supplying it with a LALR 1 grammar (the OCCAM grammar required refactoring and the 
addition of several annotations to comply with SableCC's requirements), SableCC can 
automatically generate the parser and AST (abstract syntax tree) for a compiler. Through 
the use of object-oriented techniques, the output that it produces is in a well-structured 
format, with the class inheritance and naming conventions of the produced Java classes 
being directly related to the production rules and annotations within the grammar. This 
linkage of the output to the grammar means that both minor modifications and expansion 
of the grammar can be achieved with minimal fuss and the changes in the output from 
SableCC can be predicted from changes within the grammar. 
The predictability of changes within SableCC's output means that it is particularly suited 
for use with prototyping. This means that software written to utilise sections of the 
generated parser that have not changed can continue to be used when modifications to the 
18 
Literature Review 
grammar have been made. As the parser, abstract syntax tree (AST), and custom 
executable code are separate from each other, the work presented in this thesis is 
relatively independent of the parser generator being used. 
2.8 Comparison with Related Work 
This section highlights other related research that covers different aspects of the work 
presented in this thesis. Firstly, the work covered in this section describes underlying 
languages with formal semantics. This enables the analysis of the behaviour of the 
software specification, which contrasts with the approach of my thesis, which concerns 
itself with the production of verified hardware and the integrated method of validating it. 
In this thesis, the models covered are used in the analysis of how the logic is created, 
providing a proof of construction. Secondly, this section examines various tools that 
contain verification functionality through model checking. 
The work covered in [Butterfield & Woodcock, 2006], provides denotation semantics of a 
`possible (very naive) hardware implementation" of Handel-C. This is achieved through 
modelling the hardware as a finite state machine, whereby it is defined as a single fixed 
function describing how the state changes. With the technique being created 
independently from a practical tool (e. g. the Handel-C compiler), the technique enables 
one to analyse how hardware may be created, but it does not guarantee that a tool builds 
hardware in this manner and therefore can be considered foundation work. Whereby the 
more recent work covered in [Perna & Woodcock, 2008] describes the "limited progress" 
that has been made towards both an axiomatic semantic definition of Handel-C and 
algebraic rules to describe the characteristics of a Handel-C program, with their work 
tending to the unification of the various semantic models of Handel-C. 
Augmenting existing tools with formal verification capabilities is common in several 
industrial tools. For example, [Hamon, 2008] describes the Simulink Design Verifier, a 
verification tool for Simulink enabling the user to automatically create test cases and 
check for the existence of various behavioural properties. Similarly [Köhler and Kant, 
2004], describes a verification tool for Esterel SCADE. Both verification tools have been 
implemented using the Prover Plug-In [Sheeran, 2000], a product developed by Prover 
Technology (hup: //vrover. com) based on StAlmarck's method of tautology checking using 
propositional logic [Harrison, 1996] and [Sheeran & Sti3lmarck, 2000]. 
19 
Literature Review 
Augmenting a tool after it has initially been designed and developed with the ability to 
formally model properties of a system, would require that the tool perform a translation of 
a defined system from one representation to another. This means that an instantiation of 
the internal data structure of the tool (uses to represent a system), would have to be 
converted to the data structure that the proof tool requires so that properties of the model 
could be checked. This unseen conversion from one data structure to another has the 
potential to invalidate the formal verification if errors or bugs were to occur. In essence, 
these errors can have two main effects, which are: 
1. That behavioural properties (desired and/or undesired) which are specified by a 
system, may not be represented within the model that is formally checked (i. e. the 
formally checked model may not be the model that was specified in the tool, or 
the resultant output of the tool). 
2. That a defined system can cause the translation process to fail, resulting in not 
obtaining a formal model to check. This is different from creating a correctly 
specified model that cannot be analysed due to known limitations of the formal 
verification process (e. g. due to state-space explosion). 
It is the previously experienced difficulties caused by the second point specified above 
that highlights the existence of the hidden conversion step and the presence of problems 
with it. For example, the Design Verifier that is part of Esterel SCADE 6.0, which enables 
the user to check for properties within a system that they have defined using the tool 
(graphically and/or textually), can be made to fail to create a model for formal verification 
(although the tool will both simulate it correctly and create the valid resultant output), 
through defining a model that combines trivially together a collection of simple constructs 
that the design verifier independently manages to process and analyse (see Appendix M 
for a simple example). 
The removal of the potential for error, within the integration of formal verification into a 
tool, was part of the aim for the work tackled in this thesis, and it was achieved through 
designing and developing the tool whilst taking into consideration the desire for tight 
integration of the creation of the proof at the same time. The code within the software-to- 
hardware compiler can directly build both the hardware circuit representation and the 
formal model of that hardware to use in the proof, thus guaranteeing that they match, as 
the data structure does not have to be manipulated or restructured. Even though this is a 
20 
Literature Review 
sound and viable approach to take to this problem, it is uncommon as it requires a holistic 
problem solving strategy, simultaneously taking into consideration all factors relating to 
the problem. 
21 
3 Preliminary Work: Automatic CSP 
Modelling of Generated Logic Circuits 
The original concept of this research was to automatically model the output of a software- 
to-hardware compiler which produces fine-grained parallel logic circuits. Due to the 
results of the preliminary work obtained within this chapter, the research concept was 
refined in chapter 4. Prior work had demonstrated that a formal model of a logic circuit 
may be built, from which its behavioural properties can be examined and verified to be 
correct, thus guaranteeing that the circuit performs the desired task. 
The work reported in this chapter covers how the low level logic components are 
modelled, along with how these models are utilised to produce a representation of the 
hardware. This chapter also demonstrates how this representation of the hardware can be 
utilised to validate the generated logic circuits. It also describes some of the limitations 
that this technique suffers from, along with the early strategies utilised in an attempt to 
manage these limitations. 
Although this technique cannot sensibly scale up as the circuits become larger (due to the 
modelling technique suffering from state-space explosion), the work explained in this 
chapter is critical to that of the main body of the research covered in chapter 4. 
3.1 Modelling Logic Circuits 
As indicated in [Peel & Wong, 2004], a CSP model of a logic circuit can be created. This 
can be achieved by running in parallel models that represent each of the logic components 
in the circuit. The circuits' behaviour is explored by simulating the interactions of the 
hardware components by modelling the circuits' net-list data structure. This provides a 
formal model of the circuit, which is then examined to prove the existence (or lack) of 
various properties. 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
Lchar 1 
chan clock 
D-Type 
Flip Flop 
vcc 
(INST_2) 
chan 2 
INST_3 
(INST 1) 
than 
CLK 
T-Type 
Flip Flop 
(INST_4) 
chan 5 
0 
Figure 2: Pictorial representation of the Logic Circuit from Figure Son page 8 
3.2 Modelling Logic Components 
The process of modelling the logic components (AND gates, OR gates, FLIP-FLOP's etc) 
involves building individual processes to represent each component. Because clocked 
logic circuits are being modelled, the components used fall within two distinct sub 
categories, clocked and non-clocked logic. The strategy chosen to underpin the modelling 
of these logic components is the 10-SEQ / IO-PAR model [Welch, Justo and Willcock, 
1993], with the non-clocked components being 10-SEQ and the clocked ones IO-PAR. 
3.3 Why Use CSP? 
One of the initial reasons for utilising CSP to model the logic circuits, is because it was 
used for the modelling of logic circuits by Peel & Wong [Peel and Wong, 2004]. Their 
work involved hand crafting CSP models of the individual logic components and running 
them in parallel, thus enabling them to specify logic circuits. The CSP model of a logic 
circuit was then compared against a high-level CSP specification of the program's 
algorithm. Using FDR2 [Formal Systems Ltd, 2005] various properties of the two circuit 
models could be tested, enabling the circuits' validity and correctness to be verified. More 
compelling reasons for the utilisation of CSP are covered later, in section 4.4.1. 
23 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
3.4 Component Models in CSP 
The CSP models used in this section of the research takes its inspiration from the models 
used in the work covered by [Peel & Wong, 2004]. Figure 3 illustrates an 10-PAR 
behavioural model of a D-Type Flip-Flop, where its inputs and outputs can occur in either 
order during each clock cycle (i. e. between clock events). 
D TYPE(clock, din, clout) 
let 
A (x) 
gout !x -> din ?z -> clock -> A(z) 
f] 
d_in ?z -> gout !x -> clock -> A(z) 
within A(0) 
Figure 3: Simplified D-Type Flip-Flop Model 
Appendix B contains the models of the low level logic components used within chapter 3, 
although the work reported in chapter 4 uses an alternative implementation. The 
alternative implementations are illustrated in Appendix C, with the reasoning behind the 
adaptation of the models covered in section 4.4.2. 
3.5 Circuit Models in CSP 
For each logic component contained within the circuit, a CSP process was created as an 
instance of the model that describes the behaviour of that component (e. g. Figure 4 
illustrates both graphically and in CSP, an instance of an "AND" gate). 
CSP Specification of an AND Gate 
-- Declaration of signal channels that the gate 
-- is wired to. 
STATE - (0,11 
channel chap inputl : STATE 
channel chan_input2 STATE 
channel chan_output STATE 
-- Declaration of an instantiation of a tiro 
-- input AND gate. 
INSTAND - 
AND GATE( chan_output, 
<chan_inputi, chan_input2> 
-- Alphabet of instantiated AND gate 
ALPRA_INST_AND - 
(I chap output, chan_inputi, chan_input2 
A Graphical Depiction 
chan_output 
Flgare 4: An Instantiation of a Two Input AND Gate 
These CSP processes were then run in parallel so that they synchronise on events which 
they share with each other. This synchronisation was achieved by going through all the 
24 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
processes and running them in parallel, synchronising on any events that the current 
process shares with that of any of the preceding processes specified in the 
"SYSTEM LIST". Figure 5 illustrates the CSP required to create instances of the logic 
gates and connect them together for the segment of circuit presented in Figure 2 on page 
8. 
An alternative method for specifying the logic circuits is through writing an algorithmic 
specification of the circuit. This algorithmic specification describes the relationship and 
dependencies between the circuits' inputs and outputs. An example of this is illustrated in 
Figure 6 for the circuit presented in Figure 2 and again in Figure 5. 
-- Channel D. clarationi 
STATE - {0,1} 
channel char clock 
channel chan_l, chan_2, chan_3, chan_4, chan_5 : STATE 
-- Logla Components 
ALPHA INST_1 - {I chan_clock, chan_3, chan_1 
INST_1 - D_TYPE(chan_clock, chan_3, chan_1) 
ALPHA INST 2- {I chan_2 
INST 2- VCC(chan_2) 
ALPHA_INST_3 - {I chan_2, chan_3, chan_4 
INST_3 - AND_OATE(chan_4, <chan_2, chan_3>) 
ALPHA INST 4- {I chan_clock, chan_3, chan_1 
INST_4 -T TYPE(chan_clock, chan_4, chan_5) 
-- The Circuit llodal 
SYSTEM CIRCUIT - CIRCUIT PAR(SYSTSM LIST, SYSTEM-ALPHA) 
-- Lie_t of Cagpoaoati Uaad & their Alphabat& 
SYSTEM-LIST -< (INST 1, ALPHA_INST i), (INST_2, ALPHA_INST_2), 
ý (INST_3, ALPHA 
_INST 
3), (INST_4, ALPHA_INST_4) 
-- Chaanal" to/from Outside Circuit 
SYSTEM 
-ALPHA - 
tl chan_clock, chan_1, chan_5 
-- Process Used to Run Casjponents in Parallel 
CIRCUIT PAR(component_list, outer alpha) 
let 
-- Deadlock it no circuit components 
A(<>) - STOP 
-- If an* aogponent, run it biding inner abanaela 
A(<(pl, al)>) -( pi \ diff(al, outer_alpha) 
-- If aultiple amponent, run in parallel 
A(<(p1, a1)>'<(p2, a2)>"p3) - A(<(B(p1, a1, p2, a2), union(a1, a2))>"p3) 
-- Run two ac pon. nts in parallel 
B(pl, al, p2, a2) - (p1 [I inter(al, a2) 11 p2) 
within A(aorponent list) 
Figure S: Example CBP of Running Logic Components In Parallel 
25 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
-- Channel Declarations 
STATE - (0,1} 
channel Chan clock 
channel chan_1 STATE 
channel than 5 STATE 
-- The Algorithmic Specification of the Logic Circuit 
SYSTEM SPECIFICATION 
let 
-- Perform the 1O in parallel 
A (x, y) - 
chan_1 ?z -> chan_5 !y -> B(z, y, x) q 
than 5! y -> chan_1 ?z -> B(z, y, x) 
-- Coe}pute the next cycles output 
B(x, y, z) - 
Chan clock -> 
(z -- 1& A(x, 1-y) 
11 
Z -- 0&A (x, y) 
within A(0,0) 
Figure 6: Algorithmic Specification of the Logic Circuit from Figure 5 
3.6 Proving the Logic Circuit is Equivalent to a Low Level 
Specification 
By creating a direct representation of the generated circuit (e. g. Figure 5) along with an 
algorithmic specification of the desired behaviour (e. g. Figure 6), one can test and prove 
various properties of the hardware using FDR2 (see Figure 7). ' 
-- Check that the modal of the specification is deadlock free 
assert SYSTEM SPECIFICATION : [deadlock free [F]) 
-- Check that the model representing the circuit is deadlock free 
assert SYSTEM_CIRCUIT : [deadlock free [F]) 
-- Check that the circuit and specification have the sage behaviour 
assert SYSTEM! SPECIFICATION [FD- SYSTEM CIRCUIT 
assert SYSTEM_CIRCUIT [FD- SYSTEM SPECIFICATION 
-- If both the failure divergence refinement assertions hold true, 
-- this guarantees that the the two previous deadlock free assertions 
-- will return the saau results. 
Figure 7: Simple Testing of the Generated Circuit 
The basic testing involves ensuring that the model of the logic circuit generated is 
equivalent to that of the specification containing the desired and expected behaviour. This 
is achieved in FDR2 through the use of failures divergent refinement models. The 
deadlock-free check done in FDR2 helps to ensure that the models do not contain any 
race conditions or other undesirable properties, this is because the models were designed 
and constructed so that occurrences of specific properties would cause them to deadlock. 
26 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
3.6.1 Performance Problems: State Space Explosion 
Even relatively simple OCCAM programs compiled into hardware produce large numbers 
of flip-flops and logic gates. Since simulating these generated circuits requires us to 
model the system at the hardware level, a straight mapping into CSP quite rapidly leads to 
an uncontrollable state space explosion when specifications such as those in Figure 5 are 
model checked. The main work reported in chapter 4 focuses on attempting to bypass this 
state space explosion. The preliminary work in this chapter covers several simple 
techniques in an attempt to manage or delay this problem: 
Simplification of the logic component models (see section 3.6.3) helps to alleviate 
the state space problem, although further techniques can also be used. 
" The high quantity of fine grain parallelism, combined with the fact that we are 
generating clocked logic (where we assume that the choice of clocking speed is 
such to enable the circuit to stabilise between clock cycles) means that we can also 
utilise `CHASE' compression and is discussed in section 3.6.2. 
3.6.2 Utilising CHASE to Achieve Viable Runtime Simulations 
To enable the simulation of the logic circuits to run within a viable time period, we started 
by applying CHASE compression in FDR to the outer level of the CSP process that 
represents each circuit. We can utilise CHASE, which selects one trace order for 
interleaved tau events, due to how we model and combine the logic components to 
represent the circuit in CSP. 
When instances of the CSP representing each logic component in the circuit are joined in 
parallel (see section 3.1), the (me grain parallelism contained in the hardware can cause 
the CSP to have a vast numbers of interleaved events. The reason why we can avoid 
checking every possible interleaved trace ordering is because CHASE works on the 
hidden events that represent internal signals between logic components. The way we 
chose to model the logic components (see section 3.2 and 4.4) causes each channel to 
trigger once and only once in each clock cycle. If this were not the case, the model would 
deadlock regardless of the interleaving order of the hidden events. Choosing any one 
triggering order is sufficient for the CSP to operate, and CHASE achieves this. 
27 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
3.6.3 Implementation & Model Simplification 
Although modelling each of the logic components can be perceived as an individual task, 
the fact that instances of these models are combined together to represent circuits has 
implications that affect both their design and their implementation. Since the CSP models 
of these components are exclusively used to create representations of the circuits that the 
compiler generates, it is possible to guarantee several of their properties (see below) and 
to utilise these to simplify the models, thus reducing the state space that is model checked. 
" Clocked logic components only need to know the last states on their inputs before 
the clock event (the low-to-high clock transition). Thus the ability to receive 
multiple different input values in any one clock cycle can be removed from the 
model as it is not needed, thereby reducing the state space of the models. 
" The clocked components we utilise only alter their outputs on a low-to-high clock 
transition. Therefore the clock low-to-high transition can be modelled as a single 
event, as opposed to modelling both the high and low states. 
" Each circuit utilises a single global reset that can only be triggered from outside 
the circuit. Triggering the reset will cause the circuit to revert to its initial state. 
Thus, the reset signal can be removed as its assertion simply starts the model 
again. This is because no part of a circuit can carry state over the reset occurrence, 
and therefore cannot alter the behaviour of its next instantiation. Also, the circuits 
that the compiler currently generates cannot be self resetting (i. e. they can not 
trigger their own reset). 
The models that represent the logic components have undergone several iterations for two 
main reasons (see Figure 8 and Figure 3), the first being that I was learning CSPM while I 
was developing them, and the second was an attempt to reduce the state space that they 
create. The model covered in Figure 8 was the initial version that I developed, but the 
properties stated above were identified and the specified simplifications were applied, 
thus resulting in the model covered in Figure 3 (which results in a model closely 
resembeling that contained in [Peel & Wong, 2004]). Currently the logic component 
models being utilised in this section of the work are specified in Appendix B, whereas the 
main body of the work covered in section 4 utilises the models specified in Appendix C. 
One of the main differences between the different models is that the reset functionality 
was reintroduced back into the models for the main work covered in section 4, this was so 
28 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
the models were a more direct representation of the logic circuits and the generation 
process, so that if the compiler had an error that connected the reset signals incorrectly 
(which it doesn't), it would be modelled in the CSP and identified. 
channel internal-state : {O, 11 
T_TYPE(clock, reset, d_in, clout) 
let 
-- Run the inputs and outputs in parallel (ZO-PAR) 
A-((B [I {I internal_state, clock C)\ {ý internal_state ý} ) 
-- Perform the outputs 
B- internal_state ?z -> clout Iz -> clock ?_ -> B 
-- Perform the inputs & dictate the nett clock cycles output value 
C- 
let 
-- Zn Clock Low State 
CA(x) - 
Let 
CAA = internal state !x -> 
reset ?y -> d_in ?z -> CAB(y, z) 
[] d_in ?z -> reset ?y -> CAB(y, z) 
CAB(y, z) - 
clock ?0 -> CAA 
[] 
clock ?1 -> 
y == 1& CB(O) 
[] y -- 0& CB(z) 
within CAA 
-- In Cloak High State 
CB(x) = internal_state Ix -> 
(( 111 y: {reset, d 
_in) 
0y? 
_ -> 
SKIP 
( clock ?0 -> CA(x) 
[] clock ?1 -> CB(x) 
within CA(O) 
within A 
Figure 8: Initial T-Type Flip-Flop Model Developed 
3.7 Experimental Results 
An example of the automated CSP generation and circuit proof can be demonstrated by 
comparing three different implementations of the same task, together with a hand crafted 
CSP specification. The chosen software task is a cyclical counter that outputs a stream of 
consecutive integers along a channel. Figure 9 specifies the outputs directly. 
SPEC - 
out15 ý outl6 - out17 - outl8 - out19 - out110 - outill out112 
outl13 ý Out114 - out115 - out10 - outli - out12 - outl3 ý out14 ý 
SPEC 
Figure 9 CSP speci6cadon of a 4-bit counter procea 
29 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
The various implementations each output the same order of values but at slightly different 
rates. Even though the implementations achieve the same task, the difference in 
performance is caused by their differing structure and amount of parallelism which is 
dependent on the OCCAM code that was used to compile the hardware along with the 
efficiency of the generated logic. 
The next implementation (CTR) is generated from a simple counter program (see Figure 
10). 
UINT4 Count: 
CHAN OF UNIT4 d: 
PLACE dl AT "d0", "dl', `d2", `d3', ORDY "dor', IRDY 'dir': 
SEQ 
count :-5 
WHILE TRUE 
SEQ 
count :a count PLUS 1 
dI count 
Figure 10 Initial OCCAM counter program 
Another implementation (CTIM1) is taken from Peter Welch's commstime benchmark 
[P. H. Welch, 1988], with the sink process on channel `d' removed to allow the channel to 
be placed onto the external interface (see Figure 11). 
UINT4 Count: 
CHAN OF UNIT4 d: 
PLACE dl AT "d0", "d1', "d2", "d3', OR "dor", IR "dir": 
CHAN OF UINT4 a, b, c: 
PAR 
SEQ -- prafLx and pale-on 
a! 5 
UINT4 V: 
WHILE TRUE 
SEQ 
b? v 
a! v 
SEQ -- fan-out 
UINT4 V.. 
WHILE TRUE 
SEQ 
a? v 
PAR 
C1v 
d1v 
SEQ -- 32orwMeat 
UINT4 v: 
WHILE TRUE 
SEQ 
a? v 
bIv PLUS 1 
Figure 11 Single-value commetlme program 
Yet another implementation (CTIM2) uses a double-buffered commstime program to pass 
three values round in parallel (see Figure 12). This enables the developed circuit to output 
30 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
values along channel `d' at an improved rate. This is possible because the extra 
parallelism is implemented in hardware, while it would only be simulated by interleaving 
on a sequential processor. 
UINT4 count: 
CHAN OF UNIT4 d: 
PLACE dl AT "d0", "dl', "d2', "d3", ORDY "dor", IRDY "dir": 
MAN OF UINT4 a, b, c: 
PAR 
SEQ -- prefix and pass-on 
UINT4 X, y: 
SEQ 
a15 
a16 
b? x 
a17 
WHILE TRUE 
SEQ 
PAR 
b? y 
alx 
PAR 
b? x 
aly 
SEQ -- fan-out 
UINT4 v: 
WHILE TRUE 
SEQ 
a? v 
PAR 
clv 
d1v 
SEQ -- increment-by-three 
UINT4 V: 
WHILE TRUE 
SEQ 
c? v 
biv PLUS 3 
Figure 12: Triple-value commaäme program 
The different size and structure of the generated logic influences the amount of state the 
CSP representation generates (see Table 1), as covered in [Peel & Pizarro 2005]. More 
parallelism creates a larger state space, but with the potential for better performance on 
the physical hardware. 
Table 1: Model-Checking Performance of FDR 
Process I Process 
2 
CSPM Source 
Code Size (bytes) 
Process Size 
(states) 
Trace Refinement 
Time on 3.0 GHz 
P4 (sec) 
SPEC CTR 147k 16 + 876 3 
SPEC CTIM1 388k 16 + 1972 23 
SPEC CTIM2 511k 16 + 2418 62 
CTIMI CTIM2 870k 1 1972+2418 93 
31 
Preliminary Work: Automatic CSP Modelling of Generated Logic Circuits 
3.8 Conclusion 
As was indicated previously (see section 3.6.1 and section 3.7), even though this method 
of proving the generated hardware works, the proof is susceptible to state space explosion 
which becomes more apparent as the size and complexity of the application being 
converted increases. Even though techniques exist that can help minimise this problem, 
these techniques help to delay the problem, not solve it. This realisation, along with the 
fact that the proof strategy is viable if the circuits are kept small, has led onto the main 
body of the work in chapter 4 where we attempt to avoid the state space explosion by 
proving the process of creating the logic circuits. 
32 
4 Main Work 
4.1 Premise for Work 
Chapter 3 discussed a viable technique for modelling and proving small circuits which 
becomes infeasible as the circuit size increases. It was deemed more appropriate to devise 
a method to avoid the state space explosion rather than trying to ease or delay this 
problem. Since the generated circuits are composed of logic components, there exist 
patterns and structures within them. Identification of these patterns and structures would 
enable one to simplify the proof of that logic circuit. Rather than focussing on trying to 
search for and identify properties and patterns that exist by analysing the circuits, as the 
circuits have been designed automatically (as opposed to evolved), the task of proving the 
hardware compilation process of the compiler lends itself ideally to providing this 
structural information. 
As logic circuits are being generated from software specifications (written in OCCAM), 
the initial specifications are definitively defined. The grammar and syntax of the OCCAM 
language limits both the number of unique component types and how these components 
can be combined together and thus interact. With the starting point for the software to 
hardware conversion containing structural information, it makes sense to utilise this 
source instead of trying to search for and extract the information after the logic circuit has 
been generated, which is what the technique in chapter 3 outlined. 
Through utilising structural information derived from the OCCAM language, it is 
possible to simplify the CSP model of the corresponding circuit by replacing clusters of 
internally modelled logic components with a CSP model that performs an identical task 
but which contains less state space. Although this would enable the proof of correctness 
of larger and more complex circuits, this is not what this work attempts to do. To do so 
would have too large an impact on the end user of our compiler; some of the main 
implications and restrictions that this might introduce would be: 
Every generated logic circuit generated by the compiler having to be individually 
checked, a time consuming task. 
Main Work 
" The number and size of models needing to be checked would increase as the size 
and complexity of the software that is converted to hardware increases. Thus the 
technique would be delaying any state space explosion instead of avoiding it. 
" The user would be forced to write a CSP specification for each application that 
they wish to convert into hardware, as the proof technique requires the comparison 
of the modelled hardware against a specification. 
Instead, as indicated, what this work does is to prove the method of generating the logic 
circuits and not the individually generated hardware circuits that are output. This is done 
by verifying the conversion of the individual OCCAM components into small segments 
of logic, proving that their behavioural properties cover the function that they are 
supposed to perform, while also ensuring that they can interact properly with all 
grammatically allowed components. The mapping of the OCCAM grammar into 
segments of logic circuit means, if one combines instances of these logic circuit segments 
together so that they represent the OCCAM software code through a one-to-one mapping, 
the generated hardware is guaranteed to perform as specified. 
Proving the process of generating the logic circuits from a software specification is 
possible, because the problem of ensuring that the generated circuit performs as specified 
is completely independent from the problem of proving that the software specification 
achieves a sensible task. It is only possible to determine if a software specification 
achieves a sensible task if sufficient details of the problem it is trying to tackle are known. 
This thesis documents the design, development and proofs of a compiler tool, so it is 
impossible to know the exact details of what the compiler will be asked to compile. This 
means that proving that the generated logic circuits perform a sensible task is completely 
outside the scope of this project. As stated previously, what we can prove and guarantee is 
that the generated hardware will perform as specified. Through proving the generated 
hardware matches the specification, without any impact on whether the application 
performs a sensible task, it provides the end user to freely select how (if at all) they may 
wish to prove and determine the validity and correctness of his application. Proving that 
the application tackles the end user's desired task can be done independently of the proofs 
for the hardware generation, thus this can be done in whichever manner they deem most 
appropriate, i. e. they are not forced to use CSP. 
34 
Main Work 
4.1.1 Implementation Implications of Premise 
The preliminary work covered in chapter 3 and Appendix A builds upon and integrates 
with the OCCAM to logic circuit compiler developed by Dr R. M. A Peel [Peel & Cook, 
20001. The logic circuit generation strategy utilised in that paper concentrates on creating 
optimised logic circuits that run efficiently without clearly defined boundaries between 
the segments of logic used in the conversion of the OCCAM software into hardware. This 
lack of clearly defined boundaries results from the compiler generating optimisations in 
the logic generation process at the interconnection boundaries for the OCCAM 
components. This stylistic choice for the logic generation process complicates the proof 
that the logic produced is always valid, due to the possibility that the OCCAM 
components may produce different logic circuit segments depending on how they are 
interconnected. However it does increase the performance of the generated circuits. 
Through enforcing a more modular and constrained logic generation strategy, the aim of 
this research has been to produce a compiler where the conversion of OCCAM 
components into segments of logic circuit can be individually and independently checked 
and verified. Although this strategy may initially produce less efficient and/or larger 
amounts of logic, it should still be beneficial as the circuits generated by the compiler 
would not need to be checked or proven. The use of peephole optimisations could then be 
applied to a fully generated logic circuit. These optimisations could be allowed to cross 
the interconnecting boundaries between segments of logic for the OCCAM components, 
assuming the optimisations have been proven not to alter the behavioural properties of the 
circuit. Also, pre-processing of the software application being converted, so that more 
specialised segments of logic could be substituted where specific properties within the 
application can be identified, might provide avenues that would enable the generated 
logic to be better optimised. 
The difference in the focus of the generation strategies that underpin the original compiler 
meant that it was deemed more effective to prototype the work in this chapter by 
developing a new compiler rather than retrofitting the new proof strategies onto the 
existing code. Although I chose to redevelop the compiler, the technical information and 
insight gained from the initial compiler development was easy to integrate into this new 
version. 
35 
Main Work 
4.2 Assumptions made within the Compiler and Proof Strategy 
This section covers the assumptions made within the compiler design in this thesis: 
The abstract syntax tree (AST), that the compiler generates the hardware from, is 
assumed to be a correctly constructed representation for the target OCCAM 
application. 
oA non-formally-proven lexical tokeniser and syntax parser has been 
created at the front-end of the compiler. This automatically generates the 
AST from an application's OCCAM source code. It was built to simplify 
the parsing of larger examples, instead of hand generating the AST. 
o The structure of the AST is a direct one-to-one mapping of the 
application's OCCAM source code, so it is realistic to assume that the 
OCCAM can be parsed correctly and converted into a valid AST. 
" The netlist data structure created by the compiler (representing the generated logic 
circuit), is assumed to be correctly output to a file that is used by the FPGA place- 
and-route configuration tools. 
o Both the compiler's internal logic circuit data structure and the output file 
represent the same netlist. The logic components and their 
interconnections in his netlist map in a bi-directional one-to-one fashion 
between these formats, and this is easy to verify. 
" It is assumed that the tool, FDR2, that has been used to automatically check the 
generated proofs, performs correctly. 
o This a well established and stable tool, commonly used in the field of 
formal methods. 
" The choice of FPGA clocking frequency is sufficiently low to enable the circuit to 
stabilise between clock cycles. 
o This operational condition underpins every clocked digital circuit. The 
FPGA development tools determine the maximum tolerable clock speed 
for each circuit. 
These assumptions only affect the context within which the compiler operates, and do not 
detract from the assertions made in this chapter regarding its proof of correctness. 
36 
Main Work 
4.3 Project Overview 
This project focused on the production of an OCCAM compiler that generates fine 
grained parallel clocked logic circuits, along with a formal proof for the generation of 
these logic circuits. This proof guarantees that the hardware generated performs as 
specified by the software specification, but does not prove that the software to be 
converted performs a sensible task; to do the latter would require detailed knowledge of 
why the application was written. 
To avoid the state space explosion that is experienced when attempting to prove that a 
circuit satisfies its behavioural specification as the size and complexity of the application 
increases, this compiler utilises an object-oriented/modular approach. Generic super type 
specifications have been created describing all the allowable behavioural properties that 
the different implementable OCCAM components can perform; these are then used for 
two distinct but interconnected purposes. 
The first purpose is to test and prove that segments of logic that are used to represent the 
OCCAM components in hardware are refinements of their corresponding super type 
specification (e. g. in Figure 13 the segment of logic circuit for an "IF THEN ELSE" 
component is a refinement of a "Control Flow Process", sharing the same interface 
structure of start, clock and reset inputs and a finish output). This is required because the 
second use for the generic specifications is as place fillers for internal components that 
are required for a component to function. If the component being examined requires other 
internal components to function, as in the "IF THEN ELSE" component seen in Figure 13 
needing a boolean component and a "MEN" and "ELSE" control flow process 
component, the model of the segment of logic circuit can be connected to the 
corresponding generic specifications (e. g. the three yellow highlighted components in 
Figure 13). These generic specifications are used as place fillers to provide the full range 
of allowable behaviours that a correctly behaving internal component may perform. Some 
of the generic specifications require that internal choice be utilised to enable them to 
present all these possible behaviours. 
37 
Main Work 
Start 
Start 
ý 
Clock 
-T Boolean Finish 
Condition 
State 
NOT>O---*I 
D 
ý 
D 
Start r' 1i 
"Else" 
Control Flow 
Process 
Finish 
OR 
Figure 13: Graphical representation of an "IF THEN ELSE" component 
Finish 
t 
Provided the segment of logic circuit for a component can be proven to be a refinement of 
its super type, as long as any internal components are behaving correctly, then it can be 
connected anywhere where its super type component may be used. This leads to a proof 
of composition, enabling the OCCAM component to be connected together in a one-to- 
one manner that directly mimics the grammatical structure of the software specification. 
Although this defines and proves how the components fit together, it does not guarantee 
that an individual OCCAM component performs its corresponding conceptual task (i. e. 
whether a segment of logic for an IF component performs an IF statement), just that it is 
the right shape. 
Start 
Reset 
f 
"MEN" 
Control Flow 
Process 
Finish 
38 
Main Work 
OCCAM Component 
4, 
, --------- 
ý ý ý ý 
ý PAR 
Control Flow Process 
Delay IF THEN 
ELSE 
E- -, 
ý 
ý 
ý 
ý 
ý ý 
--'-- 
i -------, 
i 
i 
i 
ý 
i 
i 
ý 
_r 
i1 
EQUALS 
Boolean Process 
Data Read 
iý 
TRUE FALSE 
Figure 14: Simplified class diagram of a subset of components and their super types 
Having a proof of composition, the remaining task is to prove that the segment of logic 
circuit for each OCCAM component performs its required conceptual task. This is 
achieved through the addition of extra events to the model, by running a CSP process in 
parallel with it. These events annotate and depict at a software level what is occurring, 
assigning meaning for specific occurrences of low level signals. These annotation events 
are added in two distinct locations, the first by annotating the outer level of the CSP 
model of the segment of logic circuit of each OCCAM component, annotating its 
interface signals (signals that are used to trigger and drive the logic, along with the signals 
that it returns). The second part is by adding extra events to the generic specifications, 
describing the conceptual software behaviour that this component performs at its outer 
boundary. The combination of these annotation events results in describing conceptually 
at a software level how the segment of logic circuit being tested triggers and interacts 
with any internal components that it utilises. Through hiding the annotation events, one is 
left with a CSP model that is behaviourally identical to the proof of composition model 
that was previously used, whereas hiding all the events other than the annotations 
produces a model that describes at a conceptual level what the segment of logic does. 
This conceptual model can then be compared with a hand crafted specification that 
describes the desired and expected behaviour of each component, proving their 
equivalence. 
39 
Main Work 
r......... 
' 
----------- I 
U 
I 
I 
U 
I 
I 
I 
U 
U 
U 
I 
Hardware \; 
Specification ); 
ý 
ý 
I 
U 
I 
U 
I 
U 
U 
U 
U 
I 
U 
I 
I 
I 
U 
U 
U 
U ýý ý I. :L --------- --------------------------------------------------- S 
. 
I 
I 
U 
I 
U 
a 
a 
I 
 ...... ............................. ........................................ _............... _............... ..... ......................... ___. _. _.. __... _.. _.  : 
.; .ý .ý 
 ¬ 
.ý .F  F 
. Uf 
 : 
 _ 
 i 
 ' 
 ! 
 , 
 _ 
 ; 
 ý 
I CSP Proof  ýýýýýýUUUUUUUUUUUUýýýýýýýýýýýýauu"uý  
------------------------------------------------------ Component Specification 
i zouperiype 
UI ;" % ........................................................................: 
Figure 15: Overview of CSP proof structure for a single component 
It is through the combination of the proof of composition and the proof that each 
component performs its relevant behavioural task, that the generated logic circuits can be 
guaranteed to perform as specified without the need to have their behaviour exhaustively 
checked against a behavioural specification. This makes use of CSP's congruence 
properties for these components. Although, for small circuits, the size and complexity of 
the proof would be greater than that of modelling and behaviourally checking the circuit 
as a whole, the main benefit arises because each OCCAM component only has to be 
checked once before it can be used in the compiler (and then it can be used repeatedly in 
future generated circuits). This guarantees that all circuits which can be generated by the 
compiler will perform as the source code specifies, thus avoiding the state space 
U 
U 
U 
U 
U 
U 
U 
. 
U 
. . ___. .. _........... ..................... ............ .................................. 
 so. U.... "a 
40 
Main Work 
explosion when the software to be converted into hardware increases in size or 
complexity. 
4.4 Logic Component Representation 
4.4.1 Why Continue Using CSP? 
There are several reasons for continuing to use CSP in the main body of this work. Apart 
from building upon the preliminary work that utilises CSP (see chapter 3), several other 
factors contributed to the continued utilisation of CSP. 
As the compiler proofs guaranteeing that the generated logic circuits perform as indicated 
by the OCCAM software are self contained (i. e. the hardware generation process is 
proven independently of any application that is converted), they can be completely 
isolated from any tests, models or proofs that the end user may decide to perform on his 
application. Although this compartmentalisation of the hardware generation proof from 
any proofs of the software application, that in itself was not a reason to utilise CSP, it 
does enable the choice of using CSP to have no impact or restriction upon how an end 
user may wish to prove or test their application. Thus enabling the selection of whichever 
formal language or proof methodology is desired, if the end user wishes to test or prove 
their application. 
CSP is a formal event-based algebra which enables the formal specification of how 
parallel processes interact. As CSP is particularly suited to modelling processes, it can 
equally be used to represent the same problem in varying degrees of abstraction. As we 
can utilise CSP to represent models of specification in various levels of abstraction (both 
hardware and software descriptions), there was no compelling reason to select a different 
formal technique. 
Selecting an alternative to CSP would either have caused the preliminary work covered in 
chapter 3 to have to be redone or the creation of a formal proof to convert between 
different formal methods. Both of these tasks would have been extra work that was 
deemed not critical to the solution of the problem. 
41 
Main Work 
4.4.2 Design Considerations & Implications 
This thesis focuses on proving the construction process of generated logic circuits. The 
modular approach underpinning the chosen strategy requires that models of the logic 
components be sufficiently robust to accommodate features of the circuits that may not be 
guaranteed, desired or expected. Some of the features stated below, such as if a logic 
component is connected to itself, should never happen as the compiler has been designed 
not to produce this condition. Although this is the case, the CSP models must also be 
robust enough to deal with this because if a bug did exist within the compiler that 
produced this, the CSP models and proofs must be able to represent it. This is also the 
reason why this section of the work reintroduced the reset functionality back into the CSP 
models (to be able to detect if the reset pins are connected incorrectly by the compiler), as 
the work covered in chapter 3 removed it to try to help minimise the state space that had 
to be examined. As such the model of the logic components used in chapter 3 (specified 
in Appendix B), are not robust enough for the requirements of this section of the work. 
For example, the model of a D-Type Flip-Flop (see Figure 16), cannot deal with all the 
conditions specified below (i. e. if the output Q is connected to the input D, the model will 
not behave correctly). 
PROC ACTIVE_LIB_PDC(d, q, clock) 
let 
S(Y) 
d? x -> qly -> C? l -> 8(x) 
11 
q! y -> d? x -> c? l -> S(x) 
within S(0) 
Figure 16: CSP mode! of D-Type Flp-Flop used in chapter 3 
Although modelling each logic component can be perceived as an individual task, 
because instances of these models are combined together to represent a circuit or segment 
of circuit, this imposes conditions that affect the design and implementation choices 
which were made. 
"A signal (representing a wire connecting logic components) may be connected to 
multiple pins of a logic component; thus the models have to be designed to deal 
with this feature. 
o The model of the component should be comprised of multiple processes 
run in alphabetised parallel. This would enable common events in the 
42 
Main Work 
model that represent the signals received on the input and output pins of a 
component to synchronise. 
o An alternative in some situations would be the application of peephole 
optimisations that could alter the circuit to remove any connected pins on a 
logic component without adversely affecting the overall behaviour of the 
circuit. 
" Loops of logic containing only combinatorial (non-clocked) logic should not be 
allowed, as loops of non-clocked logic have the possibility of introducing race 
conditions. 
o If a loop is created and the possibility of a race condition exists, its 
occurrence would be detected by the specific run-time instantiation of the 
circuit (i. e. the specific signals being transmitted through the circuit). 
o Non-clocked logic components are modelled as IO-SEQ, and models 
containing loops of only these components are liable to deadlock. To 
ensure that this occurrence can be detected, by forcing the models to 
deadlock in FDR, the special case has to be considered where the loop 
consists of only one 10-SEQ component (i. e. it is wired to itself). To 
ensure that this will deadlock, the model of the component has to explicitly 
check that its outputs (e. g. output Q of a flip-flop) is not connected to its 
own inputs (e. g. input D of the same flip-flop), and explicitly deadlock if 
this does occur. Clocked logic components modelled as 10-PAR are not 
susceptible to deadlocking if they are connected in loops, but the 
individual IO-PAR CSP models will also have to check to see if they are 
connected to themselves. This is required to enable their corresponding 
inputs and outputs to be synchronised together in FDR so they are 
modelled correctly. 
Only one driving pin should be connected to any signal (wire). 
o If an attempt is made to drive a signal from multiple components or I/O 
pins, contention could occur. This would only cause problems in a 
hardware circuit if the different driving pins were trying to propagate 
different signal states at the same time. If the signals that they are trying to 
drive never differ from each other, then the hardware should not have a 
43 
Main Work 
problem, although it is likely in this case that the logic is redundant and 
thus may be optimised or removed. 
o Running the processes representing the logic components in alphabetised 
parallel on the CSP events that represent the signal names causes them to 
deadlock if the processes attempt to drive different values. If the behaviour 
of the circuit is such that multiple drivers of a signal always drive the same 
state as each other, the CSP model of the logic circuit will be deadlock- 
free. This condition is impossible to test for as CSP allows `many-to- 
many' channel synchronisations, and multiple drivers that continuously 
provide the same output do not cause a problem. 
Clocked logic components that the compiler uses only alter their output states on a 
low-to-high clock transition (e. g. D-Type Flip-Flops do this): 
o The clock can be modelled as a single event per cycle representing a clock 
low-to-high transition, thus helping to minimise the size of the state space 
required to be checked for the proofs, as covered in chapter 3 and [Peel & 
Pizarro 2005]. 
4.4.2.1 Combinatorial Logic 
The components that fall under the 10-SEQ category (see section 2.6) are non-clocked 
combinatorial logic functions (AND, OR, NOT, etc). 10-SEQ is particularly suited to 
these components, because in any single clock period, outputs of these components are 
directly related to the inputs received in that clock cycle. Figure 17 demonstrates how to 
create an instantiation of the non-clocked 10-SEQ component (an AND gate), the relevant 
channels are parsed as arguments to the process specified in Figure 18 that defines the 
behaviour. 
44 
Main Work 
CSP Specification of an AND Gate 
-- Declaration of signal channels that the gate 
-- is wired to. 
STATE _ {0,1} 
channel chaninputl : STATE 
channel chan_input2 : STATE 
channel chan_output : STATE 
-- Declaration of an instantiation of a two 
-- input AND gate. 
INST AND 
AND-GATE( chan_output, 
<chan inputs, chan_input2> 
-- Alphabet of instantiated AND gate 
ALPHA INST AND . 
{I chars output, chan_inputl, chap input2 I} 
A Graphical Depiction 
chan_inputl 
Chan-output 
Figure 17: An Instantiation of a Two Input AND Gate 
-- Declaration of a ahannel used internally by the CSP specification. ! DR Will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal state : {0,1} 
-- Instantiations of an AND Gl&TR calls this process and provides channels used 
-- for its inputs and outputs as arguments. 'out' is a single channel to output 
-- to. 'in list' is a list of channels to input from. 
AND GATE (out, in_list) - 
let 
-- Check if this AND gate has any inputs. 
A- 
length(in list) _= 0&B 
(] 
length(in list) 1- 0&C 
-- Specification of an AND gate with no inputs, it behaves as WED. 
B- out l0 -> B 
-- Check if the output of the AND gate feeds any of its inputs, deadlock the 
-- specification if it does. 
C= 
inter( {out}, set(in_liet) ) {out} & STOP 
H 
inter( {out}, eet(in list) ) __ (} &D 
-- AND gate specification. 
D- 
let 
-- Manage the Inputs of the gate. 
DA - 
let 
-- Inputting process managing a single pin. 
-- "z' becomes the input channel to manage. 
DAA(x) - 
x? y -> internal stately -> out? _ -> 
DAA(x) 
-- Run the inputs for all the input pins in parallel. 
DAB(x) _ 
length(x) -- 1& DAA(head(x)) 
(l 
length(x) >1& 
DAA(head(x)) 
union( 
inter( (head(x)), set(tail(x)) 
U out I} ) f) 
DAB(tail(x)) 
45 
Main Work 
within DAB(in_list) 
-- Manage the output of the gate. 
DB - 
let 
DBA - 
internal state? l -> DBC 
[] 
internal state? O -> DBB 
DBB = 
out !0 -> DBA 
U 
internal-state? - -> DBB 
DBC - 
out !1 -> DBA 
[] 
internal_atate? l -> DBC 
U 
internal_state? 0 -> DBB 
within DBA 
-- Connect the inputs and outputs together. 
DC - 
-- The ordering that the 'Internal _State, 
events occur does not 
-- matter, so long as they all occur. This is guaranteed by the 
-- structure of the internal processes running in parallel. 
( DA 
[I fl internal-state, out 
DB 
\ {I internal-State 
within DC 
within A 
Figure 18: AND Gate CSP Model: 10-SEQ 
46 
Main Work 
4.4.2.2 Clocked Logic 
10-PAR can represent clocked logic (D-Type Flip-Flops, T-Type Flip-Flops, etc). For any 
individual clock cycle, the output values are pre-determined and independent of the input 
values (although the input values will have an effect on the output value for the following 
clock cycle). It is because of this that these components can transmit their output values in 
parallel with receiving values on their inputs. 
CSP Specification of a D-Type Flip-Flop 
-- Declaration of signal channels that the gate 
-- is wird to. 
STATE - (0,1} 
channel chap clock : (1} 
channel chan_reset : STATE 
channel chan_input : STATE 
channel chan_output : STATE 
-- D. olaration of an instantiation of a 
-- D Typ. Flip Plop. 
INSTD . 
D__TYPE_PLIP_FLOP_IOPAR 
chan_clock, chan_reeet, 
chan_input, Chan output 
-- Alphabet of instantiated D Typ. Flip Flop 
ALPHA_INST_DTYPS 
chan clock, chan_reset, 
chap input, chan_output 
I) 
A Graphical Depiction 
chan_clock 
chan_input 
chap reset 
INBT D 
D Type 
Flip Flop 1 F; 
chan_output 
Figure 19: An Instantiation of aD Type Flip Flop 
47 
Main Work 
Declaration of a channel used internally by the CSP specification FDR will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal state : (0,11 
channel internal_reset_state : {0,1} 
-- Instantiations of aD TYPS FLIP PLOP calls this process and provides channels 
-- used for its inputs and outputs as arguments. 'q_out' is a single channel to 
-- output to. 'd in' and `reset' are single channels to input from. `clock' is 
-- an event representing a low-to-high clock transition. 
D_TYPR_FLIP_FLOP_IOPAR(clock, 
let 
-- cm eat 
A- 
clock, 
internal-state, 
internal-reset-state 
1}, inter( {) clout ý}, {ý din, reset 
I) c(0) 
\ (I internal state, internal-reset-state 
-- Manage the inputs of the gate. 
B- 
let 
-- Run the inputs in parallel. 
BA - 
( BB 
I} 
11 ) 
reset a in J}, ( t1 union( {I clock 1}, inter( 
BC i) )) 11 
-- Reset Input 
BB - reset ?z -> internal_reset_state !z -> clock -> BB 
-- D Input 
BC - d_in ?z -> internal-state sz -> clock -> BC 
within BA 
-- Manage the output of the gate. 'x' is the current state to Output- 
C(X) 
gout sx -> 
internal-reset-state ?1 -> internal-state ?_ -> clock -> C(O) 
O 
internal reset state ?0 -> internal state ?z -> clock -> C(z) 
within A 
-- Verity that the ordering of the 'internal-state' and 'in tsrnal_reset stat" 
-- does not satter 
channel teatO 
channel testl, test2, testa : {0,1} 
D 
-TYPE -D 
TYPE FLIP FLOP IOPAR(teat0, testl, test2, teet3) 
l aaaert chaae(D TYPE) [PD- D TYPE 
FIgure 20: D-Type Flip-Flop CSP Model: IO-PAR 
the ii{put" and 
reset, d_in, clout) 
outputs together. 
The initial default output value for this object is 10', hence the 
initial default value is passed to the process as an arg=ant parameter 
'C(0)'. 
The ordering that the 'internal 
_state' 
and 'Internal reset state' 
events occur does not matter, to long as it occurs. This 
is guaranteed 
by the structure of the internal processes running in parallel, and has 
been verified by the assertion at the and of this example. 
8 
Iý union( {I 
48 
Main Work 
4.4.23 Adapting 10-PAR to 01-SEQ 
To help to minimise the state space produced when modelling segments of logic, an 
adaptation of 10-PAR was produced. This is where the outputs are performed before the 
inputs and then followed by the clock, whereby the clock event acts as a barrier 
synchronisation ensuring that all components progress from one clock cycle to the next. 
This basic definition of the 01-SEQ concept can be seen in Figure 21, whereas Figure 22 
is the definition reworked for the use of channels. 
Although the utilisation of a barrier synchronisation event is not needed to ensure 
deadlock freedom, it is needed to be able to check if the clock has been correctly 
connected throughout the circuit. The utilisation of the clock as a barrier synchronisation, 
for all 10-PAR components, helps to minimise the state space that FDR2 has to check. 
The state is minimised because any 10-PAR components that may temporarily run ahead 
of others (as stated in the IO-PAR definition, theorem and proof covered in [P. H. Welch, 
1987]), are forced to progress from one cycle to the next, in unison with all the other IO- 
PAR components. So long as the clock event is unique and not dependent on any of the 
other events or signals within the system, the definition, theorem and proof of the 10- 
PAR components covered in [P. H. Welch, 1987] is not invalidated. As previously 
mentioned, the barrier synchronisation event will ensure that the 10-PAR components 
progress from one cycle to the next in unison (which also happens to be the purpose of the 
clock signal within the circuit). This should also explain the position and utilisation of the 
clock event in the models used in [Peel & Wong, 2004] that this research builds upon. 
3. a set of all possible ZO events 
S. a met of input events 
0. a set of output events 
a. a barrier aynabroniaation event (e. g. a clock) 
whore 
(not 040"r (i, 3) ) and (intter (I, 3) . i) and (intar (O, 3) - O) 
(gpty (intar (I, O) )) 
and 
OISEQ - (ICI x: O 0 (x -> SKIP)); (III x: I a (x-> SKIP)); a -> OISEQ 
Figure 21: A simple CSP definition of an 01-SEQ component 
49 
Main Work 
8. a let of all possible SO channels 
Sa set of input channels for a comiponent 
0"a set of output channels for a com1ponent 
a. a barrier synchronisation event (e. g. a clock) 
5"a net of default output events 
where the following conditions hold trues 
The input channels for a component are not in its output channels 
espty(inter(Z, 0)) 
The input and output channels are valid 1O channels 
(inter (1,1) - 1) and (in tar (O, E) - 0) 
The default output events are a gat of events containing one event from the 
expansions of each of the components output channels 
X -c- (z Iz <- set( (l aka <- o 1)), 
Card( Z). Card( 0 ), 
b <- Z, 
a<-0, 
member( b, (I aI)), 
d <- diff ( Z, (b ) ), 
not aber( d, (I a ý) ) 
) 
OISEQ - OISEQ2(z) 
OISEQ2(A) _ 
(111 x: A ® (channel(x) I message(x) -> SKIP)); 
(ill x: I Q (x ?_ -> SKIP)); 
s -> (I-I Y: {xI x<-set({I aI a<-O1}), Card(X) - Card(O), 
b <- X, 
c <- 0, 
member (b, {I c 1}), 
d <- diff(X, {b }), 
not member(d, {I c I}) } 
0 OISEQ2(Y)) 
Figure 22: A CSP definition of an 01-SEQ component using channels 
As the output states for a clocked component are static during a specific clock cycle (i. e. 
they are not dependent on that cycle's input values), modelling the outputs occurring 
before the inputs helps to reduce the state space that has to be checked because the 
number of permutations for the 01-SEQ interleaving order is fewer than for the 10-PAR 
model (the 10-PAR in Figure 23 is replaced by an 0I-SEQ, as shown in Figure 24). 
r--p IasEQ ý0 10-PAR 
Figure 23: 10-SEQ and IO-PAR connected in a bop 
50 
Main work 
r--o 10-SEQ ý----ºI 01-SEQ 
Flure 24: 01-SEQ replace. I0-PAR In I0-SEQ/I0-PAR Mop 
An example of a D-Type Flip-Flop modelled in the OI-SEQ form can be seen in Figure 
25. 
51 
Main Work 
-- Declaration of a channel wed internally of the CSP . pecifiaation CIP will 
-- not allow you to declare channels inside a let-within block, all channel. 
-- must be globally defined. 
channel internal state : (0,1) 
channel internal_reset_state : {0,11 
channel internal 
-- Instantiations of aD TYP3 FLIP PLOP calls this process and provides channels 
-- used for its inputs and outputs as arguments. 'bout' is a single channel to 
-- output to. 'd in' and 'reset' are single channels to input from. 'clock' is 
-- an event representing a low-to-high clock transition. 
D_TYPB_FLIP_FLOP_OISBQ(clock, reset, d_in, q_out) - 
let 
-- Connect the inputs and outputs together. 
A- 
-- The ordering that the 'internal-state' and 'Internal reset state' 
-- events occur does not matter, so long as it occurs. This 
is guaranteed 
-- by the structure of the internal processes running in parallel. The 
-- initial default output value for this object is '0', hence 'C(0)'. 
(B 
union( {I clock, 
internal, 
internal_state, 
internal-reset-state 
I}, 
inter( {I clout 1}, (I din, reset 11 
I] C(0) 
\ {) internal, internal_state, internal_reset_state I} 
-- Manage the inputs of the gate. 
B= 
let 
-- Run the inputs in parallel. 
BA s 
BB 
union( {I internal, clock 
inter( (I din 1}, {I reset I} )) 
II BC 
-- Reset Input 
BB = internal -> reset ?z -> internal_reset_state !z -> clock -> BB 
-- D Input 
BC - internal -> d_in ?z -> internal_ state !z -> clock -> BC 
within BA 
-- Manage the output of the gate. `x' is the current state to output. 
C(x) = q-out !x -> internal -> 
internal-reset-state ?1 -> internal-state ?_ -> clock -> C(O) 
internal reset state ?0 -> internal state ?z -> clock -> 
C(z) 
within A 
Figure 25: D-Type Flip-Flop CSP Model: 01-SEQ 
52 
Main Work 
Figure 26 demonstrates using FDR2, that the behaviour of the OI-SEQ component is a 
valid trace refinement of an 10-PAR version. Thus demonstrating that the 01-SEQ 
behaviour is contained within the 10-PAR behaviour. 
-- 8. a set of all possible 10 events 
-- i. a sat of input events 
-- 0. a sat of output events 
-- a. a barrier synchronisation sweat (e. g. a clock) 
-- where 
-- (not aeaber(a, 3)) and (inter(z, s) . X) and (inter(o, a) - 0) and 
-- (empty (inter (z, O)) ) 
IOPAR = (11) x: union(O, I) 0 (x -> SKIP)); a -> IOPAR 
OISEQ = (111 x: O 0 (x -> SKIP)); (Ill x: I 0 (x-> SKIP)); a -> OISEQ 
-- Check that the OISiQ model is a refinement of the OSPAR model 
laBeert IOPAR IT. OISEQ 
Figure 26: Assertions demonstrating 01-SEQ Is a refinement of 10-PAR 
01-SEQ is useful for the specific style of clocked logic circuits that the compiler 
generates as it helps to minimise the state space that FDR has to check by reducing the 
number of interleaved orderings for parallel events, compared with the equivalent use of 
I0-PAR. The condition for utilisation of 01-SEQ imposes a constraint that no loops 
consisting of only these clocked logic components may exist to avoid the circuit model 
deadlocking. This is acceptable because the compiler never generates these loops, this 
condition may be verified because the component models are defined to behave as STOP 
if they detect that their outputs are directly connected to their inputs, and an FDR check 
can confirm that such a deadlock does not occur. For any OI-SEQ only loops consisting 
of more than one component, the CSP models will naturally deadlock, it is only the 
special case of loops of one component that has to be catered for. 
4.5 Proof Framework 
The proof of correctness of the compiler is complex, and involves many individual stages. 
These can be broken down into three interrelated phases. 
1. The first phase is a proof that individual OCCAM constructs, when converted into 
segments of logic, can be connected together correctly in all possible 
combinations as indicated by the OCCAM grammar - i. e. correct composition. 
2. The second phase is to prove that the logic for each of the individual types of 
OCCAM components performs its corresponding conceptual task. 
53 
Main Work 
3. The third and final phase ensures that the creation of the logic circuit by the 
compiler conforms to that which is indicated by the proof. 
Examples of the various models and assertions used to demonstrate properties of points 1 
and 2 can be found in Appendix D and Appendix E. These two appendixes respectively 
show the models and checks that need to be performed for a single type super type 
generic component and a single type implemented component. 
There are currently six super type OCCAM components in our compiler; flow-control 
constructs (such as SEQ, PAR, IF or channel communications), data-read constructs (such 
as PLUS and numerical constants), data-store constructs, channel-read constructs, 
channel-send constructs and boolean constructs (such as TRUE, FALSE or less than). The 
reason that there are six types is due to the differing structural composition of their 
boundary connectors. There are also specialised multi-types (see section 4.5.4) - e. g. 
channels and variables - that provide access to two different types of interface constructs 
(e. g. `channel-read and channel-send' or `data-read and data-send' respectively); this is 
because they perform a mixture of these behaviours. 
Instances of constructs can utilise components of any type internally to enable them to 
perform the required task. For example, the "IF THEN ELSE" component utilises two 
"Control Flow Processes" and a "Boolean Condition" as shown in Figure 13 on page 8. 
Proving that these components can be composed together requires generic CSP 
specifications to be written that depict the range of behaviours that are allowed to be 
performed at the outer boundaries of the super type OCCAM components. These 
specifications have two uses. For any specific OCCAM component that is being checked, 
if it requires other OCCAM components internally, then a corresponding super type 
generic specification can be used as the internal component. This enables the model of the 
implementable logic to determine all the legal possible states that it could ever get into, 
thus enabling a proof that it is a valid refinement of its super type generic component. 
Through proving that the implemented component is a valid refinement of a generic super 
type component, so long as any internal components used are also a valid refinement of 
their type of component, it is possible to fit all combinations of the implemented 
components together without invalidating or having to rerun any proofs. This 
demonstrates that the hardware for the OCCAM components can be fitted together in a 
manner that directly mimics the grammar of the language, because the logic of a verified 
54 
Main Work 
OCCAM component can be placed wherever its generic super type specification could be 
used (a property that is true because of congruence). 
Although this proves that the composition of the logic circuits will be performed 
correctly, further work has to be done to demonstrate that the logic performs the correct 
high level behavioural task (e. g. that an "IF THEN ELSE" component when triggered 
performs a Boolean test, with the result of the test determining which of the "THEN' or 
"ELSE" blocks are triggered). To achieve this, extra annotation events have been added to 
the specifications to describe the higher level meanings of the states that the signals are 
in. Extra events were chosen to be added due to complications with achieving the same 
result through selective renaming (see Appendix J). These annotation events can then be 
compared by FDR against specifications that depict the desired and expected behaviours. 
Performing these tests enables the determination at a higher conceptual level what 
sequence of actions a component will perform and what conditions that these are 
dependent on. This enables us to demonstrate that an implemented component will 
correctly perform the high level behavioural task that it was designed to achieve (e. g. an 
'IF THEN ELSE' block performs an 'IF THEN ELSE'). 
The combination of proving each individual implemented OCCAM component performs 
the task that its grammar component represents, along with proving that the implemented 
components can be connected together in a manner dictated by the OCCAM grammar, 
has the resultant implication that the components will interact in a way that is dictated by 
the software application code being converted into hardware. This provides a guarantee 
that the hardware will perform the task that the initial software application dictates, 
without having to check each individual circuit that the compiler could generate. 
4.5.1 Appendix D Overview -A Single-Type Super-Type Component 
This section details an overview of Appendix D, describing the CSP models it contains 
and their relationship with each other. Figure 27 illustrates these relationships graphically, 
representing a single, single-type super-type component. These specifications are 
designed to be utilised in the FDR model-check proofs described in Appendix E and 
section 4.5.2. 
55 
Main Work 
ýý 
OCCAM Supertype Model with 
annotations hidden 
IN 
Equivalence (D. 2.12) 
ý 
*I 
ý 
1 
I- 
Hardware specification 
deadlocks after incorrect 
input (D. 1.2) 
0ý 
Process for annotating outer level (D. 1.5) 
Correct Hardware 
Specification (D. 1.1) 
1 edekCheck (D2.1) 
om (D. 2.2) 
r 
Refinement 
D. 2.3) 
Hardware specification deadlocks 
after incorrect input, with inputs 
limited (D. 1.211D. 1.3) 
I 
Iý Equivalence 
I (D. 2.5) 
1 
Process to limit correct 
inputs (D. 1.3) 
IN 
4-1 
Annotated model 
(D. 1.1 11D. 1.5) 
Annotated 
model with 
hardware 
signals 
hidden 
Equivalence 
r(D. 2.12) 
00 
Deadlock Check (D. 2.4) 
1 
ý 
Deadlock Check (D. 2.8) 
Annotated low level 
behaviour with inputs 
limited m1 dim I 'Al 
Refinement (D. 2.7) 
Annotated low level behaviour, 
deadlocks after incorrect input 
(D. 1.4) 
ei 
Clock cycle generic annotation 
specification (D. 1.6) 
to 
Y 
1% 
0 
ro 
Deadlock Check (D2.10) 
Behaviour similar 
to expected model 
(D. 2.13) 
i 
'race Equivelance (D. 2.11) 
Software component generic Hiding subset of annotations relating to clock 
specificaiton (D. 4.1.1) cycle aspects, it behaves similarly to expected 
model (D. 4.1.2) 
N---, 
Figure 27: Overview of the relationship between the numerous models of an OCCAM supertype 
Annotated low 
level behaviour 
with annotations 
hidden 
ý I 
N----ý 
J 
Equivalence 
(D. 2.6) 
Annotated low level 
behaviour with low 
level behaviour hidden 
v 
Hardware 
specification 
with inputs 
limited 
(D. 1.1I1D. 1.3) 
56 
Main Work 
Appendix D. 1.1 contains an 01-SEQ specification that specifies the relationship between 
its external control signals (i. e. clock, reset, start and finish). External choice is used to 
allow for the different orderings of the start and reset signals, whereas internal choice is 
used to provide the specification with the freedom for a finish signal to be generated zero 
or more clock cycles after a start signal is received. This specification forces the correct 
sequencing of these signals. 
Appendix D. 1.2 provides a similar specification to D. 1.1, but where incorrect values are 
allowed to be provided to the components inputs. The CSP specification then explicitly 
deadlocks if any of these invalid inputs are encountered, thus resulting in the failure of 
any FDR deadlock checks that this component is utilised in where this occurs. 
Appendix D. 1.3 is a process that when run in parallel with a model, enforces the correct 
input signals. This specification is similar to that presented in D. 1.1, but now the internal 
choice that determined the state of the finish signal, is replaced with an external choice. 
Appendix D. 1.4 is a process similar to D. 1.2, but containing extra semantic annotation 
events. These annotation events label the states that the process can take, labelling the 
outputs and the appropriate and inappropriate inputs. Hiding the annotation events results 
in a process that is failures divergence equivalent to D. 1.2 (as covered in appendix D. 2.6). 
Appendix D. 1.5 provides a process that when run in parallel with a model, adds outer 
level semantic annotation events that label the states that the process performs. The 
annotation events occur after the corresponding low level hardware events, although 
Appendix H (specifically H. 1.5) provides an alternative, whereby the semantic annotation 
events precede the corresponding low level signal events. 
Appendix D. 1.6 contains a model built of only semantic annotations. These annotations 
represent the allowed states that can occur at a clock cycle based level (i. e. the 
NOTFINISHED state reflects one clock cycle in the hardware implementation). 
Appendix D. 4.1.1 provides a model of semantic annotations, ignoring clock cycles. This 
model gives a representation of the component that directly represents the software level 
of abstraction (e. g. when a control flow process is started, it may or may not finish). 
Appendix D. 2 contains the assertions that have to be proved for a super-type component. 
This proves various properties of the models and their relationships with each other, thus 
enabling the models to be used in the proofs contained in Appendix E. 
57 
Main Work 
Appendix D. 2.1 provides a deadlock freedom check for the model in D. 1.1. 
Appendix D. 2.2 utilises trace refinement to prove that the behaviour of D. 1.1 is contained 
within D. 1.2. The trace refinement is only performed in one direction, as this allows for 
D. 1.2 to contain extra behaviour than D. 1.1. 
Appendix D. 2.3 uses trace refinement to demonstrate that D. 1.3 does not introduce extra 
behaviour to a process it is run in parallel with, but it may limit that processes events. 
Appendix D. 2.4 uses a deadlock freedom check to prove that D. 1.2 is correctly limited by 
D. 1.3 (through running them in parallel). Success in this check illustrates that the process 
is correctly driven, as the explicitly defined deadlocks in D. 1.2 are never triggered. 
Appendix D. 2.5 utilises a pair of failures divergence refinements to ensure that D. 1.2 
limited by D. 1.3 (through running then in parallel), has precisely the same behaviour as 
that defined in D. 1.1. 
Appendix D. 2.6 is a failures divergence equivalence check that proves that the model in 
D. 1.4, with its annotation events hidden, behaves identically to the model in D. 1.2. 
Appendix D. 2.7 provides a trace refinement illustrating that D. 1.3, does not add any extra 
behaviour to the model contained in D. 1.4. 
Appendix D. 2.8 uses a deadlock freedom check to prove that D. 1.3 limits the input events 
of D. 1.4, so that the explicitly defined deadlocks do not occur. 
Appendix D. 2.9 contains a bidirectional failures divergence equivalence check, proving 
that if the annotation events are hidden from D. 1.4, it behaves identically to D. 1.2. This 
illustrates that the model in D. 1.4 is identical to D. 1.2, but contains semantic annotation 
events. 
Appendix D. 2.10 provides a deadlock freedom check for the clock cycle semantic 
annotation model contained in D. 1.6. 
Appendix D. 2.11 is a bidirectional trace refinement used to prove that D. 1.5 annotates a 
correctly performing process (e. g. D. 1.1), such that the sequence of generated annotation 
events are the same as D. 1.6. 
Appendix D. 2.12 contains a bidirectional failures divergence equivalence check. This 
check proves that D. 1.5 only adds annotation events to a process it is run in parallel with 
(e. g. D. 1.1), neither adding nor constraining the interface behaviour. 
58 
Main Work 
Appendix D. 2.13 uses a failure divergence refinement check and a trace refinement check 
to illustrate that the annotation events contained within D. 1.4 generate the same sequence 
of semantic annotations as D. 1.6. 
Appendix D. 4.1.2 contains a failure divergence refinement check and a trace refinement 
check that links the clock cycle semantic annotation model (i. e. D. 1.6), to the software 
semantic annotation model (i. e. D. 4.1.1). 
4.5.2 Appendix E Overview -A Single-Type Implemented Component 
This section details an overview of Appendix E, describing the CSP models it contains 
and their relationship with each other and to the component's super-type. Figure 28 
illustrates these relationships graphically, representing a single, single-type implemented 
component. These specifications are the CSP proofs required to verify a low level 
hardware component. 
Appendix E. 1.1 specifies all the allowable signal transitions of the implemented low level 
hardware components outer interface (e. g. the clock, reset, start and finish signals). The 
chosen example is a component that implements an IF-THEN-ELSE statement. 
Appendix E. 1.2 is similar to D. 1.2. Its basis is the E. 1.1 specification, but it has been 
altered so that invalid inputs are allowed, with the incorrect inputs triggering explicitly 
defined deadlocks. 
Appendix E. 1.3 is an automatically generated model of the hardware created by the 
compiler. It is comprised of a number of logic gates whose inputs are joined together by 
CSP events, directly mimicking the logic net-list that represents the circuit. Figure 78, on 
page 8, illustrates graphically this component's circuit. 
Appendix E. 1.4 shows a clock cycle based semantic annotation model of this component. 
It demonstrates how it drives the BOOLEAN check and the THEN and ELSE processes, 
and also how they interact and affect each other every clock cycle. 
Appendix E. 4.1.1 illustrates the semantic annotation model of this component. 
Appendix E. 2 contain the FDR assertions that link the various CSP specifications of the 
implemented component together, and to its super-type specifications covered in 
Appendix D. 
59 
Main Work 
OCCAM Hardware Conversion 
l\ 
Equivalence CSP Model of Net List 
disallowing incorrect 
driving (E. 1.311D. 1.3) 
Logic Net ý EDIF 
Each individual component is 
Modelled and run in parallel 
CSP Model of Net (may contain D. 1.2) 
List (E. 1.3) 
Refinement (E. 2.2)1 
Constrain input signals to disallow 
correct outer level driving 
Implementation Hardware 
Specification (E. 1.1) 
.i Deadlock Check (E. 2.1) 
r- 
Deadlock Check (E. 2.3) 
efinement (E. 2.4) 
Super Type Hardware 
Specification (D. 1.1) 
Hide low level events 
and check annotations 
perform similarly to 
expected model (E. 2.8) 
Implementation Clock Cycle Software Specification (E. 1.4) 
Hide subset of annotation events 
relating to clock cycle aspects 
Implementation Software efnement E. 4.1.2 
Specification (E. 4.1.1) 
Annotate 
outer layer 
Correctly driven net-list 
with outer annotations 
((E. 1.3 J D. 1.3)JID. 1.5) 
[Deadlock Check (E. 2.7) 
r Super Type Clock Cycle Software Specification (D. 4.1.1) 
Figure 28: Overvkw of proof structure for an implemented component 
Appendix E. 2.1 performs a deadlock freedom check of the model of the circuit (E. 1.3), 
with its inputs limited to being correctly driven (through running D. 1.3 in parallel). Firstly 
this checks that there are no loops of non-clocked logic, as this would result in the CSP 
model of the logic circuit deadlocking. Secondly, the deadlock freedom check guarantees 
that the logic circuit correctly drives any internal components. Failure to drive an internal 
component correctly will trigger the explicitly defined deadlock within the model, thus 
illustrating if the condition is violated. 
60 
Main Work 
Appendix E. 2.2 uses a trace refinement to ensure that running the circuit model in parallel 
with D. 1.3 (thus limiting its inputs so it is correctly driven), guarantees that the 
specification in D. 1.3 does not add any extra behaviour to the circuit. 
Appendix E. 2.3 provides a deadlock freedom check, indicating that the boundary 
behaviour of the component is deadlock free. 
Appendix E. 2.4 uses a trace refinement to prove that the component is a valid sub-type of 
its super-type. 
Appendix E. 2.5 has a bidirectional failure divergence refinement check, that proves that 
when the implemented component is driven correctly, its interface behaviour is identical 
to the expected interface behaviour specified in E. 1.1. 
Appendix E. 2.6 demonstrates that the hardware component annotated with the D. 1.5 
specification, does not deadlock. 
Appendix E. 2.7 is a deadlock freedom check on the high level clock cycle annotation 
only specification (i. e. E. 1.4). 
Appendix E. 2.8 uses trace refinement to ensure that the implemented component behaves 
similarly to the allowed high level annotation specification 
Appendix E. 4.1.2 contains trace refinement check that demonstrates that the annotation 
specification of E. 4.1.1 is a valid sub-type of D. 4.1.1. 
4.5.3 Alternative Single-Type Component Models 
An example of an alternative style of annotating a single-type component can be found in 
Appendix H and Appendix I. These appendices are similar to Appendix D and Appendix 
E, but with the difference being that the control process that is used to ensure the models 
are correctly driven when being analysed, uses internal choice to provide a valid input as 
opposed to limiting the allowed inputs of the models. The method for annotating the outer 
level of the models has also been adapted, whereby the semantic annotation events have 
been added to the control process and occur before the corresponding signal events. This 
adaptation results in the annotation only models having a more sequential style (e. g. an IF 
statement starts before its Boolean check), as opposed to the previous method where 
several annotation events are triggered in parallel (e. g. the IF statement and its Boolean 
check start in parallel in the same clock cycle). 
61 
Main Work 
Appendix J and Appendix K illustrate how much simpler the CSP models become if the 
reset functionality is not introduced into the proof framework. These appendices also 
demonstrate how removing the reset functionality, in this particular example, results in 
the semantic annotation events corresponding to specific instances of events (as opposed 
to a combination of specific instances of events), and how the process of connecting low 
level hardware models to semantic annotation models can be simplified. 
4.5.4 Special Multi Type Components 
The proof strategy covered in section 4.5 can be used to prove nearly all of the OCCAM 
components, with the exception of variables and channels (i. e. the multi type 
components). The reason that they have to be handled differently is because channels and 
variables perform two distinct functions; data can be assigned to a channel for 
transmission along it and also can be received from it, whereas variables can be written to 
and read from. These objects therefore maintain internal state that the proof models must 
accommodate, which is further complicated by the fact that an implementation of one of 
these components can have zero or multiple instances of each of their interface functions. 
The proof methodology for these multi-type components is based on that of the single- 
type components. Single-type specifications are generated for each of the different 
conceptual interface functions that they can perform, along with an extra specification 
that dictates how instances of these interface specifications interact and influence each 
other. This gives a single-type component specification to use as an internal component in 
any proofs for other single-type components, whilst also being able to prove that the 
implemented logic that governs the interactions between these interfaces is valid and 
behaves as expected. This enables us to prove that the correct conceptual task occurs 
when the interfaces are accessed in parallel or sequentially, while still demonstrating that 
each of the implemented interfaces is still a valid refinement of the interface specification. 
An example of the CSP models and assertions for a multi-type generic super type 
specification can be found in Appendix F, and an example of an implemented component 
is contained in Appendix G. 
62 
Main Work 
4.6 Proof/Compiler Integration 
The basic concept of the integration between the proof and the compiler is that, apart 
from generating the logic circuits, the compiler also composes together the CSP models to 
generate the proof. Through the use of inheritance, interfaces and other standard object 
oriented principles in Java, the compiler was designed and built with the concept of tight 
integration with the model generation in mind. The use of interfaces enables the code of 
the compiler that connects together the fragments of logic circuits representing the 
OCCAM components also to connect fragments of logic circuits to other custom hand 
crafted components. This functionality was designed for use in the generation of the CSP 
models, enabling the fragments of logic circuit to be connected to super type generic 
specifications that are substituted as place fillers for any required internal components. 
This feature has the side effect that the compiler has the ability to cope with connecting 
fragments of logic circuits that it generates with other components that may not have been 
created by the compiler. This means that any circuits or components that have been 
created through other design and development strategies have a simple avenue for 
continued reuse and integration into the compiler. 
The combination of inheritance and strong type checking enables the compiler to ensure 
that OCCAM components which require other internal components can only be provided 
with valid sub type components (supplied as method arguments). This results in the Java 
type checker enforcing that the compiler can only compose together components that the 
OCCAM language grammatically allows, thus enforcing the proof of composition is 
upheld. The use of inheritance also results in the proofs for the implementable 
components to be automatically checked against their correct corresponding super type 
specifications (i. e. the super type that they physically inherit from); this is because the 
CSP models obtained from the super type components are integrated into the automatic 
construction of the proofs. If an implementable OCCAM component inherits from an 
incorrect class, the CSP proof that the compiler generates will fail when checked. This is 
because the compiler utilises the class structure to select the models encoded into 
fragments of CSP in a similar way that it utilises the class structure to determine how it 
converts components into hardware, thus ensuring consistency between the proofs that are 
run through FDR and the logic circuits generated. 
