Abstract. This paper presents the derivation of a denotational semantics from an operational semantics for a subset of the widely used hardware description language Verilog. Our aim is to build an equivalence between the operational and denotational semantics. We propose a discrete time semantic model for Verilog. Algebraic laws are also investigated in this paper, with the ultimate aim of providing a unified set of semantic views for Verilog.
Introduction
Modern hardware design typically uses a hardware description language (HDL) to express designs at various levels of abstraction. An HDL is a high level programming language, with usual programming constructs such as assignments, conditionals and iterations and appropriate extensions for real-time, concurrency and data structures suitable for modelling hardware. Verilog is an HDL that has been standardized and widely used in industry [6] . Verilog programs can exhibit a rich variety of behaviours, including event-driven computation and shared-variable concurrency.
The semantics for Verilog is very important. At UNU/IIST, the operational semantics has been explored in [1, 3, 4, 7] . Verilog's denotational semantics [9] has also been explored based on the operational semantics using Duration Calculus [8] . The two semantics can be considered equivalent informally. The question is how the two semantics can be proved equivalent formally.
The aim of this paper is to derive the denotational semantics for Verilog from its operational semantics. This ensures the consistency of the two semantics, making it possible to demonstrate their equivalence formally. The similar problem was also investigated in [5] for Dijkstra's sequential language. In our paper we define a transitional condition and the phase semantics for each type of transition. The denotational semantics can be treated as the sequential composition of those phase semantics. This paper is organized as follows. Section 2 introduces the language and presents a discrete denotational semantic model. We also design a refinement calculus for the discrete model. Section 3 is devoted to deriving the denotational semantics from its operational semantics. We introduce the operational semantics, and define a function that maps any program text to a logic formula representing its denotational semantics. We derive the denotational semantics for each statement from the function by a formal proof in Section 4. We also discuss the algebraic laws that are well suited for symbolic calculation. The three semantics form a unifying model, proving different views useful for varying purposes when reasoning about Verilog.
The Discrete Denotational Model

The Syntax for Verilog
The language discussed in this paper is a subset of Verilog. It contains the following categories of syntactic elements introduced in [2] .
1. Sequential Process (Thread): S ::= P C | S ; S | if b then S else S | c S where P C ranges over primitive commands.
P C ::= (x := e) | skip | chaos and c S denotes timing controlled statement, and c is a time control used for scheduling.
c ::= #(∆) | @(η), where η ::= v |↑ v |↓ v Time delay #∆ suspends the execution for exactly ∆ time units. ∆ is treated as the integer in this paper. Event guard @(↑ v) is fired by the increase of the value of v, whereas @(↓ v) is triggered by a decrease in v. Any change of v awakes the guard @(v).
Parallel Process (Module):
P ::= S | P P To accommodate the expansion laws of parallel construct, the language is equipped with a hybrid control event hc:
hc ::= @(x := e) | @(g) | #(∆) g ::= η | g or g | g and g | g and ¬g and the guarded choice (hc 1 
Denotational Semantic Model
Verilog processes are allowed to share program variables. In order to deal with this shared-variable feature, we describe the behaviour of a process in terms of a trace of snapshots, which records the sequence of atomic actions in which that process has engaged to some moment in time. Our semantic model contains a variable tr to denote that trace.
If a trace tr is not empty, the function "last" yields its last snapshot. Let tr 1 , tr 2 be two traces. The notation tr 1 tr 2 denotes the concatenation of tr 1 and tr 2 . tr 1 tr 2 indicates that tr 1 is a prefix of tr 2 . Suppose tr 1 tr 2 ; the notation tr 2 − tr 1 denotes the result of subtracting those snapshots in tr 1 from tr 2 . We use the notation tr 1 in tr 2 to indicate that tr 1 is contained in tr 2 , i.e., there are sequences s and t such that tr 2 = s tr 1 t.
