Shared Variable Analyser For Hardware Descriptions. by Sharp, James.
Shared Variable Analyser for Hardware 
Descriptions
James Sharp
Thesis for the degree of Doctor of Philosophy
Supervisor: Dr. Helen Treharne 
Co-Supervisor: Prof. Steve Schneider
Formal Methods and Security Group 
Department of Computing 
Faculty of Engineering and Physical Sciences 
University of Surrey 
Guildford, Surrey GU2 7XH, U.K.
December 2013
©  James Sharp 2013
ProQuest Number: 10074582
All rights reserved
INFORMATION TO ALL USERS 
The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a com p le te  manuscript 
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.
uest
ProQuest 10074582
Published by ProQuest LLC (2019). Copyright of the Dissertation is held by the Author.
All rights reserved.
This work is protected against unauthorized copying under Title 17, United States C ode
Microform Edition © ProQuest LLC.
ProQuest LLC.
789 East Eisenhower Parkway 
P.O. Box 1346 
Ann Arbor, Ml 48106 -  1346
Declaration
This thesis and the work to which it refers are the results of my own efforts. Any ideas, data, 
images or text resulting from the work of others (whether published or unpublished) are fully 
identified as such within the work and attributed to their originator in the text, bibliography 
or in footnotes. This thesis has not been submitted in whole or in part for any other academic 
degree or professional qualification. I agree that the University has the right to submit my work 
to the plagiarism detection service TurnitinUK for originality checks. Whether or not drafts have 
been so-assessed, the University reserves the right to require an electronic version of the final 
document (as submitted) for assessment as above.
James Sharp 
December 2013
Abstract
The application of hardware controllers within safety critical environments is becoming 
ever more common and complex. W ith increasing complexity comes a higher potential 
for design errors. Hardware design tools such as Electronic Design Automation (EDA) 
tools, aim to expose these errors using equivalence checking between abstract and concrete 
designs and apply functional property verification, driven by scenarios. Determining these 
scenarios using test environments, is however, not always straightforward. The EDA tools 
aid in determining the simulation coverage of test scenarios, bu t finding corner cases 
during testing to ensure complete coverage is difficult. Current research in hardware 
verification aims to find methods th a t can discover these extremes and identify errors 
th a t reside within the design; one of these approaches employs formal methods.
In this research, we determine tha t an existing Communicating Sequential Processes 
(CSP) compiler, the Shared Variable Analyser (SVA), is suitable as a basis for our work. 
SVA is designed for analysing threaded processes tha t interact with shared global vari­
ables. The systems analysed by this custom compiler reflect many of the behavioural con­
cepts within the hardware design language, Very High Speed Integrated Circuit (VHSIC) 
Hardware Description Language (VHDL). A contribution of the thesis is the definition of 
formal approach for modelling hardware designs based on the concepts of shared signals. 
This approach is implemented by extending the SVA compiler; we call this augmentation 
of the compiler the Shared Variable Analyser for VHDL (SVA4VHDL). Another con­
tribution of the thesis is the automatic generation from VHDL scripts to SVA4VHDL 
scripts, which are then provided as input to the compiler. This autom atic generation 
ensures tha t scripts can be generated easily and repeatably without errors.
SVA4VHDL introduces: new syntax to the compiler to model VHDL processes; replaces 
the SVA variable definition with a new CSP process tha t correctly describes the different 
types of VHDL signals; defines a CSP process tha t describes the VHDL stabilisation 
model for signals; and captures the design of each system as it is written, not only 
modelling the behaviour within a hardware design, but also the hierarchical structure 
used when composing the hardware description.
The hierarchical compilation strategy used in our approach leads to an optimised CSP 
process composition, and therefore is able to accommodate hardware designs compris­
ing multiple instantiated VHDL components. We exploit full state space exploration of 
hardware models compiled by SVA4VHDL that may yield counterexamples demonstrat­
ing tha t the system requirements have not been met. These counterexamples can form 
the basis of test scenarios which can then feedback into the EDA tools.
The compiler proposed in the thesis is applied to two case studies, a Traffic Lights Sys­
tem and a Built-In Self Test. The case studies provide confirmation tha t SVA4VHDL is 
capable of producing optimised CSP models for complex VHDL hardware descriptions 
and support a discussion on the scalability issues and limitations of the formal approach. 
The Traffic Lights System was also used to perform a comparison with an existing CSP 
approach proposed by Evans, to model VHDL descriptions. This evaluation demon­
strated tha t Evans’ approach was not suitable to model real world hardware systems and 
a clearer more optimal modelling strategy was required.
Furthermore, the case studies identify different styles of specification tha t can be applied 
to SVA4VHDL models, from traditional safety and liveness specifications to the use 
of fault injection processes. Fault injection requires the exchanging of definitions of a 
model’s components so tha t faults can be detected. If all specifications are met, the 
hardware designs meet their original requirements, providing the high confidence levels 
required for safety critical systems.
Acknowledgem ents
When I originally decided to undertake a PhD, I realise now that I really did not know 
what was involved, and to what degree it would test my sanity and mettle. Certainly 
I could never have managed to get this far without the support provided by my friends 
and family. I would specifically like to acknowledge the following people, who, each in 
there own different ways, have suffered with me, and kept me going when I wanted to 
throw it all in.
In the most forlorn moments during this challenging time in my life, two mottos have 
stuck by me: “There’s always buns the next day.” , and “Don’t let the buggers grind 
you down” . These could only have come from my parents, two people whom, without, I 
would never have made it to this point. Their love and support through these additional 
five years of student life have ensured my sanity. Their unwavering belief in my abilities, 
allowing me to walk my own path, but always being there to help me back up when I 
stumbled, is something for which I will forever be indebted. And of course, my eternal 
gratitude to them  for putting up with my status as a student for nearly nine years.
My thanks to my dear friend Chris Culnane for listening to my continuous rants and 
providing me with a rational view on the expectations on life as a PhD student. His 
patience was worthy of Job when providing a fountain of knowledge and aid with Java. 
But oh so much more, his continued, unwavering friendship, making sure tha t random 
conversation and banter were always available over a pint of Guinness and th a t a ‘relaxing’ 
Xbox360 racing session (which he inevitably won) was to hand.
I cannot but thank my supervisors: Helen Treharne for her patience, constructive criti­
cism and drive, and supplying me with a beer in the most stressful of weeks; and Steve 
Schneider for his logical view on life, and his continued support and advice. I must apol­
ogise to them  both for subjecting them to my weird, and if I do say so myself, wonderful, 
thought patterns; neither ever quite understanding how I arrived at my conclusions, but 
helping me reform and formalise them so others could.
Thanks, must of course go, to Neil Evans for his external support, ensuring the research 
had industrial relevance, and to AWE pic. and the University of Surrey for investing 
in my post-graduate education. I would also like to thank Bill Roscoe for his time in 
explaining the finer points of analysis using FDR.
To my sister, Sara, I thank her for an unending supply of amazing brownies and cakes, 
and always providing a clever quip, ensuring I laughed whenever it is most inappropriate. 
Then there is Small Dog and Squeaky, for always greeting me with more excitement than 
I can ever believe possible, always reminding me that life must involve some stupidity 
and th a t there is always time for fun.
Lastly, but by no means least, my thanks to another dear friend, Tom Lincoln, for the 
sanity breaks involving fixing or modifying Landrovers, and for the random Internet links 
at two am; whilst never relevant, they were nonetheless always fascinating.
I think, in summary, a quote from Douglas Adams best summarises my PhD experience: 
“I may not have gone where I intended to go, but I think I have ended up where I needed 
to be” . W ithout you all, the fruition of this thesis would never have been possible, from 
the bottom  of my heart I thank you.
vi
Contents
C ontents v i
List o f Figures xii
List o f Tables xv ii
1 In troduction  1
1.1 Motivation ............................................................................................................... 1
1.2 Overview of T h e s is .................................................................................................. 2
1.3 Thesis S t r u c tu r e .....................................................................................................  5
2 Languages 7
2.1 V H D L ........................................................................................................................  8
2.1.1 VHDL Concepts and B ehaviour............................................................... 9
2.1.2 VHDL Syntax .............................   10
2.1.3 Running Example: Candy P u z z le ............................................................. 15
2.1.4 Behavioural M o d e l................. ....................................................................  2 2
2.1.5 Com pilation...................................................................................................  24
2.2 VHDL A nalysis .........................................................................................................  25
2.3 C S P ............................................................................................................................ 27
2.3.1 G ra m m a r ......................................................................................................  28
2.3.2 S em an tics ......................................................................................................  29
2.3.3 Running Example: Candy Puzzle: CSP A p p r o a c h ............................  31
2.3.4 Specifications................................................................................................ 32
2.3.5 C o m p ress io n ................................................................................................ 33
vii
Contents
3 Literature R eview  35
3.1 Introduction to Code C o v e ra g e .......................................................................... 36
3.2 Formal Language E m b e d d in g .............................................................................  37
3.3 Explicit Model C hecking ....................................................................................... 37
3.4 Symbolic Model Checking (S M C )....................................................................... 39
3.5 Theorem P ro v in g ....................................................................................................  41
3.6 Hardware Coverage................................................................................................. 44
3.7 Our A pproach............................................................................................................ 45
4 Shared Variable A nalyser 47
4.1 The SVA S y n ta x .....................................................................................................  48
4.1.1 SVA Process .............................................................................................  48
4.1.2 The Cmd Datatype ................................................................................  49
4.1.3 The lExpr D a ta ty p e ................................................................................  49
4.1.4 BExpr D a ta ty p e ........................................................................................ 30
4.1.5 SVA Process E x a m p le ..............................................................................  50
4.1.6 Running Example: Candy Puzzle: SVA Approach ............................  51
4.2 Compilation F low ......................................................................................................  52
4.3 The SVA Compiler F u n c tio n s .............................................................................  52
4.3.1 A n a ly s e ........................................................................................................ 53
4.3.2 C om pileL ist.................................................................................................  55
4.4 Compilation S tra teg ies ........................................................................................... 56
4.4.1 Uncompressed Compile M e th o d s ........................................................... 56
4.4.2 SVA Compression Strategies .................................................................  59
4.4.3 SVL System D escrip tion ...........................................................................  60
4.5 Tailoring SVA for Hardware Models .................................................................. 61
5 A ugm enting SVA to  D efine a Single V H D L  C om ponent 63
5.1 A VHDL Stabilisation Model for S V A ..........................................   64
5.2 VHDL Signals as CSP P ro c e s s e s .......................................i ............................. 6 6
5.2.1 Defining a Dynamic VHDL Signal CSP P ro cess .................................. 71
5.2.2 Incorporating VHDL Signals in the SVA C o m p ile r ...........................  74
Contents ix
5.3 Modelling VHDL Sensitivity Lists for SV A .......................................................  75
5.4 Augmenting the SVA Compiler to Analyse VHDL P rocesses....................... 77
5.4.1 Adding SVA S y n t a x ................................................................................... 77
5.4.2 Altering SVA Compile F u n c tio n s ............................................................ 80
5.4.3 Compiling SVA4VHDL ............................................................................  83
5.5 Translating VHDL to SV A 4V H D L ....................................................................  85
5.5.1 S ignals............................................................................................................. 85
5.5.2 T y p e s ............................................................................................................. 8 6
5.5.3 E n t i t y ............................................................................................................. 8 6
5.5.4 Architecture ................................................................................................ 87
5.5.5 P r o c e s s .........................................................................................................  8 8
5.5.6 Sequential S ta te m e n ts ...............................................................................  89
5.5.7 E xpressions................................................................................................... 91
5.5.8 O p e ra to rs ......................................................................................................  92
5.6 Running Example: Candy Puzzle: SVA4VHDL A p p ro a c h .......................... 93
6 V H D L  C om ponents in SV A4V H D L 97
6.1 An Illustrative E x a m p le ........................................................................................ 97
6.2 A VHDL Hierarchical Stabilisation M o d e l .......................................................  99
6.3 Scaling S V A 4V H D L ................................................................................................. 101
6.3.1 Flattening a VHDL Component Before T ransla tion .............................. 102
6.3.2 Individual Compilation ............................................................................... 103
6.3.3 Behavioural Component Com pilation........................................................ 104
6.3.4 Defining a Hierarchical Structure within SVA4VHDL........................... 105
7 D efin ing a H ierarchical Structure for SV A 4V H D L 107
7.1 Adding a Component Parameter to SVA4VHDL Generated CSP Channels 108
7.2 Capturing Multi-Component VHDL Systems in SVA4VHDL.......................... 109
7.3 Compilation Framework for Hierarchical S tru c tu re s .......................................... 114
7.4 Translation Technique for a Hierarchical S t r u c tu r e .......................................... 115
7.5 Running Example: Candy Puzzle: SVA4VHDL Components Approach . . 121
7.6 Automated Translation from VHDL to SVA4VHDL .......................................124
7.6.1 VHDL P a r s e r ...................................................................................................124
7.6.2 VHDL to SVA4VHDL Java T ra n s la to r ..................................................... 126
7.6.3 Tool r e s t r ic t io n s ............................................................................................ 126
X Contents
8 D efin ing H ierarchical C om pilation 129
8.1 Extracting SVA4VHDL Processes From a Hierarchical S t r u c tu r e ............. 130
8.2 Compiling SVA4VHDL P ro cesses ........................................................ ................1 3 2
8.3 A Second Hierarchical Structure ...........................................................................1 3 2
8.4 Re-Applying an SVA4VHDL Hierarchical S tru c tu re .......................................1S4
8.4.1 Mapping VPMap to VCPMap ..............................................................I 3 3
8.4.2 Mapping VRTL to V C R T L .................................................................... I 3?
8.4.3 Mapping VProc to V C P ro c .................................................................... I 3?
8.4.4 Generating a Component Stabilisation and Signals Process . . . .  138
8.5 Composing VCStruct Defined S y s tem s ..............................................................1 4 0
8 . 6  Applying a Suitable Compression T echnique....................................................1 4 2
8.6.1 Removing D iv e rg e n c e ................................................................................. 1 4 2
8.7 Running Example: Candy Puzzle: Generated CSP M o d e l ..............................I 4 4
9 Case Study: Traffic Lights l 4 ^
9.1 O v e rv ie w ..................................................................................................................
9.1.1 System R e q u ire m e n ts ..................................................................................14^
9.1.2 A Single Traffic Light C o n tro lle r ............................................................... 1 4 9
9.1.3 Connecting Traffic Lights Controllers........................................................ 150
9.2 CSP Specifications................................................................................................. I 3 3
9.2.1 Requirement 1  ................................................................................153
9.2.2 Requirement 2 ..........................................................................................154
9.2.3 Requirement 3 .......................................................................................... 155
9.3 An SVA4VHDL R epresen tation ..............................................................................156
9.3.1 Model V erifica tio n .......................................................................................156
9.4 An Alternative Model: Using the dd A p p ro a c h ............................................. 160
9.4.1 The dd A pproach .......................................................................................... 161
9.4.2 A dd R epresen tation ................................ 162
9.4.3 Verifying the Case Study P ro p e r t ie s ....................................................... 163
9.5 EDA A nalysis.............................................................................................................. I 6 3
9.5.1 Case Study Test Bench .............................................................................. 169
9.5.2 PSL A sse rtio n s ....................................................................................... 1 • I 6 9
9.5.3 EDA A nalysis..................................................................................................l ^ 2
9.6 D iscussion..................................................................................................................... -*-74
Contents xi
10 Case Study: B u ilt-In  Self Test 177
10.1 O v e rv ie w ..................................................................................................................... 178
10.1.1 System Requirements ................................................................................. 181
10.1.2 VHDL R ep resen ta tion ................................................................................. 181
10.2 Testing the Design Using Questa Advanced S im u la to n ....................................182
10.2.1 Verification M eth o d o lo g y ...........................................................................182
1 0 .2 . 2  Coverage ........................................................................................................ 185
10.3 A SVA4VHDL Model ................................................................  188
10.3.1 CSP R equirem ents....................................................................................... 190
10.4 D iscussion..................................................................................................................... 194
11 D iscussion  197
11.1 Future Work ............................................................................................................. 200
A ppendices 205
A  A  Transform ation Fram ework for th e  dd Approach 205
B  Case S tudy 1: A  dd R epresentation  211
C Case S tudy 2: AW E B u ilt-In  Self Test V H D L  C ode 215
C .l Case Study 2: LFSR VHDL C o m ponen t............................................................. 216
C.2 Case Study 2: TL_LFSR VHDL Component ....................................................216
C.3 Case Study 2: FSM JLFSR VHDL Component ................................................ 217
C.4 Case Study 2: BISTJRAM VHDL C o m p o n e n t................................................ 219
C.5 Case Study 2: BIST_IO VHDL C o m p o n en t.......................................................219
C . 6  Case Study 2: BISTJFSM  VHDL C om ponent....................................................222
C.7 Case Study 2: TL_BIST VHDL C om ponent.......................................................223
C . 8  Case Study 2: Broken LFSR VHDL Component ............................................. 225
D  Case S tudy 2: AW E B uilt In Self Test SV A 4V H D L C ode 227
D .l Case Study 2: LFSR SVA4VHDL C om ponent....................................................228
D.2 Case Study 2: TL_LFSR SVA4VHDL C o m p o n e n t .......................................... 230
D.3 Case Study 2: FSM JLFSR SVA4VHDL C o m p o n e n t .......................................230
xii Contents
D.4 Case Study 2: BISTJRAM  SVA4VHDL C o m p o n e n t.......................................232
D.5 Case Study 2: BIST J O  SVA4VHDL C om ponen t............................................. 233
D . 6  Case Study 2: B IS T J'S M  SVA4VHDL C om ponent.......................................... 240
D.7 Case Study 2: T J3 IS T  SVA4VHDL C o m p o n e n t ............................................. 241
E V H D L  to  SV A 4V H D L Java Tool C lass D iagram  245
Bibliography 257
G lossary 259
Acronym s 263
List of Figures
1.1 The SVA4VHDL Framework .............................................................................  4
2.1 Gajski-Kuhn Y -c h a rt.........................................................................................  9
2.2 Uniform Candy Distribution Puzzle...................................................................  16
2.3 Uniform Candy Distribution Puzzle: VHDL Child Component ................  17
2.4 Uniform Candy Distribution Puzzle: VHDL Teacher C o m p o n e n t............. 19
2.5 Uniform Candy Distribution Puzzle: VHDL Monitor C o m p o n e n t............. 20
2.6 Uniform Candy Distribution Puzzle VHDL Hierarchy .................................. 21
2.7 Uniformed Candy Distribution Puzzle: VHDL Composition Component . 23
2.8 VHDL behavioural model .  .............................................................................. 24
2.9 A VHDL testbench framework ..........................................................................  25
2.10 A CSP representation of the Uniform Candy Distribution P u z z le ........  32
2.11 CSP specification for Uniform Candy Distribution Puzzle stabilisation . . 33
2.12 Visualisation of the CSP chase compression te c h n iq u e ...........................  34
4.1 SVA constructs defined as CSP d a ta ty p e ...................................................... 49
4.2 SVA integer expressions defined as CSP d a ta ty p e .....................................  50
4.3 SVA boolean expressions defined as CSP d a t a t y p e ..................................  50
4.4 A simple SVA p r o c e s s ......................................................................................  51
