Introduction
As formal methods are striving to be understood and accepted by industry the formalization of the design process itself --as opposed to mere post-design verification --receives more and more attention [1, 5, 13, 14, 29, 35] . In this paper we discuss the formal design of a class of computers. By formal design we mean an approach based on theorem-proving and by a class of computers we mean the specification scheme of an abstract computer characterizing each computer in the class. We present a construction model of hardware which applies all the way from an abstract behaviour specification to an unknown structural implementation. It constitutes a new foundation for formal design where the traditional verificationoriented hardware model does not meet the goal. It admits finer-grained design descriptions in which aspects of hardware and software may coexist, and it 1 The author is supported by a scholarship from Siemens AG Munich and scholarship from SERC GR/F 35890 U.K.
ZThe author is supported by a Human Capital and Mobility fellowship in the EuroForrn network.
abstracts from the concrete mode of operation. The choice, for example, of a synchronous, asynchronous, or pipelined realization may be postponed until later design stages. Using the construction model the framework comprises a suite of specification, construction, and proof schemes to cover the complete formal design for a class of computers from the behaviour specification at machine instruction level to the structural specification at register transfer level. In this paper we discuss the first part of the design process: from the behaviour specification to the high-level abstract microprogram at term transition level.
Through exact formal construction we can identify the term transition level as a new and rather natural design stage for computer design. Using term transitions we can capture the abstract and high-level structure of the computer above register-transfer level.
2

Construction Model of Hardware Design
In the field of formal hardware verification a variety of different ways of modelling behaviour have been introduced. The two salient variants are the functional and the relational paradigm. The former is well known from the work of W. Hunt [9.2] and usually adopted in verification research based on the BoyerMoore theorem prover. The latter, on the other hand, probably is the most widely accepted and successfully used hardware model in the HOL community [18, 16, 17, 13, 24] . Though one method of specifying hardware often can be encoded in terms of the other, the relational paradigm is usually considered to be the more general one, covering the ~functional variant as a special case. For instance, in terms of relations we can directly capture phenomena which are not elementary in a purely functional setting such as bidirectionality, partiality, and nondeterminism. This work presents an extension of the components-as-relations, or to be more precise, the components-as-predicates paradigm. This paradigm, which we simply call the (first-order) verification model, can be characterized by three features: (i) Components are represented by predicates with the free variables as their ports, (ii) Internal port connection is realized by existential quantification, and (iii) Composition of components is achieved by logical conjunction.
For example, the delay and inverter circuits would be defined as The verification model originates from the obvious static-topological understanding of physical hardware focusing on the port connection structure of hardware and spatial structural abstraction. This is expressed for instance in [28] :
"The type of abstraction most fundamental to hardware verification is structural abstraction -the suppression of information about a device's internal structure."
Despite its generality a weakness of the verification model is that it is not flexible enough to support a process of formal synthesis and construction. It exhibits the spatial structure of hardware but fails to capture important other structure arising in a top-down construction of hardware. Examples of such non-spatial structure are the interface between software and hardware, microprograms, or behavioural constraints. Therefore the traditional verification model, which flattens away this extra conceptual structure, is intrinsically limited to post-hoc verification and transformation of complete hardware components [10, 11, 25, 15, 26, 28] . To capture the top-down construction of incomplete hardware, in particular for the construction of microprogrammed computers, more sophisticated structure is needed. One purpose of this paper is to introduce such a new and more general hardware model, the construction model. This formulation states that whenever a certain condition Ei is true at the start time point m then the inversion of the input will be effected by some time y, and after the execution the predicate Eo will be true. The predicates Ei and Eo are the logical interface to the environment by which the entry and exit of the component is controlled. We call Ei the entry and Eo the leaving predicate of the model. The difference to the verification model is the fact that it focuses on what makes up the behaviour of an inverter, viz. the equation oy ---,(z m), rather than how this is achieved. The original absolute reference to a fixed propagation delay has been abstracted away and replaced by a generic time interval (m, y) demarcated only by the conditions Ei m and Eo y but otherwise undetermined. Here the predicates Ei, Eo are considered parameters, i.e. free variables, of the specification rather than concrete predicates. This results in a generic description, which can be instantiated in many ways to obtain a variety of different realizations of an inverter. For instance, we get back to the original formulation by takingEim _--m=t and Eoy --y--t+l, and Eo y ~ elk(y, n) such that stab(z, z, A) means input z has been stable for at least a period of length A prior to time ~, and elk(s, n) means $ corresponds to the n-th clock tick. We leave it to the reader to add other instantiations, say to capture input constraints~ multiple phase synchronous reali~ations~ or asynchronous handshake. To sum up, the construction model allows us to capture a wide range of possible modes of control and interaction, and --this is the crucial point --to keep the decomposition at an abstract level as long as convenient and defer instantiating to a particular realiT.ation until much later in the design process.
