Complex digital systems are often decomposed into architectures very early in the design process. Unfortunately, traditional simulation based languages such as VnDL do not allow the impact of these architectural decisions to be evaluated until a complete, simulatable design of the system is available. After a complete design is available, architectural errors are time-consuming and expensive to correct. However, there is an alternative to simulation based techniques: formal analysis of abstract architectures at the requirements level. This paper describes vs,Ec's approach for defining and analyzing abstract architectures. VSl,EC is a Larch interface language for VHDL that allows a designer to specify the requirements of a vHI entity using the canonical Larch approach, vi-i)i structural architectures that instantiate vs,c entities define abstract architectures. These abstract architectures can be evaluated at the requirements level to determine the impact of architectural decisions. This paper briefly introduces vs,c, provides a formal definition of vs,c abstract architectures and presents two examples that illustrate the architectural definition capabilities of the language.
INTRODUCTION
Architectural design decisions made early in a system's design profoundly affect overall design quality. Unfortunately, architecture decisions are rarely evaluated until late in the design process. Simulation-based design languages such as vHIi [5, 12] do not allow evaluation until complete models exist. For large systems, simulatable models appear late in the design process, driving up the cost of error correction. These models include not only architectural decisions, but also component design decisions. The ability to analyze architectural decisions as they are made would significantly reduce this cost.
A solution to late architecture evaluation is the formal analysis of abstract architectures at the requirements level. An abstract architecture is an interconnected collection of components where the requirements of each component are specified *Corresponding author, e-mail: {pbaraona, alex}@ececs.uc.edu without defining their implementation. Thus, an abstract architecture describes a class of solutions with a common structure rather than a single instance from that class. Formally described abstract architectures can be evaluated early in the design process when architecture decisions are made before component designs exist.
vspEc [7] , a Larch interface language [10] for vnoL [12] , is a requirements specification language that includes formal architecture definition support. vsPEc describes the requirements of digital system components using the canonical Larch approach. Each vnoL entity is annotated with a pre-and post-condition to specify the entity's functional requirements, vs,c-annotated entities can be connected together using a vni structural architecture to form abstract architectures. The vHo architecture indicates interconnection in the traditional manner, but the vspc specification defines the requirements of each component instead of a specific design. The Figure 1 .
It states the output has all the same elements as the input (permutation(output'post, input)) and the output is in order (ordered(output'post)). Any sorting algorithm may be used to implement these requirements, but vspc allows this algorithm to be chosen later in the design process. Larch interface languages have been developed for a variety of programming languages including C [9] , C + + [15] and Modula-3 [14] define an activation condition in addition to the pre-and post-condition for an entity. When an entity's state satisfies its activation condition, its pre-condition must hold and the entity must perform its specified transformation. This paper describes VS'EC, concentrating on the language's facilities for describing abstract architectures. The next section provides a brief summary of the VSPEC language. After this, we describe VSpEC abstract architectures, including a definition of the VSpEC state model and a description of how a process algebra (CSP [11] ) is used to provide a semantics for the VS Figure 2 , the requirements of a vHoi entity can be defined by describing a relationship from the current inputs and state of the system to the outputs and the next state. This section describes how F(x, s) and s are defined in VSPEC and contrasts these definitions with VHOL definitions of F(x, s) and s.
As shown in the find entity of Figure 3, 
A VSPEC description of a find component is shown in Figure 5 . Notice that the requires clause predicate is true, meaning this entity will function correctly for any set of inputs of the proper type. specification. An example of the includes clause is shown in Figure 5 ; its syntax is the keyword includes followed by a list of trait references. The syntax of a trait reference is similar to a trait reference in LSL. It consists of the trait name followed by an optional parameter list. The parameter list is used to rename LSL names to a name visible in the vsPc entity. Thus, an integer stack is included in a vsPc specification with this includes clause: includes Stack(integer, int_stack).
ARCHITECTURES
The previous section briefly described how VHDL and vsPc are used to define the requirements of a single device in a digital system. The behavior of a device can also be described by decomposing it into smaller pieces and connecting these pieces together to form an architectural description of the device. This architectural description represents a refinement of the device's behavioral VHDL/VSPC description. VrtDL Figure 6 shows a structural architecture for find. Unlike the behavioral representation in Figure 4 , this architecture indicates that a sort component connected to a search component implements the find function. This structural architecture should perform the same function as that specified in the behavioral description.
The VHDL component construct defines each component used in a structural architecture. The structure architecture of find in Figure 6 declares two types of components that are used in this architecture: sorter and searcher. One instance of each of these components (named bl and b2) is created in the body of this architecture. The port maps of these component instances are used to indicate how the components are connected together. In the structure architecture for find, the system's input array is connected to the sorter input and the sorter output is connected to internal Previous versions of vsec [1, 2, 7] also contained a based on clause. The modified syntax of the includes clause described here made the based on clause obsolete.
Allowing includes clauses in package declarations is a change from previous versions of vsec [1, 2, 7] . architecture signal y. The signal y and system input key are inputs to the searcher component. The output of the searcher is connected to the device output.
The vHox configuration construct is used to bind entity-architecture pairs to component instances.
In this example, the test_struet configuration binds the bubble sort defined by entity sort with architecture behavior to the bl instance of the sorter component. Similarly, the binary search defined by entity bin_search with architecture behavior is bound to the b2 instance of searcher. If there were other architectures for these two entities (such as a structural architecture), a different configuration could have been specified stating that the components in structure mapped to these architectures. Entirely different entities could even have been defined.