4.5 An SVA representation of the Uniform Candy Distribution Puzzle . . . .  51
4.6 SVA compilation flow ...........................................................................................  53
4.7 Returned sets from applying Analyse to process P ( ) ............................... 54
4.8 Returned sets from applying Analyse to process Child(l) in Figure 4.5 . . 55
4.9 SVA hierarchical s tru c tu re ................................................................................ 57
xiii
xiv List o f Figures
4.10 SVA CompileStructure fu n c tio n ...........................................................................
4.11 SVA compression visualisation ........................................................................... 59
4.12 An SVL representation of Child p r o c e s s ..........................................................  61
5.1 Our VHDL stabilisation m o d e l ........................................................................... 64
5.2 VHDL stabilisation model in CSP ....................................................................  65
5.3 VHDL input signal state m ach ine.......................................................................  67
5.4 VHDL output signal state m ac h in e .......................................... ...................... ... 6 8
5.5 VHDL internal signal state m a c h in e .................................................................  70
5.6 Generalised VHDL signal (without iveval e v e n ts ) ..........................................  71
5.7 ReadVAR state m ach in e ........................................................................................ 72
5.8 CSP process definition for IntSigPre(id, range, v , c h ) .................................... 73
5.9 CSP composition process IntSIG (id, range, v , c h ) ..........................................  75
5.10 Capturing sensitivity list behav iour....................................................................  75
5.11 VHDL sensitivity list behaviour defined in C S P .............................................  76
5.12 The SVA4VHDL a rc h ite c tu re .............................................................................. 78
5.13 Use of the VHDLProc o p e ra to r ........................................................................... 78
5.14 Pattern  matching functions on Step .  .........................................................  79
5.15 Pattern  matching functions on V H D L Proc......................................................  80
5.16 A fragment example of a VHDL system written in S V A .............................  81
5.17 O utput of Analyse w.r.t. process P A Q .............................................................. 81
5.18 The set Alpha as defined within V H D L A nalyse ............................................  82
5.19 The set L I  as defined within V H D LA nalyse ...................................................  82
5.20 O utput of VHDLAnalyse w.r.t. process P A Q ................................................. 83
5.21 SVA4VHDL compilation f lo w .............................................................................. 84
5.22 CSP model structure for SVA4VHDL system P S y s ' .......................................  85
5.23 Uniform Candy Distribution Puzzle: SVA4VHDL Child t r a c e .................... 95
6.1 VHDL component port m a p p in g .......................................................................  98
6.2 VHDL description of components compA and com pB .................................... 98
6.3 VHDL port mapping of compA and compB descrip tion................................. 99
6.4 Stabilisation models for compA and c o m p B .................................................... 99
List o f Figures XV
6.5 Stabilisation model for compC ......................  100
6 . 6  State machine of VHDL component stabilisation model .................................101
6.7 Simple VHDL component configurations..............................................................101
6 . 8  Flattened VHDL component c o m p C ...................................   102
6.9 Individual compilation of VHDL c o m p o n e n ts .................................................... 104
6.10 Combined compilation of VHDL c o m p o n e n ts .................................................... 106
6.11 Hierarchical compilation of VHDL components . . .  ....................................106
7.1 Adding a component param eter to the MainProc process ............................. 109
7.2 Translation and compilation workflow of VHDL multi-component systems 114
7.3 Visual representation of the workflow show n....................................................... 115
7.4 VHDL architecture, statement part, translation pattern  v2............................ 116
7.5 VHDL architecture, statement part, translation pattern  v2 (continued) . . 117
7.6 VHDL architecture, statement part, translation pattern  v2 (continued) . . 118
7.7 generateComponentProcess fu n c t io n ........................................................... 120
7.8 generatelORenamings f u n c t io n .............................................................................. 120
7.9 translatePortM appings fu n c tio n .............................................................................. 122
7.10 External API dependencies graph for the SVA4VHDL Java translation . . 125
7.11 SVA4VHDL Java translation tool dependency g r a p h ....................................... 127
8.1 Transition stages during compilation of SVA4VHDL component systems . 130
8.2 VFlatten pattern  matching fu n c tio n s .....................................................................131
8.3 Visualisation of ‘pushing down’ renaming in fo rm a tio n .................................... 134
8.4 Base case VUnFlatten function for VPMap c o n s tru c ts .................................... 136
8.5 General case VUnFlatten function for VPMap constructs ............................. 137
8 . 6  VUnFlatten function for VProc c o n s tru c ts ...........................................................137
8.7 MakeComponentSignals process  .....................................................................139
8 . 8  VSPA function for composing a hierarchically compiled SVA4VHDL system 141
8.9 ComponentOverlord p ro cess .....................................................................................143
8.10 A CSP trace from our running example as d e f in e d ...........................................145
9.1 A single traffic light controller FSM .....................................................................148
9.2 The traffic light system ........................................................................................... 149
xvi List o f Figures
9.3 Case Study 1: A VHDL traffic lights c o n tro lle r ............. ................................ 151
9.4 Traffic light controller h ierarchy ...........................................................................152
9.5 VHDL traffic lights system ................................................................................. 152
9.6 Traffic lights requirement 1 (safety property) .................................................153
9.7 Traffic lights requirement 2 (priority property) ............................................. 154
9.8 Traffic lights requirement 3 (liveness property) ............................................. 155
9.9 SVA4VHDL translation of the first instance of Figure 9 . 3 ...............................157
9.10 SVA4VHDL translation of Figure 9 .5 .................................................................... 158
9.11 SVA additional defined values for Figure 9 .5 ....................................................159
9.12 Evans CSP| |B architecture for VHDL ..............................................................161
9.13 Stabilisation notification process for the dd ap p ro ach ................................ ... 162
9.14 A VHDL to dd style CSP model transformation fra m ew o rk .......................163
9.15 A dd CSP model of a single traffic lights c o n tro lle r .......................................... 164
9.16 A dd CSP model of a single traffic lights controller ( c o n t.) ............................... 165
9.17 Traffic lights dd requirement 1 (safety property) .......................................... 166
9.18 Traffic lights dd requirement 2 (priority p roperty )............................................. 167
9.19 Traffic lights dd requirement 3 (liveness p roperty )............................................. 168
9.20 Testbench with s tim u li...........................................................................................170
9.21 PSL a s s e r t io n s ........................................................................................................171
9.22 Waveform to 7 0 0 n s ................................................................................................. 173
9.23 State coverage m e tr ic s ..............................................................................................174
9.24 Transition coverage m e t r ic s .................................................................................... 175
9.25 Branch and total coverage m e t r i c s .........................  175
10.1 Built In Self Test hierarchical design s tru c tu re ....................................................178
10.2 BIST internal logic test b e h a v io u r ....................................................................... 179
10.3 BIST Input Output test b e h a v io u r ....................................................................... 180
10.4 RAM state coverage v isualisa tion .......................................................................... 186
10.5 Branch coverage metrics for the BIST_FSM, BIST_IO, and FSM_LFSR 
c o m p o n en ts ................................................................................................................. 186
10.6 10 state coverage visualisation ..............................................................................187
10.7 Statement coverage m e t r ic s .................................................................................... 188
List o f Figures xvii
10.8 Invalid LFSR SVA4VHDL definition for falsification verification....................192
10.9 RAMSpec: RAM test sp e c if ic a tio n ........................................................................193
10.10CSP I/O  fault injection p ro c e ss .............................................................................. 193
10.1110Spec: I/O  test specification..................................................................................194
10.12BIST verification refinement a ssertions................................................................. 195
A .l ETL VHDL2CSP transformation of a VHDL process to 2 CSP processes . 206
A.2 ETL VHDL2CSP ConstructProcess o p e ra tio n ..................................................207
A.3 ETL VHDL2CSP ConstructPrime opera tion ..................................................... 208
A.4 ETL VHDL2CSP Transformation Pre b lo c k .....................................................208
A.5 VHDL M eta-M odel.....................................................................................................209
A . 6  CSP M eta-M odel........................................................................................................ 210
xvm List o f Figures
List of Tables
5.1 T P i: VHDL entity translation p a t t e r n ..............................................................  87
5.2 T ? 2 : VHDL architecture, declarative part, translation p a t t e r n ...................  87
5.3 TPg: VHDL architecture, statement part, translation p a t t e r n .....................  8 8
5.4 T P 4 : VHDL process translation p a t t e r n ........................................................... 89
5.5 T P 5 : VHDL sensitivity list translation p a t t e r n .............................................. 89
5.6 TPg: VHDL assignment translation p a t t e r n ....................................................  90
5.7 T P 7 : VHDL If statement translation p a t t e r n .................................................  90
5.8 TPg: VHDL case statement translation p a t t e r n .............................................. 91
5.9 TPg: VHDL expression translation p a t t e r n ....................................................  92
5.10 T P iq: VHDL operator translation p a t t e r n ........................................................ 92
6.1 Truth table for c o m p A ........................................................................................... 98
6.2 Truth table for c o m p B ........................................................................................... 98
7.1 Possible combinations for port m app ings.............................................................. 121
7.2 Code metrics for our VHDL to SVA4VHDL Java t r a n s la to r .......................... 127
9.1 SVA4VHDL verification t i m e ..................................................................................160
9.2 dd compilation and requirement verification t i m e ..............................................167
10.1 BIST report c o d e s ..................................................................................................... 181
10.2 VHDL process, instantiated components, and signal d is t r ib u t io n ................ 182
10.3 Required memory and compilation time for the BIST with the increase of
I /O ...................................................................................................................... 189
10.4 Required memory and compilation time for the BIST with the increase of 
LFSR blocks ...............................................................................................................190
xix
XX List o f Tables
10.5 SVA4VHDL process and signal d is tr ib u t io n ....................................................... 191
10.6 BIST verification t i m e .............................................................................................. 194
D .l Location identification for VHDL to SVA4HDL BIST components . . . .  227
D.2 SVA4VHDL and VHDL component representation as lines of code . . . .  228
Chapter 1
Introduction
Formal model checking provides mathematical rigour to verification over the full state 
space of a system, not only providing assurance th a t system requirements are met, but 
tha t the system also does not exhibit any unwanted behaviour. This thesis focuses 
on using formal model checking techniques as an approach for verifying properties of 
hardware systems. We use the process algebra Communicating Sequential Processes 
(CSP) [51,83,88], to model a Very High Speed Integrated Circuit (VHSIC) Hardware 
Description Language (VHDL) [70,99] hardware design and verify required system prop­
erties.
VHDL is a mature, widely used development language, applied throughout the hardware 
development cycle, from design to implementation, and encompasses a large language 
syntax. The developed systems are validated using testbenches tha t observe the design, 
given a scenario, and assert properties over the system for the given stimuli over a specified 
time. As systems become more complex, these testbenches become more elaborate.
1.1 M otivation
Hardware systems used within safety critical industries, including nuclear and aerospace, 
require assurance th a t the systems developed meet the system requirements and do not 
exhibit unwanted behaviour. Providing such assurance over complex VHDL systems re­
quires as much, if not more effort, to develop and execute suitable simulation scenarios 
as the original development of the hardware systems themselves. Even then, these simu­
lations are restricted to only the stimuli identified and may not assess the entire system, 
leaving corner cases within the design unexplored.
1
2 Chapter 1. Introduction
There are two distinct approaches within formal methods: model checking, and theorem 
proving. Theorem proving often requires intensive interaction to provide assumptions and 
linking invariants to fully verify a system. By contrast, model checking is an automated 
approach. Explicit model checking is often inhibited in verifying large systems, as the 
full state space of the system must be analysed and avoiding state space explosion is an 
important issue when model checking real world systems.
Formal methods have been applied within many safety critical domains to provide as­
surance about a system design, including the hardware domain [10,20,32,93]. However, 
such assurance is difficult to provide for complex systems and often results in the abstrac­
tion of design detail. This design detail is often essential when determining where errors 
lie within the design. W ithin this thesis we are motivated to explore the use of model 
checking for the analysis of VHDL hardware descriptions using an optimised hierarchical 
CSP model.
1.2 O verview of Thesis
A formal approach, by our industrial sponsors Atomic Weapons Establishment (AWE) 
pic., for hardware verification of VHDL had been proposed by Evans in [35]. VHDL 
designers produce systems from several small combinatorial blocks and therefore since 
CSP is a formal approach based on the composition of processes, AWE have proposed 
an approach based on CSP. This was the given starting point of the research by our 
sponsors. Our research began with an evaluation of the scalability of this approach. Upon 
evaluating this approach the requirement for a more scalable hierarchical methodology 
within the domain of CSP became evident. Thus, the focus of the research in this thesis 
was to identify a more optimised approach to using CSP for the verification of VHDL.
The work presented in the thesis is based on Roscoe’s Shared Variable Analyser (SVA) [82] 
compiler, which enables verification of threaded architectures. Roscoe’s SVA compiler 
focuses on optimising generated CSP for use in the model checking tool Failures Diver­
gences Refinement (FDR.) [38].
SVA contains both behavioural and hierarchical definitions that identify it as a suitable 
starting point to model VHDL descriptions:
• SVA models threads, interleaved with continuous read and write events, to global 
shared variables. This is analogous to the behaviour of VHDL processes interacting 
with VHDL signals.
1.2. Overview o f Thesis 3
• SVA shared variables are compiled as CSP processes; these processes are simple 
processes tha t allow the variable to be written to and read from, so th a t they can 
be composed with other CSP processes, which capture the behaviour of the system.
• The hierarchical compilation approach taken within SVA lends itself towards a 
VHDL hierarchy. Hence, the foundation for capturing the VHDL component com­
position hierarchy design already exists.
• SVA is written in such a way tha t it generates optimal hierarchical models for 
analysis in FDR.
As a result of the research work, we developed a new augmented SVA compiler, Shared 
Variable Analyser for VHDL (SVA4VHDL), which correctly captures the behavioural 
and hierarchical aspects of VHDL. This representation of the behavioural and hierar­
chical aspects implemented reflects the approach to system exploration taken by VHDL 
simulation tools such as ModelSim [44] and Questa [45]. The development of the compiler 
provides the first two contributions of the thesis:
A d a p tin g  th e  SVA com pile r to  m o d el a  V H D L  c o m p o n en t we identify a novel 
approach for translating a subset of the VHDL syntax to a bespoke CSP compiler 
we call SVA4VHDL. SVA4VHDL utilises the optimisation techniques employed 
within Roscoe’s SVA compiler, whilst correctly modelling the VHDL stabilisation 
model.
Scaling  th e  SV A 4V H D L com pile r to  m o d e l h ie ra rch ica l V H D L  sy s te m s  the 
approach to modelling VHDL within our SVA4VHDL compiler is expanded to cor­
rectly capture the hierarchical structures within VHDL descriptions. We present 
a novel approach to modelling multiple component VHDL systems th a t not only 
captures the hierarchical structure defined by the system designer, but also applies 
an optimal approach to composition. The SVA4VHDL compiler uses an intermedi­
ary notation to represent VHDL descriptions that can be used to generate efficient 
CSP models ‘on-the-fly’ within FDR.
These contributions provide the foundations for being able to define a framework for 
verifying VHDL systems using FDR based on our new SVA4VHDL compiler. Figure 1.1 
depicts the framework and illustrates tha t the compiler is central to the framework.
The framework requires two inputs, a description of a Register Transfer Level (RTL) 
VHDL system, and a manually defined CSP specifications derived from associated system
4 Chapter 1. Introduction
Requirements SPEC
FDR2
SVA4VHDL
Compiler
Counter
Example'  JAVA x  
Translator
SVA4VHDL
ModelVHDL Component
Figure 1.1: The SVA4VHDL Framework
requirements. These are provided as VHDL descriptions and a CSP script respectively. 
In order to formally analyse the VHDL descriptions they first need to be converted into 
the SVA4VHDL compiler input language, since we have already stated above tha t the 
SVA4VHDL uses an intermediary notation. Thus, an additional contribution of the thesis 
is a Java translation tool which translates the VHDL description of a system into the 
compiler’s notation.
Then the following three CSP scripts:
• user defined CSP scripts capturing the properties of a particular system,
• our SVA4VHDL compiler,
• SVA4VHDL model of a VHDL system generated by the Java translator,
are passed to FDR to support the formal analysis of a VHDL system against system 
properties. FDR analysis can then return counter examples, as CSP traces, to inform 
the user of any assertion violations discovered.
Note that the scope of the work presented within this thesis does not include timed 
analysis. W hilst this is used heavily when performing testing of hardware simulations, 
we are more interested in the design of the system and its behavioural requirements. 
These timing constraints are usually dependent on the hardware chosen and not the 
behaviour of the system.
Since the safety properties of a hardware system will need to be described in terms of 
CSP safety specifications, the framework does not remove the need for formal expertise 
when analysing VHDL descriptions using SVA4VHDL. Expertise is still required when 
defining specifications from requirements to verify system properties, and in interpreting
1.3. Thesis Structure 5
any counter examples that may result in formal analysis. This is indicated by the dashed 
lines on the diagram. We discuss the possibility of providing a round trip engineering 
solution of the counter examples in future work, but the automatic extraction of system 
properties is out of scope.
The third contribution enables us to evaluate the framework and the formal analysis 
approach using case studies:
E valuating SV A 4V H D L m odels o f V H D L  system s through tw o case stud ies
This evaluation provides three outcomes. Firstly, it enables us to evaluate the scal­
ability and limitations of our SVA4VHDL approach. In particular, it allows us to 
identify: any limitations tha t are introduced due to the Java translation, or tha t 
are due to the subset of VHDL that is supported by our SVA4VHDL compiler, 
or tha t are due to the ability to model check the CSP models produced by our 
compiler in FDR. Secondly, through the first case study, we illustrate tha t the eval­
uation of the approach proposed by Evans [35] for modelling VHDL using CSP is 
not appropriate for modelling real world systems, justifying the need to identify 
a new approach. Finally, we evaluate the limits of the compiler as compared to 
traditional EDA tools in terms of the analysis tha t can be achieved.
1.3 Thesis Structure
In Chapter 2 we provide a background into the syntax subset of VHDL that we use 
throughout the thesis. The chapter also identifies the behavioural concepts within the 
VHDL language th a t we use, and reviews the common approach to evaluating hardware 
designs using Electronic Design Automation (EDA) tools. We also provide a detailed 
introduction to CSP, its semantic models, and compression techniques of interest.
We review, in Chapter 3, previous research concerning the formal embedding of the 
semantics of VHDL, and various formal techniques applied to the analysis of hardware 
models. Chapter 4 provides a detailed background to the SVA methodology, which 
forms the basis of this thesis and identifies the aspects of the SVA compiler th a t require 
significant adaptation for our application domain.
Chapter 5 documents our first contribution, which is to provide an initial CSP formal 
analysis tool for simple VHDL descriptions. The chapter contains a detailed discus­
sion of VHDL signal behaviour in CSP. The subsequent chapters, Chapters 6 , 7, and 8 ,
6 Chapter 1. Introduction
build upon the initial formal analysis tool and describe an approach to modelling hierar­
chical VHDL composed of multiple components. The resulting tool is referred to as the 
SVA4VHDL compiler. Chapter 7 also discusses the Java tool support which allows VHDL 
descriptions to be automatically translated into the input language of the SVA4VHDL 
compiler.
Our approach is evaluated through two case studies, detailed in Chapters 9 and 10, to 
form the third contribution of the thesis. These case studies provide an opportunity to 
place our research in an industrial context through comparison of their analysis within 
EDA tools. The results of the chapters illustrate the importance of producing models 
that are tailored to promote the use of the implicit compilation functions in FDR, a focal 
point in the contribution of our compiler, thus enabling the analysis of larger models.
The evaluation of Evans’ methodology [35] is also discussed in Chapter 9. In fact, it 
was the starting point of our research work and we demonstrate tha t the methodology 
is not scalable. The presentation of Evans’ methodology is included in Chapter 9, and 
not earlier in the thesis, because a detailed appreciation of what is required of a CSP 
technology to provide a scalable approach is required beforehand. Thus, the main flow 
of the thesis focuses on the new compiler, and the contribution which demonstrates the 
unsuitability of an existing approach follows the presentation of tha t compiler.
The discussion in Chapter 11 provides further reflection on the applicability of our 
SVA4VHDL compiler for hardware verification and identifies directions for future re­
search.
Publications
J. Sharp, H. Treharne, and S. Schneider. Assessing the applicability of SVA in analysing 
VHDL models. ECEASST, 36, 2011. Automated Verification of Critical Systems, 2011.
Chapter 2
Languages
The purpose of this chapter is to identify the source and target language tha t form 
the foundation of this thesis. The hardware design language Very High Speed Integrated 
Circuit (VHSIC) Hardware Description Language (VHDL) [99,106] is the source language 
and the process algebra Communicating Sequential Processes (CSP) [51], the target 
language. The structure of this chapter is as follows:
Section 2.1 identifies the basis of VHDL, and the core concepts of the language and its 
behavioural characteristics are discussed in Section 2.1.1. Section 2.1.2 identifies the 
subset of the VHDL language used in this thesis. Section 2.1.3 introduces the Uniform 
Candy Distribution Puzzle [18] and a VHDL representation is given in Sections 2.1.3 and 
2.1.4. Section 2.1.5 identifies the typical method of compilation of VHDL designs.
Section 2.2 identifies the main method for validating and exploring VHDL designs, and 
discusses some of the features available within industrial tools.
In Section 2.3 the process algebra, CSP is introduced and its grammar is described in 
Section 2.3.1. The relevant semantic models used within this thesis are then discussed in 
Section 2.3.2 before the language is illustrated, in Section 2.3.3, using the Uniform Candy 
Distribution Puzzle. The chapter concludes by elaborating on the use of specifications 
within CSP and describing a compression technique tha t has proved necessary within 
our work, in Sections 2.3.4 and 2.3.5 respectively.
7
8 Chapter 2. Languages
2.1 V H D L
Hardware systems are becoming ever more complex, with the increasing number of gates 
and registers within a single Application Specific Integrated Circuit (ASIC) or a Field 
Programmable Gate Array (FPGA). It is, therefore, not realistic to design large hardware 
systems in terms of a sequence of logic gates. Instead, Hardware Design Languages 
(HDLs) such as VHDL and Verilog are used to develop hardware systems. Typically, large 
hardware systems are defined in terms of smaller VHDL components tha t are combined 
in an appropriate hierarchy.
The choice of VHDL over Verilog is generally down to personal preference or an industrial 
decision, as both are well developed and supported by industrial strength Electronic 
Design Automation (EDA) tools. Comparisons of the two Hardware Design Language 
(HDL) languages have been made in numerous articles [92], [9], and [63]. This thesis 
focuses on VHDL as opposed to Verilog, for the primary reason that the sponsor of the 
PhD, Atomic Weapons Establishment (AWE) pic., works primarily with VHDL.
VHDL is a semi formal language, defined as the IEEE 1076 standard [70]. There have 
been several iterations of IEEE 1076 noting changes to the language and identifying 
additional functionality. Each of these iterations: 1076-1987, 1076-1993, 1076-2000, 1076- 
2002, 1076-2008 are given using an Extended Bacus-Naur Form (EBNF) to define the 
VHDL syntax, along with accompanying textual descriptions and examples to illustrate 
the behaviour of the language, which are defined in the VHDL Language Reference 
Manual (LRM) [70]. For this thesis we focus on IEEE 1076-1993, as this is the most 
widely supported version of the language and again the version used by the PhD sponsor.
The VHDL language aims to encompass development of hardware systems throughout 
the different design levels and domains, identified by Gajski-Kuhn [39]; these design levels 
are depicted in the Gajski-Kuhn chart given in Figure 2.1.
VHDL is a large language that aims to allow development of hardware systems throughout 
these levels. In this thesis we focus on the Register Transfer Level (RTL) since we are 
interested in analysing behavioural designs that are suitable for synthesis.
W ithin this section we identify the subset of the VHDL RTL language, taken from the 
VHDL LRM [70], used throughout this thesis, illustrate the use of VHDL syntax to 
describe our small running example, and then identify how the VHDL language is defined 
in terms of its behaviour and composition; i.e., its semantics.
2.1. VHDL 9
Behavioural Dprrfain
Systems^ 
AlgorimmsX  ^
Register transfers)^
/  /  togiX^"
' Transfer/functions,
Structural Domain
'rocessors
in sister  layout
ucal partitions
Physical Domain
Figure 2 .1 : Gajski-Kuhn Y-chart 1
2.1.1 V H DL C oncepts and Behaviour
Prior to identifying the syntax and behaviour semantics of VHDL, it is im portant to 
understand some of the basic concepts within VHDL such as how information is passed, 
how processes react, and how systems are composed.
VHDL identifies a signal as a store of information from one state to the next. A port, a 
specialisation of a signal, represents information transfer into and out of a single VHDL 
component. Each port must be associated with a direction tha t specifies the flow of 
information; e.g., m, out or inout. In essence, a signal can be thought of as the wire 
connecting two logic gates, passing a changing value. A signal or port may only ever be 
written to by one VHDL process; this is to avoid race conditions in modelling.
A VHDL design is made up of one or more VHDL components, each specifying the con­
nections between different signals and the logic applied to the values of the signals. Each 
VHDL component file, known as a VHDL description may contain: VHDL processes, 
which capture some behavioural requirements in terms of logical expressions, or VHDL 
component port mappings tha t identify another VHDL component and the mapping of 
its ports to other VHDL components, or a combination thereof.
1 Figure 2.1 courtesy of: h t tp : //w w w .texam ple .net /t ikz/exam ples /gajsk i-kuhn-y-chart/
10 Chapter 2. Languages
The behaviour of a VHDL component is captured as the composition of sequential state­
ments, where a series of sequential statements are defined within a single VHDL process.
A VHDL architecture, the body of a VHDL description, may contain numerous VHDL 
processes, all running simultaneously.
Each VHDL process reacts to changes in the value of the signals to which it is sensitive; 
these are identified as the process’ sensitivity list. The process reacts by executing the 
sequential statements defined within it. Upon completion of execution, the process waits 
for all other processes to finish their current execution and then updates the values of 
any signals it may have changed due to its own execution.
We will discuss the execution cycle of a number of processes in more detail in Section 
2.1.4.