63 
5 Results 
The redeveloped compiler currently is approximately 2.4MB of Java, consisting of over 
320 classes and 46000+ lines of code. It generates 4+ MB of CSP split over more than 70 
files, all of which have been run through FDR. As indicated throughout this work, the 
focus has been on guaranteeing the generation process of the logic circuits, thus ensuring 
the circuit behaves as specified by its software specification. The examples that were 
compiled to test the compiler were implemented on an FPGA and worked first time. The 
timings have been measured from the hardware and verified against the expected values 
computed by stepping through the application and using the rules stated in Appendix L. 
5.1 Example 1: Commstl me - Version 1 
The example that was used to test the compiler was commstime, as specified in Figure 29. 
SEQ 
CHAN OF UINT7 a: 
CHAN OF UINT7 b: 
CHAN OF UINT7 c: 
CHAN OF UINT7 d: 
PAR 
SEQ 
UINT7 vl: 
al1 
WHILE TRUE 
SEQ 
b7 v1 
at vi 
SEQ 
üINT7 v2: 
WHILE TRUE 
SEQ 
a? v2 
PAR 
c1 v2 
dI v2 
SEQ 
UINT7 v3: 
WHILE TRUE 
SEQ 
C? v3 
bI v3 PLUS 1 
SEQ 
PLACED UINT7 v4 AT "v0", "vl", "v2", "v3", "v4", "v5", "v6": 
WHILE TRUE 
d? v4 
Figure 29: Commsthne written in OCCAM for conversion into hardware 
Results 
/* instantiate an empty logic circuit and the start and finish signals 
LogicCircuit cir - new LogicCircuit O; 
LogicNet start = new LogicNet(); 
LogicNet finished - new LogicNet(); 
/* Declare the channels used in the specification */ 
OccamChannel_NotPlaced a= new OccamChannel_NotPlaced(cir, 7, "occamChannelA"); 
OccamChannel_NotPlaced b= new OccamChannel_NotPlaced(cir, 7, "occamChannelB"); 
OccamChannel_NotPlaced c= new OccamChannel_NotPlaced(cir, 7, "occamChannelC"); 
OccamChannel_NotPiaced d= new OccamChannel_NotPlaced(cir, 7, "occamChannelD"); 
/* Decaire the variables used in the specification */ 
F1ipFlopStorage vi = new FiipFlopStorage(7); vl. setLogicCircuit(cir); 
FlipFlopStorage v2 - new PlipFlopStorage(7); v2. setLogicCircuit(cir); 
PlipFlopStorage v3 - new F1ipFlopStorage(7); v3. setLogicCircuit(cir); 
WatchedFlipFlopStorage v4 = new WatchedFlipFlopStorage(7, new String[] 
{"vO", "vi", "v2", "v3", "v4", "v5", "v6"}); v4. setLogicCircuit(cir); 
/* Instantiate the AST */ 
OccamSequence_Seq outerSEQ = new OccamSequence_Seq(new OccamProcess[] 
{ 
new OccamProcees_SingleChannelDeclaration(a), 
new OccamProceas_SingleChannelDeclaration(b), 
new OccamProcess_SingleChannelDeclaration(c), 
new OccamProcess_SingleChannelDeclaration(d), 
new OccamParallel_Par(new OccamProcess[] ( 
new OccamSequence_Seq(new OccamProcess[] { 
new OccamProcess_Output_Channel( 
a. getChannelSend(), new Occamßxpression_UINT_Constant(7,1) 
new OccamProcess_SingleVariableDeclaration(vl), 
new OccamProcess_While( 
new OccamBooleanTrue0, 
new OccamSequence_Seq(new OccamProcess[] { 
new OccamProcess_Input_Channel( 
b. getChannelRead(), vi. getDataStore()), 
new OccamProcessOutput_Channel( 
a. getChannelsend(), vi. getDataRead()) }) ) }), 
new OccamSequence_Seq(new OccamProcess[] { 
new OccamProcess_SingieVariableDeclaration(v2), 
new OccamProcessWhile( 
new OccamBooleanTrue (), 
new OccamSequence_Seq(new OccamProcess[] { 
new OccamProcess_Input_Channel( 
a. getChannelRead(), v2 . getDataStore 
0 ), 
new OccamParallel_Par(new OccamProcess[] { 
new OccamProcess_Output_Channel( 
c. getChannelsend(), v2. getDataRead()), 
new OccamProcess_Output_Channel( 
d. getChannelSend(), v2. getDataRead()) }) 
}) ) }), 
new Occamsequence_Seq(new OccamProcess[] { 
new occamProcess_SingleVariableDeclaration(v3), 
new OccamProcess_While( 
new OccamBooleanTrue () , 
new OccamSequence_Seq(new OccamProcess[] { 
new OecamProcess Input_Channel( 
c. getChannelRead(), v3. getDatastore()), 
new OccamProcess Output_Channel( 
b. getChannelsend(), 
new OccamDyadicOperand Plue 
v3. getDataRead(), 
new OccamExpression_UINT_Constant(7,1) )) }) ) 
}), 
new OccamSequence_Seq(new OccamProcese[] { 
new OccamProcess_SingleVariableDeclaration(v4), 
new OccamProcess_While 
new OccamBooleanTrue (), 
new OccamProcess_Input_Channel( 
d. getChannelRead(), v4. getDataStore()) ) 
}) }) }); 
/" Generate the logic circuit "/ 
outersEQ. generateLogic(cir, start, finished); 
Figure 30: Commstime hand translated into the AST for the compiler 
65 
Results 
The specification was then hand translated into its corresponding AST, as illustrated in 
Figure 30 on page 8, followed by the method call to instantiate the compilation into 
hardware. This generated a logic net list structure contained within the "LogicCircuit" 
component which was then output as EDIF (see cd: ex1), although this net list structure 
can also be output as CSP to provide a full circuit specification if desired. The generated 
EDIF was then passed to the "place and route" tools and programmed onto the FPGA. 
........... .............. .................. . "¬ .............. _.. _Q...:............. 
'..; ¬ ¬ 
.. ýwä wwý :'W wOý ..: 
:.................. 
a: 
; CO wa ; `` 
. __ .................. ýý __. _........ _........... _... _. __ _. _ . _.. _.. _ .................... _........ .... :........................... .: .............. ............................................. _....... _................. ........ _............................................................................................................:: :............................................... ........ ..., , ..:. ý... __.... _..... ý.. _:.... _.. _.. ý_............ _.,: _:. ý::.... ý:..... -. -:.... -... _. ý ..... .................. AwUar. ta'wUx Ft zzw. 7 
... .............. ....................................................... :.................... ............ ..................... _....... .......... '-ý-- "- ---_-- ýAwU aý xWuxazzwau= 
ý-- 
t 
_ . _.. -ý --- 'F' ---- -s".. ýiiý,. _iwk=. r.... wn... i:. "- aý--.., n'ýr. o!:: ý! x:::! ý! t°: 14r.:::!! ýt°_: '! 4t. 'ýr_: ''ýý--xx+:::: iX! 
ý --ý 
AWUar. ý rx WUx r1 zzWaA 
.::....:::....: ...... ............... .ý.... ------- 
ý- 
: 
-ý wWAwuaaawuxazz WO rt 
... ." .., c................. .......................... _.. _. __........................... .... ........... _....... .......... tz Ü 
Figure 31: Trace through for initialisation phase of Figure 29 commstime 
66 
_ý. -- "; 
y 
........ _..... 
_. "": . di ý" i':. i 
'ý; 
' JJ i3, wm i": 
i7 
ýFi 
fn : 3. F CJ2 :. ý_...... _.......... ý. ý 
? 
ýýýFFýý., ý" 
: _,.... _.... i ý 
3ri si 
ý............... _"-. l .. F {T "ý ýýýý3 
=' 
33 
!: 33 
1ý 
; ... _.. _... ýý 
_ 
IfF] 'i; E, 
`i iij 
ti`: 
W_... = 
"ýl , 
ý: 
'C1 ° 'O !: 
ý! 
.+" 
.. 
}3 3F. "h- 
!tN 
Al F34!; +! F i£'e 
i 
i`" ý'" iý'0! Fi 
i3'iiti; Fx e a? 
ý 
ý .............. ............. ii 
-. _. _... _. 
" 
3ý 
?' :ýi" '" 33AI 
}ý 
__:; 
iA ýfj =jI i. "iý 
.. 
Iz 
3+: 
n+ j: 
. :" 01 
... 
"_.... 
_1` ý. .............. 3 +3 
F+ W 3ý + ... 
of cn 
O i; ;? FW 
W" 
"¬¬: i i: '; - .. ý. -,: 
Ü ii ;_ ýxHaw {; _' axHaw 
'siiAýxHaw 3 
.............. _.................. ___. _.. _.. _..: . _................. _. _.... ....... _...... _......................................., i? ý; cn W 01 :; En w Of s cn w 03 
Figure 32: Trace through of 6 cycle cyclical loop (N+9 to N+15) for Figure 29 commstime 
Results 
67 
Results 
The generated hardware that represents the application is triggered by a high state held for 
a single clock cycle on the "LogicNet start" wire of the outer component. When this 
occurs the hardware is triggered, the application performs its initialisation and the first 
output value (i. e. data stored in v4) is generated after 9 clock cycles (see Figure 31), this is 
followed by a new value after every further 6 clock cycles (see Figure 32). If this block of 
hardware were to finish, which it does not because it contains a "while true" loop, the 
hardware would have generated a high state on the "Logicxet finish" wire, held for a 
single clock cycle. The "WatchedFlipFlopStorage v4" component represents a placed 
variable with its corresponding signals connected to output pads, thus enabling the state 
within the variable to be viewed from outside the circuit. 
5.2 Example 2: Commstime - Version 2 
Just like in section 3.7, the performance of commstime may be improved by refactoring 
the application. The specification covered in Figure 33, when converted into hardware 
(see cd: ex2) and triggered, outputs its first value after 10 clock cycles, the second after 
another 4 and the third after a further 6. Subsequent values are output in cycles of every 6 
and then 5 further clock cycles. 
This example utilises a hand crafted lexical tokeniser and syntax parser to automatically 
parse the OCCAM source code and generate the AST. Although the syntax parser takes 
advantage of various features to help gain confidance in its AST generation (a formally 
proven parser would be the ideal solution but is outside the scope of this project). As 
stated in section 4.6, the Java type checking ensures that the subcomponents that the AST 
is comprised of can only be composed together in a manner that the OCCAM grammar 
allows. Although this helps to ensure that the AST the compiler utilises as its initial 
starting point is grammatically allowed, it does not guarantee that it is free of parallel 
usage errors (as this is a property of the OCCAM application). 
68 
Results 
SEQ 
CHAN OF UINT7 a: 
CHAN OF UINT7 b: 
CHAN OF UINT7 C: 
CHAN OF UINT7 d: 
PAR 
SEQ 
UINT7 vl: 
UINT7 v5: 
a11 
a12 
b? v5 
a13 
WHILE TRUE 
SEQ 
PAR 
b? V1 
aI v5 
PAR 
b? v5 
ai v1 
SEQ 
UINT7 v2: 
WHILE TRUE 
SEQ 
a? v2 
PAR 
c! v2 
d! v2 
SEQ 
UINT7 v3: 
WHILE TRUE 
SEQ 
C? v3 
b! v3 PLUS 3 
SEQ 
PLACED UINT7 v4 AT "v0", "vl", "v2", "V3", "v4", "V5", "v6": 
WHILE TRUE 
d7 v4 
Figure 33: Commstime passim three values round the loop 
69 
Results 
:.. _.. _.....: 
.. r. ý.... ý. a... cz..: 
ý!.. ý "ý ................... s 
JC"ý:? 
yý; " 
:. ý...., ý 
e 3j7j 
ý 
13ý3ý 
+ 
`/ 
jjj 
ýti 
ii iI 
--3--f; -- IE 11 
HI 
ý ýj 
.. __.. _...... _... ... .. _N... _: i; ambb m 
___.. _.. __ý 
-. 
ýi 
ff....... µp _0 O; a "" e"1 
ei 
i"_ 
+ 
m L,. 
_.. __... ý_. _... 
_.. »......... 
?i jQ i 
ý....... .... ..... -, ::,: :a: _. .. if 
i: '+ . 
4. 
_ .. !iu!, . ._. 1 
w! O 
'. ? uj 
?3ý...:. 
_. rv 
e!:. 
_ýýiS.. .dbi'!: 
}ý....... ___. ___. . }ý; 'rr""výrr. rc: am"ýruý: ý. "ýis . - 
?' 
{Y 
? 
pp 
'W>? Nii"3mQý; 
? @.......... 
_ :.......::. _:.. _.. _.. -5 
i. 
_ 
..... .:,, 
ý 
.. ". _. ý...... ý .. 
'... ..... ... _... _. _.: :::.............. 
i: 
-.. --::::::?..; .. 7 ý.. _...... _... 
_::::: ý: "..:: n. }a? Ne Cl ?..: N_rýw .+... + rr .r rr w .. W ;? a iy__.. _ ._................................. 
ý_... _... _.... r. ... _ ..... 
"... _... .. T...,,........,,,,,..., W, _.. 
r- 
o ®. ýjuue^"yri.: MMK:: 
7MN::: WIL:: 7MMfýMMK: a1M1ý::: Kttt::: Mii#::: ý:........ t.:: 
1: _. ýIIIM"! r'.. O1r" , 
; gmUrlamm Uxa. zzma -{ ---------- 
. ý. _.... _.... __.... _...... _.... __.....! .... ý.. __-. _... 
y. _. 
Iomuaaaw-: ---------- 
ý E........ _ _. _.. _.. _............ ýýýýý.. 
ý ý. ýý_ 
ýýýýý wa.. iFY.... ýi. -ý-wý-ýa... 
Wii-"a'-"' 3 
-ý- r, 
amuaaam uzazzma A--W4 . _. _. ---- 
3 
! ýE 4..,,., ekm uzazzma 0 
Figure 34: Trace through for initialisation of Figure 
33 commstime 
70 
Figure 35: Trace 11 cycle cyclical loop (N+17 to N+28) for Figure 33 commstime 
Results 
71 
Results 
It should be noted that by optimising the channel communication logic, i. e. removing the 
delay in the channel output (see section L. 6), it would be possible to construct the circuit 
that outputs its first value after 10 clock cycles and all subsequent values outputs every 
further 3 clock cycles (see Figure 36 and Figure 37). The initialisation stage could also be 
optimised, and this could be achieved by declaring channels and variables in parallel, but 
not in a PAR. This would reduce the time required for the initialisation phase and shorten 
the time taken until the first value is output. 
72 
Results 
?:.. 
??. 
aax_... 
_. ... " .: "-.. -ý ----:! 
t 
-: ýº: ýý ý ii: ?: _lF!: ": ----------;; ý=' ý---::: ý-ýý -- :? =F 
} tr7äö°eb N °i:: ={{ Nr ¬ '""_ý ; ¬9> 
3 _.. ý. "> ý- 
i.. __.. __. _. - . _... i...... ------- _.... _..... 
i 
--- . ý....,... ý...: s... ý_... ý_., ý 
r }; -. r -m^ Ü 
.`_"i+ 
_. _ ...... _... __. ..... . _. _...,? °ýv rofi ", ;fim_ý_. 31ý.. 
b; 
w; 
-I 
3I 
... ^ '- "" 
?ý a 
ý. 
ý..... 
i" 
:. °La : -ý-_ ---- ............... 
33 
_. _. 
-1 
i 
.? N3N" 
"" it m . 
m] piý? a it ?f 
.:. 
'".......... 
it .. ? 71 >m>E??: :ýSeý...... .... .... ý: ý 
_ 
YiM. 
' 
...... ý :. iQi... _.. __1 . 
3' ýE . y.... " 
i, . .. 
_..... .... 
_? r...... _. 
-.; : 
!. ý 
: ...... 
ý'"ý`_. 
ý'.. 
YN4 
" 
-; '°';... 
_ý ii ?'.? 
"w 
> 
ýi? 
_.: 
u O 
3i 
---ý 'S' 
'-. _. -1^. arc:: ýW[ý: ruc:: ar¢:: a4 ". 
ý ""-mu-ý ýe 
ii"_IYa 
......... _ 
r... ..... 
;?.. ::.. - 
-.. ý... ?:??... 
; 
?e Cw ; ü> i ý: jý u> INWý >ý r wa Qýi.... ........: all :Q VI 94 ?}W? QI: i....: i____ý L. 
it 
i it 
..... .. ?a;.. __.. _.......: -:: ":::: ý : --.: . _. _ ........... 
'"............... i:.: r.:. -. "..: i: i: i:::::: 3 ... wv ý . _. _. _... _..: ý .:. ... " . m: ......... _...... _. ___. _.. _-_. _. _.. _... .,.,,...., n... y,... -... ý... ý.. ý... 
ý...,,,... 
-- "". r .... .., _W axac: xx 
::: ure aac»: xrx: ý' 
?" - ?Qwuaaamuxazzmabl-- --- r- - 
_ 
;..... _.. _.... _ .................................................... -------- 
- --"-S. 
----,..:.....,. w... wl... ýw....,.. _., 
a. ý....... w:... wý.. ýl. -ý. -+ý. -s 
amuaaxm uxazzma u"____- .ý 
-- __ _. _ _. . _....... _. . _ý--ý: ý"ý- ------ 
M"Qo7uaaam 
uxazzma 
----------- 
-ý- 
------ 
-.. r-"rr-Y. r"""nw""+.. -"rn""w.. -".: wýwr"". r-_, _-?? 
e-) w° ; Qu. 7axm uxazzma w _..... _ý . -_ ý , ý.. ý -" ........... .. ___. __...................... 
n -ý ".. -ý----,. +-.. -... ""' 
Figure 36: Optimised trigger & completion step through 
for initialisation of Figure 33 commstime 
73 
Results 
Figure 37: Trigger & completion step through of 6 cycle cyclical loop of Figure 33 commstime 
5.3 Example 3: A Digital Clock Displayed on an LCD 
This section presents a larger example application (see Appendix N). The application is 
an implementation of a digital clock, on which the time is displayed on a liquid crystal 
display (LCD). The clock has two input buttons that allow the displayed time to be 
altered. 
74 
Results 
The application runs on a Xilinx FPGA and performs a power on initialisation of a 
Sitronix ST7066U graphics controller connected to an LCD, configuring it to 
communicate via its 4-bit data interface mode, and instructing it where to display the 
relevant characters. The application also samples two buttons which can be used to alter 
the running clock time, whilst several internal parallel processes interact via channel 
communications. 
LCD Nibble LCD Delay 
a 
Main 
LCD PowerOnlnit 
.9 
LCD_Diepla}rl'ime 
ý 
DigitaiClock 
ý 
DebounceHour 
ý 
DebounceMin 
ý 
Figure 38: Overview of the Digital Clock example 
The developed application was broken down into the following segments: 
" Main 
" LCD PowerOnlnit 
0 
0 
0 
a 
0 
LCD Nibble 
LCD_Delay 
LCD_DisplayTime 
DigitalClock 
DebounceHour 
" DebounceMin 
5.3.1 Main 
The segment of code, commented as "main", runs the LCD PonerOnXnit code, followed by 
the following in parallel: LCD DiaplayTime, DigitalClock, Debounce8our and DebounceMin. 
It also declares locally the channels that Debounaeuour and DebounceMin use to 
communicate with the Digitalclock process, and the channels that Digi talClock uses to 
communicate with LcD DiaplayTime. 
75 
Results 
5.3.2 LCD_PowerOnlnlt 
This segment of code contains the sequence of commands and the required time delay 
between them, to perform the power on initialisation of the LCD graphics controller. This 
initialises and sets the controller to communicate in its 4bit data-mode. 
The process utilises channels to send the individual commands to the rcv Nsbble code to 
output them to the LCD graphics controller. The process also communicates with the 
LCD D. 1ay process, triggering it via channels so that the required delay allows the 
commands to execute correctly. 
5.3.3 LCD Nibble 
This process contains an infinite (WHILE Taus) loop, listening on channels for commands it 
is required send to the LCD graphics controller. When this process recieves a command, 
it sets the corresponding data and command lines to send the correctly timed command to 
the LCD graphics controller. The process then waits, before listening on its channels for 
the next command to send. This is so that there is a correctly-timed delay between 
individual commands. 
5.3.4 LCD_Delay 
This process contains an infinite (WHILE TRUE) loop. The process listens on a channel, 
starting a timer when it is instructed to do so. When the timer completes, the process 
communicates this fact back along another channel, before listening for when to start the 
timer again. 
5.3.5 LCD DlsplayTlme 
This process contains an infinite (WHILE TRUE) loop. The process repeatedly listens on 
several channels for the time that is required to be displayed on the LCD. When it 
receives the time, it proceeds to send the required sequence of commands to the the 
LCD äribbi* process to indicate the correct characters to output. The uD Di playTia. 
process communicates with the um Da1ay process, inserting the correct delays between 
the commands. 
76 
Results 
5.3.6 DlgitaJClock 
This process executes an infinite (WHILE raus) loop. The process continuously updates 
running time, incrementing it every second. Every half a second, the process outputs the 
current time to the r co Di playria . process, whilst also listening to channels from the 
D. bouao Hour and D. bounc. Mia processes to indicate if the user is manually altering the 
time (and adjusting it correspondingly). 
5.3.7 DebounceHour and DebounceMin 
These two processes both contain an infinite (wHrr. E Txus) loop. The processes perform 
the same task, differing only by which user input button they sample and the channel they 
use to communicate to the Digitalcloak process. The processes perform a simple 
debouncing on the user input (connected from a push button) by indicating that the state is 
a stable high input, if it has remained high for a specified period of time (i. e. a specific 
number of clock cycles), otherwise the state is set as low. 
5.3.8 Compiling to Hardware 
The application was parsed by the compiler and the generated logic circuit contained over 
104900 lines of EDIF (see CD: ex3). The logic circuit was then configured onto a Xilinx 
Spartan-3E FPGA development board and run, a photo of the running hardware can be 
see in Figure 39. 
After correctly specifying the wiring between the FPGA and the LCD controller, this 
circuit executed correctly the first time that it was run, again demonstrating the robustness 
of the compiler. 
77 
Results 
Figure 39: Example 3: Digital Clock, running on an FPGA development board 
78 
6 Future Work & Conclusion 
The current implementation of the compiler has several obvious areas where further work 
can be focused. These range from expanding the subset of the grammar that the compiler 
supports, optimising the segments of logic used within the compiler, and adapting the 
compiler to build asynchronous logic circuits. Although the compiler is a prototype 
demonstrating a proof of concept, it shows the validity and viability of proving the 
construction process of building logic circuits from a software specification. The compiler 
can take OCCAM programs, from a limited subset of OCCAM, and compile them down 
into hardware. This is achieved without the need to model or test the generated logic 
circuits, as the process of generating the circuits has been proven to be correct. 
By guaranteeing that all of the generated logic circuits produced by the compiler will 
always behave as specified by the corresponding supplied software specification, the 
extra state and complexity that is unavoidably introduced due to the conversion of the 
software into fine grained parallel hardware, has effectively been isolated and removed. 
Thus the process of converting a software specification into hardware does not increase 
the difficulty or complexity that the end users would require for them to prove or verify 
their software specification. Although this was the main focus for the project, which has 
been successfully achieved, other benefits are also present, such as the ability to utilise 
software design methodologies to simplify and speed up the process of building hardware 
applications. 
Appendix A Other Preliminary Work 
A. 1 Occam Grammar Modifications 
The work on the grammar involved two main areas, both of these in preparation for the 
AST (abstract syntax tree) parser extensions. These were the expansion of the subset of 
Occam grammar that the compiler supports, and modifications to the grammar to enable it 
to be LALR1, which is a requirement for utilising SableCC [Gagnon, 1998]. 
A. 2 AST Transformer Extensions 
With SableCC [Gagnon, 1998] being utilised to develop the parser and abstract syntax 
tree (AST), the expanded grammar required the AST transformer to be expanded to 
accommodate the new features. This enabled it to deal with the modified grammar and to 
perform the circuit generation for the newly introduced grammar components. The 
generated logic circuit is represented as an internal net-list structure that can be viewed 
(see A. 3) and simulated (see A. 4), but also converted into a format (e. g. EDIF) suitable for 
final output from the compiler to the Xilinx FPGA synthesis tools. 
A. 3 Graphical Circuit Visualiser 
To assist in the manual debugging of the generated logic circuits, I constructed a 
visualiser that graphically depicts the internal logic circuit's net-list data structure that the 
compiler generates. This is the data structure that is translated into the final format output 
(e. g. EDIF) by the compiler. 
The visualiser provides a simple layout with the components of the circuit stacked 
vertically on the left hand of the screen, and the interconnections between them to their 
right (see Figure 40). The tool enables the user to reorder the layout of the graphical 
components (both the logic components and interconnections) manually or semi- 
automatically with the assistance of two heuristic algorithms that I have developed. These 
are described in section A. 3.1. 
Appendix A: Other Preliminary Work 
Q 
-Q Leple Vhusqssr ). - 
END NOW 9umwe ymutalbn C131 
In [Ine Column - C°enpäclý ý One Cduem - Crum 1. One Cdumn --u 
ass7 
occC. LnpiCDFFC 
cna_o_a 
occc. LooicTFFC 
out8_e C 
occc. LopicCCm6 
; 
_nod95099 occc. L09lCSum 
S91 
R 
Q 
4 
x node5888 öccc. LopicProd 
z nod95997 
occc. Lo9lcProd 
, _node5096 
occc. LopicSum 
7Lnode5095 
occc. Lo9icProd 
x_node5994 
occc. LoOicProd f 
0 
C? 0 
I 
Figure 40 Screen Shot of the Graphical Circuit Visuallser 
A3.1 Auto Layout Simplification 
My main two heuristics attempt to simplify the graphical depiction of the circuit through 
altering the order that the components are presented on the screen, each with a slightly 
different preference. Both of them attempt to reduce the number of times the lines 
interconnecting the components cross over each other, but the second algorithm also 
utilises the information concerning which components are driving the signals propagated 
along the interconnections. 
Both of the algorithms I have developed are designed specifically for the graphical layout 
used, and they both follow a similar format. First, they order the logic components, 
followed by ordering the ports on those components, finally ordering the interconnecting 
signals between the ports. It is this relative ordering that determines the positions that the 
components are drawn onto the screen. 
81 
Appendix A: Other Preliminary Work 
Aä. 1.1 Algorithm 1 
Being a semi-automatic heuristic, the user must first select which is the starting logic 
component that should be at the top of the list (an input to the circuit, e. g. the clock, is 
usually a good place to start - see Figure 41). 
O 
-e Loefc Vlwalisor n- 'd 
Nfe New 9emwe Simulation 0134 --- 
1:: OneColumn -Comact ZÖne COMM- - h Corný j 3: One Column - Compact Al: SmuktlOn Dfeplay 
occaLOOicIPAD ý 
wn co 4 
uft0. LU01C FC 
X. node5075 
occc. LO0ýc8um 
1{_node5073 
occc. LOpicProd 
noLem7 4 
occc. Lopiclmert 
x_Oode5074 
otct. LOpicProd 
ep7_I 
occc. LopicCemE 
x_notls5010 
ocec. Lopic3um 
>Lrwaasoai 
occc. LOpmProtl 
X-noda5038 
octc. LOpicProd 
noLcln7 4 
occc. LOOTUmsrt 
I x, node5104 
IL occc. LopaProd 
-ok 
11 0 
i 
D 
ý 
ý 
Figure 41 Example output from the first tidying algorithm 
E 
f-I 
The algorithm proceeds to build up the order of logic components. The method of 
selecting the order of logic components is derived from examining the interconnecting 
signals (see Figure 42). To start, an empty set of interconnecting signals and an empty list 
of logic components are created. As each logic component is added to the end of the list 
(a process initially started by adding the initial logic component the user selected), the set 
of interconnecting signals is updated to include all the signals connected to the ports of 
this logic component. The set is then ordered by the number of logic components that it 
interconnects, but which are not yet contained within the new list. Any signals that do not 
connect to at least one logic component that is not currently in the new list are removed 
from the set. The first element in the set (if there is one), is selected, a logic component 
not contained within the new list that the signal connects to is selected at random and is 
added to the end of the new list (causing this list of processes to repeat). This continues 
until the set of interconnecting signals is empty. When it is empty, if all of the logic 
82 
Appendix A: Other Preliminary Work 
components are not contained within the new list, the algorithm selects one of the 
remaining components at random and adds it to the end of the list (causing the list of 
processes to repeat), otherwise the new list contains the new order of logic components to 
draw to the screen. 
User selects logic components to start algorithm on 
SETUP 
" Create an empty LIST for logic components 
" Create an empty SET for interconnecting 
signals 
Add selected logic component to end of the LIST 
ý 
Add the interconnecting signals connected to the 
selected logic component to the SET 
ý 
Order the SET ascending based on the number of 
unique logic components they connect to, which 
are not currently in the LIST 
i 
Remove any interconnecting signals form the 
SET that do not connect to any logic components 
that are not currently in the LIST 
From the first interconnecting 
signal in the SET, randomly select 
a logic component that the signal 
connects to which is not currently 
contained in the LIST 
The LIST contains the new order 
of logic components 
Figure 42 A graphical representation of how logic components are ordered for algorithm I 
83 
Appendix A: Other Preliminary Work 
Table 2: Port ordering imposed by the Comparator for the tidying algorithms 
Position of Portl in interconnecting signal 
TOP 
Compare the vertical length of 
the interconnecting signals 
connected to the ports 
aý > 
ý 
ý 0 
w 0 
Porti > Port2 
Porti < Port2 
Compare the number 
of ports each port 
connects to 
. ý. 
y 
Porti = Port 
2 
°+ 
6 
Portl > Port2 
( Port! > Port 
2 
ý >. Port! < Port 2 
Bottom 
Porti < Port2 
Compare the vertical length of 
the interconnecting signals 
connected to the ports 
N 
+i 
I 
ý 
I 
8 
Porti > Port2 
Port i< Port2 
Compare the number 
of ports each port 
connects to 
+I 
0 e 
... w 0 
ý 3 
c 
04 
Portl > Port2 
. 1. 
Portl < Port2 
Porti > Port 
2 
I 9 
Port i< Port 
2 
A 
Portl = Port 
2 
Other 
Porti < Port 
2 
Porti >Port 
2 
Port i= Port 
2 
84 
Appendix A: Other Preliminary Work 
The next stage of the algorithm involves ordering the ports on each of the logic 
components. This is achieved through utilising an existing modified merge sort [JavaDoc 
1.5.0 Comparator] supplied with a custom built comparator (see Table 2). The comparator 
is used in the sorting process to determine if or when it should swap the location of two 
objects. 
The last stage of the algorithm is sorting the order of the interconnecting signals. This is 
done in a similar way to how ports were ordered with a custom Comparator (see Table 3), 
examining both the vertical length of the signals and the number of ports that each signal 
connects to. 
Table 3: Signal ordering Imposed by the Comparator for the tidying algorithms 
Compute result of ((Signal 1 vertical length) - (SignaI2 vertical length)) 
+ve -ve Zero 
Signall signal l m pare the number of ports that each signal connects to 
> Signal2 < Signal2 Si 1 num - (SignsI2 num) 
+ve -ve Zero 
Signall 
> SignaI2 
Signall 
< Si alt 
Signall 
= SiRnal2 
A. 3.1.2 Algorithm 2 
The second heuristic (see Figure 43) performs in a similar manner to algorithm 1, the 
difference being derived from the ordering of the logic components generated. As 
previously stated, this algorithm attempts to incorporate information concerning which 
components are driving the signals propagated along the interconnections. This is done by 
having an alternative comparator to sort the logic components. 
85 
Appendix A: Other Preliminary Work 
0 -K Lnple VI.. IMer }>. 
-- 
END tlew gemere 9nutlaDOn Or34 
ý. 
, 
1:: Ono Column - Cnmpecf '. Z: One Column - Compa One CWOm - Competl 6:: SknuYlbn Dleploy 
..:. -_- 
tlotk ---------------------------- 
otttLOpItIPAD 
rari counLO 
occaLopicTFFC UK F 
0 x ndde5000 
occc. LOpicPrdd 
)LnodB5008 
oocc. Lop¢SUm 
not_cfn7_1 
occcLOplctmen 
; _nodc5011 oCCC. LO01cProd 
1LnodoSO13 
occc. LOOtcSum 
evp7 1 
occc. LOpicCom6 
%_notls5065 
oece. LOplcProtl 
7(. noee5666 
occc. LopIC6um 
Y9f1 COWI(_i 
Ott[ LopItTFFC 
4 
I 
i 
i 
i 
i 
r__. 
Figure 43 An example output from the second tidying algorithm 
a'? 19 e 
F' II 
Iý 
86 
Appendix A: Other Preliminary Work 
User selects logic components to start algorithm on 
SETUP 
" Create an empty LIST for logic components 
" Create two empty sets for interconnecting 
signals, A and B 
Add selected logic component to end of the LIST 
ý 
Add the interconnecting signals connected to the 
selected logic component to the sets. 
Signals from the output/bi-direction ports get 
added to set A. 
Signals from the input/bi-direction ports get 
added to set B. 
ý 
Order the sets ascending based on the number of 
unique logic components they connect to, which 
are not currently in the T. TCT 
ý 
Remove any interconnecting signals form the 
sets that do not connect to any logic components 
that are not currently in the LIST 
From the first interconnecting 
signal in the set, randomly select 
a logic component that the signal 
connects to which is not currently 
contained in the LIST 
II Select a random logic 
component not currently 
contained within the 
LIST 
Figure 44 A graphical representations how logic components are ordered for algorithm 2 
87 
Appendix A: Other Preliminary Work 
The algorithm proceeds to build up the order of logic components. The method of 
selecting the order of logic components is derived from examining the interconnecting 
signals (see Figure 44). Two empty sets (A and B) of interconnecting signals and an 
empty list of logic components are created. As a logic component is added to the end of 
the list (a process initially started by adding the initial logic component that the user has 
selected), the sets of interconnecting signals are updated to include the signals connected 
to the ports of the logic component. If a port is an output or bi-directional port for a logic 
component, then the signal connected will be added to set A. If a port is an input or bi- 
directional port for a logic component, then the signal connected will be added to set B. 
The sets are then ordered by the number of logic components that they interconnect, but 
which are not yet contained within the new list. Any signals that do not connect to at least 
one logic component that is not currently in the new list are removed from the sets. The 
first element in the set A (if there is one), is selected, a logic component not contained 
within the new list that the signal connects to is selected at random and is added to the 
end of the new list (causing this list of process to repeat). If set A is empty, then the 
process is performed for set B. This continues until both sets of interconnecting signals 
are empty. When they are empty, if all of the logic components are not contained within 
the new list, the algorithm selects one of the remaining components at random and adds it 
to the end of the list (causing the list of processes to repeat), otherwise the new list 
contains the order new order of logic components to draw to the screen. 
The algorithm then continues to order the ports and then the interconnecting signals, as 
covered in A. 3.1.1. 
A. 4 Circuit Simulator 
I have integrated a logic simulator with the visualiser (see A. 3), that enables instances of 
the circuit to be run and tested. By providing a waveform for the input ports into the 
circuit as a CSV (Comma Separated Value) file (see Figure 45), the simulator can 
compute the results which are a set of waveforms for the circuit (see Figure 46). 
88 
Appendix A: Other Preliminary Work 
ý 
ij) gle Eck f0ew Insert Pgmat Icols Data 1COrrdow lido 
Ll.. 
--; cl J . 
ý`i 4,3, A ýý- 
iaid 
- 10 -BIU HE BFýý ý% 
Al .¢ IPAO clock 
SQiI 
I 
- 'o. E- 21 At ', "_ . 1i) mox - VA 
I : a8 _8 or or - ý! * - $- a¬J 
I< 
Figure 45 A CSV file (shown in Excel) representing input waveforms to a circuit 
Q -<{ Logic Vlsusdser I-- 
ENO Now Remove Simulation C134 
In One Column . Compact 2: one column - Compact 3t1 One Column -Compact 4: Simu Wbn msplay 
IOCtc. LOgICDFFC III' 
Dch1 d Ir 
occcln IcTFFC 
0 OR 
otcc. LogicDFFC 
Q lC_nuoe5000 -ý nn occc. LO icOFFC 
oO>t_rlccüoqeI cD5001 
_nn 
o FFC 
I ch]. 
LOtlir occc ICTFFC 
Trv1L. 
oCqiCOqnL° actc. TFFC C nn rnoLtllf 
occc. LO Iclmerl 
I ýnotlo5079 
oaaLo icPmd 
Ix notle5080 
ottGLO aProtl 
IrLnode5091 
nnII oece. Lu ICSum IPAD tllr 
oca. Lo iCIPAD 
O ntl Elt 
occc. Iclrnetl 
0t(, Jlooe5079 ýnnn 
occc. LogicPmtl 
I cin7 
occcLO icComb 
I expT O 
qCCC. LU iCCOme 
o1LnoOB60OO 
occc. LOO4OFFC 
1 not c1n7ý1 
i 
--. ý"ý-_dx 
1J-f 
ý 
ý i.. 
o' d' 0 
, ýý uu 
Li 
i 
L-F 
J- 
n 
1 
I 
I 
Figure 46 Output waveform from a simulation 
Due to the fact that a simulator simulates a single instance of the circuit, and does not 
exploring all possible states it can get into, the method of simulation involves transmitting 
values along the interconnecting signals only if they change. When a value gets 
transmitted along a signal, this triggers any logic components connected to it to be 
simulated. The result of a simulated logic component can (if a value has changed) cause a 
transmission along an interconnecting signal resulting in the relevant logic components 
being triggered and simulated. This process helps to minimise the need for computing 
values and segments of the circuit that remain unchanged from one clock cycle to another. 
89 
Appendix A: Other Preliminary Work 
The result of the simulator can be produced in various output formats. Apart from 
producing a CSV file (similar to the file used to specify the input waveforms), a graphical 
representation of the waveforms can be viewed (see Figure 46) or specific signals of the 
simulation can be viewed using the graphical visualiser (see A. 3) with the high/low values 
of signals being depicted as red or black (see Figure 40, Figure 41 and Figure 43). 
90 
Appendix B Logic Component CSP Models 
for Preliminary Work 
This appendix contains the CSP models of the logic components utilised for the 
preliminary work covered in chapter 3. 
B. 1 AND Gates 
B. 1.1 AND Gate with 1-Input 
PROC_ACTIVE_LIB_AND1 (o, i0) a 
let 
I- io? x -> o! x -> I 
within I 
B. 1.2 AND Gate with 2-Inputs 
PROCACTTý LIB_AND2 (o, i0, il) 
lei- 
0 (a, b) 
a1 and b1& oll -> SKIP 
[) 
a== 0 or b== 0& 0l0 -> SKIP 
I= 
i0? x -> il? y -> O(x, Y); I 
[) 
il? y -> i0? x -> O(x, y); I 
within I 
B. 1.3 AND Gate N-Inputs 
AND gates that contain three or more inputs currently are generated by utilising a tree of 
AND gates, an example of a three input AND gate can be seen in Figure 47. 
Appendix B: Logic Component CSP Models for Preliminary Work 
Figure 47: A pictorial example of a three input AND gate 
The CSP for this three input AND gate example is shown below. 
channel chan_active lib_and3 a {0,1} 
channel chan_active_lib_and3_b {0,1} 
PROC_ACTIVE_LIB`AND3(o, i0, ii, i2) - 
let 
hid alpha active_lib and3 - 
(I chan_active_libiand3_a, chan_active_lib_and3 b ýj 
Si - 
PROC__ACTIVE LI8__AND1(chan__active_lib__and3_a, i0) 
S2 - 
PROC`ACTIVB_LIB_AND2(chan__active_lib__and3 b, ii, i2) 
8- 
PROC_ACTIVE_LIB_AND2 (o, 
chan_active lib and3 a, 
than active lib and3 b) 
within 
(S1 ICI S2) (I hid alpha_active lib, and3 11 S 
\ hid alpha_active_libband3 
B. 2 D-Type Flip-Flop 
PROC_ACTIVB_LIB_FDC (d, q, C) 
let 
8 (Y) 
d? x -> qty -> c? l -> 8(x) 
II 
qty -> d? x -> c? 1 -> S(x) 
within S(O) 
B. 3 GND 
PROC__ACTIVE LIB_GND(ground) - 
let 
I- groundl0 -> I 
within I 
s 
92 
Appendix B: Logic Component CSP Models for Preliminary Work 
B. 4 Inverter 
PROC_ACTIVE LIB_INV(i, o) _ 
1et 
I=i? x -> o! (1-x) -> I 
within I 
B. 5 OR Gates 
B. 5.1 OR Gate with 1-Input 
PROC`ACTIVE LIB_OR1 (O, i0) 
let 
I. i0? x -> otx -> I 
within I 
B. 5.2 OR Gate with 2-Inputs 
PROC^ACTIý LIß_OR2(o, i0, il) _ 
let 
O(a, b) 
a == 1 or b==1oll SKIP 
(l 
a0 and b == 0 o! 0 -> SKIP 
I= 
i0? x -> il? y -> O(x, Y); I 
(l 
il? y -> iO? x -> O(x, Y); I 
within I 
B. 5.3 OR Gate with N-Inputs 
OR gates that contain three or more inputs currently are generated by utilising a tree of 
three OR gates in a manner that is similar to that covered in section B. 1.3. An example of 
a three input OR gate can be seen in Figure 48. 
93 
Appendix B: Logic Component CSP Models for Preliminary Work 
3 Input OR Gate 
N OR 
01 
OR 
OR 
Figure 48: A pictorial example of a three input OR gate 
The CSP for a three input OR gate is show below. 
channel chan_active 
_libor3_a 
(0,1} 
channel chan_active_lib__or3_b (0,1) 
PROC_ACTIVE_LIB`OR3(o, i0, il, i2) _ 
let 
hid_alpha_active_lib or3 = 
(I chan_active_lib_or3_a, chan_active_lib_or3_b 
Si = 
PROC_ACTIVE_LIB_ORl (chan_active_lib_or3_a, 10) 
S2 = 
PROC_ACTIVE_LIB_OR2(chan_active_lib_or3_b, ii, i2) 
S= 
PROC_ACTIVE_LIB_OR2 (o, 
than active lib_or3_a, 
than 
_act 
ive_1 ib_or3_b ) 
within 
(S1 ýýý S2) [I hid_alpha_active_lib_or3 1] S 
hid alpha_active lib_or3 
B. 6 VCC 
PROC_ACTIVE_LIB VCC(vcc) 
let 
I- vccli -> I 
within I 
B. 7 XOR Gates 
B. 7.1 XOR Gate with 1-Input 
PROC_ACTIVE_LIB-XOR1(o, i0) 
let 
I= i0? x -> olx -> I 
94 
Appendix B: Logic Component CSP Models for Preliminary Work 
within I 
B. 7.2 XOR Gate with 2-Inputs 
PROC_ACTIVE_LIB_XOR2(o, i0, ii) 
let 
O (a, b) 
a I. b&o! 1 -> SKIP 
[l 
a == b& 010 -> SKIP 
I 
y); I 
y); 
i0? x -> il? y -> O(x, 
[l 
il? y -> io? x -> O(x, 
within I 
S 
I 
95 
Appendix C Logic Component CSP Models 
for Main Work 
The CSP models covered in this appendix are used to create the automatically generated 
CSP representation of the logic net list used in the proof covered in chapter 4. The 
processes defined here are instantiated (as shown in Figure 17 page 8 and Figure 19 page 
8) and then run in parallel, thus mimicking the generated logic circuits with a one-to-one 
mapping. 
C. 1 Developing the Models 
As stated in section 3.4, the reasons for adapting the models used in the work described in 
chapter 3, is covered in section 4.4.2. This section will provide an example of how several 
of the key points affect the design and construction of the models. 
channel dff_out, dff_in (0,1 
channel clock 
DFF(state) - 
dff outlstate -> dff in? next -> clock -> DFF (next) 
[] __ 
dff in? next -> dff outlstate -> clock -> DFF (next) 
DFLIPFLOP m DFF (0) 
Figure 49: CSP Definition eta D-Type Flip-Flop from [Peel & Wong, 2004) 
Figure 49 is a description of a d-type flip-flop, as defined in [Peel & Wong, 2004]. Figure 
50 is the same model, packaged such that the supplied arguments are the channels that the 
process utilises. This packaging is also utilised in the models that are defined in this 
appendix, the following examples will demonstrate how the defined models may be 
constructed through incremental changes. 
PROC_ACTIVB_LIB_FDC (d, q, c) _ 
1et 
S (Y) ' 
d? x -> q! y -> c? l -> S(x) 
[] 
q! y -> d? x -> c? 1 -> S(x) 
within S(0) 
Figure 30: CSP Definition of a D-Type Flip-Flop from Appendix B, used In Chapter 3 
Appendix C: Logic Component CSP Models for Main Work 
With the definition of the flip-flop covered in Figure 50 not being able to function 
properly if the channels supplied for its input and output (d and q) are the same (e. g. the 
flip-flop is connected to itself, or after the reset is added to the model, the same channel is 
fed to both the reset and the d input). To fix this, there must be multiple internal processes 
running in alphabetised parallel, enabling them to syncronise if they share common 
events, but run interleaved when they do not. To achieve this correctly, an extra channels 
must be introduced, thus enabling the processes to interact and communicate. The extra 
events introduced are not and should not be identifiable outside the process representing 
the flip-flop, thus the newly introduced events are hidden. The let-within block enables 
the processes to be clustered logically together, as they represent newly created sub- 
processes of the flipflop, but as the let-within blocks within FDR2 will not allow one to 
define channels inside them, the introduced channels must be declared globally. These 
modifications can be seen in Figure 51. 
channel internal_atate 0,1 
PROC__ACTIVE_LIB_FDC (d, q, c) 
let 
-- Run the Internal processes In parallel 
FDC = 
FDC_D 
[ (I d, c, internal_state q, c, internal_state 
FDC_Q(0) 
\ {I internal state 
-- Process the Input 
FDC D=d? x -> c? 1 -> internal_atatelx -> FDC_D 
-- Process the output 
FDC_Q(x) = qlx -> c? l -> internal_state? y -> FDC Q(y) 
within FDC 
11 1 
Figure 51: A Modified CSP Definition of a D-Type Flip-Flop - Version 1 
As the newly introduced events that enable the internal processes to communicate are 
being hidden, furthermore, adding an extra input for the reset functionality produces a 
model that behaves as that described in section C. 3. 
Although the models covered in this appendix were initially based on those defined in 
[Peel & Wong, 20041, they were not infect developed through incremental changes (as 
described above). The models were developed in a holistic manner, taking into 
consideration all the factors and concerns identified through an examination of the initial 
model, and then recreating the models in a single step to solve, tackle and deal with them. 
97 
Appendix C: Logic Component CSP Models for Main Work 
C. 2 AND 
-- Declaration of a channel used internally by the COD Specification FDR will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal_state : {0,1} 
-- Instantiations of an AND MTN calls this process and provides channels used 
-- for its inputs and outputs as arguments. 'out' is a single channel to output 
-- to. ýia liat, IN a lilt of chaaaal" 
AND_GATE(out, in-list) 
let 
-- Check if thim AMID gate ham 
A= 
length(in_liet) 
11 
ss 0 &B 
to input from. 
any inputs. 
length(in_liet) !-0 
-- Specification of an 
B out !0 -> B 
-- Chock if the output 
-- specification if it 
C- 
&C 
AND gat* with no inputs, it bahavas as GND. 
of the AND gate feeds one of the Inputs, deadlock the 
does. 
inter( {out}, set(in list) 
(l 
inter( {out}, set(in list) 
-- AMW gate epaaifioation. 
D 
let 
f __ {out} & STOP 
{} &D 
-- Manage the inputs of the gate. 
DA - 
let 
-- 1& DAA(head(x)) 
length (x) >1& 
DAA(head(x)) 
[ union( 
inter( {head(x)}, 
{1 out j} I] 
DAB(tail(x)) 
DAS (x) " 
length(x) 
11 
-- Run the inputs for all the input pins in parallel. 
DAA (x) . 
x? y -> internal-stately 
-- 'x' beoomea the input channel to manag.. 
Inputting process managing a single pin. 
within DAB(in_list) 
-- Manage the output of the gate. 
DB 
let 
DBA 
internal_atate? l -> DBC 
[] 
internal state? O -> DBB 
DBB -- 
out I0 -> DBA 
II 
internal-state? 
- -> 
DBB 
DBC 
out I1 -> DBA 
[] 
internal_state? l -> DBC 
II 
internal state? 0 -> DBB 
within DBA 
-> out? -> DAA(x) 
set(tail(x)) ), 
98 
Appendix C: Logic Component CSP Models for Main Work 
-- Connect the inputs and outputs together. 
DC = 
-- The ordering that the *Internal _state, events occur 
does not 
-- matter, to long as they all occur. This is guaranteed by the 
-- structure of the internal processes running in parallel. 
( DA 
[I {I internal_state, out 
DB 
\ (( internal_state 
within DC 
within A 
C. 3 D-Type Flip-Flop 
-- Declaration of a channel used Internally by the CSP Specification FDR will 
not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal state : (0,1) 
channel internal reset_state : (0,1) 
-- Instantiations of aD Typs FLIP FLOP calls this process and provides channels 
-- used for its inputs and outputs as arguments. 'q_out, is a single channel to 
-- output to. 'd in' and 'reset' are single channels to input from. 'clock' is 
an event representing a low-to-high clock transition. 
D 
-TYPE 
FLIP PLOP(clock, reset, d_in, q_out) 
let 
-- Connect the inputs and outputs together. 
A= 
-- The ordering that the 'internal-state' and 'internal reset state' 
-- events occur does not matter, so long as it occurs. This 
is guaranteed 
-- by the structure of the internal processes running in parallel. The 
initial default output value for this object is '0', hence `C(0)'. 
(B 
() union( {) clock, 
internal state, 
internal reset state 
III 
inter( [I clout J}, {J din, reset ý} ) 
II 
C(0) 
\ {I internal-state, internal-reset-state 
Manage the Inputs of the gate. 
B 
let 
-- Run the Inputs in parallel. 
BA 
BB 
[I union( ( clock 1}, inter( {) d_in ý}, {l reset J}) ) ý) 
BC 
-- Reset Input 
BB - reset ?z -> internal_reset_state Iz -> clock -> BB 
--D Input 
BC - d_in ?z -> internal_ state !z -> clock -> BC 
within BA 
-- Manage the output of the gate. %x' is the current state to output. 
C (x) 
q_out Ix -> 
internal-reset-state ?1 -> internal state ?_ -> clock -> C(O) 
[I 
internal_reset_state ?0 -> internal state ?z -> clock -> C(z) 
within A 
99 
Appendix C: Logic Component CSP Models for Main Work 
C. 4 GND 
-- Xnstantiations of a OW calls this process and provides the output channel 
-- for its output as an argument. out, is a single channel to output to. 
GND(out) = out 10 -> GND(out) 
C. 5 Inverter (NOT) 
-- Instantiations of an Inverter (IY0T G1Ta) calls this process and provides 
-- channels used for its input and output as arguments. out, is a single 
-- channel to output to. 'in' is a single channel to input fron. 
NOT GATE(out, in) - 
let 
-- Check if the output of the NOT gate feeds the input, deadlock the 
-- specification if it does. 
A- 
out -- in & STOP 
11 
out I. in &B 
-- NOT gate specification. 
B- in ?z -> out I (1-z) -> B 
within A 
C. 6 NAND 
-- Declaration of a channel used internally by the CSP specification PDR will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal state : (0,1) 
-- Instantiations of an NAHD G/&TE calls this process and provides channels used 
-- for its inputs and outputs as arguments. 'out' is a single channel to output 
-- to. 'in list' is a list of channels to input from. 
NAND_GATS(out, in-list) - 
let 
-- Check if this NAND gate has any inputs. 
A- 
length(inlist) -- 0&B 
(7 
length(in list) 1- 0&C 
-- Specification of a JMW gate with no inputs, it behaves as VCC. 
B Out 11 -> B 
-- Check if the output of the JUMV gate feeds one of the inputs, deadlock 
-- the specification if it does. 
c- 
inter( {out}, aet(in_liat) 
[1 
inter( {out}, aet(in_list) 
-- NAND pate apecL Haation. 
D= 
let 
{out} & STOP 
{j &D 
-- Manage the inputs of the gate. 
DA - 
let 
-- Inputting process managing a single pia. 
-- `x' becomes the input channel to manage. 
DAA(x) - 
x? y -> internal stately -> out? -> DAA(x) 
-- Run the inputs for all the input pins in parallel. 
DAB (x) - 
length(x) -- 1& DAA(head(x)) 
100 
Appendix C: Logic Component CSP Models for Main Work 
[] 
length(x) >1& 
DAA(head(x)) 
( union( 
inter( {head(x)j, set(tail(x)) 
out 
DAB(tail (x)) 
} 
within DAB(in_list) 
-- manage the output of the gate. 
DB 
let 
DBA = 
internal_state? 1 -> DEC [] 
internal state? O -> DBB 
DBB -- 
out !1 -> DBA [] 
internal_state? 
_ -> 
DBB 
DBC 
out !0 -> DEA 
[l 
internal_state? l -> DBC [l 
internal state? O DBB 
within DBA 
-- Connect the Inputs and outputs together. 
DC = 
-- The ordering that the finternaI_state# events occur does not 
-- matter, so long as they all occur. This Is guaranteed by the 
-- structure of the internal processes running in parallel. 
( DA 
[I (I internal_state, out I} ý] 
DB 
\ (I internal-state 
within DC 
within A 
C. 7 NOR 
-- Declaration of a channel used internally by the CSP specification FDR will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal_state : {0,1} 
-- Instantiations of an NOR GATE calls this process and provides channels used 
-- for its inputs and outputs as arguments. out, is a single channel to output 
-- to. 'in list' is a list of channels to input from. 
NOR GATE(out, in-list) - 
let 
-- Check if this NOR gate has any inputs. 
A= 
length(in list) -- 0&B 
[] 
length(in_list) !-0&C 
-- Specification of an NOR gate with no inputs, it behaves as GRID. 
B- out !0 -> B 
-- Check if the output of the NOR gate feeds one of the inputs, deadlock the 
-- specification if it does. 
C= 
inter( {out}, set(in list) ) {out} & STOP 
[] 
inter( {out}, set(in_list) ) -- {} &D 
101 
Appendix C: Logic Component CSP Models for Main Work 
-- NOR gate specification. 
Da 
let 
-- Manage the inputs of the gate. 
DA 
let 
-- Inputting process managing a single pin. 
-- `x' becomes the input channel to manage. 
DAA (x) 
x? y -> internal_etate! y -> out? _ -> 
DAA(x) 
-- Run the inputs for all the input pins in parallel. 
DAB(x) 
length(x) _. 1& DAA(head(x)) 
II 
length(x) >1& 
DAA (head (x) ) 
[J union( 
inter( {head(x)}, set(tail(x)) 
out 
I] 
DAB(taillx)) 
within DAB(in_liat) 
-- Madge the output of the gate. 
DB 
let 
DBA 
internal_state? 1 -> DBB 
[] 
internal state? O -> DBC 
DBB = 
out !0 -> DBA 
[] 
internal state? 
_ -> 
DBB 
DBC = 
out !1 -> DBA 
[] 
internal_state? 1 -> DBB 
[] 
internal_state? O -> DBC 
within DBA 
-- Connect the inputs and outputs together. 
DC i 
-- The ordering that the 'Internal state, events occur does not 
-- natter, so long as they all occur. This is guaranteed 
by the 
structure of the internal processes running in parallel- 
( DA 
[I fI internal-state, out DB 
\ {I internal-state 
within DC 
within A 
C. 8 OR 
-- Declaration of a channel used internally by the CSP specification DAR will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal state : (0,1) 
-- Instantiations of an OR GAra calls this process and provides channels used 
-- for its inputs and outputs as arguments. 'out' is a single channel to output 
-- to. 'In list' is a list of channels to input from. 
OR_GATE(out, in-list) 
let 
102 
Appendix C: Logic Component CSP Models for Main Work 
-- Check if this OR gate has any inputs. 
A- 
length(in_ list) -- 0&B 
[] 
length(in list) l= 0&C 
-- Specification of an OR gate with no inputs, it behaves as 0111D. 
out t0 -> B 
Check if the output of the OR gate f. ede one of the inputs, deadlock the 
-- specification if it does. 
C- 
inter( {out}, set(in_list) ) {out} & STOP 
[] 
inter( (out}, set(in list) ) {} &D 
-- OR gate specification. 
D= 
let 
-- Manage the inputs of the gate. 
DA = 
let 
-- Inputting process managing a single pin. 
-- 'x' becomes the input channel to manage. 
DAA(x) - 
x? y -> internal stately -> out? _ -> 
DAA(x) 
-- Run the inputs for all the input pins in parallel. 
DAB (x) _ 
length(x) -- 1& DAA(head(x)) 
II 
length(x) >i& 
( DAA(head(x)) 
union( 
inter( {head(x)}, aet(tail(x)) 
out I} I] 
DAB (tail W 
within DAS(in_list) 
-- llfanage the output of the gate. 
DB - 
let 
DBA - 
internal_state? 1 -> DBB 
[] 
internal_state? 0 -> DBC 
DBB - 
out l1 -> DBA 
[] 
internal_state? 
_ -> 
DBB 
DBC - 
out l0 -> DBA 
[] 
internal_state? 1 -> DBB 
[] 
internal_atate? 0 -> DBC 
within DBA 
-- Connect the inputs and outputs together. 
DC - 
-- The ordering that the 'Internal _state, events 
occur does not 
-- matter, to long as they all occur. This is guaranteed by the 
-- structure of the internal processes running in Parallel- 
( DA 
[I {I internal state, out I} I] 
DB 
\ {I internal_etate I} 
within DC 
within A 
103 
Appendix C. Logic Component CSP Models for Main Work 
C. 9 T-Type Flip-Flop 
-- Declaration of a channel used internally by the CSP specification PDR will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal state : (0,11 
channel internal_reaet_atate : (0,1} 
-- Instantiations of ar TYPI FLIP FLOP calls this process and provides channels 
-- used for its inputs and outputs as arguments. 'a_ out, is a single channel to 
-- output to. It in' and 'reset, are single channels to Input from. `clock' is 
-- an event representing a low-to-high clock transition. 
T TYPE_FLIP_FLOP(clock, reset, t_in, clout) 
let 
-- Connect the inputs and outputs together. 
A 
-- The ordering that the 'internal state' and 'internal_resetstate' 
-- events occur does not matter, to long as it occurs. This 
is guaranteed 
-- by the structure of the internal processes running in parallel. The 
-- initial default output value for this object is '0', hence 'C(O)'. 
(B 
[) union( {I clock, 
internal state, 
internal-reset-state 
inter( {I clout I}, {) t_in, reset I} ) 
I) 
c(0) 
\ {I internal state, internal reset state 
-- xanage the input. of the gate. 
B" 
let 
-- Run the Input. In parallel. 
BA - 
( BB 
i} 
(I union( {j clock}, inter( {I din I}. {1 reset }) ) j] 
BC 
-- Reset Input 
BB - reset ?z -> internal-reset-state !z -> clock -> BB 
-- T input 
BC t_in ?z -> internal_ state !z -> clock -> BC 
within BA 
-- Manage the output of the gets. 'x" is the current state to output. 
C(x) - 
q_out !x -> 
internal_reset_state ?1 -> internal_state ?_ -> clock -> C(O) 
[l 
internal-reset-state ?0 -> 
internal_state ?1 -> clock -> C(1-x) 
(] 
internal-state ?0 -> clock -> C(x) 
within A 
C. 10 vcc 
-- Znstantiationa of a VCC calls thin process and provides 
the output channel 
-- for its output as an argument. out, is a single chann01 
to output to. 
VCC(out) - out 11 -> VCC(out) 
104 
Appendix C: Logic Component CSP Models for Main Work 
C. 11 XOR 
-- Declaration of a channel used internally by the CSP specification PDR will 
-- not allow you to declare channels inside a let-within block, all channels 
-- must be globally defined. 
channel internal-state : {0,11 
-- Instantiations of an ZOR OATI calls this process and provides channels used 
-- for its inputs and outputs as arguments. out, is a single channel to output 
-- to. 'in list' is a list of channels to input from. 
XOR_GATE(out, in-list) - 
let 
-- Check if this XOR gate has any inputs. 
A- 
length(inlist) _= 0&B 
[1 
length(in list) l- 0&C 
-- Specification of an XOR gate with no inputs, it behaves as ORD. 
B= out 10 -> B 
-- Check if the output of the YOR gate feeds one of the inputs, deadlock the 
-- specification if it does. 
C= 
inter( {out}, set(in_liat) ) {out} & STOP 
11 
inter( {out}, set(in_list) ) __ {} &D 
-- XOR gate specification. 
D- 
let 
-- Manage the inputs of the gate. 
DA - 
let 
-- Inputting process managing a single pin. 
-" 's' becomes the input channel to manage. 
DAA (x) - 
x? y -> internal-stately -> out? _ -> 
DAA(x) 
-- Run the inputs for all the input pins in parallel. 
DAB(x) - 
length(x) -- 1& DAA(head(x)) 
[1 
length(x) >1& 
DAA(head(x)) 
[I union( 
inter( (head(x)}, set(tail(x)) 
out I} 
)i1 
DAB(tail(x)) 
within DAB(in_list) 
-- Manage the output of the gate. 
DB - 
let 
DBA - 
out !0 -> DBA 
C] 
internal_atate? 1 -> DBC 
C] 
internal state? 0 -> DBA 
DBB = 
out !0 -> DBA 
C] 
internal-state? 
- 
DBB 
DBC - 
out I1 -> DBA 
C] 
internal_atate? 1 -> DBB 
C] 
105 
Appendix C: Logic Component CSP Models for Main Work 
internal_etate? O -> DBC 
within DBA 
-- Connect the inputs and outputs together. 
DC 
-- The ordering that the 'Internal _state' 
events occur does not 
-- matter, so long as they all occur. We is guaranteed by the 
-- structure of the internal processes running in parallel. 
( DA 
[I fl internal_state, out I} I] 
DB 
\ (I internal state 
within DC 
within A 
106 
Appendix D Single Type Component 
Generic Specification Model Example 
This appendix explains the CSP models required for a generic super-type component, 
along with the assertions that need to be checked to link the models to each other (see 
Figure 52). The models covered in this appendix describe in various levels of abstraction, 
the behaviours that an implementable OCCAM component (which is a sub type of this 
generic type) has to conform within (as covered in chapter 4), along with specifications 
dictating the correct driving behaviours that a sub component may have to deal with. 
Appendix D: Single Type Component Generic Specification Model Example 
1 -ºI Process for annotating outer level (D. 1.5) 
OCCAM Supertype Model with 
annotations hidden 
N-----ý 
Equivalence (D. 2.12) 
Correct Hardware 
Specification (D. 1.1) 
Deadlock Check (DI. 1) 
Refinement (D. 2.2) 
Hardware specification 
deadlocks after incorrect 
input (D. 1.2) 
ýi 
ý 
le 
0 
it Equivalence 
(D. 2.5) 
Refinement 
2.3) 
Annotated model 
(D. 1.1 lID. 1.5) 
hardware 
I Signals hidden 
Annotated 
model with 
Equivalence 
ß(D. 2.12) 
Hardware specification deadlocks 
after incorrect input, with inputs 
limited (D. 1.211D. 1.3) 
N-1 
J 
rI 
Process to limit correct 
inputs (D. 1.3) 
r 
Annotated low level 
behaviour with inputs 
t; n fM m1 AM 1 zi 
Deadlock Check (D. 2.4) 
ý 
Deadlock Check (D. 2.8) 
Refinement (D. 2.7) 
Annotated low level behaviour, 
deadlocks after incorrect input 
(D. 1.4) 
r 10 Clock cycle generic annotation 
specification (D. 1.6) d 
ý 
\1 
Hardware 
specification 
with inputs 
limited 
(D. 1.111D. 1.3) 
Annotated low 
level behaviour 
with annotations 
hidden 
r--ýI 
4 
t ock Check (D. 2.10) 
N 
N--, 
Trace Equivelance (D. 2.11) 
Software component generic FHiding subset of annotations relating to clock 
specificaiton (D. 4.1.1) cycle aspects, it behaves similarly to expected 
model (D. 4.1.2) 
Figure 52: Overview of the relationship between the numerous models of an OCCAM supertype 
Annotated low level 
behaviour with low 
level behaviour hidden 
Behaviour similar 
to expected model 
(D. 2.13) 
J 
Equivalence 
(D. 2.6) 
108 
Appendix D: Single Type Component Generic Specification Model Example 
D. 1 Models & Specifications 
The `internalChoice' event that may appear within the code examples has been utilised 
instead of internal choice (i. e. `I- 1') to enable `chase' compression to be applied if 
desired. The `internalChoice' event must be hidden for the specifications to be valid, but 
if `chase' compression has been chosen, the event should only be hidden after `chase' has 
been applied, otherwise the specification becomes invalid. 
D. 1.1 GenSpec 1: Valid Low Level Behaviour 
This model specifies all the valid and allowable low level behaviour of this type of super 
type component. The purpose is to describe the interface boundary behaviours, thus 
enabling implemented components to refinement check against it proving their 
behaviours are within the requirements for it to be a sub-type of this super-type. 
PROC_PROCESS_DESIRED_GENERIC_SPEC(clock, reset, start, finish) 
let 
A 
start? x -> reset? y -> C(x, y) 
[1 
reset? y -> start? x -> C(x, y) 
B 
start? O -> reset? y -> D( y) 
[1 
reset? y -> start? O -> D(y) 
C(x, y) 
y1& clock? l -> finishlO -> A 
[] 
y as 0& 
x == 0& clock? 1 -> finishl0 -> A 
[] 
x1& clock? 1 -> 
internalChoice -> finishll -> A 
[] -- I-1 internalChoice -> finishlO -> B 
D (Y) 
y1& clock? 1 -> finiahl0 -> A 
[] 
y == 0& clock? 1 
internalChoice -> finiahll -> A 
t] -- I-I internalChoice -> finiahl0 -> B 
within finiahl0 -> A 
Figure 53: Low Level Generic Control Flow Specification 
This specification (see Figure 53) will only accept correct input driving signals, and will 
return valid output result signals. Internal choice is utilised to enable it to specify all the 
possible valid refinements. 
109 
Appendix D: Single Type Component Generic Specification Model Example 
D. 1.2 GenSpec 2: Low Level Behaviour with Explicit Deadlocking 
This CSP model (see Figure 54) is based on the one covered in section D. 1.1, but with the 
altered fact that it also accepts invalid driving input signals to be submitted to it. These 
invalid input driving signals are followed by an explicitly defined `STOP', that will 
explicitly deadlock the model should it ever be reached. Similar to the specification in 
section D. 1.1, the returned output signals will be all possible valid permutations allowed 
(internal choice is utilised to create those permutations, so long as it is driven correctly). 
The reason why this model will accept invalid driving signals is to enable the model of 
any component connected to it the opportunity to provide any driving signals it may 
choose, this process will not limit or remove the possibility for the other component 
models to provide invalid signals to this one as an option when they are run in 
alphabetised parallel. The purpose of this is to enable possibility to check that if this 
specification is used as an internal component, so long as the outer component is driven 
correctly, this component will be driven correctly. 
110 
Appendix D: Single Type Component Generic Specification Model Example 
PROC_PROCESS_GENERIC SPEC (clock, 
let 
A 
start? x -> reset? y -> C(x, (] 
reset? y -> start? x -> C(x, 
B 
start? 1 -> STOP 
reset, start, finish) 
Y) 
Y) 
[] 
start? O -> reset? y -> D( y) [] 
reset? y -> 
start? O -> D(y) 
[] 
start? 1 -> STOP 
C(x, y) _ 
y -- 1& clock? 1 -> finishlO -> A 
H 
Y0& 
x0& clock? 1 -> finiehl0 -> A 
[I 
x1& clock? 1 -> 
internalChoice -> finiahll -> A 
[I--i-1 internalChoice -> finiahl0 -> B 
D(y) _ 
y1& clock? 1 -> finishlO -> A [I 
y == 0& clock? 1 -> 
internalChoice -> finishll -> A 
[I -- I-I internalChoice -> finishl0 -> B 
within finishlO -> A 
Figure 54: Low Level Generic Control Flow Specification with Explicit Deadlocking 
D. 1.3 GenSpec 3: Correct Component Driving 
This CSP model is used to limit a process so that it can only accept possible valid input 
signals, this is to enable implemented sub-type components to have the outer layer of their 
logic correctly driven when performing the checks and proofs. The aim for this is to 
check an implemented component holds true to the assumption that so long as it is driven 
correctly, it will correctly drive any internal components. 
111 
Appendix D: Single Type Component Generic Specification Model Example 
PROC PROCESS_CONTROLL(clock, reset, start, finish) 
let 
A= 
start? x -> reset? y -> D(x, y) (] 
reset? y -> start? x -> D(x, y) 
B= 
start? O -> reset? y -> E(y) [] 
reset? y -> start? O -> E(y) 
C= 
clock? 1 -> 
finish! O -> B (l 
finishil -> A 
D (x, y) . 
y1& clock? 1 -> finishl0 -> A [) 
y == 0& 
x -- 0& clock? 1 -> finish10 -> A 
11 
X =ý 1&C 
E(Y) _ 
y == 1& clock? l -> finishlO -> A (] 
y== 0&C 
within finishlO -> A 
Figure 55: Generic Control Flow Specification - Correct Driving Limiter 
D. 1.4 GenSpec 4: Annotated Low Level Behaviour with Explicit 
Deadlocking 
This CSP model is the one covered in section D. 1.2, but with extra events added to 
describe conceptually what is occurring. The aim of this is to enable a link between a low 
level hardware model and a higher level conceptual meaning of the function the hardware 
is performing. The added `id' parameter added to the process is to provide a method to 
distinguish between different instances of this process. The annotation events depicting 
the states that are entered into from how this component is driven can only be specified 
after the event has occurred, where as the output signals are controlled by this component 
and so the corresponding annotation events can be performed before outputting the 
signals. The reason why renaming can not be used to obtain a higher level conceptual 
model of what is occurring, thus the required use of extra events depicting the 
annotations, is because the same signal states can mean different things depending on the 
state of the system (e. g. a start signal high state `start? 1' can mean that this component 
has been triggered, or that this component is being driven incorrectly and an error has 
occurred). 
112 
Appendix D: Single Type Component Generic Specification Model Example 
channel chan_contro11F1owAnnotatedSpec 1,21. {O, i 
PROC_PROCESS ANNOTATED_SPEC(clock, reset, start, finish, id) _ 
let 
A 
start? x -> reset? y -> C(x, y) (] 
reset? y -> start? x -> C(x, y) 
Ba 
start? l -> annotation. ERROR. id -> STOP 
(] 
start? O -> reset? y -> D(y) 
[] 
reset? y -> 
start? O -> D(y) 
[] 
start? l -> annotation. ERROR. id -> STOP 
C(x, y) 
y -- 1& annotation. RESET. id -> clock? l -> finiahl0 -> A 
Il 
Y == 0& 
(x 
[] 
0& annotation. IDLE. id -> clock? 1 -> finishlO -> A 
x1& annotation. START. id -> clock? 1 -> 
internalchoice -> annotation. FINISH. id -> finishll -> A 
[l -- J-J internalchoice -> annotation. NOTFINISHED. id -> finishl0 -> B 
) 
D(y) = 
Y== 1 & annotation. RESET. id -> clock? 1 -> finiah! O -> A 
[] 
y =c 0& clock? 1 -> 
internalChoice -> annotation. FINISH. id -> finiahll -> A 
[] -- 1-1 internalChoice -> annotation. NOTFINISHED. id -> finiahl0 -> B 
within finishl0 -> A 
Figure 56: Annotated Generic Control Flow Specification with Explicit Deadlocking 
D. 1.5 GenSpec 5: Annotating the Outer Layer 
This CSP model is used to annotate the outer layer of an implemented sub-type of this 
component. The process allows correct input and output signals to be able to annotate and 
describe that an error has occurred. No internal choice is used, as this should not restrict 
or control a process, but only annotate what is occurring. 
113 
Appendix D: Single Type Component Generic Specification Model Example 
PROC PROCESS ANNOTATE OOTER(clock, reset, start, finish) 
let 
A= 
start? x -> reset? y -> C(x, y) 
[l 
reset? y -> start? x -> C(x, y) 
B= 
start? 1 -> annotation. ERROR. O -> STOP (] 
start? O -> reset? y -> D(y) [] 
reset? y -> 
start? O -> D(y) 
[] 
start? 1 -> annotation. ERROR. O -> STOP 
C(x, y) 
y == 1& annotation. RESET. O -> clock? l -> 
finishlO -> A 
[] 
finishli -> annotation. ERROR. O -> STOP 
[) 
Y== 0& 
x0& annotation. IDLE. O -> clock? l -> 
( finiah! 0 -> A 
[l 
finiahll -> annotation. ERROR. O -> STOP 
[] 
x1& annotation. START. O -> clock7l -> 
finiehll -> annotation. FINISH. O -> A 
(] 
finiahl0 -> annotation. NOTFINISHED. O -> B 
D(y) 
y1& annotation. RESET. O -> clock? 1 -> 
finishl0 -> A 
[l 
finishll -> annotation. ERROR. O -> STOP 
[] 
y == 0& clock? 1 -> 
finiahll -> annotation. FINISH. O -> A 
[] 
finishlO -> annotation. NOTFINISHED. 0 -> B 
within finish! O -> A 
Figure 57: Generic Control Flow Annotate Outer Layer 
D. 1.6 GenSpec 6: Clock Cycle Higher Generic Specification 
This CSP model is an annotation only clock cycle based higher conceptual specification. 
It is used as a comparison for the extracted annotations from the annotated low level 
hardware models. The model is sufficiently small so that it is unlikely that `chase' 
compression should be needed to be applied, which is why internal choice (i. e. 'I -I ') is 
used instead of using an extra event to simulate internal choice. 
114 
Appendix D: Single Type Component Generic Specification Model Example 
PROC_PROCESS HIGHER OüTER SPEC(id) 
let 
A 
annotation. RESET. id -> A [l 
annotation. START. id -> B [] 
annotation. IDLE. id -> A $a 
annotation. NOTFINISHED. id -> C 
i-i annotation. FINISH. id -> A 
c. 
annotation. RESET. id -> A 
[7 
annotation. NOTFINISHED. id -> C 
1~i 
annotation. FINISH. id -> A 
within A 
Figure 58: Generic Control Flow Annotation Specification 
D. 2 Assertions: Linking the Models Together 
To ensure consistency between all the models for a generic component, several assertions 
have to be proven. The consistency between the models is required because the proof of 
an implemented component can utilise several of these specifications. 
D. 2.1 GenSpec Assertion 1: Initial Deadlock Check 
This initial deadlock-free check (see Figure 59) of GenSpec I( see section D. 1.1) is to 
provide a base comparison for future deadlock-free checking and trace refinement. 
-- ahaaaal d. alarations 
channel internalChoice 
channel chan0 : (1} 
channel chant, chant, chan3 : (0, i} 
-- Create an instance of the model to check 
-- The alpha PROC4 contains the low level channels used by this instance 
alpha 
_PROC4 - 
{I chanO, chant, chant, chan3 (} 
PROC4 - PROC_PROCESS_DESIRED_GENERIC SPEC(chan0, chant, chant, chan3) 
-- Hide the internalChoice event to ensure that PROC4 has internal choice 
-- performing correctly if needed. 
GEN_SPEC1 -( PROC4 \ {internalChoice} 
-- Dadlock-free check the expected correct generic ca onent 
assert GEN SPEC1 : [deadlock free [F]7 
Figure 59: Example of GenSpec Assertion 1 for Controll Flow Process 
115 
Appendix D: Single Type Component Generic Specification Model Example 
D. 2.2 GenSpec Assertion 2: GenSpec 2 Contains GenSpec 1 Behaviour 
This assertion (see Figure 60) demonstrates that GenSpec 2 (see section D. 1.2) contains 
all the behaviour dictated by GenSpec 1 (see section D. I. 1), although this assertion allows 
GenSpec 2 to provide extra behaviours. 