Let us consider a very simple example. Suppose in the process of construction we encounter the construction model V$.3y. Eiz ~ recy=ADD(sendl$,send2~)
A Eoy
(1)
as a sub-specification. It says that in the time interval (~, y), and under the start condition El, we are to implement an add function so that upon completion the condition Eo holds. We must achieve this for arbitrary z but are free to choose the exit time point y. 
o y = ADD (il z, i2 ~) A Eb y)
This way we have decomposed the original construction model (1) into a composition of three abstract subcomponents (2) 
Eo(t+l)).
From here we might further instantiate the entry predicates as statements about the state of a program counter to obtain a concrete microprogram:
(Vt. addresst=12 ::~ c~xtAc~2tA address (t + l) =13) A (Vt. address t----13 :=~ catA
=~ crtA address (t + l) =15).
The data-path, which implements the equations within (2)- (4) consists of three registers and one ALU, which might be specified by
where a ~ b $ c abbreviates the term "if a then b else c" [17] . All in all we get an implementation as seen the figure (2)- (4) in which the decomposition into subcomponcnts has been performed already, but the particular mode of control has neither as yet been fixed nor localized in a separate hardware component, cannot be represented naturally and directly. In other words, the construction model of hardware has the potential for a finer-grained design, i.e.
for breaking the refinement process into smaller pieces. Note again that in the description (2)- (4) different instantiations of the entry and leaving predicates would give rise to different realizations of control such as by synchronous clock or asynchronous handshake. Also, a pipelincd operation is possible. If, in the abstract microprogram above, wc specialize Ei such that
Vt. El(t) we get a pipelined implementation with the behaviour Vt. rec(t + 3) = ADD(ix (t), i2 (t)).
The concrete microprogram chosen above, in contrast, realizes only a single thread of control: the microinstruction address address (t)
is unique and cannot be 12, 13, and 14 at the same time. This variability of instantiating the entry and leaving predicates is very useful in practice. For instance, to simulate the functional behaviour one can take a short-cut via a direct instantiation to a synchronous sequential program. In parallel, one may proceed with the actual design path towards a more sophisticated asynchronous pipelined hardware realization, along a number of further refinement steps.
From this viewpoint the entry and leaving predicates are a very flexible means to change or adapt the semantics of a design to a particular mode of operation, and thus go beyond the capabilities of traditional Hoare-style pre//post conditions or Lamport-style assumption/commitment forms. In fact, we conjecture that both can be incorporated in terms of entry and leaving predicates. However, this analysis is outside the scope of the paper. To finish off this section let us sum up our definitions formally. Extending what has been introduced above, the refinements will use a construction model in which the leaving predicate is generalized to a leaving predicate structure. This allows us to express non-linear control structure in terms of entry and leaving predicates. With this extension the abstract syntax is as given in Fig. 1 . In the following we will call any instance of the scheme in Fig. 1 a construction model or simply a model.
Construction Model
The abstract syntax is schematic in the sense that the syntactic classes mp, E, P
are not further specified. They are not of interest at this stage and will only be filled up later with more structure when this is necessary to support a particular refinement step. Also, to keep matters simple, we will focus on the formal, read: syntactic, aspects of our constructions and leave aside semantical issues and correctness arguments. It deserves mention, however, that all refinements and transformations presented are based on sound logical arguments. As far as 'meaning' is concerned we content ourselves with a translation into an ambient (higher-order) predicate logic, which is assumed, at an intuitive level at least, to be understood throughout. In this vein, the semantics of the construction model is 'defined' by the following inductive translation:
(mp[E, lps])* = V~.3y.E~ ==~ mp A Ips* (P(lpsl, tps2))* = P ~ lps~ $ tps~. E* = E y.
To give an example we may write (pcy = pcx) [E2, bl ~ (Ea, b2 z (E4, Es))] to stand for V~.3y.