A hardware system is usually driven by a clock, and is used to synchronise processes. 
W ithin this thesis we do not single out the clock signal, and instead treat it as any other 
signal as we are not concerned with timing constraints; the thesis focuses on the design 
level of a VHDL system.
2.1.2 V H DL Syntax
The VHDL LRM [70] identifies a design-entity as representing “ a portion of a hardware 
design tha t has well-defined inputs and outputs and performs a well-defined function” ; 
and that each design—entity is composed of an entity—declaration and a corresponding 
architecture-body.
The VHDL syntax definitions below provide a ‘flattened subset’ of the EBNF, as defined 
in the VHDL LRM [70], making the syntax rules more intelligible for the reader. The 
EBNF syntax shown identifies further restrictions tha t we have applied to the original 
EBNF language definitions to provide a smaller VHDL subset upon which to work. This 
subset does not deal with VHDL syntax such as rec o rd s , loops and c o n fig u ra tio n s , 
often used at the higher level modelling phases of VHDL hardware development. Instead, 
we focus on the VHDL syntax used most commonly used when implementing VHDL 
behavioural components.
E n ti ty  Each VHDL entity provides the interface information for a VHDL component, 
the structure of which is defined within the EBNF entity-declaration:
2.1. VHDL 11
e n t i t y  i d e n t i f i e r  i s  
[ g e n e r i c  ( i n t e r f a c e - c o n s t a n t . d e c l a r a t i o n  
{;  i n t e r f a c e - c o n s t a n t - d e c l a r a t i o n } )  ;]
[p o r t  ( i n t e r f a c e _ s i g n a l _ d e c l a r a t i o n  
{;  i n t e r f a c e _ s i g n a l _ d e c l a r a t i o n } )  ;] 
end  e n t i t y  e n t i t y _ s i m p l e _ n a m e  ;
An entity-declaration enables an entity to contain zero or more port declarations th a t will 
make up a VHDL component’s interface. Furthermore, it will also identify all constants 
used in defining the component. Our restrictions ensure tha t entity_simple_name occurs, 
rather than be an optional value.
C onstants A constant within VHDL is composed of an identifier, a type, and a value. 
The value may be given as a simple value, e.g., ‘O’, or it may be given as an expression 
made from other constant values. The following EBNF defines a constant-declaration:
i d e n t i f i e r  : s u b t y p e - i n d i e  a t  io n  [: =
s t a t i c - e x p r e s s i o n ]
T yp e Each type within VHDL must be clearly defined. Some of these are given in stan­
dard packages, e.g., IEEE .STD —LOGIC—IIQL ALL, where STD —LOGIC  and STD —LO­
G IC -VEC TO R  are identified. VHDL also enables the definition of custom types to be 
used within a hardware component. The EBNF type—declaration describes a type as 
having a name identifier, and a list of enumerated values.
t y p e  i d e n t i f i e r  i s  ( i d e n t i f i e r  { ,  i d e n t i f i e r } )  ;
Signal Interface Signals in VHDL may be internal, ‘signals’, or external, ‘ports’. The 
EBNF signal-interface-declaration can be used to define both:
[ s i g n a l ]  i d e n t i f i e r  : [ in  | o u t  | i n o u t  ] ty p e .m a r k  [ :=  s t a t i c . e x p r e s s i o n ]
The signal—interface—declaration has the option to be appended with the keyword signal 
for defining internal signals. Similarly, for describing ports, the EBNF definition enables 
the direction to be identified. A type-mark provides a reference to a type-declaration, and 
an initial value can also be added to the declaration using the optional static_expression. 
We have removed the option of a buffer from the [in | out | inout] options.
12 Chapter 2. Languages
A rc h ite c tu re  As previously mentioned, a VHDL design^entity contains an archite­
cture-body th a t relates to the entity-declaration of a VHDL component, referred to as 
entitym am e. An architecture—body comprises two sections, the architecture—declarati- 
ve-part th a t contains multiple signal-déclaration and type-declaration constructs, re­
quired in VHDL component design. The architecture-body also contains a set of concur­
rent statements which are the process_statement or component_instantiation_statement. 
This set is known as the architecturestatement-part] this is restricted to a subset of the 
RTL. The EBNF definition for the architecture-body is given as:
a r c h i t e c t u r e  i d e n t i f i e r  o f  e n t i ty _ n a m e  i s  
( t y p e - d e c l a r a t i o n }
{ s i g n a l - d e c l a r a t i o n }
b e g in
{ p r o c e s s - s t a t e m e n t  | c o m p o n e n t - i n s t a n t i a t i o n - s t a t e m e n t  } 
end  a r c h i t e c t u r e  a r c h i t e c t u r e  - s i m p l e  _nam e ;
P ro c e ss  A processstatem ent in VHDL captures some behaviour as a sequence of one 
or more sequential_statements. This contained behaviour occurs when the values of the 
signals identified within the process’ sensitivity list changes. The EBNF definition of 
a processstatem ent is given as:
p r o c e s s _ l a b e l  : p r o c e s s  ( s e n s i t i v i t y _ l i s t  ) i s  
b e g in
{ s e q u e n t i a l - s t a t e m e n t } 
end  p r o c e s s  p r o c e s s _ l a b e l  ;
Each process within our subset of VHDL must have a processHabel, this enables unique 
identification of each process within a VHDL d esig n sn tity .
S e n s itiv ity  L ist The syntax of VHDL specifies th a t a sensitivity Hist is a list of one 
or more VHDL signals; the EBNF is:
s i g n a l .n a m e  { ,  s ig n a l_ n a m e }
S eq u e n tia l S ta te m e n ts  W ithin our subset of VHDL, a sequentialstatem ent can be 
a signal_assignment_statement, an if-statement or a case_statement, and the EBNF is 
given as:
s i g n a l - a s s i g n m e n t - s t a t e m e n t  
| i f _ s t a t e m e n t  
| c a s e . s t a t e m e n t
2.1. VHDL 13
O perators The VHDL LRM identifies two types of operators, relationaLoperators 
and logicaLoperators :
r e l a t i o n a l - o p e r a t o r s  : :=  =  | / =  | <  | < =  | >  | > =  
l o g i c a l - o p e r a t o r s  : :=  and [ or  | nand | nor  | x o r  | x n o r
Signal A ssignm ent Values are assigned to signals in VHDL as defined by the EBNF 
signal-assignm entstatem ent:
t a r g e t  < =  e x p r e s s i o n  ;
where target is a reference to an out port, inout port or internal signal. Assignments to 
a signal can be non-trivial, i.e., not just the value of another signal, but an expression.
E xpression The EBNF expression definition for VHDL utilises the logical-operators, 
enabling boolean arguments to be composed from multiple (simple_expressions) ; an 
expression is given as:
s im p  l e - e x p r e s s  io n  {an d  s i m p l e . e x p r e s s i o n  }
| s im p  l e - e x p r e s s i o n  { o r  
s im p  l e - e x p r e s s  io n  }
| s im p  l e - e x p r e s s i o n  { x o r  
s i m p l e - e x p r e s s i o n }
| s im p  l e - e x p r e s s i o n  {nand  
s im p  l e . e x p r  e s s  io n  }
| s im p  l e - e x p r e s s  io n  { n o r  
s i m p l e _ e x p r e s s i o n  }
| s im p  l e - e x p r e s s i o n  { x n o r  
s i m p l e _ e x p r e s s i o n  }
Sim ple E xpression The VHDL LRM further simplifies a VHDL expression to be a 
simple-expression, enabling the use of addition-operators: —, + . Thus, a simple-expre- 
ssion allows one or more primary values to be composed together using these alternative 
operators as below:
[n o t ]  pr im ary { +  [ n o t ] prim ary | — [n o t ]  pr im ary  }
Prim ary In order to enable recursion of expression as well as identification of a single 
signal (name), the EBNF for VHDL defines primary as an intermediary step:
name | ( e x p r e s s i o n )
14 Chapter 2. Languages
I f  S ta te m e n t The VHDL i l f  statement is like any other conditional branch, a boolean 
expression determines which of the sequentiaLstatement branches is taken. VHDL also 
offers e ls if branches that have separate boolean expressions if met. The EBNF syntax 
for an i f  s ta te m e n t  is given as:
i f  e x p r e s s i o n  t h e n
{ s e q u e n t  i a l_ s t  a t  e m e n t }
{ e l s i f  c o n d i t i o n  t h e n  
{ s e q u e n t i a l - s t a t e m e n t } }
[ e l s e
{ s e q u e n t i a l - s t a t e m e n t  }] 
end  i f  ;
C ase S ta te m e n t Similar to the ifjstatem ent, VHDL’s case_statement provides a branch­
ing operator dependent on the value of an expression, be it a single signal or the evaluation 
of several composed signals. The different possible outcomes for the expression are given 
as choices, and are partitioned with the w h en  operator. The structure of the EBNF 
casesta tm ent is:
c a s e  e x p r e s s i o n  i s  
when c h o i c e s  =>
{ s e q u e n t i a l - s t a t e m e n t }
{when c h o i c e s  =>
{ s e q u e n t  i a l - s t  a t  e m e n t  } }  
end  c a s e  ;
C o m p o n e n t In s ta n tia t io n  An architecture-body may identify multiple instances of 
other VHDL components. Rather than define a process_statement, a component-instant 
—iation_statement is given. This provides the instance with an unique label, which 
references the original VHDL component.
A mapping of the current component’s ports and signals to those of the contained com­
ponent instantiation, as required, is also provided. These mappings provide the stimuli 
for the contained component.
Similarly, a mapping is provided for any generic  elements tha t are defined within the 
contained component’s entity declaration.
W hilst all the g en eric  and p o r t  elements of the instantiated component must be mapped, 
it does not mean th a t all parent component ports must be used in the mapping.
As per the architecture body definition, multiple instantiations may be made within 
a component, and these instantiations are not restricted to a single component, i.e., 
multiple VHDL components may be added to a VHDL designsn tity .
2.1. VHDL 15
The syntax and structure of a component—instantiation—statement is captured in the 
following EBNF definition:
i n s t a n t i a t i o n _ l a b e l  : i n s t a n t i a t e d . u n i t  
[ g e n e r i c  map ( g en e r ic_ n a m e  =>  e x p r e s s i o n  
{ , g en e r ic_ n a m e  =>  e x p r e s s i o n  } ) ]
[ p o r t  map ( p o r t .n a m e  —>  s i g n a l . n a m e  
{ , p o r t .n a m e  =>  s i g n a l . n a m e  } ) ] ;
Additionally, VHDL provides a mechanism for iterative or conditional component-instanti- 
ations. The generatestatem ent is used to describe such instantiations, and in the 
LRM, utilises a generateschem e  offering translations for for loops or conditionals. A 
generatestatem ent is provided using the following EBNF definition:
g e n e r a t e . l a b e l  : 
f o r  g e n e r a te  . s c h e m e  g e n e r a t e  
[ { b l o c k . d e c l a r a t i v e . i t e m  } 
b e g i n  ]
{ c o n c u r  r e n t  . s t a t e  m e n t  } 
end  g e n e r a t e  [ g e n e r a t e . l a b e l  ] ;
And the generateschem e  is defined as:
f o r  g e n e r a t e . p a r a m e t e r . s p e d  c a t i o n  
| i f  c o n d i t i o n  ;
The block—declarative-item  may be substituted with a nested generatestatem ent. The 
substitution for the concurrentstatem ents in our research equates to a component- 
instantia tionstatem ent, where the label of the instantiation—label adopts the value of the 
generate-parameter. In summary, generate is used to instantiate multiple port map 
declarations for a VHDL component.
2 .1 .3  R u n n in g  E xam p le: C a n d y  P u z z le
Throughout this thesis we use the Uniform Candy Distribution Puzzle [18], to illustrate 
the different language syntax and natural approaches for each language. The puzzle 
describes the passing and receiving of sweets between children until an equilibrium in the 
number of sweets each child has can be found.
The Problem
The Uniform Candy Distribution Puzzle 2  [18] contains a number of children, each of 
these children initially have a different number of sweets. For our version of the puzzle
16 Chapter 2. Languages
%
Figure 2.2: Uniform Candy Distribution Puzzle [18]
we assume 3 children, starting with 0, 2 and 4 sweets respectively. The idea is tha t each 
child passes half of their sweets to the child to their right, whilst accepting sweets from 
the child on their left. A child must pass sweets and receive sweets (if it is possible) 
before then passing again.
A teacher is also included within the puzzle, whose purpose is to give an additional 
sweet to children with an odd number, after completing both the passing and receiving 
of sweets; this ensures a whole number of sweets is passed by all children each time. The 
puzzle is solved when the children stop passing sweets, due to them all having the same 
number of sweets. Figure 2.2 illustrates the puzzle.
R u n n in g  E xam ple : C a n d y  P uzz le : V H D L  A p p ro ach
To demonstrate the use of the VHDL language, we define three VHDL components: 
child, teacher and monitor, that, when composed together within the childrenSweets 
component, capture the Uniform Candy Distribution Puzzle.
A  C h ild  C o m p o n e n t To model this puzzle in VHDL we define the behaviour of a 
child as the VHDL component given in Figure 2.3.
The child component contains a single sequential process, share, tha t sets the sweetsOut 
port to half the current number of sweets. It then takes the number of sweets passed over
2Thanks to  Markus Roggenbach, Swansea University, for introducing me to  the example
2.1. VHDL 17
e n t i t y  c h i ld  i s  
g e n e r i c  ( s t a r t v a l u e  : STD_LOGIC_VECTOR := ” 0 0 1 0 ” );  
p o r t  ( s w e e t s l n  : in  STD_LOGIC_VECTOR (3 dow nto  0) : = ” 0 0 0 0 ” ; 
sw ee tsO u t  : o u t  STD_LOGIC_VECTOR (3 dow nto  0) : = ” 0 0 0 0 ” ; 
r ep o rtN o  : o u t  STD_LOGIC_VECTOR (3 dow nto  0) 0 0 0 0 ” ;
teacher  Add : in  STD_LOGIC; 
e lk  : i n  STDJLOGIC ; 
r e s e t  : in  STDJLOGIC) ; 
end  c h i ld  ;
a r c h i t e c t u r e  b e h a v i o r a l  o f  c h i ld  i s
s i g n a l  c u r r e n t S w e e t s  : STD_LOGIC_VECTOR (3 dow nto  0) :=  ” 0 0 0 0 ” ; 
b e g in
sh a re  : p r o c e s s  ( e l k ,  r e s e t  , tea ch erA d d  ) 
b e g in  
i f  ( c lk  =  ’1 ’) t h e n  
i f ( r e s e t  =  ’ 1 ’) t h e n
c u r r e n t S w e e t s  < =  s t a r t v a l u e  ; 
e l s e
i f  ( c u r r e n t S w e e t s  / = ” 0 0 0 0 ” ) t h e n  
sw ee tsO u t  < =  s t d _ l o g i c _ v e c t o r  ( 
t o _ u n s i g n e d ( t o _ i n t e g e r (  u n s ig n e d  ( c u r r e n t S w e e t s  ) ) / 2  ,4)  ) ; 
c u r r e n t S w e e t s  < =  s t d - l o g i c - v e c t o r  ( 
t o _ u n s i g n e d ( t o _ i n t e g e r (  u n s ig n e d  ( c u r r e n t S w e e t s  ) ) / 2  ,4)
+  u n s ig n e d  ( s w e e t s l n ) )  ;
e l s e
c u r r e n t S w e e t s  < = s w e e t s l n  ; 
sw ee tsO u t  < =  ” 0 0 0 0 ” ; 
end  i f  ;
r ep o rtN o  < =  c u r r e n t S w e e t s  ; 
end  i f  ; 
e l s e
i f  teach erA dd  — ’ 1 ’ t h e n
c u r r e n t S w e e t s  < =  s t d - l o g i c - v e c t o r  ( u n s ig n e d  ( c u r r e n t S w e e t s  ) +
i ) ;
end  i f  ; 
end  i f  ; 
end  p r o c e s s  ; 
end  b e h a v io r a l  ;
Figure 2.3: Uniform Candy Distribution Puzzle: VHDL Child Component
18 Chapter 2. Languages
the input port sweetsln and half the number of sweets currently held, currentSweets, and 
replaces the value of currentSweets.
Because of the behaviour of VHDL, we perform a pass and then a receive, but the number 
of sweets passed in are those from the previous cycle. Thus, the system maintains the 
pass and receive cycle but is offset in its representation.
The synchronisation of the system is maintained using the elk input port. Upon a rising 
edge of the signal, that is a transition from 0 to 1, sweets are passed. On the falling edge 
of the signal, 1 to 0, the addition of an extra sweet from the teacher over the teacherAdd 
signal is added to currentSweets. For the purposes of this example it is assumed that, 
initially, each child starts with an even number of sweets; the current implementation 
cannot deal with an odd number of sweets for any child’s initialisation.
Additional behaviour is described within the component to ensure division by 0 does not 
occur and that the child component can be reset. Also, due to VHDL’s strong datatyping, 
VHDL functions are used for converting between data types for these calculations; the 
details of these functions can be found in the VHDL LRM [70].
A  T each er C o m p o n e n t A second VHDL component, teacher, given in Figure 2.4, 
monitors the output value of each child, child 1, child2  and childS. If any of these input 
ports are odd, a sweet is added to the sweetCalc signal.
Notice tha t our representation of a teacher utilises VHDL signal vectors. These are used 
in different ways. The first, identical to the child component, allows us to represent a 
value up to 15 in a binary format.
The second, such as sweetCalc and addSweet, provide an element within the vector to 
be associated with each child. Thus, addSweet(1) is associated with the second child in 
the puzzle. This will be made clear when the system is composed.
A  M o n ito r  C o m p o n en t The Uniform Candy Distribution Puzzle identifies an equi­
librium between children, a solution. We introduce an additional VHDL component, 
with a single process, stabilise, to determine when the solution has been found.
The monitor component, given in Figure 2.5, monitors the value of three input ports, 
triggering the stabilise process each time one of the port values changes. If they are all 
equal, the stabilise process assigns the value of the output port, stable, to 1 .
2.1. VHDL 19
e n t i t y  t e a c h e r  i s  
p o r t  ( e lk  : in  STDJLOGIC ;
c h i ld  1 : i n  STD_LOGIC_VECTOR (3 dow nto  0) ;
c h i  Id 2 : i n  STDJLOGICJVECTOR (3 dow nto  0) ;
c h i ld 3  : in  STD_LOGIC_VECTOR (3 dow nto  0) ;
addSweet : o u t  STD_LOGIC_VECTOR (2 d o w n to  0) ) ;
end  t e a c h e r  ;
a r c h i t e c t u r e  b e h a v i o r a l  o f  t e a c h e r  i s  
s i g n a l  sw e e tC a lc  : STDJLOGICJVECTOR (2 dow nto  0) :=  ” 0 0 0 ”
b e g in
c a lc S w e e t s  : p r o c e s s  ( e l k )
b e g in  
i f  ( e lk  =  ’0 ’) t h e n
i f  ( u n s ig n e d  ( c h i ld  1 ) mod 2) =  1 t h e n  sw e e tC a lc  (0)  
< =  ’ 1 ’ ;
e l s e  sw e e tC a lc  (0) < =  ’O ’ ; 
end  i f  ;
i f  ( u n s ig n e d  ( c h i ld 2  ) mod 2) =  1 t h e n  s w e e tC a lc  (1)  
< =  ’1 ’ ;
e l s e  s w e e tC a lc  (1 )  < =  ’O ’ ; 
end  i f  ;
i f  ( u n s ig n e d  ( c h i ld S  ) mod 2) — l  t h e n  s w e e tC a lc  (2)  
< =  ’ 1 ’ ;
e l s e  sw e e tC a lc  (2) < =  ’O ’ ; 
end  i f  ; 
end  i f  ; 
end  p r o c e s s  ;
g iv e S w e e t s  : p r o c e s s  ( s w e e t C a l c )  
b e g in
fo r  i in  0 t o  2 l o o p
addSweet ( i ) < =  sw e e tC a lc  ( i ) ; 
end  lo o p  ; 
end  p r o c e s s  ; 
end  b e h a v i o r a l  ;
Figure 2.4: Uniform Candy Distribution Puzzle: VHDL Teacher Component
20 Chapter 2. Languages
e n t i t y  m on itor  i s  
p o r t  ( c h i ld  1 : i n  STD_LOGIC_VECTOR (3 dow nto  0 ) ;  
c h i ld 2  : i n  STDJLOGICJVECTOR (3 dow nto  0) ; 
ch i  Id 3 : i n  STDJLOGICJVECTOR (3 dow nto  0) ; 
e lk  : in  STD-LOGIC ; 
r e s e t  : in  STD-LOGIC ; 
s t a b l e  : o u t  STDJLOGIC) ; 
end  m o n ito r  ;
a r c h i t e c t u r e  b e h a v i o r a l  o f  m o n ito r  i s  
b e g in
s t a b i l i s e :  p r o c e s s  ( e l k ,  r e s e t )  
b e g in  
i f ( c l k  =  ’l ’) t h e n
i f ( r e s e t  =  ’ 1 ’) t h e n  
s t a b l e  < =  ’ O ’ ; 
e l s e
i f  ( c h i l d l  =  c h i ld 2  ) and ( c h i l d 2  =  c h i ld S  ) t h e n  
s t a b l e  < =  ’ 1 ’ ; 
e l s e
s t a b l e  < =  ’ O ’ ; 
end  i f  ; 
en d  i f ; 
end  i f  ; 
en d  p r o c e s s  ; 
e n d  b e h a v i o r a l  ;
Figure 2.5: Uniform Candy Distribution Puzzle: VHDL Monitor Component
2.1. VHDL 21
childrenSweets
childl childS child!
Figure 2.6: Uniform Candy Distribution Puzzle VHDL Hierarchy
C om posing  T h e  P u z z le  W ith the three small individual VHDL components de­
scribed above, it is possible to compose these together to create a VHDL system that 
represents the Uniform Candy Distribution Puzzle, illustrated in Figure 2.6. Figure 2.7, 
provides the VHDL composition of three instances of the child component, and a single 
instance of the teacher and monitor components.
Our representation of the Uniform Candy Distribution Puzzle as the VHDL component, 
childrenSweets, only has three external ports. The two input ports:
• elk: providing a stimulus for the synchronisation of cycles.
• reset : adding the ability to reset the puzzle.
There is a single output port:
• stable : identifying when the puzzle is solved; this is mapped directly to the monitor 
output port of the same name.
The childSweets VHDL component also identifies internal signals, allowing mappings to 
be defined between the ports of the contained instantiated components. Internal signals 
are created to link the ports of each component together. These signals are used within 
VHDL port mappings to:
• childl Swap, child2Swap and childS Swap: linking the children of the system to­
gether so th a t sweets may be passed.