-- channel declarations 
channel internalChoice 
channel chan0 : {1} 
channel chani, chant, chan3 : {0,1} 
-- Create an instance of the models to check 
-- The alpha PROC contains the low level channels used by the processes 
alpha_PROC3 - {I chan0, chant, chant, chan3 1} PROC3 = PROC_PROCESS_GENERIC SPEC(chanO, chant, chant, chan3) 
alpha_PROC4 - {I chanO, chanl, chan2, chan3 11 
PROC4 = PROC_PROCESS_DESIRED_GENERIC_SPEC(chanO, chant, chan2, chan3) 
-- Side the internalChoice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN SPEC1 =( PROC4 \ {internalChoice} ) 
GEN SPEC2 =( PROC3 \ {internalchoice} ) 
-- Check GenSpec 2 contalne the behaviour of GenBpec 1 
assert GEN_SPEC2 [T- GEN_SPEC1 
Figure 60: Example of GenSpec Assertion 2 for Control Flow Process 
D. 2.3 GenSpec Assertion 3: GenSpec 3 Compatible with GenSpec 2 
This assertion (see Figure 61) demonstrates that the GenSpec 3 controlling specification 
(see section D. 1.3) does not introduce any new behaviour to the specifications it is being 
run in parallel with. This still leaves the possibility of it limiting the events that can occur, 
but does not guarantee any properties regarding this. 
116 
Appendix D: Single Type Component Generic Specification Model Example 
-- channel declarations 
channel internalChoice 
channel chanO : {1} 
channel chant, chant, chan3 : {0,1} 
-- Create an instance of the models to aback 
rho alpha PROC contains the low level channels used by the processes 
alpha PROC2 - (I chanO, chanl, chant, chan3 1) 
PROC2 - PROC_PROCESS_CONTROLL(chan0, chant, chan2, chan3) 
alpha_PROC3 - {I chan0, chanl, chan2, chan3 1} 
PROC3 - PROC_PROCESS_GENERIC_SPEC(chan0, chant, chan2, chan3) 
-- Hide the internalChoice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN SPECS - PROC2 
GEN_SPEC2 -( PROC3 \ {internalChoice} 
-- GenSpec2 limited by the control . pacification G*nSpe03 
GEN SPEC2_WITH_CONTROLL - GEN SPEC2 [I alpha_PROC2 11 GEN_SPEC3 
-- Check Genspec2 contains the behaviour of Genspec2 limited by GenSpeo3 
assert GEN SPEC2 [T= GEN SPEC2 WITH CONTROLL 
Flare 61: Example of GenSpec Assertion 3 for Control Flow Process 
D. 2.4 GenSpec Assertion 4: GenSpec 3 Removes Deadlock from GenSpec 2 
This assertion (see Figure 62) demonstrates that GenSpec 3 (see section D. 1.3) removes 
the possibility of driving the component it is run in parallel with, incorrectly. This does 
not dictate that GenSpec 3 does not remove a correctly driving option. 
-- channel declarations 
channel internalChoice 
channel chanO : {1) 
channel chani, chan2, chan3 : {0,1} 
-- Create an instance of the models to check 
-- The alpha PROC contains the tow level channels used by the processes 
alpha_PROC2 = (I chan0, chanl, chan2, chan3 f) 
PROC2 - PROC_PROCESS_CONTROLL(chan0, chanl, chant, chan3) 
alpha PROC3 - {I chan0, chant, chant, chan3 1} 
PROC3 - PROC_PROCESS_GENERIC_SPEC(chan0, chant, chan2, chan3) 
-- Side the internalChoice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN_SPEC3 - PROC2 
GEN_SPEC2 -( PROC3 \ {internalChoice} 
-- Ganspecl limited by the control apeoification Ganspec3 
GEN SPEC2_WITH_CONTROLL s GEN SPEC2 [j alpha_PROC2 j] GEN SPEC3 
-- Check that Genspec3 removes the incorrect driving options from Genspecl 
assert GEN SPEC2 WITH CONTROLL : (deadlock free (F]] 
Figure 62: Example of GenSpec Assertion 4 for Control Flow Process 
117 
Appendix D: Single Type Component Generic Specification Model Example 
D. 2.5 GenSpec Assertions 5: GenSpec 3 Removes Only Incorrect Driving 
These assertions (see Figure 63) demonstrate that GenSpec 3 limits the process it is run in 
parallel with, such that it only allows correct driving signals. These assertions also 
demonstrates that GenSpec 3 does not introduce any extra behaviours and does not 
remove any correct driving options, it is achieved through proving that GenSpec 3 run in 
parallel with GenSpec 2 is indistinguishable to GenSpec 1. 
-- abann. l d alaration" 
channel internalChoice 
channel chan0 : {1} 
channel chant : {O, 1} 
channel chan2 : {0,11 
channel chan3 : (0,1} 
-- Create an instance of the models to check 
-- The alpha_PROC contains the low level channels used by the processes 
alpha PROC2 - (J chano, chant, chant, chan3 1} 
PROC2 - PROC_PROCESS CONTROLL(chanO, chant, chant, chan3) 
alpha_PROC3 - (I chano, chani, chant, chan3 1) 
PROC3 : PROC PROCESS GENERIC SPEC(chan0, chani, chant, chan3) 
alpha_PROC4 - {I chan0, chanl, chant, chan3 11 
PROC4 - PROC PROCESS_DESSRED GENERIC SPEC(chan0, chanl, chan2, chan3) 
-- Side the internalChoice event to ensure that proceeeee bat internal choice 
-- performing correctly i! needed. 
GEN SPEC1 -( PROC4 \ {internalChoice} ) 
GEN_SPEC2 -( PROC3 \ {internalChoice} ) 
GEN SPECS - PROC2 
-- QenBpec2 limited by the control specification G. nßpeo3 
GEN SPEC2_WITH_CONTROLL - GEN_SPEC2 [I alpha_PROC2 J] GEN_SPEC3 
-- Check that Genßpec3 in parallel with Genßpec2 is indistinguishable to 
GonSpool 
assert GEN SPEC1 [PD- GEN SPEC2_WITH_CONTROLL 
assert GEN_SPEC2 WITH_CONTROLL [PD- GEN_SPEC1 
Figure 63: Example of GenSpec Assertions 5 for Control Flow Process 
D. 2.6 GenSpec Assertions 6: Properties of the Annotation Events 
These assertions (see Figure 64) demonstrate that the annotation event contained within 
GenSpec 4 do not introduce extra behaviours, but are only used to conceptually describe 
what is occurring. This is achieved through hiding the annotation events, and proving that 
the resultant process is indistinguishable to the GenSpec 2 model. 
118 
Appendix D: Single Type Component Generic Specification Model Example 
-- channel declarations 
datatype STATES - 
START. {0} I FINISH. {0} I NOTFINISHED. {0} I RESET. {0} I ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chan0 : {1} 
channel chant, chant, chan3 : {0,1} 
-- Create an instance of the models to check 
-- the alpha PROC contains the low level channels used by the processes 
alpha_PROCO - (I chanO, chani, chant, chan3 1} 
PROCO - PROC_PROCESS ANNOTATED SPEC(chanO, chant, chant, chan3,0) 
alpha_PROC3 - (I chanO, chant, chan2, chan3 1) 
PROC3 - PROC_PROCESS GENERIC_SPEC(chanO, chant, chant, chan3) 
-- Side the internalChoice event to ensure that processes has Internal choice 
-- performing correctly if needed. 
GEN SPEC2 -( PROC3 \ (internalChoice} 
GEN SPEC4 -( PROCO \ (internalchoice} 
-- Oenspea4 with the annotations hidden 
GEN SPEC4_NOANNOTATIONS -( GEN_SPEC4 \ {ý annotations j} ) 
-- Cheek that Oan9paa3 in parallel with Oenäpec2 is indistinguishable to 
-- OsnSpeal 
assert GEN_SPEC4 NO ANNOTATIONS [FD- GEN_SPEC2 
assert GEN SPEC2 [FD- GEN SPEC4_NO ANNOTATIONS 
Figure 64: Example of GenSpec Assertions 6 for Control Flow Process 
D. 2.7 GenSpec Assertion 7: GenSpec 3 Compatible with GenSpec 4 
This assertion (see Figure 65) proves that the control process GenSpec 3 does not add 
extra behaviours to the annotated generic specification GenSpec 4. 
-- channel declarations 
datatype STATES - 
START. {0} ( FINISH. {O} I NOTFINISHED. {O} I RESET. {0} I ERROR. {0} I IDLE. {O} 
channel annotation : STATES 
channel internalChoice 
channel chanO : (i) 
channel chant, chant, chan3 : {o, 1} 
-- Create an instance of the models to check 
-- The alpha PROC contains the low level channels used by the processes 
alpha PROC2 - {I chanO, chani, chant, chan3 1} 
FROM - PROC_PROCESS_CONTROLL(chanO, chant, chant, chan3) 
alpha_PROCO - {I chanO, chant, chant, chan3 1} 
PROCO - PROC_PROCESS ANNOTATED SPEC(chan0, chanl, chant, chan3,0) 
-- Side the isternalChoice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN_SPEC3 - PROC2 
GEN SPEC4 -( PROCO \ {internalChoice} ) 
-- 
Öenßpec4 limited by the control specification OenBpec3 
GEN_SPEC4_WITH_CONTROLL - GEN_SPEC4 [j alpha_PROC2 1] GEN SPEC3 
-- Check OenSpec4 contains the behaviour of Qea8pec4 limited by GenSpec3 
assert GEN_SPEC4 [T= GEN_SPEC4_WITH_CONTROLL 
F pre 65: Example of GenSpec Assertion 7 for Control Flow Process 
119 
Appendix D: Single Type Component Generic Specification Model Example 
D. 2.8 GenSpec Assertion 8: GenSpec 3 Removes Deadlock From GenSpec 4 
This assertion (see Figure 66) proves that the control process GenSpec 3 removes the 
explicitly defined deadlocks from the annotated generic specification GenSpec 4. 
-- channel declarations 
datatype STATES . 
START. {0} I FINISH. {0} I NOTFINISHED. {0} I RESET. {0} I ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chano : {1} 
channel chanl {0,1} 
channel chan2 {0,1} 
channel chan3 {0,1} 
-- Create an instance of the models to check 
-- The alpha PROC contains the low level channels used by the processes 
alpha_PROC2 - tI chan0, chani, chant, chan3 1} 
PROC2 - PROC_PROCESS_CONTROLL(chan0, chant, chant, chan3) 
alpha_PROCO - {I chan0, chani, chan2, chan3 1} 
PROCO - PROC_PROCESS ANNOTATED_SPEC(chan0, chani, chan2, chan3,0) 
Hide tho intarnaiChoice *vent to ansure that procassas has intarnal choice 
-- parlorasing eorractly If naedsd. 
GEN SPEC3 - PROC2 
GEN SPEC4 -( PROCO \ {internalChoice} 
-- GanBp. c4 lialta4 by the control apacification Garßpa03 
GEN SPEC4_WITH CONTROLL - GEN SPEC4 [I alpha_PROC2 11 GEN SPECS 
-- Check that Oenlpec3 reatoves the incorrect driving options from OenSpeo4 
assert GEN SPEC4 WITH CONTROLL : [deadlock free [P]) 
Figure 66: Example of GenSpec Assertion 8 for Control Flow Process 
D. 2.9 GenSpec Assertions 9: GenSpec 4 Is an Annotated GenSpec 2 
These assertions (see Figure 67) demonstrate that if the annotation events contained 
within GenSpec 4 are hidden, then GenSpec is indistinguishable to GenSpec 2. 
120 
Appendix D: Single Type Component Generic Specification Model Example 
-- ohannal declaration, 
datatype STATES = 
START. {0} I FINISH. {0} NOTFINISHED. {0} I RESET. {0} I ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chan0 : {1} 
channel chant : {0,1} 
channel chant {0,1} 
channel chan3 {0,1} 
-- Create an instance of the models to check 
-- The alpha PROC contains the low level cbannale used by the processes 
alpha PROC3 - {1 chan0, chant, chan2, chan3 J} 
PROC3 - PROC_PROCESS_GENERIC_SPEC(chanO, chant, chant, chan3) 
alpha_PROCO = (I chanO, chant, chant, chan3 1} 
PROCO - PROC PROCESS ANNOTATED SPEC(chan0, chant, chant, chan3,0) 
-- Side the intornalChoioa event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN SPEC2 -( PROM (internalChoicel 
GEN_SPEC4 -( PROCO \ {internalChoice} 
-- Genspeo4 Frith hidden annotation events 
GEN SPEC4 NO ANNOTATIONS =( GEN_SPEC4 \ {I annotation i}, 
-- Check that Q"nßpea4 with bidden annotation, it indiatinpui, habl" to GenBp602 
assert GEN SPEC4_NO ANNOTATIONS [FD: GEN_SPEC2 
assert GEN 8PEC2 [FD. GEN SPEC4_NO_ANNOTATIONS 
Figure 67: Example of GenSpec Assertions 9 for Control Flow Process 
D. 2.10 GenSpec Assertion 10: GenSpec 6 Deadlock Free 
This assertion (see Figure 68) deadlock-free checks GenSpec 6 which helps to provide a 
base comparison for future deadlock-free checking and trace refinement for the 
annotations. 
-- Channel daalarationa 
datatype STATES - 
START. {0} I FINISH. {0} I NOTFINISHED. {0} RESET {O} I ERROR. {0} I IDLE. {O} 
channel annotation : STATES 
-- Higb. r outer Bp. a 
GEN SPEC6 - PROC PROCESS HIGHER OtTER SPEC(0) 
-- Check that QenSpec6 is deadlock-free 
assert GEN SPEC6 ; [deadlock free [F]] 
Figure 68: Example of GenSpec Assertion 10 for Control Flow Process 
D. 2.11 GenSpec Assertions 11: GenSpec S Annotates Outer Level Correctly 
These assertions (see Figure 69) demonstrates that GenSpec 5 will annotate the outer 
level of a correct process with annotation events that are similar to GenSpec 6. The 
121 
Appendix D: Single Type Component Generic Specification Model Example 
assertions cant be failures divergent checked (` [FD=') because the events that represent the 
low level signals which have been hidden, determine the initial state and thus the 
annotation that occurs. 
-- channel declarations 
datatype STATES 
START. {0} I FINISH. {0} I NOTFINISHED. {0} I RESET. {0} I ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chan0 {1} 
channel chanl : {0,1} 
channel chan2 {0,1} 
channel chan3 : {0,1} 
-- Create an inatanae of the models to check 
-- The alpha PROC contain, the low level channels used by the process., 
alpha _PROC1 - 
(I chan0, chant, chant, chan3 11 
PROC1 - PROC_PROCESS_ANNOTATE_OUTER(chan0, chant, chant, chan3) 
alpha_PROC4 - {I chanO, chant, chant, chan3 1} 
PROC4 - PROC PROCESS DESIRED GENERIC SPEC(chan0, chani, chant, chan3) 
-- Side the int. rnalChoics event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN SPEC1 -( PROC4 \ {internalchoice} 
GEN-SPECS - PROM 
GEN SPEC6 - PROC_PROCES3 HIGHER OUTER SPEC(0) 
-- Gensp. cl with annotation events added by Gensp. e 5 running in parallel 
GEN SPEC1_WITH ANNOTATIONS -( GEN SPEC1 [I alpha_PROC1 
11 GEN SPECS 
-- The annotations only that were add. d to G. nspecl by Genspec 5 
GEN SPEC1_ANNOTATIONS_ONLY - (GEN SPEC1_WITH_ANNOTATIONS 
\ alpha_PROC4 
-- Check that G. nsp. c4 with hidden annotations is indistinguishable to G. nsp. c2 
assert GEN_SPEC1_ANNOTATIONS_ONLY (T- GEN SPEC6 
assert GEN SPEC6 [T- GEN SPEC1 ANNOTATIONS_ONLY 
Figure 69: Example of GenSpec Assertion 11 for Control Flow Process 
D. 2.12 GenSpec Assertions 12: GenSpec 5 Does Not Introduce Extra 
Behaviour 
These assertions (see Figure 70) demonstrates that GenSpec 5 does not add extra 
behaviours, but only adds events that conceptually annotates the process it is run in 
parallel with. This is shown by the fact that the process run in parallel with GenSpec 5, 
with the annotations then hidden, is equivalent to the initial process by itself. 
122 
Appendix D: Single Type Component Generic Specification Model Example 
-- channel declarations 
datatype STATES 
START. {0} I FINISH. {0} I NOTFINISHED. {O} I RESET. {O} I ERROR. {O} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chanO : {1) 
channel chani : {0,1} 
channel chant : {0,1} 
channel chan3 : {0,1} 
-- Create an instance of the models to check 
-- The alpha ? ROC contains the low level channels used by the processes 
alpha_PROC1 = (I chan0, chant, chant, chan3 1} 
PROCI = PROC PROCESS ANNOTATE OUTER(chan0, chant, chant, chan3) 
alpha_PROC4 - {I chanO, chant, chan2, chan3 11 
PROC4 - PROC_PROCESS_DESIRED GENERIC_SPEC(chanO, chant, chant, chan3) 
-- Hide the internalChoice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN SPEC]. .( PROC4 \ {internalChoice} 
GEN SPECS - PROC1 
-- GenSpecl with annotation events added by Gen9pec 5 running In parallel 
GEN SPEC1_WITH ANNOTATIONS =( GEN_SPEC1 [I alpha-PROM J] GEN SPECS 
-- The annotations only that were added to GenSpecl by Genspec 5 
GEN SPEC1_HIDDEN_ANNOTATIONS = (GENSPECI WITH_ANNOTATIONS \ {I annotation i}, 
-- Check that G4wspea4 with hidden annotations is indistinguishabI0 to Gen6pea2 
assert GEN_SPEC1_HIDDENANNOTATIONS [FD. GEN_SPEC1 
assert GEN_SPEC1 [FD. GEN_SPEC1_HIDDEN_ANNOTATIONS 
FIOure 70: Example of GeuSpec Assertions 12 for Control Flow Process 
D. 2.13 GenSpec Assertions 13: GenSpec 4 With Signals Hidden is Similar to 
GenSpec 6 
These assertions (see Figure 71) demonstrates that GenSpec 4 correctly driven with the 
events that represent the low level signals hidden, performs in a similar manner to 
GenSpec 6. The processes can not be failures divergent checked ('[FD. ') both ways 
against each other, as the driving signal events (which are hidden) determine the initial 
annotation state that occurs. The hidden events become taue events preceding the initial 
annotations, which GenSpec 6 does not contain. 
123 
Appendix D: Single Type Component Generic Specification Model Example 
-- cbann. I doclarationa 
datatype STATES = 
START. {0} I FINISH. {0} I NOTFINISHED. {0} I RESET-{0} I ERROR. {0} 
channel annotation : STATES 
channel internalChoice 
channel chan0 {1} 
channel chant : (0,1} 
channel chan2 {0,1} 
channel chan3 (0,1) 
i IDLE. {0) 
-- Create an instance of the models to check 
-- ma alpha_PROC contains the low level channels used by the processes 
alpha_PROCO - {I chanO, chanl, chant, chan3 1} 
PROCO - PROC_PROCESS ANNOTATED SPEC(chanO, chant, chant, chan3,0) 
alpha_PROC2 - {I chan0, chant, chan2, chan3 1} 
PROC2 - PROC_PROCESS_CONTROLL(chan0, chant, chant, chan3) 
-- Bide the internalCboice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN_SPEC3 - PROC2 
GEN 8PEC4 -( PROCO \ {internalChoice} 
GEN_SPEC6 = PROC_PROCESS HIGHER OUTER SPEC(0) 
-- Gangpeo4 limited by the control specification GenSpec3 
GEN SPEC4_WITH_CONTROLL -( GEN SPEC4 [) alpha_PROC2 
1] GEN_SPEC3 
-- asnspec4 limited by the control specification aanSpee3, annotation only 
GEN SPEC4_ANNOTATIONS_ONLY = (GEN SPEC4_WITH_CONTROLL \ alpha_PROCO 
-- Check that Genßpec4 with hidden signals Is aiailar to Genßpe06 
-- These can not be failures divergent checked `[FDJ' both ways, as the low 
-- level driving signals that precedes the corresponding annotation events and 
-- determine their occurrences, are hidden. 
assert GEN_SPEC4 ANNOTATIONS_ONLY [FD- GEN_SPEC6 
assert GEN_SPEC6 [T= GEN SPEC4 ANNOTATIONS_ONLY 
Figure 71: Example of GenSpec Assertions 13 for Control Flow Process 
D3 Conclusion & Evaluation 
The combination of the assertions covered in section D. 2 links various properties of the 
various models covered in section D. I. This builds up confidence with the models 
specified so that implemented components can both utilise them in their own proofs and 
be checked against them. It provides processes so that a low hardware level model of the 
components can be refinement checked against, a higher clock cycle based conceptual 
specification to refinement check against, and a method to link the two types of models 
together to show consistency between them. 
124 
Appendix D: Single Type Component Generic Specification Model Example 
D. 4 Future Work 
D. 4.1 Linking Clock Cycle Annotations to a Higher Level Specification 
The models that have been created stop at a clock cycle conceptual model of what is 
occurring, it is possible to link this model to a model that represents at a software level 
what is happening. This may be useful as deadlock in software becomes live lock in 
hardware, as it is impossible for digital clocked logic to be deadlocked (each logic 
component will always output a value each clock cycle). 
If this is desired, the annotation specification (see section D. 1.6) can be linked to a higher 
and simplified specification through selectively hiding specific events so long as the 
circuit is not reset. Resetting the circuit can be perceived as restarting the application, and 
as such, restarting the CSP model. The idle state is also not allowed to occur, as we are 
concerned with what this component does when it is triggered, as this would be when the 
code that this hardware represents would have been called. 
The reason why this simplified model was not fully implemented into the compiler was 
that it was not deemed essential to demonstrate the validity of the concept of this work. It 
was also deemed that the benefits gained would not warrant the required time required to 
code up all the required segments. 
D. 4.1.1 GenSpec 7: Software Component Generic Spec Model 
This model (see Figure 72) provides a software level based model of a generic control 
flow process. A process when started may or may not ever finish, and it can only be 
restarted again if it does finish. 
125 
Appendix D: Single Type Component Generic Specification Model Example 
Internal choice with STOP Is provided as an alternative to the FINISH event, this is because conaeptually when started, a control flow process does not 
-- have to finish and is dependent on itself or other internal components to 
-- determine if it does or not. 
PROC_PROCESS HIGHER SIMPLIFIED SPEC(id) 
let 
A 
annotation. START. id -> 
( STOP 
1-1 annotation. FINISH. id -> A 
within A 
Flgure 72: Example of Simplified Control Flow Annotation Specification 
D. 4.1.2 GenSpec Assertions 14: Linking GenSpec 6 to GenSpec 7 
These assertions (see Figure 73) demonstrate that properties of GenSpec 6 are similar to 
GenSpec 7. 
-- The annotation index value being used 
annotation id -0 
-- An instance of the annotation specification 
GEN_SPEC6 - PROC_PROCESS_HIGHER OUTER SPEC(annotation_id) 
-- Cheaking the annotation specification while ensuring that reset does 
-- not occur (running in parallel with STOP), and hiding clock cycia annotations 
EXPECTED_SIMPLIFIED ANNOTATION SPEC - 
(GEN_SPEC6 
11 {( annotation. RESET ý} I] 
STOP 
\ {I annotation. x I x<-{ IDLE, NOTFINISHED } ý} 
-- The new . iaplitied epaaLZlcation to check against, Oenßpec7 
SIMPLIFIED-ANNOTATION-SPEC - PROC PROCESS_HIGHER_SIMPLIFIED_SPEC(annotation_id) 
-- Check that the two proceaeee are equivalent 
assert EXPECTED_SIMPLIFIED_ANNOTATIONSPEC [FDA SIMPLIFIED_ANNOTATION_SPEC 
assert SIMPLIFIED_ANNOTATION_SPEC [T- EXPECTED_SIMPLIFIBD_ANNOTATIONSPEC 
Figure 73: Example of how to link Annotation Spec to Simplified Spec 
D. 4.2 Model Simplifications 
Although the models are valid and correct, I have noted that they can be partially 
simplified. Through altering the design of the CSP process (see section D. 1.3) that is used 
to ensure that components are driven correctly, it is possible to partially simplify the 
complexity of the required models (see Appendix H for example simplification) making 
them easier to mentally visualise. An example of this simplification is covered in 
126 
Appendix D: Single Type Component Generic Specification Model Example 
Appendix H, as due to time restrictions full integrations of this simplification into the 
compiler for all components was not possible. 
127 
Appendix E Single Type Component 
Implemented Model Example 
This section will cover and explain the CSP models required for an implemented 
component, along with the assertions that need to be checked to link the models to each 
other, thus demonstrating that an implemented component performs as required and 
within the behaviours dictated by its generic super-type component (see Figure 74). 
Appendix E: Single Type Component Implemented Model Example 
OCCAM Hardware Conversion J om EDIF 
Each individual component is 
modelled and run in parallel 
JConstrain input signals to disallow 
correct outer level driving 
Refinement (E. 2.23 
Equivalence (E. 2.5 CSP Model of Net List 
disallowing incorrect 
driving (E. 1.3JJD. 1.3) 
Deadlock Check (E. 2.1) 
Implementation Hardware 
Specification (E. 1.1) 
headlock Check (E. 2.3) 
finement (E. 2.4) 
Super Type Hardware 
Specification (D. 1.1) 
Logic Net 
CSP Model of Net 
(may contain D. 1.2) 
List (E. 1.3) 
Hide low lever events 
and check annotations 
perform similarly to 
expected model (E. 2.8) 
Implementation Clock Cycle Software Specification (E. 1.4) 
Hide subset of annotation events Deadlock Check (E. 2.7) 
relating to clock cycle aspects 
Implementation Software efinement E. 4.1.2 
Super Type Clock 
Cycle Software Specification (E. 4.1.1) Specification (D. 4.1.1) 
J 
Figure 74: Overview of proof structure for an implemented component 
E. 1 Models & Specifications 
The 'internaiChoice' event that may appear within the code examples has been utilised 
instead of internal choice (i. e. 'I- I') to enable 'chase' compression to applied if desired. 
The 'internalChoice' event must be hidden for the specifications to be valid, but if 'chase' 
compression has been chosen, the event should only be hidden after 'chase' has been 
applied, otherwise the specification becomes invalid. 
r 
Annotate 
outer layer 
Correctly driven net-list 
with outer annotations 
((E. 1.3 ýýD. 1.3)j! D. 1.5) 
129 
Appendix E: Single Type Component Implemented Model Example 
E. 1.1 ImpSpec 1: Valid Low Level Behaviour 
This CSP model (see Figure 75) which is similar to the model defined in section D. 1.1, 
specifies all the valid and allowable low level behaviour that this implemented component 
may perform at its outer boundary. It may utilises internal choice to determine the 
possible output behaviour it can perform, although it is not a requirement (e. g. boolean 
true, boolean false, SKIP, STOP, all have well defined fixed behaviours that do not rely 
on other internal components). It is useful to note that some implemented components 
may have the allowable interface boundary behaviour that is identical to that of its generic 
super type component (e. g. boolean comparisons, PAR), where as other components will 
have an interface boundary behaviour that is a refinement of its super type component 
(e. g. boolean true, boolean false, SEQ). 
PROC_PROCESS_IF_DESIRED_SPEC(clock, 
let 
A= 
start? x -> reset? y -> C(x, y) 
[] 
reset? y -> start? x -> C(x, y) 
reset, start, finish} s 
Bs 
start? O -> reset? y -> D(y) [] 
reset? y -> start? O -> D(y) 
C(x, y) - 
clock? i -> finishl0 -> 
y -- 1&A 
11 
Y == 0& 
(x == 0&A 
[] 
x== 1 &B 
D(y) ý 
y ýe 1& clock? 1 -> finishl0 -> A 
[1 
y0& clock? 1 -> 
internalChoice -> finishli -> A 
[1--I_I 
internalChoice -> finishl0 -> B 
within finishl0 -> A 
Figure 75: Low Level 'IF' Component Desired Specification 
E. 1.2 ImpSpec 2: Low Level Behaviour with Explicit Deadlocking 
This CSP model (see Figure 76) is similar to the model covered in section D. 1.2, the CSP 
model is the model covered in section E. 1.1 but altered so that it will accept incorrectly 
driven input signals followed by explicitly defined deadlocking (i. e. STOP). 
130 
Appendix E: Single Type Component Implemented Model Example 
PROC_PROCESS_IF GENERIC SPEC(alock, reset, start, finish) 
let 
A 
start? x -> reset? y -> C(x, y) 
[] 
reset? y -> start? x -> C(x, y) 
Bs 
start? l -> STOP 
[] 
start? O -> reset? y -> D(y) 
[] 
reset? y -> 
start? O -> D(y) 
[] 
start? l -> STOP 
C(x, y) - 
clock? l -> finishl0 -> 
y -- 1&A 
[] 
y--0& 
x -- 0&A 
[] 
x1&B 
D(y) _ 
y :"1& clock? 1 -> finish! O -> A 
[] 
y0& clock? 1 -> 
internalChoice -> finishll -> A 
[I -- I-I internalChoice -> finishl0 -> B 
within finiehl0 -> A 
Figure 76: Low Level 'IF' Component Generic Specification with Explicit Deadlocking 
E. 1.3 ImpSpec 3: Model of Implemented Logic 
This CSP model (see Figure 77), is a model of the segment of logic that this component 
represents and is achieved through modelling the individual logic components and 
running them in parallel. 
131 
Appendix E: Single Type Component Implemented Model Example 
-- Coaponenti used in the segment of logic being verified 
alpha_PROC2 : {I chani, chan8, chanO, chan7 1} 
PROC2 - PROC_PROCESS ANNOTATBD_SPEC(chan0, chant, chan7, chan8, 
alpha_PROC7 - {l chan9, chan4 
PROC7 - PROC_NOT(chan9, chan4) 
alpha PROC1 = {I chani, chan6, chanO, chan5 
PROC1 - PROC_PROCSgg ANNOTATND_$PBC(chan0, chani, chan5, chan6, 
alpha_PROCS . {I chan6, chan8, chanl0 1} 
PROC8 - PROC_OR(chanl0, <chan6, chan8>) 
alpha_PROC9 - {I chan9, chan3, chan7 1} 
PROC9 - PROC AND(chan7, <chan9, chan3>) 
alpha_PROC10 - (I chan4, chan3, chan5 (} 
PROC10 - PROC AND(chan5, <chan4, chan3>) 
alpha_PROCO - {I chan4, chanl, chan3, chanO, chan2 I} 
PROCO - PROC_BOOLEAN ANNOTATED_SPEC(chan0, chant, chant, chan3, 
-- The outer level signals for the component being tested 
SYSTEM INTERFACE - {I chant, chanO, chanl0, chant J} 
-- The alphabet of signals used in the model of the logic 
3) 
a) 
chan4,1) 
SYSTEM_ALPHA - {I chan3, chanO, chan6, chan2, chan5, chan4, chan8, chan9, 
chanl0, chant, chan7 1} 
-- System Declaration of the internal logic coeponents and the signals they use 
SYSTEM_LIST -< (PROC2, alpha_PROC2 (PROC7, alpha_PROC7 
(PROC1, alpha_PROC1 (PROC8, alpha PROC8 
(PROC9, alpha_PROC9 (PROC10, alpha_PROC10 
(PROCO, alpha_PROCO 
-- The logic model of the implemented aoa pon. nt. `IiPpBpe03' 
SYSTEM 
REPL(SYSTEM LIST) \ diff(SYSTEM ALPHA, SYSTEM INTERFACE) 
\ (internalchoice} 
-- sand to run the logic coaIponenta in parallel 
REPL (p) 
let 
INNERI(pi, al, p2, a2) - pl [I inter(al, a2) f) p2 
INNER2( <(p1, a1)>^<(p2, a2)>Ap3 )" 
null(p3) & INNERI(pl, a1, p2, a2) 
[) 
not null(p3) & INNER2( <(INNER1(pl, ai, p2, a2), union(a1, a2))>"p3 
INNER3( <(pl, _)> 
)- pl 
within ( null(p) & STOP 
I) 
length(p) .. 1& INNER3(p) 
I) 
length (p) >1& INNER2(p) 
Figure 77: CSP Model of the Logic Circuit Segment of the Implemented 'IF' Component 
A graphical depiction of the segment of logic circuit that this model represents can be 
seen in Figure 78. 
132 
Appendix E: Single Type Component Implemented Model Example 
I 
sm Boolean 
'TeeC 
RrJa 
lwý 
3 
T-ow 
aK 
I 
9 
II\.. 22 -61M 
aK 
w- 
Proosss 
"Then" 
'Elas' 
N 
RNsh 
Flgare 78: A Graphical Depiction of the Logic Segment for an 'IF' Component 
E. 1.4 ImpSpec 4: Annotation Only Specification 
Flnlsh 
This CSP model (see Figure 79), is the expected behaviour of the 'IF' component from an 
annotation only perspective, with annotation models of the internal component (i. e. the 
boolean condition, the `then' process and the `else' process) having to be supplied. If the 
internal annotation components supplied are the corresponding generic specifications, the 
CSP model will demonstrate all the possible behaviours of the 'IF' component, describing 
both how driving the component drives the internal components and the internal 
components behaviour effects the outputs of this component. The reason why this model 
was designed to take in processes representing the internal components is so that if the 
supplied internal component specifications are a refinement of the corresponding generic 
specification, they will limit the behaviour dictated in the 'IF' component to that which 
describes what should conceptually occur in the hardware. 
Figure 79: IF Component Annotation Only Specification 
channel Chan_PROC_PROCESS_IF_HIGHER_INNER_SPEC 0.. 2 
channel chan_fin 
_PROC 
PROCESS_IF HIGHER INNER SPEC : {0,1} 
channel char link_PROC_PROCESS_IF_HIGHER_INNER_SPEC 
PROC_PROCES3 IF_HIGHERINNER SPEC(id, bool, bid, thenproc, 
let 
A 
x: {bool, thenproc, elaeproc} ox 
[ý { annotation. z. x, 
annotation. y. bid, 
annotation. w. v 
I v<-{tid, eid}, 
x<-{bid, tid, eid}, 
y<-{BOOLEANR. EAD, 
BOOLEANDONTREAD, 
BOOLEANREADALLOWED, 
BOOLEANTRUE, 
BOOLEANFALSE}, 
z<-{RESET, IDLE), 
w<-{START, FINISH, NOTFINISHED} 
} 
I) 
B 
aoebsaatiam of boolaaa aa"roaua 
tid, elaeproc, eid) 
133 
Appendix E: Single Type Component Implemented Model Example 
B- 
ý C 
[I {I annotation. RESET. x, 
chan_link PROC PROCESS IF HIGHER INNER SPEC, 
chan_fin_PROC_PROCESS_IF HIGHER_INNERSPEC, 
chanPROC_PROCESS_IF_HIGHER 
_INNER_SPEC I x<-{bid, tid, aid, id} 
I] 
D 
I} 
\ {I chars link_PROC PROCESS_IF_HIGHER INNER SPEC, 
Chan_PROC PROCESS IF HIGHER INNER-SPEC, 
chap fin_PROC_PROCESS_IP_HIGHER INNER SPEC 
-- booloan part 
C 
let 
CA 
I} 
(( III z: {bid, tid, eid, id} ® annotation. R888T. z 
[] 
(( ((1 z: {bid, id} 0 annotation. IDLE. z -> SKIP 
ý 
[] 
-> SKIP ); 
( Chan PROC PROCESS IF HIGHER INNER SPEC. 0 -> CA 
((( annotation. BOOLEANREAD. bid -> SKIP ) 
III ( annotation. START. id -> SKIP 
(( CB 
[I {I 
Chan PROC PROCESS IF HIGHER INNER SPEC. 1 -> 
11 
1} 
E 
CA 
annotation. RESET. x, 
chan_PROC PROCESS IF HIGHER INNER SPEC, 
chan_link 
_PROC_PROCESS_IF 
HIGHER_INNER_SPEC, 
chan_fin_PROC PROCESS IF HIGHER INNER_SPEC 
I x<-{id, bid, tid, eid} 
CB = 
annotation. 80OULMDONTREAD. bid 
Chan_PROC_PROCESS_IF_HIC3HER_INNER_SPEC. 0 -> 
ahan_link PROC_PROCSSS IF_HIQHER INNER_SPEC -> 
(( III z: {bid, tid, eid, id} ® annotation. RESET. z 
[] 
chan_link _PROC 
PROCESS IF HIGHER _INNER 
SPEC 
char fin PROC PROCESS IF HIGHER INNERR SPEC. 0 
CC 
(] 
annotation. BOOLEANREADALLONED. bid -> 
annotation. BOOLEANFALSE. bid -> 
Chan 
_PROC_PROCESS _IF_HIGHER _INNER_SPEC. 
2 -> 
char link PROC PROCESS IF HIGHER INNER SPEC 
annotation. BOOLEANTROE. bid -> 
chan_PROC_PROCESS IFHIGHER 
_INNER_SPEC. 
1 -> 
ehan_link_PROC PROCESS IF HIGHER_INNER SPEC 
( Ill 
[] 
-> SKIP ) 
-> CB 
-> cc 
-> CC 
z: {bid, tid, eid, id} o annotation. RESET. z -> SKIP ) 
CA ) 
annotation. IDLE. bid -> chanlink_PROC PROCESS IF HIGHER _INNER _SPEC -> 
134 
Appendix E: Single Type Component Implemented Model Example 
within CA 
let 
EA - 
annotation. NOTFINISHED. id -> 
( Chan 
_PROC_PROCESS_IF_HIGHER_INNER_SPEC. 
0 -> 
chan_link_PROC PROCESS_IF HIGHER_INNER SPEC -> EC 
I1 
Chan PROC PROCESS IF HIGHER INNER SPEC. 1 -> SKIP 
11 
Chan PROC PROCESS IF HIGHER INNER SPEC. 2 -> SKIP 
chan_fin_PROC PROCESS IF HIGHER INNER SPEC. 1 -a 
chan_link_PROC_PROCESS IF HIGHER INNER SPEC -> SKIP 
11 
chan_fin_PROC PROCESS_IF HIGHER INNER SPEC. 0 -> 
chan_link_PROC_PROCESS_IF_HIGHER_INNER_SPEC -> CC 
Chan link PROC PROCESS IF HINHER INNER SPEC -> EB 
EB . 
1+1 z: {bid, tid, eid, id} a annotation. RESET. z -> SKIP 
[] 
chap link 
_PROC_PROCESS _IF 
HIGHER INNER SPEC -> 
chan_finPROCPROCESS 
_IFHIGHER_INNER_SPEC. 
0 -> 
annotation. NOTFINISHED. id -> 
char link PROC PROCESS IF HIGHER INNER SPEC -> EB 
chan_fin_PROC_PROCESS 
_IF_HIGHER_INNER_SPEC. 
1 -> 
annotation. FINISH. id -> 
char link PROC PROCESS IF HIGHER INNER SPEC -> SKIP 
EC x 
III z: (bid, tid, eid, id} 0 annotation. RESET. z -> SKIP } 
Il 
-> chan_link 
_PROC_PROCESS _IF_HIC3HER_INNER _SPEC chan_fin_PROC_PROCESS_IF_HIGHER 
_INNER_SPEC. 
0 -> EA 
within EA 
let 
DA . 
(( ýH z: {bid, tid, eid, id} ® annotation. RESET. z -> SKIP ); DA 
(l 
(! UI z: {tid, eid} 0 annotation. IDLE. z -> SKIP 
( char PROC PROCESS IP HIGHER INNER SPEC. 0 -> DA 
11 
char PROC PROCESS IF HIGHER INNER SPEC. 1 -> DE 
DB = 
Chan_PROC_PROCESS_IF_HIGHER_INNER_SPEC. 0 -> 
chan_link_PROC PROCEBS_IP_HIGHER_INNER_SPEC -> 
((( [if z: {bid, tid, eid, id} m annotation. RESET. z -> SKIP ); DA 
[7 
! +1 z: {tid, eid} 0 annotation. IDLE. z -> SKIP 
than_link 
_PROC_PROCESS_IF_HIGHER 
INNER SPEC -> 
chan_fin_PROC_PROCESS_IF_HIGHER_INNER SPEC. C -> DB 
1 
1) 
chan_PROC PROCESS IF HIGHER INNER_SPEC. 1 -> 
chan_link PROC_PROCESS_IF HIGHER_INNER SPEC -> DF(tid, eid) 
[I 
char PROC PROCESS IF HIGHER INNER SPEC. 2 -> 
135 
Appendix E: Single Type Component Implemented Model Example 
DA 
chan_link_PROC_PROCESS_IF HI4HER_INNER SPEC -> DF(eid, tid) 
DC(x) - 
( fý) z: {bid, tid, eid, id} ® annotation. RESET. z -> SKIP [l 
annotation. START. x -> 
chan_link PROC_PROCESS IF HIGHER INNER SPEC -> DD(x) DD(x) 
annotation. FINISH. x -> 
chan_fin_PROC PROCESS_IF_HIGHER INNER SPEC. 1 -> 
chan_link PROC PROCESS IF HIGHER INNER_SPEC -> SKIP 11 
annotation. NOTFINISHED. x -> 
chan_fin_PROC_PROCESS_IF_HIGHER_INNER_SPEC. 0 -> 
chan_link PROC_PROCESS IF_HIGHER_INNER_SPEC -> 
(( III z: (bid, tid, eid, id} a annotation. RESET. z -> SKIP 
1] 
chan_link_PROC_PROCESS_IF HIGHER_INNER SPEC -> DD(x) 
DE (x) _ 
117 z: {bid, tid, eid, id} 0 annotation. RESET. z -> SKIP 
annotation. IDLE. x -> chan link _PROC_PROCESS _IF_HIGHER _INNER_SPEC -> Chan fin PROC PROCESS_IF HIGHER INNER SPEC. 1 -> 
Chan link PROC PROCESS IF HIGHER INNER SPEC -> SKIP 
11 
than fin PROC PROCESS IF HIGHER INNER SPEC. 0 -> 
chap link PROC PROCESS IF HIGHER INNER SPEC -> DE(x) 
DF (x, y) 
( DE(y) 
chan_link_PROC_PROCESS_IF_HIGHER 
_INNERSPEC, chan_fin_PROC_PROCESS_IP_HIGHER_INNER_SPEC, 
annotation. RESET. z 
i} ýa DC (x) 
within DA 
within B 
I z<-{id, bid, eid, kid} 
E. 2 Assertions: Linking the Models Together 
E. 2.1 ImpSpec Assertion 1: Deadlock Freedom 
The assertion stated in Figure 80 checks that the model of the segment of logic circuit is 
deadlock-free. This check demonstrates two properties, the first is that there exists no 
loops consisting of only clocked or non-clocked logic components (see section 4.4.2), the 
second is that any internal components are guaranteed to be driven correctly so long as 
the outer component is driven correctly. The guarantee that internal components are 
driven correctly is possible because the models of the internal components are models that 
136 
Appendix E: Single Type Component Implemented Model Example 
accept all possible inputs (both valid and incorrect), with the incorrect inputs being 
followed by explicitly defined deadlock i. e. `STOP' (see section D. 1.2). If the STOP's are 
not reached, then invalid inputs to internal components have not been created or 
propagated through. 
-- chann. 1 daclarationa 
channel internalChoice 
channel chan0 : (1 
channel chant, chant, chanlO : {0, i} 
-- Create an instance of the models to check 
-- The alpha PROC contains the low level channels used by the processes 
alpha_PROC6 - {I chani, chanO, chanl0, chant 1} 
PROC6 - PROC PROCESS_CONTROLL(chan0, chant, chant, chanl0) 
-- An implementation of the logic to check 
SYSTEM_INTERFACE _ {I chant, chanO, chanl0, chan2 (} 
IMP SPEC3 - SYSTEM 
GEN SPEC3 = PROC6 
-- Deadlock-frae check the expected correct generic component 
assert (IMP_SPEC3 (I SYSTEM INTERFACE 11 GEN SPECS) [deadlock free [F]] 
Figure 80: 'IF' Component Deadlock Free Assertion 
E. 2.2 ImpSpec Assertion 2: Super Type Control Only Limits the Behaviour 
The assertion stated in Figure 81 demonstrates that the process that dictates allowable 
correct driving input signals of the super type of this component, does only limit the 
behaviour of this implemented component, thus ensuring that it does not introduce any 
new behaviour. 
-- channel daolarationi 
channel internalChoice 
channel chanO : {1} 
channel chant, chant, chanlO : {0,1} 
-- Create an instance of the aodela to check 
-- The alpha PROC contains the low level channel. used by the procesae. 
alpha_PROC6 - (I chani, chanO, chanlO, chant (} 
PROC6 - PROC PROCESS CONTROLL(chan0, chant, chant, chanlO) 
-- An iipl uantation of the logic to check 
SYSTEMINTERFACE - {I chanl, chanO, chanl0, chan2 
IMP_SPEC3 . SYSTEM 
GEN_SPEC3 - PROC6 
I} 
-- Check that the control specification only limits the behaviour of the segment 
-- of logic, and does not introduce new behaviour 
assert IMP_SPEC3 [T- (IMP_SPEC3 (I SYSTEM-INTERFACE II GEN SPECS) 
Figure 81: Super Type Component Limits the Behaviour of the Implementation 
137 
Appendix E: Single Type Component Implemented Model Example 
E. 2.3 ImpSpec Assertion 3: Expected `IF' Component Behaviour Is 
Deadlock Free 
The assertion stated in Figure 82 demonstrates that the expected boundary behaviour that 
the model of the implementation of the logic circuit segment will be checked against is 
deadlock-free. This is to provide better confidence in this models correctness as it will be 
used in future checks. 
-- Channel daolaration, 
channel internalChoice 
channel chano : {1} 
channel chant, chant, chanlO : {0,1} 
-- Craata an inatanoa of tho soda1a to chock 
IMP SPEC1 - PROC PROCESS_IF DESIRED SPEC(ChanO, chanl, 
assert IMP_3PEC1 : [deadlock free [F]] 
chant, chanlO) 
Figure 82: Expected 'IF' Component Behaviour Is Deadlock-Free 
E. 2.4 ImpSpec Assertion 4: Expected Boundary Behaviour Refines Super 
Type 
The assertion stated in Figure 83 demonstrates that the expected correct boundary 
behaviour of the implemented component is a valid refinement of the expected boundary 
behaviour of its generic super type component. 
-- ebann. I daa2aratlono 
channel internalChoice 
channel chanO : {i} 
channel chant, chant, chanlo : {0,1} 
-- Create an Instance of the aiodala to ahaok 
IMP_SPEC1 - PROC_PROCESS_IP_DESIRED SPEC(chan0, chanl, chan2, chanl0) 
(3EN SPEC] . 
PROC_PROCESS_DESIRED aENERIC_SPEC(chan0, chanl, chan2, chanl0) 
\ {internalChoice} 
assert GEN SPEC1 [T= IMP SPEC1 
Figure 83: Expected 'IF' Component Behaviour Is a Refinement of Super Type 
138 
Appendix E: Single Type Component Implemented Model Example 
E. 2.5 ImpSpec Assertions 5: Correctly Driven Implementation Behaves as 
Expected 
The assertions stated in Figure 84 demonstrate that the segment of logic circuit for this 
implemented component, if driven correctly, behaves as expected. 
-- Ob"" *I declarations 
channel internalChoice 
channel chanO : {1} 
channel chant : {0, i} 
channel chan2 (0,1} 
channel chanl0 : {0,1} 
-- Create an Instance of the models to check 
IMP_SPEC1 - PROC_PROCESS 
_IF 
DESIRED SPEC(chanO, chanl, chant, chanlO) 
-- Create an Instance of the models to check 
-- The alpha 
_PROC 
contains the low level channels used by the processes 
alpha_PROC6 - {I chant, chanO, chanlO, chant 11 
PROC6 - PROC_PROCESS_CONTROLL(chanO, chant, chant, chanio) 
-- An implementation of the logic to check 
SYSTEM_INTERFACE - (I chani, chanO, chanl0, chant I} 
IMP_SPEC3 - SYSTEM 
GEN SPEC3 - PROC6 
assert IMP_SPEC1 [FD= 
( (IMP 
_SPEC3 
[I SYSTEM_INTERFACE 1] GEN_SPEC3) \ (ý annotations ý} ) 
assert ( (IMP_SPEC3 [l SYSTEM_INTERFACE 1] GEN_SPEC3) 
\ (I annotations 
[FD- IMP SPEC1 
Figure 84: Correctly Driven 'IF' Component Behaves as Expected 
E. 2.6 ImpSpec Assertion 6: Annotation Outer Level Does Not Introduce 
Deadlock 
The assertion stated in Figure 85 demonstrates that annotating the outer level of the 
implemented component with the annotation process specified by its super type (i. e. 
GenSpec 5, see Section D. 1.5), does not introduce any deadlocks. 
139 
Appendix E: Single Type Component Implemented Model Example 
-- chana. 1 d ol. rationi 
channel internalChoice 
channel chan0 : {i} 
channel chani, chant, chanlO : {0,1} 
-- Create an instance of the models to check 
IMP_SPEC1 - PROC PROCESS IF DESIRED SPEC(chanO, chani, chan2, chanlO) 
-- Create an instance of the models to check 
-- The alpha DROC contains the low level channels used by the processes 
alpha PROC6 - (I chant, chanO, chanlO, chan2 1) 
PROC6 - PROC_PROCESS_CONTROLL(chanO, chani, chan2, chanlO) 
alpha_PROCS - {I chanl, chanO, chanl0, chan2 1} 
PROCS - PROC PROCESS_ANNOTATE OUTER(chanO, chanl, chant, chanl0) 
-- An implemi"ntation of the logic to chock 
SYSTEM-INTERFACE - {I chant, chan0, chanl0, chant I} 
IMP_SPEC3 - SYSTEM 
GEN SPEC3 = PROC6 
GEN_SPECS = PROCS 
assert ( (IMP_SPEC3 [I SYSTEM_INTERFACE 1] GEN_SPEC3) 
(I SYSTEM_INTERFACE J] GEN SPECS 
[deadlock free [F] ] 
Figure 85: Annotating outer level of 'IF' component does not Introduce deadlock 
E. 2.7 ImpSpec Assertion 7: Expected High Level Behaviour is Deadlock- 
Free 
The assertion stated in Figure 86 demonstrates that the high level model describing the 
expected behaviour of the implemented component is deadlock-free. This helps to build 
confidence in the model for when using it in future checks. 
-- Create an iaettaao of Cho model& to chock 
IMP_SPEC4 = PROC PROCESS-IF_HIGHER_INNER_SPEC(0, 
HIGHER 
_SPECO_1,1, HIGHER_SPEC1_2,2, 
HIGHER_SPEC2_3,3) 
-- HLgh. r Proa"ss Instances 
HIGHER_SPEC1_2 - PROC_PROCESS_HIGHEROUTER SPEC(2) 
HIGHER_SPEC2_3 - PROC_PROCESS_HIGHER_OiTPER_SPEC(3) 
HIGHER SPECO 1- PROC BOOLEAN HIGHER OUTER SPEC(1) 
assert IMP_SPEC4 : (deadlock free(F]] 
Figure 86: 'IF' Component High Level Behaviour is Deadlock-Free 
140 
Appendix E: Single Type Component Implemented Model Example 
E. 2.8 ImpSpec Assertions 8: Component Behaves Similarly to Expected 
Higher Spec 
The assertions stated in Figure 87 demonstrate that the annotations obtained from the 
implemented segment of logic circuit, performs in a similar manner to that of the 
expected higher behavioural specification. The test can not be failure divergence checked 
both ways (one has to be a trace refinement), this is due to the way annotations are added 
to the outer layer. As the outer level input annotations occur after the corresponding low 
level input signal events (i. e. the events that represent the wires), hiding these low level 
signal events causes the high level model extracted from the implemented segment of 
logic circuit to appear to have internal choice determining the high level conceptual input 
states. The internal choice for the inputs does not really exist, but appears because the 
events that do determine what occurs though external choice have been hidden (i. e. the 
low level signals). Through altering the process of annotating the outer level of a 
component (see Appendix H), it is possible to simplify the extracted model so that it 
directly equivalent to the expected higher behaviour. 
-- channel declarations 
channel internalChoice 
channel chan0 : (11 
channel chani, chan2, chanlo : {o, i} 
-- Create an instance of the models to check 
IMP_SPEC1 - PROCPROCESS IP_DESIRED_SPEC(chan0, chant, chant, chanl0) 
-- Create an instance_ o! 
-the 
models to check 
-- The alpha PROC contains the low level channels used by the processes 
alpha_PROC6 - {I chant, chanO, chanl0, chant 1} 
PROC6 - PROC_PROCESS_CONTROLL(chan0, chanl, chant, chanl0) 
alpha_PROCS - (' chant, chan0, chanl0, chant j} 
PROC5 - PROC PROCESS ANNOTATE OUTER(chan0, chant, chant, chanl0) 
-- An implementation of tho logic to chock 
SYSTEM INTERFACE = {I chanl, chanO, chanl0, chan2 
IMP SP. EC3 = SYSTEM 
GEN_SPEC3 . PROC6 
GEN SPECS . PROCS 
assert (( (IMP SPEC3 [I SYSTEMINTERFACE 1] GEN SPEC3) [) SYSTEM INTERFACE J] GEN SPECS 
\ SYSTEM_INTERFACE 
[FD- Imp Model_3 
assert Imp Model 3 (T- (( (IMP_SPEC3 [I SYSTEM_INTERFACE 1] GEN_SPEC3) 
[! SYSTEM INTERFACE I] GEN SPECS 
\ SYSTEM_INTERFACE 
Figure 87: 'IF' Component Behaves Similarly to Expected Higher Behaviour 
141 
Appendix E: Single Type Component Implemented Model Example 
E. 3 Conclusions & Evaluation 
The combination of the assertions covered in section E. 2 links various properties of the 
various models covered in section E. 1 together and also with some of the models covered 
in section D. 1 (i. e. the models for its corresponding super type). This builds up 
confidence with the implemented component through crosschecking various properties 
hold true throughout the various models crated for it, along with the implementation 
being a refinement of its super type component, thus allowing the implemented 
component to be placed wherever its super type has been used. 
E. 4 Future Work 
E. 4.1 Linking Clock Cycle Annotations to Higher Specification 
Similar to the work described in section D. 4.1, the CSP model covered in section E. 1.4 
could be linked to a higher conceptual description of the component that gives the 
sequencing of the required conceptual events at a software level, and not a hardware clock 
cycle level. 
E. 4.1.1 ImpSpec 5: Software Specification Model 
This model (see Figure 88) provides a software level based model of the implemented 
component. The external choice with `STOP' is to provide a clear indication of where the 
internal components behaviour is expected to create possible deadlocking within this 
model. The deadlocking at within this model is allowed to possibly occur under the 
conditions where when an internal component is started, it never completes. Should this 
condition arise, the 'IF' component will never finish, a simple example of this is if the 
'then' component gets triggered and is a 'while(true)' loop, the 'while(true)' loop never 
finishes, and so the 'IF' component would never finish. 
142 
Appendix E: Single Type Component Implemented Model Example 
PROC_PROCESS_IF HIGHER SIMPLIFIED SPEC(id, 
let 
A 
bool, bid, 
thenproc, tid, 
elseproc, eid) ý 
annotation. START. id -> SKIP III 
annotation. BOOLEANREAD. bid -> SKIP 
STOP 
[) 
annotation. BOOLEAKREADALLONED. bid -> 
( annotation. BOOLEANTRUE. bid -> B(tid) 
tl 
annotation. BOOLBANFALSfi. bid -> B(eid) 
B (x) 
annotation. START. x -> 
STOP 
(I 
annotation. FINISH. x ->A 
C 
x: {booi, thenproc, elaeproc} ® x) 
annotation. BOOLEANREAD. bid, 
annotation. BOOLEANREADALLOWED. bid, 
annotation. BOOLEANTRUE. bid, 
annotation. BOOLEANFALSE. bid, 
annotation. START. y, 
annotation. FINISH. y, 
II A 
within C 
i} 
Iy <-{tid, eid} 
Figure 88: 'IF' Component Software Annotation Behavioural Specification 
E. 4.1.2 ImpSpec Assertion 9: Software Specification is a Refinement of Super 
Type 
The assertion stated in Figure 89 demonstrates that the expected higher software 
specification for the implemented component with its internal events hidden is a 
refinement of its super types' software specification model. The example show happens to 
be equivalent to its super type software specification model, but this is not a requirement 
and is why it is not being tested for. 
143 
Appendix E: Single Type Component Implemented Model Example 
-- Generic Boolean Higher Software Specification 
PROC_BOOLEAN_HIGHER SIMPLIFIED_SPEC(id) 
let 
A 
annotation. BOOLEANREADALLOWED. id -> 
STOP 
1-1 
annotation. BOOLEANREADALLOWED. id -> 
( annotation. BOOLEANTRUE. id -> A 
[] 
annotation. BOOLEANFAL3E. id -> A 
Within A 
-- Internal Coaponenta 
BoolTeet - PROC BOOLEAN HIGHER SIMPLIFIED SPEC(l) 
ThenProc - PROC_PROCESS7_HIGHER7SIMPLIFIED7_SPEC(2) 
ElseProc - PROC PROCESS HIGHER_SIMPLIFIED SPEC(3) 
-- Cemwonants to root: 
IMP_SPECS - PROC_PROCESS_IF_HIGHER_SIMPLIFIED_SPEC(0, 
BoolTest, 1, 
EhenProc, 2, 
E1seProc, 3) 
GEN_SPEC7 - PROC_PROCESS _HIGHER _SIMPLIFIED_SPEC(0) IMP_SPEC5_HIDDEN_INTERNALS 
IMP_SPECS 
\ diff( {J annotations J}, 
{ annotations. x. 0 Jx <- { START, FINISH }} 
-- Check that IapospeaS with internal events hidden IN a rOfiJm*mnt 01 -its 
-- super type 
assert GEN_SPEC7 (T- IMP-SPECS-HIDDEN-INTERNALS 
Figure 89: Higher Software Specification Is a Refinement of the Super Type 
144 
Appendix F Multi-Type Component 
Generic Specification Model Example 
This section will cover and explain the CSP models required for a multi-type generic 
super-type component, along with the assertions that need to be checked to link the 
models to each other and to the corresponding single-type generic super-type components 
for the interfaces. 
F. 1 Models & Specifications 
The `internalChoice' event that may appear within the code examples has been utilised 
instead of internal choice (i. e. 'I _ I') to enable `chase' compression to applied if desired. 
The `intemalChoice' event must be hidden for the specifications to be valid, but if `chase' 
compression has been chosen, the event should only be hidden after `chase' has been 
applied, otherwise the specification becomes invalid. 
F. 1.1 GenSpec 1: Valid Low Level Behaviour 
This model specifies all the valid and allowable low level behaviour of this type of multi- 
type super type component. The purpose is to describe the interface boundary behaviours, 
thus enabling implemented components to refinement check against it proving there 
behaviours are within the requirements for it to be a sub-type of this super-type. 
This specification (see Figure 90) will only accept correct input driving signals, and will 
return valid output result signals. Internal choice is utilised to enable it to specify all the 
possible valid refinements. 
Figure 90: Low Level Generic Data Storage Specification 
channel chan_midPROC STORAGECOMPONENTDESIRED GENERIC SPEC: 0.. 2 
channel chan_link_PROC_STORAGECOMPONENT DESIRED GENERIC SPEC 
channel than_PROC_STORAGECOMPONENTDESIRED GENERIC_SPEC: (0.. 4) 
channel than_readbits_PROC_STORAGECOMPONENT DESIRED_GENERIC_SPEC : {0.. 2). {0,11 
channel chan_storebits_PROC STORAGECOMPONENT_DESIRED GENERIC_SPEC: {0.. 2). {0,11 
PROC_STORAGECOMPONENT DESIRED_GENERIC SPEC(clock, reset, stores, reads) - 
let 
A= 
Appendix F: Multi-Type Component Generic Specification Model Example 
length (stores) 
[l 
length (stores) 
[] 
length(stores) 
[l 
length (stores) 
B= 
let 
BA = 
(((I 
aa 0 and length(reads) $= 0&E 
!=0 and length(reads) 
__ 
S6 0 &B 
0 and length(reads) !-0&C 
1= 0 and length(reads) 1= 0&D 
union 
fl reset, 
i} 
} 
clock, 
chan_link_PROC_STORAGECOMPONENT DESIRED_GENERIC_SPEC 
{ cheln PROC STORAGECOMPONENT DESIRSD_GBNERIC_SPfiC. y 
1 y<-{3,4} 
x: aet (stores) 0 BB (x) 
reset. 1, 
clock, 
chan_link PROC_STORAGECOMPONENT_DESIRED GENERIC_SPEC, 
Chan PROC STORAGECOMPONENT DESIRED GENERIC SPEC 
i) chan_link PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC -> F 
{1 chan link_PROC STORAGECOMPONENT_DESIRED GENERIC_SPEC, 
I} 
chap PROC STORAC3ECOMPONENT DESIRED GENERIC SPEC 
BB( (store, stored, data) )_ 
let 
BBA 
BBB 
11 {I 
0 
clock, 
chan_link 
_PROC_STORAGECOMPONENT_DESIRED _GENERIC _SPEC, char mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC SPEC 
I] BBC 
\ {l chan mid PROC_STORAGECOMPONENT DESIRED_GENERIC SPEC 
BBB 
chan_mid PROC STORAGECOMPONENT_DESIRED GENERIC SPEC. 0 -> 
x: set(data) a x? 0 -> SKIP 
chan_mid PROC STORAGECOMPONENT_DESIREDGENERIC SPEC. 1 -> 
x: set(data) a 
x? 0 -> SKIP 
[7 
x? 1 -> SKIP 
clock? 1 -> 
chan_link PROC_STORAGECOMPONENT DESIRED GENERIC_SPEC -> BBB 
BBC . 
reset? 1 -> 
store? O -> 
chan_mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 0 -> 
SKIP 
[l 
store? 1 -> 
char mid_PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 1 -> 
146 
Appendix F: Multi-Type Component Generic Specification Model Example 
SKIP 
BBD 
reset? O -> 
store? O -> 
chan_mid PROC_STORAGECOMPONENT_DESIRED GENERIC SPEC. 0 -> BBD C) 
store? 1 -> 
Chan mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 1 -> 
Chan_PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 0 -> BBE 
[] 
store? O -> 
chan_mid_PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 0 -> 
reset? 0 -> SKIP 
[] 
reset? 1 -> SKIP 
BBD 
store? 1 -> 
chan_mid PROC STORAGECOMPONENT-DESIRED GENERIC SPEC. 1 -> 
reset? O -> 
chan_PROC STORAGECOMPONENT DESIRED GENERIC SPEC. O -> BBE 
11 
reset? 1 -> BBD 
BBD = 
clock? 1 -> 
char PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 3 -> SKIP 
11 
Chan PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 4 -> SKIP 
storedlO -> 
chan_link_PROC STORAGECOMPONENT_DESIRED GENERIC^SPEC -> 
BBC 
SBE " 
clock? i -> 
chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 3 -> 
storedli -> 
chap link PROC STORAGECOMPONENT DEBIRED GENERIC SPEC -> BBC 
11 
chan_PROC_STORAGECOMPONENTDESIRED 
_GENERIC _SPEC. 
4 -> 
storedl0 -> 
char link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> BBF 
BBF 
reset? 1 -> store? 0 -> 
Chan mid PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 0 -> BBD 
11 
reset? O -> store? 0 -> 
chan_mid PROC_STORAGECOMPONENT_DESIRED_GENERIC SPEC. 0 BBG 
[l 
store? 0 -> 
chan_mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 0 -> 
reset?! -> BBD 
[l 
reset? 0 -> BBG 
) 
BBG = 
147 
Appendix F: Multi-Type Component Generic Specification Model Example 
clock? 1 -> chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 4 
storedl0 -> 
chan_link PROC_STORAGECOMPONENT DESIRED_GENERIC SPEC -> BBF 
within ( storedl0 -> 
within BA 
C 
let 
CA = 
(( (I 
chap link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> BBA 
union 
{I reset, 
i; 
clock, 
Chan link PROC STORAGECOMPONENTDESIRED GENERIC SPEC 
{ chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. y 
I Y<-[3,4} 
} 
x: aet(reada) a CS(x) 
[+ {+ reaet. 1, 
II 
clock, 
Chan 
_link 
PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC, 
char PROC-STORAGECOMPONENTDESIRED GENERIC SPEC 
I) 
chanlink PROCS'PORAGECOMPONENTDESIRED GENERIC 
_SPEC -> 
F 
{1 chan link_PROC STORAGECOMPONENT_DfiSIRED GENERIC_SPEC, 
I} 
chap PROC STORAGECOMPONENT DESIRED GENERIC SPEC 
CB( (read, readallowed, data) 
let 
CBA = 
reset? l -> 
read? O -> SKIP (] 
read? 1 -> SKIP 
Css 
[l 
reset? O -> 
read? O -> CBS [] 
read? 1 -> CBC 
[] 
read? O -> 
reset? 0 -> SKIP 
tl 
reset? 1 -> SKIP 
CBB 
[] 
read? 1 -> 
reset? O -> CBC 
[] 
reset? 1 -> CB8 
CBB = 
clock? 1 -> 
Chan _PROC 
STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 3 -> SKIP 
11 
148 
Appendix F: Multi-Type Component Generic Specification Model Example 
cBC = 
clock? 1 -> 
chan_PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 3 
readallowed! 1 -> 
(( III X, Bet(data) 0 x! O -> SKIP 
CBD 
reset? 1 -> read? O -> CBB 
[l 
reset? O -> read? O -> CBE I] 
read? O -> 
reset? 1 -> CBB 
[] 
reset? 0 -> CBE 
CBE 
clock? 1 -> chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 4 -> 
readallowedl0 -> 
(( III x: set(data) ® x! o -> SKIP 
readallowedl0 -> 
( ýýý x: set(data) 0 x! o -> SKIP 
char link 
_PROC_STORAGECOMPONENT_DESIRED_GENERIC_ 
SPEC -> 
CBA 
[] 
chanPROC_STORAGECOMPONENT_DESIRED_GENERIC SPEC. 4 -> 
readallowedl0 -> 
(( 111 x: aet(data) a x! 0 -> SKIP 
chan_link PROC STORAGECOMPONENTDESIREb-GENERIC SPEC -' 
CBD ---- 
chap link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> CED 
Chan_PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 4 -> SKIP 
chan_link_PROC STORAGECOMPONENT DESIRED_GENERIC_SPEC -> 
CBA 
within ( readallowedl0 -> 
x: set(data) a x10 -> SKIP 
( chan_link PROC STORAGECOMPONENT DESIRED-GENERIC-SPEC -> 
CHA --- 
) 
r 
within CA 
D 
let 
DA = 
((( (j union 
(I reset, 
clock, 
Chan link PROC STORAGECOMPONENT DESIRED GENERIC SPEC 
{ chap PROC_STORAGECOMPONENT DESIRED 
_GENERIC _SPEC. 
y 
I} 
149 
Appendix F: Multi-Type Component Generic Specification Model Example 
Y<- 3,4 
1 
x: set(stores) a DB(x) 
[ union ( 
reset, 
clock, 
chan_link PROC_STORAGECOMPONENT DESIRED_GENERIC SPEC 
{ Chan PROCSTORAGECOMPONENT DESIRED_GENERIC_SPEC. y 
I} y<-{3,4} 
f 
I] ( (ý union( 
reset, 
clock, 
than link_PROC STORAGECOMPONENT_DESIRED_GENERICSPEC 
} 
{ chan_PROC_STORAGECOMPONENT DESIRED_GENERIC_SPEC. y 
I y<-{3,4} 
ý] x: aet(reada) 0 DC(x) 
reset. i, 
Chan 
_PROC 
STORAGECOMPONENT_DESIRED-GENERIC-SPEC, 
chan_readbita PROC STORAGECOMPONENT DESIRED GENERIC_SPEC, 
chan_storebits PROC_STORAGECOMPONENT DESIRED GENERIC-SPEC, 
clock, 
chap link PROC STORAGECOMPONENT DESIRED GENERIC SPEC 
i) char link PROC STORAGECOMPONENTDESIRED GENERIC SPEC -> H 
\ {ý chan_link_PROC STORAGECOMPONENT_DESIRED GENERIC_SPEC, 
chan_readbitS_PROCSTORAGECOMPONENTDESIRED 
_GENERIC 
SPEC, 
chap storebits_PROC_STORAGECOMPONENT_DESIRED GENERIC_SPEC, 
chap PROC STORAGECOMPONENT DESIRED GENERIC SPEC 
DB( (store, stored, data) 
let 
DBA = 
DBB 
chan_mid PROC STORAGECOMPONENT DESIRED GENERIC SPEC, 
chan_link_PROC STORAGECOMPONENT_DESIRED_GENERIC_SPEC, 
clock 
I] 
DBC 
I? 
\ ti chan_mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC 
DBB 
let 
DBBA 
chan_mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. O -> 
( III x: set(data) 0 x? O -> SKIP ) 
clockll -> 
chan_link PROC STORAGECOMPONENT DESIRED_GENERIC_SPEC -> 
DBBA 
(1 
150 
Appendix F: Multi-Type Component Generic Specification Model Example 
chan_mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 1 -> 
( DBBB(data) 
DBBA 
DBBB(x) _ 
length(x) 0& STOP 
[] 
length(x) 1& DBBC(head(x), length(data) - 1) 
[] 
length(x) >1& 
DBBC(head(x), length(data) - length(x)) {chan_link 
_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC, chan_mid_PROC STORAGECOMPONENT DEBIRED CdENERIC SPEC. 2, 
clock. 1 
il 
DBRB (tail (x)) 
DBBC(x, y) _ 
x? 0 -> 
chan_midPROC STORAGECOMPONENT_DESIRED GENERIC 
_SPEC. 
2 -> 
chan_storebits_PROC STORAGECOMPONENT DESIRED_GENERIC SPEC. y. O -> 
clock? 1 -> SKIP 
[l 
clock? l -> SKIP 
(] 
x? 1 -> 
Chan 
_mid_PROCSTORAGECOMPONENTDESIRED _GENERIC_SPEC. 
2 -> 
chan_atorebits_ PROC_STORAGECOMPONENT_DESIRED_GENERIC SPEC. y. 1 -> 
clock? 1 -> SKIP 
[] 
clock? 1 -> SKIP 
chan_link_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC -> 
SKIP 
within DBBA 
DBC . 
reset? 1 -> 
store? O -> 
chan_mid PROC STORAGECOMPONENT DESIRED GENERIC SPEC. O -> 
SKIP 
[] 
store? 1 -> 
chan_mid_PROC STORAGECOMPONENT DESIRED_GENERIC_SPEC. 1 -> 
SKIP 
DBD 
[l 
reset? O -> 
store? O -> 
chan_mid_PROC_STORAGECOMPONENT_DESIRED GENERIC SPEC. O -> 
DBD 
[] 
store? 1 -> 
chan_PROC_STORAGECOMPONENT_DESIRED GENERIC-SPEC-0 
chan_mid_PROC STORAGECOMPONENT_DESIRED_GENERIC SPEC-1 -> 
chan mid_PROC STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 2 -> 
DBE 
151 
Appendix F: Multi-Type Component Generic Specification Model Example 
[] 
store? 0 -> 
Chan 
_mid 
PROC STORAGECOMPONENT_DESIRED GENERIC SPEC. O -> 
reset? 0 -> SKIP 
[] 
reset? 1 -> SKIP 
DBD 
[] 
store? 1 -> 
Chan 
_mid_PROC 
STORAGECOMPONENT DESIRED GENERIC SPEC. 1 -> 
reset? O -> 
Chan 
_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 
O -> 
Chan 
_mid_PROC 
STORAGECOMPONENT_DESIRED GENERIC SPEC. 2 -> 
DBE 
[) 
reset? 1 -> DBD 
DBD 
clock? 1 -> 
char PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 3 -> SKIP 
11 
Chan PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 4 -> SKIP 
atoredi0 -> 
char link PROC STORAGECOMPONENTDESIRED GENERIC SPEC -> 
DBC - 
DBE 
clock? l -> 
chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 3 -> 
atoredll -> 
Chan-link_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC -> 
DBC 
[] 
chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 4 -> 
atoredlO -> 
chan_link link_PROC_STORAGECOMPONENT- DESIRED- GENERIC-SPEC 
DBF 
DBF = 
reset? 1 -> store? 0 -> 
chan_mid_PROC_STORAGECOMPONENT_DESIREDGENERIC SPEC. 0 -> DBD 
(1 
reset? O -> store? O -> 
chan_mid_PROC STORAGECOMPONENTDESIREDGENERIC SPEC. 0 -> DBG 
(1 
store? 0 -> 
chan_mid_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 0 -> 
reset? i -> DBD 
11 
reset? O -> DBG 
DBG = 
clock? 1 -> 
chan_PROCSTORAGECOMPONENT DESIRED_GENERIC SPEC. 4 
atoredl0 
7> 
chan_link PROC_STORAGECOMPONENT DESIRED_GENERIC-SPEC 
DBF 
within storedl0 -> 
chan link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
DBA ---~- 
DC( (read, readallowed, data) )_ 
152 
Appendix F: Multi-Type Component Generic Specification Model Example 
let 
DCA a 
reset? 1 -> 
read? O -> SKIP 
[1 
read? 1 -> SKIP 
DCB 
[l 
reset? O -> 
read? O -> DC$ 
U 
read? 1 -> 
chan_PROC STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 1 -> 
DCC 
[] 
read? 0 -> 
reset? 0 -> SKIP [] 
reset? 1 -> SKIP 
DCB 
read? 1 -> 
reset? O -> 
than PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 1 -> 
DCC ----- 
[] 
reset? 1 -> DCB 
DCB = 
clock? 1 -> 
char PROC STORAGECOMPONENTDESIRED GENERIC SPEC. 3 -> SKIP 
chan PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 4 -> SKIP 
readallowedl0 -> 
( III x: Bet(data) ® x10 -> SKIP 
char link PROC STORAGECOMPOMMT DESIRED GENERIC SPEC -> DCA 
DCC 
DCD 
Chan link PROC STORAGECOMPONENT DESIRED_GENERIC_SPEC, 
readallowed, 
Chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC, 
reset, 
read, 
clock 
II i} DCE 
DCA 
DCn = 
let 
DCDA 
clock? l -> 
153 
Appendix F: Multi-Type Component Generic Specification Model Example 
Chan_PROC-STORAGECOMPONENT_DESIRED_GENERIC SPEC. 4 -> 
readallowedl0 -> 
chan_link-PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
DCDB ---- 
(1 
chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 3 -> 
readallowedii -> 
chan_link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
SKIP ----- 
DCDB = 
reset? 1 -> read? O -> clock? 1 -> 
Chan 
-PROC 
STORAGECOMPONENT_DESIREDGENERIC SPEC. 3 -> 
readallowedl0 -> 
Chan 
_link 
PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
SKIP ----- 
t) 
reset? O -> read? O -> clock? 1 -> 
chan PROC gToRAGRcoMpoNT DESIRED GENERIC SPEC .4 -> 
readallowedl0 -> 
Chan 
_link_PROC 
STORAGECOMPONENT DESIRED GENERIC SPEC -> DCDB _--- 
[l 
read? O -> 
reset? 1 -> clock? 1 -> 
chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 3 -> 
readallowedlO -> 
chan_link-PROC STORAGECOMPONENT-DESIRED-GENERIC-SPEC -> 
SKIP - 
reset? O -> clock? 1 -> 
chan_PROC_STORAGECOMPONENT_DESIRED-GENERIC_SPEC. 4 -> 
readallowedl0 -> 
chan_link PROC STORAGECOMPONENT DESIRED-GENERIC-SPEC -> 
DCDB --- 
within DCDA 
DCE _ 
let 
DCEA (x) _ 
length(x) 0& STOP 
[I 
length(x) 1& 
chan_readbitaPROC STORAGECOMPONENT_DESIRED_GENERIC_SPEC. ( 
length(data) - length(x) 
)? z -> 
DCEB(head(x), z) 
[] 
length(x) >1& 
chan_readbita_PROC_STORA(3ECOMPONENT_DESIRED_GENERIC_SPEC. ( 
length(data) - length(x) 
)? z -> 
DCEB(head(x), z) 
[I 
chan_link_PROC STORAGECOMPONENT DESIRED_GENERIC SPEC, 
readallowed, 
chan_PROC STORAGECOMPONENT_DESIRED_GENERIC_SPEC, 
reset, 
read, 
clock 
11 
!} 
DCEA(tail(x)) 
DCEB(x, Y) 
chats PROC STORAGECOMPONENT DESIRED GENERIC SPEC. 4 -> 
(I 
154 
c 
Appendix F. Multi-Type Component Generic Specification Model Example 
readallowedl0 -> 
x10 -> 
Chan 
_link _PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC -> DCEC(x) 
[] 
Chan 
_PROCSTORAGECOMPONENT_DESIRED_GENERIC_SPEC. 3 -> readallowedll -> 
x! y -> 
Chan link_PROC_STORAGECOMPONENT_DESIRED_GENERIC-SPEC 
SKIP 
DCEC (x) 
reset? 1 -> read? 0 -> clock? 1 -> 
Chan_PROC STORAGECOMPONENT DES IRED_GENERIC SPEC. 3 -> 
readallowedl0 -> 
X10 -> 
Chan 
_link_PROC 
STORAGECOMPONENT_DESIRED_GENERIC_SPEC -> 
SKIP 
(] 
reset? o -> read? 0 -> clock? 1 -> 
Chan 
_PROC 
STORAGECOMPONENTDESIRED GENERIC SPEC. 4 -> 
readallowedlo -> 
x10 -> 
than link 
_PROC_STORAGECOMPONENT 
DESIRED_GENERIC_SPEC -> 
DCEC(x) 
I] 
read? 0 -> 
( reset? 1 -> clock? 1 -> 
Chan PROC STORAGECOMPONENT_DESIRED GENERIC_SPEC. 3 -> 
readallowedl0 -> 
X10 -> 
chan_link_PROC_STORAGECOMPONENT_DESIRED_GENERIC SPEC -> 
SKIP 
[7 
reset? O -> clock? 1 -> 
Chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 4 -> 
readallowedl0 -> 
X10 -> 
Chan_link-PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
DCECW () ---- 
within clock? 1 -> DCEA(data) 
within ( readallowedt0 -> (( 111 x: eet(data) a x10 -> SKIP 
chart link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
DCA ------ 
within DA 
-- No Reads or Stores 
Es 
reset? O -> SKIP 
[l 
reset? 1 -> SKIP 
l; ( clock? l -> E 
F= 
let 
FA . 
reset? 1 -> clock? 1 -> 
chan_PROC_STORAGECOMPONENTDESIRED GENERIC 
_SPEC. 