A snapshot is used to specify the behaviour of an atomic action, and expressed by a triple (t, σ, µ) where: (1) t indicates the time when the atomic action happens; (2) σ denotes the final values of program variables at the termination of an atomic action; (3) µ is the control flag indicating which process is in control: µ = 1 states the atomic action is engaged by the process, whereas µ = 0 implies it is performed by the environment.
We select the components of a snapshot using the projections:
Verilog process is activated, it continues its execution until the completion of an atomic action; namely either it encounters a timing controlled statement, or it terminates successfully. An atomic action usually consists of a sequence of assignments as shown below.
Example 2.1: Consider the parallel program P Q where P = df (x := 1; y := x + 1; z := x + 2) and Q = df x := 2. Three assignments of P form an atomic action, and their execution is uninterrupted. The process Q can only be started at the beginning or at the end of the execution of P . P The execution of an atomic action is represented by a single snapshot. In order to describe the behaviour of individual assignment, we introduce a variable ttr to model the accumulated change made by the statements of the atomic action. On the completion of an atomic action, the corresponding snapshot is attached to the end of the trace to record its behaviour.
Example 2.2:
Let P = df x := x + 1 ; y := y − 1 ; @(g). Assume that program variables x and y are 0 and 1 respectively when P is activated, and the activated time of P is at 0. The execution of x := x + 1 produces ttr = {x → 1, y → 1} on its termination that specifies the change made by the assignment to variable x. The statement y := y − 1 in turn yields ttr = {x → 1, y → 0} as the final value of ttr, which reflects the change incurred by the atomic action (x := x+1; y := y −1). The snapshot (0, {x → 1, y → 0}, 1) will be added to the end of the trace variable tr when @(g) is encountered. After this adding, ttr will be assigned an empty value null. P Example 2.3: Let P = df x := 1 ; @(x := 2) ; x := 3. The contribution of (x := 1) is added to the end of the trace when assignment guard @(x := 2) is encountered. This means x := 1 in this particular case is an atomic action. Although @(x := 2) is an atomic action, it also stores its result in ttr. In order to distinguish assignment guard from assignment, we assign a control f lag with 0 to identify this case. The result of the assignment guard will be added when its sequential statement is encountered (not only guards). − → tr stands for the final trace of a program over the interval. − → tr − ← − tr stands for the sequence of snapshots contributed by the program itself and its environment during the interval.
• ttr and ttr stand for the initial and final value of the variable ttr which are used to store the contribution of an atomic action over the interval.
• f lag and f lag stand for the initial and final value of the control flag. There are two cases to indicate the end of its prior atomic action("ttr = null" or "ttr = null∧f lag = 0").
Example 2.4:
Let P = df x := 1 ; #1, Q = df #1 ; x := 2, R = df x := 3. Consider the trace of program (P Q) ; R. The trace of P is < (
P We use the following diagram to indicate the trace behaviour of a process (and its environment). Here, "•" stands for the process's atomic action. "•" stands for the environment's atomic action. The numbers on the vertical line stand for the snapshot sequences in the process's trace, whereas the number on the horizontal line represents the time when the atomic actions take place. 
As in Temporal Logic, we introduce a binary "chop" operator to describe the composite behaviour of sequential composition.
operator is associative, and distributes over disjunction. It has I has its unit and false as its zero, where
A Verilog process may perform an infinite computation and enter a divergent state.
To distinguish its chaotic behaviour from the stable ones we introduce the variables ok, ok : Bool into the semantic model, where ok = true indicates the process has been started, and ok = true states the process has become stable.
A timing controlled statement can not start its execution before its guard is triggered. To distinguish its waiting behaviour from terminating one, we introduce another pair of variables wait, wait : Bool. wait = true indicates that the process starts in an intermediate state, and wait = true means the process is waiting. The introduction of intermediate waiting state has implications for sequential composition "P ; Q": if Q is asked to start in a waiting state of P , it leaves the state unchanged, i.e., it satisfies the healthiness condition.