• childl Sweets, child2 Sweets, and childSSweets: reporting the number of sweets held 
by each child to both the monitor and teacher component.
• teacherAdd: allowing the teacher to add an extra sweet to each child of the system.
22 Chapter 2. Languages
W ithin each instance of the child component defined in the childrenSweets component, 
Figure 2.7, a different value is assigned for the generic  startvalue. This enables us to set 
the starting values of 0, 2 and 4 to child 1, 2 and 3 respectively, as per the initial puzzle 
description. By altering these initial values we can alter the behaviour of the system and 
change the amount of cycles required for equilibrium to occur between the children.
2 .1 .4  B eh a v io u ra l M o d e l
There are two key behavioural characteristics of VHDL that are necessary in under­
standing the execution of a VHDL system; how a signal is interpreted, and how and 
when processes are executed.
S ignal P ro p e r t ie s  W ithin VHDL, signals are considered to have a dual state, a write 
state and a read state. The values of signals are only updated at ‘safe points’, this ensures 
consistency whilst processes execute.
These ‘safe points’ for updating the signal state are after the execution cycle of all 
the processes within the VHDL component. T hat is, each process has completed its 
sequential behaviour.
At this point, internal signal and output port values can be safely updated. Once the 
values have been updated, processes may execute once more. Thus, signals in VHDL can 
be considered to have historical properties; their current state and their next state. We 
do not consider safe points for input signal changes as these may only be read in during 
a safe state; during the unstable states only the historical values of the input values are 
used.
P ro c ess  E x e c u tio n  As previously mentioned, a VHDL process reacts to state changes 
of those signals to which it is sensitive, identified in the process sensitivity list.
For example: the teacher component, i.e., those defined in Figure 2.4. There are two 
processes defined: calcSweets, reacts to the input port elk only, and giveSweets, reacts 
to changes to the internal signal sweetCalc. By altering the state of elk from 0 to 1, the 
process calcSweets will execute. If we assume that the signal sweetCalc had a previous 
value of ‘000’ and tha t the input port child2 has the value ‘O il’. After the sequential 
behaviour of calcSweets has finalised, the signal value of sweetCalc is assigned the value 
‘010’. The execution of the process is considered to take an infinitesimally small period 
of time, a delta cycle (or delta delay).
2.1. VHDL 23
e n t i t y  c h i ld r e n S w e e t s  i s  
p o r t  ( e lk  : in  STD_LOGIC; 
r e s e t  : in  STDJLOGIC ; 
s t a b l e  : o u t  STD_LOGIC) ; 
en d  c h i ld r e n S w e e t s  ;
a r c h i t e c t u r e  b e h a v i o r a l  o f  c h i ld r e n S w e e t s  i s  
s i g n a l  c h i l d l S w e e t s  : STD_LOGIC_VECTOR (3 dow nto  0) :=  ” 0 0 0 0 ” ; 
s i g n a l  c h i ld lS w a p  : STDJLOGKLVECTOR (3 dow nto  0) :=  ” 0 0 0 0 ” ; 
s i g n a l  c h i l d l S w e e t s  : STDJLOGICJVECTOR (3 dow nto  0) :=  ” 0 0 0 0 ” ; 
s i g n a l  ch i ld 2 S w a p  : STDJLOGKLVECTOR (3 dow nto  0) :=  ” 0 0 0 0 ” ; 
s i g n a l  c h i ld S S w e e t s  : STDJLOGKLVECTOR (3 dow nto  0) :=  ” 0 0 0 0 ” ; 
s i g n a l  ch i ld S S w a p  : STDJLOGKLVECTOR (3 dow nto  0) :=  ” 0 0 0 0 ” ; 
s i g n a l  teach erA dd  : STDJLOGKLVECTOR (2 dow nto  0) :=  ” 0 0 0 ” ; 
b e g in
c h i l d l  : e n t i t y  c h i ld  
g e n e r i c  map ( s t a r t v a l u e  =>  ” 0 0 1 0 ” ) 
p o r t  map ( e lk  = >  e lk  , r e s e t  =>  r e s e t  ,
s w e e t s l n  =>  childSSwap , tea ch erA d d  =>  teach erA dd  (0)  , 
sw ee tsO u t  =>  c h i l d l S w a p ,  r ep o rtN o  =>  c h i l d l S w e e t s ) ;  
c h i ld 2  : e n t i t y  c h i ld  
g e n e r i c  map ( s t a r t v a l u e  =>  ” 0 0 0 1 ” ) 
p o r t  map ( e lk  =>  e lk  , r e s e t  =>  r e s e t  ,
s w e e t s l n  =>  c h i ld lS w a p  , tea ch erA d d  =>  teach erA dd  (1 )  , 
sw ee tsO u t  =>  ch i ld2Sw ap , r ep o r tN o  =>  c h i ld 2 S w e e t s  ) ; 
c h i ld 3  : e n t i t y  c h i ld  
g e n e r i c  map ( s t a r t v a l u e  =>  ” 0 0 1 1 ” ) 
p o r t  map ( e lk  =>  e lk  , r e s e t  =>  r e s e t  ,
s w e e t s l n  =>  ch i ld2Sw ap , teach erA dd  => teach erA dd  (2 )  , 
sw ee tsO u t  =>  c h i ld S S w a p ,  rep o r tN o  =>  c h i l d S S w e e t s ) ;  
t e a c h e r 1 : e n t i t y  t e a c h e r  
p o r t  map ( e lk  =>  e lk  , c h i ld  1 =>  c h i l d l S w e e t s  ,
c h i ld 2  =>  c h i ld 2 S w e e t s  , c h i ld S  =>  c h i ld S S w e e t s  , 
addSweet (0 )  =>  teach erA dd  (0)  , addSw eet (1 )  =>  tea ch erA d d  (1 )  , 
addSweet (2 )  = >  teach erA dd  (2)  ) ; 
s t a b l i s a t i o n  : e n t i t y  m o n ito r  
p o r t  map ( c h i l d l  =>  c h i l d l S w e e t s  , c h i l d 2  =>  c h i ld 2 S w e e t s  , 
c h i ld S  =>  c h i ld S S w e e t s  , e lk  = >  e lk  , r e s e t  =>  r e s e t  , 
s t a b l e  —>  s t a b l e );  
end  b e h a v i o r a l  ;
Figure 2.7: Uniformed Candy Distribution Puzzle: VHDL Composition Component
24 Chapter 2. Languages
write  signal values
update signal values
stabilise
wr i te  s ignal valueexecute processes
update signal values
Figure 2.8: VHDL behavioural model
Because the state of the signal sweetCalc has changed, the giveSweets process will execute 
its sequential behaviour. At the end of this execution, the value of the output port 
addSweet will be updated and another delta cycle will have occurred.
Since both processes have finished, and are no longer causing a cascaded execution of 
other processes, the component is considered to be in a stable state, and will not perform 
any of its contained behaviour until external stimuli are applied.
Figure 2.8 illustrates the stabilisation model within VHDL and the safe updating of signal 
values. Note tha t initially, a VHDL system is considered unstable, that is, the output 
ports have no determined value, and so the processes must execute to determine their 
values, in Figure 2.8 the initial state is DeltaCycle.
2 .1 .5  C o m p ila tio n
So far we have identified and described VHDL from a design perspective in order to 
generate Platform Independent Models (PIMs). However, VHDL designs are ‘pushed 
to chip’, and there are a variety of chip vendors (both ASIC and FPGA), each offering 
different chip models.
Component instantiations in VHDL enables the composition of many VHDL components 
into a hierarchical system design. But, compilation of a VHDL design to a specific chip 
is not necessarily straightforward, a transition from a PIM to a Platform Specific Model 
(PSM).
The VHDL LRM identifies tha t the compilation of VHDL design structures should first
2.2. VHDL Analysis 25
Unit Under 
Test
VHDL Test Bench
Figure 2.9: A VHDL testbench framework
be flattened into a single VHDL design^entity so that all processes are contained within 
a single architecture-body, describing the system. Furthermore, the signals within the 
hierarchical design are explicated, converting all contained components port mappings 
to internal signals.
However, the LRM does not identify a formal approach for this flattening. Instead, it 
is up to the EDA tool vendors to generate the most appropriate flattened PSM for the 
chip specified. Indeed, significant resource has been applied by EDA tool vendors in 
optimising this flattening process to produce faster, smaller PSMs. Thus, not every tool 
will flatten a hardware design in the same way.
Simulation tools [45] [44] are available for evaluating hardware designs tha t work with 
the PIM. Thus, the simulation tools evaluate the model with respect to the hierarchical 
structure and do not first flatten the model to a PSM.
2.2 V H D L A nalysis
The VHDL language not only provides a method for designing hardware systems, but 
also supplies a method for testing the designs as well. A VHDL design-entity  can be 
defined containing: a hardware component or system design, known as the Unit Under 
Test (UUT), processes tha t drive the UUT, and assertions tha t can be validated against 
the UUT for the scenario defined. This design-entity is known as a VHDL testbench. 
We illustrate the set up of a testbench in Figure 2.9.
It is important to note tha t a testbench validates a UUT against a given scenario, selected 
sequential stimuli and with respect to time. The validation of a property against the UUT 
within a test bench may be defined using different methods.
Stimuli
Assertions
26 Chapter 2. Languages
The most straightforward validation for a testbench is written using VHDL assertions.
A VHDL assertion may be applicable at different times within the model simulation, 
based on its placement within the model definition. Assertions placed at a particular line 
within a specific process may only be evaluated when reached during model execution; 
evaluating a property only after preceding behaviour has been executed. Alternatively, 
an assertion may be expected to hold over all simulation time for a component, when 
placed within an architecture body, outside of any process definitions.
Both application approaches for VHDL assertions may only evaluate those signals and 
ports within the component. The EBNF definition for a VHDL assertion is given as a 
boolean expession of the form:
a s s e r t  e x p r e s s i o n
More complex assertions may be defined using the Property Specification Language (PSL) 
[30]. PSL assertions may specify time frames after which a property must hold, or 
properties th a t must eventually hold. The structure for PSL statements are given in the 
PSL Reference Manual, [71].
Finally, some of the EDA tools provide support for using System Verilog Assertions 
(SVA) [4], however, their use requires tha t the VHDL design first be encapsulated within 
a Verilog design file.
VHDL testbenches are evaluated using EDA simulation tools; each providing different 
levels of analysis and support.
Other tools have been developed, such as Averant’s Solidify [7] that performs static 
analysis of a VHDL design. This static analysis does not encompass the passing of time 
into the analysis of the system, but does attem pt to model check the system, exploring 
every possible sequence of input stimuli for the system. Solidify uses its own native 
Hardware Property Language (HPL), but does also support other assertion languages 
such as PSL.
Today, the emphasis on hardware evaluation is on test coverage of properties and proving 
equivalence between VHDL design models.
W ithin the context of this thesis we have focused on the use of two EDA tools, ModelSim 
Student Edition and Questa Advanced Simulator. Both these tools have been developed 
by Mentor Graphics, and are the tools of choice for the PhD sponsor, AWE pic.
23. CSP 27
M o d elS im  S tu d e n t E d itio n  ModelSim [44] is a simulation tool for hardware designs 
th a t produces a waveform for the UUT based on the scenario undergoing simulation. 
Assertions in VHDL, PSL and SVA may be evaluated within ModelSim, and the tool 
also enables the user to step through the design, line by line, to see the impact it is 
having on the resultant waveform.
As well as visualising the values of the UUT’s ports, it is also capable of reporting the 
values of the contained component instances within the UUT, so tha t the user is able to 
understand how the internal behaviour is reacting to the given stimuli.
It is also possible within ModelSim to specify an external file for the location of the 
external stimuli, enabling larger scenarios to be defined more easily.
Q u e s ta  A d vanced  S im u la to r  Questa Advanced Simulator [45] is the ‘big brother’ of 
ModelSim, also offering all the features described above. However, Questa also provides 
different metrics on code coverage, a feature tha t is becoming more and more highly 
valued in today’s tools. Code coverage can be applied in different forms, and is discussed 
in more detail in Section 3.1. These metrics encompass numerous code evaluation aids 
such as the percentage of the code explored using the current testbench and UUT.
The evaluation of code coverage extends further, to provide a visual representation of 
the states within the design’s behaviour, and the states of the contained component’s be­
haviours, that have been reached, the transitions between these states, and the frequency 
of these transitions for the time scale currently specified.
Using this code coverage information Questa provides the user a basis for expanding the 
testbench to fully explore the models. However, developing with testbenches for these 
corner cases is still difficult and often requires a lot of resources for evaluating a small 
area of the design.
We illustrate the use of the Mentor Graphics tools in Chapters 9 and 10 when evaluating 
the functionality of our approach.
2.3 CSP
In this thesis we use Communicating Sequential Processes (CSP) [51,85] as the chosen 
language to support mathematical reasoning for systems design. CSP was developed as 
a process algebra. The language shares the same philosophy as VHDL, since systems are
28 Chapter 2. Languages
defined in terms of the composition of processes, and these processes communicate via 
channels.
2 .3 .1  G r a m m a r
The grammar of CSP is compact; the following defines the processes used within our 
work.
P ::—Stop | Skip \ a -*  P  \ P%Q \ a îx \y .z  P{x) | P  □ Q |DaGA P
| P \A  | i f  b then P\ else P 2  I P  || Q I  P | |  Q I  P  I I I  Q I  P [ a / c l
A B A
Stop describes a termination process which ensures that a process ceases to perform 
internal or external communications and events. Skip describes a successful termination 
process, allowing continuation of events after its occurrence. The prefix operator, o -> P , 
is prepared to engage in the event a and immediately after will behave as process P  .
The sequential operator of the form P  g Q will behave as process P  until successful ter­
mination occurs (Skip), at which point it will then behave as process Q. Note th a t no 
collected parameterised information may be passed over the g operator.
Channels are able to receive and transm it values. The prefix a lx \y .z  -A- P (x) will 
transm it values y and (previously known values) and accept a value x along channel 
a, the subsequent behaviour of P  may depend on x.
The choice P O Q provides an external choice between process P  and process Q, if the 
environment is willing to perform process P  but not Q then the choice is resolved in 
favour of P.
The operation O^GA a P  presents an external choice of event a, where a is drawn 
from a set A, and will immediately after behave as process P.
P \A  denotes a process P with the events in set A hidden. These hidden events, whilst 
still being performed, will no longer be visible and therefore synchronisations cannot 
occur on these channels, and likewise these events will not be displayed in traces.
3% win generally be  a transmitted value, unless the  preceding parameter is being received, at which  
point z will also accept a value along the  channel.
2.3. CSP 29
The i f  then else operator ( if b then Pi else P2 ) is a conditional branching operator. The 
choice of branch is determined by the boolean expression b, if the expression evaluates to 
true then the branch Pi will be performed, otherwise P2 will be performed. From [85], 
“The guard construct a & P I  is used as a convenient shorthand for i f  b then Pi else Stop” .
CSP provides an operator for creating synchronised parallel combinations, in particular a
binary parallel combination P  || Q where the events in A fl B must synchronise between
A B
P  and Q. If A D B =  0 then processes P  and Q are said to be disjoint and will therefore
not synchronise on any events. P  cannot perform any behaviour outside of A, and Q
cannot perform any behaviour outside of B; thus if A U B =  0 then P  || Q =  Stop.
A B
Another version of the parallel operator exists, known as an interface parallel combination
P \\Q  where the events in A must synchronise between P  and Q. The interface parallel 
A
does not require explicit event sets to be defined for P  and Q, only the events they share.
If A =  0, the behaviour exhibited by P 11 Q is equivalent to P  ||( Q.
A
CSP allows for event renaming described as P[[a/ cJ, where all occurrences of the event 
a within process P  are renamed to become the process c. For example, the process 
P = a ^  Stop would become P  =  c — Stop. For both alphabetised and interface 
parallel composition, indexed versions are available.
Indexed alphabetised parallel composes the processes Pi using the alphabets A% for all 
i E I] the notation is given as | | ^  P{. For example, taking I to be the set {1,2,3}, the 
explicated alphabetised parallel composition is of the form: (Pi || P 2 ) || P 3 .
A i A2 A1UA2 A3
Indexed interface parallel composes the processes Pi using the alphabet A for all i £ I, 
defined as || P^. Substituting I for the set {1,2,3}, the expanded form would be:
(P1||P 2)||P3.’e
A A
2 .3 .2  S em a n tic s
Several semantic models exist for checking CSP systems [85] and by using these semantic 
models it is possible to ensure concrete refinements of abstract models are formally veri­
fied. For this thesis we are concerned with the traces, failures, and failures-divergences 
semantic models.
Traces Traces in CSP are representations of events which have occurred. For example, 
the process P = a - A - b - A - c - A -  STO P  has traces(P) = {(), (a), (a, b), (a,b,c)},
30 Chapter 2. Languages
where each trace can be observed. We refer the reader to [85] for the denotational trace 
semantics.
The traces semantic model can be used to establish tha t a refinement P' can contain at 
most the same set of traces available in P , traces(Pr) C traces(P), written in CSP as 
P Q t  P ', and can therefore be considered a traces refinement.
F a ilu res  A more discriminating semantic model to traces in CSP is the failures seman­
tic model. A CSP failure is represented as a pair (£r, A ), where tr  is a trace of a CSP 
system and X  is a set of events which can be refused after the sequence of events shown 
in tr  have occurred; X  is known as a refusal set. For example, {({), {b, c}), ((a), {a, c}), 
((a, b), {a, b}), ((a, b, c), {a, &, c})} is the maximal set of failures for the process P = a - ï  
b —^ c —y STO P.
Thus, the failures semantic model can be used to specify what a system must do in terms 
of what cannot be refused, where previously traces specified only what a system could do. 
This must is referred to as liveness in CSP. Similarly to the traces semantic model, the 
failures semantic model can be used to establish tha t failures (P1) Ç failures (P),  written 
in CSP as P  QF P '.
F a ilu res  D ivergence  A finite sequence of events, tr, is a divergent trace of P , if it is 
possible for P  to perform an infinite sequence of internal events within or after performing 
tr. By hiding events within a system, there is the possibility of internal events occurring 
indefinitely. Since a process is free to execute hidden (internal) events indefinitely, it 
therefore avoids any further interaction with its environment. This behaviour is known 
as divergence.
In this model, a failure is a pair (tr, X )  consisting of a trace tr and a set of events X .  It 
is a failure of a process P  if either tr is a divergence of P  (in which case X  can be any 
set), or ( t r , X)  is a stable failure of P . The set of all possible failures of a process P  is 
written T  [[P]]. If V  [[P]] = V ^ Q \  and P[[P]] =  PHQJ then P  and Q are equivalent in 
the failures-divergences model, written P = f d  Q-
Normally, in practice, and in this thesis, the only divergences requirement is that a 
process has no divergences. For divergence free processes, the failures model is sufficient 
for refinement checking.
These semantic models have been implemented in the CSP model checking tool Failures
23. CSP 31
Divergences Refinement (FDR) [38] th a t is able to provide counter-examples for model 
correction/ analysis of invalid refinement checks.
F reed o m  C hecks
The application of these semantic models is not limited to specifications. The notion 
of a specification is introduced by example in Section 2.3.4. Additionally the failures 
and failures-divergences semantic models may be used to perform additional checks on a 
model with FDR.
D ead lo ck  F reed o m  In CSP systems, deadlocks occur when processes which require 
synchronisations on certain events are both  unwilling to progress to a point where a 
synchronisation can occur. For example, the parallel process a —> c —)• Stop || b —>
{a,c}
c —y a —y Stop will deadlock after event b has been performed. Both events a and c must 
synchronise but the event a must be performed before event c on the left hand side of 
the parallel operator, whilst the right hand side requires c to fire before a. As a result 
both sides are unable to progress and so a deadlocked state occurs.
Deadlock checking within FDR, using the assertion P  : [deadlockfree[F]\, denotes th a t the 
failures semantic model is used to verify tha t the process P  is deadlock free. Similarly, 
the failures-divergences semantic model may also be used to verify th a t P  is deadlock 
free using the assertion P  : [deadlockfree[FD]\.
L ivelock F reed o m  Utilising the idea of divergence, if a process is waiting to synchro­
nise with another divergent process on an external event, the system is considered to be 
in a state of livelock. For example composing the process P = a — wi t h 
the process Q = a ^  Q in the form P \{b }  || Q would result in the possibility th a t the
{o}
process P  always perform b —ï P. As b is an internal event, the synchronisation on a 
would signify a livelocked state.
2 .3 .3  R u n n in g  E xam p le: C a n d y  P u zz le : C S P  A p p ro a ch
To illustrate the natural method for describing systems in CSP we refer back to our 
running example, the Uniform Candy Distribution Puzzle (Section 2.1.3). A CSP repre­
sentation, courtesy of Isobe and Roggenbach [53], of the puzzle is given in Figure 2.10.
32 Chapter 2. Languages
f i l l (n )=  i f  (n%2 =  0) then n else n +  1 
channel c : {0..2}.{0..2}
Child(p, i) =  c.(p +  l)%3!(i/2) -> c.p?a: -> C h ild (p ,f i l l ( i /2  +  x))
□ c .p lx  —>■ c.(p +  l)%3!(i/2) —> Child(p, f i l l ( i /2  +  x))
=ll{|^%p+i)%3|} C%iM(p, 2 * p)
Figure 2.10: A CSP representation of the Uniform Candy Distribution Puzzle
A single channel, c, is defined for the passing of sweets within the system. Identifying 
the child as the first parameter on the channel, and the number of sweets passed as the 
second parameter. Rather than identifying a separate process for the teacher, we can 
more compactly define a function fill(n) th a t performs the same purpose as the teacher, 
by adding an extra sweet in the event that a child has an odd number.
The Child(p, i) process is a parameterised process tha t enables the event c.(p+l)% 3!(«/2) 
to pass sweets to child (p +  1)%3 over the channel c, or receive sweets c.p?x over the 
channel c. The external choice operator enables these two events to occur in either 
order, and each is subsequently followed by the other. After both a pass and receive has 
occurred, the process calls itself, but uses f il l(i/2 +  x) to determine if the new number 
of sweets means an additional sweet is required.
The CSP system, identified as Children, defines an indexed interface parallel composition 
of three Child processes and assigns the initial number of sweets of each child as their 
identifier (0 ,1 ,2 ) multiplied by 2 .
The definition of the child process is clearly comparable to the VHDL child entity but, as 
we can see, is far more elegant. One of the key reasons for this is because CSP does not 
require the data type conversions. But we can see tha t the overall system is a composition 
of processes. We shall discuss the comparable process to the Monitor entity in the next 
section.