3 -> 
Chan link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
FA 
U 
clock? l -> 
chan_PROC STORAGECOMPONENT_DESIRED 
_GENERIC 
SPEC. 3 -> 
char link PROC STORAGECOMPONENT DESIRED GENERIC SPEC -> 
PA 
155 
Appendix F: Multi-Type Component Generic Specification Model Example 
[] 
chan_PROC STORAGECOMPONENT-DESIRED-GENERIC-SPEC. O -a FB 11 
Chan 
_PROC 
STORAGECOMPONENT DESIRED GENERIC SPEC. 1 -> FC 
FB a--- 
clock? 1 -> 
chan_PROC_STORAGECOMPONSNT-DESIRED 
_GENERIC 
SPEC. 3 -> 
chan_link_PROC_STORAGECOMPONENT DESIRED_GENERIC_SPEC -> 
FA 
[] 
chan_PROC STORl4(3ECOMPONENT_DESIRED_C3ENERIC_SPEC. 0 -> FD [l 
chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC SPEC-1 -> FD PC - 
clock? 1 -> 
chan_PROC STORAGECOMPONENT_DESIRED GENERIC 
_SPEC. 
3 -> 
chan_link_PROC_$TORAGECOMPONENT DESIRED GENERIC_SPEC -> 
FA 
t] 
chan_PROC STORAGECOMPONENT_DSSIRED_GENERIC SPEC-0 -> FD [] 
chan_PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC. 1 -> FC 
PD = 
reset? 1 -> clock? 1 -> 
ohan_PROC STORAGECOMPONENTDESIRED GENERIC SPEC .3 -> 
chan_link PROC STORAGECOMPONENT DESIRED GENERIC_SPEC -> 
FA 
[) 
clock? 1 -> 
than-PROC_STORAGECOMPONENT_DESIRED 
_GENSRIC_SPEC. 
4 -> 
chan_link_PROC STORAGECOMPONENT DESIRED GENERIC_SPEC -> 
FD 
U 
Chan PROC STORAGECOMPONENT_DESIRED GENERIC SPEC. O -> FD 
[] 
chan_PROC STORAGECOMPONENT_DESIRED_GENERIC SPEC. 1 -> FD 
within FA 
let 
GA = 
length(stores) l= 0& GB(head(atorea)) 
[] 
length(reads) !=0& GB(head(reads)) 
GB( ( 
_, _, 
data) )_ 
[I ( reset. 1 } ý] x: (0.. (length(data)-1)} e GC(x, 0) 
GC(x, y) - 
reset? 1 -> GC(x, 0) 
[] 
chan_readbita_PROC_STORAGECOMPONENT_DESIRED_GENERIC SPEC. xIy -> 
GC (x, y) 
[] 
chan_etorebita PROC STORAGECOMPONENT DESIRED GENERIC SPEC. x? z -> 
GC (x, z) ----- 
within GA 
H= 
F 
[ý { reaet. l} j] 
G 
within chase(A) 
156 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 1.2 GenSpec 2: Low Level Behaviour with Explicit Deadlocking 
This CSP model (see Figure 91) is based on the one covered in section F. 1.1, but with the 
altered fact that it also accepts invalid driving input signals to be submitted to it. These 
invalid input driving signals are followed by an explicitly defined `STOP', that will 
explicitly deadlock the model should it ever be reached. Similar to the specification in 
section F. 1.1, the returned output signals will be all possible valid permutations allowed 
(internal choice is utilised to create those permutations, so long as it is driven correctly). 
The reason why this model will accept invalid driving signals is to enable the model of 
any component connected to it the opportunity to provide any driving signals it may 
choose, this process will not limit or remove the possibility for the other component 
models to provide invalid signals to this one as an option when they are run in 
alphabetised parallel. The purpose of this is to enable possibility to check that if this 
specification is used as an internal component, so long as the outer component is driven 
correctly, this component will be driven correctly. 
Figure 91: Low Level Gewerk Data Storage Specification with Explicit Deadlocking 
channel char mid PROC STORAGECOMPONENT GENERIC SPEC: 0.. 2ý 
channel chan_link_PROCC_STORAGECOMPONENT_GENERIC SPEC 
channel chan_PROC STORAGECOMPONENT GENERIC_SPEC: {0.. 4} 
channel chan_readbits_PROC STORAGECOMPONENT_GENERIC_SPEC: {0.. 2}. {0,1} 
channel chan_storebite_PROC_STORAGECOMPONENT_GENERIC_SPEC: {0.. 2}. {0,1} 
PROC_STORAGECOMPONENT GENERIC SPEC (clock, reset, stores, reads) 
let 
A= 
length(stores) _= 0 and length(reads) 0&E 
[] 
length(stores) !=0 and length(reads) 0&B 
[] 
length(stores) _- 0 and length(reads) !-0&C 
[] 
length(stores) I. 0 and length(reads) !-0&D 
B 
let 
BA = 
(( [ý union( 
reset, 
clock, 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC 
I} 
{ chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. y 
y<-{3,4} 
} 
I] > (i {i 
x: set(stores) ® BB(x) 
11 
reset. 1, 
clock, 
chan_link 
_PROC_STORAGECOMPONENT 
GENERIC_SPEC, 
chan_PROC STORAGECOMPONENT GENERIC SPEC 
157 
Appendix F: Multi-Type Component Generic Specification Model Example 
chan_link_PROC STORAGECOMPONENT GENERIC_SPEC -> F 
\ {) chap link_PROC STORAGECOMPONENT_GENERIC SPEC, 
I} 
Chan_PROC STORAGECOMPONENT_GENERIC_SPEC 
BB( (store, stored, data) 
let 
BSA = 
BBB 
[+ {ý clock, 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC, 
chan_mid PROC STORAGECOMPONENT GENERIC SPEC 
I] BBC 
\ (I Chan_mid PROC_STORAGECOMPONENT_GSNSRIC_SPEC 
BBB 
Chan_mid PROC STORAGECOMPONENT GENERIC SPEC. 0 
x: set(data) 
x? 0 -> SKIP 
U 
x? 1 -> STOP 
> 
t 
chan_mid_PROC STORAGECOMPONENT_GENERIC_SPEC. 1 -> 
( ýH x: aet(data) 
x? 0 -> SKIP I) 
x? 1 -> SKIP 
clock? 1 -> 
Chan link_PROC_STORAGECOMPONENT_GENERIC_SPSC -> 
BBB 
BBC . 
reset? 1 -> 
store? 0 -> 
chan_mid PROC STORAGECOMPONENT GENERIC SPEC. O -> 
SKIP 
[J 
store? 1 -> 
than mid PROC STORAC3ECOMPONENT GENERIC SPEC. 1 -> 
SKIP 
BBD 
reset? O -> 
store? O -> 
char mid PROC STORAGECOMPONENTGENERIC SPEC. O -> BBD 
11 
store? 1 -> 
chan_mid_PROC_STORAGECOMPONENT_GENERIC_BPEC. 1 -> 
char PROC STORAGECOMPONENT GENERIC SPEC. 0 -> 
BBE ---- 
1) 
store? 0 -> chan mid PROC_STORAGECOMPONENT_GENERIC SPEC-0 -> 
reset? O -> SKIP 
(1 
reset? 1 -> SKIP 
158 
Appendix F: Multi-Type Component Generic Specification Model Example 
BBD 
[l 
store? 1 -> dran mid PROC_STORAGECOMPONENT_GENERIC_SPEC. 1 -> reset? O -> chan_PROC'STORAGECOMPONENT_GENERIC SPEC. O BBE 
[l 
reset? 1 -> BBD 
BBD = 
clock? 1 -> 
(( chan_PROC STORAGECOMPONENT_GENERIC SPEC. 3 -> SKIP 
[] 
Chan 
_PROC 
STORAGECOMPONENT_GENERIC SPEC. 4 -> SKIP 
atoredl0 -> 
Chan_link_PROC_STORAGECOMPONENT_GENERICSPEC -> 
BBC 
BBE 
clock? i -> 
Chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
etored! i -> 
chan_link_PROC_STORAGECOMPONENT GENERIC-SPEC -> 
BBC 
[J 
Chn_PROC_STORßECOMPONTGqERIC SPEC .4 -> 
storedl0 -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
BBF 
BBP = 
reset? i -> 
store? O -> 
chan_mid_PROC_STORA ECOMPONENT_GENERIC_SPEC. 0 -> 
BBD 
p 
store? 1 -> STOP 
p 
reset? O -> 
store? O -> 
chaa_mid_PROC STORAGECOMPONENT_QENERIC SPEC. 0 -> 
BBG 
(I 
store? 1 -> STOP 
(] 
Store? 0 -> chan mid_PROC_STORAGECOMPONENT_GENERIC_SPEC. 0 -> 
reset? 1 -> BBD (] 
reset? 0 -> BBG 
I] 
store? l -> STOP 
BBG 
clock? l -> 
Chan_PROC_STORAGECOMPONENT_GENERIC SPEC. 4 -> 
atoredl0 -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
BBF 
within storedl0 -> chan_link PROC_STORAGECOMPONENT_GENERIC_SPEC -> BBA 
within BA 
C. 
let 
159 
Appendix F: Multi-Type Component Generic Specification Model Example 
CA 
(( (ý union( 
reset, 
clock, 
Chan link PROC STORAGECOMPONENT GENERIC SPEC 
{ chap PROC_STORAGECOMPONENT_GENERIC_SPEC. y 
) 
tl {I 
1 Y<-(3,4} 
11 x: set(reads) 0 CH(x) 
} 
ý 
I} --- 
reset. 1, 
clock, 
chan_link PROCSTORAGECOMPONENT_GENERIC SPEC, 
char PROC STORAGECOMPONENT GENERIC SPEC 
I1 
Chan link PROC STORAGECOMPONENT GENERIC SPEC -i F 
{ý chan_link_PROC STORAGECOMPONENT_GENERIC SPEC, 
I} 
chan_PROC_STORAGECOMPONENT_GENERIC SPEC 
CB( (read, readallowed, data) 
let 
CBA 
reset? l -> 
(( read? O -> SKIP 
Il 
read? 1 -> SKIP 
CBB 
(] 
reset? O -> 
read? O -> CBB 
[] 
read? l -> CBC 
[) 
read? O -> 
reset? O -> SKIP 
[1 
reset? 1 -> SKIP 
CBB 
s 
Q 
read? 1 -> 
( reset? O -> CBC 
(] 
reset? l -> CBB 
CBB 
clock? 1 -> 
(( chan_PROC STORAGECOMPONENT_GENERIC SPEC. 3 -> SKIP 
[] 
chan_PROC STORAGECOMPONENT_GENERIC SPEC. 4 -> SKIP 
readallowedl0 -> 
( III x: set(data) 0 xl0 -> SKIP 
( chan_link_PROC_BTORAGECOMPONENT GENERIC BPEC -> CBA 
160 
Appendix F: Multi-Type Component Generic Specification Model Example 
csc " 
clock? 1 -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> readallowedil -> 
(( III x. set(data) ® x! 0 -> SKIP ) 
char link PROC STORAGECOMPONENT GENERIC SPEC -> CBA 
[] 
chan_PROC_8TORAGBCOMPONENT_GENERIC_BPEC. 4 -> readallowedl0 -> 
(( III x: eet(data) ® x10 -> SKIP ) 
( chan_link_PROC_STORAGECOMPONENTGENERIC SPEC -> CBD ) 
CBD 
reset? 1 -> 
read? O -> CBB 
[] 
read? 1 -> STOP 
[] 
reset? O -> 
read? O -> CBE 
[] 
read? 1 -> STOP 
[] 
read? O -> 
reset? 1 -> CBB 
[] 
reset? O -> CBE 
read? l -> STOP 
CBE - 
clock? 1 -> 
Chan 
_PROCSTORAQECOMPONENT_GENERIC_SPEC. 
4 -> 
readallowe_dl0 -> 
x: set(data) ® x! O -> SKIP ) 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> CBD 
within ( readallowedl0 -> 
(( III x: set(data) 6 x1O -> SKIP 
chan_link_PROC STORAGECOMPONENT GENERIC SPEC -> CBA ) 
within CA 
D= 
let 
DA = 
((( [1 
[I 
I} 
{ chan_PROC_STORAGECOMPONBNT GENERIC SPEC. y 
I y<-{3,4} 
union ( 
reaet, 
clock, 
chan_link_PROC STORAGECOMPONENT_GENERIC_SPEC 
} 
ý] x: set(stores) ® DB(x) 
union ( 
reset, 
clock, 
161 
Appendix F: Multi-Type Component Generic Specification Model Example 
> 
I] 
C tl 
i} 
than link PROC STORAGECOMPONENT GRNERIC SPEC 
{ ehan_PROC_STORAGECOMPONENT_GENERiC_SPEC. y 
ý y<-{3,4} 
} 
union 
reset, 
clock, 
chap link PROC STORAGECOMPONENT GENERIC SPEC 
} 
{ chap PROC_STORAGECOMPONENT GENERIC_SPEC. y 
Y<-(3,4T 
ý] x: set(reads) 6 DC(x) 
[ý {ý reeet. 2, 
13 
Chan 
_PROC 
STORAGECOMPONENT_GENERIC_SPEC, 
Chan_readbite PROC_STORAGECOMPONENT GENERIC_SPEC, 
Chan 
_etorebita_PROC 
STORAGECOMPONENTGENERIC SPEC, 
clock, 
Chan link PROC STORAGECOMPONENT GENERIC SPEC 
Chan_lisk_PROC_STORAGECOMPONENT f3ENERIC_SPEC -> H 
{ý Chan link_PROC STORAGECOMPONENT_GENERIC SPEC, 
I} 
chan_readbita_PROC STORAGECOMPONENT_GENERICSPEC, 
chap storebit$_PROC_STORAGECOMPONENT_GENERIC_SPEC, 
char PROC_STORAGECOMPONENT GENERIC_SPEC 
DB( (store, stored, data) 
let 
DBA 
DBB 
Chan 
_mid 
PROC STORAGECOMPONENTGENERIC SPEC, 
chan_link_PROC_STORAGECOMPONENT_GENERIC SPEC, 
clock 
IJ 
DBC 
\ (I cban_mid PROC_STORAGECOMPONENT_GENERIC_SPEC I} 
DBB 
let 
DBBA 
chan_mid PROC STORAGECOMPONENT GENERIC SPEC. O -> 
III x: eet(data) ®-- 
( x? o -> SKIP 1) 
x? l -> STOP 
( clock? 1 -> 
chan_link_PROC_STORAOECOMPONENT_GENERIC_SPEC -> 
DBBA 
(] 
chan_mid_PROC_3TORAOECOMPONENT_QENERIC_SPEC. 1 -> 
DBBB(data) 
162 
Appendix F: Multi-Type Component Generic Specification Model Example 
DBBA 
DBBB (x) 
length(x) _- 0& STOP 
(1 
length(x) -- 1& DBBC(head(x), length(data) - 1) 
[1 
length(x) >1& 
DBBC(head(x), length(data) - length(x)) 
[ý ( Chan 
_link _PROC 
STORAGECOMPONENTGENERIC SPEC, 
chan_mid_PROC_STORAGECOMPONENT_GENERIC_SPEC. 2, 
clock. 1 
} 
DBBB(tail(x)) 
DBSC(x, y) 
x? O -> 
Chan mid PROC STORAGECOMPONENT GENERIC SPEC. 2 
chanstorebitSPROC STORAGECOMPONENTGENERIC SPEC. y. O -> 
clock? 1 -> 
SKIP 
[l 
clock? i -> SKIP 
[l 
x? 1 -> 
chan_mid_PROC STORAGECOMPONENT_GENERIC_SPEC. 2 -> 
chanetorebita_PROC_STORAGECOMPONEMT_GENERIC_SPEC. y. 1 -> 
clock? 1 -> 
SKIP 
[l 
clock? 1 -> SKIP 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> SKIP 
within DBBA 
DBC 
reset? 1 -> 
store? O -> 
Chan mid pp 
SKIP 
fJ 
etore7l 
ahan_mid PROC STORAGECOMPONENT_GENERIC_SPEC-1 -> 
SKIP 
DBD 
[) 
reset? O -> 
store? O -> 
chan_mid PROC STORAGECOMPONENT GENERIC SPEC. O -> 
DBD 
[) 
Store? 1 -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. O 
chan_mid_PROC STORAGECOMPONENT_GENERIC SPEC. 1 -> 
chan_mid_PROC_STORAGECOMPONENT_GENERIC_SPEC. 2 -> 
DBE 
U 
163 
Appendix F: Multi-Type Component Generic Specification Model Example 
store? 0 -> chan mid_PROC_STORAGECOMPONENT_GENERIC_SPEC. 0 -> 
reset? 0 -> SKIP 
1] 
reset? i -> SKIP 
DBD 
(] 
store? 1 -> chan_mid PROC_STORAGECOMPONENT_GENERIC_SPEC. 1 
reset? O -> 
chan_PROC STORAGECOMPONENT_GENERIC SPEC. O -> 
chan_mid_PROC STORAGECOMPONENT_GENERIC_SPEC. 2 -> 
DBE 
(1 
reset? 1 -> DBD 
DBD 
clock? 1 -> 
chan-PROC STORAGECOMPONENT GENERIC SPEC. 3 -> SKIP [l 
Chan PROC STORAGECOMPONENT GENERIC SPEC. 4 SKIP 
storedl0 -> 
chan_link_PROC_STORADECOMPONENT_GENERIC_SPEC -> 
DBC 
DBE 
clock? 1 -> 
Chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
atored! 1 -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
DBC 
[] 
Chan_PROC STORAGECOMPONENT_GENERIC SPEC. 4 -> 
8toredl0 -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
DBF 
DBF . 
reset? l -> 
store? O -> 
chan_mid_PROC_STORAGECOMPONENT_DENERIC_SPEC. 0 -> 
DBD 
U 
store? 1 -> STOP 
(] 
reset? O -> 
store? O -> 
Chan 
_mid_PROC_STORAGECOMPONENT_GENERIC_SPEC. 
0 -> 
DBG 
(] 
store? 1 -> STOP 
(] 
etore? 0 -> chars mid PROC_STORAGECOMPONENT_GENERIC_SPEC. 0 -> 
( reset? 1 -> DBD 
[] 
reset? O -> DBG 
store? 1 -> STOP 
DBG - 
clock? 1 -> 
Chan PROC STORAGECOMPONENT GENERIC SPEC. 4 -> 
164 
Appendix F: Multi-Type Component Generic Specification Model Example 
storedl0 -> 
than-link_PROC_STORAGECOMPONENT-GENERIC-SPEC -> 
DBF 
within ( storedl0 -> 
char link PROC STORAGECOMPONENT GENERIC SPEC -> 
DBA ----- 
DC( (read, readallowed, data) ) 
let 
DCA - 
reset? l -> 
read? O -> SKIP 
(l 
read? l -> SKIP 
DCB 
[l 
reset? O -> 
( read? O -> DCB [l 
read? 1 -> chan PROC STORAGECOMPONENT GENERIC SPEC. 1 -> DCC 
[] 
read? O -> 
reset? O -> SKIP [] 
reset? 1 -> SKIP 
DCB 
read? 1 -> 
reset? 0 -> chan_PROC_STORAGECOMPONENT_GENERSC_SPEC. 1 -> DCC 
[] 
reset? 1 -> DCB 
DcB = 
clock? 1 -> 
chan_PROC STORAGECOMPONENT_GENERIC_SPEC. 3 SKIP 
I) 
Chan PROC STORAGECOMPONENTGENERIC SPEC. 4 > SKIP 
readallowedl0 -> 
( III x: aet(data) a xl0 -> SKIP 
( chan_link_PROC_STORAG&COMPONENT aBNERIC SPEC -> DCA ) 
DCC - t( DCD 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC, 
readallowed, 
Chan 
_PROC_STORAGECOMPONENT_GENERIC 
SPEC, 
reset, 
read, 
clock 
II DCE 
DCA 
) 
DCD - 
I} 
165 
Appendix F: Multi-Type Component Generic Specification Model Example 
let 
DCDA 
clock? l -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallowedlO -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC SPEC -> 
DCDB 
[] 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowedil -> 
chan_link_PROC_STORAGECOMPONENTGENERIC SPEC -> 
SKIP 
DCDB 
reset? 1 -> 
read? O -> 
clock? l -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowedl0 -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC SPEC -> 
SKIP 
(] 
read? 1 -> STOP 
(3 
reset? O -> 
read? O -> 
clock? 1 -> 
ehan_PROC STORAGECOMPONENT_GENERIC SPEC. 4 -> 
readallowedl0 -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
DCDB 
1) 
read? 1 -> STOP 
[] 
read? O -> 
reset? 1 -> 
clock? 1 -> 
Chan 
_PROC_STORAGECOMPONENT_GENERIC 
SPEC. 3 -> 
readallowedlO -> 
Chan 
_link 
PROC_STORAGECOMPONENTGENERIC SPEC -> 
SKIP 
[l 
reset? O -> 
clock? 1 -> 
Chan_PROC STORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallowed! O -> 
Chan 
_link 
PROC STORAGECOMPONENT GENERIC_SPEC -> 
DCDB 
read? 1 -> STOP 
within DCDA 
DCE 
let 
DCEA (x) 
length(x) -0& STOP 
(] 
length(x) _= 1& 
chan_readbita PROC STORAGECOmPONENT_GENERIC SPEC. ( 
length(data) --length(x) 
) ?z -> 
DCES(head (x), z) 
[l 
length(x) >1& 
chan_readbitsPROC STORAGECOMPONENT GENERIC_SPEC. ( 
length(da_ta) --length(x) 
166 
Appendix F: Multi-Type Component Generic Specification Model Example 
)? z -> 
DCEB(head(x), z) 
chan_link 
_PROC_STORAGECOMPONENT_GENERIC_SPEC, readallowed, 
chan_PROC STORAGECOMPONENT_GENERICSPEC, 
reset, 
read, 
clock 
I) 1} 
DCEA(tail(x)) 
DCEC(x, y) 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallowedl0 -> 
X10 -> 
chan link PROC STORAGECOMPONENTGENERIC SPEC -> 
DCEC (x) ---- 
[] 
chan_PROC_STORAGECOMPONENT_GENERIC-SPEC. 3 -> 
readallowedll -> 
x! y -> 
chan_link 
_PROC_STORAGECOMPONENT_GENERIC_SPEC 
-> 
SKIP 
DCEC(x) 
reset? 1 -> 
read? O -> 
clock? 1 -> 
chan_PROC STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowedl0 -> 
X10 -> 
chan_link PROC_STORAGECOMPONENTGENERIC SPEC -> 
SKIP 
[] 
read? 1 -> STOP 
1 
[] 
reset? O -> 
read? O -> 
clock? 1 -> 
chan_PROCSTORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallow_edl0 -> 
X10 -> 
chan_link 
_PROC_STORAGECOMPONENT_GENERIC_SPEC 
-> 
DCEC(x) 
[] 
read? 1 -> STOP 
[] 
read? O -> 
reset? 1 -> 
clock? 1 -> 
chan_PROC STORAGECOMPONENT_GENERIC SPEC. 3 -> 
readallowedl0 -> 
x! 0 -> 
chan_link PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
SKIP - 
[] 
reset? O -> 
clock? l -> 
char PROC STORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallowedlO -> 
X10 -> 
chen_link PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
DCEC (x) 
[] 
167 
Appendix F: Multi-Type Component Generic Specification Model Example 
read? 1 -> STOP 
within clock? 1 -> DCEA(data) 
within ( readallowed! O -> 
(( III x: set(data) 0 x! 0 -> SKIP 
chap link PROC STORAGECOMPONENT GENERIC SPEC -> DCA 
within DA 
-- No Reads 
reset? o 
(1 
reset? 1 
> 
, ( 
F: 
or Stores 
-> SKIP 
-> SKIP 
clock? 1 -> E) 
let 
PA 
reset? 1 -> 
clock? l -> 
chan_PROC_STORAGECOMPONENT_GENERIC 
_SPEC. 
3 -> 
chan link PROC STORAGECOMPONENT GENERIC SPEC -> 
FA 
(1 
clock? l -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
char link PROC STORAGECOMPONENT GENERIC SPEC -> 
FA 
[] 
chan-PROC-STORAGECOMPONENT 
-GENERIC-SPEC. 
0 -> FB 
11 
chan PROC STORAGECOMPONENT GENERIC SPEC. 1 -> PC ---- FB - 
clock? 1 -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
chan_link_PROC_STORAGECOMPONENT_GENERIC_SPEC -> 
FA 
[] 
chap PROC STORAGECOMPONENT GENERK SPEC. 0 -> FD 
11 
Chan PROC STORAGECOMPONENT GENERIC SPEC.. -> FD 
FC - 
-- -- 
clock? i -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
char link PROC STORAGECOMPONENT GENERIC SPEC -> 
PA ----- 
(] 
chan PROC STORAGECOMPONENT GENERIC SPEC. 0 -> FD 
[] ---- 
chan PROC STORAGECOMPONENT GENERIC SPEC. 1 -> PC 
FD .---- 
reaet? 1 -> 
clock? 1 -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 3 -> 
chan_link_PROC_STORAGECOMPONENT GENERIC-SPEC -> 
FA 
(1 
clock? 1 -> 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 4 -> 
chan_link_PROC_STORAGECOMPONENTGENERIC SPEC -> 
FD 
[] 
-> SPEC. O FD chan -PROC -STORAGECOMPONENT - 
GfiNfiRIC 
- [1 
chan_PROC_STORAGECOMPONENT_GENERIC_SPEC. 1 -> FD 
within PA 
168 
Appendix F: Multi-Type Component Generic Specification Model Example 
Ci 
H 
a 
let 
GA = 
length(storea) t= 0& GB(head(stores)) 
(] 
length(reads) !=0& GB(head(reads)) 
GB( (_, 
_, 
data) )_ 
If { reset. l } (] x: {0.. (length(data)-1)} 0 GC(x, 0) 
GC(x, y) _ 
reset? l -> GC(x, 0) (l 
chan_readbita_PROC_STORAGECOMPONENT GENERIC_SPEC. xly -> GC(x, y) 
(] 
chan_storebits_PROC_STORAGECOMPONENT_GENERIC_SPEC. x? z -> GC(x, z) 
within GA 
F 
[I { reeet. 1} 1] 
G 
within chaee(A) 
F. 1.3 GenSpec 3: Correct Component Driving 
This CSP model is used to limit a process so that it can only accept possible valid input 
signals, this is to enable implemented sub-type components to have the outer layer of their 
logic correctly driven when performing the checks and proofs. The aim for this is to 
check an implemented component holds true to the assumption that so long as it is driven 
correctly, it will correctly drive any internal components. 
Figure 92: Generic Control Data storage Specification - Correct Driving Limiter 
channel chan_PROC_STORAGECOMPONENTCONTROLL: 0,1,2,3 
channel chan_link_PROC_STORAGECOMPONENT_CONTROLL 
PROC_STORAGECOMPONENT_CONTROLL(clock, reset, stores, reads) 
let 
A 
( C(stores) 
union( {I clock, reset 
{chan_link_PROC STORAGECOMPONENT_CONTROLL} 
I] 
E(reads) 
\ (chan_link_PROC STORAGECOMPONENT_CONTROLL) 
-- if there are no stores or reads 
Ba 
chan_link 
_PROC_STORAGECOMPONENT_CONTROLL -> reset? O -> clock? 1 -> B 
[] 
reset? l -> clock? 1 -> B 
-- Stores 
C(x) 
length(x) am 0&B 
II 
length(x) >0& 
D(head(x)) 
union( (I clock, reset 
(chan_link_PROC STORAGECOMPONENT CONTROLL} 
169 
Appendix F: Multi-Type Component Generic Specification Model Example 
C(tail(x)) 
-- Controll CSP taken from DataStore object 
-- with an extra event to ensure all outputs happen before new inputs 
D( (store, stored, databits) 
let 
DA - 
chan_PROC STORAGECOMPONENT_CONTROLL. 1 -> 
x: set(databits) 
x? O -> SKIP 
(] 
x? l -> SKIP 
t] 
ChanPROC STORAGECOMPONSNT_CONTROLL. 2 
( Tii x: aet(databita) 0 x? O -> SKIP 
_, 
(chan_PROC_STORAGECOMPONENT_CONTROLL. 0 -> DA ) 
DB 
chan_link_PROC_STORAGECOMPONENT_CONTROLL -> 
store? 0 -> chan_PROC STORAGECOMPONENT_CONTROLL. 2 -> 
reset? 1 -> SKIP 
(] 
reset? O -> SKIP 
DC 
U 
store? 1 -> chan_PROC_STORAGECOMPONENT_CONTROLL. 1 -> 
reset? 1 -> DC 
O 
reset? 0 -> DD 
() 
reset? 0 -> 
store? 1 -> chan_PROC_STORAGECOMPONENT_CONTROLL. 1 -> DD 
O 
store? 0 -> chan_PROC_STORAGECOMPONENT_CONTROLL. 2 -> DC 
reset? 1 -> 
store? 1 -> chan_PROC STORAGECOMPONENT_CONTROLL. 1 -> SKIP 
(] 
store? 0 -> chan_PROC_STORAGECOMPONENT_CONTROLL. 2 -> 
SKIP 
DC 
DC = 
chan_PROC_3TORAGBCOMPONENT_CONTROLL. 0 -> clock? 1 -> 
storedl0 -> DB 
[J 
etoredll -> STOP 
DD - 
chan_PROC_STORAGECOMPONENT_CONTROLL. 0 -> clock? 1 -> 
Storedll -> DB 
(1 
stored! O -> DE 
DE 
chan_link 
_PROC_STORAGECOMPONENT_CONTROLL 
-> 
store? 0 -> chan_PROC STORAGECOMPONENT CONTROLL. 
2 -> 
reset? 1 -> DC 
[] 
reset? 0 -> DD 
[] 
__ 
170 
Appendix F: Multi-Type Component Generic Specification Model Example 
reset? O -> store? 0 -> chars PROC STORAGECOMPONENT CONTROLL. 2 -> DD 
11 
reset? 1 -> store? O -> than PROC STORAGECOMPONENT CONTROLL. 2 -> DC 
DF - 
storedl0 -> DB 
Il 
storedll -> STOP 
chan_PROC STORAGECOMPONENT_CONTROLL 
DA 
)\ (I chan_PROC_STORAGEOOMPONENT CONTROLL 
within DF 
-- Reads 
E (x) _ 
length(x) _= 0&B 
[] 
length(x) >0& 
F(head(x)) 
union( clock, reset 
{ chan_link PROC STORAGECOMPONENT CONTROLL} 
11 
E(tail (x)) 
-- Controll CSP taken from DataRead object 
-- with an extra event to ensure all outputs happen before new inputs 
F( (read, readallowed, databits) 
let 
FA = 
chan_link_PROC_STORAGECOMPONENT_CONTROLL -> 
( read? x -> reset? y -> FD(x, y) 
(] 
reset? y -> read? x -> FD(x, y) 
FH 
chan_link_PROC_STORAGECOMPONENT_CONTROLL -> 
( read? 0 -> reset? y -> FE(y) 
(J 
reset? y -> read? O -> FE(y) 
FC - 
readallowedll -> 
III x: aet(databita) 
x! 0 -> SKIP 
t] 
xli -> SKIP 
FA 
I] 
readallowedlo -> (( III x: set(databits) 40 
X10 -> SKIP 
i] 
xll -> STOP 
); PB 
FD (x, y) . 
clock? 1 -> 
y "" 1& FF 
11 
y =. 0& 
(x -= 
Hs) 
11 
X -- 
0& FF 
1& FC 
171 
Appendix F: Multi-Type Component Generic Specification Model Example 
clock? 1 -> 
iys-1&FF 
[] 
jr :a0& FC 
FF 
readallowedll -> STOP 
[) 
readallowedl0 -> 
I x: set(databite) a 
x! 0 -> SKIP 
1) 
xll -> STOP ); FA 
within FF 
within A 
F. 1.4 GenSpec 4: Annotated Low Level Behaviour with Explicit 
Deadlocking 
This CSP model is the one covered in section F. 1.2, but with extra events added to 
describe conceptually what is occurring. The aim of this is to enable a link between a low 
level hardware model and a higher level conceptual meaning of the function the hardware 
is performing. The added `id' parameter added to the process is to provide a method to 
distinguish between different instances of this process. The annotation events depicting 
the states that are entered into from how this component is driven can only be specified 
after the event has occurred, where as the output signals are controlled by this component 
and so the corresponding annotation events can be performed before outputting the 
signals. The reason why renaming can not be used to obtain a higher level conceptual 
model of what is occurring, thus the required use of extra events depicting the 
annotations, is because the same signal states can mean different things depending on the 
state of the system. 
Figure 93: Annotated Generic Data Storage Speclikation with Explicit Deadlocking 
channel chan_mid PROC_STORAGECOMPONENT_ANNOTATED_SPEC: 0.. 2 
channel chan_link 
_PROC_STORAGECOMPONENT_ANNOTATED 
SPEC 
channel chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC: {0.. 4} 
channel chan_readbits_PROC STORAGECOMPONENT ANNOTATED_SPEC: {0.. 2}. {0,1} 
channel chan_storebits_PROC STORAGECOMPONENT ANNOTATED SPEC: {0.. 2}. {0,1} 
PROC_STORAGECOMPONENT_ANNOTATED SPEC(clock, reset, stores, aid, reads, rid) 
let 
A= 
length(stores) _= 0 and length(reads) 0&E 
[l 
length(stores) !=0 and length(reads) 0&B 
length(stores) -- 0 and length(reads) !=0&C 
0 
length(stores) !=0 and length(reads) !=0&D 
B= 
172 
Appendix F: Multi-Type Component Generic Specification Model Example 
let 
BA = 
let 
BAA 
i) Chan link PROCSTORACiECOMPONENTANNOTATED SPEC -> P {I chan_link_PROC STORA(3ECOMPONENT_ANNOTATED_SPEC, 
length(stores) I. length(sid) & STOP 
length(stores) _= length(sid) & 
BAB(atorea, aid) 
[t {+ reaet. 1, 
clock, 
chan_link PROC_STORAGECOMPONENT_ANNOTATED SPEC, 
Chan_PROC_STORAGECOMPONENT_ANNOTATED SPEC 
ý} 
i} BAB (x, y) - 
chap PROC STORAGECOMPONENT ANNOTATED_SPEC 
length(x) :-1& BB(head(x), head(y)) 
[7 
length(x) >1& 
BB(head(x), head(y)) 
union( 
reset, 
clock, 
char link PROC STORAGECOMPONENT ANNOTATEQSPEC 
( chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. y 
y< (3,4} 
} 
II BAB(tail (x), 
within BAA 
tail (y)) 
BB( (store, stored, data), id 
let 
BBA . 
BBB 
clock, 
chan_link 
_PROC_STORAGECOMPONENT_ANNOTATED_SPEC, Chan mid_PROC STORAGECOMPONENT ANNOTATED SPEC 
I) 
BBC 
\ {I than mid PROC_STORAGECONPONENT_ANNOTATED_SPEC 
BBB 
let 
BBBA . 
than mid PROC STORAGECOMPONENTANNOTATED SPEC. 0 -> JJ1 x: eet(data) 
( x? O -> SKIP 
[l 
x? 1 -> annotation. ERROR. id -> STOP 
tl 
Chan 
_mid_PROC 
STORAdECOMPONENT_ANNOTATED_SPEC. 1 -> 
BBBB(data, 0) 
clock? 1 -> 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
SBBA 
173 
Appendix F: Multi-Type Component Generic Specification Model Example 
BBBB(x, y) - 
length(x) 0& annotation. ERROR. id -> STOP [] 
length(x) 1& BSBC(head(x), y) 
[] 
length(x) >1& 
BBBC(head(x), y) 
[ý { chan mid PROC_STORAGECOMPONENT_ANNOTATED`SPEC. z 
z<-{1,2} } 
II 
BBBB(tail(x), y+l) 
BBBC(x, y) 
x? O -> BBBD(y, 0) 
1) 
x? 1 -> BBBD(y, 1) 
BBBD (x, y) 
chan_mid PROC STORAGECOMPONENT_ANNOTATED SPEC. 1 -> SKIP (1 
Chan mid PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 2 -> 
annotation. DATABIT. id. x. y -> 
SKIP 
within BBBA 
BBC = 
reset? 1 -> 
(( store? 0 -> 
chan_mid_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 0 -> 
annotation. RESET. id -> 
SKIP 
Store? 1 -> 
chan_mid_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 1 -> 
annotation. RESET. id -> 
chan_mid PROC STORAGECOMPONENT ANNOTATED SPEC. 1 -> 
SKIP 
BBD 
it 
reset? 0 -> 
store? O -> 
Chan 
_mid_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 
0 -> 
annotation. IDLE. id -> 
BBD 
1) 
store? 1 -> 
Chan 
_mid_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 
1 
annotation. STORE. id -> 
Chan 
_mid_PROC 
STORAGECOMPONENT ANNOTATED SPEC. 2 -> 
Chan PROC STORAGECOMPONENT ANNOTATED SPEC. 0 -> 
BBE - 
store? 0 -> chan_mid_PROC STORAGECOMPONENT_ANNOTATED_SPEC. 0 -> 
reset? O -> annotation. IDLE. id -> SKIP 
0 
reset? 1 -> annotation. RESET. id -> SKIP 
BBD 
(1 
store? 1 -> than mid_PROC_STORAGECOMPONENT ANNOTATED SPEC. 1 -> 
( reset? O -> 
annotation. STORE. id -> 
than mid PROC STORAGECOMPONENT ANNOTATED SPEC. 2 -> 
174 
Appendix F: Multi-Type Component Generic Specification Model Example 
Chan PROC STORAGECOMPONENT ANNOTATED SPEC. 0 -> 
BBE - 
[] 
reset? 1 -> 
chan_mid_PROC_STORAGECOMPONENT ANNOTATED SPEC. 1 -> 
annotation. RESET. id -> 
BBD 
BBD = 
clock? 1 -> 
(( char PROC STORAGECOMPONENT ANNOTATED SPEC. 3 -> SKIP 
U 
chan_PROC STORAGECOMPONENT ANNOTATED SPEC. 4 -> SKIP 
storedl0 -> 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
BBC 
BBE 
clock? 1 -> 
chan_PROC STORAGECOMPONBNT_ANNOTATED_SPEC. 3 -> 
annotation. STORED. id -> 
storedll -> 
Chan link PROC STORAGECOMPONENT ANNOTATED SPEC -> 
BBC - 
[] 
chan_PROC_STORAGECOMPONENTANNOTATED_SPEC. 4 -> 
annotation. NOTSTORED. id -> 
atoredlO -> 
than link PROC STORAGECOMPONENT ANNOTATED SPEC -> 
BBF ----- 
BBF 
reset? 1 -> 
store? O -> 
chan_mid_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 0 -> 
annotation. RESET. id -> 
BBD 
[] 
store? 1 -> annotation. ERROR. id -> STOP 
[] 
reset? 0 -> 
c store? O -> 
char mid PROC STORAGECOMPONENTANNOTATED SPEC. 0 -> 
BBG - 
[] 
store? 1 -> annotation. ERROR. id -> STOP 
[l 
store? 0 -> 
chan_mid_PROC_STORAGECOMPONENT ANNOTATED_SPEC. 0 
( reset? l -> annotation. RESET. id -> BBD 
[] 
reset? O -> BBG 
[l 
store? 1 -> annotation. ERROR. id -> STOP 
BBG 
clock? 1 -> 
chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 4 -> 
annotation. NOTSTORED. id -> 
storedtO -> 
chan_link_PROC_STORAGECOMPONENT_ANNOTATEDSPEC -> 
BBF 
within stored! O -> Chan link PROC STORAGECOMPONENT_ANNOTATED_SPEC -> BBA 
175 
Appendix F: Multi-Type Component Generic Specification Model Example 
within BA 
Cs 
let 
CA 
let 
CAA 
length(reads) I- length(rid) & STOP 
[] 
length(reads) _- length(rid) & 
CAB(reada, rid) 
(I {I reaet. 1, 
III} 
clock, 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED SPEC, 
Chan PROC STORAGECOMPONENT ANNOTATED SPEC 
chan_lirik PROC_STORAC3ECOMPONENT_ANNOTATED_SPEC -> F 
)\ {I chan link_PROC STORAaECOMPONENT ANNOTATED_SPEC, 
I} 
CAB (x" Y) _ 
length (x) 
11 
1 y<-{3,4} 
length(x) >1& 
C8(head(x), head(y)) 
( union( 
reset, 
clock, 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC 
{ chap PROC STORAGECOMPONENTANNOTATED_SPEC. y 
chap PROC_STORAGECOMPONENT_ANNOTATED_8PEC 
-- 1& CB(head(x), head(y)) 
} 
II CAB(tail(x), tail(y)) 
within CAA 
CB( (read, readallowed, data), id ) 
let 
CBA 
reset? 1 -> 
read? O -> SKIP 
[] 
read? l -> SKIP 
( annotation. RESET. id -> CBB 1 
O 
reset? o -> 
read? O -> annotation. IDLE. id -> CBB 
[l 
read? 1 -> annotation. READ. id -> CBC 
[l 
read? O -> 
reset? O -> annotation. IDLE. id -> SKIP 
[l 
reset? i -> annotation. RESET. id -> SKIP 
CBB 
[J 
read? 1 -> 
( reset? O -> annotation. READ. id -> CBC 
176 
Appendix F: Multi-Type Component Generic Specification Model Example 
[] 
reset? 1 -> annotation. RESET. id -> CBS 
CES 
clock? 1 -> 
Chan PROC STORAGECOMPONENTANNOTATED SPEC. 3 -> SKIP 
11 
chan_PROC_STORAGECOMPONENT_ANNOTATED SPEC. 4 -> SKIP 
readallowedl0 -> 
( III x: set(data) 0 x10 -> SKIP 
( char link PROC STORAGECOMPONENT ANNOTATEb SPEC -> CBA ) 
CBC = 
let 
CBCA = 
clock? l -> 
chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 3 -> 
annotation. READALLOiPBD. id -> 
readallowed! 1 -> 
( CBCB (data, 0) 
chan_link PROC_STORAGECOMPONENT_ANNOTATEb_SPEC -> 
CBA 
(] 
chan PROC STORA(3ECOMPONENT_ANNOTATED_SPEC. 4 -> 
annotation. DONTREAD. id -> 
readallowedl0 -> 
x: aet(data) @ x! 0 -> SKIP 
( chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
CBD 
CBCB (x, y) . 
length(x) .. 0& annotation. ERROR. id -> STOP 
[] 
length(x) _: 1& CBCC(head(x), 
[] 
length(x) >1& 
( CBCC(head(x), y) 
III CBCB(tail (x), y+1) 
Y) 
CBCC(x, y) 
annotation. DATABIT. id. y. 0 -> x! 0 -> SKIP 
within CBCA 
CBD 
reset? 1 -> 
read? O -> annotation. RESET. id -> CBS 
[) 
read? 1 -> annotation. ERROR. id -> STOP 
[) 
reset? O -> 
read? O -> CBE 
U 
read? 1 -> annotation. ERROR. id -> STOP 
[l 
read? O -> 
( reset? 1 -> annotation. RESET. id -> CBB 
177 
Appendix F: Multi-Type Component Generic Specification Model Example 
t] 
reset? 0 -> CBE 
(1 
read? 1 -> annotation. ERROR. id -> STOP 
CBE . 
clock? 1 -> 
chan_PROC STORAGECOMPONENT_ANNOTATED SPEC. 4 -> 
annotation. DONTREAD. id -> 
readallowedlo -> (( III x: aet(data) ! x! o -> SKIP 
( chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> CBD 
within ( readallowedl0 -> 
(( ill x: set(data) a x! 0 -> SKIP 
chap link_PROC STORAGECOMPONENT ANNOTATEQ SPEC -> CBA 
within CA 
D= 
let 
DA - 
let 
DAA = 
t 
} 
DAB 
( union ( 
reset, 
clock, 
chap link PROC STORAGECOMPONENT ANNOTATED SPEC 
t dran PROC_STORAGECOMPONENT ANNOTATED_8PEC. y 
I y<-{3,4} 
DAD 
[) {ý reset. 1, 
chan_PROC_STORAf323COMPONENT_ANNOTATED_SPEC, 
chan_readbits PROC_STORAGECOMPONENT ANNOTATED_SPEC, 
chan storebite_PROC_STORAaECOMPONENT ANNOTATED_SPEC, 
clock, 
chan_link PROC_STORAGECOMPONENT ANNOTATED_SPEC 
(} 
iý { chan link PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> H} 
)\ {ý chan_link 
_PROC 
STORAGECOMPONENT ANNOTATED SPEC, 
chan_readbite_PROC STORAGECOMPONENT ANNOTÄTED SPEC, 
chan_etorebita_PROC_STORAGECOMPONENT ANNOTATED-SPEC, 
chan PROC_STORAGECOMPONENT ANNOTATED_SPEC 
ý} 
DAB 
length(stores) I- length(aid) & STOP 
q 
length(stores) _- length(sid) & DAC(stores, sid) 
DAC(x, z) - 
length(x) =a 1& DB(head(x), head(z)) 
0 
length(x) >1& 
DB(head(x), head(z)) 
union( 
reset, 
clock, 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC 
11 
178 
Appendix F: Multi-Type Component Generic Specification Model Example 
{ chan PROC_STORAGECOMPONENT_ANNOTATED_SPEC. y 
y<-{3,4} 
Jý 
DAC(tail(x), tail(z)) 
DAD = 
length(reads) != length(rid) & STOP 
0 
length(reads) _= length(rid) & DAE(reade, rid) 
DAE(x, z) _ 
length(x) _= 1& DC(head(x), 
11 
length(x) >1& 
DC(head(x), head(z)) 
Iý union( 
(I reset, 
I} 
clock, 
head(z)) 
chan_link PROC_STORAGECOMPONENT_ANNOTATED_SPEC 
{ chan_PROC_STORA(3ECOMPONENT_ANNOTATED_SPEC. y 
ý y<-{3,4} 
} 
II DAE(tail(x), tail(z)) 
within DAA 
DB( (store, stored, data), 
let 
DBA = 
DBB 
(I (1 
id )- 
chan_mid PROC STORAGECOMPONENTANNOTATED SPEC, 
chan_link_PROC_STORAGECOMPONBNT_ANNOTATED_SPEC, 
clock 
II 
11 DBC 
\ {I chan_mid PROC STORAGECOMPONENT ANNOTATED_SPEC 
DBB - 
let 
DBBA - 
chan_mid_PROC STORAGECOMPONENT_ANNOTATSD_SPEC. 0 -> 
( (11 x: set(data) ® 
( x? 0 -> SKIP 
[) 
x? l -> annotation. ERROR. id -> STOP 
1 
i 
ý 
clock? i -> 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
DBBA 
[] 
chan_mid_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 1 -> 
( DBBB(data) 
DBBA 
DBBB (x) 
length (x) 
II 
-- 0& annotation. ERROR. id -> STOP 
179 
Appendix F: Multi-Type Component Generic Specification Model Example 
DBBC(x, y) . 
t(x? 0 -> 
chanmidPROC STORAGECOMPONENTANNOTATED SPEC. 2 -> 
Chan_storebits_PROC STORAGECOMPONENT__ANNOTATED_SPEC. y. 0 -> 
annotation. DATABIT. id. y. 0 -> 
clock? 1 -> 
SKIP 
U 
clock? 1 -> SKIP 
length(x) _= 1& DBBC(head(x), length(data) - 1) 
(] 
length(x) >1& 
DBBC(head(x), length(data) - length(x)) 
[' { chan_link_PROC STORAGECOMPONENT ANNOTATED_SPEC, 
chan_mid PROC_STORAGECOMPONENT_14NNOTATED_SPEC. 2, 
clock. 1 
} 
11 
DH$H(tail(x)) 
[) 
x? 1 -> 
chan_mid PROC STORAGECOMPONENT ANNOTATED SPEC. 2 -> 
chan_storebits_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. y. 1 -> 
annotation. DATABIT. id. y. 1 -> 
clock? 1 -> 
SKIP 
[7 
clock? 1 -> SKIP 
( chan, link_PROC_STORAGECOMPONENT ANNOTATED_SPEC -> SKIP 
within DBSA 
DBC 
reset? 1 -> 
store? O -> 
chan_mid PROC STORAGECOMPONENT ANNOTATED_SPEC. O -> 
SKIP 
1] 
atore? i -> 
Chan 
_mid_PROC 
STORAQECOMPONENT ANNOTATED_SPEC. 1 -> 
SKIP 
annotation. RESET. id -> DBD 
[] 
reset30 -> 
store? 0 -> 
chan mid PROC STORAGECOMPONENT_ANNOTATED SPEC. O -> 
annotation. IDE. id -> 
DBD 
[] 
store? ]. -> 
Chan PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 0 -> 
chan_mid PROC STORACýECOMPONENT_ANNOTATED_SPEC. 1 -> 
annotation. STORE. id -> 
chan_mid_PROC STORAGECOMPONENT_ANNOTATED SPEC. 2 -> 
DBE 
n 
store? 0 -> chan_mid PROC_STORAOECOMPONENT_ANNOTATED_SPEC. 
0 -> 
(( reset? 0 -> annotation. IDLE. id -> SKIP 
180 
Appendix F: Multi-Type Component Generic Specification Model Example 
[l 
reset? 1 -> annotation. RESET. id -> SKIP 
DBD 
U 
store? 1 -> chan mid_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 1 -> 
reset? O -> 
char PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 0 -> 
annotation. STORE. id -> 
char mid PROC STORAGECOMPONENT ANNOTATED SPEC. 2 -> 
DBE 
[] 
reset? 1 -> annotation. RESET. id -> DBD 
DBD ý a 
clock? l -> 
Chan PROC STORAGECOMPONENT ANNOTATED SPEC. 3 -> SKIP 
11 
char PROC STORAGECOMPONENT ANNOTATED SPEC. 4 -> SKIP 
atoredl0 -> 
chan_link PROC STORAGECOMPONENT_ANNOTATED_SPEC -> 
DBC 
DBE 
clock? 1 -> 
chan_PROC STORAGECOMPONENT 
_ 
ANNOTATED_SPEC. 3 -> 
annotation. STORED. id -> 
storedll -> 
char link_PROC_STORAGECOMPONENT ANNOTATED_SPEC -> 
DBC 
[] 
chan_PROC_STOR. AGECOMPONENT_ANNOTATED_BPEC. 4 -> 
annotation. NOTSTORED. id -> 
storedlO -> 
chan link_PROC STORAGECOMPONENT_ANNOTATED_SPEC -> 
DBP 
DBF . 
reget? 1 -> 
store? 0 -> 
chan_mid_PROC STORAGECOMPONENT_ANNOTATED_SPEC. 0 -> 
annotation. RESET. id -> 
DBD 
(] 
store? 1 -> annotation. ERROR. id -> STOP 
tl 
reset? O -> 
store? O -> 
chan_mid_PROC STORAGECOMPONENT ANNOTATED SPEC. 0 -> 
DBG 
H 
store? l -a annotation. SRROR. id - STOP 
U 
store? 0 -> chan_mid_PROC_STORAGECOMPONENT__ANNOTATED_SPEC. 0 -> 
reset? 1 -> annotation. RESET. id -> DBD 
[) 
reset? O -> DBG 
[1 
store? 1 -> annotation. BRROR. id -> STOP 
DBG 
181 
Appendix F: Multi-Type Component Generic Specification Model Example 
clock? l -> 
chan_PROC STORAGECOMPONENT_ANNOTATED SPEC. 4 -> 
annotation. NOTSTORED. id -> 
etoredl0 -> 
chan_link_PROC_STORAGECOMPONENT ANNOTATED-SPEC -> 
DBF 
within ( storedt0 -> 
chan_link_PROC STORAGECOMPONENT ANNOTATED SPEC -> 
DBA 
DC( (read, readallowed, data), id 
let 
DCA = 
reset? 1 -> 
read? O -> SKIP [l 
read? 1 -> SKIP 
annotation. RESET. id -> DCB 
[] 
reset? o -> 
read? O -> annotation. IDLE. id -> DCB [] 
read? 1 -> 
Chn_PROCSTORAßECOMPONENTANOTATED SPEC. 3. -> 
annotation. READ. id -> 
DCC 
read? O -> 
reset? 0 -> annotation. IDLE. id -> SKIP U 
reset? i -> annotation. RESET. id -> SKIP 
DCB 
[] 
read? l -> 
reset? O -> 
chan_PROC_STORAGECOMPONENTANNOTATED SPEC. 1 -> 
annotation. READ. id -> 
DCC 
[] 
reset? 1 -> annotation. RESET. id -> DCB 
DCB = 
C10Ck? 1 -> 
(( Chan_PROC_8TORAGECOMPONENT_ANNOTATED 6PEC. 3 -> SKIP 
[1 
chan_PROC STORAGECOMPONENT_ANNOTATED SPEC. 4 -> SKIP 
readallowedl0 -> ( III x: aet(data) ® x10 -> SKIP ) 
( than link PROC STORAGECOMPONENT ANNOTATEb SPEC -> DCA 
DCC = 
(( DCD 
[1 11 chan_link PROC_STORAGECOMPONENT_ANNOTATED_SPEC, 
readallow_ed, 
chan_PROC STORAGECOMPONENT_ANNOTATED_SPEC, 
reset, 
read, 
182 
Appendix F: Multi-Type Component Generic Specification Model Example 
II DCE 
DCA 
if 
clock 
DCD 
let 
DCDA = 
clock? l -> 
Chan 
_PROC_STORAGECOMPONENTANNOTATED_SPEC. 
4 -> 
annotation. DONTREAD. id -> 
readallowedl0 -> 
chan_link PROC STORAGECOMPONENT ANNOTATED SPEC -> 
DCDS ---- 
1] 
Chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 3 -> 
annotation. READALLOWED. id -> 
readallowedll -> 
chan_link_PROC STORAGECOMPONENTANNOTATED SPEC -> 
SKIP 
DCDB 
reset? 1 -> 
read? O -> 
annotation. RESET. id -> 
clock? 1 -> 
chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 3 -> 
readallowedl0 -> 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
SKIP 
[l 
read? l -> annotation. ERROR. id -> STOP 
[] 
reset? O -> 
read? O -> 
clock? l -> 
chap PROC STORAGECOMPONENT_ANNOTATED SPEC. 4 -> 
annotation. DONTREAD. id -> 
readallowedl0 -> 
chan_link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
DCDB 
[] 
read? 1 -> annotation. ERROR. id -> STOP 
[] 
read? O -> 
reset? 1 -> 
annotation. RESET. id -> 
clock? l -> 
Chan_PROC_STORAGECOMPONENT_ANNOTATED SPEC. 3 -> 
readallowedl0 -> 
chan_link PROC_STORAGECOMPONENT ANNOTATED_SPEC -> 
SKIP 
[3 
reset? O -> 
clock? 1 -> 
chan_PROC_STORAGECOMPONENT_ANNOTATED SPEC. 4 -> 
annotation. DONTREAD. id -> 
readallowedl0 -> 
chan_link PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
DCDB 
[] 
read? 1 -> annotation. ERROR. id -> STOP 
183 
Appendix F: Multi-Type Component Generic Specification Model Example 
within DCDA 
DCE 
let 
DCEA(x) 
length(x) 0& annotation. ERROR. id -> STOP 
[1 
length(x) 1& 
char_readbits_PROC_STbRAGECOMPONENT ANNOTATED SPEC. ( 
length(data) - length(x) 
?z -> DCEB(head(x), z, (length(data) - length(x))) 
[] 
length(x) >1& 
chan_readbita_PROC STORAGECOMPONENT ANNOTATED SPEC. ( 
length(data) --length(x) 
?z -> DCEB(head(x), z, (length(data) - length(x))) 
char link PROC_STORAGECOMPONENT_ANNOTATED_SPEC, 
readallowed, 
chan_PROC STORAGECOMPONENT_ANNOTATED_SPEC, 
reset, 
read, 
clock 
I) 
1] 
DCEA(tail(x)) 
DCEB (X, y, z) 
Chan 
_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 
4 -> 
readalloweci! 0 -> 
X10 -> 
Chan 
_link _PROC_STORAGECOMPONENT 
ANNOTATED_SPEC -> 
DCEC (x) 
[) 
Chan _PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 
3 -> 
readallowedll -> 
annotation. DATABIT. id. z. y -> 
x! y -> 
Chan 
_link 
link_PROC_STORAGECOMPOKENT_ANNOTATED- SPEC 
SKIP 
DCEC(x) 
reset? 1 -> 
read? 0 -> 
clock? i -> 
Chan PROC STORAGECOMPONENT_ANNOTATED_SPEC. 3 -> 
readallowedlO -> 
X10 -> 
Chan 
-link_PROC_STORAGECOMPONENT_ANNOTATED_SPEC 
-> 
SKIP 
[] 
read? 1 -> STOP 
t] 
reset? O -> 
read? O -> 
clock? 1 
chan_PROC STORAGECOMPONENT_ANNOTATED SPEC. 4 -> 
readailowedl0 -> 
xl0 -> 
chan_link 
_PROC 
STORAGECOMPONENT_ANNOTATEDSPEC -> 
DCEC(x) 
t] 
read? 1 -> STOP 
184 
Appendix F: Multi-Type Component Generic Specification Model Example 
tl - 
read? 0 -> 
reset? 1 -> 
clock? 1 -> 
Chan PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 3 -> 
readallowedl0 -> 
X10 -> 
Chan 
_link 
PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> 
SKIP 
[] 
reset? O -> 
clock? 1 -> 
Chan 
_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 
4 -> 
readallowed! 0 -> 
x! 0 -> 
chan_link_PROC_STORAGECOMPONENT ANNOTATED_SPEC -> 
DCEC(x) 
read? 1 -> STOP 
within clock? l -> DCBA(data) 
within ( readallowedl0 -> 
(( ICI x: set(data) ® x10 -> SKIP 
( chap link_PROC STORAGECOMPONENT ANNOTATED_SPEC -> DCA ) 
within DA 
-- No Reads or Stores 
E- 
reset? 0 -> SKIP 
[] 
reset? l -> SKIP 
); ( clock? l -> E 
let 
FA - 
reset? 1 -> clock? l -> chan_PROC_STORAGECOMPONENT_ANN0TATED_SPEC. 3 
chan_link PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> PA 
[] 
clock? l -> chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 3 -> 
chan_link_PROC_STORAGECOMPONENT ANNOTATED_SPEC -> FA 
I] 
chan_PROC STORAGECOMPONENT ANNOTATED SPEC. O -> PB I] 
chan_PROC STORAGECOMPONENT_ANN0TATED_SPEC. 1 -> PC 
PB - 
clock? i -> chan_PROC_STORAGECOMPONENT_ANNOTATED_SPEC. 3 -> 
chan_link PROC_STORAGECOMPONENT ANNOTATED_SPEC -> PA 
I] 
chan_PROC STORAGECOMPONENT_ANNOTATED_SPEC. O -> PD [] 
chan_PROC STORAGECOMPONENT ANNOTATED SPEC. 1 -> PD 
PC - 
clock? 1 -> chan_PROC_STORAGECOMPONENT_ANNOTATED SPEC. 3 -> 
chan_link PROC_STORAGECOMPONENT_ANNOTATED_SPEC -> PA 
I] 
than_PROC_STORAGECOMPONENTANNOTATED SPEC-0 -> FD 
11 
Chan PROC STORAGECOMPONENTANNOTATEb SPEC. 1 -> PC 
PD ----- 
reset? l -> clock? l -> chan_PROC_STORAGECOMPONENT_ANN0TATED_SPEC. 3 -> 
than link PROC STORAGECOMPONENT ANNOTATED SPEC -> FA 
Il ----- 
clock? 1 -> chan_PROC_STORAGECOMPONENT_ANN0TATED_SPEC. 4 -> 
char link PROC STORAGECOMPONENT ANNOTATED SPEC -> FD 
11 
Chan PROC STORAGECOMPONENT ANNOTATED SPEC. O -> PD 
185 
Appendix F: Multi-Type Component Generic Specification Model Example 
(] 
chan_PROC STORAGECOMPONENT ANNOTATED_SPEC. 1 -> FD 
within FA 
Gs 
let 
GA = 
length(stores) !=0& GB(head(stores)) 
(] 
length(reads) !=0& GB(head(reads)) 
G8( 
_, 
data) )_ 
[I { reset. 1 } !]x: {0.. (length(data)-1)} ® GC(x, 0) 
GC (x, y) _ 
reset? ]. -> GC(x, 0) 
(l 
chan_readbits_PROC_STORAGECOMPONENT ANNOTATED_SPEC. xty -> GC(x, y) 
(1 
chan_etorebite_PROC STORAGECOMPONENT_ANNOTATED SPEC. x? z -> GC(x, z) 
within GA 
H= 
F 
(( { reset. 1} (] 
G 
within chase(A) 
F. 1.5 GenSpec 5: Annotating the Outer Layer 
This CSP model is used to annotate the outer layer of an implemented sub-type of this 
component. The process allows correct input and output signals to be able to annotate and 
describe that an error has occurred. No internal choice is used, as this should not restrict 
or control a process, but only annotate what is occurring. 
Figure 94: Generic Data Storage Annotate Outer Layer 
channel Chan_PROC_STORAGEcOMPONNT ANNOTATE OUTER: (0,1,2,3,4,5 
channel chan_link_PROC_STORAGECOMPONENT_ANNOTATE_OUTER 
PROC_STORAGECOMPONENT ANNOTATE_OUTER(clock, reset, stores, aid, reads, rid) 
let 
A= 
C(stores, aid) 
tý union( {I clock, reset 
{ Chan_link_PROC STORAGECOMPONENT ANNOTATE OUTER } 
I) E(reads, rid) 
\ (chan_link 
_PROC 
STORAGECOMPONENT_ANNOTATEOUTER} 
-- if there are no stores or reads 
B- 
chan_link 
_PROC 
STORAGECOMPONENT ANNOTATE OiiTER -> 
reset? O ->ýclock? 1 -> B 
[] 
reset? 1 -> clock? l -> B 
-- Stores 
C (x, Y) 
length(x) -- 0&B 
[] 
length(x) >0& 
D(head(x), head(y)) 
union( clock, reset 
{ chan_link_PROC_STORAGECOMPONENT_ANNOTATE OUTER } 
186 
Appendix F: Multi-Type Component Generic Specification Model Example 
] 
C(tail(x), tail(y)) 
-- Controll CSP taken from DataStore object 
-- with an extra event to ensure all outputs happen before new inputs 
D( (store, stored, databits), id) s 
let 
DA 
than PROC STORAGECOMPONENTANNOTATE OUTER. 1 -> DR(databits) 
11 
chan_PROC STORAGECOMPONENT_ANNOTATE_OUTER. 2 -> 
( ýý) x: set(databita) e 
x? O -> SKIP 
[) 
x? l -> annotation. ERROR. id -> STOP 
s 
( chan PROC STORAGECOMPONENT ANNOTATE OUTER. O -> DA ) 
DH (x) - 
-- -- 
length(x) 0& annotation. ERROR. id -> STOP 
j] 
length(x) 1& DI(head(x), length(databits)-1) 
j) 
length(x) >1& 
DI(head(x), length(databits)-length(x)) 
chan PROC STORAGECOMPONENT_ANNOTATE_OUTER. y 
DH(tail(x)) 
y<-{4,5} i 
DI (x, y) - 
x? 1 -> 
chan_PROC 
i_STORAGECOMPONENT 
ANNOTATE_OUTER. 4 -> 
annotaton. DATABIT. id. y. 1 -> 
SKIP 
U 
Chan PROC STORAGECOMPONENT ANNOTATE OUTER. 5 -> SKIP 
t] 
x? o -> 
chan_PROC STORAGECOMPONENT_ANNOTATE_OiTfER. 4 -> 
annotation. DATABIT. id. y. 0 -> 
SKIP 
H 
chan_PROC_STORAGECOMPONENT_ANNOTATE_OUTER. 5 -> SKIP 
DB 
chap link 
_PROC_STORAQECOMPONENT_ANNOTATE_OUTER 
-> 
store? 0 -> chan_PROC_STORAGECOMPONENT_ANNOTATE OUT'ER. 
2 -> 
reset? 1 -> annotation. RESET. id -> SKIP 
[) 
reset? O -> annotation. IDLE. id -> SKIP 
DC 
(] 
store? 1 -> chan_PROC_STORAQECOMPONENT_ANNOTATE _OUTER. 
1 
( reset? 1 -> 
annotation. RESET. id -> 
chan_PROC_STORAAECOMPONENT__ANNOTATE_OUTER. 5 -> 
DC 
[1 
reset? O -> 
annotation. STORE. id -> 
chan_PROC STORACGECOMPONENT_ANNOTATE_OUTER. 4 -> 
DD 
} 11 
187 
Appendix F: Multi-Type Component Generic Specification Model Example 
p 
reset? O -> 
store? 1 -> 
chan_PROC STORAGECOMPONENT__ANNOTATE_OUTER. 1 -> 
annotation. STORE. id -> 
chan_PROC_STORAGECOMPONENT_ANNOTATE_OUTER. 4 -> 
DD 
[] 
store? O -> 
chan_PROC_STORAGECOMPONENT_ANNOTATE_OUTER. 2 -> 
annotation. IDLE. id -> 
DC 
[] 
reset? 1 -> 
store? 1 -> 
chan_PROC_STORAGECOMPONENT_ANNOTATE_OUTER. 1 -> 
annotation. RESET. id -> 
chan_PROC-STORAGECOMPONENT ANNOTATE OUTER. 5 -> 
SKIP -_ 
[] 
store? O -> 
Chan_PROC_STORAGECOMPONENT_ANNOTATE OUTER. 2 -> 
annotation. RESET. id -> 
SKIP 
ý 
DC 
DC - 
chan PRO STORAGECONPONENT ANNOTATE OUTER. 0 -> clock? 1 -> 
atoredl0 -> DB 
[] 
®toredll -> annotation. ERROR. id -> STOP 
DD s 
chan_PROC_STORAC3ECOMPONENT_ANNOTATE_OUTER. 0 -> clock? 1 -> 
( etoredll -> annotation STORED. id -> DB 
[] 
storedl0 -> annotation. NOTSTORED. id -> DE 
DE 
Chan 
_link_PROC_STORAGECOMPONENT_ANNOTATE_OUTER -> store? 1 -> annotation. ERROR. id -> STOP 
[l 
store? O -> 
Chan_PROC_STORAGECOMPONENT_ANNOTATE_OUTER. 2 -> 
reset? y -> 
DG(y) 
[J 
reset? y -> 
store? 0 -> 
Chan_PROC STORAGECOMPONENTANNOTATE-OUTER. 2 -> 
DG(y) -- 
(] 
store? 1 -> annotation. ERROR. id -> STOP 
DF - 
atoredl0 -> DB 
[] 
atoredll -> annotation. ERROR. id -> STOP 
chan_PROC_STORAGECOMPONENT__ANNOTATE_OUTER 
DA 
)\ chan_PROC_STORAGECOMPONENT ANNOTATE_OUTER 
DG (Y) ý 
188 
Appendix F: Multi-Type Component Generic Specification Model Example 
I == 1 
(l 
y == 0 
within DF 
-- Reads 
E (x, y) _ 
& annotation. RESET. id -> DC 
& DD 
length(x) -0&B 
[] 
length(x) >0& 
F(head(x), head(y)) 
[I union( (I clock, reset { chan_link PROC_STORACiECOMPONENT_ANNOTATE_OUTER 
II E(tail(x), tail(y)) 
} 
-- Controll CSP taken from DataRead object 
-- with an extra event to ensure all outputs happen before new inputs 
F( (read, readallowed, databits), id ) 
let 
PA 
-> chan_link _PROC_STORAGECOMPONENT_ANNOTATE-OUTER read? x -> reset? y -> FD(x, y) 
1) 
reset? y -> read? x -> FD(x, y) 
FB 
than link PROC STORAGECOMPONENT_ANNOTATE_OUTER -> 
read? 0 -> 
reset? 1 -> annotation. RESET. id -> clock? 1 -> FF 
[7 
reset? O -> clock? 1 -> PC 
[l 
reset? 1 -> read? O -> annotation. RESET. id -> clock? 1 -> FF 
(1 
reset? 0 -> read? O -> clock? 1 -> PC 
FC = 
readallowedll -> annotation. READALLOWED. id 
( PG(databita) 
FA 
) 
[l 
readallowedl0 -> annotation. DONTREAD. id -> III x: aet(databita) ® 
xi0 -> SKIP 
[J 
xll -> annotation. ERROR. id -> STOP 
) 
FB 
PD (x, y) 
Yý=1 & annotation. RESET. id -> clock? 1 -> FF 
[l 
Y == 0& 
x -= 0& annotation. IDLE. id -> clock? 1 -> FF 
11 
X -- 
FE (y) _ 
Y"1 
11 
y =a 0 
FF : 
1& annotation. READ. id -> clock? 1 -> FC 
& annotation. RESET. id -> clock? 1 -> FF 
& clock? 1 -> FC 
readallowedll -> annotation. ERROR. id -> STOP 
i}, 
189 
Appendix F: Multi-Type Component Generic Specification Model Example 
[l 
readallowedl0 -> III x: aet(databita) ® 
x! 0 -> SKIP 
fl 
x! 2 -> annotation. ERROR. id -> STOP 
PA 
FG(x) _ 
length(x) 0& annotation. ERROR. id -> STOP [) 
length(x) 1& PH(head(x), length(databits) - length(x)) [l 
length(x) >1& 
PH(head(x), length(databits) - length(x)) III 
FG (tail (x) ) 
FH (x, y) 
x! 0 -> annotation. DATABIT. id. y. 0 -> SKIP (3 
x! i -> annotation. DATABIT. id. y. 1 -> SKIP 
within FF 
within chase (A) 
F. 1.6 GenSpec 6: Clock Cycle Higher Generic Specification 
This CSP model is an annotation only clock cycle based higher conceptual specification. 
It is used as a comparison for the extracted annotations from the annotated low level 
hardware models. 