Ez 9 ==~ pcy =pcx A (bl 9 ~ Ea y $ (b~ ~ ~ E4 y ~ E5 y)).
The construction model mp [Ei, lps] being introduced the refinement process may be viewed as a repeated process of protruding particular structure for With this assumption we may drop the existential quantifier 3z. hiding an internal signal in a composite circuit and simply turn z into an existential variable. The same is done with internal entry and leaving predicates. Existential variables are supported in some theorem provers, like LAMBDA [12] ('flexible' variables) or ISABELLV. [31] ('meta' variables) and have been shown to be of great advantage in practice. In particular the work based on LAMBDA (e.g. [12] ) makes heavy use of existential variables to support formal hardware synthesis.
Machine Instruction Level
In this section a generic form of behaviour specification for a class of computers at machine instruction level is defined. At this level the semantics of machine instructions is given in terms of a global state transition. To capture a class of computers we use abstract syntax for the general structure of this state transition. This abstract grammar is given in Fig. 2 . The syntax is abstract because its terminal symbols are uninterpreted, albeit the relationship of the symbols is clearly defined. The syntax is a scheme for a class of computers because all concrete computers whose specifications are obtained as instantiations are treated uniformly along with the construction and refinement of the scheme. In other words: we are not interested in the refinement of a particular instance of a scheme but in the refinement of the scheme itself. The specification scheme itself is a refinement of our general construction model mp [E, E] which protrudes intricate structure for the model predicate rap, and also specializes the leaving predicate structure. Note, that the primitive components Inv, Del, Reg, ALU mentioned before are special if not trivial instances of the specification scheme 1. They are what we will call terra transitions consisting of a single equation of the form sos = sis. The goal of our constructions in the next section essentially is to break down an arbitrary instance of scheme 1 into a set of (parallel and sequential) term transitions. But before we get into the details let us make things definite by way of an example.
Example [Gordon's computer]
Gordon's computer is a simple general-purpose computer introduced as a nontrivial exercise in the formal specification and verification of hardware [15, 26] . The top-level specification of the computer at machine instruction level is what an assembler language programmer would need to write a program. At the This description for Gordon's computer may be rendered formal by the specification given in Fig. 3 , following [26] closely. The meaning of the functions Val2, Cut16_13, Storelz, Opcode, Fetch13 is exactly as in [26] . T and F are the Boolean constants for true and false. The specification easily is seen to be an instance of our generic scheme 1. 
Computer(button, knob, switches, memory, pe, acc, idle ) =_ ((memoryy, pc
Formal Construction
A step of formal construction is a transformation from one specification to another and the main aspect of this transformation is the decomposition of an abstract specification into less abstract sub-specifications. The process is repeated until concrete and minimal pieces of specification are met that are considered executable or directly implementable. This (well-known) idea can be lifted to specification schemes, so that the formal construction specifies and verifies the design process itself rather than a particular piece of hardware. In this section we discuss the high stages of the formal construction, the refinement from the machine instruction level to the term transition level. This involves a number of smaller refinement steps via intermediate levels of description, in which a number of different design decisions are introduced and higher-level structures are realized in terms of lower-level structures. Instead of going through all of these steps we will focus on only one intermediate level, which is sufficient to illustrate the basic idea. The complete treatment can be found in [38] . Starting from the specification scheme 1 (Fig. 2) , among other less central ones, the following four main refinement steps are to be taken:
( (2) Rearranging let_in structure: The let_in binding is our means to break up terms into pieces, i.e. undo syntactic substitution. In our later refinements the binding "A = (v -: trnl)" in "let Ain sos = tm~" is going to be realized by a separate process which sequentially precedes the one generated for "sos ~-trn2", while the functionally equivalent "sos = ~rn2 [tml/v] 