Definition 2.6: Let P and Q be formulae. Define
A formula is called a healthy formula if it has the following form.
Corollary 2.10: If P is a healthy formula then (1) II ; P = P (2) ⊥ ; P = ⊥ P The union and intersection of arbitrary healthy formulae set are also healthy formulae. This implies that healthy formulae form a complete lattice under the implication order, which has a bottom element ⊥ = df H(false true) and a top element = df H(true false).
From Operational Semantics to Denotational Semantics
Transitional Condition and Phase Semantics
In order to derive Verilog's denotational semantics from its operational semantics we define a transitional condition and the phase semantics for each type of transition. The standard way to give an operational semantics is to define a set of transition rules based on configurations, such that any computation of a program can be generated from the transition rules. A configuration usually consists of four components (or five components in some cases):
(1) a program text P representing the rest of the program that remains to be executed; (2) a data state σ (the second element of a configuration) denoting the initial data state of an atomic action; (3) another data state σ (the third element) representing the current data state during the execution of an atomic action (σ = ∅ represents the previous atomic action ends and the new atomic action has not been scheduled); (4) a control flag k (the fourth element) indicating which process is selected to execute: k = 0 states the program P is waiting to be executed and its environment may perform triggering action or let time make advance, whereas k = 1 implies that P is being executed and neither time advance step nor triggering action can take place; (5) a thread number i (in some configurations) denoting the i-th thread of process P is being executed (i.e., this thread obtains the control flag).
The relationship between a transition and the variables in the denotational model can be described by the following diagram of an example transition.
stands for the observation of ttr and f lag.
We use "ttr = notnull" to indicate "ttr = null".
The transition rules can be grouped into the following types [7] . We define a transitional condition Cond i,j and its corresponding phase semantics for each type of transition. Our map from operational semantics to denotational semantics is based on the phase semantics. Here, Cond i,j stands for the transitional condition of the j-th transition of type T i .
• Instantaneous transition T 1 : The i-th thread of process P can perform an instantaneous action, and P enters the instantaneous section by its i-th thread being activated.
T 2 : Within the instantaneous section, the i-th thread of the process P performs a transition, and remains in the section or terminates. This transition assigns the successor of P an active status.
For a specific program P , σ should be of the form f (σ). The two transitional conditions are the same.
T 3 : Within the instantaneous section, the i-th thread of a process may leave the instantaneous section. If the process is breakable, it can also leave the instantaneous section.
The two transitional conditions are the same.
T 4 : A transition represents that the program executes an assignment guard (i.e., assignment guard is regarded as an atomic action). < P, σ, ∅, 0 > −→ < P , σ, σ , 0 > For a specific process P , σ should be of the form f (σ).
The above four types of transitions have the instantaneous feature. The corresponding phase semantics of each transition can be expressed as Inst (Cond i,j ) .
where, Cond i,j can be the above seven transitional conditions.
Inst(X) = df H(true ¬wait ∧ δ(time) = 0 ∧ X ) "δ(time) = 0" indicates those transitions consume zero time.
• Triggered transition
(1) A transition can be triggered by its sequential predecessor. This kind of transition is called the self-triggered transition.
Here, c in notation
−→ c represents the condition which triggers the transition. It has the form c(σ, σ ) based on a pair of states < σ, σ >. If there is no this kind of condition, it can be understood as true. If σ and σ (i.e., π 2 (last( ← − tr )) and ttr) are the same, σ will not be attached to the end of the trace.
This transition also lasts zero time. Its phase semantics is also Inst(Cond 5,1 ).
(2) A transition can be triggered by its parallel partner.
A process can also records the contribution of its environment's atomic action. But the control flag µ in the snapshot is 0. If σ and σ are the same, the environment will not attach σ to the end of the trace. Therefore, the process's trace remains unchanged (i.e., − → tr = ← − tr ) in this case.