Figure 9S: Generic Data Storage Annotation Specification 
channel chan_mid_PROC_STORAGECOMPONENT HIGHER OUTER_SPEC: 0.. 2 
channel chan_link 
_PROC_STORAGECOMPONENT_HIGHER_OUTER _SPEC channel chan_PROC STORAGECOMPONENT HIGHER OUTER SPEC: {0.. 4} 
channel chan_readbits PROCSTORAGECOMPONENTHIGHER OUTER SPEC: {0.. 2}. {0,1} 
channel char storebits_PROC STORAGECOMPONENT_HIGHER OUTER SPEC: {0.. 2}. {0,1} 
PROC_STORAGECOMPONENT HIGHER_OUTER_SPEC(bitLength, Did, rid) 
let 
A= 
length(sid) _= 0 and length(rid) 0& SKIP 
(] 
length(rid) I. 0 and length(rid) 0&B 
(] 
length(rid) _- 0 and length(rid) !-0&C 
(] 
length(sid) !=0 and length(rid) !-0&D 
B= 
let 
BA = 
( [ý {ý annotation. RESET, 
chanPROC STORAGECOMPONENT_HIGHEROUTER SPEC. 2, 
chan__PROC STORAGECOMPONENT HIGHER_OUTER_SPEC. 3, 
chan_link PROC_STORAGECOMPONENT_HIGHEROUTER SPEC 
Il 
ý] x: eet(sid) 0 BB(x) 
chan_link PROC_STORAGECOMPONENT_HIGHEROUTER SPEC, 
char PROC STORAGECOMPONENT HIGHER OUTER SPEC, 
190 
Appendix F: Multi-Type Component Generic Specification Model Example 
I} 
II 
BD 
BB (x) _ 
(! III y: eet(sid) ® annotation. RESET. y -> SKIP ); BB(x) 
annotation. IDLE. x -> 
-> than link _PROC_STORAGECOMPONENT_HIGHER _OUTER 
SPEC 
Chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 2 -> SKIP 
11 
Chan PROC STORAGECOMPONENTHIGHER OUTER SPEC. 3 -> SKIP 
annotation. RESET 
ý 
( char link PROC STORAGECOMPONENT HIGHER OUTER SPEC -> BB(x) 
[l 
annotation. STORE. x -> 
chan_PROC STORAGECOMPONENT_HIGHER_OUTER_SPEC. 0 
111 ya{0.. (bitLength-1)} 
annotation. DATABIT. x. y. 0 -> SKIP 
tl 
annotation. DATABIT. x. y. 1 -> SKIP 
chan_link 
_PROC 
STORAGECOMPONENT HIGHER OUTER SPEC -> 
chan_PROC STORAGECOMPONENT_HIGHER OUTER_SPEC. 2 -> 
annotation. STORED. x -> 
chan_link PROC_STORAGECOMPONENT HIGHER_OUTER_SPEC -> 
SB(X) 
1) 
chan_PROC_STORAGECOMPONENT_HIGHER OUTER_SPEC. 3 -> 
annotation. NOTSTORED. x -> 
Chan link_PROC_STORAGECOMPONENT RIGHER_OUTERSPEC -> 
BC (x) 
BC (x) - 
y: aet(aid) ! annotation. RESET. y -> SKIP ); BB(x) 
I] 
chan_link 
_PROC_STORAGECOMPONENT_HIGHER_OUTER 
SPEC -> 
chan_PROC STORAGECOMPONENT_HIGHER OUTER_SPEC. 3 
annotation. NOTSTORED. x -> 
chan_link PROC_STORAGECOMPONENT HIGHER_OUTER_SPEC -> 
BC (x) 
-- Storeage 
BD = 
chan_link 
_PROC_STORAGECOMPONENT 
HIGHER OUTER SPEC -> 
chan_PROC STORAGECOMPONENT_HTGHER OUTER_SPEC. 2 
chan_link PROC_STORAGECOMPONENT HIGHER 
_OUTER 
SPEC -> 
BD 
t] 
chan_PROC STORAGECOMPONENT_HIGHER OtTfER_SPEC. 0 -> BE 
[] 
y: set(sid) ® annotation. RESET. y -> SKIP BD 
BE 
chan_link PROC STORAGECOMPONENT HIGHER OUTER SPEC -> 
chan_PRÖC STORAGECOMPONENTHIGHER OIITER_SPEC. 2 -> 
chan_link_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC -> 
BD 
U 
chan_PROC STORAf9ECOMPONENT HIaHER_OUTER SPEC. 0 -> BF 
BF a 
y: aet(sid) a annotation. RESET. y -> SKIP ); BD 
(l 
chan link PROC STORAßECOMPONENT HIGHER OUTER SPEC -> 
191 
Appendix F: Multi-Type Component Generic Specification Model Example 
chan_PROC_STORAßECOMPONENT_HIC3HER_OUTER_SPEC. 3 -> 
chan link_PROC_STORAC3ECOMPONENT_HIC3iiER_OUTER_SPEC -> 
BF 
[7 
chan_PROC STORAGECOMPONENTHIGHER OUTER SPEC. 0 -> BP 
within ( BA \ {ý Chan 
_link_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC, chap PROC STORAGECOMPONENT HIGHER OUTER SPEC 
I} 
let 
CA 
[ý {ý ennotation. RESET, 
i} 
chap link PROC STORAGECOMPONENT HIGHER OUTER SPEC 
1] x: eet(rid) a CB(x) 
CB(x) _ 
(( ýý) y: aet(rid) a annotation. RESET. y -> SKIP ); CB(x) 
[] 
annotation. IDLE. x -> 
chan_link_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC -> 
chan_link_PROC_STORAGSCOMPONENT HIGHER_OUTER SPEC -> 
CB (x) 
[] 
annotation. READ. x -> 
chan_link PROC_STORAGECOMPONENT_HIGHER_ODTER SPEC -> 
CC (x) 
CC (x) _ 
annotation. READALLOP1ED. x -> 
y: {0.. (bitLength-1)} a annotation. DATABIT. x. y. 0 -> SKIP 
chan_link_PROC STORAGECOMPONENT_HIGHER OUTER SPEC -> CB(x) 
within CA \ {ý chan_link_PROC_STORAGECOMPONENT_HIGHER OUTER_SPEC 
D= 
let 
DA = 
((( [) union({I annotation. RESET, 
chan_link _PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC 
{ chan_PROC_STORAGECOMPONENT_HIGHER OUTER SPEC. y 
I y<-{2,3} 
} 
f) x: filet (Bid) ® DB(x) 
union({l annotation. RESET, 
char link PROC STORAGBCOMPONBNP_HIGHER OUTER SPEC 
I} 
{ chan_PROC_STORAGECOMPONBNT_HIGSHER OUTER SPEC. y 
y-c'{2.3} 
} 
I] [I union({ annotation. RESET, 
chap link PROC STORAGECOMPONENT_HIGHER OUTER SPEC 
11 
{ chanPROC_STORAGECOMPONENT-HIGHER OUTER SPEC. y 
I y_< {2,3} } 
x. -set(rid) 0 DB(x) 
[ý {' cban link PROC STORAGECOMPONENT HIGHER OUTER SPEC, 
192 
Appendix F: Multi-Type Component Generic Specification Model Example 
17 
DJ ý ýci 
i} -- Store 
DB(x) - 
ChanPROC STORAGECOMPONENT_HIGHER 
_OUTER _SPEC, chan_atorebita_PROC STORAGECOMPONENT HIGHER 
_OUTER _SPEC, char readbits_PROC_STORAGECOMPONENT_HZGHER_OUTER_SPEC, 
annotation. RESET 
11 
than link_PROC STORAGECOMPONENT_HIGHER_OUTER SPEC, 
chap PROC_STORAGECOMPONENT_HIGHEROUTER SPEC, 
chan_etorebitaPROCSTORAGECOMPONENT_HIGHER OUTER SPEC, 
chan_readbita_PROC STORAGECOMPONENT HIGHER_OUTER_SPEC 
chan_link PROC STORAdECOMPONENT_HIf3fIER_OUTER 
_SPEC -> (7(_ ýjý y: union(set(sid), set(rid)) ® annotation. RESET. y -> SKIP 
DS (x) 
[] 
annotation. IDLE. x -> 
chan_link 
_PROC_STORAGECOMPONENT_HIGHER 
OUTER SPEC -> 
chan_PROC STORAGECOMPONSNT HIGHER_OUTER_SPEC. 2 -> SKIP 
Q 
Chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 3 -> SKIP 
; DS (x) 
(] 
annotation. STORE. x -> 
Chan_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC. 0 -> 
(( III y: {0.. (bitLength-1)} 
annotation. DATABIT. x. y. 0 -> 
chap storebits_PROC STORAGECOMPONENT_HIGHER OUTER_SPEC. y. 0 -> 
SKIP 
i] 
annotation. DATABIT. x. y. 1 -> 
chan_storebits PROC_STORAG$COMPONENT HIGHER OIITER_SPEC. y. 1 -> 
SKIP 
-> chan_link 
_PROC_STORAGtECOMPONENT 
HIGHER 
_OUTER-SPEC 
chan_PROC_STORAGECOMPONENT_HI(3HER_OUTER SPEC. 2 -> 
annotation. STORED. x -> 
DB (x) 
[) 
chan_PROC STORAGECOMPONENT_HIGtHER ODTER_SPEC. 3 -> 
-> annotation. NOTSTORED. x 
DD(x) 
DD (x) - 
Chan_link PROC_STORAGECOMPONENT_HIGHER_OUTER SPEC -> 
((( Ill y: union(set(sid), set(rid)) 0 annotation. RESET. y 
DB (x) 
[] 
chan_link PROC_STORAaECOMPONENT_HIQHER_OUTER_SPEC -> 
chin 
_PROC 
STORAC3ECOMPONENT_HIC3HER OUTER_SPEC. 3 -> 
annotation. NOTSTORED. x -> 
DD (x) 
-> SKIP 
193 
Appendix F: Multi-Type Component Generic Specification Model Example 
-- Reads 
DE (x) - 
chan_link 
_PROC 
STORAGECOMPONENT_HIGHER OUTER SPEC -> 
((( ITI y: union(set(sid), set(rid)) a annotation. RESET. y -> SKIP 
DB (x} 
U 
annotation. IDLE. x -> 
chan link 
_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC -> chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 2 -> SKIP 
11 
chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 3 -> SKIP 
; DS (X) 
H 
annotation. READ. x -> 
chan_PROC 8TORAGECOMPONENT HIGHER OUTER SPEC. 1 -> 
((( [ý union( 
{ Chan_PROC_STORAGECOMPONENTHIGHER OUTER SPEC. y, 
annotation. READALLOWED. x, 
annotation. DONTREAD. x, 
chan_link_PROC STORAGECOMPONENT_HIGHER OTTTER SPEC 
I y<-{2,3} 
} 
{) annotation. RESET 
y: {O.. (bitLength-1)} 
Chan 
_readbits_PROC_STORACECOMPONENT 
HIGHER_OTTfER SPEC. y. 0 -> 
DG(x, y, 0) 
(] 
than_readbite_PROC_STORAGECOMPONENT HIGHER_OUTER_SPEC. 7.1 
DG (x, y, 1) 
) 
[I union({ chan_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC. y, 
annotation. READALLOWED. x, 
annotation. DONTREAD. x, 
chan_link_PROC-STORAGECOMPONENT_HIGHER_OUTER_SPEC 
I y<-{2,3j 
} 
{ý annotation. R8S8T (} 
DE (8) 
1] 
DF(x) 
DF(X) : 
y: union(aet(aid), aet(rid)) ® annotation. RESET. y -> SKIP 
[l 
chan_link PROC STORAGECOMPONENT HIGHER_OUTER SPEC -> 
chan_PROCSTORAGECOMPONENT 
HIGHER_OUTER SPEC. 2 -> 
annotation. READALLOWED. x -> 
SKIP 
[l 
chan_PROCSTORAGECOMPONENT HIGHER_OUTER_SPEC. 3 -> 
annotation. DONTREAD. x -> 
chan link PROC STORAGECOMPONENT HIGHER oUTER_SPEC -> 
DF(x) 
194 
Appendix F: Multi-Type Component Generic Specification Model Example 
DG(x, Y, Z) _ 
Chan 
_link 
PROC_STORAGECOMPONENT HIGHER_OUTER SPEC -> 
chan_PROC STORAGECOMPONENT_HIGHEROUTER SPEC. 2 -> 
annotation. READALLOWED. x -> 
annotation. DATABIT. x. y. z -> 
SKIP 
[l 
chan_PROC STORAGECOMPONENT_HIGHER OUTER_SPEC. 3 -> 
annotation. DONTREAD. x -> 
Chan 
_link 
PROC STORAGECOMPONENT HIGHER OUTER SPEC -> 
DI (x) 
DI (x) - 
( III Y: union(aet(aid), set(rid)) ® annotation. RESET. y -> SKIP Cl 
chan link 
_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC -> chan_PROC STORAGECOMPONENT_HIGHER_OUTER_SPEC. 3 -> 
annotation. DONTREAD. x -> 
chan_link PROC STORAGECOMPONENT HIGHER OUTER SPEC -> 
DI (x) ----- 
-- Storeage 
DJ : 
( [ý {I annotation. RESET x: {0.. (bitLength-1)} ® DK(x, 0) ) 
[t {ý annotation-RESET 
DL 
DK (x, y) : 
(( III y: union(set(sid), set(rid)) it annotation. RESET. y -> SKIP 
DK W, 0) 
l 
[] 
chan_readbits_PROC STORAGECOMPONENT HIGHER OUTER SPEC. x. y -> DK(x, y) C] 
chan_atorebits_PROC STORAGECOMPONENT_HIGHER OUTER_SPEC. x. 0 -> DK(x, 0) 
C] 
chan_storebite PROC STORAGECOMPONENT HIGHER_OUTER_SPEC. x. 1 -> DK(x, 1) 
DL = 
-> chan_link _PROC_STORAGECOMPONENT_HIGHER _OUTER _SPEC 
-> ( chan_link_PROC_STORAGECOMPONENT_HIGHER_OUTER-SPEC 
chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 2 -> 
DL ----- 
(] 
char PROC STORAGECOMPONENT HIGHER OUTER SPEC. 0 -> DM 
11 
chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 1 -> DN 
11 
(( III y: union(set(aid), set(rid)) 0 annotation. RESET. y -> SKIP 
DL 
DM = 
chan_link PROC_STORAGECOMPONENT_HICüiER_OUTER SPEC -> 
chan_PRÖC_STORApECOMPONENT_HIQHER_OUTER_SPEC. 2 -> 
DL 
[] 
char PROC STORAGECOMPONENTHIGHER OUTER SPEC. 0 -> DO 
11 
Chan 
_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC. 
1 -> DO 
DN 
chan_link PROC_STORAGECOMPONENT_HIGHER 
_OUTER 
SPEC -> 
Chan PROC STORAGECOMPONENTHIGHER OUTER SPEC. 2 -> 
DL 
[1 
195 
Appendix F: Multi-Type Component Generic Specification Model Example 
Chan_PROC STORAGECOMPONENT HIGHER OUTER SPEC. 0 -> DO 
13 
Chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 1 -> DN 
DO ------ 
((Hýy: union(set(aid), set(rid)) ® annotation. RESET. y -> SKIP 
DL 
[] 
chan_link_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC -> 
Chan PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC. 3 -> 
chan'link PROC STORAGECOMPONENT HIGHER OUTER SPEC -> 
[l 
Chan PROC STORAGECOMPONENT HIGHER OUTER SPEC. 0 -> DO 
11 
Chan_PROC_STORAGECOMPONENT_HIGHER_OUTER_SPEC. 1 -> DO 
within DA 
within A 
F. 2 Assertions: Linking the Models Together 
To ensure consistency between all the models for a generic component, several assertions 
have to be proven. The consistency between the models is required because the proof of 
an implemented component can utilise several of these specifications. 
F. 2.1 GenSpec Assertion 1: Initial Deadlock-Free Check 
This initial deadlock-free check (see Figure 96) of GenSpec I( see section F. 1.1) is to 
provide a base comparison for future deadlock-free checks and trace refinements. 
196 
Appendix F: Multi-Type Component Generic Specification Model Example 
-- aha=al d. alarationi 
channel internalChoice 
channel chano {1} 
channel chani : {0,1} 
channel chant {0,1} 
channel chan3 : {0,1} 
channel chan4 : (0,1) 
channel chan5 : {0,1} 
channel chan6 : {0, i} 
channel chan7 : {0,1} 
channel chan8 (0,1} 
channel chan9 : {0,1} 
channel chanlO : (0,1) 
channel chanil : (0,1) 
channel chanl2 (0,1) 
channel chanl3 {0,1} 
channel chanl4 {0,1} 
channel chanl5 {0,1} 
channel chanl6 : {0,1} 
channel chanl7 : {0, i} 
-- Create an Instance of the miodel to check 
- The alpha_PROC6 contains the low level channels used by thii iastance 
alpha PROC6 -{I chan8, chan0, chanl2, chanl3, chanl5, chani, chan17, chanll, 
chan2, chan4, chan9, chan5, chan7, chanlO, chanl6, chanl4, 
chan3, chan6 (} 
PROC6 - PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanlO, chanll, <chanl2, chan13> 
(chan14, chaniS, <chan16, chan17> 
-- Side the iaternalChoice event to enaurs that PROC6 has 'ate=al choice 
-- performing correctly if needed. 
GEN SPEC1 =( PROC6 \ {internalChoice} 
-- Deadlock-free check the expected correct generic cappoaent 
assert GEN SPECI : [deadlock free [P]] 
Figure 96: Example of GenSpec Assertion 1 for Data Storage Specification 
F. 2.2 GenSpec Assertion 2: GenSpec 2 Contains GenSpec 1 Behaviour 
This assertion (see Figure 97) demonstrates that GenSpec 2 (see section F. 1.2) contains 
all the behaviour dictated by GenSpec 1 (see section F. 1.1), although this assertion allows 
GenSpec 2 to provide extra behaviours. 
197 
Appendix F: Multi-Type Component Generic Specification Model Example 
-- chann. 2 d. clarationa 
channel internalChoice 
channel chan0 : {1} 
channel chant : (0, i} 
channel chant to, i} 
channel chan3 {0,1} 
channel chan4 {0,1} 
channel chan5 (0,1} 
channel chan6 {0,1} 
channel chan7 {0,1} 
channel chan8 (0,1} 
channel chan9 {0,11 
channel chanlO {0,1} 
channel chanli to, i} 
channel chanl2 : {0,1} 
channel chanl3 : (0,1} 
channel chanl4 : {0,1} 
channel chants {0,1} 
channel chanl6 : (0,1} 
channel chanl7 {0,1} 
-- Create an instance of the atodels to check 
The alpha_PROC contains the loan level Channels used by the Processes 
alpha_PROCS chan8, chan0, chanl2, chan13, chanl5, chanl, chanl7, chanll, 
chant, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 1} 
PROCS - PROC_STORAGECOMPONENT_GENERIC_SPEC( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanhl, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
ý 
> 
alpha_PROC6 = (ý chan8, chanO, chanl2, chanl3, chanl5, chani, chanl7, chanii, 
chan2, chan4, chan9, chanS, chan7, chanlO, chanl6, chanl4, 
chan3, chan6 1} 
PROC6 a PROC STORAGECOMPONENT_DESIRED_GENERIC SPEC( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanli, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chnnl7> 
-- Aida the iaterna1Cboiaa event to ensure that proaeasea hat 
internal choice 
-- performing correctly if needed. 
GEN SPEC1 =( PROC6 \ (internalChoice} ) 
GEN SPEC2 -( PROCS \ (internalChoice} ) 
-- Check Ganspec 2 contains the behaviour of GenSpao 
1 
assert GEN SPEC2 [T- GEN SPEC1 
Figure 97: E: ample of GenSpec Assertion 2 for Data Storage Specification 
F1.3 GenSpec Assertion 3: GenSpec 3 Compatible with GenSpec 2 
198 
Appendix F. Multi-Type Component Generic Specification Model Example 
This assertion (see Figure 98) demonstrates that the GenSpec 3 controlling specification 
(see section F. 1.3) does not introduce any new behaviour to the specifications it is being 
run in parallel with. This still leaves the possibility of it limiting the events that can occur, 
but does not guarantee any properties regarding this. 
-- chaanal d. claratioai 
channel internalChoice 
channel chan0 : {i} 
channel chant, chant, chan3, chan4, chan5, chan6, chan7, chan8, chan9, chanlO, 
chanli, chanl2, chanl3, chani4, chanl5, chanl6, chanl7 : {0,1} 
-- Create an instance of the models to check 
-- The alpha_PROC contains the low level channels used by the processes 
alpha_PROC4 chane, chan0, chanl2, chanl3, chanl5, chani, chanl7, chanll, 
chant, chan4, chan9, chan5, chan7, chanlO, chanl6, chanl4, 
chan3, chan6 1} 
PROC4 = PROC_STORAGECOMPONENT CONTROLL( 
chanO, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chane, chan9> 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chaniS, <chanl6, chanl7> 
), 
> 
alpha_PROCS = {ý chan8, chan0, chanl2, chanl3, chanl5, chanl, chanl7, chanil, 
chan2, chan4, chan9, chan5, chan7, chanio, chanl6, chan14, 
chan3, chan6 1} 
PROCS - PROC_STORAGBCOMPONfiNT_GENERIC_SPEC( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanii, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
ý 
-- Ride the internalC'hoiae event to ensure that proaaMaea haa internal ahoiae 
-- performing correctly if needed. 
GEN SPEC3 - PROC4 
GEN_SPEC2 -( PROCS \ (internalChoice} 
-- QanBpaa? Iiaitad by the control . pacification /ian8p. o3 
GEN SPEC2_WITH_CONTROLL - GEN SPEC2 (I alpha_PROC2 
11 GEN SPEC3 
-- Chaalt QanBpac2 contain. the bahavioer Of QanBpac? lisitad by QanBpaa3 
assert GEN SPEC2 [T. GEN_SPEC2_WITFi CONTROLL 
Figure 98: Example of GenSpec Assertion 3 for Data Storage Specification 
199 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.4 GenSpec Assertion 4: GenSpec 3 Removes Deadlock from GenSpec 2 
This assertion (see Figure 99) demonstrates that GenSpec 3 (see section F. 1.3) removes 
the possibility of driving the component it is run in parallel with, incorrectly. This does 
not dictate that GenSpec 3 does not remove a correctly driving option. 
-- channel declarations 
channel internalchoice 
channel chanO : (1} 
channel chant, chan2, chan3, chan4, chanS, chan6, chan7, chan8, chan9, chanl0, 
chanll, chanll, chanl3, chanl4, chanl5, chanl6, chanll : (0,1} 
-- Create an instance of the models to check 
The alpha PROC contains the low level channels used by the processes 
alpha_PROC4 (l chan8, chan0, chanll, chanl3, chanl5, chant, chanll, chanil, 
chant, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 !} 
PROC4 = PROC_STORAGECOMPONENT CONTROLL( 
chan0, 
chant, 
< (chant, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanll, <chanl2, chanl3> 
(chan14, chanl5, <chanl6, chanl7> 
alpha PROCS = {ý chan8, chanO, chanl2, chanl3, chanl5, chanl, chanl7, chanil, 
chan2, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 1} 
PROCS = PROC_STORAGEC'OMPONENT GENERIC SPEC( 
chano, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanli, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
> 
-- Hide the internalChoiae event to ensure that processes has internal ahoiae 
-- pertorsring correctly it needed. 
GEN_SPEC3 - PROC4 
GEN_SPEC2 -( PROCS \ {internalChoice} 
-- GanBpoas Ziatitad by the aontroZ apaciliaation 0an8pac3 
GEN SPEC2_WITH_CONTROLL - GEN SPEC2 (I alpha_PROC4 11 GEN_SPEC3 
-- Chock that GaaBpsc3 rrrovaa the incorrect driving options from GonSpac2 
assert GEN_3PEC2 WITH CONTROLL : (deadlock free [F)) 
Figure 99: Example of GenSpec Assertion 4 for Data Storage Speciflcadon 
F. 2.5 GenSpec Assertions 5: GenSpec 3 Removes Only Incorrect Driving 
These assertions (see Figure 100) demonstrate that GenSpec 3 limits the process it is run 
in parallel with, such that it only allows correct driving signals. These assertions also 
200 
Appendix F: Multi-Type Component Generic Specification Model Example 
demonstrates that GenSpec 3 does not introduce any extra behaviours and does not 
remove any correct driving options, it is achieved through proving that GenSpec 3 run in 
parallel with GenSpec 2 is indistinguishable to GenSpec 1. 
201 
Appendix F: Multi-Type Component Generic Specification Model Example 
-- channel declaration-& 
Channel internalChoice 
channel chano : {i} 
channel chanl, chan2, chan3, chan4, chan5, chan6, chan7, chane, chan9, chanlO, 
chanli, chanl2, chanl3, chanl4, chanl5, chanl6, chanl7 : {0,1} 
Create an instance of the swdels to check 
The alpha_PROC contains the low level channels need by the processes 
alpha_PROC4 - {I chan8, chan0, chan12, chan13, chanl5, chant, chanl7, chanll, 
chant, chan4, chan9, chan5, chan7, chanlO, chanl6, chan14, 
chan3, chan6 1} 
PROC4 - PROC STORAGECOMPONENT_CONTROLL( 
chano, 
chant, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, cchan8, chan9> 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chani5, <chanl6, chanl7> 
alpha PROCS = {ý chane, chanO, chanl2, chanl3, chanl5, chanl, chanl7, chanli, 
chan2, chan4, chan9, chan5, chan7, chani0, chanl6, chanl4, 
chan3, chan6 (} 
PROCS = PROC_STORAGiECOMPONENT GSENERiC SPEC( 
chanO, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, cchan8, chan9> 
< (chanl0, chanil, <chanl2, cbanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
alpha_PR0C6 - {l chan8, chan0, chanl2, chanl3, chanl5, chani, chanl7, chanll, 
chan2, chan4, chan9, chanS, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 11 
PROC6 = PROC_STORAßECOMPONENT DESIRED C3ENERIC SPEC( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chanB, chan9> 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
-- Side the internalChoiae event to ensure that processes has internal choice 
-- perfozsing correctly if needed. 
GEN SPEC1 -( PROC6 \ {internalChoice} ) 
GEN SPEC2 -( PROCS \ {internalChoice} ) 
GEN_SPEC3 - PROC4 
-- Gen8psc2 lialtsd by the control specification Genepec3 
GEN SPEC2_WITH_CONTROLL - GEN SPEC2 [I alpha_PROC4 11 GEN_SPEC3 
-- Check that Gsn8psc3 In parallel with Gsnßpec2 is India tinguishable to 
-- GenBpecl 
assert GEN_SPEC1 [FD. GEN_SPEC2_WITH_CONTROLL 
assert GEN_SPEC2_WITH_CONTROLL [FD. GEN SPEC1 
Figure 100: Example of GenSpec Assertions 5 for Data Storage Specification 
202 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.6 GenSpec Assertions 6: Properties of the Annotation Events 
These assertions (see Figure 101) demonstrate that the annotation event contained within 
GenSpec 4 do not introduce extra behaviours, but are only used to conceptually describe 
what is occurring. This is achieved through hiding the annotation events, and proving that 
the resultant process is indistinguishable to the GenSpec 2 model. 
-- channel dealaratIons 
allowedIDS - 10. . 41 datatype STATES - 
START. allowedIDS ý FINISH. allowedlDS I NOTFINISHED. allowedIDS 
RESET. allowedIDS ý ERROR. allowedIDS I IDLE. allowedIDS I STORE. allowedIDS 
STORED. allowedIDS ý NOTSTORED. allowedIDS I READ. allowedIDS ý 
READALLOWED. allowedIDS I DONTREAD. allowedIDS ý 
DATAHIT. allowedIDS. {0.. 2}. {0,1} 
channel annotation : STATES 
channel internalChoice 
channel chan0 : {1} 
channel chanl, chan2, chan3, chan4, chan5, chan6, chan7, chan8, chan9, chanlO, 
chanli, chan12, chanl3, chanl4, chani5, chanl6, chanl7 : {0,1) 
-- Create an instance of the aodals to chock 
The alpha PROC contains the low level channels used by the processes 
alpha_PROC1 - {I chan8, chanO, chanl2, chanl3, chanl5, chant, chanl7, chanil, 
chant, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 1} 
PROC1 : PROC_STORAGECOMPONENT_ANNOTATED_SPEC( 
chan0, 
chant, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
<1,2 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
<3,4 > 
alpha_PROCS = {ý chan8, chanO, chanl2, chanl3, chanl5, chanl, chanl7, chanil, 
chan2, chan4, chan9, chanS, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 1} 
PROC5 . PROC_STORAGECOMPONENT_GENERIC_SPEC( 
chan0, 
chanl, 
< (chan2, chan3, <chan4, chan5> ), (chan6, chan7, <chan8, chan9> ) >, 
< (chanlO, chanil, <chanl2, chanl3> ), (chanl4, chanl5, <chanl6, chanl7> 
)> 
-- Sid, the intarnalChoiaa vent to ensure that processes has 
internal choice 
-- performing correctly If needed. 
GEN SPEC2 -( PROCS \ {internalchoice} 
GEN SPEC4 -( PROC1 \ {internalchoice} 
-- 
fiansp, c4 with the annotations hidden 
GEN SPEC4_NO_ANNOTATIONS -( GEN_SPEC4 \ {( annotations 
ý} ) 
-- Check that GenSpsa3 in parallel with Genßpec2 is indistinguishable 
to 
-- GenSpool 
assert GEN SPEC4`NO ANNOTATIONS [FD- GEN SPEC2 
assert GEN SPEC2 [FD- GEN SPEC4 NO ANNOTATIONS 
Figure 101: Example of GenSpec Assertion 6 for Data Storage Spec 
203 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.7 GenSpec Assertion 7: GenSpec 3 Compatible with GenSpec 4 
This assertion (see Figure 102) proves that the control process GenSpec 3 does not add 
extra behaviours to the annotated generic specification GenSpec 4. 
-- 0-h-nnol declarations 
allowedlDS - {0.. 4} datatype STATES - 
START. allowedIDS FINISH. allowedIDS I NOTFINISHED. allowedlDS 
RESET. allowedIDS ( ERROR. allowedIDS I IDLE. allowedIDS I STORE. allowedIDS 
STORED. allowedlDB ý NOTSTORED. allowedIDS I READ. allowedIDS ý 
READALLOiPED. allowedIDS I DONTREAD. allowedIDS 
DATABIT. allowedIDS. {0.. 2}. {0,1} 
channel annotation : STATES 
channel internalChoice 
channel chan0 : {1} 
channel chant, chant, chan3, chan4, chan5, chan6, chan7, chan8, chan9, chanlO, 
chanll, chanl2, chanl3, chanl4, chanl5, chanl6, chanl7 : (0,1) 
-- Create an lnetance of the imodels to check 
-- The alpha P80C contains the low 1ew1 channels usad by the processes 
alpha_PROC4 = {ý chan8, chan0, chanl2, chanl3, chanl5, chani, chanl7, chanli, 
chan2, chan4, chan9, chan5, chan7, chanlO, chanl6, chanl4, 
chan3, chan6 1} 
PROC4 - PROC_BTORAf88COMPONfiNT_CONTROLL( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanlO, chanii, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
alpha_PROC1 . {ý chan8, chanO, chanl2, chanl3, chanl5, chani, chanl7, chanil, 
chan2, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 1} 
PROC1 - PROC_STORAC3ECOMPONENT_ANNOTATSD_SPEC( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chane, chan9> ) 
<1,2 
< (chanl0, chanli, <chanl2, chanl3> ), (chan14, chanl5, <chanl6, chanl7> 
) >, 
<3,4 > 
-- Side the interaalCholae event to ensure that processes has internal ahoiae 
-- performing correatly if needed. 
GEN_SPEC3 - PROC4 
GEN_SPEC4 -( PROM \ (internalChoice} 
-- Gen8peo4 liaited by the control epecitication Gon8pe03 
GEN_SPEC4_tiPITH_CONTROLL - GEN SPEC4 (I alpha_PROC4 
(] GEN_SPEC3 
-- Check Gen8pec4 oontaiai the behaviour of Gea8pec4 11aited by GenSpec3 
assert GEN_SPEC4 IT. GEN_SPEC4_PiITH CONTROLL 
Figure 192: Example of GenSpec Assertion 7 for Data Storage Specification 
204 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.8 GenSpec Assertion 8: GenSpec 3 Removes Deadlock From GenSpec 4 
This assertion (see Figure 103) proves that the control process GenSpec 3 removes the 
explicitly defined deadlocks from the annotated generic specification GenSpec 4. 
-- channel diolarationa 
allowedIDS - {0.. 4} 
datatype STATES - 
START. allowedIDS ý FINISH. allowedIDS I NOTPINISHED. allowedIDS 
RESET. allowedIDS ý ERROR. allowedIDS I IDI, E. allowedIDS I STORE. allowedIDS 
STORED. allowedlDS ( NOTSTORED. allowedlDS I READ. allowedIDS 
READALLOWED. allowedIDS I DONTREAD. allowedIDS ý 
DATABIT. allowedIDS. {0.. 2}. {0,1} 
channel annotation : STATES 
channel internalChoice 
channel chanO : {i} 
channel chani, chan2, chan3, chan4, chan5, chan6, chan7, chan8, chan9, chanl0, 
chanll, chanl2, chanl3, chanl4, chanl5, chanl6, chan17 : (0,1} 
-- Create an instance of the models to check 
-- The alpha PROC contains the low level channels used by the processes 
4lpha_PROC4 - (I chan8, chanO, chanl2, chanl3, chanl5, chani, chanl7, chanil, 
chant, chan4, chan9, chan5, chan7, chanl0, chan16, chanl4, 
chan3, chan6 1} 
PROC4 - PROC_STORAGECOMPONENT CONTROLL( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanli, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
alpha_PROC1 = (' chan8, chan0, chanl2, chanl3, chanl5, chani, chanl7, chanil, 
chan2, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 (} 
PROCi - PROC STORAC3ECOMPONENT ANNOTATED SPEC( 
chan0, --- 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
<1,2 >, 
< (chanl0, chanll, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
<3,4 > 
Side the internalChoiae event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN 8PEC3 . PROC4 
GEN 8PEC4 -( PROC1 \ (internalChoice) 
-- GenSpea4 limited by the control specification Oenspec3 
GEN SPEC4 WITH_CONTROLL - GEN_SPEC4 [I alpha_PROC4 1] GEN_SPEC3 
-- Check that Oanspec3 removes the incorrect driving options 
from OenSpaa4 
assert GEN 8PEC4 WITH CONTROLL : [deadlock free fFll 
Figure 103: Example of GenSpec Assertion 8 for Data Storage Specification 
205 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.9 GenSpec Assertions 9: GenSpec 4 is an Annotated GenSpec 2 
These assertions (see Figure 104) demonstrate that if the annotation events contained 
within GenSpec 4 are hidden, then GenSpec is indistinguishable to GenSpec 2. 
-- channel daclaratiana 
allowedlDS - {0.. 4} 
datatype STATES - 
START. allowedIDS ý FINISH. allowedlDB I NOTFINISHED. allowedIDS ý 
RESET. allowedlDS ERROR. allowedIDS I IDLE. allowedlDS I STORE. allowedlDS 
STORED. allowedIDS ý NOTSTORED. allowedIDS I READ. allowedIDS ý 
READALLO1aED. allowedIDS I DONTREAD. allowedIDS ý 
DATABIT. allowedIDS. {0.. 2}. {0,1} 
channel annotation : STATES 
channel internalChoice 
channel chan0 : {1} 
channel chani, chan2, chan3, chan4, chan5, chan6, chan7, chan8, chan9, chanl0, 
chanii, chanl2, chanl3, chanl4, chanl5, chanl6, chanl7 : {0,1} 
-- Create an instance of the aodele to check 
-- The alpha PROC contains the low level channels used by the processes 
aipha_PROCS (( chan8, chanO, chanl2, chanl3, chanl5, chant, chanl7, chanll, 
chant, chan4, chan9, chan5, chan7, chanl0, chan16, chan14, 
chan3, chan6 11 
PROCS = PROC STORAGECOMPONENT GENERIC SPEC( 
chan0, 
chant, 
< (chan2, chan3, <chan4, chan5> ), 
(chan6, chan7, <chan8, chan9> ) 
ý I < (chani0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
alpha_PROC1 = (ý chan8, chanO, chanl2, chanl3, chanl5, chanl, chanl7, chanll, 
chan2, chan4, chan9, chan5, chan7, chanl0, chan16, chan14, 
chan3, chan6 1} 
PROC1 = PROC_STORAC3ECOMPONENT_ANNOTATED_SPEC( 
chan0, 
chanl, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
<1,2 >, 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
<3,4 > 
-- Bide the internalchoice event to ensure that processes has internal choice 
-- performing correctly i! needed. 
GEN SPEC2 -( PROCS \ {internalChoice} ) 
GEN SPEC4 -( PROC1 \ {internalChoice} ) 
-- 
Öen8pec4 
with hidden annotation events 
GEN SPEC4_NOANNOTATIONS -( GEN SPEC4 \ {I annotation 
I} ) 
-- Check that Oenspec4 with hidden annotations is indistinguishable to 
Gen2pec2 
assert GEN SPEC4_NO_ANNOTATIONS [FD- GEN SPEC2 
assert GEN_SPEC2 (FD- GEN SPEC4 NO ANNOTATIONS 
Flure 104: Example of GenSpec Assertions 9 for Data Storage Specification 
206 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.10 GenSpec Assertion 10: GenSpec 6 Deadlock-Free 
This assertion (see Figure 105) deadlock-free checks GenSpec 6 which helps to provide a 
base comparison for future deadlock-free checks and trace refinements for the 
annotations. 
-- Channel declarations 
allowedIDS - {0.. 4} 
datatype STATES - 
START. allowedIDS ý FINISH. allowedlDS I NOTFINISHfiD. allowedIDS 
RESET. allowedIDB ERROR. allowedIDS I IDLE. allowedIDS I STORE. allowedIDS 
STORED. allowedIDS ( NOTSTORED. allowedIDS I READ. allowedIDS ( 
READALLOWED. allowedIDS I DONTREAD. allowedIDS ý 
DATABIT. allowedlDB. {0.. 2}. {0,1} 
channel annotation : STATES 
-- Higher Outsr 8p"a 
GEN SPEC6 - PROC_STORAGECOMPONENT HIGHER_OUTER_SPEC(2, <1, 
-- Chock that G. näpoc6 is deadlock-fraa 
assert GEN SPEC6 : [deadlock free [F]] 
2>, <3,4> i 
Figure 105: Example of GenSpec Assertion 10 for Data Storage Specification 
i 
F. 2.11 GenSpec Assertions 11: GenSpec 5 Annotates Outer Level Correctly 
These assertions (see Figure 106) demonstrate that GenSpec 5 will annotate the outer 
level of a correct process with annotation events that are similar to GenSpec 6. The 
assertions can not be failures divergent checked ('[PD. ') because the events that represent 
the low level signals which have been hidden, determine the initial state and thus the 
annotation that occurs. 
207 
Appendix F: Multi-Type Component Generic Specification Model Example 
-- channel doclaratickne 
allowedIDS - {0.. 4} 
datatype STATES = 
START. allowedlDS ( FINISH. allowediD3 ( NOTFINISHED. allowedIDS 
RESET. allowedIDS ERROR. allowedIDS I IDLE. allowedIDS ( STORE. allowedIDS 
STORED. allowedIDS ( NOTSTORED. allowedIDS I READ. allowedIDS ( 
READALLOIPED. allowedIDS I DONTREAD. allowedIDS 
DATABIT. allowedIDS. {0.. 2}. {0,1} 
channel annotation : STATES 
i 
channel internalChoice 
channel chan0 : {1} 
channel chani, chan2, chan3, chan4, chanS, chan6, chan7, chan8, chan9, chanl0, 
chanil, chanl2, chanl3, chanl4, chanl5, chanl6, chan17 : {o, 1} 
-- Create an instance of the models to check 
The alpha PROC contains the low level channels used by the proaesses 
alpha_PROC3 chan8, chan0, chanl2, chanl3, chanl5, chant, chanl7, chanil, 
chan2, chan4, chan9, chan5, chan7, chanlO, chanl6, chan14, 
chan3, chan6 1} 
PROC3 = PROC_STORAGECOMPONENT_ANNOTATE_OUTER( 
chan0, 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
>, 
<1,2 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
<3,4 > 
), 
alpha_PROC6 = {ý chan8, chan0, chanl2, chanl3, chani5, chani, chanl7, chanii, 
chan2, chan4, chan9, chan5, chan7, chani0, chanl6, chanl4, 
chan3, chan6 1} 
PROC6 - PROC_STORAGECOMPONENT_DESIRED_GENERIC_SPEC( 
chan0, 
chanl, 
< (chan2, chan3, cchan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
-- Hide the internalChoica event to ensure that processes has internal choice 
-- perforasing correctly if needed. 
GEN SPEC1 .( PROC6 \ {internalChoice} ) 
GEN_SPECS s PROC3 
GEN SPEC6 - PROC STORAGECOMPONENT HIGHER OUTER SPEC(2, cl, 2>, <3,4> 
-- GenBpacl with annotation events added by Genßpoc 5 running in parallel 
GEN_SPEC1 WITH 
_ANNOTATIONS .( 
GEN_SPEC1 [I alpha_PROC3 1] GEN_SPECS 
-- Tha annotations only that ware added to Genßpecl by GenSpsc 5 
GEN SPEC1 ANNOTATIONS ONLY - (GEN SPEC1_WITH_ANNOTATIONS \ alpha_PROC6 ) 
-- Check that Genipec4 with hidden annotations is indistinguishable to Ganßpoa2 
assert GEN_SPEC1 ANNOTATIONS ONLY [T= GEN_SPEC6 
assert GEN_SPEC6 [T- GEN_SPEC1 ANNOTATIONS ONLY 
Figure 106: Example of GenSpec Assertion 11 for Data Storage Specification 
208 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.12 GenSpec Assertions 12: GenSpec 5 Does Not Introduce Extra 
Behaviour 
These assertions (see Figure 107) demonstrates that GenSpec 5 does not add extra 
behaviours, but only adds events that conceptually annotates the process it is run in 
parallel with. This is shown by the fact that the process run in parallel with GenSpec 5, 
with the annotations then hidden is equivalent to the initial process by itself. 
209 
Appendix F: Multi-Type Component Generic Specification Model Example 
-- channel declarations 
allowedIDS . {0.. 4} 
datatype STATES - 
START. allowedlDB FINISH. allowedIDS I NOTFINISHED. allowedIDS 
RESET. allowedIDS ý ERROR. allowedIDS I IDI, E. allowedIDS I STORE. al2owediDS 
STORED. allowedIDS NOTSTORED. allowedIDS I READ. allowedIDS ý 
READALLO¢PED. allowedIDS I DONTREAD. allowedIDS ( 
DATABIT. allowedIDS. {0.. 2}. {0,1} 
channel annotation : STATES 
I 
channel internalChoice 
channel chan0 : {1} 
channel chant, chan2, chan3, chan4, chan5, chan6, chan7, chan8, chan9, chanl0, 
chanii, chanl2, chanl3, chanl4, chanl5, chanl6, chanl7 : {0, i} 
-- Create an instance of the models to check 
The alpha PROC contains the low level channels used by the processes 
alpha_PROC3 - {ý chan8, chanO, chanl2, chanl3, chanl5, chani, chanl7, chanii, 
chan2, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 1} 
PROC3 - PROC STORAGECOMPONENT ANNOTATE_OUTER( 
chan0, 
chani, 
< (chant, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
<1,2 >, 
< (chanl0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <cbanl6, chanl7> 
<3,4 > 
alpha_PROC6 chan8, chan0, chanl2, chanl3, chanl5, ahani, chanl7, chanil, 
chan2, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 1} 
PROC6 = PROC_STORAC3ECOMPONENT_DESIRED OENERIC SPEC( 
chan0, ' 
chani, 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanl0, chanll, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
-- Side the 1ntarnalChoice event to ensure that processes has internal choice 
-- perEoreing correctly if needed. 
GEN SPEC1 -( PROC6 \ {internalChoice} 
GEN SPEC5 - PROC1 
-- Gonspecl with annotation events added by Oenlpec 5 running in parallel 
GEN_SPEC1_WITH 
_ANNOTATIONS -( 
GEN_SPEC1 [I alpha_PROC3 11 GEN SPECS 
-- The annotations only that were added to Oentpecl by OenSpae 5 
GENSPECI_HIDDEN ANNOTATIONS : (GEN SPECl_WITH_ANNOTATIONS \ {I annotation i} ) 
-- Chock that G4nSp. 04 with Kidd n aaaotatioai is indiatiapuiihabl" to GavSp0o2 
assert GEN_SPEC1_HIDDEN_ANNOTATIONS [FD= GEN_SPEC1 
assert GEN SPEC1 [FD= GEN SPEC1 HIDDEN_ANNOTATIONS 
Figure 107: Example of GenSpec Assertions 12 for Data Storage Specification 
210 
Appendix F: Multi-Type Component Generic Specification Model Example 
F. 2.13 GenSpec Assertions 13: GenSpec 4 With Signals Hidden Is Similar to 
GenSpec 6 
These assertions (see Figure 108) demonstrates that GenSpec 4 correctly driven with the 
events that represent the low level signals hidden, performs in a similar manner to 
GenSpec 6. The processes can not be failures divergent checked ('[PD. ') both ways 
against each other, as the driving signal events (which are hidden) determine the initial 
annotation state that occurs. The hidden events become taue events preceding the initial 
annotations, which GenSpec 6 does not contain. 
211 
Appendix F: Multi-Type Component Generic Specification Model Example 
-- ehann01 declarations 
allowedIDS - {0.. 4} 
datatype STATES - 
START. allowedIDS ý FINISH. allowedIDS I NOTFINISHED. allowedlDS ý 
RESET. allowedIDS ý ERROR. allowedIDS I IDLE. allowedIDS I STORE. allowedIDS 
STORED. allowedIDS NOTSTORED. allowedIDS I READ. allowedIDS ý 
READALLOOPED. allowedIDS I DONTREAD. allowedIDS ý 
DATABIT. allowedIDS. {0.. 2}. {0,11 
channel annotation : STATES 
channel internalChoice 
channel chanO : {1} 
channel chanl, chan2, chan3, chan4, chan5, chan6, chan7, chane, chan9, chanl0, 
chanli, chan12, chan13, chanl4, chanl5, chanl6, chanl7 : {0,1} 
-- Create an instance of the models to check 
-- The alpha-PROC contains the low level channels used by the processes 
alpha_PROC1 . {ý chan8, chanO, chanl2, chanl3, chanl5, chani, chanl7, chanll, 
chan2, chan4, chan9, chan5, chan7, chanlO, chanl6, chanl4, 
chan3, chan6 1} 
PROC1 e PROC_STORAC3ECOMPONBNT_ANNOTATfiD_SPEC( 
chan0, 
chani, 
< (chan2, cheui3, <chan4, chan5> ), (chan6, chan7, <chan8, chan9> ) >, 
<1,2 >, 
< (chanl0, chanli, <chanl2, chanl3> ), (chanl4, chanl5, cchanl6, chanl7> ) >, 
<3,4 > 
alpha_PROC4 chan8, chanO, chanl2, chanl3, chanl5, chanl, chanl7, chanil, 
chan2, chan4, chan9, chan5, chan7, chanlO, chanl6, chanl4, 
chan3, chan6 1} 
PROC4 . PROC_STORAGECOMPONENT_CONTROLL( 
chanO, 
chani, 
< (chan2, chan3, <chan4, chan5> ), (chan6, chan7, <chan8, chan9> ) >, 
< (chanl0, chanli, <chanl2, chanl3> ), (chanl4, chanl5, <chanl6, chanl7> )> 
-- Ride the internalChoiae event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN SPECS - PROC4 
GEN SPEC4 -( PROM \ {internalChoice} 
GEN SPEC6 - PROC_STORAGECOMPONENT HIGHER OUTER_SPEC(2, cl, 2>, <3,4> 
-- Gmspoc4 limited by the control specification Oenspe03 
GEN SPEC4_WITH 
_CONTROLL =( 
GEN SPEC4 [I alpha_PROC4 1] GEN_SPEC3 
-- Genspe04 limited by the control specification Genspeo3, annotation only 
GEN_SPEC4_ANNOTATIONS_ONLY - (GRN SPEC4_WITH_CONTROLL \ alpha_PROC1 
-- Check that 0enfipec4 with hidden signals is similar to Oenspeo6 
-- These can not be failures divergent checked 'fFDJ' both ways, as the low 
-- level driving signals that precedes the corresponding annotation events and 
-- determine their occurrences, are hidden. 
assert GENSPEC4 ANNOTATIONS ONLY [FD= GEN_SPEC6 
assert GEN_SPEC6 [T= GEN SPEC4 ANNOTATIONS ONLY 
Figure 108: Example of GenSpec Assertions 13 for Data Storage Specification 
F. 3 Similarities to Single Type Component Specifications 
Apart from the models and assertions covered in section F. I and F. 2, similarities between 
this multi type generic component specification and single type generic specifications that 
represent its interfaces (both the different types of interfaces it can provide, along with its 
212 
Appendix F: Multi-Type Component Generic Specification Model Example 
ability to provide multiple instances of those types). The specification for the multi type 
component has the models of the single type interface specifications incorporated directly 
into its self, this is because this component is concerned with the interactions between 
instances of these interfaces, and as such the main aim of the following assertions is to 
provide confidence that this is achieved. 
Figure 109: Assertions Demonstrating Similarities with Single Type Generic Interface Specifications 
-- e8aaaal declaratioaa 
allowedIDS - {0.. 4} 
datatype STATES . 
START. allowedIDS ý FINISH. allowedIDS I NOTFINISHED. allowedIDS 
RESET. allowedlDB ý ERROR. allowedIDS I IDLE. allowedIDS I STORE. allowedIDS 
STORED. allowedIDS NOTSTORED. allowedIDS I READ. allowedIDS ý 
READALLOWED. allowedlDS I DONTREAD. allowedlDS ý 
DATABIT. allowedIDS. {0.. 2}. {0,1} 
channel annotation : STATES 
I 
channel internalChoice 
channel chan0 : (1} 
channel chant, chant, chan3, chan4, chan5, chan6, chan7, chan8, chan9, chanlO, 
chanil, chanl2, chanl3, chanl4, chanl5, chanl6, chanl7 : {0,1} 
-- Croats an instance of the models to check 
-- The alpha PROC contains the low level channels used by the processes 
alpha_PROC4 tI chan8, chanO, chanl2, chanl3, chan15, chant, chanl7, chanll, 
chan2, chan4, chan9, chanS, chan7, chanlO, chanl6, chanl4, 
chan3, chan6 1} 
PROC4 : PROC STORACGRCOMPONENT_CONTROLL( 
chan0, 
chant, 
< (chant, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> 
< (chanlO, chanli, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chani7> 
> 
alpha_PROCS s {ý chane, chan0, chanl2, chanl3, chanl5, chani, chanl7, chanll, 
chan2, chan4, chan9, chan5, chan7, chanl0, chanl6, chanl4, 
chan3, chan6 I} 
PROC5 - PROC_STORAGECOMPONENT_GENERIC_SPEC( 
chanO, 
chani, 
< (chan2, chan3, cchan4, ChanS> 
(chan6, chan7, cchan8, chan9> 
< (chanl0, chanll, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
- The ainQla typo interface components 
alpha 
_INTERFACE 
1- {) chanO, chani, chan2, chan3, chan4, chan5 
INTERFACE 
_1 
- 
PROC_DATASTORE_GENERIC 
_SPEC(chanO, 
chani, chan2, chan3, <chan4, chan5> 
INTERFACE 1_WITH_CONTROLL 
INTERFACE-1 
I) alpha_INTERFACE_1 
PROC DATASTORE CONTROLL(chanO, chanl, chan2, chan3, <chan4, chan5> 
213 
Appendix F: Multi-Type Component Generic Specification Model Example 
alpha_INTERFACS_2 chanO, chanl, chan6, chan7, chan8, chan9 
INTERFACE 
_2 . PROC_DATASTORE_aENERIC SPEC(chan0, chanl, chan6, chan7, <chan8, chan9> 
INTERFACE 
_2_WITH 
CONTROLL = 
INTERFACE_2 
[) alpha_INTERFACE2 
PROC DATA8TORS_CONTROLL(chan0, chani, chan6, chan7, <chan8, chan9> 
alpha-INTERFACE-3 = (ý chan0, chanl, chanlO, chanll, chanl2, chanl3 
INTERFACE_3 - 
PROC_DATASTORE GENERIC SPEC(chan0, chani, chanl0, chanil, <chanl2, chanl3> 
INTERFACE 
_3_WITH 
CONTROLL = 
INTERFACE_3 
[j alpha_INTERFACE3 jj 
PROC DATASTgRE_CON_TROLL(chan0, chani, chanl0, chanll, <chanl2, chanl3> 
alpha_INTERFACE_4 = (ý chan0, chanl, chanl4, chanl5, chanl6, chanl7 
INTERFACE_4 = 
PROC_DATASTORE OENERIC_SPEC(chan0, chanl, chanl4, chanl5, <chanl6, chanl7> 
INTERFACE_4_iýITH_CONTROLL = 
INTERFACE 4 
[I alpha_INTERFACE4 
PROC_DATASTORE_CONTROLL(chan0, chanl, chanl4, chanl5, <chanl6, chanl7> 
-- rh* collection of single type interface camponeats 
MULTIINTERFACES 
_KITH 
CONTROLL - 
(INTERFACE 
_1_WITH 
CONTROLL, alpha_INTERFACE 1), 
(INTERFACE_2_WITH CONTROLL, alpha_INTERFACE_2), 
(INTERFACE_3_WITS CONTROLL, alpha_INTERFACE_3), 
(INTERFACE_4_WITH CONTROLL, alpha INTERFACE_4) 
COMBINE INTERFACES(clock, reset, interfaces) 
let 
A- reset? 
_ -> 
clock. l -> A 
B( < (xp, xa), (yp, ya) >Az)' 
length(z) "0&( xp [J inter(xa, ya) 1] yp 
[] 
length(z) >0& 
B( < (( xp (I inter(xa, ye) 1] yp ), union(xa, ya)) >"z 
within B( < (A, (ý clock, reset '}) >" z) 
-- Nod. 1. 
GEN SPEC2 -( PROCS \ (internalChoice} 
GEN SPECS - PROC4 
GEN SPEC2WITH CONTROLL - GEN SPEC2 (I alpha PROC4 
(] GEN_SPEC3 
INTERFACES_ - CO_MBINE_INTERFACES(chan0, chani, MULTI INTERFACEB 
WITH_CONTROLL) 
Prove that the correctly driven multi type generic specification is a 
-- refinement of multiple correctly driven single type components run 
in 
-- parallel 
assert INTERFACES [T- GEN 8PEC2_WITH_CONTROLL 
-- Prove that the correctly controlled single type interface components 
-- behaviour is covered in the behaviour of the multi type generic aoMgponent 
-- This is done for each of the instances of the interfaces 
assert (GEN 
_SPEC2_WITH 
CONTROLL \ diff(alpha_PROCS, alpha_INTERFACE_i) ) 
[T- INTERFACE_i_WITE_CONTROLL 
assert (GEN SPEC2_WITH CONTROLL \ diff(alpha_PROCS, alpha_INTERFACE_2) ) 
[T- INTERFACE_2_WITH_CONTROLL 
assert (GEN SPEC2_WITH 
_CONTROLL 
\ diff(alpha_PROCS, alpha_INTERFACE_3) ) 
[T- INTERFACE 
.3 
WITH CONTROLL 
214 
Appendix F: Multi-Type Component Generic Specification Model Example 
assert (GEN SPEC2_WITH 
_CONTROLL 
\ diff(alpha_PROCS, alpha_INTERFACE_4) 
[Ts INTERFACE 4 WITH CONTROLL 
F. 4 Conclusion & Evaluation 
The combination of the assertions covered in section F. 2 links various properties of the 
various models covered in section F. I. This builds up confidence with the models 
specified so that implemented components can both utilise them in their own proofs and 
be checked against them. It provides processes so that a low hardware level model of the 
components can be refinement checked against, a higher clock cycle based conceptual 
specification to refinement check against, and a method to link the two types of models 
together to show consistency between them. The assertions covered in section F. 3 
demonstrate that the multi type generic component specification is a refinement of a 
combination of single type generic specifications, this enables parts of this components 
outer boundary to be utilised and substituted where the corresponding generic single type 
specifications were utilised. 
215 
Appendix G Multi-Type Component 
Implemented Model Example 
This section will cover and explain the CSP models required for an implemented 
component, along with the assertions that need to be checked to link the models to each 
other, thus demonstrating that an implemented component performs as required and 
within the behaviours dictated by its generic super-type component. 
G. 1 Models & Specifications 
The `internalChoice' event that may appear within the code examples has been utilised 
instead of internal choice (i. e. 'I -I') to enable `chase' compression to applied if desired. 
The `internalChoice' event must be hidden for the specifications to be valid, but if `chase' 
compression has been chosen, the event should only be hidden after `chase' has been 
applied, otherwise the specification becomes invalid. 
G. 1.1 ImpSpec 1: Valid Low Level Behaviour 
This CSP model (see Figure 110) which is similar to the model defined in section F. 1.1, 
specifies all the valid and allowable low level behaviour that this implemented component 
may perform at its outer boundary. It may utilises internal choice to determine the 
possible output behaviour it can perform, although it is not a requirement (e. g. boolean 
true, boolean false, SKIP, STOP, all have well defined fixed behaviours that do not rely 
on other internal components). It is useful to note that some implemented components 
may have the allowable interface boundary behaviour that is identical to that of its generic 
super type component (e. g. boolean comparisons, PAR), where as other components will 
have an interface boundary behaviour that is a refinement of its super type component 
(e. g. boolean true, boolean false, SEQ). 
Figure 110: Low Level 'FdpFlopStorage' Component Desired Specification 
channel char mid_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC: 0.. 2 
channel chan~link 
_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC channel Chan_PROCFLIPFLOPSTORAGECOMPONENT DESIRED 
_SPEC 
(0.. 4} 
Appendix G: Multi-Type Component Implemented Model Example 
channel chan_readbits_PROC_PLIPPLOPSTORAGECOMPONENT_DESIRED_SPEC: [0.. 2). [0,1) 
channel chan_atorebits_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC: {0.. 21. {0,11 
PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC(clock, 
let 
A= 
length(stores) 
[] 
length(stores) 
[] 
length(stores) 
[J 
length(stores) 
Bs 
let 
BA 
(( 
-- 0 and length(reads) 
!-0 and length(reads) 
-- 0 and length(reads) 
!=0 and length(reads) 
.ý o& 
sa 0& 
I_ o& 
I_ o& 
reset, stores, reads) 
E 
B 
C 
D 
tl 
union( 
{j reset, 
clock, 
chanlink_PROC_FLIPPLOPSTORAGECOMPONENT_DESIRED_SPEC 
{ chan_PROC_FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC. y 
ý y<-{3,4} 
} 
I} 
) 
I] 
) 
[I tl 
x: set(atores) a BB(x) 
i} 
reset. 1, 
clock, 
chan link PROC FLIPFLOPSTORAQECOMPONENT DSSIRED_SPSC, 
Chan_PROC FLIPFLOPSTORA(dECOMPONENT DSSIRED_SPEC 
i1 
chan_link_PROC_FLIPFLOPSTORA(dECOMPONENT_DSSIRED_SPEC 
F 
\ (ý chanlink PROC FLIPPLOPSTORAGECOMPONENT_DESIRE SPEC, 
i} 
char PROC_FLIPFLOPSTORAGECOMPONENT_DESIREA_SPEC 
BB( (store, stored, data) 
let 
BBA = 
( BBB 
(I clock, 
I} 
tl 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC, 
chan_mid PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC 
II 
BBC 
\ {ý chan_mid PROC FLIPFLOPSTORAGECOMPONENT DESIRED _SPEC ý} 
BBB = 
(( chan_mid PROC FLIPP'LOPSTORAGECOMPONENT_DESIRED__SPEC. 0 -> 
( Ifs x. set(data) 0 x? O -> SKIP 
[) 
chan_mid_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 1 -> 
x: set(data) ® 
( x? 0 -> SKIP 
[) 
X? 1 -> SKIP 
217 
Appendix G: Multi-Type Component Implemented Model Example 
clock? 1 -> 
char link PROC_FLIPPLOPSTORAGECOMPONENT DESIRED SPEC -> 
BBB ) 
BBC = 
reset? 1 -> 
store? O -> chan_mid PROC ` -> 
FLIPFLOPSTORAGECOMPONENT DESIRED SPEC. O SKIP 
[l 
store? 1 -> chan_mid PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC. 1 -> SKIP 
BBD 
reset? O -> 
store? O -> chars mid PROC PLIPFLOPSTORAGECOMPONENTDESIRED SPEC. O -> BBD 11 
store? 1 -> 
Chan 
_mid 
PROC FLIPFS, OPSTORAGECOMPONENT_DESIRED_SPEC. 1 -> 
Chan 
_PROC 
FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 -> 
BBE 
[1 
store? 0 -> 
chan_mid_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 -> 
reset? 0 -> SKIP 
t7 
reset? 1 -> SKIP 
BBD 
(] 
store? 1 -> 
chap mid PROC FLIPFLOPSTORAGECOMPONENTDESIRED SPEC. 1 -> 
( reset? O -> 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC. O -> 
BB8 
U 
reset? 1 -> BBD 
BBD - 
clock? 1 -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT__DESIRED_SPEC. 3 -> 
SKIP 
1] 
chan_PROC FLIPFLOPSTORAGECOMPONENT DESIRED SPEC. 4 -> 
SKIP 
storedl0 -> 
chap link PROC FLIPFLOPSTORAGECOMPONENTDESIRED SPEC -> 
BBC - 
BBE i 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
atoredtl -> 
chan_link_PROC_PLIPFLOPSTORAGECOMPONENTDESIRED SPEC 
BBC 
11 
218 
Appendix G: Multi-Type Component Implemented Model Example 
chan_PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC. 4 
storedl0 -> 
chap link PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC -> 
BBF 
BBF 
reset? 1 -> 
store? O -> 
chan_mid_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. O -> 
BBD 
H 
reset? 0 -> 
store? O -> 
Chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. O -> 
BBG 
[] 
store? 0 -> Chan mid_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 -> 
reset? l -> BBD 
[l 
reset? O -> SBG 
BBG 
clock? 1 -> 
Chan 
_PROC_FLIPFLOPSTORAGIECOMPONENT_DESIRED_SPEC. 
4 -> 
storedtO -> 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
BBF 
within storedlO -> 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC -> 
BSA 
within BA 
C= 
let 
CA 
(([I 
union 
{I reset, 
I} 
clock, 
ehern link PROC FLIPFLOPSTORAGECOMPONENTDESIRED SPEC 
{ Chan 
_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 
y 
Y<-{3,4} 
} 
11 x: aet(reada) 0 CB(x) 
reaet. 1, 
clock, 
Chan link PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED _SPEC, 
Chan_PROC FLIPFLOPSTORAGECOMPONENTDESIRED SPEC 
I} 
than link PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
p 
chan link 
_PROC 
PLIPFLOPSTORAGECOMPONENT_DESIREDSPEC, 
char PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC 
I} 
CB( (read, readallowed, data) 
let 
CBA " 
reset? 1 -> 
read? O -> SKIP 
[l 
read? 1 -> SKIP 
219 
Appendix G: Multi-Type Component Implemented Model Example 
CBB 
reset? 0 -> 
read? O -> CBB 
[l 
read? 1 -> CBC 
[l 
read? O -> 
reset? 0 -> SKIP 
[l 
reset? 1 -> SKIP 
WB 
[] 
read? 1 -> 
reset? 0 -> CBC 
[] 
reset? 1 -> CBB 
CBB 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGBCOMPONENTDESIRED SPEC. 3 -> 
SKIP 
[] 
chanPROC_FLIPPLOPSTORAGECOMPONENTDESIRED SPEC. 4 -> 
SKIP 
readallowedl0 -> 
( III x: aet(data) 0 x10 -> SKIP } 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC -> CBA 
CBC = 
clock? 1 -> 
chan_PROC PLIPPLOPSTORAGECOMPONENT_DESIRED SPEC. 3 -> 
readallowedti -> 
(( III x: aet(data) G x! O -> SKIP 
chan_link_PROC_FLIPFLOPSTIORAGECOMPONENT DESIRBDSPEC -> CSA 
it 
ChanPROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC. 4 -> 
readallowedl0 -> 
x: Bet(data) ® x! 0 -> SKIP 
Chan_link_PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC -> CBD 
CBD 
reset? 1 -> read? O -> CBB 
11 
reset? O -> read? O -> CBE 
11 
read? O -> 
reset? 1 -> CBB 
11 
220 
Appendix G: Multi-Type Component Implemented Model Example 
reset? O -> CBE 
CBE 
clock? 1 -> 
Chan_PROCFLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 4 -> 
readallow_ed! O -> 
(( III x. -met(data) a x! 0 -> SKIP 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT DESIRED SPEC -> CBD 
within CA 
let 
DA s 
((t [ý union( 
reset, 
clock, 
chan_link_PROC_FLIPP'LOPSTORAGECOMPONENT_DESIRED_SPEC 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC -> CBA 
11 
i} 
{ 
11 
I} 
Chaa_PROC_FLIPFLOPSTORAC3ECOMPONENT_DESIRED_SPEC. y I y<-(3,4) 
ý)x: aet (atorea) 0 DB (x) 
[ý union( 
reset, 
clock, 
chap link_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC 
{ chan_PROC FLIPFLOPSTORAQECOMPONENT_DESIRED_SPEC. y I y<-{3,4}} 
ý 
reset, 
clock, 
than-link-PROC FLIPPLOPSTORAGECOMPONENT_DESIRED_SPEC 
I} 
{ Chan_PROC FLIPPLOPSTORAGECOMPONENT_DESIRED_SPEC. y ) y<-{3,4} 
ý] x: aet(reade) 0 DC(x) 
(I 
I} 
I] chan_link_PROC_FLIPFLOPSTORAOECOMPONENT_DESIRED_SPEC -> 
H 
) {I 
chan_link_PROC FLIPFLOPSTORAGECOMPONENTDESIRED SPEC, 
I chan readbita PROC FLIPFLOPSTORAC3ECOMPONENT DESIRED SPEC, 
within readallowedlo -> 
(( III x: set(data) ® x! o -> SKIP ) 
( [ý union( 
[I 
} 
} 
reset. 1, 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC, 
chan_readbita PROC FLIPFLOPSTORAGECOMPONENT_DESIRED SPEC, 
chan_atorebite PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC, 
clock, 
chan link_PROC FLIPPLOPSTORAGECOMPONENT_DESIRED_SPEC 
221 
Appendix G: Multi-Type Component Implemented Model Example 
char storebits_PROC FLIPFLOPSTORAGECOMpONENTDESIRED SPEC, 
chan_pROC FLIPFLOPSTORAGECOMPONENT DESIRED SPEC 
{I 
I} 
DB( (store, stored, data) 
let 
DBA = 
DBB 
(I 
Chan mid PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC, 
Chan chan_link 
_PROC 
FLIPPLOPSTORAGECOMPONENT DESIRED SPEC, 
clock 
i} I) 
DBC 
chan_mid PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED'SPEC 
ý} 
(( 
) 
{ 
DBB m 
let 
DBBA 
Chan_mid_PROC FLiPFLOPSTORAC3ECOMPONENT_DESIRED SPEC. O 
x: aet(data) ® x? 0 -> SKIP 
clock? 1 -> 
chan_link PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC 
DBBA 
(] 
chan_mid PROC PLIPFLOPSTORA(3ECOMPONENT_DESIRED_SPEC. 1 
( DBBB(data) 
DBBA 
DBBB (x) 
length (x) 
(] 
length (x) 
(1 
0& STOP 
1& DBBC(head(x), 
length(x) >1& 
( DBBC(head(x), 
[1 { 
} 
length(data) 
_, 
_, 
_, 
length(data) 
- length(x)) 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC, 
chan_mid_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 2, 
clock. 1 
I] 
DBBB(tail(x)) 
DBBC(x, y) - 
((x? 0 -> 
1) 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED SPEC. 2 -> 
chan_atorebita_PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC. y. 0 -> 
clock? 1 -> 
SKIP 
[7 
clock? 1 -> SKIP 
x? 1 -> 
chan_mid_PROC_PLIPFLOPSTORAdECOMPONENT_DESIRED 
_SPEC. 
2 -> 
chan_atorebita_PROC FLIPFLOPSTORAQECOMPONENT DESIRED SPEC. y. i -> 
clock? 1 -> 
SXIP 
U 
222 
Appendix G: Multi-Type Component Implemented Model Example 
clock? 1 -"id-p- 
chan_link_PROC_PLIPPLOPSTORAGECOMPONENT DESIRED SPEC -> SKIP 
within DBBA 
DBC 
reset? 1 -> 
ii store? 0 -> 
char mid PROC PLIPFLOPSTORAGECOMPONENT DESIRED SPEC. 0 -> 
SKIP 
[] 
Store? 1 -> 
Chan mid_PROC_FLIPPLOPSTORAGECOMPONENT_DESIRED_SPEC. 1 -> 
SKIP 
DBD 
) 
reset? O -> 
store? 0 -> 
chap mid_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 -> 
DBD 
1) 
store? 1 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 
chan_midPROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 1 -> 
chan_mid_PROC FLIPFLOPSTORAGECOMPONENTDESIRED_SPEC. 2 -> 
DBE 
U 
store? O -> 
chan_mid_PROC_PLIPFLOPSTORAOECOMPONENT_DESIRED_SPEC. 0 -> 
reset? O -> SKIP 
[] 
reset? 1 -> SKIP 
DBD 
U 
store? 1 -> 
chap mid PROC PLIPFLOPSTORAOECOMPONENT_DESIRED_SPEC. 1 -> 
reget? 0 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 -> 
chan_mid PROC PLIPFLOPSTORAGECOMPONENT DESIRED SPEC. 2 -> 
DBE 
[] 
reset? 1 -> DBD 
DBD 
clock? 1 -> 
than_PROC_PLIPPLOPSTORAGECOMPONENTDESIRED SPEC. 3 -> 
SKIP 
[] 
Chan_PROC_FLIPPLOPSTORAGECOMPONENT DESIRED SPEC. 4 -> 
SKIP 
Ietoredl0 -ý 
223 
Appendix G: Multi-Type Component Implemented Model Example 
chan_link PROC FLIPFLOPSTORAC3ECOMPONENT DESIRED SPEC -> 
DBC 
DBE 
clock? 1 -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPfiC. 3 -> 
atoredll -> 
chan_link PROC_FLIPFLOPSTORAC3ECOMPONENT_DESIRED_SPEC 
DBC 
1] 
Chan _PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC. 4 -> Storedl0 -> _ 
Chan 
_link 
PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC -> 
DBF 
D8F 
reget? i -> 
store? 0 -> 
chan_mid_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 -> 
DBD 
1] 
reset? 0 -> 
store? 0 -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 0 -> 
DBG 
t] 
store? O -> 
chan mid_PROC_FLIPFLOPSTORAGECOMPONENT__DESIRED_SPEC. 0 -> 
( reset? 1 -> DBD 
[] 
reset? O -> DBG 
DBG - 
clock? 1 -> 
chan_PROC FLIPFLOPSTORAGECOMPONENi'_DESIRED_SPEC. 4 -> 
atoredlO -> 
Chan 
_link_PROC 
FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
DBF 
within 
atoredl0 -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENf_DESIRED_SPEC -> 
DBA 
DC( (read, readallowed, data) ) 
let 
DCA 
reset? l -> 
read? O -> SKIP 
[] 
read? l -> SKIP 
DCB 
[] 
reset? O -> 
read? O -> DCB 
[] 
read? 1 -> 
char_PROC_PI, IPFLOPSTORAGECOMPONENT DESIRED SPEC. 1 -> 
DCC 
read? O -> 
reset? O -> SKIP 
11 
224 
Appendix G: Multi-Type Component Implemented Model Example 
reset? 1 -> SKIP 
DCB 
[] 
read? 1 -> 
reset? O -> 
Chan_PROC_FLIPHLOPSTORADECOMPONENTDESIRED SPEC. 1 -> 
DCC 
[) 
reget? 1 -> DCB 
DCB 
clock? l -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
SKIP 
(l 
Chan_PROC_FLIPPLOPSTORAGECOMPONENT_DESIRED SPEC. 4 -> 
SKIP 
readallowedl0 -> 
x: set(data) a x! 0 -> SKIP 
chan_link PROC_PLIPPI. OPSTORAf3ECOMPONENT_DESIRED SPEC -> DCA 
ý 
{I 
i} 
DCC - 
(( DCD 
[I 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC, 
readallow_ed, 
chan_PROC_FLIPPLOPSTORAGECOMPONENT_DESIRED_SPEC, 
reset, 
read, 
clock 
II DCE 
DCA 
DCD a 
let 
DCDA 
clock? l -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 4 -> 
readallowedlO -> 
Chan link_PROC_FLIPFLOPSTORAGECOMPONENT DESIRED SPEC -> 
DCDB 
(] 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
readallowedll -> 
Chan 
_link_PROC_FLIPFLOPSTORAGECOMPONENT 
DESIRED_SPEC 
SKIP 
DCDB = 
reset? 1 -> 
read? O -> 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
readallowedl0 -> 
chan link PROC FLIPFLOPSTORAGECOMPONENT DESIRED SPEC -> 
225 
Appendix G: Multi-Type Component Implemented Model Example 
SKIP 
(] 
reset? o -> read? 0 -> DCDC (] 
read? o -> 
reset? 1 -> 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
readallowed! o -> 
chan_link PROC_FLIPPLOPSTORAGECOMPONENT DESIRED_SPEC -> 
SKIP 
U 
reset? 0 -> DCDC 
DCDC - 
clock? 1 -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 4 -> 
readallowed! o -> 
chan_link_PROC_FLIPPLOPSTORAGECOMPONENT DESIRED SPEC -> 
DCDB 
within DCDA 
DCE - 
let 
DCEA (x) 
length(x) 0& STOP 
[] 
length(x) 1& 
chan_readbits_PROCFLIPFLOPSTORAGECOMPONENT DESIRED_SPEC. 
(length(data) - length(x))? z -> 
DCEB(head(x), z) 
(] 
length(x) >1& 
( 
chan readbitsPROCFLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 
(length(data) _ length(x))? z -> 
DCEB(head(x), z) 
chars link 
_PROC 
FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC, 
reads1lowed, 
chan_PROC FLIPFLOPSTORAGECOMPONENT DESIRED SPEC, 
reset, 
read, 
clock 
I} 
i) DCEA(tail(x)) 
DCEB (x, y) _ 
chan_PROC_FLIPFLOPSTORAC3ECOMPONENT_DESIRED_SPEC. 4 -> 
readallowedl0 -> 
xt0 -> 
chan_link_PROC_FLIPFLOPSTORAOECOMPONENT DESIRED-SPEC -> 
DCEC(x) - 
[1 
Chan _PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 
3 -> 
readallowedJO -> 
X10 -> 
Chan 
_link _PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC 
-> 
DCED(x, y) 
[1 
readallowedll -> 
x! y -> 
Chan 
_link 
PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC -> 
SKIP 
reeet? 1 -> 
DCEC (x) - 
226 
Appendix G: Multi-Type Component Implemented Model Example 
read? 0 -> 
clock? 1 -> 
Chan 
_PROC_PLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 
3 -> 
readallowedl0 -> 
X10 -> 
Chan 
_link_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> SKIP 
[] 
reset? O -> 
read? 0 -> 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 4 -> 
readallowedl0 -> 
X10 -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
DCEC(x) 
[] 
read? O -> 
reset? l -> 
clock? i -> 
Chan 
_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 
3 -> 
readailowedl0 -> 
X10 -> 
Chan 
_link 
PROC FLIPFLOPSTORAGECOMPONENT DESIRED_SPEC -> 
SKIP 
[] 
reset? o -> 
clock? i -> 
Chan 
_PROC 
PLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 4 -> 
readallowedl0 -> 
X10 -> 
Chan 
_link _PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC 
-> 
DCEC(x) 
} 
DCED (x, y) - 
reset? i -> 
read? 0 -> 
clock? 1 -> 
chan_PROC FLIPFLOPSTORAGECOMPONENTDESIRED SPEC. 3 -> 
readallowedl0 -> 
X10 -> 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT_DESIREDSPEC -> 
SKIP 
[) 
reset? O -> read? O -> clock? 1 -> DCEB(x, y) 
U 
read? O -> 
reset? 1 -> 
clock? 1 -> 
chan_PROC PLIPFIAPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
readallowedl0 -> 
x10 -> 
Chan 
_link_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC 
-> 
SKIP 
() 
reset? O -> clock? 1 -> DCEB(x, y) 
within clock? 1 -> DCEA(data) 
within 
readallowedl0 -> 
x: aet(data) " x10 -> SKIP 
( chan_link_PROC_FLIPPLOPSTORAGECOMPONENT DESIRED_SPEC -> DCA 
within DA 
-- No Reads or Stores 
227 
Appendix G: Multi-Type Component Implemented Model Example 
reset? o -> SKIP [] 
reset? 1 -> SKIP 
); ( clock? i -> E) 
Fs 
let 
FA 
reset? 1 -> 
clock? 1 -> 
chan_PROC FLIPFLOPSTORAGECOMPONENTDESIREDSPEC. 3 -> 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
FA 
[] 
clock? 1 -> 
CÄar1_PROC FLIPFLOPSTORAGECOMPONENT__DESIRED SPSC. 3 -> than 
_link 
PROC FLIPFLOPSTORAGßCOMPONENT_DSSIRED_SPEC -> 
FA 
[] 
chan_PROC FLIP FLOPSTORAGECOMPONENT DESIRED SPEC. O -> FB [] 
chan_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 1 -> FC 
FB s 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENTDESIRED_SPEC. 3 -> 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
FA 
[] 
Chaz1_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED 
- 
SPEC-0 FD 
[) 
chan_PROC FLIPFLOPSTORAGECOMPONENT_DESIRED SPEC. 1 -> FD 
FC = 
clock? 1 -> 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
FA 
[] 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. O -> FD 
0 
Chan_PROC FLIPPLOPSTORAGECOMPONENT DESIRED_SPEC. 2 -> PC 
FD ý 
reset? 1 -> 
clock? 1 -> 
chan PROC_PLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 3 -> 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC -> 
PA 
[l 
clock? 1 -> 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. 4 -> 
char link PROC FLIPFLOPSTORAGECOMPONENTDESIRED SPEC -> 
PI) 
(l 
chan_PROC PLIPPLOPSTORAGECOMPONENT_DESIRED SPEC. O -> PD 
(l 
Chan PROC PLIPPLOPSTORAGECOMPONENT DESIRED SPEC. 1 -> PD 
within FA_ 
G: 
let 
GA = 
length(stores) !=0& GB(head(etores)) 
(l 
length(reads) !=0& GB(head(reads)) 
GB( 
_, 
data) ). 