2 .3 .4  S p e c ifica tio n s
Using CSP’s ideas of refinement, specifications can be written and used to reason about 
systems. A specification can clearly define a property tha t meets the original system 
requirements. This provides a clear way of expressing properties of a system and allows 
individual properties to be evaluated and reasoned about separately.
For example, with the Uniform Candy Distribution Puzzle, we can define a specification
23. Œ P 33
Stab leA fter(n )  =  i f  n  >  0 then Stable  =  c.0!2 —> Stable
(c.O?x —> StableAfter(n  — 1) □ c.l!2 —>■ Stable
□ c . l? x  —> StableAfter{n  — 1) □ c.2!2 Stable
□ c.2?a; —> StableAfter{n  — 1)) 
eZse Stable
Figure 2.11: CSP specification for Uniform Candy Distribution Puzzle stabilisation
in CSP that determines the number of passes between the children until all the children 
have the same number of sweets; the solution. A suitable specification th a t allows a 
certain number of passes, n , to occur before the system should be considered stable, is 
given in Figure 2.11.
Using the traces semantic model, we can then define the following two assertions in CSP:
assert StableAfter(8)  Children
assert Stable A f te r  (9) Children
The CSP tool FDR [38] can be used to perform these assertions. The result will be a x 
(fail) for the assertion th a t system Children is stable after 8  passes, but a /  (pass) for 
the assertion tha t Children is stable after 9 passes. Furthermore for the failed assertion, 
a counter example is generated:
(c.2.1, c.1.0, c.0.2, c.2.1, c.1.1, c.0.2, c.0.2, c.1.2, c.2.1)
'---------v----------- ' '---------- V--------- ' '---------- V----------z
roun d  1 roun d  2 rou nd  3
This counter example illustrates tha t after 9 passes, the children are not passing 2 sweets 
to each other all the time, and th a t child 3 (c.2) has only passed a single sweet during 
this round. Thus, the assertion does not hold.
2 .3 .5  C o m p ressio n
In this thesis we use FDR [38] to support our CSP descriptions. Other tools exist for 
analysing CSP models such as ProB [62]. However, due to the use of the specialised 
function (Proc)^ th a t is only available within FDR, is not appropriate to use these other 
tools. The Proc function provides the dynamically generated set of all processes within 
a CSP system under analysis within FDR.
4 “Proc denotes the  type  of processes, so that processes can be  put into datatypes.” from [38], A ppendix  
B.21
34 Chapter 2. Languages
Figure 2.12: Visualisation of the CSP chase compression technique
Compression techniques exist tha t enable a model to be reduced for analysis and in some 
cases are not semantics preserving. T hat is, by applying these compression techniques, 
the behaviour of a model is subject to change. Of these compression techniques, our 
work makes use of FD R’s chase compression technique.
Compression techniques in FDR generally follow down chains of internal events, known 
as r  events, and will reduce a model by matching similar paths. The chase technique, 
as the name suggests, will chase down a chain of r  events and reduce these to a single 
r  event. Because of this technique, it is only safe to apply this form of compression, in 
the sense of preserving semantics, if the system is deterministic. In general this reduces 
non-determinism as some possible execution paths are discarded. The point is that if 
there are other branches along the way of this chain of r  event then they are dropped, and 
if there are choices between r  events then only one of them will be taken. For instance, 
if there are two chains of r  events, both will be reduced to single r  events. However, if 
one of these chains diverges, then the chase compression will force the system to follow 
the infinite internal loop. Thus, using chase on a system where a chain of r ’s results in 
a divergent path, gives rise to an analysis within FDR, which cannot continue. Figure 
2 . 1 2  illustrates the effects of chase and the path taken by chase, in this case this figure 
is not deterministic; i.e., from Figure 2.12, it is possible to follow another r  path when 
chase compression is applied.
Chapter 3
Literature R eview
Hardware has required high level languages in order to design and develop complex sys­
tems. VHDL has been one of the prominent hardware design languages since the early 
1980's. Whilst some of the research we identify within this chapter pertains to other lan­
guages such as Verilog [72] or SystemC [74], the underlying theme still exists: providing 
confidence in a hardware design to behave as expected. The analysis of hardware systems 
has developed in both academia and industry as identified in [36], they have worked in 
concert to develop methodologies to increase assurance in the hardware design. Indeed, 
Limor Fix [36] discusses the evolution of hardware analysis at Intel.
The first generation of formal verification used customised Linear Temporal Logic (LTL) 
[8,29,77] expressions within the Symbolic Model Verifier (SMV) [65] compiler. Analy­
sis of key components of a hardware system, such as the Arithmetic Logic Unit (ALU) 
was conducted, and relied upon assumption guarantees between hardware components. 
Intel’s second generation of hardware analysis utilised SATisfiability (SAT)-based model 
checkers, with embedded symbolic simulators. From this a hardware specification lan­
guage was developed, ForSpec, that was later donated to Accéléra to become the IEEE 
standard assertion language 8 VA [73].
Other ways of providing confidence in a hardware design in previous years have been 
to develop the verification statements themselves, evaluating assertions against more 
stringent requirements. For instance, ensuring tha t signal changes over time do not 
override previously unassigned values, as in [6 ]. In [6 ], Augustin works at the unit delay 
level (delta delay) and converts an assertion to a waveform algebra, VHDL Annotation 
Language (VAL) and back again, resulting in a more detailed assertion. This work
35
36 Chapter 3. Literature Review
dates back to 1989 and since then significant advancements have been made in assertion 
languages such as PSL and SVA.
W ithin this chapter we identify the approaches, and evolution of hardware verification 
research taken by both industry and academia. However, we first introduce the concept 
of code coverage in Section 3.1, and some attem pts to embed formal semantics into the 
VHDL langauge in Section 3.2. Then Section 3.3 discusses the application of traditional 
model checking techniques for hardware analysis, and Section 3.4 moves on to symbolic 
model checking. The use of theorem proving techniques is described in Section 3.5 before 
Section 3.6 identifies the current trend in utilising formal techniques to aid in closing 
the coverage gap. Finally Section 3.7 identifies the approach and the justification for the 
approach taken in this thesis.
3.1 Introduction to  C ode Coverage
The industrially accepted approach to provide confidence in VHDL is to simulate the 
design using a scenario, a testbench. Providing tha t a given sequence of stimuli results 
in the expected output, the scenario provides a level of assurance tha t the system meets 
its requirements. However, this approach does not guarantee that the scenarios provide 
full coverage of the design, and th a t every possible scenario is fully explored.
Coverage of a hardware design may be assessed in different ways [19]: statement cover­
age, condition coverage, and path  coverage. Each of these coverage approaches has its 
restrictions and uncertainties.
S ta te m e n t  coverage measures how many lines of code are executed by a scenario. The 
scenario may never evaluate every branch within a design, and indeed it may be 
th a t dead code exists within the design that is never executed. Hence, determining 
when coverage metrics report full execution of a design, despite not identifying 
100% coverage for the scenario, is non-trivial.
C o n d itio n  coverage identifies how many paths through the code are taken by a sce­
nario. This coverage metric may not be complete although the statement coverage 
reports execution of all code. Thus to increase this form of coverage, it is necessary 
to identify the alterations required to a scenario to take the other paths.
P a th  coverage provides the most assurance regarding a system design, measuring all 
possible ways a sequence of statements can be executed. Evaluating all possible
3.2. Formal Language Embedding 37
paths of a system with a scenario, is however, difficult since the number of paths 
for a sequence of statements grows exponentially with the number of control flow 
statements within the sequence.
From these different levels it is clear th a t using standard scenario and testing within 
VHDL leads to areas of coverage tha t are not explored. The literature tha t identifies and 
aims to close this coverage gap is discussed in Section 3.6; this is currently a fashionable 
area of research for applying formal analysis for hardware verification.
3.2 Formal Language Em bedding
In addition to these forms of verification for hardware, steps have been made to formalise 
the VHDL language. These attem pts [16,43,95] have never fully encapsulated the VHDL 
language, and instead only provide semantics to a subset of the language. Gossen [43] 
introduces operational semantics to VHDL-83, and Thirunarayan [95] furthers these to 
VHDL-93. Both apply formal semantics tha t then enable theorem proving techniques to 
be applied to reason about system behaviour.
Déharbe and Borrione [31] define semantics for VHDL that can then be used to lift the 
behaviour of a VHDL design and use Symbolic Model Checker (SMC) with Computa­
tional Tree Logic (CTL) [8,28,29,78] to verify tha t system properties, at the delta delay 
level, are met. Other operational semantics, such as those identified in [57], endeavour 
to provide a suitable basis for formal verification of VHDL. In all these cases the subsets 
tha t have been described do not scale to systems containing multiple VHDL components.
3.3 Explicit M odel Checking
Bara et al. [10], Man [64], and Kharmeh et al. [55] choose to use formalisms th a t include 
time to model hardware. Both Bara et al. and Man use timed autom ata with speci­
fications in Timed Computational Tree Logic (TCTL) [8,29] to reason about hardware 
systems. Hence, tools such as UPPAAL [61] and PROMELA [52] are employed. Kharmeh 
et al. chose to use the specialisation of the process algebra CSP, CSF-tock [83,85]. All 
of these approaches are only able to express a subset of the VHDL language.
In [10], a network of timed autom ata model is derived by merging two different VHDL 
modelling levels: the behavioural (RTL), and the transistor (NetList). Modelling the
38 Chapter 3. Literature Review
system in such a way enables reasoning about system properties, determining the maximal 
response times or identifying the stability periods. However, due to the fine granularity 
of the generated models, the approach is limited to small systems (100 gates). Since 
these two modelling levels are combined, the component information is removed, as the 
RTL must be flattened to enable mapping to the NetList timings.
Akin to Bara et oZ., M an’s approach [64] proposes to model check hardware systems 
resulting in the generation of timed automata. Instead of a direct mapping, an extension 
to the formalism Chi [100] was developed, Timed Chi. Timed Chi is an intermediary 
language, defining deduction rules to produce the models from the VHDL system.
A ‘brief sketch’ to a CSP methodology for modelling VHDL descriptions was given by 
Barton [12] in 1995. Barton suggested a way of capturing the basic constituents of a 
VHDL description within CSP that distinguished between delta units (d), and real time 
(fs) cycles; these time related cycles were represented as CSP events. This research iden­
tified several key points: firstly, how should a model composed of multiple processes, each 
representing a VHDL process, determine when the internal state should be ‘reawakened’, 
and by which event type, a d event or fs  event; secondly, performing the model checking 
over the entire system and performing the mathematical functions could result in state 
space explosion. The premise of this work was based around also translating Waveform 
and Vector Exchange Specification (WAVES) [68] to produce a CSP specification that 
could then be used to perform system verification.
Kharmeh et al. [55] utilises the additional functionality of the CSP model checker FDR 
to reason about hardware descriptions. Implementing the new r  —priority model and in­
troducing a simplistic took driven process to model the progression of time. They identify 
different configuration models, separating analysis of functional and timing aspects of the 
hardware description. Kharmeh et al. use these configuration models to verify different 
aspects of the design, such as evaluating the interaction with the outside world (the raw 
configuration model). This work is still in its infancy and does not yet scale to the levels 
of analysis necessary for providing confidence in relatively small VHDL systems.
The work of Bloem et al. [16] suggests the use of formal analysis for hardware design 
as the starting point. They derive a system from a detailed PSL specification and from 
this, generate an automaton of the specification that can then be used to derive a coded 
implementation.
Meanwhile the application of the B-Method [1] is employed by Petre, Sere and Tsiopoulos 
[76] to identify optimal component compositions for Network-on-Chip (NoC) designs with
3.4. Symbolic Model Checking (SMC) 39
B animations. The model checking tool, ProB [62], is applied to identify the number of 
communications between components within a simulation cycle. This information is then 
used to optimise the NoC design such tha t the number of interactions is reduced, and 
thus the computation time for the NoC is reduced.
Other work by Evans [35] uses the hybrid formalism CSP||B [89,90,96,97] to describe 
VHDL systems. Abstracting away the timing element of the hardware design and focusing 
on the behavioural aspect, Evans uplifts the details in a B-Method description to CSP, 
resulting in a model th a t can be evaluated in FDR. However, the design of the model does 
not lend itself to efficient compilation within FDR, and so the scalability of the method is 
hindered to inefficient state compilation. Evans’ approach does not discriminate between 
stable and unstable states, recall Section 2.1.4 on page 22. Instead Evans visualises 
behaviour of a hardware design as transitions between delta units, identifying the state 
of all signals within the system as parameters over a single channel dd.
From the literature explored in this section, it is clear tha t the verification approach of 
hardware descriptions depends on those properties to be evaluated. As a result, different 
levels of abstraction are applied to the original hardware design, those focusing on timing 
[10,35,64] evaluating system behaviour at the delta delay unit level. Others are more 
interested in the sequential behaviour of the design [55] and some focus on component 
interaction to speed up computation [76]. By contrast, some other approaches [16] start 
with a formal design and generate a suitable high level hardware design.
Ideas of refinement are also implemented within industrial tools in the form of equivalence 
checking e.g., FormalPro [46], but this verification is between the design and the synthesis 
(RTL and NetList) level. The ability to define abstract specifications using process 
algebras or CTL to provide confidence th a t hardware designs meet individual high level 
system properties still proves non-trivial. This is still a feature not readily available 
within the EDA tools, and is still considered a desirable feature.
3.4 Sym bolic M odel Checking (SM C)
The use of Binary Decision Diagrams (BDDs) [23] for hardware designs is evident within 
the literature, due to their ability to represent large systems for combinational sequential 
problems. However, their use is once again limited by the state space explosion issue 
tha t shadows the model checking world. Symbolic Model Checking SMC is then applied, 
along with varying levels of abstraction, and efficient coding algorithms, in an attem pt 
to combat this problem.
40 Chapter 3. Literature Review
Cabodi and Murciano [25] discuss using SMV to avoid the ever present state space explo­
sion and identify clever manipulation algorithms tha t can be of benefit. Their technique 
uses boolean functions to capture the input and output behaviour of a hardware design, 
and evaluate CTL properties tha t express system requirements. These manipulation al­
gorithms help to determine the possible and most likely outcomes. For instance, take 
a VHDL o r statement: there are three outcomes where the output is ‘1’, and only one 
where the resultant output is ‘O’. Furthermore, they aid in determining loop points, thus 
reducing the state space.
In [32] Déharbe et d . describe a new tool, CMU VHDL Analyzer (CVA), for model check­
ing hardware designs. Their tool integrates well, returning counter examples to Temporal 
Logic (TL) statements as scenarios for hardware tools. As with most approaches to for­
mal analysis of hardware, CVA is only viable for a subset of VHDL. Similarly, their 
analysis is performed at the delta delay unit level, defining boolean transitions for each 
delay unit to generate a HDD.
Bourahla and Benmohamed [22] identify an abstraction from a hardware design to an 
abstract model, using theorem proving to perform such abstractions. The premise that 
properties within an abstraction of a system hold, will therefore also hold in the imple­
mentation, is taken in this work. Using LTL to express system properties, a component 
level abstraction is performed that then undergoes refinement to remove any false pos­
itives to the LTL properties. This approach is only applied to a subset of VHDL, and 
focuses on contained Finite State Machines (FSM). This abstraction and refinement pro­
cess, whilst not being unique in its approach, has not been extended further within 
hardware analysis since its proposal in 2002.
A tool extension, Requirements Analysis Tool with SYnthesis (RATSY), is described 
by Bloem et al. [15]. The tool provides a Graphical User Interface (GUI) front end 
for analysis through specification generation. Using PSL, traces are identified for those 
properties that exist in the model. This work extends the Requirements Analysis Tool 
(RAT) [14] tool, which is based on Biichi automata, and uses the SMC NuSMV [27] 
‘under the hood’. The tool is further extended to provide guarantees that a model is 
correct and robust by construction in [17].
Gupta et al. [48] provide a summary of the SAT-based technology with respect to its 
application to hardware analysis. They stipulate tha t HDD and SMC cannot handle the 
complexity of modern hardware system verification and instead suggest that Bounded 
Model Checking (BMC) can be used to find bugs (falsification), and Unbounded Model 
Checking (UMC) and proof based iterative abstraction can aid in finding proofs (verifi­
3.5. Theorem Proving 41
cation). G upta et al. illuminate th a t BMC techniques have been enhanced with hybrid 
SAT solvers and customised property translations, which effectively produce lazy index­
ing over bounded conjunctions and disjunctions to deal with the ever present state space 
explosion problem. Furthermore, when this technique no longer suffices, modern methods 
for distribution of BMC over a network of machines are identified to overcome memory 
limitations. [48] also identifies a tool, VeriSol [40], developed by the authors, tha t has 
been used on industrial cases, exploits the above techniques for model checking modern 
complex hardware systems.
One application of BMC for hardware systems deals with the case of a reset state, 
where upon initialisation or resetting a hardware system the state is not specified by the 
designer and thus cannot be determined. Khasidashvili and Hanna [56] introduce their 
adaptation of a BMC algorithm and an induction method to enable equivalence checking 
without a specified reset state. By introducing three values for signals, T, F, and X ,  
Khasidashvili and Hanna are able to provide a unique value, A, for the reset state. They 
note th a t whilst SAT based verification concentrates primarily on property checking, it 
can be applied to circuit equivalence checking; and tha t the translation of model checking 
problems to SAT problems would benefit from the development of alternative methods 
to expedite verification time.
An orthogonal approach by Nguyen et al. [67] identifies a symbolic representation for hi­
erarchical constructs, such as parallel composition, within BDDs. These constructs can 
then be applied to different model checking languages to enable symbolic model check­
ing. One of the languages identified within their self contained framework for encoding 
hierarchical modelling languages is CSP.
Clearly within the identified literature, it is apparent tha t the premise of SMC for hard­
ware analysis is valid. The research shows th a t the application of additional algorithms 
is useful to increase the efficiency of the model checking, and make the approaches more 
scalable. Furthermore, the adaptation of formal analysis tools for hardware verification 
is not uncommon.
3.5 Theorem  Proving
Theorem proving has been applied to formal equivalence checking of hardware systems. 
For instance, Hao et al. [49] identify additional algorithms to optimise scalable equivalence 
checking for RTL level designs. These optimisations are based on Satisfiability Modulo
42 Chapter 3. Literature Review
Theories (SMT), using Co-operating Validity Checker 3 (CVC3) [11], and applied within 
AutoPilot [94], a high level synthesis tool for hardware, to optimise synthesis.
Ostroumov and Tsiopoulos [75] detail an automatic generation of VHDL descriptions 
from Event-B [2] B Action Systems [101] descriptions. The Event-B model has been 
developed using Event-B’s ideas of refinement, introducing more detail through each 
refinement layer; concepts similar to VHDL’s own development approach. An imple­
mentation of the automatic generation of a concrete model has been included in the 
form of a beta plug-in for the Event-B tool Rodin [3]. At time of writing we understand 
that Ostroumov is working on expanding this research to design hierarchical hardware 
descriptions through the use of Event-B decomposition to identify such structures.
Reetz and Kropf introduced a hybrid formal analysis tool in [79], for hardware analysis. 
At the time, 1996, Reetz and Kropf identified tha t there were many suggested approaches 
for embedding formal semantics to VHDL, but tha t it was not clear tha t these semantics 
reflected VHDL throughout the different development levels. Their approach works at 
this simulation level rather than the NetList level or abstractions of the RTL level in 
order to preserve the hierarchical structure within a VHDL description.
Reetz et al. [80] further extend FLOW ER with the idea of verification benches. Verifica­
tion benches are based on VHDL’s testbenches, however they identify tha t the natural 
VHDL assertion is not strong enough, and so introduce a new form of assertion for a 
verification bench.
The PREVAIL Environment [33] has also been applied to formal analysis of hardware. 
This environment is used by Borrione et al. [20], who split VHDL descriptions such 
tha t all timing aspects are abstracted for model checking, effectively resulting in static 
model checking for the behaviour; and VHDL components are replaced with a high level 
specification for theorem proving. However, Borrione’s research has migrated in recent 
years to A Computational Logic for Applicative Common Lisp (ACL2) [66] as opposed 
to PREVAIL to verify hardware descriptions.
Borrione and Georgelin [21] present a translation from VHDL to a first-order logic model 
suitable for verification within ACL2. ACL2 offers formal verification, as well as symbolic 
simulation and model execution, and contains an inference engine for proof analysis; 
allowing proof of component properties and functional equivalence.
Rodrigues et aVs model abstracts physical time, and instead models simulation cycles 
based on the rising edge of the clock. The model’s state is advanced after process steps, 
where multiple steps may be contained within a simulation cycle; process steps are com­
3.5. Theorem Proving 43
parable to delta delay units. The translation is expanded to translate contained VHDL 
components within a hardware design. This work is furthered by the same authors in [98] 
by introducing an additional simulation cycle to enable the capture contained hardware 
component. From this model construction, Rodrigues et al. reason over the system in 
terms of component properties rather than  their internal definition.
Tahar, Curzon, and Lu evaluate approaches to formal verification of hardware using 
theorem proving (Higher Order Logic (HOL)), explicit (Verification Interacting with 
Synthesis (VIS)) and symbolic (Multiway Decision Graphs (MDG)) model checking in 
[93] ; a case study is used for this comparison. From this research, the conclusion is drawn 
that whilst theorem proving can provide the most exhaustive verification of a hardware 
system, the effort is far greater due to the number of interactive proofs. Tahar et al. 
expressed that, at the time of writing, VIS identified an accepted approach for model 
checking hardware th a t had high confidence in both industry and academia, but tha t 
a comparison of the RTL level model and a high level behavioural model was virtually 
impossible using VIS.
Alternative research for theorem proving discusses the idea of using Temporal Logic 
to develop ‘rely/guarantee’ style rules for the decomposition of a single proof, over a 
large scale system, into proofs of its subcomponents by Dongol et al. in [34]. Dongol 
et al. reason about shared variable concurrency systems involving interleaving models. 
As a result, guarantees are made for writing to a single variable within time frames, 
using interval predicates, to ensure correct behaviour as a result of this decomposition. 
Parallels can be drawn between the approach and the interleaving of VHDL processes 
and the communication over VHDL signals.
Theorem proving techniques have been used both  with and without model checking to 
aid in providing confidence in hardware systems since the early 1990’s. During this time 
there has been a move from deep embedding (as previously discussed in Section 3.2), to 
the construction of abstract network models, as well as the application of decomposition 
and abstraction of hardware descriptions.
Most recently however, work by Butler et al. [24] has focused on applying the Event-B 
refinement approach to system co-design, defining systems in terms of their components. 