Its phase semantics is also Inst(Cond 5,2 ). It means its environment's corresponding atomic action also lasts zero time.
• Time advancing transition
If process P can not do any other transitions at the moment, time will advance. We regard the unit of time advancing is 1. During this period, there are no atomic actions contributed by the process P itself and its environment. Hence, time advancing keeps the trace unchanged. Its phase semantics is:
Map from Operational Semantics to Denotational Semantics
Definition 3.1: A configuration < P, σ, σ , 1 > (or < P, σ, ∅, 0 > ) is called a divergent state if P can perform an infinite sequence of instantaneous transitions or self-triggered transitions; i.e., there exists an infinite set{D i | i ∈ N at} of configurations such that D 0 =< P, σ, σ , 1 > (or < P, σ, ∅, 0 > ), and for all i,
where, N at is the set containing all non-negative integers. P Definition 3.2: A computational sequence of program P is an empty sequence or any finite sequence leading P to the other state, that is: 
−→). P If computational sequence seq is not empty, seq[i] is the i-th transition (D
We write cp[P ] representing the set which contains all the computational sequences leading program P to terminating state or divergent state. cp[P ] ter and cp[P ] div stand for the sets which contain all the sequences leading program P to the terminating and divergent states correspondingly. Therefore, we have cp
From the operational semantics we know the initial state of process P can be one of the following states before it is executed.
• < P, σ, ∅, 0 > (represented as ttr = null in the denotational model).
• < P, σ, σ , 1 > (represented as ttr = null ∧ f lag = 1).
• < P, σ, σ , 0 > (represented as ttr = null ∧ f lag = 0).
Example 3.3:
Let P = df x := 1; @(↑ y). Consider the computational sequences of process P under the state < P, σ, σ , 1 > (operational semantics in the appendix):
where c = f ire(↑ y) (definition in section 4.4) which means two consecutive states can trigger this guard. Also,
is the same as σ except mapping x to 1. Here, we find the computational sequence seq2 will lead the program to the terminating state ( ). P Example 3.4: Let Q = df @(↑ y); x := 1; chaos. Consider the computational sequences of process Q under the state < Q, σ, ∅, 0 >:
Here c = f ire(↑ y). chaos can perform an infinite sequence of instantaneous transitions under any state < chaos, σ, σ , 1 > [7] . If "x := 1; chaos" takes control at the state < x := 1; chaos, σ 3 , ∅, 0 >, it will execute an infinite sequence of instantaneous transitions. Therefore, seq4 is the computational sequence leading the program Q to the divergent state. P cp[P ] ter (0) and cp[P ] div (0) stand for the sets leading the program to the terminating and divergent states under < P, σ, ∅, 0 > respectively. cp[P ] ter (1) and cp[P ] div (1) are the sets leading the program to the terminating and divergent states under < P, σ, σ , 1 > correspondingly. cp[P ] ter (2) and cp[P ] div (2) stand for the sets leading the program to the terminating and divergent states under < P, σ, σ , 0 > correspondingly. This means:
Definition 3.5:
Let seq stands for a computational sequence of program P . Suppose len(seq) = n, sem(seq) is the semantics of the computational sequence seq which can be defined as: If len(seq) = 0 then sem(seq) = df II. If len(seq) = 1 then sem(seq) = df sem 1 . Otherwise sem(seq) = df sem 1 ; . . . ; sem n . sem i is the phase semantics of the i-th transition (seq[i]) of the computational sequence seq. P Example 3.6: Let P = df x := 1 ; x := 2. There is only one computational sequence seq of P under < P, σ, σ , 1 >:
The semantics of computational sequence seq is:
{Def of 3.5} = sem 1 ; sem 2 ; sem 3 ; sem 4 {Phase semantics, Th 2.9}
) P The denotational semantics of program P can be defined as: Definition 3.7: (Map from operational to denotational)
where
Here P [0], P [1] and P [2] stand for the semantics of program P under the states < P, σ, ∅, 0 >, < P, σ, σ , 1 > and < P, σ, σ , 0 > respectively. P The following definitions and theorems are useful for calculating the denotational semantics for Verilog statements. Definition 3.8:
means there exist i steps environment transitions,
L1(i) stands for the following computational sequence:
..,j δ < P, σ , ∅, 0 > means the following detailed computational sequence:
Definition 3.12:
L2(c, j 0 , . . . , j δ ) stands for the following computational sequence.