(I { reset. 1 } +l x: {0.. (length(data)-1)} ® GC(x, 0) 
GC(x, y) ý 
reset? 1 -> GC(x, 0) (l 
chan_readbits_PROC_PLIPPLOPSTORAG$COMPONENT DESIRED_SPEC. xty -> 
GC (x, y) 
- 
228 
Appendix G: Multi-Type Component Implemented Model Example 
[] 
chan_storebits_PROC_FLIPFLOPSTORAGECOMPONENT_DESIRED_SPEC. x? z -> GC(x, z) 
within GA 
H. 
F 
[I { reset. 1 } 11 
G 
within chase(A) 
G. 1.2 ImpSpec 2: Low Level Behaviour with Explicit Deadlocking 
This CSP model (see Figure 111) is similar to the model covered in section F. 1.2, the CSP 
model is the model covered in section G. 1.1 but altered so that it will accept incorrectly 
driven input signals followed by explicitly defined deadlocking (i. e. STOP). 
Figure 111: Low Level 'FlipFlopStorage' Component Generic Specification with Explicit Deadlocking 
channel chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC: 0.. 2 
channel Chan 
_link_PROC 
FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC 
channel Chan 
_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC 
{0.. 4) 
channel chan_readbits_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC: 
(0.. 2). {0,1) 
channel chan_storebits_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC: 
{0.. 2). {0,1) 
PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC (clock, reset, stores, reads) 
let 
A 
length(stores) -- 0 and length(reads) -= 0&E 
1) 
length(stores) 1- 0 and length(reads) 0&B 
[1 
length(stores) _- 0 and length(reads) 1- 0&C 
[) 
length(stores) 1- 0 and length(reads) l- 0&D 
B= 
let 
BA = 
[I {I 
L 
union ( 
reset, 
clock, 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_ SPEC 
I} 
{ chan PROC_FLIPFLOPSTORAC3ECOMPONSNT_C3TNERIC_SPEC. y 
I y<-{3,4} 
} 
ý] x: set(stores) 0 BB(x) 
reset. 1, 
clock, 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC 
I} 
229 
Appendix G: Multi-Type Component Implemented Model Example 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_OENERIC_SPEC -> F 
\ {ý chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
I} 
char PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC 
BB( (store, stored, data) ) 
let 
BHA " 
{I clock, 
I} 
II 
BBC 
{l chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC 
0 
BBB 
(( 
_ -> 
Ch 11 mid PROC FLIPpLOPSTORAGECOMPQNT GENERIC_SPEC. 0 
11 x: set(data) 0 
x? 0 -> SKIP 
11 
x? 1 -> STOP 
(l 
chanmid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 
JJl x: eet(data) 
x? 0 -> SKIP 
[] 
x? 1 -> SKIP 
clock? 1 -> 
chan_link_PROCFLIPFLOPSTORAGECOMPONENT GENERIC_SPEC -> 
BBB 
} 
BBC 
reset? 1 -> 
store? O -> chan mid PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. O SKIP 
[l 
store? l -> chan mid PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 SKIP 
BBD 
[] 
reset? O -> 
store? O -> chan mid PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC. 0 -> BBD 
store? 1 -> 
chan_midPROCFLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 -> 
chan PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC. 0 -> 
BBB 
[1 
Chan link_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC SPEC, 
Chan mid PROC_FLIPFLOPSTORAGECOMPONENT GENERIC SPEC 
230 
Appendix G: Multi-Type Component Implemented Model Example 
BBE 
[] 
store? 0 -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_OENERIC_SPEC. 0 -> 
reset? 0 -> SKIP 
(3 
reset? 1 -> SKIP 
BBD 
[] 
store? i -> 
chan_mid_PROC_FLIPFLOPSTOR. AGECOMPONENT_GENERIC_SPEC. 1 -> 
reset? 0 -> 
Chan PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC. 0 -> 
BBE 
(1 
reset? l -> BBD 
BBD 
clock? i -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 
SKIP 
[] 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 4 -> 
SKIP 
storedl0 -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_iENERICSPEC -> 
BBC 
BBE _ 
clock? i -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT C3ENERIC_SPEC. 3 -> 
etoredll -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> 
BBC 
t] 
chan_PROC_FLIPFLOPSTORACiECOMPONENT_C3ENERIC_SPEC. 4 -> 
storedlO -> 
chan_link_PROC_FLIPFLOPSTORA(3ECOMPONENT_(3ENERIC_SPEC -> 
BBF 
BBF 
reset? 1 -> 
store? O -> 
chap mid_PROC FLIPFLOPSTORAGECOMPONENT_iENERIC_SPEC. 0 -> 
BBD 
[] 
store? 1 -> STOP 
reset? 0 -> 
store? 0 
231 
Appendix G: Multi-Type Component Implemented Model Example 
chap mid PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC-0 -> BBG 
11 
store? l -> STOP 
[] 
store? 0 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC-0 -> 
reset? 1 -> BBD 
[1 
reset? 0 -> BBG 
_, 
[l 
store? 1 -> STOP 
BBC; 
clock? 1 -> 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 4 -> 
storedlo -> 
Chan-link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_ SPEC -> 
BBF 
within storedlo -> 
Chan-link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> 
BBA 
within BA 
C= 
let 
CA = 
(((I 
union( 
{I reset, 
J) 
clock, 
chap link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC 
{ char PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. y 
} 
I y<-{3,4} 
) i) rI {ý 
x: aet(reada) 0 CB(x) 
I} 
reset. 2, 
clock, 
chan_link PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
Chan PROC_FLIPFLOPSTORAGECOMPONENT QENERIC SPEC 
I] 
char link PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC -> 
F 
{l chan_link_PROC FLIPFLOP3TORA4ECOMPONENT_ßENERIC_3PEC, 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC SPEC 
CB( (read, readallowed, data) ) 
let 
CBA 
reset? l -> 
read? o -> SKIP 
[] 
read? l -> SKIP 
CBB 
I} 
232 
Appendix G: Multi-Type Component Implemented Model Example 
[1 
reset? 0 -> 
read? O -> CBB 
[] 
read? ]. -> CBC 
[J 
read? O -> 
(( reset? O -> SKIP 
[l 
reset? 1 -> SKIP 
CBS 
[] 
read? l -> ( reset? O -> CBC 
H 
reset? 1 -> CBB 
CBB 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
SKIP 
(1 
chan_PROC_FLIPFLOPSTORAOECOMPONENT_4ENERIC_SPEC. 4 -> 
SKIP 
readallowedl0 -> 
( ICI x: set(data) a x10 -> SKIP 
Chan_linh_PROC FLIPFLOPSTORA6FsCOMPONENT (3ENERIC_SPEC -> CBA 
CBC . 
clock? l -> 
char PROC_FLIPPLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowedll -> 
(( III x: aet(data) a x! 0 -> SKIP 
char link_PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> CBA 
[l 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallowedl0 -> 
x: aet(data) a x10 -> SKIP 
chan link PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC -> CBD 
CBD - 
reset? 1 -> 
233 
Appendix G: Multi-Type Component Implemented Model Example 
read? 0 -> CBB 
[] 
read? 1 -> STOP 
[] 
reset? O -> 
read? O -> CBE 
[] 
read? 1 -> STOP 
} 
[] 
read? O -> 
reset? 1 -> CBB 
[] 
reset? O -> CBE 
[] 
read? l -> STOP 
CBE . 
clock? l -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallowedl0 -> 
((ýIx: set(data) ® xIO -> SKIP 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC -> CBD 
within readallowedlO -> 
(( JJJ x: set(data) 0 x10 -> SKIP 
chap link PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC -> CBA 
D 
{I 
I} 
within CA 
7 
et 
DA - 
((( 11 union( 
reset, 
clock, 
chart link PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC 
{ chan PROC_FLIPFLOPSTORAC3SCOMPONBNT_ßENERIC_SPSC. y I y<-{3,4} 
reset, 
clock, 
x: set (stores) ® DB (x) 
[ union( 
chap link PROC FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC 
11 
{ chan_PROC_FLIPFLOPSTORAQECOMPONENT_QENERIC_SPEC. y I yc-{3,4}} 
} 
I) 
[( union ( 
reset, 
clock, 
} 
234 
Appendix G: Multi-Type Component Implemented Model Example 
i} 
chap link PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC 
{ Can 
_PROC 
FLIPFLOPSTORAQECOMPONENT QENERIC_SPEC. y I y<-{3,4} 
ý] x: set(reads) ® DC(x) 
{I 
I} 
tl 
reset. 1, 
chan_PROC_FLIPFLOPSTORAGECOMPONENTGENERIC 
_SPEC, chan_readbits_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC SPEC, 
chan_storebits_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
clock, 
chap link PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC 
} 
II chan_lixilc_PROC FLIPFLOPSTORAC3ECOMPONENT_l3ENERIC_SPEC -> 
H 
\ {I 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
chan_readbits_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
chan_storebits_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
chan PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC 
DB( (store, stored, data) )- 
let 
DBA - 
DBB 
II 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
clock 
I} II 
DBC 
\ {j chan mid_PROC FLIPFLOPSTORAGECOMPONENT_C3ENERIC_SPEC 
I} 
DBB 
let 
DBBA 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC SPEC. 0 -> 
III x: set(data) 
x? 0 -> SKIP 
1] 
x? l -> STOP 
clock? 1 -> 
chan_link_PROC_FLIPFLOPSTORACiECOMPONENT_DENERIC_SPEC -ý 
DBBA 
[l 
chan_mfd_PROC_FLIPFLOPSTORACdSCOMPONENT_GfENERIC_SPEC. 1 -ý 
( DBBB(data) 
DEBA 
235 
Appendix G: Multi-Type Component Implemented Model Example 
{ 
DBBB(x) - 
length(x) 0& STOP 
[) 
length(x) -- 1& DBBC(head(x), length(data) - 1) 
[l 
length(x) >1& 
{ DBBC(head(x), length(data) - length(x)) 
[I 
Chan 
_link _PROC_FLIPFLOPSTORAßECOMPONENT_QENERIC_SPEC, Chan mid_PROC_FLIPFLOPSTORAQECOMPONENT CiENERIC_SPEC. 2, 
clock. i 
I) 
DBBB(tail(x)) 
DBBC(x, y) 
((x? o -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 2 -> 
chan_storebits_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC SPEC. y. C -> 
clock? 1 -> 
SKIP 
[l 
clock? 1 -> SKIP 
[] 
x? 1 -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 2 
chan_storebits_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC. y. 1 -> 
clock? 1 -> 
SKIP 
[] 
clock? 1 -> SKIP 
char link PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC -> SKIP 
within DBBA 
DBC 
reset? 1 -> 
CC 
store? o -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 0 -> 
SKIP 
[] 
store? 1 -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 -> 
SKIP 
DBD 
[] 
reset? 0 -> 
store? O -> 
236 
Appendix G: Multi-Type Component Implemented Model Example 
chan_mid_PROC_FLIPFLOPSTORAßECOMPONENT_(3ENERIC, SPEC. 0 -> 
DBD 
(1 
store? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 0 -> 
Chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 -> 
char mid PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC. 2 -> 
DBE ---- 
[l 
store? O -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 0 -> 
reset? 0 -> SKIP 
(l 
reset? 1 -> SKIP 
D8D 
[] 
store? 1 -> 
char mid PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 -> 
reset? O -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 0 -> 
chan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 2 -> 
DBE 
[l 
reset? l -> DBD 
DBD 
clock? l -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
SKIP 
[) 
ChanPROCFLIPFLOPSTORAGECOMPONENT_GENERIC SPEC. 4 -> 
_ SKIP - 
-> storedlO 
chan_link_PROC_FLIPFLOPSTORAC3ECOMPONENT_aENERIC_SPEC -> 
DBC 
DBE ý 
clock2l -> 
chan_PROC_FLIPFLOPSTORAC3ECOMPONENT_ßENERIC_SPEC. 3 -> 
storedll -> 
chan_link_PROC_FLIPFLOPSTORA(3ECOMPONENT_dENERIC_SPEC -> 
DBC 
[] 
chan_PROC_FLIPFLOPSTORACiECOMPONENT_(3ENERIC_SPEC. 4 
storedlO -> 
chan link_PROC_FLIPFLOPSTORAC3ECOMPONENT_C3ENERIC_SPEC -ý 
DBF , 
DBF 
reset? 1 -> 
237 
Appendix G: Multi-Type Component Implemented Model Example 
store? 0 -> 
chan_mid_PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 0 -> 
DBD 
[1 
store? 1 -> STOP 
[] 
reset? 0 -> 
[ store? 0 -> chan mid PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC. 0 DBG 
11 
store? 1 -> STOP 
} 
[] 
store? O -> 
chan_mid_PROCFLIPFLOPSTORAGECOMPONENT_GENERIC SPEC. 0 -> 
reset? 1 -> DBD 
[] 
reset? 0 -> DBG 
[l 
store? l -> STOP 
DBG - 
clock? l -> 
chan_PROC_FLIPFLOPSTORAGBCOMPONENT_GENERIC_SPEC. 4 -> 
storedl0 -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> 
DBF 
within 
storedlO -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> 
DBA 
DC( (read, readallowed, data) 
let 
DCA 
reset? l -> 
(( read? O -> SKIP 
[J 
read? 1 -> SKIP 
DCB 
[] 
reset? O -> 
read? 0 -> DCB 
1] 
read? 1 -> 
chan_PROC_FLIPFLOPSTORAOECOMPONENT_GENERIC_SPEC. 1 -> 
DCC 
Il 
read? O -> 
reset? O -> SKIP 
[l 
reset? l -> SKIP 
DCB 
238 
Appendix G: Multi-Type Component Implemented Model Example 
[] 
read? 1 -> 
reset? O -> 
Chan PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC. l -> 
DCC 
[l 
reset? 1 -> DCB 
DCB " 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAßECOMPONENT_f3ENERIC_SPEC. 3 -> 
SKIP 
[I 
chan_PROC-FLIPFLOPSTORAGECOMPONENT GENERK SPEC. 4 -> 
SKIP 
readallowedl0 -> 
( III x: set(data) a x10 -> SKIP 
chap link_PROC FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC -> DCA 
{I 
i} 
DCC 
DCD 
(I 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
readallow_ed, 
chan_PROC_PLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
reset, 
read, 
clock 
i] DCE 
DCA 
DCD = 
let 
DCDA - 
clock? l -> 
Chan_PROC_FLIPFLOPSTORAßECOMPONENT_ßENERIC_SPEC. 4 -> 
readallowedl0 -> 
-> chan_link-PROC-FLIPFLOPSTORAßECOMPONENT-C3ENERIC-SPEC 
DCDB 
[] 
chan_PROC_FLIPFLOPSTORAßECOMPONENT_ßENERIC_SPEC. 3 
readallowedll -> 
chan_link_PROC FLIPFLOPSTORAßECOMPONENT_C3ENERIC SPEC -> 
SKIP 
DCDB 
reset? l -> 
read? O -> 
clock? 1 -> 
239 
Appendix G: Multi-Type Component Implemented Model Example 
chan. 
_PROC 
FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowedl0 -> 
chan_link 
_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC SKIP 
[I 
read? 1 -> STOP 
{l 
reset? O -> 
{ read? O -> DCDC 
[l 
read? 1 -> STOP 
[] 
read? O -> 
-> 
reset? 1 -> 
clock? 1 -> 
Chan 
_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 
3 -> 
readallowedl0 -> 
Chan link PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC -> 
SKIP --_ 
[] 
reset? O -> DCDC 
read? 1 -> STOP 
DCDC 
clock? 1 -> 
chan_PROCFLIPFLOPSTORAQECOMPONENT_QENERIC_SPEC. 4 -> 
readallow_edi0 -> 
chan_link_PROC FLIPFLOPSTORAQECOMPONENT QENERIC_SPEC -> 
DCDB 
within DCDA 
DCE - 
let 
DCEA(x) _ 
length(x) 0& STOP 
[l 
length(x) 1& 
chan_readbits_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC. 
(length(data) - length(x))? z -> 
DCEB(head(x), z) 
O 
length(x) >1& 
chan_readbita_PROCFLIPFLOPSTORA(3ECOMPONENT_C3ENERIC_3PEC. 
(length(data) _- length(x))? z -> 
DCEB(head(x), z) 
{I 
i} 
[I 
chan_link 
_PROC 
FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC, 
readallowed, 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC, 
reset, 
read, 
clock 
II DCEA(tail (x)) 
240 
Appendix G: Multi-Type Component Implemented Model Example 
DCEB (x, y) _ 
chan_PROC_FLIPFLOPSTORAC3ECOMPONENT_QENERIC_SPEC. 4 -> 
readallowedl0 -> 
x10 -> 
Chan link PROC FLIPFLOPSTORA(3ECOMPONENT_ßENERIC_SPEC -> 
DCEC(x) 
(1 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowedl0 -> 
x10 -> 
chan_link PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC -> 
DCED(x, y_ 
[] 
readallowedll -> 
xty -> 
chantlink_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC -> 
SKIP 
l 
DCEC (x) 
reset? 1 -> 
read? O -> 
clock? 1 -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowed! O -> 
x! 0 -> 
chan_link PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC 
SKIP _--- 
[l 
read? 1 -> STOP 
[] 
reset? O -> 
read? O -> 
clock? i -> 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 4 -> 
readallowed! O -> 
x! 0 -> 
chan_link 
_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> DCEC(x) 
[l 
read? 1 -> STOP 
I] 
read? O -> 
reset? 1 -> 
clock? 1 -> 
Chan_PROCFLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallow_edl0 -> 
x10 -> 
chap link_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC -> 
SKIP 
I I 
reset? 0 -> 
clock? 1 -> 
Chan_PROC_FLIPFLOPSTORAGECOMPONENTGENERIC_SPEC. 4 -> 
readallowedl0 -> 
x10 -> 
than link PROC FLIPFLOPSTORAGECOMPONENT GENERIC-SPEC 
241 
Appendix G: Multi-Type Component Implemented Model Example 
DCBC(x) 
[] 
read? 1 -> STOP 
DCED(x, y) 
reset? 1 -> 
read? 0 -> 
clock? 1 -> 
than PROC PLIPFLOPSTORAGECOMPONENT GENERIC SPEC. 3 -> 
readallowedl0 -> 
x10 -> 
Chan link 
_PROC_FLIPFLOPSTORAGECOMPONENT 
GENERIC SPEC -> SKI P 
[J 
read? i -> STOP 
(] 
reset? O -> 
( read? O -> clock? 1 -> DCEB(x, 
[] 
read? 1 -> STOP 
[] 
-> read? O 
c 
Y) 
reset? 1 -> 
clock? i -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
readallowedl0 -> 
x10 -> 
char link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_ SPEC -> 
SKIP 
[3 
reset? O -> clock? l -> DCEB(x, y) 
[] 
read? 1 -> STOP 
within clock? l -> DCEA(data) 
within 
readallowedio -> 
x: set(data) ® x10 -> SKIP 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT GENERIC SPEC -> DCA 
within DA 
-- No Reads or Stores 
E 
reset? O -> SKIP 
{l 
reset? 1 -> SKIP 
); { clock? 1 -> E 
F 
let 
FA " 
reset? l -> 
clock? ]. -> 
chanPROC_FLIPFLOPSTORAGECOMPONENT_GENERIC _SPEC. 
3 -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> 
FA 
242 
Appendix G: Multi-Type Component Implemented Model Example 
[l 
clock? 1 -> 
chanPROCFLIPFLOPSTORAGECOMPONENTGENERIC SPEC. 3 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC -> FA 
[] 
chan_PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_ SPEC. 0 -> FB [I 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 -> FC FB = 
clock? 1 -> 
char PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC. 3 -> 
char link_PROC FLIPFLOPSTORAGECOMPONENT_GENERIC SPEC -> FA 
[] 
chan_PROC_FLIPFLOPSTORAC3ECOMPONENT_ßENERIC_SPEC. 0 -> FD [] 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_dENERIC_SPEC. 1 -> FD 
FC = 
clock? 1 -> 
chanPROC FLIPFLOPSTORAßECOMPONENTGENERIC SPEC. 3 -> 
chan_link_PROC_FLIPFLOPSTORAOECOMPONENT_aE_NERIC_SPEC -> 
FA 
[1 
chan_PROC FLIPFLOPSTORAGECOMPONENT GENERIC SPEC. 0 -> FD [l 
chan_PROC FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 1 -> FC 
FD - 
reset? l -> 
clock? l -> 
chap PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 3 -> 
chap link_PROC FLIPFLOPSTORAGECOMPONENT GENERIC_SPEC -> 
FA 
11 
clock? l -> 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_GENERIC_SPEC. 4 -> 
Chan link PROC FLIPFLOPSTORAGECOMPONENTGENERIC SPEC -> 
(] 
char PROC_FLIPFLOPSTORAaECOMPONENT_4ENERIC SPEC. O -> FD 
Cl 
chan_PROC FLIPFLOPSTORAf3ECOMP0NENT_aENERIC_SPEC. 1 -> FD 
within FA 
let 
GA - 
length(stores) !. 0& aB(head(stores)) 
(] 
length(reads) I= 0& GB(head(reads)) 
GB( 
_, 
data) )- 
[I { reset. 1 } ý] x: {0.. (length(data)-1)} ® GC(x, 0) 
aC (x, y) - 
reset? 1 -> GC(x, 0) 
[] 
chan_readbits_PROC_FLIPFLOPSTORAaECOMPONENT_aENERIC_SPEC. xIy 
GC (x, y) 
[l 
chan_storebits-PROC_FLIPFLOPSTORAaECOMPONENT_aENERIC_SPEC. x? z -> 
GC (X, z) 
within GA 
H- 
243 
Appendix G: Multi-Type Component Implemented Model Example 
F 
[I { reset. 1} 
G 
within chase(A) 
G. 1.3 ImpSpec 3: Model of Implemented Logic 
This CSP model (see Figure 112), is a model of the segment of logic that this component 
represents and is achieved through modelling the individual logic components and 
running them in parallel. 
Figure 112: CSP Model of the Logic Circuit Segment of the 'FlipFlopStorage' Component 
-- CoMponants used in the segment of logic being verified 
alpha 
_PROCS = 
{1 chaniS, chan33, chan29 1} 
PROCS - PROC_AND(chan33, <chanl8, chan29>) 
alpha_PROC6 - {1 chanl8, chan46, chan49 1} 
PROC6 - PROC_AND(chan46, <chan49, chanl8>) 
alpha_PROC7 - {I chanli, chanl2, chan22 1} 
PROC7 = PROC_AND(chanl2, <chanii, chan22>) 
alpha_PROC8 - (I chan36, chan30, chan20, chan26 
PROCB - PROC_OR(chan2O, <chan26, chan30, chan36>) 
alpha 
_PROC9 = 
{I chan43, chanl4, chan0, chanl 1} 
PROC9 - PROC_DTYPE(chan0, chanl, chanl4, chan43) 
alpha_PROC10 = {I chan40, chan45, chan32 
1} 
PROC10 = PROC_OR(chan45, <chan32, chan40>) 
alpha 
_PROC11 
- {) chan0, chani, chan3l, chan50 
PROC11 - PROC_DTYPE(chan0, chanl, chan3l, chan50) 
alpha_PROC12 - {I chan28 
PROC12 - PROC_f3ND(chan28) 
alpha_PROC13 - {I chan44 
PROC13 = PROC C3ND(chan44) 
alpha_PROC14 = {I chanO, chanl0, chani, chan37 
PROC14 - PROC_DTYPE(chan0, chani, chanl0, chan37) 
alpha_PROC15 - {I chanO, chani, chan33, chan23 
1} 
PROC15 - PROC_DTYPE(chan0, chani, chan33, chan23) 
alpha_PROC16 - (I chan48, chan29 
PROC16 - PROC_NOT(chan48, chan29) 
alpha 
_PROC17 - 
(I chan2l, chan0, chan6, chanl 
PROC17 - PROC_DTYPE(chanO, chani, chan6, chan2l) 
alpha_PROC18 - {I chan4l, chan33, chan32 1} 
PROC18 - PROC_AND(chan32, <chan4l, chan33>) 
alpha_PROC19 = {I chanl4, chan49, chan28, chanl0 
PROC19 - PROC_OR(chan49, <chan28, chanl0, chanl4>) 
alpha 
_PROC20 
- {I chan27, chanl9, chan3l 1} 
PROC20 - PROC_OR(chan3l, <chan27, chanl9>) 
alpha_PROC21 - {I chan49, chan30, chan38 
1} 
PROC21 - PROC_AND(chan30, <chan38, chan49>) 
alpha_PROC22 - {I chan45, chanO, chani, chan22 
PROC22 = PROC_DTYPE(chan0, chani, chan45, chan22) 
alpha_PROC23 - {1 chan40, chan35, chan22 
1} 
PROC23 - PROC AND(chan40, <chan35, chan22>) 
alpha_PROC24 - {I chanii, chan37, chan2S 
1} 
PROC24 - PROC_AND(chanil, <chan25, chan37>) 
alpha_PROC25 - {I chan24, chan27, chan33 
1} 
PROC25 - PROC AND(chan27, <chan24, chan33>) 
alpha_PROC26 - (I chan34 
PROC26 - PROC C3ND(chan34) 
alpha_PROC27 - {I chan42, chanO, chani, chan2 
PROC27 - PROC DTYPE(chan0, chani, chan2, chan42) 
alpha_PROC28 ý {I chan39 
PROC28 - PROC C3ND(chan39) 
244 
Appendix G: Multi-Type Component Implemented Model Example 
alpha PROC29 : chanii, chanl3, chan50 
PROC29 - PROC AND(chanl3, <chanli, chanSO>) 
alpha 
_PROC30 a 
{I chanl5, chanSO, chanl7 1} 
PROC30 a PROC AND(chan17, <chanl5, chanSO>) 
alpha_PROC31 a {I chan2l, chan7, chan23 1} 
PROC31 = PROC AND(chan7, <chan23, chan2l>) 
alpha PROC32 a {I chan47, chan6, chan29, chan2 
PROC32 a PROC XOR(chan29, <chan47, chan2, chan6>) 
alpha PROC33 a {I chanl8, chan2O 
PROC33 a PROC_NOT(chanl8, chan20) 
alpha_PROC34 a {I chanl9, chan35, chanSO 
PROC34 - PROC AND(chan19, <chan35, chan50>) 
alpha PROC35 - {I chan47 +} 
PROC35 a PROCCiND ( chan4 7) 
alpha PROC36 a {I chanl5, chanl6, chan22 
PROC36 - PROC AND(chanl6, <chanl5, chan22>) 
alpha_PROC37 - {I chanl5, chan43, chan25 1} 
PROC37 - PROC AND(chanl5, <chan25, chan43>) 
alphaPROC38 a (I chan36, chan48, chan38 1} 
PROC3_ = PROC AND(chan36, <chan38, chan48>) 
alpha_PROC39 - {I chan8, chan4l, chan4, chan39 
PROC39 = PROC_OR(chan4l, <chan39, chan4, chan8>) 
alpha_PROC40 - {' chan42, chan3, chan23 1} 
PROC40 - PROC AND(chan3, <chan23, chan42>) 
alpha PROC41 a {+ chan35, chan33 
PROC41 - PROC NOT(chan35, chan33) 
alphaPROC42 = {I chan46, chan0, chanl, chan25 I} 
PROC42 = PROC DTYPE(chan0, chani, chan46, chan25) 
alpha_PROC43 - {) chan0, chan20, chan26, chani 1} 
PROC43 a PROC DTYPE(chan0, chanl, chan20, chan26) 
alpha_PROC44 - (I chan44, chan6, chan38, chan2 1} 
PROC44 = PROC OR(chan38, <chan44, chan2, chan6>) 
alpha PROC45 = {I chan24, chan34, chan9, chan5 11 
PROC45 - PROC_OR(chan24, <chan34, chanS, chan9>) 
-- The outer level signals for the component being tested 
SYSTEM INTERFACE - 
chanl5, chanli, chanl2, chanl6, chanO, chan6, chanl0, chanS, chanl7, chan2, 
chan8, chan3, chanl4, chanl3, chani, chan4, chan7, chan9 
I} 
-- The alphabet of signals used in the model of the logic 
SYSTEM ALPHA - fl chanl8, chanl9, chan20, chan2l, chanl3, chan22, chan23, chan24, chan25, 
i} 
chan7, chan26, chan27, chanl0, chan28, chan29, chan2, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chanl7, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanil, chan45, chan46, chan47, chanl6, chan48, chan4, 
chani, chan49, chanO, chan50, chan8, chan5 
-- 8yst. m Declaration 
SYSTEM LIST a 
of the internal logic coaponenta and the Signal. they use 
(PROCS, alpha_PROCS 
(PROC6, alpha PROC6 
(PROC7, alpha_PROC7 
(PROCS, alpha_PROCB 
(PROC9, alpha_PROC9 ), 
(PROC10, 
(PROC11, 
(PROC12, 
(PROC13, 
(PROC14, 
(PROC15, 
(PROC16, 
(PROC17, 
(PROC18, 
(PROC19, 
(PROC20, 
alpha_PROC10 
alpha_PROC11 
alpha_PROC12 
alpha_PROC13 
alpha_PROC14 
alpha_PROC15 
alpha_PROC16 
alpha_PROC17 
alpha_PROC18 
alpha_PROC19 
alpha PROC20 ), 
245 
Appendix G: Multi-Type Component Implemented Model Example 
(PROC21, alpha_PROC21 
(PROC22, a2pöa_PROC22 
(PROC23, alpha_PROC23 
(PROC24, alpha_PROC24 
(PROC25, alpha_PROC25 
(PROC26, alpha_PROC26 
(PROC27, alpha PROC27 
(PROC28, alpha_PROC28 
(PROC29, alpha_PROC29 
(PROC30, alpha_PROC30 
(PROC31, alpha_PROC31 
(PROC32, alpha_PROC32 
(PROC33, alpha_PROC33 
(PROC34, alpha_PROC34 
(PROC35, alpha_PROC35 
(PROC36, alpha_PROC36 
(PROC37, alpha_PROC37 
(PROC38, alpha_PROC38 
(PROC39, alpha_PROC39 
(PROC40, alpha_PROC40 
(PROC41, alpha_PROC41 
(PROC42, alpha_PROC42 
(PROC43, alpha_PROC43 
(PROC44, alpha_PROC44 
(PROC45, alpha_PROC45 
-- The logic model of the iapleoented coaponent. X pOpec31 
SYSTEM 
REPL(SYSTEM LIST) \ diff(SYSTEM_ALPHA, SYSTEMINTERFACE) 
\ (interna1Choice} 
-- Used to run tbe logic components in parallel 
REPL(p) 
let 
INNERI(pl, al, p2, a2) - pi [I inter(al, a2) 1] p2 
INNER2( <(pl, alº>"<(p2, a2)>"p3 )- 
null(p3) & INNER1(pl, al, p2, a2) 
[] 
not null(p3) & INNER2( <(INNERI(p1, ai, p2, a2), union(ai, a2))>"p3 
INNER3( <(p1, 
_)> 
)- p1 
within ( null(p) & STOP 
[] 
length(p) -- 1& INNER3(p) 
[] 
length(p) >1& INNER2(p) 
G. 1.4 ImpSpec 4: Annotation Only Specification 
This CSP model (see Figure 113), is the expected behaviour of the 'FlipFlopStorage' 
component from an annotation only perspective, with annotation id values for each of the 
interfaces along with the bit width of the storage having to be supplied. The CSP model 
will demonstrate all the possible behaviours that the 'FlipFlopStorage' component can 
perform, thus describing how driving the components interfaces interacts and affect each 
other. 
246 
Appendix G: Multi-Type Component Implemented Model Example 
Flure 113: FHpFlopStorage Component Annotation Only Specification 
channel ehan_mid_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC: 0.. 2 
channel chan_link_PROC_FLIPPLOPSTORAGECOMPONENT_HIGHER_SPEC 
channel chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC (0.. 4) 
channel chan_readbite_PROC FLIPFLOPSTORAGECOMPONENT HIGHER SPEC: (0.. 2). (0,1) 
channel chan_etorebite_PROC FLIPFLOPSTORAGECOMPONEN_T HIGHER_SPEC: (0.. 2). (0,1) 
PROC_FLIPFLOPSTORAGECOMPONENT HIGHER SPEC(bitLength, aid, rid) 
let 
A= 
length(rid) _= 0 and length(rid) 0& SKIP 
[] 
length(rid) !-0 and length(rid) 0&B 
11 
length(rid) -- 0 and length(rid) !=0&C 
C) 
length(rid) !=0 and length(rid) !-0&D 
B- 
let 
BA = 
( [ý {ý annotation. RESET, 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT__HIGHER_SPEC 
f} ý) x: set(sid) 0 BS(x) 
[I (l chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC, 
annotation. RESET 
11 
1} 
BD 
88 (x) _ 
y: set(sid) Q annotation. RESET. y -> SKIP ); B8(x) 
[1 
annotation. IDLE. x -> 
chan_link PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC -> 
chan link PROC FLIPFLOPSTORAGECOMPONENT__HIGHER_SPEC -> 
BS (x) 
[1 
annotation. STORE. x -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. O -> 
(( III y: {O.. (bitLength-1)} ® 
annotation. DATABIT. x. y. o -> SKIP 
[] 
annotation. DATABIT. x. y. 1 -> SKIP 
chan_link 
_PROCFLIPFIAPSTORAGECOMPONENT 
HIGHfiR_SPEC -> 
Chaa_PROCFLIPFLOPSTORAGECOMPONENT_HIGHER SPEC-4 
annotation. NOTSTORED. x -> 
chan link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC 
BC(x) 
(J 
ohan_PROC PLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 3 
annotation. STORED. x -> 
Chan 
_link_PROC_PLIPFLOPSTORAGECOMPONENT_HIGHER 
SPEC -> 
BB (x) 
BC (x) _ 
y: set(sid) 0 annotation. RESET. y -> SKIP ); BB(x) 
[] 
chan_link _PROC_FLIPFLOPSTORAGECOMPONENT'_HIGHER 
SPEC -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 4 
annotation. NOTSTORED. x -> 
chan_link 
_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC 
-> 
BC(x) 
BD - 
247 
Appendix G: Multi-Type Component Implemented Model Example 
y: set(sid) 0 annotation. RESET. y -> SKIP ); BD 
[] 
char PROC FLIPFLOPSTORAGECOMPONENT HIGHER SPEC. 3 -> BD 
(] 
chan PROC FLIPPLOPSTORAGECOMPONENT HZGHER SPEC. 0 -> BE 
BE .---- 
chan-PROC-FLIPFLOPSTORAGECOMPONENT-HIGHER-SPEC. 3 -> BD 
(7 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 0 -> BF 
BF : 
y: aet(aid) ® annotation. RESET. y -> SKIP ); BD 
(7 
chan PROC FLIPFLOPSTORAGECOMPONENT HIGHER SPEC. 4 -> BF 
() ---- 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 0 -> BF 
within BA \ {I chan link_PROC FLIPFLOPSTORAGECOMPONBNT_HIGHER 
_SPEC, 
I} 
chap_PROC_FLIPFLOPSTORAGECOMPONENT HIGHER SPEC 
C= 
let 
CA . 
[ý {) annotation. RESET, 
i} 
chan_link_ PROC_FLIPFLOPSTORAG3ELbMPONENT_HIG3HER_SPEC 
II x: set(rid) ® CB(x) 
CB(x) _ 
(( lif y: set(rid) ® annotation. RESET. y -> SKIP ); CB(x) 
[] 
annotation. IDLE. x -> 
chan_link 
_PROC_FLIPFLAPSTORAGECOMPONENT_HIGHER 
SPEC -> 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC -> 
CB (x) 
[] 
annotation. READ. x -> 
chan_link PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC -> 
CC (x) 
CC (x) _ 
annotation. READALLOWED. x -> 
({ ýý) y: (0.. (bitLength-1)} ® annotation. DATABIT. x. y. 0 -> SKIP 
chan link PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC -> CB(x) 
within CA \ {ý chan_link_PROC FLIPFLOPSTORAßBCOMPONENT HIGHER_SPfiC ý} 
let 
DA 
tl 
[ union ( 
annotation. RESET, 
Chan link PROC FLIPFLOPSTORAGECOMPONENT_HIGHERSPEC 
I} 
ý chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. y 
Y<-(2,3} 
} 
I] x: eet(aid) ® DS(x) 
union({l annotation. RESET, 
chap link PROC FLIPFLOPSTORAGECOMPOHENT_HIGHER 
SPEC 
11 
{ chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. y 
y<-{2,3} 
} 
I] [I union((I annotation. RESET, 
chan link PROC PLIPFLOPSTORAGECOMPONENT_HIGHER SPEC 
248 
Appendix G: Multi-Type Component Implemented Model Example 
} 
II ý ý ýci 
{ chap PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. y 
I Y<-{2,3} 
x: set(rid) ® DD(x) 
Iý {ý chan_link PROC_FLIPFIAPSTORAGECOMPONSNP_HIGHER SPEC, 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHERSPEC, 
chan_storebits_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC, 
chan_readbita_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC, 
annotation. RESET 
1) 
chan_link_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC, 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC, 
chan_storebits_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC, 
Chan readbita PROC PLIPPLOPSTORAGECOMPONENT HIGHER SPEC 
I) -- Store 
DB (x) 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC -> 
((( III y: union(set(sid), set(rid)) 0 annotation. RESET. y -> SKIP 
DB (x} 
[l 
annotation. IDLE. x -> 
-> chan link PROC_PLIPPLOPSTORAGECOMPONENT_HIGHER-SPEC 
Chan_PROC PLIPPLOPSTORAGECOMPONENTHIGHER SPEC. 2 -> SKIP 
[l 
char PROC PLIPPLOPSTORAGECOMPONENT HIGHER SPEC. 3 -> SKIP 
DB (x) 
f] 
annotation. STORE. x -> 
chan_PROC F'LIPFLOPSTORA(3ECOMPONENT_HIQHER SPEC. 0 -> 
y: {0.. (bitLength-1)} ® 
annotation. DATABIT. x. y. 0 -> 
Chan 
-atorebita_PROC_FLIPFLOPSTORAßECOMPONENT_HI(3HER_SPEC. 
y. 0 -> 
SKIP 
(1 
annotation. DATABIT. x. y. 1 -> 
chan_atorebits_PROC FLIPFLOPSTORAGBCOMPONENT_HIGHER_SPEC. y. l -> 
SKIP 
chan_link 
_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER 
SPEC -> 
than PROCFLIPFLOPSTORAGECOMPONENT HIGHER_SPEC. 2 -> 
annotation. STORED. x -> 
DB(x) 
(l 
Chan_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC. 3 -> 
annotation. NOTSTORED. x -> 
DC (x) 
DC(x) - 
chan_linkPROC_FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC -> 
((( IU y: union(aet(aid), set(rid)) 6 annotation. RESET. y -> SKIP 
249 
Appendix G: Multi-Type Component Implemented Model Example 
DB (x) 
[) 
chan_link_PROCFLIPFLOPSTORAGECOMPONENT_HIGHER-SPEC -> 
chan PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 3 -> 
annotation. NOTSTORED. x -> 
DC(x) 
-- Reads 
DD (X) s 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC -> 
((( III y: union(aet(aid), set(rid)) 0 annotation. RESET. y -> SKIP 
DD (x) 
[] 
annotation. IDLE. x -> 
chan_link 
_PROC_PLIPFLOPSTORAGECOMPONENT_HIGHERSPEC ch 
-> 
an_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC. 2 -> SKIP 
[) 
chan_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC. 3 -> SKIP 
DD (x) 
[) 
annotation. READ. x -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 1 -> 
((( [j union( 
{ chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. y, 
annotation. READALLOPiED. x, 
annotation. DONTREAD. x, 
chan link_PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC 
I y<-{2,3) 
} 
annotation. RESET 
y: {0.. (bitLength-1)} ® 
chan_readbits PROC_FLIPFIAPSTORAGECOMPONENT_HIGHER_SPEC. y. O -> DG(x, y, 0) 
t] 
chan readbits_PROC_FLIPPIAPSTORAGECOMPONENT_HIGHER_SPEC. y. 1 -> DG(x, y, 1) 
union( 
char PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. y, 
annotation. READALLOWED. x, 
annotation. DONTREAD. x, 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC 
I y<-12,3) 
{ 
} 
{l annotation. RESET ýj 
DF(x) 
) 
DD 
(x1 
DE(x) 
117 y: union(set(sid), set(rid)) ® annotation. RESET. y -> SKIP 
(I 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHERSPEC -> 
Chan PROC FLIPFLOPSTORAGECOMPONENT HIGHER_SPEC. 3 -> 
250 
Appendix G: Multi-Type Component Implemented Model Example 
annotation. DONTREAD. x -> 
than link 
_PROC_FLIPPLOPSTORAGECOMPONENT 
RIGHER_SPEC -> 
DE (x) 
DF(x) 
Y: union(set(sid), set(rid)) a annotation. RESET. y -> SKIP [] 
Chan 
_link _PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC -> Chan_PROCFLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 2 -> 
annotation. READALLOWED. x -> 
SKIP 
1] 
Chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. 3 -> 
annotati"on. DONTREAD. x -> 
Chan 
_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC -> DE (x) 
DG(x, y, z) _ 
chan_link PROC_PLIPFIAPSTORAGECOMPONENT_HIGHER SPEC -> 
Chan_PROC_PLIPFLOPSTORAGECOMPONENT_HIQiER_SPEC. 2 -> 
( annotation. READALLOWED. x -> annotation. DATABIT. x. y. z -> SKIP 
[] 
annotation. DONTREAD. x -> DH(x, y, z) 
[l 
chan PROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 3 -> 
annotation . 
DONTREAD. x -> 
chan_link PROC_FLIPFIOPSTORAGECOMPONENT HIGHER_SPEC -> 
DI (x) 
DH(x, y, z) a 
chan_link PROC FLIPFLOPSTORAGECOMPONENTHIGHER _SPEC -> IIIýY: union(set(aid), aet(rid)) @ annotation. RESET. y -> SKIP 
[] 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC -> 
chan_PROC_FLIPFIAPSTORAGECOMPONENT_HIGHER SPEC. 2 -> 
( annotation. READALLOiPED. x -> annotation. DATABIT. x. y. z -> SKIP 
[] 
annotation. DONTREAD. x -> DH(x, y, z) 
DI (x) 
[l 
chan_PROCFLIPFLOPSTORAGECOMPONENT HIGHER SPEC. 3 -> 
annotation. DONTREAD. x -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENTHIGHER SPEC -> 
DI(x) 
((ý! ý y: union(aet(eid), set(rid)) 0 annotation. RESET. y -> SKIP 
(] 
chan_link 
_PROC_FLIPFIAPSTORAGSCOMPONENT_HIGHSR 
SPEC -> 
ChanPROC FLIPFLOPSTORAGECOMPON6NT HIGHER_SPEC. 3 -> 
annotation. DONTREAD. x -> 
chan_link PROC_FLIPFLOPSTORAGßCOMPONENT_HIGHER SPEC -> 
DI (x) 
-- Storeage 
DJ . 
( [ý (I annotation. RESET 1] x: {0.. (bitLength-1)} ® DK(x, 0) 
Iý () annotation. RESET 
DL 
DK(x, y) ý 
(( III y: union(set(sid), set(rid)) ® annotation. RESET. y -> SKIP 
DK (x, 0) 
(1 
than readbits PROC FLIPPLCPSTORAGECOMPONENT_HIGHER SPEC. x. y -> 
251 
Appendix G: Multi-Type Component Implemented Model Example 
(x, DK Y) 
[] 
chan_atorebita PROC_FLIPFIAPSTORAGECOMPONENT HIGHER_SPEC. x. 0 -> DK(x, 0) 
[l 
chan etorebitaPROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. x. 1 -> 
DIC(x, 1) 
DL - 
Chan 
_link _PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC -> chan_linkPROCFLIPFLOPSTORAGECOMPONENTHIGHER SPEC -> 
chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 2 -> 
DL 
[) 
Chan - 
PROC-FLIPPLOPSTORAGECOMPONENT-HIGHER-SPEC. 0 -> DM 
[] 
Chan PROC FLIPFLOPSTORAGECOMPONENT HIGHER SPEC. 1 -> DN ---- [1 
(( III y: union(aet(aid), aet(rid)) 0 annotation. RESET. y -> SKIP 
DL 
ý 
DM . 
chart link PROC_PLIPPLOPSTORAGECOMPONENT_HIGHERSPEC -> 
chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. 2 -> 
DL 
[] 
Cha1i_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 0 -> DO 
p 
chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. 1 -> DO 
DN = 
Chaa_link_PROC_FLIPFLOPSTORAGECOMPONENT HIGHER SPEC -> 
Chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. 2 -> 
DL 
I] 
Chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER_SPEC. O -> DO 
[] 
Chan_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. 1 -> DN 
DO = 
(( III y: union(set(sid), set(rid)) 0 annotation. RBSET. y -> SKIP 
DL 
[7 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHERSPEC 
Chan PROC FLIPFLOPSTORAGECOMPONENT HIGHER SPEC. 3 -> 
chan_link_PROC_FLIPFLOPSTORAGECOMPONENT_HIGHERSPEC -> 
DO 
[] 
Chan PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. 0 -> DO 
q 
chan_PROC FLIPFLOPSTORAGECOMPONENT_HIGHER SPEC. 1 -> DO 
within DA 
within A 
G. 2 Assertions: Linking the Models Together 
G. 2.1 ImpSpec Assertion 1: Deadlock-Free 
The assertion stated in Figure 114 checks that the model of the segment of logic circuit is 
deadlock-free. This check demonstrates two properties, the first is that there exists no 
252 
Appendix G: Multi-Type Component Implemented Model Example 
loops consisting of only clocked or non-clocked logic components, the second is that any 
internal components are guaranteed to be driven correctly so long as the outer component 
is driven correctly. The guarantee that internal components are driven correctly is possible 
because the models of the internal components are models that accept all possible inputs 
(both valid and incorrect), with the incorrect inputs being followed by explicitly defined 
deadlock i. e. `STOP' (see section D. 1.2). If the STOP's are not reached, then invalid 
inputs to internal components have not been created or propagated through. The 
demonstrated multi type implemented component does not utilise other internal 
components, this check is here to provide the functionality for enabling the development 
of other multi type components which may require this feature. 
-- Obann*l daalärations 
channel internalChoice 
channel chan0 : {1} 
channel chanl8, chanl9, chan20, chan2l, chan13, chan22, chan23, chan24, chan25, 
chan7, chan26, chan27, chanl0, chan28, chan29, chan2, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chanl7, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanll, chan4S, chan46, chan47, chanl6, chan48, chan4, 
chanl, chan49, chan50, chan8, chan5 : (0,1} 
-- Crsats an iastanco of the modals to absOk 
-- The alpha pROC contains the lov level cbannals used by the procassas 
alpha_PROC6 = {ý chanl5, chanll, chanl2, chanl6, chanO, chan6, chanl0, chan5, 
chanl7, chan2, chan8, chan3, chanl4, chanl3, chanl, chan4, 
chan7, chan9 
PROC6 - PROC_S41DRAC38CUMPONENT_CONTROLL( 
chan0, chani, 
< (chan2, chan3, cchan4, chan5> ) 
(chan6, chan7, cchan8, chan9> ) 
< (chanl0, chanll, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
l 
-- An iaVlmantatian of the logic to aboak 
SYSTEM_INT$RFACE - 
{) chanis, chanil, chanl2, chanl6, chanO, chan6, chanlO, chan5, chanl7, chan2, 
chan8, chan3, chanl4, chan13, chani, chan4, chan7, chan9 
I} 
ZMP_8PEC3 - SYSTEM 
CiEN 8PEC3 - PROC6 
-- Deadlock-tree aback the expected correct generic aaypoaeat 
assert (IMP_SPEC3 (I SYSTEM INTERFACE 11 GEN SPEC3) : [deadlock free [F]7 
Figure 114: 'FIIpFlopStorage' Component Deadlock-Free Assertion 
253 
Appendix G: Multi-Type Component Implemented Model Example 
G. 2.2 ImpSpec Assertion 2: Super Type Control Only Limits the Behaviour 
The assertion stated in Figure 115 demonstrates that the process that dictates allowable 
correct driving input signals of the super type of this component, does only limit the 
behaviour of this implemented component, thus ensuring that it does not introduce any 
new behaviour. 
-- ahann01 daclarationi 
channel internalChoice 
channel chan0 : {1} 
channel chanl8, chanl9, chan20, chan2l, chanl3, chan22, chan23, chan24, chan25, 
chan7, chan26, chan27, chanl0, chan28, chan29, chan2, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chanl7, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanll, chan45, chan46, chan47, chanl6, chan48, chan4, 
Chani, chan49, chan50, chan8, chanS : (0,1} 
Create an instanoe of the modole to check 
-- rho alpha_PROC contains the low level channels used by the processes 
alpha_PROC6 - {j chanl5, chanll, chanl2, chanl6, chan0, chan6, chanlO, chan5, 
chanl7, chan2, chan8, chan3, chanl4, chanl3, chanl, chan4, 
chan7, chan9 
1} PROC6 - PROC STORAaBCOMPONENT CONTROLL( 
chanO, chani, 
< (chan2, chan3, <chan4, chan5> ) 
(chan6, chan7, <chan8, chan9> ) 
< (chanl0, chanii, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> ) 
-- An iaWIaontatiao of tho logic to chock 
SYSTEM INTERFACE - 
(I chanl5, chanll, chanl2, chanl6, chan0, chan6, chanl0, chan5, chanl7, chan2, 
i) 
chan8, chan3, chanl4, chanl3, chani, chan4, chan7, chan9 
IMP_SPEC3 - SYSTEM 
GEN SPECS . PROC6 
-- Check that the control specification only limits the behaviour of the aagaant 
-- of logic, and does not introduce new behaviour 
assert IMP_SPEC3 [T- (IMP SPEC3 [I SYSTEM INTTBRFACE 11 GEN SPEC3) 
Figure 115: Super Type Component Limits the Behaviour of the Implementation 
G. 2.3 ImpSpec Assertion 3: Expected Component Behaviour Is Deadlock- 
Free 
The assertion stated in Figure 116 demonstrates that the expected boundary behaviour 
that the model of the implementation of the logic circuit segment will be checked against 
254 
Appendix G: Multi-Type Component Implemented Model Example 
is deadlock-free. This is to provide better confidence in this models correctness as it will 
be used in future checks. 
-- channel declarations 
channel internalChoice 
channel chanO : {1} 
channel chanl8, chanl9, chan20, chan2l, chanl3, chan22, chan23, chan24, chan25, 
chan7, chan26, chan27, chanl0, chan28, chan29, chan2, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chanl7, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanll, chan45, chan46, chan47, chanl6, chan48, chan4, 
chanl, chan49, chan50, chane, chan5 : {0,1} 
-- Create an Instance of the mod*lo to chock 
IMP_SP8C1 - PROC FLIPFIAPSTORAGSCOMPONSNT_DßSIRED_SPSC( 
chan0, chani, 
< (chan2, chan3, <chan4, chan5> ) 
(chan6, chan7, <chan8, chan9> ) 
< (chani0, chanil, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
> 
assert IMP_SPEC1 : [deadlock free [F]] 
Figure 116: Expected Component Behaviour Is Deadlock-Free 
G. 2.4 ImpSpec Assertion 4: Expected Boundary Behaviour Refines Super 
Type 
The assertion stated in Figure 117 demonstrates that the expected correct boundary 
behaviour of the implemented component is a valid refinement of the expected boundary 
behaviour of its generic super type component. 
255 
Appendix G: Multi-Type Component Implemented Model Example 
-- channel d*cIarations 
channel internalChoice 
channel chan0 : {1} 
channel chan18, chanl9, chan20, chan2l, chanl3, chan22, chan23, chan24, chan25, 
chan7, chan26, chan27, chanl0, chan28, chan29, chan2, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chanl7, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanii, chan45, chan46, chan47, chanl6, chan48, chan4, 
chanl, chan49, chanSO, chan8, chan5 : {O, 1} 
-- Create an iaatanae of the aodela to Check 
IMP_SPEC1 - PROC_FLIPFLOPSTORAGECOMPONENTDESIRED SPEC( 
chan0, chant, 
< (chan2, chan3, <chan4, chanS> ) 
(chan6, chan7, <chane, chan9> ) 
< (cbanlO, chanll, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
GEN SPEC1 . 
PROC_STORA(; ECOMPONENT_DESIRED_GiSNERIC_SPEC( 
chanO, chani, 
< (chan2, chan3, <chan4, chan5> ) 
(chan6, chan7, <chan8, chan9> ) 
> 
< (chanl0, chanli, <chanl2, chanl3> 
(chan14, chanl5, <chanl6, chanl7> 
ý {internalChoice} 
assert GEN_SPEC1 [T. IMP_SPEC1 
Figure 117: Expected Component Behaviour Is a Refinement of Super Type 
G. 2.5 ImpSpec Assertions 5: Correctly Driven Implementation Behaves as 
Expected 
The assertions stated in Figure 118 demonstrate that the segment of logic circuit for this 
implemented component, if driven correctly, behaves as expected. 
256 
Appendix G: Multi-Type Component Implemented Model Example 
-- abannel daolarationAr 
channel internalChoice 
channel chano : {1} 
channel chanl8, chanl9, chan20, chan2l, chanl3, chan22, chan23, chan24, chan25, 
chan7, chan26, chan27, chanl0, chan28, chan29, chan2, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chanl7, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanli, chan45, chan46, chan47, chanl6, chan48, chan4, 
chani, chan49, chan50, chan8, chan5 : (0,1} 
-- Craat" an initanoa of the aodel" to check IMP SPEC1 - PROC_P'LIPFLOPSTORAC3ECOMPONENT DESIRED SPEC( 
chan0, chani, 
< (chan2, chan3, <chan4, chan5> ) 
(chan6, chan7, <chane, chan9> ) 
< (chanl0, chanll, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> 
'- Croats an instance of the modals to chock 
-- The alpha F1toC contains the low level channels used by the processes 
alpha_PROC6 . {ý chanl5, chanil, chanl2, chanl6, chanO, chan6, chanio, chanS, 
chanl7, chant, thane, chan3, chanl4, chanl3, chani, chan4, 
chan7, chan9 
PROC6 : PROC_STORAGBCOMPONBNT CONTROLL( 
chanO, chant, 
< (chan2, chan3, <chan4, chan5> ) 
(chan6, chan7, <chan8, chan9> ) 
< (chanl0, chanii, <chanl2, chanl3> 
(chanl4, chanl5, <chan16, chan17> 
-- An iWlNimtation of the logic to chick 
SYSTEM INTERFACE - 
{I chanl5, chanii, chanl2, chanl6, chanO, chan6, chanl0, chan5, chanl7, chan2, 
I} 
chan8, chan3, chanl4, chanl3, chani, chan4, chan7, chan9 
IMP SPSC3 - SYSTEM 
GENT SPSC3 a PROC6 
assert IMP_SPEC1 [PD. 
( (IMP_SPEC3 [I SYSTEM INTERFACE I) GEN SPECS) \ {ý annotations ý) ) 
assert ( (IMP_SPEC3 (I SYSTEM INTERFACE 1) GEN_SPEC3) 
\ {I annotations j) 
__ 
) [FD- IMP SPEC1 
Figure 118: Correcäy Driven Component Behaves as Expected 
G. 2.6 ImpSpec Assertion 6: Annotation Outer Level Does Not Introduce 
Deadlock 
The assertion stated in Figure 119 demonstrates that annotating the outer level of the 
implemented component with the annotation process specified by its super type (i. e. 
GenSpec 5, see Section F. l . 5), does not introduce any deadlocks. 
257 
Appendix G: Multi-Type Component Implemented Model Example 
-- channel dealaratiousa 
channel internalChoice 
channel chanO : {1} 
channel chanl8, chanl9, chan20, chan2l, chanl3, chan22, chan23, chan24, chan25, 
chan7, chan26, chan27, chanl0, chan28, chan29, chan2, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chanl7, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanli, chan4S, chan46, chan47, chanl6, chan48, chan4, 
chani, chan49, chan50, chan8, chan5 : {O, 1} 
-- Create an instance of the model& to aback 
IMP SPEC1 s PROC PLIPPLOPSTORAOECOMPONENT DESIRED SPEC( 
chano, chani, 
c (chan2, chan3, <chan4, chan5> (chan6, chan7, <chan8, chan9> ) >, 
< (chanlO, chanii, <chanl2, chanl3> ), (chanl4, chanl5, <chanl6, chanl7> )> 
-- Create an instance of the models to check 
-- The alpha PROC contain, the low level ahannala nand by the processes 
alpha PROC6 chanl5, chanil, chan12, chanl6, chan0, chan6, chanl0, chan5, 
chanl7, chant, chan8, chan3, chanl4, chanl3, chant, chan4, 
chan7, chan9 
i} PROC6 . PROCSTORAGECOMPONENT CONTROLL( 
chanO, chani, 
< (chan2, chan3, <chan4, chan5> (chan6, chan7, <chan8, chan9> ) >, 
< (chanlO, chanli, <chanl2, chanl3> ), (chan14, chanl5, <chanl6, chanl7> 
alpha_PROCS = tý chanl5, chanii, chanl2, chanl6, chanO, chan6, chanl0, chan5, 
chanl7, chan2, chan8, chan3, chanl4, chanl3, chani, chan4, 
chan7, chan9 
I) 
PROCS - PROC STORAC3TsCOMPONBNT ANNOTATfi_OUTBR ( 
chan0, chani, _ 
< (chan2, chan3, <chan4, chan5> 
(chan6, chan7, <chan8, chan9> ) 
<1,3 > 
< (chanl0, chanii, <chanl2, chanl3> 
(chanl4, chanl5, <chanl6, chanl7> } 
<5,7 > 
-- An implementation of the logic to check 
SYSTEM-INTERFACE . 
{I chanl5, chanll, chanl2, chanl6, chan0, chan6, chanl0, chan5, chanl7, chan2, 
I} 
chan8, chan3, chanl4, chan13, chanl, chan4, chan7, chan9 
TMP SPEC3 - SYSTEM 
dEN_SPEC3 - PROC6 
GEN 
-SPECS - 
PROCS 
assert ( (IMP_SPEC3 [I SYSTEM-INTERFACE 11 GEN-SPEC3) 
(I SYSTEMINTERFACE J] GEN SPEC5 
: [deadlock free [F]] 
Fldure 119: Annotating outer level of the component does not introduce deadlock 
258 
Appendix G: Multi-Type Component Implemented Model Example 
G. 2.7 ImpSpec Assertion 7: Expected High Level Behaviour is Deadlock 
Free 
The assertion stated in Figure 120 demonstrates that the high level model describing the 
expected behaviour of the implemented component is deadlock-free. This helps to build 
confidence in the model for when using it in future checks. 
-- Create an . instanoa of the imodels to check IMP SPEC4 - PROC_FLIPFIAPSTORAGSCOMPaNENT_HIC3HER_SPfiC(2, <1,3>, <5,7> 
assert IMP SPEC4 : [deadlock free EP]] 
FIQnre 120: Components High Level Behaviour Is Deadlock-Free 
G. 2.8 ImpSpec Assertions 8: Component Behaves Similarly to Expected 
Higher Spec 
The assertions stated in Figure 121 demonstrate that the annotations obtained from the 
implemented segment of logic circuit, performs in a similar manner to that of the 
expected higher behavioural specification. The test can not be failure divergence checked 
both ways (one has to be a trace refinement), this is due to the way annotations are added 
to the outer layer. As the outer level input annotations occur after the corresponding low 
level input signal events (i. e. the events that represent the wires), hiding these low level 
signal events causes the high level model extracted from the implemented segment of 
logic circuit to appear to have internal choice determining the high level conceptual input 
states. The internal choice for the inputs does not really exist, but appears because the 
events that do determine what occurs though external choice have been hidden (i. e. the 
low level signals). Through altering the process of annotating the outer level of a 
component (see Appendix H), it is possible to simplify the extracted model so that it 
directly equivalent to the expected higher behaviour. 
259 
Appendix G: Multi-Type Component Implemented Model Example 
-- chanaýl daclaratioaý 
channel internalChoice 
channel chano : {1} 
channel chanl8, chanl9, chan20, chan2l, chanl3, chan22, chan23, chan24, chan25, 
chan7, chan26, chan27, chanlO, chan28, chan29, chant, chan30, chan9, 
chan3l, chanl2, chan32, chan33, chan34, chan17, chanl4, chan35, chanl5, 
chan36, chan37, chan38, chan39, chan6, chan40, chan4l, chan3, chan42, 
chan43, chan44, chanli, chan45, chan46, chan47, chanl6, chan48, chan4, 
chani, chan49, chanSO, chanS, chan5 : {0,1} 
-- Craata an 1natanaa of tha awdala to ahoak 
IMP_SPBC1 - PROC_FLIPFLOPBTORAGiECOMPONBNT D88IR8D_SPBC( 
chan0, chani, 
< (chan2, chan3, <chan4, chan5> (chan6, chan7, cchan8, chan9> ) >, 
< (chanl0, chanli, <chanl2, chanl3> (chani4, chanl5, <chanl6, chanl7> 
-- Croats an Instance of the imodelAr to check 
-- She alpha pROC contains the low level channels used by the processes 
alpha PROC6 . {ý chanl5, chanii, chanl2, chanl6, chanO, chan6, chanl0, chan5, 
chanl7, chan2, chan8, chan3, chan14, chanl3, chani, chan4, 
chan7, chan9 
I} 
PROC6 - PROC_6TORAaBCOMPONSNT CONTROLL( 
chan0, chani, 
< (chan2, chan3, <chan4, chan5> (chan6, chan7, <chan8, chan9> ) >, 
< (chanl0, chanli, <chanl2, chanl3> (chanl4, chanl5, cchanl6, chanl7> )> 
alpha_PROCS = {ý chaniS, chanil, chanl2, chani6, chanO, chan6, chanlO, chan5, 
chanl7, chan2, chan8, chan3, chanl4, chanl3, chani, chan4, 
chan7, chan9 
I} 
PROCS - PROC STORAQECOMPONENT_ANNOTATE_OUTER 
chan0, chanl, 
< (chan2, chan3, <chan4, chan5> ). (chan6, chan7, <chan8, chan9> ) >, 
<1,3 >, 
< (chanlO, chanil, <chanl2, chanl3> (chanl4, chanl5, <chanl6, chanl7> ) >, 
<5,7 > 
-- An tWldontation of the logic to aboak 
SYSTEM INTERFACE - 
chanl5, chanli, chanl2, chanl6, chanO, chan6, chanlO, chanS, chanl7, chan2, 
chan8, chan3, chanl4, chanl3, chanl, chan4, chan7, chan9 
I} 
IMP SPECS - SYSTEM 
GEN SPEC3 - PROC6 
GEN SPECS - PROCS 
assert (( (IMP_SPEC3 [I SYSTEM-INTERFACE 1] C; EN_SPEC3) 
[+ SYSTEM INTERFACE 11 GEN-SPECS 
\ SYSTEM INTERFACE 
[FD. Imp_Model 3 
assert Imp Model_3 IT. (( (IMP_SPEC3 (I SYSTEMINTERFACE 1) GEN_SPEC3) 
SYSTEM INTERFACE -) GEN SPEC5 
\ SYSTEM-INTERFACE 
figure 121: Component Behaves Similarly to Expected Higher Behaviour 
260 
Appendix G: Multi-Type Component Implemented Model Example 
G. 3 Conclusions & Evaluation 
The combination of the assertions covered in section G. 2 links various properties of the 
various models covered in section G. 1 together and also with some of the models covered 
in section F. 1 (i. e. the models for its corresponding super type). This builds up confidence 
with the implemented component through crosschecking various properties hold true 
throughout the various models crated for it, along with the implementation being a 
refinement of its super type component, thus allowing the implemented component to be 
placed wherever its super type has been used. 
GA Future Work 
G. 4.1 Linking Clock Cycle Annotations to Higher Specification 
Similar to the work described in section D. 4.1, the CSP model covered in section G. 1.4 
could be linked to a higher conceptual description of the component that gives the 
sequencing of the required conceptual events at a software level, and not a hardware clock 
cycle level. 
261 
Appendix H Alternative Generic 
Specification Model Example 
This section will cover and explain the simplified CSP models required for a generic 
super-type component, along with the assertions that need to be checked to link the 
models to each other. The main modification arises from the process that controls the 
driving of a component supplying the driving signals, instead of just limiting what signals 
can be accepted. This modification also affects the method of annotating the outer layer of 
a component, which will have the effect of simplifying the higher level clock based 
annotation specification of implemented components, thus causing the annotation of the 
start signals preceding the start signals of internal components, and not being specified as 
occurring in parallel which the current implementation indicates. The main benefit of this 
is that when the annotations are simplified to the software based CSP model, it will more 
directly mimic the application source code and becomes more apparent when proving an 
implemented component. The adaptation of the processes also causes some miner 
modifications of the assertions that are required for the proof to hold true, along with the 
introduction of a `NOTRESET' annotation. 
H. 1 Models & Specifications 
The `internalChoice' event that may appear within the code examples has been utilised 
instead of internal choice (i. e. 'I -. I') to enable 'chase' compression to applied if desired. 
The 'internalChoice' event must be hidden for the specifications to be valid, but if 'chase' 
compression has been chosen, the event should only be hidden after 'chase' has been 
applied, otherwise the specification becomes invalid. 
H. 1.1 GenSpec 1: Valid Low Level Behaviour 
This model (see Figure 122) specifies all the valid and allowable low level behaviour of 
this type of super type component. The purpose is to describe the interface boundary 
behaviours, thus enabling implemented components to refinement check against it, 
Appendix H: Alternative Generic Specification Model Example 
proving there behaviours are within the requirements for it to be a sub-type of this super- 
type. 
PROC_PROCESS DESIRED_GENERIC_SPEC(clock, reset, start, finish) - 
let 
A 
start? x -> reset? y -> C(x, y) 
[] 
reset? y -> start? x -> C(x, Y) 
B 
start? O -> reset? y -> D( y) [] 
reset? y -> start? O -> D(y) 
C (x, y) - 
y =- 1& clock? 1 -> finishl0 -> A [] 
y =- 0& 
x -= 0& clock? i -> finishl0 -> A 
[] 
x -- 1& clock? 1 -> 
internalChoice -> finishll -> A 
[] -- 1-I internalChoice -> finishl0 -> B 
D (Y) . 
y =" 1& clock? 1 -> finishlO -> A 
Il 
y == 0& clock? 1 -> 
internalChoice -> finishli -> A 
[) -- I-1 internalChoice -> finish! 0 -> B 
within finiehlO -> A 
Figure 122: Low Level Generic Control Flow Specification 
This specification will only accept correct input driving signals, and will return valid 
output result signals. Internal choice is utilised to enable it to specify all the possible valid 
refinements. 
H. 1.2 GenSpec 2: Low Level Behaviour with Explicit Deadlocking 
This CSP model (see Figure 123) is based on the model covered in section H. 1.1, but 
altered to also accepts invalid driving input signals to be submitted to it. These invalid 
input driving signals are followed by an explicitly defined `STOP', that will explicitly 
deadlock the model should it ever be reached. Similar to the specification in section 
H. 1.1, the returned output signals will be all the valid possible permutations allowed 
(internal choice is utilised to create those permutations, so long as it is driven correctly). 
The reason why this model will accept invalid driving signals is to enable the 
263 
Appendix H: Alternative Generic Specification Model Example 
demonstration that the driving control process will only provide correct valid driving 
signals. 
PROC_PROCESS_GENERIC_SPEC(clock, reset, start, finish) 
let 
A 
start? x -> reset? y -> C(x, y) U 
reset? y -> start? x -> C(x, y) B= 
start? 1 -> STOP (] 
start? O -> reset? y -> D( y) [] 
reset? y -> 
start? O -> D(y) l] 
start? 1 -> STOP 
C(x, y) 
y1& clock? l -> finishl0 -> A 
11 
yý=0& 
(xý. 
) 
D(Y) - 
Y .: 
[) 
0& clock? 1 -> finishlO -> A 
[I 
X :s1& C10Ck? 1 -> 
internalChoice -> finishil -> A 
[I -- 1-1 internalChoice -> finiehl0 -> B 
1& clock? 1 -> finishlO -> A 
y -- 0& clock? l -> internalChoice -> finish! ]. -> A 
t)--I-1 
internalChoice -> finiehl0 -> B 
within finishlO -> A 
ý 
Figure 123: Low Level Generic Control Flow Specification with Explicit Deadlocking 
H. 1.3 GenSpec 3: Correct Component Driving 
This CSP model (see Figure 124) is used to provide the valid input driving signals to an 
implemented sub-type component while testing is performed. It uses internal choice to 
achieve this, and has external choice to enable both correct and incorrect output signals to 
occur. The invalid output signals are followed by an explicitly defined deadlock `STOP', 
which combined with deadlock-free checks will enabled the component being tested to be 
proven to only output valid signals if it is correctly driven. 
264 
Appendix H: Alternative Generic Specification Model Example 
PROC_PROCESS_DRIVER(clock, reset, start, finish) 
let 
A 
start !1 -> 
reset !1 -> D 
1`1 
reset 10 -> C 
start !0 -> 
reset !1 -> D 
1-1 
reset 10 -> D 
reset !1 -> 
start !1 -> D 
1-1 
start !0 -> D 
reset !0 -> 
( start !1 -> C 
1`1 
start 10 -> D 
B- 
start 10 -> 
reset 11 -> D 
1-1 
reset 10 -> C 
reset 11 -> start 10 -> D 
1-1 
reset 10 -> start 10 -> C 
C- 
clock? 1 -> 
finish? 0 -> B 
(] 
finish? 1 -> A 
clock? 1 -> 
finish? O -> A 
[] 
finish? 1 -> STOP 
within finiehlO -> A 
Figure 124: Generle Control Flow Specification - Correct Siegal Driver 
H. 1.4 GenSpec 4: Annotated Low Level Behaviour with Explicit 
Deadlocking 
This CSP model (see Figure 125) is derived from the one covered in section D. 1.2, but 
containing extra events added to describe conceptually what is occurring. The aim of this 
is to enable a link between a low level hardware model and a higher level conceptual 
meaning of the function the hardware is performing. The added 'id' parameter added to 
265 
Appendix H: Alternative Generic Specification Model Example 
the process is to provide a method to distinguish between different instances of this 
process. The annotation events depicting the states that are entered into from how this 
component is driven can only be specified after the event has occurred, where as the 
output signals are controlled by this component and so the corresponding annotation 
events can be performed before outputting the signals. The reason why renaming can not 
be used to obtain a higher level conceptual model of what is occurring, thus the required 
use of extra events depicting the annotations, is because the same signal states can mean 
different things depending on the state of the system (e. g. a start signal high state `start? 1' 
can mean that this component has been triggered, or that this component is being driven 
incorrectly and an error has occurred). 
channel chan_controllplowAnnotatedSpec 1,2). [0,1F 
PROC_PROCESS_ANNOTATBD_SPEC(clock, reset, start, finish, id) 
let 
A= 
start? x -> reset? y -> C(x, y) 
[] 
reset? y -> start? x -> C(x, y) 
$a 
start? 1 -> annotation. ERROR. id -> STOP 
[] 
start? O -> reset? y -> D(y) 
[) 
reset? y -> 
( start? O -> D(y) 
[) 
start? 1 -> annotation. ERROR. id -> STOP 
C (X, y) a 
y -- 1& annotation. RESET. id -> clock? 1 -> finishlO -> A 
0 
y .: 0& 
(x -- 0& annotation. IDLB. id -> clock? 1 -> finiahl0 -> A 
f) 
x == 1& annotation. START. id -> clock? 1 -> 
internalChoice -> annotation. FINISH. id -> finishtl -> A 
[) -- (-I 
internalChoice -> annotation. NOTFINISHED. id -> 
finisht0 -> B 
1 
D(y) _ 
y -- 1& annotation. RESET. id -> clock? 1 -> finishl0 -> A 
[] 
y -- 0& annotation. NOTRESET. id -> clock? 1 -> 
internalChoice -> annotation. FINISH. id -> finishll -> A 
n -- I-1 internalChoice -> annotation. NOTFINISHED. id -> finishl0 -> B 
within finiehlO -> A 
Figure 125: Annotated Generic Control Flow Specification with Explielt Deadlocking 
266 
Appendix H: Alternative Generic Specification Model Example 
H. 1.5 GenSpec 5: Correct Component Driving Annotating the Outer Layer 
This CSP model (see Figure 126) is used to annotate the outer layer of an implemented 
sub-type of this component. The process is modified from the specification in section 
H. 1.3, it provides the correct input signals preceded by any relevant annotations, and 
accepts both correct and incorrect output signals, post fixing any corresponding 
annotation events that are required after they have occurred. 
PROC_PROCESS ANNOTATED_DRIVER(clock, 
let 
A= 
annotation. START. O -> 
( start !1 -> reset 10 -> C 
1-1 reset !0 -> start I1 -> C 
I-I 
annotation. IDLE. O -> 
( start !0 -> reset 10 -> D 
1-1 reset 10 -> start 10 -> D 
annotation. RESET. 0 -> 
start 11 -> reset I1 -> D 
1-1 
start 10 -> reset I1 -> D 
1-1 
reset 11 -> ( start I1 -> D 
1-1 start 10 -> D 
8 
annotation. RESET. O -> 
( start 10 -> reset 11 -> D 
reset I1 -> start !0 -> D 
annotation. NOTRESET. 0 -> 
( start 10 -> reset 10 -> C 
1-1 reset 10 -> start 10 -> C 
reset, start, finish) 
C- clock? 1 -> 
finish? O -> a nnotation. NOTFINISHED. O -> B 
(] 
finish? 1 -> annotation. FINISH. O -> A 
D- clock? 1 -> 
finish? O -> A 
(] 
finish? 1 -> annotation. ERROR. O -> STOP 
within finiehl0 -> A 
Figure 126: Generic Control Flow Annotate Outer Layer 
267 
Appendix H: Alternative Generic Specification Model Example 
H1.6 GenSpec 6: Clock Cycle Higher Generic Specification 
This CSP model (see Figure 127) is an annotation only clock cycle based higher 
conceptual specification. It is used as a comparison for the extracted annotations from the 
annotated low level hardware models. The model is sufficiently small so that it is unlikely 
that 'chase' compression should be needed to be applied, which is why internal choice 
(i. e. 'I- I') is used instead of using an extra event to simulate internal choice. 
PROC PROCESS_HIßHER OUTER SPEC(id) 
let 
A 
annotation. RESET. id -> A 
[] 
annotation. START. id -> B 
tl 
annotation. IDLS. id -> A 
B C 
annotation. NOTFINISHED. id -> C 1-1 
annotation. FINISH. id -> A 
C= 
annotation. RESET. id -> A 
[] 
annotation. NOTRESET. id -> 
( annotation. NOTFINISHED. id -> C 
i-i annotation. FINI9H. id -> A 
within A 
Figure 127: Generic Control Flow Annotation Specification 
H. 1.7 GenSpec 7: Driving Clock Cycle Higher Generic Specification 
This CSP model (see Figure 128) is the driving component for the annotation only 
specification GenSpec 6. The combination of these two specifications run in parallel can 
be used as a basis to perform checks and comparisons against. 
268 
Appendix H: Alternative Generic Specification Model Example 
PROC PROCESS HIGHER CONTROLL OUTER SPEC (id) 
let 
A= 
annotation. RESET. id -> A 1-i 
annotation. START. id -> B 
i-i annotation. IDLE. id -> A 
B= 
annotation. NOTFINiSHED. id -> C [] 
annotation. FINISH. id -> A 
C= 
annotation. RESET. id -> A 
i-i annotation. NOTRESET. id -> 
annotation. NOTFINISHED. id -> C U 
annotation. FINISH. id -> A 
within A 
i 
Figure 128: Control Generic Control Flow Annotation Specification 
H. 1.8 GenSpec 8: Annotating Clock Cycle Higher Generic Specification 
This CSP model (see Figure 129) is the annotated driving component for the annotation 
only specification GenSpec 6. The combination of these two specifications run in parallel 
can be used as a basis to perform checks and comparisons against. 