A plug-in called CO-Design Architecture (CODA), has been developed tha t provides a 
graphical front end to guide the development approach of Event-B models within Rigor­
ous Open Development Environment for Complex Systems (Rodin). The methodology 
of CODA has a strong notion of time and signal delay. Refinement consistency between 
CODA levels is ensured using Event-B proof obligations and suitable gluing invariants,
44 Chapter 3. Literature Review
enabling itterative refinement to an implementation level, e.g., a VHDL RTL representa­
tion. Furthermore, model checking may be applied at each level, allowing LTL assertions 
to be evaluated for a system design. W hilst this methodology is still evolving, it identifies 
a suitable approach for correct-by-construction development of systems with the notions 
of time and communication inherent within VHDL.
3.6 Hardware Coverage
In Section 3.1 the concept of code coverage was summarised. We identify different uses 
for formal methods within the literature for identifying and closing the coverage gap 
(those coverage cases not found) in this section. This area has become one of the most 
active domains for the application of formal methods within hardware verification.
A SAT based methodology using BMC for identifying missing coverage cases is presented 
by Grofie, Kfihne, and Drechsler in [47], with an idea to close the coverage gap. If a 
property does not produce 100% coverage, the LTL expressed coverage property fails 
and results in a counter example. From this counter example a scenario can be drawn, 
however this is of the form A C, rather than an expressive behavioural trace, since 
the behavioural design is not fully modelled. The goal of this work is to identify missing 
scenarios where input stimuli do not generate the considered output.
Chen et a l discuss the expense, in terms of EDA tool simulation time, involved in 
the function validation for System-on-Chip (SoC) [26]. As a result, Chen et al. offer 
a decision ordering heuristic tha t identifies overlap in produced counter examples for 
formal specifications, in the form of Temporal Logic, evaluated for a hardware design. 
The benefit being tha t this reduces the number of scenarios identified for simulation and 
therefore the coverage gap closure is more efficient with respect to simulation time.
Similarly, Blackmore et al. [13] establish that a lot of the testing effort is in determining 
which cases are coverable but unexplored, and which are identifying dead code. Black- 
more et al. put forward an autom ated formal property analyser for determining coverage 
holes (cases within the coverage gap) tha t do not pertain to dead code. This is affected by 
utilising a formal property checker th a t can identify dead code. From this, the coverage 
report can be updated and thus erroneous cases removed based on the tool findings.
The development approach within languages such as VHDL and SystemC begin with 
Transaction Level Modelling (TLM) and perform multiple refinements to implement a 
system design. One of these stages of refinement is the partitioning of software and
3.7. Our Approach 45
hardware co-design, and the communication protocol identification between these two 
aspects; this is normally carried out at TL31. Bombieri et al [19] discuss the simula­
tion approaches and verification strategies for verifying this communication protocol in 
particular. Since formal analysis bridges two domains, abstractions are defined for both 
so th a t the focus can be on the protocol. The verification assertions from the TLM are 
identified as still applicable since the co-design is a refinement of the original system.
Bombieri et al. [19] go on to discuss the use of fault injection to aid in the verification of 
system properties. They note however, tha t it is not enough to simply introduce a fault 
and validate a model from this. Instead a comparison must be drawn from comparing 
the coverage of both faultless and introduced fault designs to ensure the property is 
evaluating the design correctly.
3.7 Our A pproach
This chapter has discussed the literature surrounding hardware verification using formal 
methods. The research has digressed from the 1990’s view of formal embedding and model 
checking to focus instead on analysis of coverage, and within this the possible approaches 
for aiding in analysing corner cases when testbench simulations fall short. However 
there is a resonating formal approach within the research, the CSP process algebra, from 
Barton [12] to Evans [35], and more recently Kharmeh, Eder, and May [55].
As previously identified, the initial starting point for our research was to evaluate an 
existing method for model checking VHDL using CSP developed by our sponsor, AWE 
[35]. Their suggested approach struggles to scale to model large models due to the 
compositional nature of the models and their initial construction within FDR. However 
the results in [84] demonstrate tha t when CSP models are constructed in a way that 
suites the hierarchical composition within FDR, there is potential for the approach to be 
applied to large systems.
The goal of this research, from our sponsor’s perspective is a methodology for the au­
tomated verification of hierarchical hardware systems, returning the most descriptive 
counterexamples possible as feedback to remove design issues, with a focus on CSP. This 
is due in part to their formal experts being familiar with the language, but more impor­
tantly on the grounds tha t CSP is a very expressive language able to describe high level 
behavioural properties with relative ease.
1 T L 3  p r o v i d e s  ‘e x e c u t a b l e  s p e c i f i c a t i o n s  a n d  t h e  f i r s t  l e v e l  o f  f u n c t i o n a l  p a r t i t i o n i n g  o f  d a t a  a n d  
c o n t r o l ’ ( f r o m  [ 1 9 ] ) .  I t  i d e n t i f i e s  p r o o f  o f  c o n c e p t  f o r  a  s y s t e m
46 Chapter 3. Literature Review
The literature identified within this chapter has illuminated the possible styles of hard­
ware verification: from system properties forming the basis of a refinement specifica­
tion [16]; to fault injection to illuminate required behaviour [19]. Both of these ap­
proaches are explored and the feasibility to apply these styles evaluated within our case 
study chapters, Chapters 9 and 10. Furthermore, adaptations of existing formal tools and 
frameworks for hardware analysis have been apparent throughout this literature review, 
e.g., [64], [15], and [80]; this raises the question: ‘Are there any CSP methodologies that 
model the behavioural semantics of VHDL?3
In Chapter 4 we describe a CSP compiler th a t exhibits some of the hardware behavioural 
properties required, conscious of the need to produce optimised models for analysis in 
FDR. We then proceed, in Chapters 5-8 to identify the significant alterations to the 
compiler necessary to correctly represent VHDL hierarchical systems.
Chapter 4
Shared Variable Analyser
The Shared Variable Analyser (SVA) [82, 83] is a compiler for an abstract language, 
written using CSP and Haskell functions, to analyse systems composed of global variables 
and threaded processes. The compiler takes as its input, an SVA system, and generates 
a representation of it as a CSP model. The CSP model can then be used to analyse 
the interleaved behaviour of the threaded processes and verify safe behaviour across the 
shared variables.
The SVA compiler provides a wide range of additional functionality including: grouping of 
statements into a single atomic step, the provision of overseers, and the ability to include 
events on which the threaded processes must synchronise. The latter is the functionality 
of interest in this thesis.
In this chapter we focus on identifying those areas of SVA that may be utilised to form a 
suitable platform to produce formal hardware models. We first identify the SVA syntax 
in Section 4.1 which is used to define an SVA system. Section 4.2 defines the compilation 
flow of the compiler.
Section 4.3 identifies the compiler functions tha t build the CSP models from an SVA 
input. The compilation strategies available within the SVA compiler are given in Sec­
tion 4.4. Section 4.1.6 illustrates the use of the SVA language using our running example. 
This chapter concludes with Section 4.5, identifying the alterations to the SVA compiler 
tha t are necessary to formally model hardware descriptions.
A detailed account of the SVA compiler from [82,83] is required since it is the basis for 
the compiler proposed by our research.
47
48 Chapter 4. Shared Variable Analyser
4.1 T he SVA Syntax
CSP contains the ability to define Haskell functions. The SVA compiler predominantly 
makes use of Haskell functions, utilising CSP datatypes to define its own language.
The three main CSP datatypes, Cmd, BExpr and lExpr define the SVA syntax. The 
Cmd datatype provides the key programming operators and functionality of the SVA 
language, such as conditional statements, loops and variable assignment. The BExpr 
and lExpr  datatypes are used to define functions tha t perform variable computation and 
comparison.
The shared variables, IVAR  and BVAR, integer and boolean shared variables respectively, 
are defined as CSP processes tha t allow read and write events to occur. Both integer 
and boolean variables are identified using a prefix, I V  or B V  respectively, followed by 
an indexed integer value, e.g., I V .2.
Similarly, processes in SVA are given an indexed integer value when representing them 
in terms of CSP events. SVA processes, whose behaviour is captured using the datatypes 
identified, interact with these shared variables over four distinct CSP channels: iveval, 
ivwrite, bveval, and bvwrite.
All these channels have three parameters: the process identifier of the process tha t is 
involved in the event, the variable identifier tha t is involved in the event and the value of 
the variable being read or written. For example, a process with identifier 1, writing the 
value 5 to the integer shared variable I V .2, will appear as the CSP event ivw rite .l.IV .2.5 
once the SVA analyser translates the SVA description to CSP.
The SVA language does not support enumerated types; it was originally written around 
handling only integer and boolean types. The functions available within the compiler 
reflect this, and indeed it would not be possible to determine incorrect assignments to 
enumerated variables using the method employed. We identify a suitable way of working 
with this restriction in Section 5.2.
4 .1 .1  S V A  P r o c e s s
An SVA system is a collection of SVA processes tha t can be structured hierarchically. 
An SVA process is defined in terms of the Cmd datatype given in Section 4.1.2. An SVA 
process, P, is of the form P() =  (Cmd)({}, {}). The additional tuple of sets provided 
in the definition of an SVA process are used to identify sets of any parametrised shared
4.1. The SVA Syntax 49
datatype C m d
Skin | S q .(C m d , C m d) \ 
ag.&gfCmd) |
Ite r .C m d  | W h ile .(B E xpr, C m d) \
C ond.(B E xpr, C m d, C m d)  |
Iassign .(IE xpr, lE x p r) \ B assign .(B E xpr, B E xpr)  |
Sig.S ignals  | IS ig .(IS ignals, lE xpr)  |
A to m ic .C m d  | E rrorC
Figure 4.1: SVA constructs defined as CSP datatype
variables, and any overlord variables used within the process definition, respectively; this 
additional tuple is not applicable within our work.
4 .1 .2  The Cm d  D atatype
The Cmd datatype is given in Figure 4.1 and identifies the definition of each of the 
SVA syntactic constructs. Clearly, as illustrated in Figure 4.1, the SVA language is 
a prefix language, specifying the construct first, followed by its arguments; this en­
ables Haskell pattern  matching when parsing. For instance, the conditional construct 
Cond.(BExpr, Cmd, Cmd), identifies the boolean expression to be matched, the true 
branch as the second argument, and the false branch as the third.
The Skip construct is identified, allowing single branch conditional statements to  be 
described. To define sequential behaviour, the Sq construct is provided for two sequential 
statements, and the SQ.Seq construct for larger sequences of statements. Assignments to 
the shared variables are made using the lassign and Bassign constructs. In this chapter 
we illustrate the use of Iter  as it gives a natural representation of our running example. 
However, constructs such as Iter, While and Sig, will not be required by our proposed 
Shared Variable Analyser for VHDL (SVA4VHDL) compiler.
4 .1 .3  The lE xp r  D atatype
The SVA syntax offers several constructs for describing behaviour associated within inte­
ger shared variables; the definition of which are given in Figure 4.2. The most simple of 
these datatypes is the identification of an integer variable, IVar, which is appended with 
the integer variable identifier. Constant values may also be described using the Const 
datatype, and can be any value within the range captured by M ini and M axi.
50 Chapter 4. Shared Variable Analyser
datatype lE x p r —IV ar.ivnam es \
I  A rc .{ignam es, lE xpr)  |
C onst. M in i ..M a x i  |
B IO p .B in lO p s .lE x p r .lE x p r  |
U IO p.U IO ps.lE xpr  |
E rro rl
datatype B in lO p s  =  P lus  | T im es \ M inus  | D iv  \ M od \ M ax \ M in  
datatype UIOps  =  Uminus
Figure 4.2: SVA integer expressions defined as CSP datatype
datatype B E xpr = B V a r.b vn a m es \
B A rc.(banam es, Œ xpr)  | True \
False  | N ot.B E xpr \ E rrorB  |
B B O p .B in B O ps.B E xpr.B E xpr \
Com p O p . Com p O ps. lE x p r . lE xpr
datatype B inB O ps  =  A nd  | O r  | X o r  
datatype C om pO ps  =  Eq \ Neq \ G t \ C e \ L t \ Le
Figure 4.3: SVA boolean expressions defined as CSP datatype
Calculations may be described in SVA using the BIOp and UIOp datatypes tha t can be 
nested to capture more complex operations.
4.1.4 B E xpr  D atatype
Boolean datatypes (see Figure 4.3) are also provided for describing systems in SVA. These 
are used not only for operations on boolean variables, but also for describing boolean 
conditions for Cmd operators such as Cond\ the CompOp is used for evaluating two 
integer expressions.
4.1.5 SVA Process Exam ple
Figure 4.4 provides an example SVA process to illustrate the use of the datatypes. It 
describes an iterative process (loops continuously without a guard) tha t compares two 
variables IV .2 and I V .3 and, if equal, sets the value of I V .1 to 0, otherwise the value 1 is 
assigned. In effect this process describes a NAND gate. Notice tha t the type of variable 
is identified as an integer using the IVar prefix in Figure 4.4.
4.1. The SVA Syntax 51
P ()  =  (I te r .C o n d .(C o m p O p .E q .IV a r.IV .2 .IV a r .IV .3 ,  
la s s ig n .(IV a r .IV .1, Const.O),
Ia ss ig n .(IV a r .IV .1, ( 7 o n s t l ) ) ) ( { } ,  { } )
Figure 4.4: A simple SVA process
C h i l d _ k ( 0 ) =  I V . l  
C hilcL k ( 1 ) =  I V . 2 
C h i l d _ k ( 2 ) =  I V . 3
C h i l d ( i )  =
( I t e r  .
SQ .< l a s s i g n  . ( I V a r .  C h ild _k  ( i ) ,BIOp. D i v .  l A r c . ( I A . 1 , C o n s t . i ) . C o n st  .2 )  ,
S i g . ready ,
l a s s i g n  . ( l A r c . ( I A . 1 ,BIOp.M od.BIOp. P lu s  . C o n s t . i . C o n s t . 1. C o n st  .N) ,
BIOp. P l u s . l A r c . ( I A . 1 ,BIOp.Mod.BIOp. P lu s  . C o n s t ,  i . C o n s t . 1.  C o n st  .N) . 
IV a r .  C h ild _k  ( i ) ) ,
S i g . r e f e r e e  ,
l a s s i g n  . ( l A r c . ( IA .  1 , C o n s t ,  i ) ,
B IO p. M in u s . l A r c . ( I A . 1 , C o n s t . i ) .
IV a r .  C h i l d - k ( i ) )  ,
Cond. ( CompOp. Neq. BIOp.Mod. I A r c . ( I A .1  , C o n s t ,  i ) .C o n s t .  2 .  C o n s t . 0 , 
l a s s i g n  . ( l A r c . ( I A . 1 , C o n s t . i ) ,
BIOp. P l u s  . l A r c . ( I A . 1 , C o n s t . i ) . C o n s t . 1 ) , Skip ) ,
I S i g  . ( c h S w ee ts  . ( ( i +l)9cN) , I V a r . C h i ld -k  ( i ) ) ,
S i g . p a s s e d >
) , ( { I V a r .  C h i l d _ k ( i )  , I V a r . IA . 1 .  ( ( i +1)99M) , I V a r . IA . 1. i } , { } )
S t r u c t  =
C o m p iie (<  C h ild  (0)  , Child  (1 )  .C h i ld  (2 )  > )
( {  | c | c <—U n io n ({  S ig n a ls  , I S i g n a l s  , E r r o r s } )  | } )
Figure 4.5: An SVA representation of the Uniform Candy Distribution Puzzle
4 .1 .6  R u n n in g  E x a m p le :  C a n d y  P u z z le :  S V A  A p p r o a c h
To illustrate the SVA language, in particular its application style and structure, we again 
use the Uniform Candy Distribution Puzzle, recall Section 2.1.3.
As previously mentioned in this chapter, a process in SVA may be parameterised. To 
remove the need to define three individual Child SVA processes, we instead define only 
one, indexed by i.
For convenience in the SVA solution, we use SVA arrays, identified as lArc, Figure 4.1, 
where the first argument is the indexed integer shared variable array, denoted IA  rather 
than  IV , and the second argument is the element of the array. Also, as we are using an
52 Chapter 4. Shared Variable Analyser
indexed process, it is possible to define a function tha t returns a unique integer shared 
variable, Child-k(i).
Our SVA solution to the Uniform Sweets Distribution Puzzle is given in Figure 4.5.
We use SVA signals for reporting, but additionally to control execution. Signals synchro­
nise the behaviour of children at certain points during their execution denoted by values: 
ready, referee and passed, prefixed by the datatype Sig. Consequently, we are able to 
ensure tha t each child first acknowledges how many sweets she will be removing from her 
own pile at the beginning of a round. Once all children have read in their current number 
of sweets they proceed to add half of their sweet pile to their neighbouring child’s pile. 
Again, once all children have performed this step they will update their sweets pile by 
removing those passed to their neighbour from their count, and if they then have an odd 
number an extra sweet is added.
The specialized signal, prefixed ISig, reports the current value of a shared variable. By 
using the ISig we are able to use the CSP specification given by Roggenbach [53], Figure 
2.11 on page 33, in terms of this signal, and hence demonstrate tha t the system will 
stabilise after nine passes have occurred, and that each child will have four sweets.
4.2 C om pilation Flow
The compilation flow for the SVA compiler is given in Figure 4.6. In describing this 
compilation flow, we discuss the compiler functions bottom  up, rather than  top down. 
This approach is necessary to understand the non-trivial return types from each of these 
functions and how they are used within the calling functions.
The Analyse function generates the composition alphabets of each process, and identifies 
the read and write shared variables for each process. The composition alphabets and 
shared variables are determined by passing each process in tu rn  to the Analysel function 
tha t unpacks the process’ behaviour.
Similarly, the CompileList function passes each process to the MainProc function. A 
CSP process representing the behaviour of the SVA process is returned.
4.3 The SVA Com piler Functions
W ithin Figure 4.6 the functions Analysel and MainProc were identified. These are pat­
tern matching functions responsible for the deconstruction of SVA processes and returning
4.3. The SVA Compiler Functions 53
BVAR IVAR
Compile
Analysel
CompileList
Analyse
MainProc
Figure 4.6: SVA compilation flow
the information necessary for constructing a CSP representation of an SVA process. The 
Analysel function returns a tuple of sets. These sets are populated during the parsing 
of an SVA process. The signature can be defined as:
A n a lyse l :: C m d  —> (S e t(ivn a m es), S e t(ivn a m es), S e t(bvn am es),
Se t(bvn am es), In t, Set(S ignals))
where ivnames and bvnames are the shared integer and boolean variable names respec­
tively, and Signals represents the user defined signals. We focus on the first two sets 
returned within this tuple. The first is the write frame, the integer shared variables that 
an SVA process writes to within the process behaviour. The second set is the read frame 
of the SVA process, containing all shared variables that are read during the behaviour 
of the process. These sets are then manipulated by the Analyse function, discussed in 
Section 4.3.1.
The MainProc function generates an equivalent CSP process for each SVA process tha t 
it is passed. To reiterate, SVA systems are defined in terms only of iveval, ivwrite, bveval 
and bvwrite events (unless signals have been used within the SVA program ), thus the 
CSP process tha t is returned comprises primarily these events. However, since an SVA 
process defines sequential statements, CSP sequential composition is used to capture this 
behaviour.
4.3.1 A nalyse
W ithin the Analyse function, the read and write frames, returned from calling the 
Analysel function, are manipulated into various sets. For example, the I W (Integer
54 Chapter 4. Shared Variable Analyser
A lp h a =  {\ivw rite.O , iveva l.0,
v e r r o r .I V .l ,  error.O  |}
L I  =  { |  ivw rite .O .IV .1, iveva l.0 .I V . l ,  
iveval.O .IV .2 , iveva l.O .IV .3 |}
IR  =  { I V .2, I V .3 }  
i w  =  { I V . l }
R O I =  { I V .2, I V .3 }
L IV  =  { I V . l }
AOB = {}
L IB  = { }
Figure 4.7: Returned sets from applying Analyse to process P() in Figure 4.4
Write) set contains all integer shared variables th a t have not been identified within pre­
viously parsed process write frames. The set IR  (Integer Read) is also created and is far 
simpler in its definition than  IW , listing all integer shared variables within the associated 
SVA process’ read frame.
Other sets are also generated from the read and write frames returned by the Analysel 
function call. Rather than just identify sets containing variable names, these sets generate 
alphabets associated with the specific SVA process. The first of these is L I  (Alphabet 
of Variables), used to identify the interface alphabet between the SVA process and those 
variables to which it will initially be composed.
The other key alphabet generated within the Analyse function is Alpha: this is the al­
phabet for the process/variable composition that will be generated. This ensures that 
the alphabetised parallel composition of the process and variables will allow other SVA 
processes to read and write to those variables within the generated composition as re­
quired.
Applying the Analyse function to the process P (), given in Figure 4.4, returns the sets 
identified in Figure 4.7.
As previously mentioned, the information returned by the SVA Analyse function becomes 
increasingly complex based on the system being defined. To illustrate this complexity, 
Figure 4.8 details the sets generated to ensure correct generation and composition of 
the second instance of the Child(i) SVA process in the Uniform Candy Distribution 
Puzzle in Figure 4.5. Notice tha t as Child(1) reads and writes to the variable IA.1.2, 
it is composed with the Child(1) process, and thus the allowable events iveval.2.IA.1.2 
and wwrite.2.IA.1.2 are also included in the definition. Also, there is now a discrepancy 
between the Alpha and L I  sets distinguishing those events that can be hidden and those
4.3. The S VA Compiler Functions 55
A lp h a =  { { iv w r i te . l .I V .1, ivw r ite .l.IA .1 .1 , ivw r ite .l.IA .1 .2 ,  
i v e v a l . l . I V . l ,  iv eva l.l.IA .1 .1 , iv e v a l . l .I V .2.1, 
iveva l.2 .IA .1 .2 , ivw rite .2 .IA .1 .2 , e rro r .1, 
v e r ro r .IV .1, verror.IA .1 .1 , verror.IA .1 .2 , passed, 
ready, referee  |}
L I =  { |  i v w r ite . l .I V .1, ivw r ite .l.IA .1 .1 , iv e v a l . l .I V .1.2, 
ivw r ite .l.IA .1 .2 , i v e v a l . l .I V .l ,  iveva l.l.IA .1 .1  |}
IR  = { I V .2 ,I A .1 .1 ,I A .1 .2 }
I W  =  { I V .2, IA .1.1, IA .1.2}
R O I  = { }
L IV  = { }
R O B  =  { }
L IB  = { }
Figure 4.8: Returned sets from applying Analyse to process Child(1) in Figure 4.5
that cannot after the composition of Child(1) with those variables identified through the 
union of IW  and IR.
4.3.2 CompileList
The CompileList generates the composition between SVA processes and their associated 
shared variables, based on the information supplied by the Analyse function.