where, the disjuction " " is for all j 0 ≥ 0, . . . , j δ ≥ 0.
silence(c) means during this period, the environment can do any atomic actions, but can not fire the condition ¬c.
In this section we will derive the denotational semantics for the Verilog statements by strict proof. Therefore our denotational semantics is equivalent with its operational semantics.
The main purpose of the mathematical definition of Verilog operators is to deduce their interesting properties. These are most elegantly expressed as algebraic laws (equations usually). As our denotational map is based on the transition system of a program, we have two ways to prove the algebraic laws, one using the denotational semantics and the other using the transition system.
Sequential Composition
The notation (P ; Q) represents the process which behaves like P before P terminates, and then behaves like Q afterwards. Theorem 4.1: (P ; Q) = (P ) ; (Q)
The ";" in the left side is the sequential composition of programs, whereas ";" in the right side is the semantic sequential composition of logic formulae. This theorem indicates the denotational semantics of program P ; Q is the sequential composition of their denotational semantics.
Skip
The role of skip is the same as x := x (see operational semantics in the appendix).
Theorem 4.2:
skip = f lash ¡ (ttr = null ∧ f lag = 0) £ II ; (hold(0) ; init) ¡ ttr = null £ II where, init = df Inst( − → tr = ← − tr ∧ O(null, π 2 (last( ← − tr )), 0, 1) ) f lash = df Inst ttr = null ∧ f lag = 0 ∧ ( − → tr = ← − tr ¡ (ttr = null ∨ π 2 (last( ← − tr )) = ttr£) − → tr = ← − tr < ←−− time, ttr, 1 > )
Assignment
The execution of x := e assigns the value of e to x. Assignment x := e can be in either of the three states before its execution: < x := e, σ, ∅, 0 >, < x := e, σ, σ , 1 > and < x := e, σ, σ , 0 >.
Case 1:
If ttr = null, the corresponding computational sequence is :
The transitional conditions of the last two instantaneous transitions are: Cond 1,1 and (Cond 1,1 ; Cond 2,2 ) = init ; assign(x, e). Using theorem 3.10, the semantics of x := e in this case is: hold(0) ; init ; assign(x, e).
Case 2:
If ttr = null ∧ f lag = 1, the corresponding computational sequence is < x := e, σ, σ , 1 > −→ < x := e, σ, σ, 1, 1 > −→ < , σ, σ[e/x], 1 > The semantics of assignment in this case can be proved as assign(x, e).
Case 3:
If ttr = null ∧ f lag = 0, the corresponding computational sequence is:
The semantics of x := e under this case is: f lash ; hold(0) ; init ; assign(x, e).
Using the semantic map and predicate calculus, we obtain the semantics of assignment.
Theorem 4.3:
x := e = skip ; assign(x := e) Verilog assignment statements obey the same set of algebraic laws as its counterpart in the conventional programming languages.
Event Guard
The guard event is denoted by @(g). A primitive guard g can be of the following forms:
• ↑ v waits for an increase of the value of v.
• ↓ v waits for a decrease of the value of v.
• v waits for a change of v.
There are also three types of compound guards.
• g 1 or g 2 becomes enabled when either g 1 or g 2 is fired.
• g 1 and g 2 becomes enabled if both g 1 and g 2 are awaken simultaneously.