PROC PROCESS_HIGHER ANNOTATED OUTER SPEC(id) _ 
let 
A 
annotation. RESST. 0 -> annotation. RESET. id -> A 
i-i annotation. START. o -> annotation. START. id -> B 
i-i annotation. IDLE. O -> annotation. IDLE. id -> A 
8ý 
annotation. NOTFINISHED. id -> annotation. NOTFINISHED. 0 -> C [l 
annotation. FINISH. id -> annotation. FINISH. O -> A 
Ca 
annotation. RESET. O -> annotation. RESET. id -> A 1-1 
annotation. NOTRESET. 0 -> annotation. NOTRESET. id -> 
annotation. NOTFINISHED. id -> annotation. NOTFINISHED. O -> C (l 
annotation. FINISH. id -> annotation. PINISH. O -> A 
within A 
FIgure 129: Annotate Generic Control Flow Annotation Specification 
269 
Appendix H: Alternative Generic Specification Model Example 
H. 1.9 GenSpec 9: Software Higher Generic Specification 
This model (see Figure 130) provides a software level based model of a generic control 
flow process. A process when started may or may not ever finish, and it can only be 
started again if it has finished. 
internal choice with STOP Is provided am an alternative to the FINISH event, 
this is because conceptually when started, a control flow process doom not 
-- have to finish and is dependent on itself or other internal components to 
determine if it does or not. 
PROC PROCESS_HIGHER SIMPLIFIED_SPEC(id) 
let 
A= 
annotation. START. id -> 
STOP 
1-1 
annotation. FINISH. id -> A 
within A 
Figure 130: Eumple of Simplified Control Flow Annotation Specification 
H. 1.10 GenSpec 10: Annotation Only Control Generic Specification 
This model (see Figure 131) provides a process to drive the annotation only specifications 
using internal choice to select the possible valid driving states. 
PROC PROCESS_CONTROL_ANNOTATED_ODTER_SPEC 
1et 
A 
annotation. RESET. O -> A 
1"1 
annotation. BTART. O -> B 
1-1 
annotation. IDLS. O -> A 
B. 
annotation. NOTFINI8H8D. 0 -> C 
[l 
annotation. FINi8H. 0 -> A 
C= 
annotation. RBSET. O -> A 
1-1 
annotation. NOTRESET. O -> 
annotation. NOTFINISHED. 0 -> C 
[7 
annotation. FINISH. 0 -> A 
within A 
Figure 131: Control Process for Annotation Only Control Flow Specification 
270 
Appendix H: Alternative Generic Specification Model Example 
H. 2 Assertions: Linking the Models Together 
To ensure consistency between all the models for a generic component, several assertions 
have to be proven. The consistency between the models is required because the proof of 
an implemented component can utilise several of these specifications. 
H. 2.1 GenSpec Assertion 1: Initial Deadlock-Free Check 
This initial deadlock-free check (see Figure 132) of GenSpec 1 (see section H. 1.1) is to 
provide a base comparison for future deadlock-free checks and trace refinements. 
-- abannol daalarationa 
channel internalChoice 
channel chanO : {1} 
channel chani : {0,1} 
channel chan2 : {0, i} 
channel chan3 : {0,1} 
-- Create an instance of the modal to check 
-- The alpha PROC4 contains the low level channels used by this instance 
alpha_PROC4 - {1 chanO, chant, chant, chan3 1} 
PROC4 - PROC PROCESS DESIRED GENERIC SPEC(chan0, chani, chant, chan3) 
-- Side the internalCboice event to ensure that PROC4 has internal choice 
-- performing correctly if needed. 
GEN SPEC1 -( PROC4 \ {internalchoice} 
-- Deadlock-tree check the eapeated correct generic aoajponant 
assert GEN 8PEC1 : [deadlock free [F]] 
Ftgnre 132: Example of GenSpec Assertion 1 for Controll Flow Process 
H. 2.2 GenSpec Assertion 2: GenSpec 2 Contains GenSpec 1 Behaviour 
This assertion (see Figure 133) demonstrates that GenSpec 2 (see section H. 1.2) contains 
all the behaviour dictated by GenSpec I (see section H. 1.1), although this assertion allows 
GenSpec 2 to provide extra behaviours. 
271 
Appendix H: Alternative Generic Specification Model Example 
-- channel declaration, 
channel internalchoice 
channel chan0 : {i} 
channel chani {0, i} 
channel chant : {0, i} 
channel chan3 : {0,1} 
-- Create an inatanaa of the models to check 
-- rho alpha PROC"s aontaint the low level channels used by the processes 
alpha PROC3 = (I chanO, chant, chant, chan3 11 
PROC3 = PROC__PROCSSS_GENERIC_SPEC(chan0, chant, chant, chan3) 
alpha_PROC4 - {I chanO, chani, chant, chan3 1} 
PROC4 - PROC PROCESS DESIRED GENERIC SPEC(chanO, chant, chant, chan3) 
-- Side the iaternalchoiae scant to ensure that processes has internal choice 
-- perfominy correctly if needed. 
GEN SPEC1 -( PROC4 \ {internalChoice} ) 
GEN_SPEC2 -( PROC3 \ {internalChoice} ) 
-- Check Genßpea 2 aontalna the behaviour of SmSp"a 1 
assert GEN_8PEC2 (T= GEN SPEC1 
Flare 133: Example of GenSpec Assertlon 2 for Control) Flow Process 
H. 2.3 GenSpec Assertion 3: GenSpec 3 Compatible with GenSpec 2 
This assertion (see Figure 61) demonstrates that the GenSpec 3 controlling specification 
(see section D. 1.3) does not introduce any new behaviour to the specifications it is being 
run in parallel with. This still leaves the possibility of it limiting the events that can occur, 
but does not guarantee any properties regarding this. 
-- channel declarations 
channel internalChoice 
channel chanO : {1} 
channel chanl, chan2, chan3 : {0,1} 
-- Create an Instance of the models to chock 
-- The alpha DROC's contains the low level ahann"1s used by the process. m 
alpha_PROC2 - {I chanO, chanl, chant, chan3 11 
PROC2 - PROC_PROCESS DRIVER(ehanO, chant, chant, chan3) 
alpha_PROC3 - {I chan0, chant, chant, chan3 1) 
PROC3 - PROC PROCESS GENERIC SPEC(chanO, chant, chant, chan3) 
-- Ride the int"rnalCholce event to aneure that prows... 
has internal choice 
-- p"rforaiing corr"atly if needed. 
GEN SPECS - PROM 
GEN_SPEC2 -( PROC3 \ {internalChoice} 
-- Oanlp"c2 driven by the controll spscifiCatiom 04nSp003 
GEN SPEC2 DRIVEN - GEN_SPEC2 (I alpha_PROC2 1] GEN SPECS 
-- Check Osnlp"c2 contains the behaviour of OoSpoo2 
driven by O"näp"a3 
assert GEN SPEC2 (T- GEN SPEC2 DRIVEN 
Figure 134: Example of GenSpec Assertion 3 for Controll Flow Process 
272 
Appendix H: Alternative Generic Specification Model Example 
H. 2.4 GenSpec Assertion 4: GenSpec 3 Removes Deadlock from GenSpec 2 
This assertion (see Figure 135) demonstrates that GenSpec 3 (see sectionH. 1.3) does not 
incorrectly drive the component it is run in parallel with. This does not dictate that 
GenSpec 3 does not supply all the possible correct driving signals (although it does). 
-- channel doolarations 
channel internalChoice 
channel chan0 : {1} 
channel chant {0,1} 
channel chant : (0,1} 
channel chan3 : (0,1} 
-- Create an instance of the model& to check 
-- She alpha PROC's Contains the low level chars ale used by the prow. /. s 
alpha PROC2 - {I chano, chant, chant, chan3 1} 
PROC2 - PROC_PROCESS DRIVER(chan0, chani, chant, chan3) 
alpha 
_PROC3 - 
{I chan0, chant, chan2, chan3 1} 
PROC3 - PROC_PROCESS_GENERIC_SPEC(chan0, chant, chant, chan3) 
-- Side the internaIChoics event to ensure that processes has internal choice 
-- psrtorswing correctly if needed. 
GEN 
NSPECS - 
PROC 
GE_SPEC2 -( PROC3 \ {internalChoice} 
-- Gon8poc2 driven by the aontroll ipeaillcation GNnBp"c3 
GEN SPEC2_DRIVEId = GEN_SPEC2 [I alpha_PROC2 j] GEN SPEC3 
-- Chock that Gan8psa3 doss not invoke the incorrect driving options in Osntpsc2 
assert GEN SPEC2_DRIVEN : [deadlock free [F]] 
Figure 135: Example of GenSpec Assertion 4 for Control Flow Process 
11.2.5 GenSpec Assertions 5: GenSpec 3 Removes Only Incorrect Driving 
These assertions (see Figure 136) demonstrate that GenSpec 3 drives the process it is run 
in parallel with, such that it only provides correct driving signals. These assertions also 
demonstrates that GenSpec 3 does not introduce any extra behaviours and provides all 
possible correct driving signals, and is achieved through proving that GenSpec 3 run in 
parallel with GenSpec 2 covers all the traces contained in GenSpec 1. The processes can't 
be failure divergent checked ' (Pn=' both ways, as the driving control process uses internal 
choice to provide all the possible driving input signals and determine which ones occur, 
where as the generic specifications (i. e. GenSpec 1) uses external choice to allow the 
components driving it to dictate what state it should enter (by supplying the 
corresponding sequence of input signals). 
273 
Appendix H: Alternative Generic Specification Model Example 
-- channsi daalarations 
channel internalChoice 
channel chan0 : {1} 
channel chani : {0, i} 
channel chan2 : (0,1} 
channel chan3 : (0,1) 
Crate an instance of the modals to check 
The alpha PROC'a contains the low level channels used by the processes 
alpha PROC2 - {I chanO, chani, chant, chan3 1} 
PROC2 - PROC PROCSSS_DRIVER(chan0, chant, chant, chan3) 
alpha 
`PROC3 - 
{I chanO, chani, chant, chan3 1) 
PROC3 - PROC_PROCESS_GENERIC_SPEC(chan0, chant, chan2, chan3) 
alpha PROC4 - fi chan0, chant, chant, chan3 1} 
PROC4 - PROC_PROCESS_DESIRED_GENERIC_SPEC(chan0, chani, chant, chan3) 
-- Hide the internalChoice event to ansute that processes has internal choice 
-- performing correctly if needed. 
GEN SPEC1 -( PROC4 \ {interna2Choice} ) 
GEN_SPEC2 -( PROC3 \ {internalChoice} ) 
GEN SPECS - PROC2 
-- G. nßpec2 driven by the aontrol epeciticatioa 0400603 
GEN SPEC2_DRIVEN - GEN SPEC2 [I alpha_PROC2 11 GEN SPEC3 
Check that GenSpec3 in parallel with Geaspeo2 is produces all traces covered 
-- by Genßpecl 
assert GEN_SPEC1 [T- GEN_SPEC2_DRIVEN 
assert GEN SPEC2 DRIVEN [FD- GEN SPEC1 
Figure 136: Example of GenSpec Assertions 5 for Control Flow Process 
H1.6 GenSpec Assertions 6: Properties of the Annotation Events 
These assertions (see Figure 137) demonstrate that the annotation event contained within 
GenSpec 4 do not introduce extra behaviours, but are only used to conceptually describe 
what is occurring. This is achieved through hiding the annotation events, and proving that 
the resultant process is indistinguishable to the GenSpec 2 model. 
274 
Appendix H: Alternative Generic Specification Model Example 
-- channel declarations 
datatype STATES = 
START. {0} I FINISH. {0} NOTFINISHED. {0} I RESET. {0} I ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chanO : {1} 
channel chant, chant, chan3 : {0,1} 
Create an instance of the models to check 
rho alpha PROC's contains the low level channels used by the processes 
alpha 
_PROCO - 
{I chan0, chani, chant, chan3 1} 
PROCO - PROC_PROCESS ANNOTATED_SPEC(chan0, chant, chan2, chan3,0) 
alpha PROC3 - {I chan0, chani, chan2, chan3 1} 
PROC3 - PROC PROCESS GENERIC SPEC(chan0, chant, chant, chan3) 
-- Bide the internalcboice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN_SPEC2 -( PROC3 \ {internalChoice} ) 
GEN SPEC4 -( PROCO \ {internalChoice} ) 
-- Genspec4 with the annotations hidden 
GEN SPEC4_NO_ANNOTATIONS -( GEN_SPEC4 \ {I annotations ý} ) 
Check that Genspec3 in parallel with Genspec2 is indistinguishable to 
-- Genspeol 
assert GENSPEC4NO ANNOTATIONS [PD- GEN_SPEC2 
assert GEN__SPEC2_[6- GEN_SPEC4_NO_ANNOTATIONS 
Figure 137: Example of GenSpec Assertions 6 for Control Flow Process 
H. 2.7 GenSpec Assertion 7: GenSpec 3 Compatible with GenSpec 4 
This assertion (see Figure 138) proves that the control driving process GenSpec 3 does 
not add extra behaviours to the annotated generic specification GenSpec 4. 
-- aha="l d. alarationa 
datatype STATES - 
START. {0} I FINISH. {0} I NOTFINISHED. {0} I RESET. {0} I NOTRESET. 
{0} 
ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chan0 : {1} 
channel chant, chan2, chan3 : {0,1} 
-- Create an instance of the models to chock 
The alpha pROC's contains the low level channels used by the processes 
alpha_PROC2 . (I chan0, chant, chant, chan3 1) 
PROC2 - PROC_PROCESS _DRIVER(chan0, 
chant, chant, chan3) 
alpha_PROCO - (I chan0, chant, chant, chan3 
1) 
PROCO - PROC PROCESS ANNOTATED SPEC(chan0, chant, chant, chan3,0) 
-- Ride the internaldboiae event to ensure that processes has internal choice 
-- performing correctly if needed. 
GEN_SPEC3 - PROC2 
GEN SPEC4 -( PROCO \ (internalChoice} 
-- Gensp"c4 drivan by the control specification 
Genspec3 
GEN SPEC4 DRIVEN - GEN_SPEC4 [I alpha_PROC2 
1) GEN_SPEC3 
-- Check Gansp"c4 contains the behaviour of Genfpeo4 
limited by Gangpoc3 
assert GEN SPEC4 [T- GEN SPEC4 DRIVEN 
Figure 138: Example of GenSpec Assertion 7 for Control Flow Process 
275 
Appendix H: Alternative Generic Specification Model Example 
H. 2.8 GenSpec Assertion 8: GenSpec 3 Removes Deadlock From GenSpec 4 
This assertion (seeFigure 139) proves that the control process GenSpec 3 does not drive 
the annotated generic specification GenSpec 4 into a state that is deadlocked (this also 
includes the explicitly defined deadlocks `STOP'). 
-- channel declarations 
datatype STATES 
START. {0} I FIINNIISH. {0} I NOTFINISHED. {0} I RESET. {0} NOTRESET. {0} 
ERROR. 0 IDLE. { O) 
channel annotation : STATES 
channel internalChoice 
channel chanO : {i} 
channel chant, chant, chan3 : {0,1} 
-- Create an instance of the yodels to check 
-- The alpha PROC"s contains the low level channels used by the processes 
alpha_PROC2 - (I chanO, chant, chant, chan3 J} 
PROC2 - PROC_PROCESS DRIVER(chanO, chant, chant, chan3) 
alpha PROCO - (I chanO, chanl, chant, chan3 1) 
PROCO - PROC PROCESS ANNOTATEDSPEC(chanO, chant, chan2, chan3,0) 
-- Ride the internalahoioe event to ensure that processes has internal choice 
-- performing correctly If needed. 
GEN SPECS - PROC2 
GEN SPEC4 -( PROCO \ (internalChoice} 
-- GenSpec4 driven by the control specification Gen8pec3 
GEN_SPEC4_DRIVEN - GEN SPEC4 (I alpha_PROC2 11 GEN SPEC3 
Check that OanSp o3 ramov a the inoorr of driving options from OsnBpaa4 
assert GEN SPEC4 DRIVEN : (deadlock free [F]] 
Flgare 139: Eumple of GenSpec Assertion 8 for Control Flow Process 
HIS GenSpec Assertions 9: GenSpec 4 Is an Annotated GenSpec 2 
These assertions (see Figure 140) demonstrate that if the annotation events contained 
within GenSpec 4 are hidden, then GenSpec is indistinguishable to GenSpec 2. 
276 
Appendix H: Alternative Generic Specification Model Example 
-- channel declarations 
datatype STATES - 
START. {0} I FINISH. {0} I NOTFINISHED. {0} I RESET. {O} I NOTRESET. (0) 
ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chano : {1} 
channel chant, chant, chan3 : {0,1} 
-- Create an Instance of the aodels to check 
-- The alpba PPOC"s contains the low level channels used by the processes 
alpha_PROC3 - (I chanO, chant, chant, chan3 1) 
PROC3 - PROCPROCESS GENERIC_SPEC(chan0, chant, chan2, chan3) 
alpha_PROCO - (j chan0, chan2, chan2, chan3 j) 
PROCO - PROC PROCESS ANNOTATED SPEC(chan0, chant, chan2, chan3,0) 
-- Side the internalChoiae event to ensures that processes has internal choice 
-- performing correctly If needed. 
GEN SPEC2 -( PROC3 \ {internalchoice} ) 
GEN SPEC4 -( PROCO \ {internalChoice} ) 
-- 
5enSpec4 
with hidden annotation events 
GEN SPEC4 NO_ANNOTATIONS -( GEN SPEC4 \ {j annotation ý} ) 
-- Check that Gengpec4 with hidden annotations Is indistinguishable to G. ntpea2 
assert GEN_SPEC4 NO ANNOTATIONS [FD- GEN_SPEC2 
assert GEN SPEC2 [FD- GEN_SPEC4_NO_ANNOTATIONS 
Flure 140: Example of GenSpec Assertions 9 for Control Flow Process 
11.2.10 GenSpec Assertion 10: GenSpec 6 Deadlock Free 
This assertion (see Figure 141) deadlock-free checks GenSpec 6 which helps to provide a 
base comparison for future deadlock-free checks and trace refinements for the 
annotations. 
-- Channel declarations 
datatype STATES - 
START. {0} I FINISH. {0} I NOTFINISHED. {0} RESET. {0} NOTRESET. {0} 
ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
-- Higher Outer Spec 
GEN_SPEC6 - PROC PROCESS HIGHER OUTER SPEC(0) 
-- Check that QonSpaa6 is deadlock-free 
aeaert GEN SPEC6 : [deadlock free [F]] 
Figure 141: Example of GenSpec Assertion 10 for Control Flow Process 
H. 2.11 GenSpec Assertions 11: GenSpec 5 Annotates Outer Level Correctly 
These assertions (see Figure 142) demonstrates that GenSpec 5 will drive a component 
correctly and annotate the outer level of the process with annotation events that are 
similar to GenSpec 6. 
277 
Appendix H: Alternative Generic Specification Model Example 
-- chaanal declarations 
datatype STATES 
START. {0} I FINISH. {0} I NOTFINISHED. {0} I RESET. {0} I NOTRESET. {0} 
ERROR. {0} I IDLE. {0} 
channel annotation : STATES 
channel internalChoice 
channel chan0 : {1} 
channel chant : {0,1} 
channel chan2 : (0,1} 
channel chan3 {0,1} 
-- Create an Instance of the models to shack 
-- The alpha PROC"s contains the low level channels used by the processes 
alpha_PROC1 - {I chanO, chant, chant, chan3 1) 
PROC1 - PROC PROCESS ANNOTATED DRIVER(chan0, chant, chant, chan3) 
alpha 
_PROC3 - 
(1 chanO, chani, chan2, chan3 1} 
PROC3 - PROC_PROCE9S_GENERIC_SPEC(chanO, chant, chan2, chan3) 
-- Hide the internalChoics scant to ensure that processes has internal choice 
-- psrforaing correctly if needed. 
GEN SPEC2 -( PROM \ (internalChoice} 
GEN_SPEC5 - PROC1 
GEN SPEC6 - PROC PROCESS HIGHER OUTER SPEC(0) 
-- Gensp. ai with annotation . vents added by Ganlpsa 5 running in parallel 
GEN SPEC2_WITHANNOTATIONS -( GENSPEC2 [I alpha PROC1 
11 GEN SPECS 
-- Tb. annotations only that were added to Genspeal by Genspan 5 
GEN SPEC2_ANNOTATIONS ONLY - (GEN SPEC2_WITH_ANNOTATIONS \ alpha_PROC3 
-- Check that G. nspec2 controlled correctly and annotated has annotations that 
-- are siailar to Gsn0pec6 
assert GEN_SPEC2 ANNOTATIONS ONLY [T- GEN_SPEC6 
assert GEN_SPEC6 [T- GEN SPEC2 ANNOTATIONS_ONLY 
Figure 142: Example of GenSpec Assertion 11 for Control Flow Process 
H. 2.12 GenSpec Assertions 12: GenSpec S Does Not Introduce Unexpected 
Behaviours 
These assertions (see Figure 143) demonstrates that GenSpec 5 does not introduces 
unexpected behaviours, but only correctly drives a component and adds events that 
conceptually annotates at the outer layer the process it is run in parallel with. This is 
shown by the fact that the process run in parallel with GenSpec 5, with the outer 
annotations then hidden, is equivalent to the component correctly driven by GenSpec 3, 
and that hiding the low level signals leaves only the expected annotations. 
278 
Appendix H: Alternative Generic Specification Model Example 
-- channel daalarationo 
datatype STATES - 
START. {0.. 1} ' FINISH. {0.. 1} NOTFINISHED. {0.. 1} I RESET. {0.. 1} I 
NOTRESET. {0} I ERROR. {0.. 1} I IDLE. {0.. 1} 
channel annotation : STATES 
channel internalChoice 
channel chanO {1} 
channel chant : {0,1} 
channel chant {0,1} 
channel chan3 {0,1} 
-- Annotation alphab. ta 
alpha_inner - { annotation. x. 1 I x<-{RESET, NOTRESET, START, IDLE, NOTFINISHED, FINISH} 
alpha_outer - 
{ annotation. x. 0 I x<-{RESET, NOTRESET, START, IDLE, NOTFINISHED, FINISH} 
-- Create an instance of the models to check 
-- The alpha DROC"s contains the low level Channels used by the processes 
alpha PROCO - {I chan0, chani, chant, chan3 1} 
PROCO - PROC PROCESS ANNOTATED SPEC(chan0, chant, chant, chan3,1) 
alpha_PROC1 - {I chanO, chant, chant, chan3 11 
PROC1 - PROC PROCESS ANNOTATED DRIVER (chan0, chani, chan2, chan3) 
} 
} 
alpha_PROC2 - {1 chanO, chanl, chant, chan3 1} 
PROC2 - PROC_PROCESS_DRIVER(chanO, chant, chan2, chan3) 
-- Kid* the Int. rnalChoice event to ensure that procoaaae has internal choice 
-- performing correctly if naadad. 
GEN SPEC3 . PROC2 
GEN SPEC4 -( PROCO \ (internalChoice} 
GEN SPEC5 a PROC1 
GEN_SPEC6 - PROC_PROCESS_HIGHER_OUTER_SPEC(1) 
GEN SPEC? - PROC_PROCESS_HIGHER CONTROLL OTfER_SPEC(1) 
GEN-SPECS - PROC_PROCESS_HIGHERANNOTATED OUTER SPEC (1) 
-- Gsnäpec4 driven by Genßpec 3 
GEN SPEC4 DRIVEN BY 3-( GEN_SPEC4 [I alpha_PROCO GEN_SPEC3 
-- Gen8pec4 driven and annotated by GenSpec 5 
GEN SPEC4_DRIVEN BY 5-( GEN SPEC4 [I alpha_PROCO ß] GEN SPECS 
-- Gen8pec4 driven and annotated by Genapec 3 with outer annotations hidden 
GEN SPEC4_DRIVEN 
_BY 
5_HIDDEN OUTER -( GEN SPEC4_DRIVEN BY_5 
\ alpha_outer 
-- Gan8pe04 driven and annotated by GenSpec 5 with low level signals hidden 
GEN SPEC4_DRIVEN BY_5_HIDDEN SIGNALS -( GEN_SPEC4_DRIVEN BY_5 \ alpha_PROCO 
-- GanSpec6 driven and annotated by GenSpec 8 
GEN SPEC6_ANNOTATED GEN_SPEC6 11 alpha_inner 11 GEN-SPECS 
-- Check that Genßpec4 driven by GsnBpec5 with the outer annotations hidden is 
-- indistinguishable to Gea8pec4 driven by GenSpec3 
assert GEN SPEC4_DRIVEN BY_5_HIDDEN OIITER [PD- GEN 8PEC4_DRIVEN BY 3 
assert GEN_SPEC4_DRIVEN BY 3 [FD- GEN SPEC4_DRIVEN BY_5_HIDDEN OUTER 
-- Check that GenSpec4 driven by Genßpec3 with the low level signals hidden is 
-- indistinguishable to Genapec6 driven by Gen8pec8 
assert GEN_SPEC4_DRIVEN 
_BY_5_HIDDENSIGNALS 
[FD- GEN SPEC6_ANNOTATED 
assert GEN SPEC6 ANNOTATED [FD- GEN SPEC4_DRIVEN_BY_5 HIDDEN_SIGNALS 
Figure 143: Example of GenSpec Assertions 12 for Control Flow Process 
279 
Appendix H: Alternative Generic Specification Model Example 
H. 2.13 GenSpec Assertions 13: GenSpec 4 With Signals Hidden Is Similar to 
GenSpec 6 
These assertions (see Figure 144) demonstrates that GenSpec 4 correctly driven with the 
events that represent the low level signals hidden, performs in a similar manner to 
GenSpec 6, and indistinguishable from GenSpec 6 when correctly driven. 
-- channel aaalaratione 
datatype STATES - 
START. {0.. 1} FINISH. {0.. 1} I NOTFINISHED. {0.. 1} I RESET. {0.. 1} 
NOTRESET. {0} I ERROR. {0.. 1} I IDLE-{0.. 1} 
channel annotation : STATES 
channel internalChoice 
channel chano {1} 
channel chant 
channel chant (0,1} 
channel chan3 (0,1} 
-- Annotation alptzabata 
alpha_inner 
{ annotation. x. i I x<-{RESET, NOTRESET, START, IDLE, NOTFINISHED, FINISH} 
alpha outer - 
{ an_notation. x. 0 I x<-{RESET, NOTRESET, START, IDLE, NOTFINISHED, FINISH} 
-- Create an instance of the aodels to aback 
-- The alpha PROC's aontains the low level channels used by the processes 
alpha_PROCO - {) chan0, chani, chant, chan3 !j 
PROCO - PROC_PROCES3 ANNOTATBD_SPEC(chanO, chani, chant, chan3,1) 
} 
} 
alpha PROC2 - {I chano, chant, chant, chan3 11 
PROC2 - PROC_PROCESS_DRIVER(chanO, chant, chan2, chan3) 
-- Sido the intornalChoice event to ensure that processes has internal choice 
-- performing correctly if needed. 
GENSPEC3 - PROC2 
GEN SPEC4 -( PROCO \ {internalChoice) 
GEN SPEC6 - PROC_PROCESS_HIGHEROUTER SPEC(1) 
GEN SPEC? - PROC PROCESS_HIGHER CONTROLL_ODTER_SPEC(1) 
-- Gan8pac4 driven by Ganßpec 3 
GEN SPEC4_DRIVEN BY 3-( GEN SPEC4 [I aipha_PROCO 11 GEN_SPEC3 
-- 
ýanRpac4 driven and annotated by GenSpec 5 with low level signals hidden 
GEN SPEC4DRIVEN BY_3_HIDDEN SIGNALS -( GEN SPEC4_DRIVEN BY 3\ alpha_PROCO 
-- GanBpa_c6 driven by GanSpec 7 
GEN SPEC6_DRIVEN -( GEN_SPEC6 [I alpha_inner 11 GEN SPECS 
-- Check that Ganßpec4 driven by GanSpac3 with the low level signals hidden is 
-- indistinguishable to Genßpoc6 driven by Ganßpoc7 
assert GEN_SPEC4_DRIVEN BY_3_HIDDENSIGNALS [FD- GEN_SPEC6_DRIVEN 
assert GEN_SPEC6_DRIVEN [FD- GEN_SPEC4_DRIVEN BY_3_HIDDEN_SIGNALS 
Figure 144: Example of GenSpec Assertions 13 for Control Flow Process 
280 
Appendix H: Alternative Generic Specification Model Example 
H. 2.14 GenSpec Assertions 14: GenSpec 10 Similar to GenSpec 5 
The assertions stated in Figure 145 demonstrate the similarity of GenSpec 5 to GenSpec 
10, more specifically that if you hide the events that represent the low level signals (i. e. 
the wires), they are identical. 
GEN SPEC10 . PROC PROCESS_CONTROL. ANNOTATED OUTER_SPEC 
FlOnre 145: Linldn0 GenSpec 10 to GenSpec 5 
H. 2.15 GenSpec Assertions 15: Linking GenSpec 6 to GenSpec 9 
These assertions (see Figure 146) demonstrate that properties of GenSpec 6 are similar to 
GenSpec 7. This proves the link between the clock cycle based higher annotation 
specifications and the software based higher annotation specification (non-clocked). 
-- The annotation index value being used 
annotation id a0 
-- An instance of the annotation specification 
GEN SPEC6 ! PROC_PROCESS HIGHER_ODTER SPEC(annotation_id) 
-- Checking the annotation specification while ensuring that reset does 
-- not occur (running in parallel with 970D), and hiding clock cycle annotations 
EXPECTED 
_SIMPLIFIED-ANNOTATION-SPEC (GEN SPEC6 
[1 {1 annotation. RESET I} IJ 
STOP 
\ {I annotation. x I x<-{ IDLE, NOTPINISHED, NOTRESET } ý} 
-- The new simplified specification to aheak against, Onnspea7 
SIMPLIFIED 
-ANNOTATION 
SPEC = PROC PROCESS_HIGHER SIMPLIFIED_SPEC(annotation_id) 
-- Check that the two processes are equivalent 
aasert EXPECTED SIMPLIFIED_ANNOTATIONSPEC (FD- SIMPLIFIED_ANNOTATION_SPEC 
aaaert SIMPLIFIED ANNOTATION_SPEC (T= EXPECTED_SIMPLIFIED_ANNOTATIONSPEC 
Figure 146: Example of how to link Annotation Spec to Simplified Spec 
H. 3 Conclusion & Evaluation 
The combination of the assertions covered in section H. 2 links various properties of the 
various models covered in section H. I. This builds up confidence with the models 
specified so that implemented components can both utilise them in their own proofs and 
be checked against them. It provides processes so that a low hardware level model of the 
components can be refinement checked against, a higher clock cycle based conceptual 
281 
Appendix H: Alternative Generic Specification Model Example 
specification to refinement check against, and a method to link the two types of models 
together to show consistency between them. 
The modifications that have been applied, thus causing the work to differ from that 
covered in Appendix D, causes the higher level models to be modelled in a more serial 
manner. Where as previously the models were annotated such that it was more directly 
mimicking the hardware, components that triggered other internal components when 
started appeared to start in parallel. The changes have resulted in the annotations 
mimicking more closely how the initial software appears, thus the annotation model now 
appears such that the component is triggered just before the internal component is 
triggered (but within the same clock cycle). This change more closely resembles a model 
of the software language, where the internal component can only be triggered after the 
command it is contained within has been triggered (e. g. the test for an 'IF' block is only 
performed afters the 'IF' block has been reached). 
282 
Appendix I Alternative Implemented 
Model Example 
This section will cover and explain the CSP models required for an implemented 
component for the future work described in Appendix H, along with the assertions that 
need to be checked to link the models to each other, thus demonstrating that an 
implemented component performs as required and within the behaviours dictated by its 
generic super-type component. This work is the same as that covered in Appendix E, with 
the main exception of the parts covered in sections I. 1.4, some other minor modifications 
have been added to the models through the introduction of the 'NOTRESET' annotation. 
This was required so that when an annotated model of a component that has its internal 
signal events hidden (i. e. when the annotated model of the segment of logic circuit is 
compared against ImpSpec 4), the model performs correctly when it has been started, has 
not finished, and has not been reset. 
1.1 Models & Specifications 
The 'internalChoice' event that may appear within the code examples has been utilised 
instead of internal choice (i. e. 'I -I') to enable 'chase' compression to applied if desired. 
The 'internalChoice' event must be hidden for the specifications to be valid, but if 'chase' 
compression has been chosen, the event should only be hidden after 'chase' has been 
applied, otherwise the specification becomes invalid. 
I. 1.1 ImpSpec 1: Valid Low Level Behaviour 
This CSP model (see Figure 147) which is similar to the model defined in section D. 1.1, 
specifies all the valid and allowable low level behaviour that this implemented component 
may perform at its outer boundary. It may utilises internal choice to determine the 
possible output behaviour it can perform, although it is not a requirement (e. g. boolean 
true, Boolean false, SKIP, STOP, all have well defined fixed behaviours that do not rely 
on other internal components). It is useful to note that some implemented components 
Appendix G: Multi-Type Component Implemented Model Example 
may have the allowable interface boundary behaviour that is identical to that of its generic 
super type component (e. g. Boolean comparisons, PAR), where as other components will 
have an interface boundary behaviour that is a refinement of its super type component 
(e. g. boolean true, boolean false, SEQ). 
PROC_PROCESS_IF_DESIRED_SPEC(clock, reset, start, finish) 
let 
A 
atart? x -> reset? y -> C(x, y) [1 
reset? y -> start? x -> C(x, Y) 
B- 
start? O -> reset? y -> D(y) 
[l 
reset? y -> start? O -> D(y) 
C(x, y) - 
clock? 1 -> finiehl0 -> 
y -- 1&A 
[l 
y--0& 
x--0&A 
(1 
x--1 &B 
D(y) 
y a: 1& clock? 1 -> finishl0 -> A 
II 
y aa 0& clock? 1 -> 
internalChoice -> finishll -> A 
[] -- I-I internalchoice -> finishlO -> B 
within finishlO -> A 
Figure 147: Low Level 'IF' Component Desired Specification 
1.1.2 ImpSpec 2: Low Level Behaviour with Explicit Deadlocking 
This CSP model (see Figure 148) is similar to the model covered in section D. 1.2, the 
CSP model is the model covered in section E. 1.1 but altered so that it will accept 
incorrectly driven input signals followed by explicitly defined deadlocking (i. e. STOP). 
284 
Appendix G: Multi-Type Component Implemented Model Example 
PROC_PROCESS IF_G{ENERIC SPEC(clock, reset, start, finish) 
let 
A= 
start? x -> reset? y -> C(x, y) 
[] 
reset? y -> start? x -> C(x, y) 
B= 
start? 1 -> STOP I] 
start? 0 -> reset? y -> D(y) II 
reset? y -> 
start? O -> D(y) 
II 
start? l -> STOP 
C(x, y) _ 
clock? 1 -> finishlO -> 
y1&A 
(] 
y == 0& 
(x :s0&A 
18B 
[] 
X -- 
D (Y) _ 
y == 1& clock? 1 -> finishlO -> A 
[l 
y =- 0& clock? l -> 
internalChoice -> finishll -> A 
[] -- 1-1 internalChoice -> finishl0 -> B 
within finishlO -> A 
Figure 148: Low Level 'IF' Component Generic Specification with Explicit Deadlocking 
I. 1.3 ImpSpec 3: Model of Implemented Logic 
This CSP model (see Figure 149), is a model of the segment of logic that this component 
represents and is achieved through modelling the individual logic components and 
running them in parallel. 
Figure 149: CSP Model of the Logic Circuit Segment of the Implemented 'IF' Component 
-- Components used in the segment of login being verified 
alpha PROC2 - {I chant, chan8, chanO, chan7 1} 
PROC2 - PROC_PROCESB ANNOTATED_SPEC(chanO, chant, chan7, chan8,3) 
alpha_PROC7 - {I chan9, chan4 
PROC7 - PROC NOT(chan9, chan4) 
alpha_PROC1 - {I chani, chan6, chanO, chan5 1} 
PROC1 - PROC_PRACSSB ANNOTATED_SPEC(chan0, chanl, 
alpha_PROCB - {I chan6, chan8, chanl0 1} 
PROCB - PROC_OR(chanl0, <chan6, chan8>) 
alpha_PROC9 - {I chan9, chan3, chan7 1} 
PROC9 - PROC AND(chan7, <chan9, chan3>) 
chan5, chan6,2) 
285 
Appendix G: Multi-Type Component Implemented Model Example 
alpha 
_PROC10 - 
{I chan4, chan3, chan5 1} 
PROC10 - PROC AND(chan5, <chan4, chan3>) 
alpha PRoco = (I Chan4, chant, chan3, chanO, chant 1} 
PROCO - PROC BOOLEAN ANNOTATED SPEC(chan0, chanl, chant, chan3, chan4,1) 
-- Th. outer level atgnalm for the component being teat"d 
SYSTEM INTERFACE - (I chant, chan0, chanjO, chan2 1) 
-- The alphabet of aignala uaad in th* nodal of th" logic 
SYSTEM ALPHA - {ý chan3, 
chan0, 
chan6, 
chan2, 
chan5, 
chan4, 
chan8, 
chan9, 
chanlO, 
chani, 
chan7 
-- 9yatea D. claratton of the internal logic couponenta and tha aignala they uaa 
SYSTEM_LIST -< (PROC2, alpha_PROC2 
(PROC7, alpha PROC7 
(PROC1, alpha PROC1 
(PROC8, alpha_PROCS 
(PROC9, alpha_PROC9 
(PROC10, alpha_PROC10 
(PROCO, alpha_PROCO )> 
-- The logic model of the implemented aoa'onent. `IwpSyea3' 
SYSTEM = 
REPL(SYSTEMLIST) \ diff(SYSTEM ALPHA, SYSTEM_INTERFACE) 
\ {internalchoice} 
-- Used to run the logic ao, ponanta in parallel 
REPL (p) _ 
let 
INNER1(pl, ai, p2, a2) - pl [( inter(al, a2) 
11 p2 
INNER2( <(pl, ai)>ý<(p2, a2)>"p3 )_ 
null(p3) & INNERI(pl, ai, p2, a2) 
[] 
not null(p3) & INN8R2( <(INNER1(pl, al, p2, a2), union(a1, a2))>"p3 
INNER3( c(pl, _)> 
)= pi 
within ( null(p) & STOP 
II 
length(p) -= 1& INNER3(p) 
[] 
length(p) >1& INNER2(p) 
A graphical depiction of the segment of logic circuit that this model represents can be 
seen in Figure 150. 
286 
Appendix G: Multi-Type component implemented Model Example 
Figure 150: A Graphical Depiction of the Logic Segment for an 'IF' Component 
I. 1.4 ImpSpec 4: Annotation Only Specification 
This CSP model (see Figure 151), is the expected behaviour of the 'IF' component from 
an annotation only perspective, with annotation models of the internal component (i. e. the 
boolean condition, the 'then' process and the 'else' process) having to be supplied. If the 
internal annotation components supplied are the corresponding generic specifications, the 
CSP model will demonstrate all the possible behaviours of the 'IF' component, describing 
both how driving the component drives the internal components and the internal 
components behaviour effects the outputs of this component. The reason why this model 
was designed to take in processes representing the internal components is so that if the 
supplied internal component specifications are a refinement of the corresponding generic 
specification, they will limit the behaviour dictated in the 'IF' component to that which 
describes what should conceptually occur in the hardware. 
Figure 151: IF Component Annotation Only Specification 
channel chan_PROC_PROCESS 
_IF_HIGHER _INNER _SPEC 
: 0.. 2 
channel chan_fin_PROC PROCESS IF_HIGHER_INNER SPEC : {0,1} 
PROC_PROCESS_IF_HIGHER_INNER_SPEC(id, bool, bid, thenproc, tid, elaeproc, eid) ý 
let 
Aý 
III x: (bool, thenproc, elaeproc} ®x 
[ý { annotation. z. x, 
annotation. y. bid, 
annotation. w. v 
v<-{tid, eid), 
x<-{bid, tid, eid}, 
y<-{BOOLEANREAD, 
BOOLEANDONTREAD, 
BOOLEAN READALLOBTED, 
BOOLEANTRTTE, 
BOOLEANFALSE}, 
z<-{RESET, NOTRESET, IDLE}, 
W<-(START, FINISH, NOTFINISHED} 
} 
II B 
-- combination of boolran and prooarr 
B= 
287 
Appendix G: Multi-Type Component Implemented Model Example 
annötation. RESET. id -> 
i III x: {bid, tid, eify 0 annotation. RESET. x -> SKIP 
Li 
annotation. IDLE. id -> III x: {bid, tid, eif} ® annotation. IDLE. x -> SKIP Il 
annotation. START. id -> 
(C 
II {I clan PROC PROCESS_IF HIGHER INNER SPEC, 
II 
chan_fin_PROC PROCESS 
_IF_HIGHER_INNER_SPEC, annotation. RESET. id, 
annotation. NOTRESET. id 
11 
annotation. BOOLEANREAD. bid -> 
annotation. BOOLEANDONTREAD. bid -> 
chan_PROC PROCESS IF HIGHER INNER SPEC. 0 -> D U 
annotation. BOOLEANREADALLOWED. bid -> 
annotation. BOOLEANFALSE. bid -> 
ahan_PROC PROCESS_IF HIGHER INNER SPEC. 2 -> E [] 
annotation. BOOLEANTRIIE. bid -> 
chan_PROC PROCESS_IF_HIGHER_INNER_SPEC. 1 -> E 
s 
-- Then & aI. " prnos.. "e 
c= 
let 
CA = 
Ili x: (tis, eid} . annotation. IDLE. x -> SKIP 
III 
annotation. NOTFINISNED. id -> SKIP } 
chan_PROC PROCESS IF HIGHER INNER SPEC. O -> CB 
11 
chan_PROC PROCESS_IF_HIGHER INNER SPEC. 1 -> CC(tid, eid) 
U 
chan_PROC PROCESS_IF HIGHER INNER SPEC. 2 -> CC(eid, tid) 
CB . 
annotation. RESET. id -> III x: {tid, eidj m annotation. RESET. x -> SKIP 
O 
annotation. NOTRESET. id -> CA 
CC(x, y) . 
let 
CCA " 
(( CCB 
[I 11 chan_fin_PROC PROCESS_IF HIGHER INNER SPEC, 
annotation. RESET. id, 
annotation. NOTRESET. id 
11 
1} 
ccc 
chanfin_PROC PROCESS 
_IF_HIQHLR 
INNER-SPEC, 
annotation. RESET. id, 
annotation. NOTRBSET. id 
iI i} 
CCE 
l 
tl {I 
288 
Appendix G: Multi-Type Component Implemented Model Example 
CCD 
annotation. RESET. id -> annotation. RESET. x -> SKIP [] 
annotation. NOTRESET. id -> 
annotation. FINISR. y -> 
chan_fin_PROC PROCESS_IF_HIGHER_INNER SPEC. 1 -> SKIP [] 
annotation. NOTFINISHED. y -> 
Chan fin PROC PROCESS IF HIGHER INNER SPEC. O -> CCD 
CCE 
annotation. RESET. id -> annotation. NOTFINISHED. id -> SKIP [] 
annotation. NOTRESET. id -> 
Chan 
_fin_PROC_PROCESS _IF_HIGHER _INNER_SPEC. 
1. -> 
annotation. FINISH. id -> SKIP 
(1 
Chan 
_fin_PROC_PROCESS_IF_HIGHER_INNER_SPEC. 
0 -> 
annotation. NOTFINISHED. id -> CCD 
1 
CCB 
annotation. RESET. id -> annotation. RESET. y -> SKIP 
I] 
annotation. NOTRESET. id -> annotation. IDLE. y -> 
chan_fin_PROC PROCESS_IF_HIGHER INNER SPEC. O -> CCH 
(] 
chan_fin PROC PROCESS_IF HIGHER INNER_SPEC. 1 -> SKIP 
CCC a 
annotation. RESET. id -> annotation. RESET. x -> SKIP I) 
annotation. NOTRESET. id -> annotation. START. y -> 
annotation. FINISH. y -> 
ehan_fin_PROC PROCESS_IF HIGHER_INNER_SPEC. 1 -> SKIP (] 
annotation. NOTFINISHED. y -> 
chan_fin_PROC PROCESS_IF_HIGHER INNER_SPEC. 0 -> CCD 
within CCA 
within CA 
-- Sent of Boolean Process 
D 
annotation. RESET. id -> annotation. RESET. bid -> SKIP U 
annotation. NOTRESET. id -> 
annotation. BOOLRANDONTRRAD. bid -> 
Chan_PROC PROCESS_IF HIGHER INNER SPEC. 0 -> D 
11 
annotation. BOOLEANREADALLOWED. bid -> 
annotation. BOOLEANFALSE. bid -> 
char PROC PROCESS IF HIGHER INNER SPEC. 2 -> E 
11 
annotation. BOOLEANTRUE. bid -> 
dran PROC PROCESS IF HIGHER INNER SPEC. 1 -> S 
E 
annotation. RESET. id -> annotation. RESET. bid -> SKIP [) 
annotation. NOTRESET. id -> annotation. IDLE. bid -> 
than fin PROC PROCESS IF HIGHER INNER SPEC. 1 -> SKIP 
11 
chap fin PROC PROCESS IF HIGHER INNER SPEC. 0 -> B 
within (A\ {ý chan_PROC_PROCESS_IFHIGHER INNER SPEC, 
chan_fin_PROC_PROCESS IF HIGHER INNER SPEC 11 ) 
289 
Appendix G: Multi-Type Component Implemented Model Example 
I1.5 ImpSpec 5: Software Specification Model 
This model (see Figure 152) provides a software level based model of the implemented 
component. The external choice with `STOP' is to provide a clear indication of where the 
internal components behaviour is expected to create possible deadlocking within this 
model. The deadlocking at within this model is allowed to possibly occur under the 
conditions where when an internal component is started, it never completes. Should this 
condition arise, the 'IF' component will never finish, a simple example of this is if the 
`then' component gets triggered and is a `while(true)' loop, the `while(true)' loop never 
finishes, and so the 'IF' component would never finish. 
PROC_PROCBSS_IP_HIC3HSR_SZMPLIFIBD_SPBC(id, 
bool, bid, 
thenproc, tid, 
elseproc, eid) ý 
let 
A 
annotation. START. id -> SKIP 
III 
annotation. aOOLEANREAD. bid -> SKIP 
STOP 
[J 
annotation. BOOLENREADALLOWED. bid -> 
annotation. BOOLEANTRUE. bid -> B(tid) 
[1 
annotation. BOOLEANFALSE. bid -> B(eid) 
B (x) _ 
annotation. START. x -> 
STOP 
[) 
annotation. FINISH. x ->A 
c. 
cc III 
(I {I 
11 
I} 
A 
x: {bool, thenproc, eleeproc} ! x) 
annotation. BOOLBANREAD. bid, 
annotation. BOOLEANREADALLO9fED. bid, 
annotation. BOOLEANTRUE. bid, 
annotation. BOOLEANFALSE. bid, 
annotation. START. y, 
annotation. PINISH. y, 
1y <-{tid, eid} 
within C 
Figure 152: 'IF' Component Software Annotation Behavioural Specification 
290 
Appendix G: Multi-Type Component Implemented Model Example 
I. 2 Assertions: Linking the Models Together 
1.2.1 ImpSpec Assertion 1: Deadlock Free 
The assertion stated in Figure 153 checks that the model of the segment of logic circuit is 
deadlock-free. This check demonstrates three properties, the first is that there exists no 
loops consisting of only clocked or non-clocked logic components, secondly is that any 
internal components are guaranteed to be driven correctly so long as the outer component 
is driven correctly, and thirdly is that the component deal with all valid inputs of its super 
type component. The guarantee that internal components are driven correctly is possible 
because the models of the internal components are models that accept all possible inputs 
(both valid and incorrect), with the incorrect inputs being followed by explicitly defined 
deadlock i. e. `STOP' (see section H. 1.2). If the STOP's are not reached, then invalid 
inputs to internal components have not been created or propagated through. The control 
process used to drive the implemented component is the control process from its super 
type. As the control process (see section H. 1.3) utilises internal choice to provide all the 
possible valid driving signals, if the deadlock-free assertion holds true then the 
implementation is guaranteed to be able to process all patterns of driving signals that it 
may receive, along with the guarantee that it will not produce incorrect output signals. 
-- aha=al d. alaratione 
channel internalChoice 
channel chanO : {1} 
channel chant (0,1} 
channel chant : (0,1} 
channel chanlO {0,11 
-- Create an instance of the aodels to check 
-- The alpha PROC contains the low level channels used by the processes 
alpha_PROC6 - (( chant, chano, chanlO, chant (} 
PROC6 - PROC PROCESS CONTROLL(chanO, chant, chant, chanlO) 
-- An implementation of the logic to aback 
SYSTEM_INTERFACE - (( chant, chanO, chanl0, chant 
IMP SPEC3 - SYSTEM 
GEN_SPEC3 - PROC6 
-- Deadlock-free check the earpeated correct generic coWJonent 
aeaert (IMP_SPEC3 [I SYSTEM INTERFACE 11 GEN SPEC3) : [deadlock free [F]) 
Figure 153: 'IF' Component Deadlock Free Assertion 
291 
Appendix G: Multi-Type Component Implemented Model Example 
1.2.2 ImpSpec Assertion 2: Super Type Control Only Limits the Behaviour 
The assertion stated in Figure 154 demonstrates that the process that dictates and provides 
the allowable correct driving input signals of the super type of this component, does only 
limit the behaviour of this implemented component, thus ensuring that it does not 
introduce any new behaviour. 
-- abannal daalarationa 
channel internalchoice 
channel chan0 : (1} 
channel chani : (0,1) 
channel chant : (0,1} 
channel chanl0 : (0,1} 
-- create an tnetana" of the modals to ch"ak 
-- The alpha PROC contains the low level channels used by the proa"sses 
alpha PROC6 - {I chani, chan0, chanl0, chant J} 
PROC6 - PROC_PROCESS_CONTROLL(chanO, chant, chant, chanl0) 
-- An iaqplanentation of the logic to chick 
SYSTEM INTERFACE - (I chani, chanO, chanl0, chant (} 
IMP_SPEC3 - SYSTEM 
GEN-SPECS = PROC6 
-- Check that the control apeoification only limit. the behaviour of the segment 
-- of logic, and doem not introduce nay behaviour 
assert IMP_SPEC3 [T. (IMP_SPEC3 [I SYSTEM_INTERFACE 11 GEN SPECS) 
Figure 154: Super Type Component Limits the Behaviour of the Implementation 
1.2.3 ImpSpec Assertion 3: Expected 'IF' Component Behaviour Is 
Deadlock Free 
The assertion stated in Figure 155 demonstrates that the expected boundary behaviour 
that the model of the implementation of the logic circuit segment will be checked against 
is deadlock-free. This is to provide better confidence in this models correctness as it will 
be used in future checks. 
-- ah-al daalarationa 
channel internalChoice 
channel chan0 {i} 
channel chani : (0,1} 
channel chant : {0, i} 
channel chani0 : {0, i} 
-- Create an instance of the aodela to check 
IMP SPEC1 - PROC PROCESS IF DESIRED SPEC(chan0, chanl, chan2, chanl0) 
aaaert IMP SPSC1 : [deadlock free [F]] 
Figure 155: Expected 'IF' Component Behaviour is Deadlock Free 
292 
Appendix G: Multi-Type Component Implemented Model Example 
1.2.4 ImpSpec Assertion 4: Expected Boundary Behaviour Refines Super 
Type 
The assertion stated in Figure 156 demonstrates that the expected correct boundary 
behaviour of the implemented component is a valid refinement of the expected boundary 
behaviour of its generic super type component. 
-- channel declarations 
channel internalMoice 
channel chan0 {1} 
channel chani {0, if 
channel chant : {0, i} 
channel chanl0 : {0,1} 
-- Create an instance of the modals to chock 
IMP_SPEC1 - PROC_PROCESS_IP_DESIRED_SPEC(chan0, chant, chant, chanl0) 
GEN_SPEC1 - 
PROC_PROCESS_DESIRED_GENERIC_SPEC(chan0, chant, chan2, chanl0) 
\ {internalChoice} 
assert OEN SPEC1 (T= IMP_SPBCI 
Figure 156: Expected IF, Component Beiwvlour ie a Refinement of Super Type 
I. 2.5 ImpSpec Assertions 5: Correctly Driven Implementation Behaves as 
Expected 
The assertions stated in Figure 157 demonstrate that the segment of logic circuit for this 
implemented component, if driven correctly, behaves as expected. Trace refinement 
(` IT. ') is used instead of failures divergent ('[? D-') because the process used to drive the 
model of the segment of logic utilises internal choice to provide all possible allowed 
driving signals, where as the model of the expected behaviour uses external choice for the 
input signals because the input signals are provided by an outside source. 
293 
Appendix G: Multi-Type Component Implemented Model Example 
-- channel daalarationi 
channel internalChoice 
channel chan0 : {1} 
channel chant {0, ij 
channel chant (0,1} 
channel chanl0 {0, i} 
-- Create an inatanaa of the models to check 
IMP_SPEC1 - PROCPROCESS IF_DESIRED 
_SPEC(chanO, 
chant, chant, chan10) 
-- Create an instance of'-the models to check 
-- The alpha PROC contains the low level channale used by the processes 
alpha_PROC6 - {j chanl, chan0, chan10, chan2 11 
PROC6 - PROC_PROCESS CONTROLL(chanO, chant, chant, chanl0) 
-- An i, plaantation of the logic to check 
SYSTEM_INTERFACE - {I chani, chan0, chanl0, chant 
IMP_SPEC3 - SYSTEM 
GEN SPECS - PROC6 
assert IMP_SPEC1 [T- 
( (IMP 8PEC3 [I SYSTEM INTERFACE 1] GEN SPECS) \ (ý annotations 
assert ( (IMP 
_SPEC3 
[I SYSTEM INTERFACE IT GEN_SPEC3) 
\ (I annotations 
(T- IMP SPEC1 
11 ) 
Figure 157: Correctly Driven 'IF' Component Behaves as Expected 
1.2.6 ImpSpec Assertion 6: Annotation Outer Level Does Not Introduce 
Deadlock 
The assertion stated in Figure 158 demonstrates that using the annotated control to 
annotate the outer level of the implemented component, with this process being specified 
by its super type (i. e. GenSpec 5, see Section D. 1.5), does not introduce any deadlocks. 
-- channel declarations 
channel intemalChoice 
channel chan0 : {1} 
channel chani : {0,1} 
channel chant (0,1} 
channel chanlO : {0,11 
-- Create an instance of the aodela to check 
iMP_SPEC1 - PROC_PROCESS_IF_DESIRED_SPEC(chanO, chant, Chant, chanlO) 
-- Croat* an instance of the models to check 
-- the alpha PROC contains the low level channels used by the proceaaea 
alpha _PROCS - 
{I chant, chanO, chanlO, chant 1} 
PROC5 - PROC PROCESS ANNOTATE OUTER(chanO, chant, chant, chanlO) 
-- An iaplaaantation of tho logic to ch*ck 
SYSTEM INTERFACE - (I chant, chanO, chan10, chant 
IMP_SPEC3 - SYSTEM 
GEN 8PEC5 - PROCS 
assert ( IMP_SPEC3 [I SYSTEM_INTERFACE 11 GEN SPEC5 ) : [deadlock free [F]] 
Figure 158: Annotating outer level of 'IF' component does not introduce deadlock 
294 
Appendix G: Multi-Type Component Implemented Model Example 
1.2.7 ImpSpec Assertion 7: Expected High Level Behaviour Is Deadlock- 
Free 
The assertion stated in Figure 159 demonstrates that the high level model describing the 
expected behaviour of the implemented component is deadlock-free. This helps to build 
confidence in the model for when using it in future checks. 
-- Create an Instance of the models to aback 
IMP_SPEC4 = PROC_PROCESS_IF_HIC3iIER_INNER_SPEC(0, 
HIC3HER_SPECO_l, 1, 
HIGHER_SPEC1_2,2, 
HIGHER SPEC2 3,3) 
-- 8igb. r Process ximstances 
HIGHER_SPEC1_2 = PROC_PROCESS_HIGHER_OUTER_SPEC(2) 
HIGHER_SPEC2_3 = PROC PROCESS HIGHER_OUTER_SPEC(3) 
HIGHER SPECO_1 = PROC BOOLEAN HIGHER_OUTER_SPEC(1) 
assert IMP_SPEC4 [deadlock free[PI] 
Figure 159: 'IF' Component High Level Behaviour Is Deadlock-Free 
1.2.8 ImpSpec Assertions 8: Component Behaves Similarly to Expected 
Higher Spec 
The assertions stated in Figure 160 demonstrate that the annotations obtained from the 
implemented segment of logic circuit, performs in a similar manner to that of the 
expected higher behavioural specification. The test can not be failure divergence checked 
both ways (one has to be a trace refinement), this is due to the way annotations are added 
to the outer layer. As the outer level input annotations occur after the corresponding low 
level input signal events (i. e. the events that represent the wires), hiding these low level 
signal events causes the high level model extracted from the implemented segment of 
logic circuit to appear to have internal choice determining the high level conceptual input 
states. The internal choice for the inputs does not really exist, but appears because the 
events that do determine what occurs though external choice have been hidden (i. e. the 
low level signals). Through altering the process of annotating the outer level of a 
component (see Appendix H), it is possible to simplify the extracted model so that it 
directly equivalent to the expected higher behaviour. 
295 
Appendix G: Multi-Type Component Implemented Model Example 
-- ahaana1 doolarationa 
channel internalChoice 
channel chan0 {1} 
channel chanl {0,1} 
channel chant {0,1} 
channel chanl0 : (0,1} 
-- Create an Inatanaa of the models to check 
IMP SPEC1 - PROC PROCESS IF DESIRED SPEC(ChanO, 
-- Craat" an iaataaca of tha aodal" to chock 
chani, chan2, chanlO) 
-- The alpha DROC aoatsina tha low laaal ahaanala 
alpha PROC6 . {I chanl, chan0, chanl0, chan2 11 
PROC6 - PROC PROCESS CONTROLL(chan0, chanl, chan2, 
alpha_PROCS . (I chani, chanO, chanlO, chan2 '} 
PROCS - PROC_PROCE$S ANNOTATE_OIITBR(chan0, chanl, 
-- An ialplasantation of the logic to aboak 
used by 
chanl0) 
the proasssss 
chant, chanlO) 
SYSTEMINTERFACE _ (1 chani, chan0, chanlO, chan2 
IMP SPEC3 = SYSTEM 
GEN_SPEC3 - PROC6 
GEN SPECS - PROC5 
assert (( (IMP SPECS [I SYSTEMINTERFACE 1] GEN SPECS) 
assert 
SYSTEM INTERFACE 11 GEN SPECS 
\ SYSTEMINTERFACE 
[FD. IMP-Model-3 
Imp Model_3 [T- (( (IMP_SPEC3 (I SYSTEM-INTERFACE 1] GEN_SPEC3) 
SYSTEM INTERFACE t] QEN SPEC5 
\ SYSTEMINTERFACE 
Figure 160: 'IF Component Behaves Similarly to Expected Higher Behaviour 
I. 2.9 ImpSpec Assertion 9: Software Specification is a Refinement of Super 
Type 
The assertion stated in Figure 161 demonstrates that the expected higher software 
specification for the implemented component with its internal events hidden is a 
refinement of its super types' software specification model. The example show happens to 
be equivalent to its super type software specification model, but this is not a requirement 
and is why it is not being tested for. 
296 
Appendix G: Multi-Type Component Implemented Model Example 
-- Canaric Boolean Siphar 9ott»aro Spacitication 
PROC BOOLEAN_HIGHBR SIMPLIFIED_SPEC(id) 
let 
A 
annotation. BOOLEANREADALLOWED. id -> 
STOP 
1-1 
annotation. BOOLEANREADALLOWED. id 
( annotation. BOOLEANTRUE. id -> 
Within A 
_, 
A 
U 
annotation. BOOLEANFALSE. id -> A 
-- Znterna2 CoaWonente 
BoolTest = PROC BOOLEAN HIGHER SIMPLIFIED SPEC(l) 
ThenProc = PROCPROCESS HIGHERSIMPLIFIED _SPEC(2) ElseProc - PROC_PROCESS_HIGHER_SIMPLIFIED SPEC(S) 
-- CoNpoa. nta to That 
IMP_SPEC5 . PROC_PROCESS IF_HIGHER_SIMPLIFIED_SPEC(0, 
BoolTeet, 1, 
EhenProc, 2, 
ElaeProc, 3) 
GEN_SPEC7 - PROC_PROCESS_HIGHER_SIMPLIFIED_SPEC(0) 
IMP_SPEC5_HIDDEN_INTERNALS 
IMP SPECS 
\ diff( annotations 
{ annotations. x. 0 Ix <- { START, FINISH }} 
-- Cheek that lapoSpeaS with internal events hidden it a refinement of it" 
-- super type 
assert GEN_SPEC7 [T- IMP-SPECS-HIDDEN-INTERNALS 
Figure 161: Higher Software Specification is a Refinement of the Super Type 
297 
Appendix J Pattern Matched Selective 
Renaming Alternative 
This section of work covers a methodology to circumvent the lack of ability to perform 
event renaming constrained by pattern matching. The ability to perform pattern matched 
event renaming would simplify the process of annotating and extracting the conceptual 
meanings for occurrences of events within a low level model, without the need to refactor 
and modify the models. 
Currently the technique has not been adapted to deal with describing the conceptual 
meanings that are dependent on the combination of multiple parallel events. The "IF 
THEN ELSE" component has a combination of parallel events sent along its start and 
reset channels determining if the process starts, has been reset, or an error has occurred 
due to incorrect driving. It is due to this feature why the example that is demonstrated is a 
simplification of the "IF THEN ELSE" component with the reset functionality removed 
(see Figure 162 and Figure 163). A further requirement for this technique to work 
properly is that internal OCCAM components can not directly utilise the same signals of 
that which are used at the boundaries for the components they He within and results in the 
an addition of a single input OR gate added into the logic circuit (see Figure 162 for the 
yellow OR gate). This is required so that when the refactored model of the logic circuit 
has selective low level events replaced with annotation events, the CSP can synchronise 
correctly on the events. If the internal OCCAM components utilised the same events as 
the boundary components they lie within, instances of the low level events would be 
renamed to different annotation events in different models, thus greatly complicating the 
process of integrating them together. The addition of extra single input OR gates has no 
adverse effect of the logic circuits being created for two reasons, the first is that from a 
clock cycle perspective the extra OR gate does not introduce clock cycle delays. The 
second reason why the extra OR gate does not impact on the design is that it is easy to 
optimised away after the whole logic circuit has been generated, thus it has no impact on 
the speed that the clock will be able to run at. 
Appendix J: Pattern Matched Selective Renaming Alternative 
Start 
OR 
Start 
Clock 
Boolean inish 
Condition 
1-F 
State 
ý NOT 
ý 
AND Start 
Control Flow 
Process 
Star 
Control Flow 
Process 
Finis r1 
! D7 
Finish 
Figure 162: Graphical representation of simplified "IF THEN ELSE" component 
Finish 
T 
299 
Appendix J: Pattern Matched Selective Renaming Alternative 
-- CoMPoäoat" used in the eequeat of logic being verified 
alpha 
_PROC2 = 
{I chan8, chan0, chan7 11 
PROC2 = PROCPROCESS 
_GENERIC _SPEC _ 
NORESET(chan0, chan7, chan8) 
alpha_PROC7 = {) chan9, chan4 
PROC7 = PROC_NOT(chan9, chan4) 
alpha 
_PROC1 = 
if chan6, chan0, chanS 
PROC1 = PROC_PROCESS 
_GENERIC _SPEC 
NORESET(chan0, chan5, chan6) 
alpha_PROCB = {I chan6, chan8, chanl0 1} 
PROCB - PROC OR(chanl0, <chan6, chan8>) 
alpha_PROC9 = {I chan9, chan3, chan7 1} 
PROC9 - PROC AND(chan7, <chan9, chan3>) 
aipha_PROC10 - {I chan4, chan3, chan5 11 
PROC10 - PROC AND(chan5, <chan4, chan3>) 
alpha_PROC11 = {I chanli, chan2 f) 
PROC11 = PROC OR(chanil, <chan2>) 
alpha_PROCO : {I chan4, chan3, chanO, chanll 
PROCO - PROC BOOLEAN GENERIC SPEC NORESET(chan0, chanil, chan3, chan4) 
-- The outer 1"val signals for the cc ponant being tested 
SYSTEMINTERFACE _ {+ chan0, chanl0, chant 1} 
-- The_alphabet of signals used in the nodal of the logic 
SYSTEM-ALPHA {) chan3, chan0, chan6, chant, chan5, chan4, chan8, chan9, 
chanl0, chanli, chan7 
I} 
-- Syataa Declaration of the internal logic components and the signals they use 
SYSTEM_LIST -< (PROC2, alpha_PROC2 
(PROC7, alpha_PROC7 
(PROC1, alpha PROC1 
(PROC8, alpha_PROC8 
(PROC9, alpha PROC9 
(PROC10, alpha_PROC10 
(PROC11, alpha_PROC11 
(PROCO, alpha_PROCO )> 
-- The logic model of the iapleaented component. 'ZagpSpec3' 
SYSTEM-WITH-INTERNALS = REPL2(SYSTEM_LIST) \ 
{internalChoice } 
-- Used to run the logic components in parallel 
REPL2(p) 
let 
INNERI(pl, al, p2, a2) = pl (Iinter(a1, a2) 
(] p2 
INNER2( <(pl, al)>"<(p2, a2)>*p3 ) 
null(p3) & INNERI(p1, a1, p2, a2) 
[] 
not null(p3) & INNER2( c(INNERI(p1, a1, p2, a2), union(a1, a2))>4p3 
INNER3( <(pl, 
_)> 
)= pi 
within ( null(p) & STOP 
[] 
length(p) _. 1& INNER3(p) 
[] 
length(p) >1& INNER2(p) 
Figure 163: CSP Model of "IF THEN ELSE" Component 
300 
Appendix J: Pattern Matched Selective Renaming Alternative 
J. 1 Methodology 
The alternative methodology to pattern matched event renaming requires the creation and 
linkage (through assertions) of various models. The initial stage involves the specification 
defining the expected low level behaviour of the model of the segment of circuit (see 
Figure 164). This specification can be perceived as a refactored model containing the 
same behaviour as that of the segment of logic circuit constrained with being correctly 
driven (see Figure 165). 
Figure 164: Refactored correctly driven circuit 
channel chan_PROC_PROCESS_IF_REFACTORED_SPEC_NORESET 0.. 5 
channel chan_link PROC PROCESS IF REFACTORED_SPEC NORESET {0.. 3} 
PROC PROCESS IFREFACTORED_SPEC NORESET 
clock, start, finish, 
boolproc, boolstart, boolfin, boolatate, 
thenproc, thenstart, thenfin, 
elseproc, elsestart, elsefin, 
negation 
let 
-- Perform checks on the input parameters 
A- 
inter( { start, finish} 
{ boolstart, boolfin, boolstate, thenstart, thenfin, elsestart, 
elsefin 
} 
> -- t} &B (] 
inter( { start, finish} 
{ boolstart, boolfin, booletate, thenstart, thenfin, elaeatart, 
elsefin 
} 
!_ {} & STOP 
Perform the model 
Run the internal components in parallel with the remainder of the IF 
component 
B= 
(( [ý {I clock 1} 1] x: {boolproc, thenproc, elseproc} ® 
x\ {internalChoice}) ) 
[ý {+ boolstart, boolfin, boolstate, thenstart, thenfin, 
elsestart, elsefin 
I? 
I] E 
ý 
C 
let 
CA 
((( thenfin? O -> SKIP 
III 
el®efin? O -> SKIP 
( finiahl0 -> 
atart? O -> 
boolstart! O -> 
chap PROC PROCESS IF REFACTORED SPEC NORESET. O -> 
301 
Appendix J: Pattern Matched Selective Renaming Alternative 
CA 
(1 
start? 1 -> 
boolstartll -> 
Chan PROC PROCESS_IF_REPACTORED_SPEC NORESET. 1 -> 
CB 
CB = 
((( thenfin? 0 -> SKIP ) 
III ( elsefin? 0 -> SKIP 
£inishl0 -> start? 0 -> boolstartl0 -> 
Chan PROC PROCESS IF REFACTORED SPEC NORESET. 2 -> CB 
11 
than PROC PROCESS IF REFACTORED SPEC NORESET. 3 -> CC 
11 
char PROC PROCESS IF REFACTORED SPEC NORESET. 4 -> CD 
CC 
chan_link_PROC_PROCESS_IF_REFACTORED_SPEC_NORESET. O -> 
thenfin? O -> 
Chan 
_link _PROC_PROCESS_IF_REFACTORED_SPEC_NORESET. 
1 -> 
finish! O -> 
start? O -> 
boolstartIO -> 
chan_PROC_PROCESS_IF_REFACTORED_SPEC_NORESET. 5 -> 
CC 
[l 
thenfin? 1 -> 
chan_link 
_PROC_PROCESS_IF_REFACTORED_SPEC_NORESET. 
1 -> 
finishil -> 
start? O -> 
boolstart! O -> 
Chan PROC PROCESS IF REFACTORED SPEC NORESET. 0 -> 
(1 
start? 1 -> 
boolstartil -> 
Chan-PROC-PROCESS_IF_REFACTORED_SPEC NORESET. 1 -> 
CB 
cD = 
chan_link_PROC_PROCESS_IF REFACTORED_SPEC_NORESET. 2 -> 
elsefin? 0 -> 
Chan link PROC_PROCESS_IF REFACTORED SPEC_NORESET. 3 -> 
finishl0 -> 
start? O -> 
boolstart! O -> 
chan_PROC_PROCESS_IF_REFACTORED SPEC NORESET. 5 -> 
CD 
elsefin? 1 -> 
Chan link PROC-PROCESS-IF-REFACTORED_SPEC_NORESET. 3 
finishll -> 
start? O -> 
boolstart! O -> 
Chan_PROC_PROCESS_IF_REFACTORED SPEC NORESET. 0 -> 
CA 
[] 
start? 1 -> 
boolstartli -> 
302 
Appendix J: Pattern Matched Selective Renaming Alternative 
Cban_PROC PROCESS IF_REFACTORED_SPEC NORESET. 1 
CB 
) 
within CA 
D 
let 
DA - 
boolfin? 0 -> 
boolatate? 0 -> 
negation. 1 -> 
((( thenetartlO -> SKIP 
III 
elaeetartl0 -> SKIP 
( chan_PROC PROCESS_IF_REFACTORED SPEC NORESET. 0 -> DA [l 
chan_PROC_PROCESS_IF_REFACTORED_SPEC NORESET. 1 -> DB 
} 
[] 
((( thenstart! O -> SKIP III 
negation. 1 -> elsestartl0 -> SKIP 
ý 
( char PROC PROCESS IF REFACTORED SPEC NORESET. 0 -> DA 
11 
chan_PROC PROCESS_IF_REFACTORED_SPEC NORESET. 1 -> D8 
DB 
boolfin? 0 -> 
boolstate? 0 -> 
negation. 1 -> 
((( thenetartl0 
III 
( elsestartl0 
-> SKIP ) 
-> SKIP ) 
Chan_PROC PROCESS_IF REFACTORED SPEC NORESET. 2 -> DS 
[] 
((( thenatartlO -> SKIP 
III 
( negation. 1 -> elsestartlO -> SKIP 
Chan_PROC PROCESS_IF_REFACTORED_SPEC NORESET. 2 -> DB 
O 
boolfin? 1 -> 
( boolatate? 0 -> 
negation. 1 -> 
((( thenatartlO -> SKIP III 
( elaeatartll -> SKIP 
chan_PROC PROCESS_IP REPACTORED SPEC NORESET. 4 -> DD 
((( thenstart! O -> SKIP 
III 
303 
Appendix J: Pattern Matched Selective Renaming Alternative 
ý 
( negation. 1 -> eleeatartll -> SKIP ) 
-> DD ) 
( chan_PROC PROCESS_IF_REFACTORED_SPEC_NORESET. 4 
[l 
boolatate? 1 -> 
negation. 0 -> 
((( thenstartll -> SKIP 
III 
elaestartl0 -> SKIP 
chan_PROC_PROCESS_IF_REFACTORED_SPEC NORESET. 3 -> DC 1 
(] 
((( thenatartll -> SKIP 
III 
( negation. 0 -> elsestartl0 -> SKIP 
( Chan_PRAC PROCESS_IF REFACTORED_SPEC NORESET. 3 -> DC ) 
DC - 
-> boolfin? O 
boolstate? O -> 
negation. 1 -> 
((( thenstartl0 -> SKIP 
It' 
( eleestartlO -> SKIP 
ý 
Chan PROC PROCESS IF REFACTORED SPEC NORESET. 5 -> DC 
11 
Chan PROC PROCESS IF REFACTORED SPEC NORESET. O -> DA 
[1 
Chan PROC PROCESS IF REFACTORED SPEC NORESET. 1 -> DB 
[7 
((( thenetartl0 -> SKIP 
III ( negation. l -> eleeatart! O -> SKIP 
char PROC PROCESS IF REFACTORED SPEC NORESET. S -> DC 
11 
char PROC PROCESS IF REPACTORED SPEC NORESET. 0 -> DA 
1] 
Chan PROC PROCESS IF REFACTORED SPEC NORESET. 2. -> DB 
DD . 
boolfin? O -> 
boolstate? O -> 
negation. I -> 
((( thenstartl0 -> SKIP ) 
III 
elsestartl0 -> SKIP 
i Chan_PRAC PROCESS_IF_REFACTORED_SPEC NORESET. S -> DC 
[] 
Chan PROC PROCESS IF REFACTORED_SPEC_NORESET. O -> DA 
304 
Appendix J: Pattern Matched Selective Renaming Alternative 
11 
chan_PROC PROCESS_IP REPACTORED_SPEC NORESET. 1 -> DB 
(] 
((( thenstartl0 -> SKIP III 
negation. 1 -> elsestartl0 -> SKIP 
chan_PROC PROCESS_IF REFACTORED SPEC NORESET. 5 -> DC 
[] 
chan_PROC PROCESS 
_IF 
REPACTORED SPEC_NORESET. 0 -> DA [] 
chan_PROC PROCESS_IF_REFACTORED_SPEC_NORESET. 1 -> DS 
E_ 
CC 
1 
within DA 
(C 
[I {I chan_link PROC_PROCESS_IF_REFACTORBD_SPBC_NOR. ESET I} I] 
FIIia) {I chan link_PROC PROCESS_IF_REFACTORED_SPEC NORESET I} 
chan_PROC PROCESS_IF REFACTORED SPEC NORESET 
D 
)\ (ý chan_PROC_PROCESS_IF REFACTORED_SPEC NORESET 
F= 
chan_link 
_PROC_PROCES3_IF_REFACTORED 
SPEC_NORESET. 0 -> 
elsefin? 0 -> 
- 
chan link PROC PROCESS IF REFACTORED SPEC NORESET. 1 -> 
F------- 
G 
chan_link 
_PROC_PROCESS_IF_REFACTORED_SPEC_NORESET. 
2 -> 
thenfin? O -> 
Chan link PROC PROCESS IF REFACTORED SPEC NORESET. 3 -> 
G 
within A 
SYSTEM_INTERFACE a (I chanO, chanlo, chant 11 
SYSTEM_CONTROL - PROC PROCESS_CONTROLL_NORESET(chan0, chant, chanlO) 
SYSTEM WITH CONTROL 
(SYSTEM WITH INTERNALS [I SYSTEM_INTERFACE I) SYSTEM CONTROL) 
LOW LEVEL SPEC : PROC PROCESS_IF_REFACTOREDSPEC NORESET( 
chan0, chant, chanl0, 
PROCO, chanll, chan3, chan4, 
PROC1, chan5, chan6, 
PROC2, chan7, chan8, 
chan9 
assert LOW_LEVEL_SPEC [FD- SYSTEM WITH_CONTROL 
assert SYSTEM WITH CONTROL [FD= LOW LEVEL SPEC 
Figure 165: Assertions demonstrating low level specification equivalence 
305 
Appendix J: Pattern Matched Selective Renaming Alternative 
The methodology involves adapting the specifications through replacing selected events 
with annotation events, thus describing the conceptual meaning for specific instances the 
events have. See Figure 168 for the modified "IF" component specification, Figure 166 
for the modified generic control flow process specification and Figure 167 for the 
modified generic boolean process specification. Renaming in its current state can not be 
used to achieve these models, as all occurrences of a low level event may not 
conceptually mean the same thing and thus global replacing can not be used on a process. 