Since a structural architecture only defines dataflow between components, an additional mechanism must be provided to define when a component activates. VHDL but no implementation has been defined. 4 The structure architecture of find, shown in Figure 6 , becomes an abstract architecture by referencing vspc definitions of the instantiated components. Figure 7 This is different than leaving the entity open. When a VHDL entity is left open, the design is being deferred. At the current point in the design, nothing is known about the function of the entity. In contrast, the requirements of a vsPEc entity are known, even though an implementation is not.
for the sort and bin_search components in Figure   6 . A new configuration, test_vspec, has been defined for the find entity. It specifies that the VSeEC descriptions of sort and bin_search should be used instead of a specific architecture for these two entities. This configuration describes an abstract architecture for the find component. Any implementation satisfying the VSPEC requirements of sort and bin_search may be associated with the entity definitions. The architectures specified in Figure 6 represent one such solution, but there are many others.
The VSPEC description of sort specifies the requirements for a sorting component: the input and output must have all the same elements (i.e., the output is a permutation of the input) and the output must be in order. In a similar fashion, the bin_search specification states that whenever the component input is sorted, the component must ensure that the output element contains the same key as the key input and this element is an element of the input array. The requires and ensures clauses of these entities use two predicates (permutation and ordered) to define these requirements. These predicates are defined in the LSL trait SortPredicates, which is included in both vspEc entities.
Although 
Transform Definition
The transform performed by a vs,c architecture is defined by the sensitive to, requires and ensures clauses. The formal definition of the requires and ensures clauses was discussed in the section titled "vspvc". This definition is very similar to the transform defined by a traditional Larch interface language. As described in the section titled "vspc Abstract Architectures", the sensitive to clause is used to synchronize components and define when the requires clause predicate must be satisfied.
Formally, synchronization is easily represented using a traditional process algebra such as csP [11] . Events are defined as changes in the state of the entity. Assume that F(St) is a function between two states of entity P that implements the requirements specified in P's requires and ensures clauses (i.e., F(St) satisfies Eq. (2) This description may not seem correct to an experienced VHDL user because the output signal is driven by two sources, but no resolution function is specified. Although this is illegal in VHDL, it is allowed in VSPEC. In most cases, the csP statement that defines a vspE entity's contribution to the next state of the system will define a single value for every signal, but a vsPc description may allow more than one value for a specific signal. This is legal vsec because vsPc is a specification language, not a simulation language like VHDL. This implies that a vsPc specification does not need to deterministically define a single value for every signal in the system. It is certainly possible to do this with vspEc by defining the requirements of resolution functions, but a vspc specification could allow a signal to be driven to two (or more) different values. In these cases, a designer implementing the specification may chose to drive the signal to any of its allowed values.
The Move Machine
A more complex example is the specification of a Move Machine [22] . The Move Machine is a simple CPU that moves data from one memory location to another. It uses four instructions: jump, load register from memory, store register to memory, and halt, and four addressing modes: absolute, immediate, indirect and relative. Although the Move Machine is a simple device, its structure reflects how a more complex system might be represented.
The first step in specifying the Move Machine is representing it as a simple instruction interpreter (Fig. 13) . At this level, only one vspc annotated entity describes the execution of each instruction and addressing mode. This entity contains state variables to store the current register contents and the value of the instruction pointer. The sensitive to clause states that the machine activates when its start or reset input is on or when the value of the instruction pointer changes. The rather complex ensures clause predicate defines how the machine behaves for each instruction and addressing mode.
An external entity would use this component by first applying the reset signal and then the start signal. This causes the machine to begin executing the instruction in memory location 0. The result of each instruction (except halt) cause the contents of the instruction pointer to change which activates the machine again in the next state. This continues until a halt instruction is processed, causing the machine to stop. One thing to note about this specification is the use clause on the first line. In VHDL, types and functions can be declared in separate packages. These packages are then included in entity and architecture descriptions with the use clause. The mm_types package referenced in this example is shown in Figure 14 . An interesting aspect of this package is the use of incomplete types to specify address and word. VHDL uses incomplete types to allow references to a type before the type is completely defined (such as in an access type). One use of this is to allow a record to contain a pointer to another record of the same type (i.e., to construct a list).
In VSPEC, incomplete types are used for a slightly different purpose. The type definitions for address and word are incomplete because no implementation is defined. They are declared to be types, but no additional information is provided. These incomplete types will be given characteristics by the specification, but no specific implementation is implied or mandated. Thus, the designer must select an implementation at a lower abstraction level. Using incomplete types allows the designer to specify a type's characteristics without specifying its implementation.
The characteristics of the address and word types are defined in the LSL Instruction trait. This trait is included in mm_types using a VSPEC includes clause and the trait is shown in Figure 15 . (mem(ip))) ) reg(rnum(mem(ip)))) or (am(mem(ip)) rel and mem(ip + addr(mem(ip))) reg(rnum(mem(ip))))))) Machine is now three components that execute in sequence. Figure 16 shows the fetch-decode-execute architecture for the Move Machine. The signals FIGURE 15 Instruction (W,A,N [8] . Research in this field has led to the development of several architecture description languages, including UniCon [23] , WRIUT [3, 4] and RAPIDE [16, 17] . Each of these languages allow the definition of components and connectors to define a software architecture. This is similar to the VI-IDL notion of a structural architecture described in this paper. Shaw architecture. This is very different from a VSPEC abstract architecture, which is used to verify that the class of solutions defined by the architecture implements the requirements specified by the VSPEC description of the component.
The WRnx architecture description language [3, 4] by Allen currently under development [21, 20] . Studies of error analysis reports for safety-critical software systems suggest that over 90% of safety related errors arise from incorrect or incomplete specifications, not transformation of requirements into implementations [18] . This suggests that the use of techniques such as those proposed here are warranted even before a complete verification path between VSPEC and VHDL exists.