For each SVA process, shared variables are selected. This selection comprises the union 
of the sets L IV  (List of writeable Integer Variables), L B V  (List of writeable Boolean 
Variables), R O I  (list of Read Only Integer variables) and ROB  (list of Read Only Boolean 
variables), all of which are returned by the Analyse function, as illustrated in Figure 4.7.
Each shared variable, represented by a CSP process, is first composed (using an interface 
parallel) with the CSP process Stop. The composition identifies the events th a t are out 
of scope of the shared variable, and as such, are therefore blocked from future use; these 
encompass those SVA processes that do read and/or write to the shared variable. For 
example, the variable I V .1 from Figure 4.4, would be composed with Stop using the 
interface alphabet: {| ivw rite .l.IV .2, ivw rite .l.IV .3 |}
Whilst these blocked events never occur, they are still initially available in the process 
definitions and thus must be removed as early as possible. The sets returned by the 
Analyse function are used to derive the set of blocked events.
Once the shared variable process behaviour has been restricted, it is interleaved with the
56 Chapter 4. Shared Variable Analyser
other shared variables to be composed with the current SVA process. This interleaving of 
shared variables is then composed using an interface parallel with the CSP representation 
of the SVA process returned by the MainProc function.
From this method of composition it is clear to see tha t shared variables may be composed 
with more than one SVA process. Whilst this is not an issue if the variable is read only 
for all processes within an SVA system, this can cause complications if written to. Hence, 
a shared variable process is only added to an interleaving if the shared variable has not 
previously been composed with another SVA process, or is read only (that is a constant). 
This is again determined by the Analyse function and those writeable shared variables, 
not previously composed, are defined within the IW  set.
In the case of the process PQ  given in Figure 4.4, the interleaved variables would include 
the set defined as R O I  U ROB  (J L IV  U LIB  from Figure 4.7. Clearly, the sets produced 
by Analyse identify partitions between processes more clearly as systems get larger, see 
Figure 4.8.
Finally, once all processes and variables have been generated, they are returned to the 
compile method that called the CompileList function as a list of tuples. Each tuple 
contains a translated SVA process, composed with its shared variables, and the associated 
alphabet of the process and shared variables composition. This information is then used 
to produce a fully composed CSP system that can be analysed by FDR to verify system 
properties.
4.4 C om pilation Strategies
SVA offers several compilation strategies, both uncompressed and compressed. The com­
pression methods available utilise the strategies within FDR to enable the analysis of 
larger models.
4.4.1 Uncom pressed Com pile M ethods
The uncompressed approaches are the Compile and StructuredCompile methods. The 
first method, Compile uses the list of tuples passed by the CompileList function to gen­
erate an alphabetised parallel composition of all translated SVA processes. For example: 
C om p2Z e((fiQ ,f20 ,f30)) becomes P i P 2  ^
The second method, StructuredCompile, as the name suggests, allows a structure of 
a system to be given. The compiler uses this structure to determine the ordering of
4.4. Compilation Strategies 57
compilation. The function CompiledStructure is defined to generate a structured sequence 
of compiled CSP process and alphabet tuples that can be used by other compilation 
strategies, some of which are discussed later in this section. In order to define such 
hierarchical structures, a new datatype, CSStruct, is introduced:
datatype C SStruct  =  C SL eaf.C m d  | C SN ode.Seq(C SStruct)
This provides a labelling for defining structures, where a CSNode contains a sequence of 
CSStruct elements, and each CSLeaf is parameterised with an SVA process (recall Cmd 
from Figure 4.1). Thus systems may be defined with a hierarchical, ‘tree like’, structure 
as depicted in Figure 4.9.
In order to compile a structured SVA system, the system is first flattened, th a t is, all 
structure is removed. The function CSFlatten is defined to remove the SVA processes 
methodically from the structured system CSLeaf elements, parsing the structure depth 
first from left to right. The SVA processes are added to a sequence and passed to the 
CompileList function to generate the CSP representation of the SVA processes, returning 
a CSP process and alphabet pair for each CSLeaf.
Once all SVA processes (CSLeaf) have been compiled, the structure must then be reap­
plied. To do this, both the original uncompressed system, and the sequence of tuples 
from CompileList are passed to the Unflatten process. The structure of the system is 
then reapplied to the compiled processes, using a new datatype structure, PStruct, th a t 
is defined as:
datatype P S tru ct  =  P SL eaf .(Proc, S e t(E ven ts))  | P SN ode.S eq(P S truct)
This new datatype defines a PSLeaf as a tuple containing the aforementioned CSP pro­
cess, and an alphabet. The Unflatten process then maps each CSNode to a PSNode and
CSNode 
CSLeaf .Pj CSNode
, I ,
CSLeaf .ft, CSLeaf ,p^
Figure 4.9: SVA hierarchical structure
58 Chapter 4. Shared Variable Analyser
Com piled Structure (c t) =  let
(C s, O vSrs)  =  C SF latten (c t)
( p t , - )  — U n F la tten (ct, C om pileL ist(C s, O vSrs))
w ith in p t
Figure 4.10: SVA CompileStructure function from [83]
each CSLeaf to a PSLeaf, exchanging the original un-compiled SVA process (Cmd) for 
a compiled CSP process alphabet tuple (Proc, Set (Events)).
The ordering of the processes is maintained due to the use of sequences, ensuring that the 
processes are placed in their original structure after compilation has taken place. After 
reapplying the system structure, a compilation strategy may then be applied.
The CompiledStructure function tha t composes the compiled SVA processes using their 
associated structure is given in Figure 4.10. Note tha t we do not discuss the SVA over­
seers, denoted as OvSrs within our work as these are out of scope, but are given within the 
original SVA code. Applying CompiledStructure (ct) from Figure 4.10 to the hierarchical 
structure given in Figure 4.9 produces the CSP composition Pi ap  ^H^uapg ( ^ 2  ap2\\ap3 
P3) where Pi, P2 , P3 are the compiled SVA behavioural and shared variable composi­
tions and ap1, ap2, ap3 are the associated alphabets respectively. Notice the ordering of 
composition differs to that generated by the Compile function.
The StructuredCompile strategy utilises the CompiledStructure function and then using 
the PStruct structure provided, compiles the system. Once again pattern  matching is 
employed within the SVA compiler. For each PSNode, the contained sequence of elements 
are placed in an alphabetised parallel composition, much the same as the original Compile 
function. However, the alphabets of the contained elements are also unioned together, 
thus defining the alphabet of each PSNode.
This approach means that not only can the CSP processes be composed together from 
PSLeaf elements, but tha t those composed processes may then be placed in alphabetised 
parallel compositions higher in the hierarchical structure.
An example of the use of the StructuredCompile strategy means that the SVA system 
given by:
(CSNode.((C5&eaf.Pi0, CaWe.((Œheo/.f2(), Œlea/.PsQ)))))
(note the structural resemblance to Figure 4.9) would be compiled, by the CompileStruc­
ture, into the PStruct structure:
4.4. Compilation Strategies 59
b
Figure 4.11: SVA compression visualisation 
(P SN ode.({P S L eaf .(P i ,  a p C , P S N ode.({P S L eaf .(P 2 , a p 2), P SL eaf .(P3, a p 3 ) ) ) ) ) )
And this would give the CSP parallel composition:
P -1 a p 1 \\ a p 2 L)aP3 ("^>2 otp2 Hq:p3
4.4.2 SVA Com pression Strategies
The SVA compiler was written in such a way tha t it is able to efficiently apply the 
compression techniques available within FDR [38] ; compression techniques in FDR were 
mentioned in Section 2.3.5.
Recall tha t SVA is designed to analyse the interleaved, threaded behaviour of systems. 
Some of the FDR compression techniques are very effective when used on interleaved 
behaviour, where the interleaved behaviour results in significant points of convergence. 
Thus it stands to reason tha t these compression techniques would be suitable in reducing 
SVA systems for analysis, as there will often be points where the system reaches identical 
global states by different paths.
SVA applies a consolidation of two of the available FDR compression methods, applying 
sbisim to a diamond compression of the system; this is referred to  as sbida. Diamond 
compression first applies r-loop elimination, and then continues to remove all other r  
actions from an Linear Transition System (LTS). Strong bi-simulation, sbisim is then 
applied to the resultant LTS, removing bisimilar paths within the LTS. The effect of this 
compression is illustrated in Figure 4.11. These compression techniques are identified by 
Roscoe et al. in [84], along with their benefits with respect to state space reduction, as 
well as the potential for increasing the state space when used inappropriately.
In applying this compression strategy to SVA processes, the overall state space of a 
process is reduced prior to its composition with the other processes, and thus the overall 
state space of the system is smaller (if applied correctly).
60 Chapter 4. Shared Variable Analyser
Utilising this compression method, several compression strategies can be used within 
SVA:
• CompressedCompile does not utilise the hierarchical structure, instead it is applied 
on a ‘flat’ system. From the list of tuples provided by the CompileList function, 
CompressedCompile analyses the alphabet of each process, and hides all behaviour 
between a SVA process, and the shared variables with which it is composed, before 
applying the sbida compression technique described above.
• HierarchicalCompress uses the hierarchical structure. First, the behaviour between 
each process and the associated shared variables is hidden and compressed, as with 
CompressedCompile. Hiding is then applied to all behaviour between the pro­
cesses and shared variables defined within each composed node of the hierarchical 
structure. The same compression technique is then applied to each node prior to 
composition, reducing the state space of the node prior to further composition.
Clearly, the SVA compiler does not generate a natural and readable representation of 
the system. Instead the output of SVA produces lots of small processes tha t are tightly 
defined and carefully composed, using compression, where appropriate, to reduce the 
state space as early as possible. The approach identified within the SVA compiler [83] 
illustrates the flexibility of CSP and tha t efficient models can be generated for such 
systems.
4.4.3 SVL System  D escription
As the SVA language is infix, reading the definition given in Figure 4.5 is not trivial. 
Additional work by Roscoe and Hopkins [86], introduces an intermediary language known 
as the Shared Variable Language (SVL) tha t can be translated to SVA. To provide clarity 
to the behaviour defined in our SVA representation of the Uniform Candy Distribution 
Puzzle the SVL representation is given in Figure 4.12.
We only provide the SVL for the Child process definition, and not for the system com­
pilation. Clearly, childSweets[i] is the array L4.1 and k is the indexed integer shared 
variable, ChildJk{i). Similarly, SVL sig represents SVA Sig, and isig represents ISig.
4.5. Tailoring SVA for Hardware Models 61
Child(i)  = { i t e r {  
in t  k\
k := childsSweets [i] /2  ; 
sig (ready)-,
childsSweets[(i  +  1)%AT] :=
sig (referee);
childsSweets[i] := childsSweets[i] — k; 
i f  (childsSweets[i]%2\ =  0) then{
childsSweets[(i  +  1)%N]  +  k;
childsSweets[i\ := childsSweets[i] +  1}; 
isig (ch.( i  +  1)% N , k); 
sig(passed)  }}
Figure 4.12: An SVL representation of Child process in Figure 4.5
4.5 Tailoring SVA for Hardware M odels
From the VHDL behavioural semantics [70], our SVA implementation of the Uniform 
Candy Distribution Puzzle, Figure 4.5, is analogous with the three stages of a VHDL 
process firing:
1. Taking a snapshot of the state of any VHDL signals used.
2. Performing some logical computation.
3. Updating the state of any signals th a t the process has altered.
A VHDL process fires when a signal it is sensitive to changes; as a result of this the 
cascaded firing of processes can occur as internal signals are updated. Only once all 
internal signals have stopped changing is the system considered to be in a stabilised 
state, waiting for external stimuli to start processes firing again.
Roscoe identifies a method for modelling StateM ate semantics and consequently analysing 
StateM ate state machines in FDR [87]. These state machines distinguish between internal 
and external stimuli, performing a variable number of incremental steps to stabilise the 
internal behaviour before external stimulus can be accepted. The concepts described in 
the StateM ate compiler tie closely to the behavioural requirement of VHDL, which is, 
th a t internal behaviour is instantaneous and reaches a stable state before external stimuli 
may influence the model.
By adopting the functionality available within another CSP [87] compiler, it is possible 
to identify the basis for modifying the SVA to appropriately analyse hardware systems.
To correctly model hierarchical hardware designs in SVA the following changes will need 
to be made:
62 Chapter 4. Shared Variable Analyser
• Introduction of a stabilisation model.
• Alter SVA Vars to correctly model VHDL signals with historical state.
•  Execution of a process based upon changes to signal state (sensitivity list).
• Introduction of a hierarchical structure able to represent VHDL systems composed 
of instantiated components.
• Determine the most suitable compression technique to enable efficient analysis of 
hierarchical hardware designs.
Chapter 5
Augm enting SVA to Define a 
Single VHDL Component
In previous chapters we discussed the VHDL language and identified a custom compiler 
on which a suitable formal hardware model can be based. The aim of this chapter 
is to provide the functionality necessary to capture a single VHDL component using an 
augmentation of the SVA compiler. We detail our implemented solutions to the following 
required changes specified in Chapter 4:
• Introduction of a stabilisation model.
• Alter SVA Vars to correctly model VHDL signals with historical state.
•  Execution of a process based upon changes to signal state (sensitivity list).
We first capture the VHDL stabilisation model as a CSP process suitable for inclusion 
within SVA in Section 5.1, and then define a suitable dynamic CSP representation for the 
three VHDL signal types: input ports, output ports and internal signals, in Section 5.2. 
A CSP model for VHDL sensitivity lists is given in Section 5.3, and Section 5.4 describes 
the addition of new syntax and the necessary changes made to the SVA compiler’s core 
functions. The translation patterns between VHDL and SVA are then provided in Sec­
tion 5.5. Finally, we illustrate the new SVA4VHDL compiler, and the SVA4VHDL rules 
from the previous section using our running example, the Uniform Candy Distribution 
Puzzle in Section 5.6.
63
64 Chapter 5. Augmenting SVA to Define a Single VHDL Component
STABLE'
stable
(Unstable^
.stable
Figure 5.1: Our VHDL stabilisation model
5.1 A  V H D L Stabilisation M odel for SVA
The simulation behaviour of a VHDL description must adhere to certain stabilisation 
properties, identifying when it is safe to read in new external signal (input port) values, 
write new external signal (output ports) values and update internal signal (signals) values. 
These properties were identified in Section 2.1 on page 8 .
To reiterate, within VHDL, processes react to changes to certain signal values that are 
identified within the sensitivity lists of a process. When such a signal value has changed 
the VHDL description is said to enter an unstable state, whereby processes sensitive to 
that signal will execute. Once all firing processes have finished, all internal signal values 
changed within this small internal execution cycle are updated.
If this in tu rn  triggers the firing of other processes within the VHDL description then 
this unstable state is maintained. This results in the cascaded firing of processes until 
such time as there are no changes made to any internal signals, ending with the system 
entering a stable state.
In a stable state, external interaction to input and output signals (input and output 
ports) may occur, enabling the update of input signal values and the reporting of new 
output signal values. Should an input signal change, that is on a sensitivity list of one 
or more processes, the system will once again enter an unstable state.
Our stabilisation model, illustrated by the state machine in Figure 5.1, distinguishes 
between internal incremental execution cycles (step events) and external execution cycles 
(stable events), and restricts the updating of external input and output signals (xch and 
outp events). We note that our notion for identifying unstable progressions (step) towards 
a stable state draws parallels with Barton’s concept on ‘reawakened’ state of a VHDL
5.1. A  VHDL Stabilisation Model for SVA 65
ST A B IL IS A T IO N  ( id ) =  let
ST A B L E  =  stable  - >  U P D A T E
U P D A T E  =  ou tp .id?— U P D A T E
□  xch. id?— -»■ U PD A TE
□  U N STA B LE
U N STA B LE  =  step  - >  U N STA B LE
□  ST A B L E
w ith in  U N STA B LE  
Figure 5.2: VHDL stabilisation model in CSP
process in [12] i.e., a step event identifies ‘reawakening5 the VHDL processes and executing 
their behaviour.
The stabilisation model represents an external view of a VHDL component and will 
become a necessary CSP control process for restricting the behaviour of VHDL signals. 
We capture the behaviour shown in Figure 5.1 within the CSP process ST A B IL ISA T IO N , 
given in Figure 5.2.
Once this stabilisation model is composed with the signals behaviour, Section 5.2, the 
behaviour of this stabilisation model becomes constrained. The availability of the step 
event, from the Stable state, will only become available once any changed output ports 
values have been reported. The reasons for this will become clear when scaling the system 
to deal with multiple component hardware designs, discussed in Section 6 .2 .
T h o u g h ts  on  M o d e llin g  T im e  EDA tools generally drive VHDL description explo­
ration using time and signal stimuli to reveal system behaviour, performing evaluation 
over a specified time. However, incorporating time in the analysis of a hardware design 
introduces additional aspects of a system that need to be addressed. For instance, assess­
ing if a chosen FPGA is able to compute the defined behaviour between specified clock 
cycles.
Since we are only interested in verifying the behaviour of the system, we abstract time 
from our analysis, treating the clock as we would any other signal, and instead focus 
on evaluating a system in terms of stabilisation cycles. Removing the need to specify 
time explicitly reduces the size of our models, and since we are applying model checking 
to verify system properties, all possible behavioural traces of a system are explored 
regardless. Our focus is on ensuring tha t the VHDL behaviour described meets the
66 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
system requirements and does not introduce any unwanted behaviour. Certifying that 
the system behaviour is possible for a specific clock frequency and FPGA is a Platform 
Specific Model (PSM) requirement; we focus on Platform Independent Model (PIM) 
problems.
5.2 V H D L Signals as CSP Processes
W ithin the original SVA compiler there is no notion of stabilisation, a variable can 
unreservedly be read or written at any point, such that, an integer variable is simply 
defined as:
IV A R (x , v ) =  iveva l l—\x\v  —> IV A R (x ,  v)
□ i v w r i t e l - l x l w  —> IV A R {x ,  w)
In defining a representation for VHDL signals the following properties of a signal must 
be captured:
• Distinguish between small internal execution cycles and external execution cycles.
• Return a constant value during a specific execution cycle, even if the value has been 
changed during th a t same execution cycle.
• Update a signal value at the end of a cycle if the value has changed. The execution 
cycle differs (internal or external) depending on the signal type.
• Identify if a signal changes over an execution cycle.
•  Distinguish between signal types (internal signals, input ports and output ports).
As previously identified in Section 2.1, VHDL signals have different behaviours depending 
on their type. VHDL input signals may only be read, VHDL output ports may only be 
written and VHDL internal signals may be read and written. However, VHDL signals 
must also only change value at particular points within execution cycles.
In adapting the SVA compiler to model VHDL descriptions, a new model of an SVA 
integer shared variable (the CSP process IVAR) must be defined. To ensure minimal 
changes to the SVA compiler we modify the original channels defined for reading and 
writing to shared variables within our definitions of VHDL signals; iveval and ivwrite.
We describe the behaviours of the three types of signal in the form of state machines. 
Note the state machines will be schematic and the events are not fully qualified.
5.2. VHDL Signals as CSP Processes 67
xch
calculate
stable
calculate
sigchanged
Unstable^ step
iveval
Figure 5.3: VHDL input signal state machine
Input Signals
Figure 5.3 describes the behaviour of a VHDL input port using a state machine.1. To 
identify input port value changes, we introduce the CSP channel, xch. This channel 
contains two parameters: 1 ) the signal name; and 2 ) the new value to be assigned to the 
input signal. Thus an example of an xch event is xc h .IV .2.0, where the value 0 is assigned 
to the input signal I V .2. The name of the signal preserves the naming convention used 
within SVA.
Another channel, sigchanged, is introduced to report whether a signal value has changed 
between execution cycles (steps). The sigchanged channel contains three parameters: 1) 
the identifier of the process tha t is checking to see if the signal value has changed; 2 ) the 
signal being queried; and 3) a boolean response denoting if the signal value has changed. 
The event sigchanged.l.IV.2.false communicates th a t the value of the signal I V .2 has 
not changed since the last execution cycle (step) of process 1 .
Input port values may only be altered when in a stable state, however VHDL processes 
may repeatedly fire prior to becoming stable (incremental internal execution cycles). 
Thus the sensitivity list of a process may be evaluated multiple times during an external 
execution cycle, regardless of change. Therefore our definition of an input port, Figure 
5.3, enables sigchanged events to occur between internal execution cycles, identified as 
being after step events and before calculate events. The sigchanged event will be required 
to be available in an Unstable state despite not being used, as will be seen later in the 
Chapter.
1 A  G e n e r a l i s e d  C S P  p r o c e s s  d e s c r i b i n g  a l l  s i g n a l  t y p e s  i s  d e f i n e d  i n  F i g u r e  5 . 8
68 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
outp
stable
Firing calculate
calculate
ivwrite
step
ivwrite
Error
sigError
Figure 5.4: VHDL output signal state machine
Finally, the calculate event signifies the transition back into an internal execution cycle, 
and tha t a signal may not change value until after the next step event.
When a VHDL system is in an unstable state, it is necessary to allow processes to read 
the value of input signals; this is given by the CSP event iveval, referred to in Section 4.1. 
The state machine in Figure 5.3 illustrates the times at which an input signal may allow 
others to read its value (iveval events), determine if the value has changed (sigchanged 
events), and update its current value (xch events). The synchronisation events stable and 
step, introduced in the previous section, and a further synchronisation event calculate, 
are used to control signal execution. The additional synchronisation event, calculate 
identifies the start of a VHDL process execution.
O utput Signals
As with input signals, output signals have a restricted behaviour, only allowing their 
value to be changed, and th a t changes only be visible externally within certain points of 
an execution cycle. The behaviour of an output signal is described by the state machine 
in Figure 5.4. The two notable channels here are outp and ivwrite.
The channel, outp, is introduced to report that the value of an output signal has changed. 
As with the input port channel xch, two parameters are added to this channel, the signal
5.2. VHDL Signals as CSP Processes 69
name and the signal value. Only once the system is stable can the output port value be 
visibly reported. If the value has changed during the execution cycle, it must be reported 
at least once, as shown by stable transition into the state Report and the subsequent outp 
transition to Stable.
The assignment of a value to such a signal must be captured during the firing of a process. 
So, we use the predefined SVA integer shared variable write channel, ivwrite, to capture 
writing values to an output port by a process. The event ivwrite is identified three times 
in Figure 5.4. An initial ivwrite transition from Firing to Updated identifies a safe writing 
to an output port. If the same process from the initial ivwrite performs an additional 
ivwrite event, the value is changed accordingly; this is depicted as the ivwrite with no 
state transition.