-- This process was modttiad from PROC PROCESS DBSIRRD QENIRIC SPEC NORMS8T 
-- Sea Pigur. 173 an page 8----- 
PROC-PROCESS GENERIC HYBRID SPEC-NORBSBT(clock, start, finish, id) 
let 
A= 
annotation. START. id -> clock? 1 
internalChoice -> annotation. FINISH. id -> A 
[l -- I-I internalChoice -> annotation. NOTFINISHED. id -> B 
U 
annotation. IDLE. id -> clock? 1 -> finishl0 -> A B 
start? 1 -> STOP 
[] 
start? O -> clock? 1 -> 
internalChoice -> annotation. FINISH. id -> A 
[] -- I-1 internalChoice -> annotation. NOTFINISHED. id -> B 
within finiah! O -> A 
Figure 166: Hybrid Generic Control Flow Process 
-- Täis prOC. ss was aodifi. d from PROC BOOLEAN GBNXRIC SPBC NORBS1T 
S.. Figur. 178 ca pay. 8 
PROC_BOOLEAN GENERIC HYBRID SPEC_NORESET(clock, bool_read, bool_readallowed, 
state, id) _ 
let 
A- 
bool readallowedl0 -> atatel0 -> B 
B 
annotation. IDLB. id -> clock? 1 -> A 
[] 
annotation. BOOLEANRBAD. id -> clock? 1 -> D 
D- 
internalChoice -> annotation. BOOLEANDONTREAD. id -> atatel0 -> E 
[l -- I-I internalChoice -> annotation. BOOLEANREADALLOBIED. id -> 
internalChoice -> annotation. BOOLEANFALBE. id -> B 
U -- I-I 
internalChoice -> annotation. BOOLEANTRLJE. id -> B 
B 
bool_read? 1 -> STOP 
[l 
bool_read? O clock? 1 -> D 
within A 
Figure 167: Hybrid Generic Boolean Process 
306 
Appendix J: Pattern Matched Selective Renaming Alternative 
Figure 168: Low Level 'IF' Component Specification with Embedded Fait Annotations 
channel than PROC_PROCESS_IF_HYBRID_FIILL_SPEC_NORESET 0.. 5 
channel chan_link PROC_PROCESS_IF HYBRID FULL SPEC_NORESET : f0.. 31 
PROC_PROCESS IF HYBRID FULL SPEC_NORESET( 
clock, start, finish, id, 
boolproc, booletart, boolfin, boolstate, bid, 
thenproc, thenetart, thenfin, tid, 
elseproc, elsestart, elsefin, eid, 
negation 
let 
-- Perform checks on the input parameters 
A= 
inter( ( start, finish) 
{ boolatart, boolfin, boolstate, thenstart, thenfin, elsestart, 
elsefin 
} 
== {} ýB [1 inter( { start, finish} 
{ boolstart, boolfin, boolatate, thenatart, thenfin, elseatart, 
elaefin 
} 
I- {} & STOP 
-- Perform the model 
-- Run the internal components in parallel with the remainder of the IF 
-- component 
B= 
clock (} ý] x: {boolproc, thenproc, eleeproc} 
x\ {internalChoice}) ) 
clock, boolstart, boolfin, boolstate, thenstart, thenfin, 
elsestart, elsefin, 
annotation. START. x, 
annotation. FINISH. x, 
annotation. NOTFINISHED. x, 
annotation. IDLE. y, 
annotation. BOOLEANREAD. bid, 
annotation. BOOLEANDONTREAD. bid, 
annotation. BOOLEANREADALLOWED. bid, 
annotation. BOOLEANFALSE. bid, 
annotation. BOOLEANTRÜE. bid 
i} iý EC= 
let 
CA = 
I x<-{tid, eid}, y<-{bid, tid, eid} 
((( thenfin? O -> SKIP 
III 
elaefin? O -> SKIP 
finiahl0 -> 
annotation. IDLE. id -> 
annotation. IDLE. bid -> 
Chan 
_PROC 
PROCESS 
_IF 
HYBRID FULL SPEC NORESET. 0 -> 
CA 
annotation. START. id -> 
annotation. BOOLEANREAD. bid -> 
chan_PROC PROCESS_IF_HYBRIDFULL SPEC_NORESET. 1 -> 
CB 
307 
Appendix J: Pattern Matched Selective Renaming Alternative 
CC 
CB 
!(( thenfin? O -> SKIP 
III ( elsefin? O -> SKIP 
annotation. NOTFINISHED. id -> start? O -> boolstartlO -> 
char PROC PROCES3 IF HYBRID FULL SPEC NORESET. 2 -> CB 
11 
chan PROC PROCESS IF HYBRID FULL SPEC NORESET. 3 -> CC 11 
Chan PROC PROCESS IF HYBRID FULL SPEC NORESET. 4 -> CD 
chan_link_PROC_PROCESS_IF_HYBRID_FULL_SPEC_NORESET. O -> 
annotation. NOTFINISHED. tid -> 
Chan 
_link _PROC_PROCESS _IFHYBRID _FULL _SPEC _NORESET. 
1 -> 
annotation. NOTFINISHED. id_-> 
start? O -> 
annotation. IDLE. bid -> 
Chan PROC PROCESS IF HYBRID FULL SPEC NORESET. 5 -> 
[] 
annotation. FINISH. tid -> 
Chan 
_link 
PROCPROCESS 
_IF_HYBRID_FULL_SPEC 
NORESET. 1 -> 
annotation. FIN_ISH. id -> 
annotation. IDLE. id -> 
annotation. IDLE. bid -> 
Chan 
_PROC 
PROCESS IF HYBRID FULL_SPEC_NORESET. O -> 
CA 
[l 
annotation. START. id -> 
annotation. BOOLEANREAD. bid -> 
Chan 
_PROC_PROCESS_IFHYBRID 
FULL_SPEC_NORESET. 1 -> 
CB 
CD - 
chan_link PROC_PROCESS 
_IF_HYBRID _FIILL 
SPEC NORESET. 2 -> 
annotation. NOTPINISHED. eid -> 
Chan link PROC PROCESS IF HYBRID FULL SPEC NORESET-3 
annotation. NOTFINISHED. id -> 
start? O -> 
annotation. IDLE. bid -> 
ahan_PROC PROCESS_IP_HYBRID FULL_SPEC NORESET. S -> 
CD 
[] 
annotation. FINISH. eid -> 
char link_PROC PROCESS 
_IF 
HYBRID_FULL SPEC NORESET. 3 -> 
annotation. FINISH. id -> 
annotation. IDLE. id -> 
annotation. IDLE. bid -> 
chan_PROC PROCESS_IF_HYBRID FULL SPBC_NORESET. 0 -> 
CA 
U 
annotation. START. id -> 
annotation. BOOLEANREAD. bid -> 
chan_PROC PROCESS_IF HYBRID FULL SPEC NORESET. 1 -> 
CB 
within CA 
D= 
308 
Appendix J: Pattern Matched Selective Renaming Alternative 
let 
DA = 
boolfin? 0 -> 
boolstate? O -> 
negation. 1 -> 
((( annotation. IDLB. tid -> SKIP ) 
III ( annotation. IDLE. eid -> SKIP 
11 
chan_PROC PROCESS_IP HYBRID FQLL SPEC NORESET. 1 -> DB 
( chan_PROC PROCSSS_IF_HYBRID FULL SPEC_NORESET. O -> DA 
[1 ((! annotation. IDLE. tid -> SKIP 
III negation. 1 -> annotation. IDLE. eid -> SKIP 
( Chan_PROC PROCESS_IF HYBRID FULL_SPEC NORESET. O -> DA [] 
chan_PROC PROCESS_IF HYBRID FULL_SPEC_NORESET. 1 -> DB 
DB = 
annotation. BOOLBANDONTRSAD. bid -> 
boolstate? O -> 
negation. 1 -> 
!(( annotation. IDLB. tid -> SKIP III 
annotation. IDLE. eid -> SKIP 
( chan_PROC PROCESS_IF_HYBRID FULL_SPEC_NORESET. 2 -> DB 
U 
((( annotation. IDLE. tid -> SKIP III 
negation. ) -> annotation. IDLE. eid -> SKIP 
Chan- RO(: LPROCESSý_IF_HYBRIEý_FULL_SPEC_NORESET. 2 -> DB 
[] 
annotation. BOOLEANREAD. bid -> 
annotation. BOOLEANFALSE. bid -> 
negation. 1 -> 
((( annotation. IDLE. tid -> SKIP 
III 
annotation. START. eid -> SKIP 
11 
( chan_PROC PROCE33_IF HYBRID_FULL SPEC_NORESET, 4 -> DD 
[l 
((( annotation. IDLE. tid -> SKIP 
III 
negation. i -> annotation. START. eid -> SKIP 
3 
( chan_PROC PROCESS_IF HYBRID PULL SPEC_NORESET. 4 -> DD ) 
) 
309 
Appendix J: Pattern Matched Selective Renaming Alternative 
annotation. BOOLEANTRUE. bid -> 
negation. 0 -> 
((( annotation. START. tid -> SKIP 
III 
( annotation. IDLE. eid -> SKIP 
( Chan_PROC PROCESS_IF HYBRID FIILL SPEC_NORESET. 3 -> DC ) 
((( annotation. START. tid -> SKIP 
III 
( negation-0 -> annotation. IDLE. eid -> SKIP } 
Chan_PROC PROCESS_IP HYBRID F'IILL_SPEC NORESET. 3 -a DC ) 
DC 
boolfin? 0 -> 
boolstate? 0 -> 
negation. 1 -> 
((( thenstartl0 -> SKIP 
III ( annotation. IDLE. eid -> SKIP 
chan_PROC_PROCESS-IF HYBRID_FULL SPEC NORESET. 5 -> DC 
[] 
char PROC PROCESS IF HYBRID FULL SPEC NORE8ET. 0 -> DA 
11 
Chan PROC PROCESS IF HYBRID FULL SPEC NORESET. 1 -> DB 
} 
c1 ((( tbenstartlO -> SKIP 
III 
negation. ]. -> annotation. IDLE. eid -> SKIP 
chan PROC PROCfiSS_IF_HYBRID_FIJLL_SPEC_NORESET. 5 -> DC 
[l 
Chan 
_PROC_PROCESS_IF_HYBRID_FULL_SPEC 
NORESET. O -> DA 
Q 
chan_PROC PROCESS_IF_HYBRID FULL_SPEC_NORESET. 1 -> DB 
DD = 
boolfin? 0 -> 
boolstate? O -> 
negation. l -> 
((( annotation. IDLE. tid -> SKIP 
III 
( eleeetartl0 -> SKIP 
( chan_PROC PROCESS_IF_HYBRID FULL SPEC_NORESET. 5 -> DC 
[l 
chap PROC PROCESS_IF_HYBRID_FULL_SPEC NORESET. O -> DA 
[l 
chan_PROC PROCESS_IF_HYBRID FULL SPEC_NORESET. 1 -> DB 
[l 
((( annotation. IDLE. tid -> SKIP III 
310 
Appendix J: Pattern Matched Selective Renaming Alternative 
( negation. 1 -> eleestartSO -> SKIP ) 
( Chan PROC PROCESS IF HYBRID FULL SPEC NORESET. S -> DC 
11 
Chan PROC PROCESS IF HYBRID FULL SPEC NORESET. 0 -> DA 
13 
Chan PROC PROCESS IF HYBRID FULL SPEC NORESET. 1 -> DB 
} 
within DA 
(((C 
chan_link_PROC_PROCESS_IF_HYBRID_FULL_SPEC_NORESET 
(F III a) i {+ chan_link_PROC PROCESS_IF_HYBRID FULL SPEC NORESET 
chan_PROC PROCESS_IF_HYBRID_FULL_SPEC NORESET ý} I] 
D 
\ {ý chan PROC_PROCESS IF HYBRID FULL_SPEC_NORESET 
char link 
_PROC_PROCESS_IP_HYBRID_FULL_SPEC_NORESET. 
0 -> 
elaefin? 0 -> 
chan_link_PROC_PROCESS IP HYBRID FULL SPEC NORESET. 1 -> 
F 
chan_link 
_PROC_PROCESS_IF_HYBRID_FIILL_SPEC_NORESET. 
2 -> 
thenfin? O -> 
char link PROC PROCESS IF HYBRID FULL SPEC NORESET. 3 -> 
G 
within A 
I} H 
I} 
The specification covered in Figure 168 can be perceived as a hybrid combination of 
events modelling low level hardware and its higher level conceptual meanings. The 
purpose of this model is to provide an avenue to link the model of the segment of logic 
circuit (when driven correctly), to the desired annotation only model describing 
conceptually the task it is trying to perform. Connecting these two models together is 
achieved through linking both of them to the hybrid model through the use of assertions 
and the process to do so it is broken down into three sections. The first part involves 
demonstrating that the annotations contained within the hybrid model behaves identically 
to that of the higher level full annotation only model so long as the low level events are 
hidden (see Figure 169). 
311 
Appendix J: Pattern Matched Selective Renaming Alternative 
SYSTEM_INTERFACE chanO, chanlO, chant 
HPROCO - PROC BOOLEAN GENERIC HYBRID_SPEC NORESET( 
chanO, chanll, chan3, chan4,1) 
HPROCI - PROC PROCESS GENERIC HYBRID_SPEC NORESET( 
chanO, chan5, chan6,2) 
HPROC2 - PROC PROCESS GENERIC HYBRID_SPEC_NORESET( 
chano, chan7, chan8,3) 
APROCO - PROC BOOLEAN HIGiEiER ODTER SPEC NORESET(1) 
APROCI - PROC_PROCESS_HI6HER_Oi7TER_SPEC(2) 
APROC2 - PROC PROCESS_HIQHER_Oi1TER_SPEC(3) 
HYBRID SPEC = PROC_PROCESS _IF 
HYBRID_FQLL_SPEC_NORESFs'T( 
chanO, chan2, chanlo, 
HPROCO, chanll, chan3, chan4,1, 
HPROC1, chan5, chan6,2, 
HPROC2, chan7, chanS, 3, 
chan9 
HYBRID SPEC_NO INTERNALS - 
HYBRID SPEC \ {I chanll, chan3, chan4, chan5, chan6, cahn7, chan8, chan9 
HYBRID SPEC ANNOTATION ONLY . (HYBRID SPEC NO_INTERNALS \{ SYSTEMINTERFACE 
ANNOTATION_ONLY_SPEC = PROC_PROCESS _IF_FtTLL_SPEC _NORESET( 0, APROCO, 1, APROC1,2, APROC2,3 ) 
assert HYBRID SPEC ANNOTATION ONLY [FD= ANNOTATION ONLY_SPEC 
assert ANNOTATION ONLY SPEC [FD= HYBRID SPEC ANNOTATION_ONLY 
Figure 169: Hybrid annotations behave identically to annotation only specification 
The second part involves demonstrating that the outer level annotations from the 
annotation only model (having the annotations for the internal components hidden), 
behaves within the allowed behaviour for a generic control flow process (see Figure 170). 
312 
Appendix J: Pattern Matched Selective Renaming Alternative 
SYSTEM INTERFACE chan0, chanlO, chant 11 
APROCO - PROC_BOOLEAN_HIGHER_OUTER_SPEC_NORESET(1) 
APROCI - PROC_PROCESS_HIGHER OUTER_SPEC(2) 
APROC2 - PROC PROCESS HIGHER OUTER SPEC(S) 
ANNOTATION 
_ONLY _SPEC = 
PROC_PROCESS 
_IF_FTJLL_SPEC _NORE$ET( 0, APROCO, 1, APROC1,2, APROC2,3 ) 
\{ OUTER_ANNOTATION ONLY SPEC = ANNOTATION-ONLY-SPEC 
annotation. IDLE. 1, 
annotation. BOOLEANREAD. 1, 
annotation. BOOLEANDONTREAD. 1, 
annotation. BOOLEANREADALLOWED. 1, 
annotation. BOOLEANFALSE. 1, 
annotation. BOOLEANTRUE. 1, 
annotation. IDLE. 2, 
annotation. START. 2, 
annotation. NOTFINISHED. 2, 
annotation. FINISH. 2, 
annotation. IDLE. 3, 
annotation. START. 3, 
annotation. NOTFINISHED. 3, 
annotation. FINISH. 3 
} 
assert PROC PROCESS HIGHER ODTER SPEC(0) [PD= OTJTER ANNOTATION ONLY_SPEC 
Figure 170: Check If Outer Annotation Behaviour from Hybrid Model ie Allowed 
The third part involves demonstrating that the hybrid model with the annotation events 
renamed back to the corresponding low level hardware events, behaves identically to the 
correctly driven circuit (see Figure 171). 
313 
Appendix J: Pattern Matched Selective Renaming Alternative 
SYSTEM 
, _INTERFACE - chan0, chanl0, chant SYSTEM CONTROL - PROC_PROCESS_CONTROLL_NORESET(chan0, chan2, chanl0) 
HPROCO = PROC_BOOLEAN_GENERIC HYBRID_SPEC_NORESET( 
chanO, chanli, chan3, chan4,1) 
HPROC1 - PROC_PROCESS_GENERIC_HYBRID_SPEC_NORESET( 
chan0, chanS, chan6,2) 
HPROC2 - PROC_PROCESS_GENERIC_HYBRID_SPEC_NORESET( 
chanO, chan7, chan8 3) 
APROCO - PROC_BOOLEAN_HIGHER_OUPER_SPEC_NORESET(l) 
APROC1 - PROC_PROCESS_HIGHER_OUTER_SPEC(2) 
APROC2 - PROC PROCESS HIGHER OUTER SPEC(S) 
HYBRID SPEC = PROC_PROCESS 
_IF 
HYBRID_FDLL_SPEC_NORESET( 
chan0, chan2, chanl0,0, 
HPROCO, chanll, chan3, chan4,1, 
HPROC1, chan5, chan6,2, 
HPROC2, chan7, chan8,3, 
chan9 
f 
HYBRID SPEC RENAMED . 
HYBRID SPEC 
It annotation. IDLE. O <- chan2.0, 
annotation. START. O <- chan2.1, 
annotation. NOTFINISHED. O <- chanl0.0, 
annotation. FINISH. O <- chan10.1, 
annotation. IDLE. 1 <- chan11.0, 
annotation. BOOLEANREAD. 1 <-chanll. l, 
annotation. BOOLEANDONTREAD. 1 <-chan3.0, 
annotation. BOOLEANREADALLOt4ED. 1 <- chan3.1, 
annotation. BOOLEANFALSE. 1 <- chan4.0, 
annotation. BOOLEANTRIIE. 1 <- chan4.1, 
annotation. IDLE. 2 <- chan5.0, 
annotation. START. 2 <- chan5.1, 
annotation. NOTFINISHED. 2 <- chan6.0, 
annotation. FINISH. 2 <- chan6.1, 
annotation. IDLE. 3 <- chan7.0, 
annotation. START. 3 <- chan7.1, 
annotation. NOTFINISHED. 3 <- chan8.0, 
annotation. FINISH. 3 <- chan8.1 
11 ) 
FULL_SYSTEM_WITH_CONTROL 
( SYSTEM-WITH-INTERNALS [ SYSTEM INTERFACE I SYSTEM_CONTROL 
assert FULL SYSTEM WITH CONTROL [PD- HYBRID SPEC RENAMED 
assert HYBRID SPEC RENAMED [FD= FULL SYSTEM WITH_CONTROL 
Figure 171: Hybrid model with annotations renamed behaves identically to correctly driven circuit 
Ideally the process of linking the hybrid model back to the low level implementation 
model would not be needed to be performed. If pattern matched selective renaming was 
allowed (possibly through expanding CSP to combine regular expressions to pattern 
match and select which events a renaming is applied to), it would be possible to 
automatically generate the hybrid model from the segment of logic circuit modelled, thus 
guaranteeing that the hybrid model derives its behaviour from the implementation being 
examined. 
314 
Appendix J: Pattern Matched Selective Renaming Alternative 
occaM 
Hardware Conversion 
Logic Net 
Each individual component is 
modelled and run in parallel 
CSP Model 
of Net List 
Constrain input signals to disallow 
incorrect outer level driving 
Equivalence 
i so 
Implementation 
Hardware 
Specification 
r 
Specification 
modified by 
hand, changing 
specific low level 
events to 
annotation events 
f 
CSP Model of Net 
List disallowing 
incorrect driving 
ýJ 
EDIF 
Refinement of 
r Super Type Hardware L Specification 
Selective 
pattern 
matched 
event 
renaming Y 1 
Hybrid 
Specification 
Equivalence 
I Rename annotations 
Hide low level events 
r 
ý 
Implementation 
Clock Cycle 
Software 
Specification 
r 
Implementation 
Software 
Specification 
I- 
Hybrid Specification 
with annotations 
renamed as low level 
events 
Refinement of Equivalence Clock Cycle 
Software Model 
Hide subset of 
annotation events 
Software 
Model 
Equivalence 
t 
Super Type 
Clock Cycle 
Software 
¼, 
Refinement of 
/ 
Super Type 
Software 
Specification 
Figure 172: Overview of proof structure for pattern matched selective renaming alternative 
315 
Appendix J: Pattern Matched Selective Renaming Alternative 
Figure 172 illustrates diagrammatically for this section of work, the structure of how the 
CSP models representing the hardware at various levels of abstraction are used in the 
proof, and relate to each other. The section highlighted in yellow is the area of the proof 
structure that differs from that used in the main body of the work (chapter 4 and 
Appendix D to Appendix G), along with the slightly modified method illustrated in 
Appendix H and Appendix I. This yellow section is a simplification of the proof structure, 
and was presented at the cost of the robustness of the model (i. e. not checking the reset 
functionality), in an attempt to simplify the presentation of the structure that the proof 
framework uses to prove individual grammatical constructs. 
J. 2 Conclusion 
It is through the combination of the proofs that integrate the various models together that 
a segment of logic circuit can be demonstrated to be a valid implementation. This 
demonstration of the validity of a components implementation, combined with a proof of 
composition (achieved through proving implementations are a refinement of a super type 
specification and so can be replaced wherever that super type specification was used), 
provides an avenue to prove the process of generating the complete logic circuit (without 
the need to model the complete circuit). 
316 
Appendix K Simplified CSP Models 
Without Reset Feature 
This section contains the modified models for the proof of the "IF THEN ELSE" 
component that has the reset functionality removed (see Appendix J). 
K. 1 Logic Components 
The removal of the reset functionality from the models has no effect on the combinatorial 
logic (e. g. AND gates, OR gates, NOT gates, etc), but requires a slight adaptation to the 
clocked logic components (see Figure 173). The D-Type Flip Flop is modelled in an 01- 
SEQ manner. 
-- Instantiations of aD 2YP3 FLIP FLOP calls this process and provides channels 
-- used for its inputs and outputs as arguments. 'Q_out' is a single channel to 
output to. 'd in, is a single channel to input from. 'cloak' is 
-- an event representing a low-to-high clock transition. 
D_TYPE_FLIP FLOP_NORESET(clock, din, q_out) 
let 
-- Check if the output is connected to the input. 
A- 
inter( (I q_out din & B(O) (] 
inter( {I q_out 1}, {j din 1}) !- {} & STOP B (x) - 
q_out !x -> din ?y -> clock ?1 -> B(y) 
within A 
Figure 173: D-Type FiipFiop with no Reset function 
K. 2 Super Type Specifications 
K. 2.1 Control Flow Process 
This section contains the modified models that specify a super type control flow process 
that the proof in Appendix J builds upon. 
Appendix K: Simplified CSP Models Without Reset Feature 
K. 2.1.1 Control Flow Process: Correct Control 
This CSP model (see Figure 174) is used to limit a process so that it can only accept 
possible valid input signals, this is to enable implemented sub-type components to have 
the outer layer of their logic correctly driven when performing the checks and proofs. The 
aim for this is to check an implemented component holds true to the assumption that so 
long as it is driven correctly, it will correctly drive any internal components. 
PROC PROCESS_CONTROLLNORESET(clock, start, finish) 
l_ 
A= 
start? x -> 
(x -- 0& clock? l -> finishl0 -> A 
[) 
x == 1&B 
B= clock? l -> 
finishl0 -> start? O -> B 
[) 
finishll -> A 
within finishl0 -> A 
Figure 174: Generic Control Flow Specification - Correct Driving Limiter 
K. 2.1.2 Control Flow Process: Low Level Specification 
This model (see Figure 175) specifies all the valid and allowable low level behaviour of 
this type of super type component. The purpose is to describe the interface boundary 
behaviours, thus enabling implemented components to refinement check against it 
proving there behaviours are within the requirements for it to be a sub-type of this super- 
hpe 
PROC_PROCESS_DESIRED_GENERIC_SPEC_NORESET(clock, start, finish) 
let 
A 
start? x -> clock? 1 -> 
x0& finishlo -> A [) 
x =- 1& 
internalChoice -> finishll -> A 
(1 -- 1-1 internalChoice -> finish! 0 -> S 
B= 
c 
start? O -> clock? 1 -> 
interna]Choice -> finishll -> A 
[l -- I-I internalChoice -> finishlO -> B 
within finiahl0 -> A 
Figure 175: Low Level Generic Control Flow Specification 
318 
Appendix K: Simplified CSP Models Without Reset Feature 
K. 2.1.3 Control Flow Process: Low Level Specification With Deadlocking 
This CSP model (see Figure 176) is based on the one covered in section K. 2.1.2, but 
altered so that it also accepts invalid driving input signals submitted to it. These invalid 
input driving signals are followed by an explicitly defined `STOP' that will deadlock the 
model should it ever be reached. Similar to the specification in section K. 2.1.2, the 
returned output signals will be all possible valid permutations allowed (internal choice is 
utilised to create those permutations, so long as it is driven correctly). 
The reason why this model will accept invalid driving signals is to enable the model of 
any component connected to it the opportunity to provide any driving signals it may 
choose, this process will not limit or remove the possibility for the other component 
models to provide invalid signals to this one as an option when they are run in 
alphabetised parallel. The purpose of this is to enable possibility to check that if this 
specification is used as an internal component, so long as the outer component is driven 
correctly, this component will be driven correctly. 
PROC_PROCESS GENERIC SPEC NORESET(clock, start, finish) 
let 
A 
start? x -> clock? l -> 
(x == 0& finishl0 -> A 
[l 
X s: 1& 
internalChoice -> finishil -> A 
[l -- I-( internalChoice -> finiahl0 -> B 
B 
start? 1 -> STOP 
(1 
start? O -> clock? 1 -> 
internalChoice -> finishll -> A [] -- I-1 
internalChoice -> finishlO -> B 
within finishl0 -> A 
Figure 176: Low Level Generic Control Flow Specification with Explicit Deadlocking 
K. 2.1.4 Control Flow Process: High Level Specification 
This CSP model (see Figure 177) is an annotation only clock cycle based higher 
conceptual specification. It is used as a comparison for the extracted annotations from the 
annotated low level hardware models. The model is sufficiently small so that it is unlikely 
319 
Appendix K: Simplified CSP Models Without Reset Feature 
that `chase' compression should be needed to be applied, which is why internal choice 
(i. e. 'I - I') is used instead of using an extra event to simulate internal choice. 
PROC_PROCESS HIGHER OUTER SPEC(id) 
let 
A= 
annotation. START. id -> B [l 
annotation. IDLE. id -> A 
$a 
annotation. NOTFINISHBD. id -> B 
1-1 
annotation. FINISH. id -> A 
within A 
Figure 177: Generic Control Flow Annotation Specification 
K. 2.2 Boolean Process 
This section contains only two of the modified models that would be required to fully 
specify a Boolean super type specification, this is due to the fact that the proof covered in 
Appendix J only utilises these two models as internal component place fillers. 
K. 2.2.1 Boolean Process: Low Level Specification With Deadlocking 
This CSP model (see Figure 178) is the low level behaviour altered so that it also accepts 
invalid driving input signals submitted to it. These invalid input driving signals are 
followed by an explicitly defined `STOP' that will deadlock the model should it ever be 
reached. The specification returns all possible valid permutations of allowed output 
signals so long as it is driven correctly, internal choice is utilised to create those 
permutations. 
The reason why this model will accept invalid driving signals is to enable the model of 
any component connected to it the opportunity to provide any driving signals it may 
choose, this process will not limit or remove the possibility for the other component 
models to provide invalid signals to this one as an option when they are run in 
alphabetised parallel. The purpose of this is to enable possibility to check that if this 
specification is used as an internal component, so long as the outer component is driven 
correctly, this component will be driven correctly. 
320 
Appendix K: Simplified CSP Models Without Reset Feature 
PROC BOOLEAN_ßBNBRIC_SPEC NORESET(clock, bool_read, 
let 
A- 
bool readallowed: 0 -> atatel0 -> B 
B B. - 
bool_read? x -> clock? 1 -> 
x -- 0&A 
11 
X ss 1&D 
bool_readallowed, state) 
D 
internalChoice -> bool readallowedl0 -> statelO -> E 
[1 -- I-I - internalChoice -> bool_readallowedll -> 
internalChoice -> etatel0 -> B 
[1 -- i_1 internalChoice -> atate! 1 -> B 
E 
bool_read? 1 -> STOP 
(1 
bool_read? O -> clock? 1 -> D 
within A 
Figure 178: Low Level Boolean Specification with Explicit Deadlocking 
K. 2.2.2 Boolean Process: High Level Specification 
a 
This CSP model (see Figure 179) is an annotation only clock cycle based higher 
conceptual specification. It is used as a comparison for the extracted annotations from the 
annotated low level hardware models. The model is sufficiently small so that it is unlikely 
that `chase' compression should be needed to be applied, which is why internal choice 
(i. e. 'I- I') is used instead of using an extra event to simulate internal choice. 
PROC_BOOLEAN_HIGHER_OUTER_SPEC_NORESET(id) 
let 
A= 
annotation. IDLE. id -> A 
[) 
annotation. BOOLEANREAD. id -> B 
B. 
annotation. BOOLBANDONTREAD. id -> B 
1-1 
annotation. BOOLEANRBADALLOIPED. id -> 
( annotation. BOOLEANFALSE. id -> A 
i-i annotation. BOOLBANTRUS. id -> A 
within A 
Figure 179: Generic Control Flow Annotation Specification 
321 
Appendix K: Simplified CSP Models Without Reset Feature 
K. 3 Implemented "IF THEN ELSE" Component 
This section contains modified models from the "IF THEN ELSE" component, with the 
reset functionality removed. 
K. 3.1 IF THEN ELSE: Low Level Specification 
This CSP model (see Figure 180) which is similar to the model defined in section K. 2.1.2, 
specifies the valid and allowable low level behaviour that this implemented component 
may perform at its outer boundary. It may utilises internal choice to determine the 
possible output behaviour it can perform, although it is not a requirement (e. g. boolean 
true, boolean false, SKIP, STOP, all have well defined fixed behaviours that do not rely 
on other internal components). It is useful to note that some implemented components 
may have the allowable interface boundary behaviour that is identical to that of its generic 
super type component (e. g. boolean comparisons, PAR), where as other components will 
have an interface boundary behaviour that is a refinement of its super type component 
(e. g. boolean true, boolean false, SEQ). 
PROC_PROCESS_IFDESIRED SPEC NORESET(clock, start, finish) 
let 
A= 
start? O -> clock? l -> finisht0 -> A 
O 
start? l -> clock? l -> finiaht0 -> B 
Bs 
atart? 0 -> clock? 1 -> 
internalChoice -> finiahll -> A 
(J -- 1-1 internalChoice -> finiahl0 -> B 
within finishi0 -> A 
Figure 180: Low Level jr 'Component Desired Specification 
X. 3.2 IF THEN ELSE: Low Level Specification With Deadlocking 
This CSP model (see Figure 181) is similar to the model covered in section 1(2.1.3, the 
CSP model is the model covered in section K. 3.1 but altered so that it will accept 
incorrectly driven input signals followed by explicitly defined deadlocking (i. e. STOP). 
322 
Appendix K. Simplified CSP Models Without Reset Feature 
PROC PROCESS IF GENERIC SPEC NORESET(clock, start, finish) 
let 
A 
start? x -> clock? l -> finish! 0 -> 
x e= 0&A 
[7 
x==1&B 
Ba 
start? 1 -> STOP [] 
start? O -> clock? 1 -> internalChoice -> finishll -> A 
[] -- 1-1 
internalChoice -> finishl0 -> B 
within finishlo -> A 
Figure 181: Low Level 'IF" Component Generic Specification with Explicit Deadlocking 
K. 3.3 IF THEN ELSE: High Level Specification 
This CSP model (see Figure 182), is the expected behaviour of the 'IF' component from 
an annotation only perspective, with annotation models of the internal component (i. e. the 
boolean condition, the `then' process and the `else' process) having to be supplied. If the 
internal annotation components supplied are the corresponding generic specifications, the 
CSP model will demonstrate all the possible behaviours of the 'IF' component, describing 
both how driving the component drives the internal components and the internal 
components behaviour effects the outputs of this component. The reason why this model 
was designed to take in processes representing the internal components is so that if the 
supplied internal component specifications are a refinement of the corresponding generic 
specification, they will limit the behaviour dictated in the 'IF' component to that which 
describes what should conceptually occur in the hardware. 
Figure 182: IF Component Annotation Only Specification 
channel chan_PROC PROCESS_IF_FUI, L SPEC_NORESET : 0.. 5} 
PROC PROCESS IF FULL SPEC NORESET( 
id, boolproc, bid, thenproc, tid, eleeproc, eid 
let 
-- Perform checks on the input parameters 
A= 
inter( { id }, { bid, eid, tid }) __ {} &B 
[l 
inter( { id }, { bid, eid, tid }) !_ {} & STOP 
-- Perform the model 
-- Run the internal components in parallel with the remainder of the IF 
-- component 
B= 
323 
Appendix K: Simplified CSP Models Without Reset Feature 
x: boolproc, thenproc, elaeproc ® 
x\ {internalChoice}) 
annotation. START. x, 
annotation. FINISH. x, 
annotation. NOTFINISHED. x, 
annotation. IDLE. y, 
annotation. BOOLEANREAD. bid, 
annotation. BOOLEANDONTREAD. bid, 
annotation. BOOLEANREADALLOT9ED. bid, 
annotation. BOOLEANFALSE. bid, 
annotation. BOOLEANTRIIE. bid 
I x<-{tid, eid}, y<-{bid, tid, eid} 
ý} 
II E 
C 
let 
CA = 
annotation. IDLE. id -> 
annotation. IDLE. bid -> 
char PROC PROCESS IF FULL SPEC NORESET. 0 -> 
[] 
annotation. START. id -> 
annotation. BOOLEANREAD. bid -> 
Chan PROC PROCESS IF FULL SPEC NORESET. 1 -> 
CB . 
annotation. NOTFINISHED. id -> 
chan_PROC_PROCESS_IF_FiJLL_SPSC_NORESET. 2 -> CB 
[] 
chan PROC PROCES9 IF FULL SPEC NORSSET. 3 -> CC 
[] ------ 
chan_PROC PROCESS_IF_FULL SPEC NORESET. 4 -> CD 
CC a 
annotation. NOTFINISHED. tid -> 
annotation. NOTFINISHED. id -> 
annotation. IDLE. bid -> 
chan_PROC_PROCESS_IF_FULL_SPEC NORESET. S -> 
CC 
Il 
annotation. FINISH. tid -> 
annotation. FINISH. id -> 
annotation. IDLE. id -> 
annotation. IDLE. bid -> 
chan_PROC PROCESS_IF_FULL SPEC_NORESET. 0 -> 
CA 
[l 
annotation. START. id -> 
annotation. BOOLEANREAD. bid -> 
chan_PROC PROCESS_IF PULL SPEC_NORESET. 1 -> 
CB 
CD ý 
annotation. NOTFINISHED. eid -> 
annotation. NOTFINISHED. id -> 
annotation. IDLE. bid -> 
chan_PROC PROCESS_IF_FULL SPEC NORESET. S -> 
CD 
[l 
annotation. FINISH. eid -> 
annotation. FINISH. id -> 
annotation. IDLE. id -> 
annotation. IDLE. bid -> 
chan_PROC_PROCESS_IF_FOLL_SPEC_NORESET. 0 
CA 
324 
Appendix K. Simplified CSP Models Without Reset Feature 
within CA 
D 
let 
DA 
((( annotation. IDLE. tid -> SKIP 
III 
annotation. IDLE. eid -> SKIP 
[] 
annotation. START. id -> 
annotation. BOOLEANREAD. bid -> 
Chan PROC PROCESS IF FULL SPEC NORESET. 1 -> 
Chan PROC PROCESS IF FULL SPEC NORESET. O -> DA 
char PROC PROCESS IF FULL SPEC NORESET. 1 -> DB 
DB 
annotation. BOOLBANDONTREAD. bid -> 
((( annotation. IDLE. tid -> SKIP 
chan_PROC PROCESS_IP_FULL_SPEC NORESET. 2 -> DB 
H 
annotation. BOOLEANREAD. bid -> 
annotation. BOOLEANFALSE. bid -> 
((( annotation. IDLE. tid -> SKIP 
III ( annotation. IDLE. eid -> SKIP ) 
III ( annotation. START. eid -> SKIP } 
) 
( chan_PROC PROCESS_IF_FIILL SPEC_NORESET. 4 -> DD ) 
[l 
annotation. BOOLEANTRIIE. bid -> 
((( annotation. START. tid -> SKIP 
III annotation. IDLE. eid -> SKIP 
( char PROC PROCESS IF FULL SPEC NORESET. 3 -> DC ) 
DC 
annotation. IDLE. eid -> 
chan_PROC PROCESS_IF_FULL_SPEC NORESET. S -> DC 
[] 
char PROC PROCESS IF FULL SPEC NORESET. O -> DA 
11 
Chan PROC PROCESS IP FULL SPEC NORESET. 1 -> DB 
DD . 
annotation. IDLE. tid -> 
Chan 
_PROC 
PROCESS IF FULL SPEC NORESET. 5 -> DC 
11 
Chan PROC PROCES9 IF FULL SPEC NORESET. 0 -> DA 
11 
Chan PROC PROCESS IF FULL SPEC NORESET. 1 -> DB 
within DA 
325 
Appendix K: Simplified CSP Models Without Reset Feature 
(C 
[I [I chap PROC PROCESS_IP PULL SPEC NORESET I} ý] 
D 
\ [I chap PROC_PROCESS_IPFULL SPEC NORESET J} 
within A 
326 
Appendix L Expected Run Time 
To detennine the timings for expected output of a software application that has been 
converted into hardware, the following rules stated in this section can be applied while 
stepping through an instance of the application. 
L. 1 Generic: Control Flow Process 
This super type specification for control flow process is allowed to take one or more 
clock cycles to complete. 
L. 1.1 Implemented: SKIP (Delay) 
This component takes one clock cycle to complete. 
L. 1.2 Implemented: STOP (Deadlock) 
This component never completes. 
L. 1.3 Implemented: SEQ 
This component takes the sum total of the time that all its internal processes take to 
complete, i. e. it completes after the all its internal processes have completed running 
sequentially. 
L. 1.4 Implemented: PAR 
This component takes the same as the longest of its internal components take to complete, 
i. e. it completes when all its internal components have completed with them running in 
parallel. 
L. 1. S Implemented: Assignment 
This component takes the sum total of the time its internal `Read' and `Store' 
components take to complete (see sections L. 3 and L. 4 respectively), i. e. it completes 
after the read and store have sequentially finished (in that order). 
Appendix L: Expected Run Time 
L. 1.6 Implemented: Channel Declaration 
This component takes one clock cycle to complete. 
L. 1.7 Implemented: Variable Declaration 
This component takes the storage time for the variable (see section L. 5), to complete. 
L. 1.8 Implemented: IF (IF THEN ELSE) 
This component takes the summation of the length of time for it internal 'Boolen Process' 
(see section 0) and its corresponding `THEN' or `ELSE' process (dependent on if the test 
returns true or false respectively). 
L. 1.9 Implemented: While 
This components time to completion is dependent on the specific result of its internal 
`Boolean Process' component each time the loop is triggered, combined with the length 
of its internal `Control Flow Process' if result of the test was true, see Figure 183. 
While 
Start 
Perform 
Boolean Process 
Result: 
Finish 
Result: 
J 
Finish / Completed 
/I- 
Perform 
Control Flow 
Figure 183: How to compute the completion time for a While' component 
L. 1.10 Implementation: Output Channel (Sending Along a Channel) 
This component takes the summation of the length of time for its internal `Read' 
component, along with any channel communication delay. The channel communication 
delay is comprised of any delay due to the need to wait for the other side of the channel to 
328 
Appendix L: Expected Run Time 
be ready, and also any delay for communication across the channel medium. This channel 
communication delay will be explained further in section L. 6. 
L. 1.11 Implementation: Input Channel (Reading from a Channel) 
This component takes the summation of the length of time for any channel 
communication delay, along with the delay due to its internal `Store' component. The 
channel communication delay is comprised of any delay due to the need to wait for the 
other side of the channel to be ready, and also any delay for communication across the 
channel medium. This channel communication delay will be explained further in section 
L. 6. 
L. 2 Generic: Boolean Process 
This super type specification for a `Boolean Process' is allowed to take one or more clock 
cycles to complete. 
L. 2.1 Implemented: True 
This component takes one clock cycle to complete. 
L. 2.2 Implemented: False 
This component takes never completes. 
L. 2.3 Implementation: Boolean AND 
This component takes the same as the longest of its internal `Boolean Process' 
components take to complete. 
L. 2.4 Implementation: Boolean OR 
This component takes the same as the longest of its internal `Boolean Process' 
components take to complete. 
L. 2.5 Implementation: EQUAL 
This component takes the same as the longest of its internal `Boolean Process' 
components take to complete. 
329 
Appendix L: Expected Run Time 
L. 2.6 Implementation: NOT EQUAL 
This component takes the same as the longest of its internal `Boolean Process' 
components take to complete. 
L. 2.7 Implementation: LESS THAN 
This component takes the same as the longest of its internal `Boolean Process' 
components take to complete. 
L. 2.8 Implementation: GREATER THAN 
This component takes the same as the longest of its internal 'Boolean Process' 
components take to complete. 
L. 3 Generic: Read 
This super type specification for a `Read' is allowed to take one or more clock cycles to 
complete. Specific implementations of variables can have differing times to completion 
and allows for implementation of off chip storage of variables, which might take multiple 
clock cycles to access. 
L3.1 Implementation: UINT Constant 
This component takes a single clock cycle to complete. 
L3.2 Implementation: Read for FlipFlopStorage Variable 
This component takes a single clock cycle to complete. 
L. 3.3 Implementation: Read for WatchedFlipFlopStorage Variable 
This component takes a single clock cycle to complete. 
L. 4 Generic: Store 
This super type specification for a `Store' is allowed to take one or more clock cycles to 
complete. Specific implementations of variables can have differing times to completion 
330 
Appendix L: Expected Run Time 
and allows for implementation of off chip storage of variables, which might take multiple 
clock cycles to set. 
L. 4.1 Implementation: Store for FlipFlopStorage Variable 
This component takes a single clock cycle to complete. 
L. 4.2 Implementation: Store for WatchedFlipFlopStorage Variable 
This component takes a single clock cycle to complete. 
L. 5 Generic: Variables 
The current implemented variables are all on chip and are achieved by utilising flip flops 
to keep the data (e. g. FlipFlopStorage component). The `WatchedFlipFlopStorage' 
component is identical to that of the `FlipFlopStorage' component, but it has the values 
from the flip flops used to store the data values connected to output pads so that the 
values can be examined from outside the circuit. 
Sections L. 3.2 and L. 3.3 specify the `Read' interfaces for the implemented variables 
respectfully (i. e. for the `FlipFlopStorage' and `WatchedFlipFlopStorage' components), 
where as sections L. 4.1 and L. 4.2 specify the `Store' interfaces. 
L. 6 Generic: Channels 
Currently I have impleneted three different channels, these are `Channel NotPlaced', 
'Channel 
_PlacedInput' and 
'Channel 
_PlacedOutput'. 
These three types of channels are 
basically all the same, apart from the placed input channel having its 'Channel Output' 
placed to the outside of the chip, and the placed output channel having its 'Channel Input' 
placed to the outside of the chip, thus allowing data to be supplied or extracted 
respectfully from or to the circuit via channels. 
The medium that the current implemented channels use is digital logic (i. e. it does not 
communicate over a network, etc). Because of this, the communication delay stated in 
sections L. 1.10 and L. 1.11 is 0. Examples for the timings that two ends of a channel have 
on the completion timings of each other is demonstrated in Figure 184, Figure 185 
and Figure 187, where as increasing the communication delay (i. e. the number of clock 
cycles for information to pass from one side of the channel to the other) would impact 
and increase the completion time. It should be noted that the logic that logic that 
represents the channel communication has not been optimised fully, although it still is a 
331 
Appendix L: Expected Run Time 
viable implementation. This can be seen in Figure 184, Figure 185 and Figure 187, 
by the channel output taking one extra clock cycle to terminate than the start of the 
channel input. 
C1oc1ý (N) C1oc1ý C1oc1ý 
............ .............. -. -. ___...... _i ý_ .................................................. ý . Channe 
1..................... _. Start . 
Pi Read 
.................. _......... 
Start 
i 
e E6 
Figure 184: Sending and receiving started at the same time on a0 communication delay channel 
Cloc1S (N) Clocý Cloclf 
............................... _....... _............. ý ......... ....... .......................... _..... Channe 8! 
_yý . _. ......... . ý_........, Start 4 
-1-'l Read 
...................... _.. _ 
I 
1 
I 
I 
1 
I 
1 
........... __ ........................................ 
r 
Channel Input 
............................ 
ý 
-. __........ _.......: i ý--.: 
-º' Store ý 
............................. ý Fý 
Figure 185: Sending started 1 cycle before receiving on a0 communication 
delay channel 
ý 
ý 
 
......................................................... : 
ý 
ý 
ý 
k 
ý 
............ _ ....................................... I 
ý 
:........ _ ................... 6 
I Innut 
-º Store 
...........................: 
332 
Appendix L: Expected Run Time 
C1oc1ý (N) C1oc1ý 
. Channel .. _ 
Start ii Read 
............ r.. _. ý. __. __. _. 
t 
I 
I 
I 
I 
I 
I 
i 
Clocý Cloc4 
___.... . .......................................... __... k, ý 
_ .................................................... _ tý 
ý .............................. t 
Store -! ` 1 
I 
1 
Channel Input 
__.. ý ............ . 
II 
Figure 186: Sending started 2 cycles before receiving on a0 communication delay channel 
Cloc1S (N) Clock Clod Clock 
1 
I 
I 
I 
I 
........................ _........................ 
........ _..... __.. ---........... _............................................... ... _......... Channel Input 
i Start 
F 
ý 
ý 
f 
............... ......... .. 
E 
e. 
Store -- .. 
Ifi 
III 
Figure 187: Reading started 1 clock cycle before sending on a0 communication delay channel 
ý 
wý 
.Ej 
Channel 
Start 
Read 
Start 
333 
Appendix M Esterel SCARE 6.0 - Design 
Verifier Problem 
This appendix provides a simple example illustrating the inconsistency of the SCADE 
design verifier's ability to analyse a model, even though the SCADE tool can compile and 
simulate the model. SCADE is a model based development environment dedicated to 
safety critical embedded software, produced by Esterel Technologies (http: //www. esterel- 
technologies. com). 
M. 1 A Simple Model Using Enumerated Types 
The model illustrated in Figure 188 (that utilises the enumerated types defined in Table 
4), is a simple example. Two inputs (of different types) are taken as inputs and compared 
against constants, these results are then passed to an AND gate, whereby the result is 
passed as the output. 
Irp22 NhiErunerdecirvPel 
EN1 B, 
MyEn. mardedTYPe1 f 1-J 
bod > AtpLt1 
\_ WEnmerdedTYPe2 
/r 
EN2 B; 
MyEnmeaedTYpe2 
Figure 188: A simple SCADE model using enumerated types 
Placing a `proof objective' on the output enables the design verifier to analyse the model, 
although an example can easily found whereby the output is false. 
Table 4: Definitions of enumerated type used in Figure 188 
Name of Type Definition 
MyEnumeratedTypel enum {EN1_A, EN1_B} 
MyEnumeratedrype2 enum {EN2_A, EN2_B} 
Appendix M: Esterel SCADE 6.0 - Design Verifier Problem 
M. 2 Breaking the Design Verifier 
Through a simple modification of the model illustrated in Figure 188, whereby `Input2' is 
replaced with a constant (see Figure 189), one can produce a model that the design 
verifier can not analyse. Placing a `proof objective' on the output and attempting to 
analyse the model results in the design verifier producing a "Not_found" error. It should 
be noted however that the tool can compile and simulate the model. 
EN1 A: 
MyErvnerdedTYPel J-ý bcd 
EM 
-B 
ý""", 
NTyEn. merdedTypa2 
EN2 B; MyEnmeae7TYPe2 
ErnmeratedTYR'l 
ý i 
ma > a2PLt1 
Figure 189: Modifying Figure 188 to break the design verifier 
M. 3 Trying to Locate the Problem 
Having identified a model whereby the SCADE tool can compile and simulate it, but the 
design verifier can not analyse it, one can then break the model down into simpler 
segments in an attempt to identify the section that is causing the error. 
Replacing one subsection of the model with a `true' constant, we get the model illustrated 
in Figure 190. When a `proof objective is placed on the output, the design verifier can 
analyse the model. Although this may appear to suggest that the problem is located in the 
section of the model that was removed, this is not the case. 
tnua 
-> OLIP-t, Irp11 rvtyEnmer3edTypa2 
EN2 81 
MyEnmerdedTYPL-2 I 
Figure 190: Simplifying the model - Version 1 
Through replacing an alternative section of the model with a `true' constant, we get the 
model illustrated in Figure 191. When a `proof objective' is placed on the output, the 
design verifier can analyse the model. This could be interpreted as suggesting that the 
problem is located not in the first part that was removed but the second. 
335 
Appendix M: Esterel SCADE 6.0 - Design Verifier Problem 
EN1}1 
EN B 
EnunerdediYpel 
MyErunrrattiTVpe1 bool ý U. tpLt1 
true s 
M. 4 Conclusion 
Figure 191: Simplifying the model - Version 2 
With the two different models (Figure 190 and Figure 191) suggesting the cause of the 
problem exists in different sections of the model, which, if any of these theories is 
correct? Without the ability to examine the source code of the SCARE tool and the 
integrated Prover Plug-In [Sheeran, 2000] that underpins its design verifier [Köhler and 
Kant, 2004], it is impossible to specify the exact cause of the bug. Even though this is the 
case, it is possible to reason about the construction of the tool, thus identifying possible 
causes or areas of concern. 
With the SCADE tool being able to compile and simulate the models (Figure 188 to 
Figure 191), this suggests that the problem is not located in the internal data structure that 
represents the model. If one assumes that Stalmarck's method of tautology checking using 
propositional logic ([Harrison, 1996] and [Sheeran & StAlmarck, 2000]) that underpins 
the Prover Plug-In [Sheeran, 2000] is sound, one is lead to believe that the location of the 
error or bug is contained within how the tool was developed. 
As the Prover Plug-In was developed by a third party (the product is utilised by several 
companies and tools), a sensible assumption would be that it contains its own internal 
data structures. It is highly unlikely that the SCADE compiler utilises this data structure 
as its internal representation, a theory that is supported by the fact that the SCADE 
compiler was designed and developed independently of the Prover Plug-In. This is clearly 
illustrated by the fact that [Köhler and Kant, 2004] describe the augmentation of the 
SCADE compiler with the formal proof tool. So, under the assumption that there are at 
least two internal data structures that represent the model, a process must exist to translate 
the SCADE internal data structure into one that the Prover Plug-In formal verification 
tool can utilise. I believe that this is the most likely location for the error or bug, but as 
previously indicated, I can not ascertain as to whether this is correct, without access to the 
SCADS source code. 
336 
Appendix N OCCAM: Digital Clock 
SEQ 
PLACED UINT1 afd AT "SF D": 
afd :-1 
CHAN OF UINT1 chanLCDRS: 
CHAN OF UINT4 chanSFD: 
CHAN OF UINT1 atartDelay: 
CHAR OF UINT1 delayFinished: 
PAR 
-- rCD Nibble 
-- When a acarand is received on the ebanl. CDRB and chanSFD channels, 
-- send the corresponding co-and, correctly timed, to the LCD controller 
sEQ 
PLACED UINT4 sfd AT "SFD_8", "SFD 9", "SFD_10", "SFD_11": 
PLACED UINT1 lade AT "LCD E": 
PLACED UINT1 lcdre AT "LCD RS": 
PLACED UINT1 lcdrw AT "LCD_RW": 
UINT2 holdcom: 
DINTS comdelay: 
WHILE TRUE 
SEQ 
PAR 
comdelay 0 
holdcom :. 0 
chanLCDRS ? lcdrs 
chanSFD ? afd 
SKIP 
lcde 1 
WHILE holdcom <> 3 
holdcom :- holdcom PLUS 1 
SKIP 
lcde :-0 
SKIP 
WHILE comdelay <> 16 
comdelay := comdelay PLUS 1 
-- andOfs LCD Nibble 
-- LCD Delay 
-- Crates a delay of the correct length between the parts of a nibbled 
-- command 
SEQ 
UINT1 junk: 
UINT11 waitcom: 
WHILE TRUE 
SEQ 
atartDelay ? junk 
WHILE waitcom <> 666 
waitcom :- waitcom PLUS 1 
PAR 
waitcom :-0 
delayFiniahed I1 
-- dndOfl LCD Delay 
-- main 
-- Runs the LCD power on initialisation, followed by the gain body of the 
-- application 
SEQ 
-- LCD Poweronrni t 
SEQ 
UINT1 junk: 
UINT7 initWait: 
WHILE initWait <> 103 
Appendix N: OCCAM: Digital Clock 
SEQ 
etartDelay I1 
initWait :- initWait PLUS 1 
delayFinished ? junk 
PAR 
chanLCDRS 10 
chanSFD 13 
SEQ 
atartDelay 11 
delayFinished ? junk 
startDelay 11 
delayFiniehed ? junk 
startDelay I1 
delayFinished ? junk 
PAR 
chanLCDRS 10 
chanSFD 12 
SEQ 
startDelay I1 
delayFinished ? junk 
PAR 
SEQ 
chanLCDRS 10 
chanLCDRB 10 
SEQ 
chanSFD 12 
chanSFD 18 
SEQ 
startDelay 11 
delayFinished ? junk 
PAR 
SEQ 
chanLCDRS 10 
chanLCDRS 10 
SEQ 
chanSFD 10 
chanSFD 16 
SEQ 
etartDelay 11 
delayFinished ? junk 
PAR 
SEQ 
chanLCDRS 10 
chanLCDRS 10 
SEQ 
chanSFD 10 
chanSFD 1 14 
SEQ 
etartDelay I1 
delayFinished ? junk 
PAR 
SEQ 
ChanLCDRS 10 
chanLCDRB 10 
SEQ 
chanSFD 10 
chanSFD 11 
WHILE initWait <> 41 
SEQ 
startDelay 11 
initWait :- initWait PLUS 1 
delayFinished ? junk 
initWait :-0 
-- EndOt: LCD_Porss'OIIIa. i t 
SEQ 
CHAN OF UINT4 chanTimeHl: 
CHAN OF UINT4 chanTimeHO: 
CHAN OF UINT4 cbanTimeMl: 
338 
Appendix N: OCCAM: Digital Clock 
CHAN OF UINT4 chanTimeSO: 
CHAN OF UINT4 chanTimeSi: 
CHAN OF UINT4 chanTimeSO: 
CHAN OF UINT1 buttonlState: 
CHAN OF UINT1 button2State: 
PAR 
-- Digital Cloak 
SEQ 
UINT4 timeHl: 
UINT4 timeHO: 
UINT4 timeMl: 
UINT4 timeMO: 
UINT4 timeSi: 
UINT4 timeSO: 
UINT1 incH: 
UINT1 incM: 
UINT23 counter: 
WHILE TRUE 
SEQ 
SEQ 
PAR 
chanTimeHl ! timeHl 
chanTimeHO ! timeHO 
chanTimeSl I timeMl 
chanTimeMO I timeMO 
chanTimeSi ! timeSi 
chanTimeSO ! timeSO 
buttoniState ? incH 
button2State ? incM 
WHILE counter <> 8333331 
counter :" counter PLUS 1 
PAR 
counter :-0 
IF 
incH =1 
timeHO := timeHO PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
incM -1 
timeMO :. timeMO PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
PAR 
IF 
timeHl =0 
IF 
timeHO = 10 
PAR 
timeHO timeHO MINUS 10 
timeHl :=1 
TRUE 
SEQ 
SKIP 
SKIP 
TRUE 
IF 
timeHO -3 
PAR 
timeHO :- timeHO MINUS 2 
timeHi 0 
TRUE 
SEQ 
SKIP 
339 
Appendix N: OCCAM: Digital Clock 
SKIP 
SEQ 
SKIP 
IF 
timeMO - 10 
PAR 
timeMO :-0 
timeMl :- timeMi PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
timeMl =6 
timeMi :=0 
TRUE 
SEQ 
SKIP 
SKIP 
SEQ 
PAR 
chanTimeHl I timeHi 
chanTimeHO I timeHO 
chanTimeHl ! timeMi 
chanTimeMO I timeMO 
chanTimeSi I timeSi 
chanTimeSO I timeSO 
buttoniState ? incH 
button2State ? incM 
WHILE counter <> 8333326 
counter := counter PLUS 1 
PAR 
counter 0 
timeSO := timeSO PLUS 1 
PAR 
IF 
incH -1 
timeHO :. timeHO PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
incM -1 
timeMO := timeMO PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
timeSO - 10 
PAR 
timeSO 0 
timeSi timeSi PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
timeSl .6 
PAR 
timeSi :-0 
timeMO :- timeMO PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
340 
Appendix N: OCCAM: Digital Clock 
timeMO - 10 OR timeMO - 11 
PAR 
timeMO timeMO MINUS 10 
timeMl :. timeMl PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
timeMi -6 
PAR 
timeMi 0 
timeHO timeHO PLUS 1 
TRUE 
SEQ 
SKIP 
SKIP 
IF 
timeRl =0 
IF 
timeHO - 10 OR timeHO . 11 
PAR 
timeHO timeHO MINUS 10 
timeHl := timeHl PLUS 1 
TRUE 
SSQ 
SKIP 
SKIP 
TRUE 
IF 
timeHO -3 OR timeHO -4 
PAR 
timeHO :- timeHO MINUS 2 
timeHl :-0 
TRUE 
SEQ 
SKIP 
SKIP 
-- EndOft DigitalClock 
-- DabounceNdur 
-- Debounoa and aajWle tha Input for inarfaaing the hour. 
SEQ 
PLACED UINT1 button ON "inCH": 
UINT1 buttonsampled: 
PLACED UINT1 currentState AT "buttonH": 
UINT1 nextState: 
UINT1 stable: 
UINT22 count: 
PAR 
stable :. 1 
buttonsampled s- button 
WHILE TRUE 
SEQ 
PAR 
buttoniState I currentState 
WHILE count <> 3124999 
PAR 
buttonSampled :- button 
Count :- count PLUS 1 
IF 
nextState <> buttonSampled 
stable :-0 
TRUE 
SEQ 
SKIP 
SKIP 
PAR 
count :ý0 
341 
Appendix N: OCCAM: Digital Clock 
stable :=1 
IF 
stable 1 
current8tate nextState 
TRUE 
currentState 0 
SEQ 
SKIP 
nextState buttonSampled 
-- 3ndOf: Debounc. Hour 
-- DebounceNin 
-- Debounce and eaaple the input for increasing the minutes 
SEQ 
PLACED UINT1 button ON "incM": 
UINT1 buttonSampled: 
PLACED UINT1 currentState AT "buttonM": 
UINT1 nextState: 
UINT1 stable: 
UINT22 count: 
PAR 
stable :=1 
buttonSampled :- button 
WHILE TRUE 
SBQ 
PAR 
button2State I currentState 
WHILE count <> 3124999 
PAR 
buttonSampled := button 
count := count PLUS 1 
IF 
nextState <> buttonSampled 
stable :-0 
TRUE 
SEQ 
SKIP 
SKIP 
PAR 
Count 0 
stable :-1 
IF 
stable -1 
currentState nextState 
TRUE 
currentState 0 
SEQ 
SKIP 
nextState :- buttonSampled 
-- 3ndOfz Debouna Nin 
-- LCD Diiplay2ia. 
SEQ 
UINT4 timeHl: 
UINT4 timeHO: 
UINT4 timeMl: 
UINT4 timeMO: 
UINT4 timeSi: 
UINT4 timeSO: 
UINT1 junk: 
UINT15 counter: 
WHILE TRUE 
SEQ 
PAR 
counter :-0 
chanTimeHi ? timeHl 
chanTimeHO ? timeHO 
chanTimeMl ? timeMi 
chanTimeMO ? timeM0 
chanTimeS1 ? timesl 
342 
Appendix N: OCCAM: Digital Clock 
chanTimeSO ? timeSO 
SEQ 
PAR 
SEQ 
chanSFD 13 
chanSFD i timeHl 
SEQ 
chanLCDRS 11 
chanLCDRS 11 
startDelay I1 
delayFiniahed ? junk 
PAR 
SEQ 
chanSFD 13 
chanBFD 1 timeHO 
SEQ 
chanLCDRS 11 
chanLCDRS i1 
startDelay i1 
delayFinished ? junk 
PAR 
SEQ 
chanSFD 13 
chanSFD 1 10 
SEQ 
chanLCDRS 11 
chanLCDRS 11 
startDelay 11 
delayFiniahed ? junk 
PAR 
SEQ 
chanSFD 13 
chanSFD I timeMi 
SEQ 
chanLCDRS 11 
chanLCDRS 11 
atartDelay 11 
delayFinished ? junk 
PAR 
SEQ 
chanSFD 13 
chanSFD I timeMO 
SEQ 
chanLCDRS 11 
chanLCDRS 11 
atartDelay 11 
delayFinished ? junk 
PAR 
SEQ 
chanSFD 13 
chanSFD 1 10 
SEQ 
chanLCDRS 11 
chanLCDRS I1 
atartDelay 11 
delayFiniahed ? junk 
PAR 
SEQ 
chanSFD 13 
chanSFD 1 timeSi 
SEQ 
chanLCDRS 11 
chanLCDRS 11 
startDelay 11 
delayFinished ? junk 
PAR 
SEQ 
chanSFD 13 
343 
Appendix N: OCCAM: Digital Clock 
chanSFD ! timeSO 
SEQ 
chanLCDRS 11 
chanLCDRS 1 
startDelay !1 
delayFiniahed ? junk 
PAR 
SEQ 
chanLCDRS !0 
chanLCDRS 10 
SEQ 
chanSFD 10 
chanSFD !2 
WHILE counter <> 26666 
counter :- counter PLUS 1 
3adOtf LCD Di playTims 
344 
References 
References 
" Agility Design Solutions Inc. 2007, Handel-C Language Reference Manual. From 
httv: //www. aailitvds. com 
" David Arnow and Gerald Weiss, 2000, Java An Object-Oriented Approach, Addison- 
Wesley, ISBN 0-201-61272-0 
" Paul Austin, 1998, Java Communicating Sequential Processes - Design ofJCSP 
Language Classes, From http: //www. cs. kent. ac. uk/proiects/ofa/jcspO- 
5/design/langdes. pdf see also http: //www. cs. kent. ac. uk/projects/ofa/icsn0-5/ and 
http: //www. cs. kent. ac. uk/vroiects/ofa/icsD/ 
" Avison and Fitzgerald, 1997, Information Systems Development: Methodologies, 
Techniques and Tools (Second Edition), McGraw-Hill, ISBN 0-07-709233-3 
" J. Becker, F. Henrici, S. Trendelenburg, M. Ortmanns, Y. Manoli, 2008, A Field 
Programmable Analog Array (FPAA) for reconfigurable instantiation of continuous- 
time filter, Presentation at CDNlive! EMEA Student Design Contest, 2008, 
http: //www. imtek. de/content/ydf/Dublic/2008/becker cdc. pdf 
" Peter Bellows and Brad Hutchings, 1998, JHDL - An HDL for Reconßgurable 
Systems, From http: //www jhdl. org/papers. html 
J. Glenn Brookshear, 2000, Computer Science an Overview (Sixth Edition), Addison- 
Wesley, ISBN 0-201-35747-X 
" Andrew Butterfield and Jim Woodcock, 2006, "A Hardware Compiler Semantics for 
Handel-C", in Proceedings of the Third Irish Conference on the Mathematical 
Foundations of Computer Science and Information Technology (MFCSIT 2004) 
Dublin, Ireland ENTCS Vol 161, pp73-90, August 2006. 
b-tip: //dx. doi. org/l0. I016/i. cntcs. 2006.04.026 
Deitel and Deitel, 1999, Java How to Program (Third Edition), Prentice Hall, ISBN 
0-13-012507-5 
Alan Dennis and Barbara Haley Wixom, 2000, System Analysis and Design, John 
Wiley & Sons Inc, ISBN 0-471-24100-8 
345 
References 
" EDIF Steering Committee. 1988. EDIF Reference Manual Version 2.0.0. Washington, 
DC: Electronic Industries Association. ISBN 0-7908-0000-4 
" David Flanagan, 1997, Java in a Nutshell (Second Edition), O'Reilly, ISBN 1-56592- 
262-X 
Formal Systems (Europe) Ltd. Oxford. 2005, Failures Divergence Refinement - the 
FDR User Manual. Version 2.82. From httn: //www. fsel. com 
" Etienne M. Gagnon, 1998, "SableCC, an Object-Oriented Compiler Framework" 
(Thesis), School of Computer Science, McGill University, Montreal 
" Etienne M. Gagnon, and Laurie J. Hendren, 1998. "SableCC, an Object-Oriented 
Compiler Framework", Proceedings of the Technology of Object-Oriented Languages 
and Systems, pages 140-154, August 03-07,1998. From 
http: //sablecc. org/documentation. html 
" Hall, Tyson Stuart, 2004, "Field-Programmable Analog Arrays: A Floating-Gate 
Approach", Georgia Institute of Technology, 
httv: //smartech. gatech. edu/handle/I 853/5071 
" Gregoire Hammon, 2008, "Simulink Design Verifier - Applying Automated Formal 
Methods to Simulink and Stateflow", AFM'08. Third Workshop on Automated 
Formal Methods, 14 July 2008, Princeton, New Jersey, John Rushby and Natarajan 
Shankar (Editors), SRI International, Computer Science Laboratory, Menlo Park CA 
94025 USA 
" J. Harrison: 1996. "The StAlmarck Method as a HOL Derived Rule". Theorem 
Proving in Higher Order Logics, Springer-Verlag LNCS vol. 1125,1996. 
" Gerald Hilderink, Andre Bakkers and Jan Broenink, 2000, "A Distributed Real-Time 
Java System Based on CSP", The Third IEEE International Symposium on Object- 
Oriented Real-Time Distributed Computing, ISORC 2000, Newport Beach, 
California, pp. 400-407, March 15-17,2000. From 
httn: //www. ce. utwente. nl/iavavv/information/CTJ/DRTJSBCSP. Rdf see also 
http: //www. ce. utwente. nl/iavapp/ 
C. A. R. Hoare, 2004. "Communicating Sequential Processes", Electronic Version. 
From http: //www. usingcsp. com (first published in 1985 by Prentice-Hall 
International, ISBN 0-13-153289-8) 
346 
References 
" Ellis Horowitz and Sartaj Sahni, 1976, Fundamentals of Data Structures, Computer 
Science Press, ISBN 0-71678-042-9 
" Robin Hunter, 1999, The Essence of Compilers, Prentice Hall, ISBN 0-13-727835-7 
" IEEE Std-364.1,2002, IEEE Standard for Verilog® Register Transfer Level 
Synthesis, Std 1364.1-2002, Print-ISBN 0-7381-3501-1, PDF-ISBN 0-7381-3502-X 
" IEEE Std-1666,2005, IEEE Standard SystemC® Language Reference Manual, IEEE 
Std 1666-2005, Print-ISBN 0-7381-4871-7 SH95505, PDF-ISBN 0-7381-4870-9 
SS95505, From httn: //standards. ieee. org/getieee/1666/index. html see also 
http: //www. systemc. org/ 
" IEEE Std-1076,2002, IEEE Standard VHDL Language Reference Manual, Std 1076- 
2002, Print-ISBN 0-7381-3247-0, PDF-ISBN 0-7381-3248-9 
" INMOS 72-TRN-048-03,1987, Transputer Architecture Reference Manual, 72-TRN- 
048-03, From: http: //www. transputer. net/fbooks/tarch/tarch. pdf 
" JavaDoc, 1.5.0, Comparator, From: 
http: //lava. sun. com/j2se/1.5.0/docs/api/i ava/util/Collections. html#sort(i ava. util. List, 
20i ava. util. Comparator) 
" He Jifeng, I. Page and J. P. Bowen, 1993, Towards a provable correct hardware 
implementation of OCCAM, in G. J. Milne and L. Pierre (eds. ), Correct Hardware 
Design and Verification Methods, SpringerVerlag, LNCS 683, pp 214-225,1993 
" Kohler and Kant, 2004. Use of Formal verification For the Software Development in 
the Automotive Area, Presented at the Symposium on Formal Methods for 
Automotive & Transportation, Esterel-Technologies, http: //www. esterel- 
technolog, es. com/technology//WhitePapers/ 
" Laura Lemay and Charles L. Perkins, 1996, Teach YourselfJava in 21 Days, 
Sams. net, ISBN 1-57521-030-4 
" Mathstar, 2007, Field Programmable ObjectArray"t ArrixTmFamily, v1.02, 
httU2: //www. mathstar. coria/Architecture. t)hg#Documentation 
" Mathstar, 2007, Product Data Sheet & Design guide: ArrixTMFamily, v1.02, 
httD: //www. mathstar. com/Architecture. phADocumentation 
347 
References 
" Khalid A. Mughal and Rolf W. Rasmussen, 2000, A Programmers Guide to Java 
Certification, Addison-Wesley, ISBN 0-201-59614-8 
" Ian Page, 1997. Hardware Software Co-Synthesis Research at Oxford, In Proc. lEE 
Vacation School on Hardware/Software Co-design. IEE, July 1997. 
httD: Hciteseer. ist. psu. edu/r)age96hardwaresoftware. htmi 
" Ian Page et al. 1998, "Advanced Silicon Prototyping in a Reconfigurable 
Environment", in Peter H. Welch and AndreW. P. Bakkers, eds, Proceedings of 
WoTUG-21: Architectures, Languages and Patterns for Parallel and Distributed 
Applications, pages 81 - 92, IOS Press, Amsterdam, 1998, ISBN 90-5199-391-9. 
From hM: //www. doc. ic. ac. uk/-ii)ajze/DaRers 
" I. Page and W. Luk, 1991, Compiling OCCAM into FPGAs, in FPGAs, W. Moore and 
W. Luk (editors), pp. 271-283, Abingdon EE&CS Books, 1991. 
" RM. A. Peel and B. M. Cook, 2000. "Occam on Field Programmable Gate Arrays - 
Fast Prototyping of Parallel Embedded Systems" in H. R. Arabnia, editor, The 
Proceedings of the International Conference on Parallel and Distributed 
ProcessingTechniques and Applications (PDPTA'2000), pages 2523-2529, CSREA 
Press, June 2000. ISBN 1-892512-51-3 
"KM. A. Peel and Wong Han Feng Javier, 2004, "Using CSP to Verify Aspects of an 
OCCAM-to-FPGA Compiler", Ian East, Jeremy Martin, Peter Welch, David Duce 
and Mark Green, editors, Communicating Process Architectures 2004, pages 339-352, 
IOS Press, ISBN 1-58603-458-8 
"RM. A. Peel and D. Pizarro de la Iglesia, 2005. "Automatically Generated CSP 
Provides Verification for Occam-derived Logic Circuits". in H. R. Arabnia, editor, The 
Proceedings of the international conference on Parallel and Distributed Processing 
Techniques and Applications (PDPTA'05), pages 180-186, CSREA Press, June 2005. 
ISBN 1-932415-58-0. 
" Michael J. Quinn, 1994. Parallel Computing Theory and Practice (Second Edition), 
McGraw-Hill, ISBN 0-07-113800-5 
" T. Riesgo, Y. Torroja, E. de la Torre, J. Uceda. 1998, Quality Estimation of Test 
Vectors and Functional Validation Procedures Based on Fault and Error Models, 
Design, Automation and Test in Europe (DATE). Paris (France), 1998 
348 
References 
" Romer, Andreas, Enzler, Rolf, Cottet, Didier and Tröster, Gerhard. 2000, 
Reconfigurable FPGA processor. Swiss Federal Institute of Technology (ETH) 
Zurich, Electronics Laboratory (2000). http: //e_ 
collection. ethbib. ethz. ch/view/eth: 27114 
" A. W. Roscoe, 1998, The Theory and Practice of Concurrency, Prentice Hall, ISBN 
0-13-674409-5 
" M. Schenke and M. Dossis, 1997, Provable correct hardware compilation using 
timing diagrams, oxford University Laboratory, UK, 1997 
" Robert Sedgewick, 1990, Algorithms in C, Addison-Wesley, ISBN 0-201-51425-7 
" SGS-Thompson Microelectronics Ltd, 1995. "OCCAM 2.1 Reference Manual". From 
http: //www. wotug. org/occam/ 
" M. Sheeran, 2000, Prover plug-in documentation, ESPRIT LTD Project Prosper 
(26241), part of deliverable D4. lb (Prover Technology AB, 2000). 
htt R: //www. dcs. gla. ac. uk/vrosper/vub/prover Rs 
" M. Sheeran and G. StAlmarck, 2000, "A tutorial on StAlmarck's proof procedure for 
propositional logic". Formal Methods in System Design, Volume 16, Number 1, 
January 2000. 
" Kathy Sierra and Bert Bates, 2003, Sun Certified Programmer & Developer for Java 
2, McGraw-Hill, ISBN 0-07-222684-6 
" Richard Wain, Ian Bush, Martyn Guest, Miles Deegan, Igor Kozin and Christine 
Kitchen, 2006, An overview of FPGAs and FPGA programming; Initial experiences 
as Dares bury, httD: //www. cse. scitech. ac. uk/disco/oublications/FPGA overview. ndf 
" P. H. Welch, 1987, Emulating Digital Logic Using Transputer Networks (Very High 
Parallelism = Simplicity = Performance), Volume 1: Parallel architectures on 
PARLE: Parallel Architectures and Languages Europe, pages 357-373, Eindhoven, 
The Netherlands, 1987, Springer-Verlag, UK. ISBN 0-087-17943-7. 
" P. H. Welch, 1988, An occam approach to tnsputer engineering, Proceedings of the 
3rd Conference on Hypercube Concurrent Computers and Applications, 
" P. H. Welch, G. R. R. Justo, and C. J. Willcock, 1993. "High-Level Paradigms for 
Deadlock-Free High-Performance Systems". R. Grebe et al, editors, Transputer 
349 
References 
Applications and Systems '93, Proceedings of the 1993 World Transputer Congress, 
volume 2, pages 981-1004, Aachen, Germany, September 1993. IOS Press, 
Netherlands. ISBN 90-5199-140-1. 
" Xilinx. 2005 "Virtex-II Pro and Virtex-II Pro X Platform FPGAs: Complete Data 
Sheet". Version 4.5. From httn: //direct. xilinx. com/bvdocs/publications/ds083. pdf 
350 