is shared by a number of machine instructions such as the code for op --3, 4, 5, 7, and thus only needs to be implemented once. A complete specification of Gordon's computer at the intermediate level is given in Fig. 4 . It is the result of applying the refinements (1)-(4) to the specification in Fig. 3 . The sub-state transition sets arising in Fig. 4 are abbreviated as in Fig. 5 . In [38] the refinement steps (1)-(4) discussed above have been formalized rigorously in terms of transformations on specification schemes and their correctness has been verified. Obviously, these refinements are nondeterministic, in general, and need a good deal of user-guidance for the appropriate selections and transformations. To account for this the constructions defined in [38] provide The corresponding abstract syntax scheme 3 is given in Fig. 7 . The significance of specification scheme 3 is that it embodies a novel high-level design stage, the term transition level, which is obtained by exact formal construction. This, so we believe, establishes a rather natural and generic level of abstraction between the machine instruction level above (in other words: specification scheme 1) and the function unit and connection level (in other words: register transfer level) below. The term transition level can be viewed as a generalization of the computational model of UNITY [8] or SYNCHRONIZED TgANSITIONS [32] . A term transition model ttm (cf. Fig. 7 ) here corresponds to a basic transition, i.e. a multi-assignment, there. A set ttms of term transition models, then, corresponds to a basic UNITY or SYNCHRONIZED TRANSITIONS program. However, whereas in these languages all control is flattened away and effected implicitly through state changes, in our model a rather generic form of control structure is still explicit through the entry and leaving predicates. We are now going to formalize the construction process that leads from the intermediate level to the term transition level as a transformation 9 of Prolog style from specification scheme 2 to specification scheme 3. The construction, a simplified variant of the one from [38] , is shown in Fig. 8 . The specification of Gordon's computer at the term transition level is shown in Fig. 9 . It is an instance of specification scheme 3 and formally derived by the refinements discussed. It can be obtained by applying ~2 to the specification in Fig. 4 at intermediate level (we also unify appropriate entry and leaving predicates and remove duplicate conjuncts).
From the derived specification of Gordon's computer at term transition level we get a clear picture about how the term transition specification describes a high-level abstract computer architecture. At this level one or a group of term transitions, such as st2, is taken as a ~primitive' component whose internal structure is left to further construction. Scheme 3 reveals the logical dependency between the term transitions, which may in fact be viewed as an abstract microprogram. A primitive component corresponds to a linear microprogram and what the scheme 3 describes is the connection relation of these linear microprograms. The abstract flowchart for Gordon's computer is seen in Fig. 10 , Figure 8 : Formal Construction of the Refinement where for conciseness we omit the obvious signal protections. Note that since every 'primitive' term transition set its is again an instance of scheme 1 the whole refinement process from scheme 1 to scheme 3 can be reiterated locally for its if this appears appropriate. This means we can break up the terms by introducing and rearranging let_ins, identify common blocks, and select for parallel and sequential execution of sub-terms. It is worthwhile to recall that although we have refined the computer to a microprogram level it is abstract in that it still has a large degree of design freedom. Depending on how we decide to interpret (or instantiate) the entry and leaving predicates we can get implementations quite different from a microprogrammed computer such as an abstract synchronous or asynchronous circuit (cf. Sec. 2).
In [38] a complete sequence of refinement steps has been worked out along similar lines, which from the microinstruction level leads all the way down to a concrete implementation at register-transfer level involving 10 major levels of specification schemes together with 9 construction steps. We have presented only one of these steps in this paper. All of these construction steps are rigorously defined and formally verified. If @n is a (nondeterminlstic) construction from a scheme 3n to a scheme 3~+t, then it is verified that for every instance Sn of scheme ~q~ the construction (guided by external choices) will produce a well-formed instance S,~+1 of scheme S,~+1 (--syntactic correctness and completeness), and further it is verified that F-S,~+1 ~ S,~ (--semantical correctness). The framework has been applied to construct several different versions of Gordon's computer.
Conclusion
We have presented a framework for the formal design of a class of microprogrammed computers based on the formal refinement of abstract specification schemes. We used Gordon's computer to illustrate our ideas. We believe that this approach offers a feasible path towards the rigorous specification and verification of hardware synthesis systems, which still remains a major challenge [2, 3, 6, 7, 21, 19, 20, 23, 39] . Two technical contributions are made: (I) We introduce a novel construction model of hardware by which the synthesis process can be split into smaller refinement steps compared to the traditional components-as-predicates verification model. (2) With the term transition level our formal construction establishes a new and natural abstraction level of computer architecture, conveniently between microinstruction and register-transfer level.
Further work will be in two directions. We plan to develop a semi-automatic computer design system which can design a register-transfer level microprocessor from a specification at machine instruction level. The user interaction consists in the selections for high-level allocation and scheduling. Other work aims at the theoretical foundations of our framework, in particular concerning the algebraic and logical properties of the construction model.