• g 1 and ¬g 2 becomes fired if g 2 remains idle and g 1 is awaken.
We introduce a predicate f ire(g)(σ, σ ) to indicate the transition from the state σ to the state σ can awake the guard @(g).
The event guard @(g) can be immediately fired after it is scheduled, it is actually triggered by the execution of its prior atomic action. According to the operational semantics of @(g) (in the appendix), there are two kinds of computational sequences leading to the terminating state.
Another case is the guard @(g) waits to be fired by the environment. There are three kinds of computational sequences leading to the terminating state.
There is a corresponding phase semantics for each type of transition. Using the definition of phase semantics and Theorem 2.9, 3.13, we obtain:
Other Statements
chaos represents the worst process. Its behaviour is totally unpredictable. The conditional if b(v) then P else Q behaves the same as the "then" branch if b is true when activated, and the same as the "else" branch otherwise. The delay event #n holds the execution for n units. An assignment guard @(x := e) is a special assignment representing an atomic action. It is used in supporting the parallel expansion laws. Let {g i | 1 ≤ i ≤ n} be a finite family of event guards, and
denotes the program which initially waits for one of the guards to be fired, and then behaves the same as the corresponding guarded process. The program (@(x 1 := e 1 ) P 1 )[] . . . [](@(x n := e n ) P n ) performs one of its alternative , and the choice is made non-deterministically.
In accordance with the semantic map and operational semantics of these statements [7] , we obtain the denotational semantics for these statements.
; hold(0) ¡ ttr = null £ II ; ⊥ (6) (@(g 1 ) P 1 ) [] . . . [] (@(g n ) P n ) = {(self trig(g i ) ∨ (await(g); trig(g i ))) ; P i | 1 ≤ i ≤ n} where trig(@(x := e)) = df Inst( − → tr = ← − tr ∧ O(null, π 2 (last( ← − tr ))[e/x], 0, 0) ) g stands for the compound guard g 1 or . . . or g n .
Parallel
Although we have not derived the universal formula representing the denotational semantics for a parallel process, we can write down its transition system. Its semantics can be calculated based on its transition steps. Algebraic laws dealing with parallel can also be proved using the denotational map based on its specific transition systems. Example 4.6: Let P = (#1; x := 2) (x := 1; #1) ; #1. Consider the denotational semantics of P . We can write down the computational sequences leading program P to the terminating state under three cases (ttr = null, ttr = null ∧ f lag = 1 and ttr = null ∧ f lag = 0) based on the parallel transition [7] . The semantics of P can be calculated based on the semantic map and its computational sequences. Therefore, the denotational semantics of P is f lash ; hold(0) ; Inst( S(1) ) ; hold(1) ; Inst( S(2) ) ; hold (1) where, S(u) = df ( − → tr = ← − tr < ←−− time, {x → u}, 1 >) ∧ O(null, null, 0, 0) P Theorem 4.7 (Expansion laws) (par-1) Let P i = df @(η i ) Q i for i = 1, 2. Then 
Conclusion
The main contribution of our work is to derive the denotational semantics for a subset of Verilog from its operational semantics [7] . Thus, our denotational semantics presented here is equivalent with its operational semantics. We provide a discrete denotational model and design a refinement calculus for it. Our approach for the derivation is new. We define a transitional condition and the phase semantics for each type of transition. The denotational semantics can be derived as the sequential composition of those phase semantics. Verilog's algebraic laws are also discussed, which can support program transformation and system partitioning for hardware/software co-design. Proofs are undertaken in two ways, one using the denotational semantics and the other using the operational semantics. Thus, the three semantics form a unifying model for (a subset of) Verilog.
For the future, we are continuing to explore unifying theories for Verilog. We wish to extend the scope of the derivation of denotational semantics for Verilog to further constructs in the language such as iteration. The derivation of operational semantics from denotational semantics for Verilog is another interesting topic for study.