VHDL simulation behaviour states th a t a signal may only be updated by one process 
within an internal execution cycle, thus removing race conditions. We capture this as 
bad behaviour within Figure 5.4 as the transition from the Updated state to Error state, 
and subsequently a sigError event occurs. The sigError channel is parameterised by 
the signal name to provide clarity should this message occur. Behaviour of the signal 
then evolves to Stop, allowing deadlock checking in FDR to identify such scenarios. 
Alternatively, a simple specification th a t permits all events except for sigError would 
equally have been appropriate.
The firing of the update events ivwrite and outp are similarly controlled by the synchro­
nisation events stable, calculate and step. Note tha t since an output port may not be 
read, it cannot appear on any sensitivity lists for processes and thus does not perform 
the sigchanged event.
Internal Signals
Internal signal values within VHDL must have a dual state, such th a t their value may 
be updated during a internal execution cycle (step event), but any new value assigned 
cannot be read until the next internal execution cycle. We give a state machine, Figure 
5.5, to describe the behaviour of an internal signal.
As the state machine illustrates, the behaviour of an internal signal is a composite of 
the input and output signals, enabling the reading and writing of an event during an 
execution cycle. Should an internal signal value be changed by a process, given by the 
occurrence of ivwrite events, then at the end of the internal execution cycle (identified by 
a step event) an iwrite event occurs; tha t must occur prior to further execution cycles.
70 Chapter 5. Augmenting SVA to Define a Single VHDL Component
sigchanged
stable
iveval
^ calculate 
ivwrite
ivwrite
iveval
step
Updated
calculate iw rite
-(jY rite)
iveval
ivwrite
sigchanged Error
sigError
Figure 5.5: VHDL internal signal state machine
This channel has been introduced to deal with the dual state requirements of VHDL 
signals.
Similarly to the output signal behaviour, should more than one process write to a signal 
in one execution cycle, an error message, sigError is thrown. As with the output port 
representation, this occurrence of an additional ivwrite event, trigged by another process, 
is depicted as the ivwrite transition from Updated to Error in Figure 5.5.
The iwrite channel only holds two parameters, the name of the signal (e.g., I V .1) and 
the value tha t should be assigned to the internal signal.
The state machine for internal signals illustrates tha t read events, iveval may occur 
during process execution times. Similarly to input signals, sigchanged events may also 
occur during certain states to determine if processes should fire.
Again, the firing of the update and read events ivwrite, iwrite, iveval and sigchanged are 
controlled by the synchronisation events stable, calculate and step.
5.2. VHDL Signals as CSP Processes 71
outp
sigchanged
outp
\stable
stable
xch
calculate
ivwrite
(Firing^
stepstep
ivwritecalculate
ivwritestep
(Error^sigchanged
sigError
Figure 5.6: Generalised VHDL signal (without iveval events)
5 .2 .1  D e f in in g  a  D y n a m ic  V H D L  S ig n a l C S P  P r o c e s s  
C a p tu r in g  W rite a b le  S ignal V alue B eh av io u r
The merging of the three state machines previously described (Figures 5.3, 5.4 and 5.5), 
but devoid of all read behaviour, is captured in the state machine behaviour given in 
Figure 5.6. Clearly this merged representation provides more behaviour than  given in 
any one of our signal state machines, thus behaviour must be restricted to only enable 
those branches relevant to the signal required. We describe a CSP process capturing this 
behaviour, with these restrictions, on page 72.
E n a b lin g  D u a l S ta te  S ignal V alues
The remaining behaviour of the signals, the read behaviour of VHDL internal signals 
and input ports, is captured using the state machine depicted in Figure 5.7. The state 
machine specifies the point within an execution cycle when values of a VHDL signal can 
be updated safely, and subsequently when these values are updated, tha t the reading of 
their values is blocked. The CSP process ReadVar, lines 28 to 38 of the IntSigPre process 
in Figure 5.8, defines such behaviour for dynamic signals.
72 Chapter 5. Augmenting SVA to Define a Single VHDL Component
stable
xchstep
iwriteiveval ooCO
calculate
sigError
Figure 5.7: Read VAR state machine 
C om bin ing  R e a d  a n d  W rite  B eh av io u r
Note tha t the CSP process, IntSIGPre in Figure 5.8, which describes the merged be­
haviour defined in Figures 5.6 and 5.7, identifies four parameters in its definition:
• The signal name id, e.g., I V .1.
•  The range (type) of the signal.
• The initial value of the signal, v, given as an integer.
• And the status of the signal’s sensitivity list, ch, given as a boolean true or false.
Recall from Section 4.1 tha t the SVA compiler only deals with integer or boolean values. 
We choose to represent VHDL types only as integer values in SVA, providing a suitable 
translation between the two.
For instance, the VHDL type std-logic comprises the enumerated values ‘O’, ‘1’, ‘A ’, 
‘H ’, ‘L’, ‘V’, ‘W ’, ‘Z ’; we could therefore represent this for SVA as the indexed
set { 0 ...  8 }. However in the case of this type it is considered unnecessary to represent 
all 9 values for our purposes. The values ‘0’ and ‘1’ are those frequently required for 
modelling purposes, since we are only interested in the behavioural aspect of a VHDL 
system; although it is possible to require a ‘Z ‘ in the case of modelling tri-state values, as 
identified in Chapter 10. Indeed, all the other values in this VHDL type result in either 
high (‘1 ’) or low (‘0 ’) values. 2
We define three new sets: Inputs, Outputs, and Internals. These sets are populated with 
triples of the form (id, v, range)-, containing the signal identifier, initial value, and an in­
dexed range of the signal type respectively. These sets provide the necessary information
2 T h e  s td -lo g ic  t y p e  w a s  i n t r o d u c e d  a s  a  r e p l a c e m e n t  f o r  bit i n  V H D L  d e s i g n s  i n  V H D L - 9 3  t o  c o n s i d e r  
t h e  s i g n a l  s t r e n g t h s  w h e r e  v a l u e s  m a y  n o t  b e  s o  c l e a r l y  i d e n t i f i e d  [ 6 9 ] .
5.2. VHDL Signals as CSP Processes 73
In tS IG P re ( id ,  range, v,  ch) =  let
S T A B L E (v ,  ch) =  {m em ber( id ,  Inputlds)&cxch\id?v/ : range  —> 
i f ( v  = =  v')  then U N S T A B L E ly ' , false)  
else U N S T A B L E {v ' , true))
□ calculate —> F IR IN G (y ,  ch)
□ m e m b e r { i d , { l n t e m a l ld s \ j  InputIds))&Lsigchangedrlp \ id \ch  - 4
S T A B L E R ,  ch)
□ m em ber{id ,  OutputIds)&outp\id \v  —> S T A B L E (v ,  ch)
U N S T A B L E (v ,  ch) =  calculate —¥ F IR IN G {v ,  ch)
□ m em ber(id ,  ( In tem allds  [J Inputlds))8zsigchanged?p\id\ch  —> 
UN ST A B L E  (v,  ch)
FIR IN G {v,  ch) =  step  -> U N S T A B L E (v ,  false)
□ (ch = =  false)Szstable —> S T A B L E ( v , false)
□ m em ber(id ,  In tem a l ld s  (J OutputIds)Sz
(ivwrite'?plidlv' : range  —> U P D A T E D (v ' , (v'\  =  v ) ,p ) )
□ m em ber(id ,  OutputIds)&c(ch = =  false)&cstable —> R E P O R T ( v ,  ch)
R E P O R T ( v , c h )  =  outplidlv  - ï  S T A B L E (v ,  ch)
U P D A T E D (v ,  ch ,p )  — ( s t e p —*■
if  mem ber(id ,  In tem allds)  then W R IT E (v ,  ch) 
else U N S T A B L E (v ,  ch))
□ mem ber(id ,  In tem allds  |^ J OutputIds)$zivwrite?p'  \ id ? v / : range  —> 
( i f(p \  =  p ')  then E R R O R  else U P D A T E D (v ' , ch ,p ') )
E R R O R  =  sigErrorlidlsecondProcessWrite  —> S T O P
W R IT E (v ,  ch) =  iw r i te . id lv  —ï  UN S T A B L E  (v ,ch )
R eadVAR (id ,  v)  =  let
BlockRead(v)  =  calculate —>■ R dV A R (v )
□ m em ber ( id, InputIds)Szxch\id'?v' —» BlockRead(v')
□ m em ber ( id, I n t e m a l l d s ^ i w r i t e U d l v '  —> BlockRead(v')
R d V A R (v )  =  iveval?—lidlv R dV A R (v)
□ step  —> BlockRead(v)
□ stable —> BlockRead(v)
□ s igEmorlidlsecondProcessWrite  —> S T O P  
within R dV A R (v)
within
i f  (m em ber( id ,  Outputlds))  then 
stable(v, ch)
else
stable(v, ch) || BlockRead(v)
{ \iw rite .id ,x ch .id , step,calculate, stable,sigE rror.id \}
Figure 5.8: CSP process definition for IntSigPre(id, range, v, ch)
74 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
to generate other sets tha t can be used to distinguish between the signal types, determine 
signal ranges, and initialise signals.
As we do not wish to exhibit the behaviour of all three different signal types at once we 
restrict the behaviour using guards. Thus, the events xch, ivwrite, iwrite, and outp must 
be restricted so th a t they may only occur for the relevant signal type.
The use of the derived sets Intemallds, Inputlds, and Outputlds is necessary to provide 
a set of all signals identifiers for a particular type. These sets are generated by combining 
the first element of each triple within the Internals, Inputs and Outputs set respectively.
Using the derived sets and guarded CSP external choice, a CSP process is defined that 
can dynamically represent each of the three VHDL signals. This behaviour is given by 
lines 2 to 33 in the CSP process, IntSIGPre, shown in Figure 5.8.
The behaviour described through lines 2 to 33 from Figure 5.8 maps to tha t shown 
in Figure 5.6, but is in fact results in a subset of the behaviour shown. Through the 
application of CSP guards within the CSP definition, only the behaviour based on the 
signal type is exhibited, ensuring correct representation of the different VHDL signals. 
CSP guards are also employed to ensure that any new values assigned on an update event 
{xch and ivwrite) are within the range of the signal.
We define IntSIGPre as in Figure 5.8, such tha t the actual behaviour of the signal 
process is determined by the if statement from lines 46 to 49. If the process represents 
an output port, only the write behaviour is exhibited, line 47. Otherwise the combined 
read behaviour and write behaviour needed for an input port or internal signal is given 
by the interface parallel composition from line 49.
5 .2 .2  In c o r p o r a tin g  V H D L  S ign a ls  in  th e  S V A  C om p iler
Finally, our dynamic signal definition, IntSIGPre, is composed with our stabilisation 
model, ST A B ILISA TIO N , identified earlier in this chapter. The two processes are com­
posed using CSP interface parallel composition, synchronising on the events step, stable, 
xch and outp. We define the composition of these two process as the CSP process IntSIG  
given in Figure 5.9.
Thus, using this new CSP definition for VHDL signals we may now replace the shared 
variable definition, IVAR, in the SVA compiler.
5.3. Modelling VHDL Sensitivity Lists for SVA 75
In tS IG (id ,  range, v,  ch) =
In tSIGPre(id ,  range, v,  ch) || S T A B IL ISA T IO N (id )
{\to ck ,o u tp .id ,xch .id ,s tep \}
Figure 5.9: CSP composition process IntSIG (id, range, v, ch)
SensitiveC heck(signal) = s ig ch an ged .j\s ign a l.tru e  —> calculate  —> S K IP
□  arb—fa lse .j  —> calculate  —> S K IP
□  calculate S K IP
Figure 5.10: Capturing sensitivity list behaviour
5.3 M odelling V H D L Sensitiv ity  Lists for SVA
Recall th a t a VHDL process only fires when any item within its associated sensitivity list 
changes value from the previous cycle. Also recall th a t the items on the sensitivity list 
can be a collection of any or all of the VHDL input and internal signals, Section 2.1.1 
on page 9.
A new boolean CSP channel, sigchanged, was introduced in the previous section to 
identify whether a signal value had changed between step events. A suitable CSP process 
can be defined to capture information from the sigchanged channel and identify if the 
values of a VHDL process’ sensitivity list have changed, requiring the process to fire.
Focusing firstly on an individual signal, we define a CSP process, SensitiveCheck, given 
in Figure 5.10, to capture the behaviour of a sensitivity list against one of its contained 
signals. The calculate event is used to identify th a t a process can fire, and as previously 
mentioned the sigchanged event is used to determine if the signal has changed.
A VHDL process must fire if any one of its sensitive signals has changed, bu t will not 
fire only if all sensitive signals have not changed. We introduce a single event, arb-false, 
th a t is only available should all sigchanged values for a process be false. To distinguish 
between processes, the arb-false channel carries the parameter j ,  where j  is the process 
id. CSP renaming can be applied to rename all sig chang ed. j  .x. false events to arb-false.j 
events. Thus, synchronising on arb-false.j events, all signals for process j  must be 
false before the event can occur. By further restricting the SensitiveCheck (signal) pro­
cess we shall see tha t it is only ever possible for a process, j ,  to acknowledge either a 
signchanged.jlsignal.true or an arb-false.j event when evaluating its sensitivity list.
We define a CSP process, Sensitivity List in Figure 5.11 to evaluate whether a signal on 
a VHDL sensitivity list has changed. The Sensitivity List process is composed of several
76 Chapter 5. Augmenting SVA to Define a Single VHDL Component
S e n s it iv i ty L is t(S L ,p ,j)  =  let
SensitiveC heck(signal) =  sig chang ed .jl signal, true  —> calculate  —> S K IP
□  a rb -fa lse .j  —> calculate  —>■ S K IP
□  calculate  —> S K IP
FireProcess = O xeSL sigchanged .j.x .tru e  -4- calculate  - 4  SKIP', M a in P ro c (p ,j)
□  a rb -fa lse .j  - 4  calculate  - 4  S K IP
sig chang edTrue =  {s igchan ged .i.signal.x  | % 4 -  { j } ,  signal <— S L ,x  <— { tr u e } }
1 sigchanged TrueU { calculate, arb—fais e . j } FiraPrOCeSS
w ith in  L ist(S L )
Figure 5.11: VHDL sensitivity list behaviour defined in CSP 
smaller CSP processes.
Firstly, the FireProcess identifies whether a process, j ,  should fire. Since a VHDL pro­
cess should fire if any one of those signals to which it is sensitive changes, a CSP indexed 
external choice for the event sigchanged is defined. This branching ensures th a t should 
any one of the signal values change, the VHDL process behaviour, M ainProc(p,j), will 
occur after first performing a multi-way synchronisation (calculate) with all other pro­
cesses within the system. However, rather than check every sigchanged value for a false 
parameter, in the event tha t none of those sensitive signals have changed, the arb-false.j 
multi-way synchronisation event occurs, and the process does not execute its behaviour.
A second process, Sensitivity Check (signal) is also provided tha t defines the possible be­
haviour for each sensitive signal. As we only need to evaluate that a single signal value has 
changed in order to execute the process behaviour, each sensitive signal may report that 
i t’s value has or has not changed, or it can just perform the multi-way synchronisation 
over the calculate event.
By composing the system, as shown in Figure 5.11, we are able to capture the behaviour 
of a VHDL process’ sensitivity list with a minimal trace.
To support this new process, Sensitivity List, additional information must be manually 
provided for each VHDL system. A list, SensLists must be created, containing tuples 
tha t identify the sensitive signals for each process identifier. For instance, a single process 
system with process identifier 0, sensitive to the signal I V .1, would result in a definition
5.4. Augmenting the SVA Compiler to Analyse VHDL Processes 77
of the form SensLists = ((0, { /V .l})).
Additionally, a CSP renaming must also be applied to all IntSIG (id, range, v, ch) pro­
cesses,Figure 5.9, defined earlier in this chapter, which are composed within a system. 
Such a renaming replaces sig chang ed.j .id. false with arb-false.j to enable the multi-way 
synchronisation with our newly defined SensitivityL ist(sl,p , j )  process.
Now that we have provided a new definition for VHDL signals, and specified a suitable 
representation of VHDL sensitivity list behaviour, new syntax can be added to the SVA 
compiler, and alterations made to the SVA compilation functions to represent a hardware 
component.
5.4 A ugm enting th e SVA Com piler to  A nalyse V H D L  
Processes
The channels calculate, step, and stable have already been introduced for the purpose 
of controlling the synchronisation of VHDL processes and the state of VHDL signals. 
These channels must therefore be added to all processes generated by the CSP compiler 
to ensure the VHDL stabilisation model is preserved, thus some of the compiler functions 
must be altered. New SVA datatypes need to be added to model the behaviour of VHDL 
processes, including the incorporation of the CSP Sensitivity List process.
To visualise the augmentation of the SVA compiler, coined SVA4VHDL, we illustrate the 
alterations to the architecture of the SVA compiler in Figure 5.12; the new additions to 
the compiler are highlighted within the dashed box.
5 .4 .1  A d d in g  S V A  S y n ta x
A new datatype is required to capture the unique behaviour of a VHDL process, which 
will fire repeatedly if a sensitivity list signal value changes, and will iteratively determine 
when the process should fire.
The SVA compiler already contains a datatype, Iter. Cmd, that iteratively runs the con­
tained behaviour, Cmd. Another SVA datatype While(BExpr, Cmd) exists tha t will run 
the contained behaviour, Cmd, whilst the boolean expression, BExpr, is true. However 
neither are entirely suitable.
78 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
CompileList
Analyse
Analysel MainProc
Compile
Methods
VHDLCompileList
Timing VHDLAnalyse
Analysel MainProc
VHDL
Compile
Methods
SensitivityList
Figure 5.12: The SVA4VHDL architecture
P ’ ( ) =(VHDLProc. ( { I V . 2 , I V . 3 }  ,
C o n d . (CbmpOp.Eq. I V a r . IV . 2 . I V a r . I V . 3 , 
l a s s i g n  . ( I V a r . IV . 1 , C o n s t . 0 )  , 
l a s s i g n  . ( I V a r . IV. 1 , C o n s t . 1 ) ) )
)({},{})
Figure 5.13: Use of the VHDLProc operator
We introduce a new datatype, VHDLProc, taking the arguments (ivnames, Cmd). The 
first argument, ivnames, provides a set containing signal identifiers (the sensitivity list 
for the process), and the second argument, Cmd, is a recursive call to the SVA syntax 
describing the behaviour of the process.
Similarly, we introduce another datatype to aid in our definition of VHDL within the SVA 
compiler, Step. Step is a simple datatype that allows us to add the necessary synchronous 
events step and stable to compiled SVA programs.
The use of this new SVA datatype, VHDLProc.(ivnames, Cmd), is illustrated in Figure 
5.13. The SVA process P'Q  provides the same functionality as that of Figure 4.4 on page 
51, but the process will only fire when either I V .2 or I V .3 has changed.
New pattern  matching functions, for both the SVA compiler functions MainProc and 
Analysel, must be added to correctly compile the newly introduced Step and VHDLProc 
datatypes. These new pattern  matching functions are defined in Figures 5.14 and 5.15 
respectively.
5.4. Augmenting the SVA Compiler to Analyse VHDL Processes 79
MainProc (S t e p , j )  =
step  S K IP  
□ took —> S K IP
A n a lyse l (S tep )  =
Figure 5.14: Pattern  matching functions on Step
Note tha t the augmentation of SVA precludes local variables in the allowable constructs. 
This reflects the best practice application of RTL level VHDL for implementation.
Step
Figure 5.14 describes both the CSP behaviour tha t should be generated when compiling 
the introduced SVA Step datatype, as given by the MainProc function; and the additional 
information tha t should be passed to the Analyse function should the datatype be found 
(note tha t no extra information is added in the case of the Step datatype).
The M ainProc(Step,j) function defines a small CSP process th a t can perform either the 
events step or stable. Once these events have occurred the process successfully term inates, 
as defined by the Skip event.
V H D L P roc
The pattern  matching of MainProc on the VHDLProc datatype, as identified in Fig­
ure 5.15, is passed the SVA process VHDLProc.(b,p) as well as the process identifier, j .  
The parameters b, p, and j ,  are then passed to a previously discussed SensitivityList(b, p ,j )  
function (see Section 5.3).
Once the SensitivityList function successfully terminates, the MainProc function is called, 
this time matching on the Step datatype. This introduces a synchronous event across all 
generated processes, keeping them in ‘lock step’. Finally the whole function is iteratively 
called again providing the required behaviour of a VHDL process.
The Analysel function for the VHDLProc.(b, P) operator, Figure 5.15, calls the Analysel 
function, passing in the contained behaviour of a VHDL process, represented by P.
This additional syntax to SVA enables VHDL processes to be defined within the SVA 
compiler.
80 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
MainProc(VHDLProc.(b ,  p) ,  j )  =
Sensit iv i tyL ist  (b ,p ,j)- ,
M ainP roc(S tep , j )]
MainProc  ( VHDLProc  .(&, p ) , j )
Ana lyse l(V H D L P roc .(b ,  P ) ) —
A n a ly s e l (P )
Figure 5.15: Pattern  matching functions on VHDLProc
5 .4 .2  A lte r in g  SV A  C o m p ile  F u n ctio n s
We have introduced several new channels to model VHDL signals: iwrite, outp, and 
xch] and new channels relating to our VHDL stabilisation model: sigchanged, arb-false, 
calculated, tock, and step. The original compilation functions within SVA do not accom­
modate these functions, or indeed the CSP processes we have previously defined within 
this section.
So tha t the SVA compiler can still model threaded processes, a design decision was 
made to copy the compiler functions. We give them the names VHDLCompileList and 
VHDLAnalyse.
Figure 5.16 describes two SVA4VHDL processes PAQ and PB if), to illustrate the new 
syntax discussed earlier in this section and the changes discussed later in this section. 
W ithin Figure 5.16, IV A  is an input port, I V .2 and /V .3 are internal signals and /V .4 
is an output port.
The first process, PAQ, reacts to changes over I V .1, and updates the value of /V .3 to 
the logical eXclusive OR (XOR) computation of I V .1 and I V .2. The second process, 
PB(), reacts to changes over /V .3, and assigns the inverse value of /V .3 to /V .2  and 
/V.4.
VHDLAnalyse
Recall th a t the original SVA Analyse function returned the sets IW , IR, L IV , RO I, L I  
and Alpha. The values of these sets, when applying the Analyse function to the process 
PAQ, in Figure 5.16, are given in Figure 5.17.
Also, recall th a t the set L I  contains the events on which the compiled process and the 
associated shared variables3  synchronise. Also, Alpha is the set of all events that the
3 T h e s e  w i l l  b e  e x c h a n g e d  f o r  s i g n a l s
5.4. Augmenting the SVA Compiler to Analyse VHDL Processes 81
PA() =(VHDLProc. ( { I V . 1 }  , 
l a s s i g n . ( I V a r . I V . 3  ,
CompOp. X o r . I V a r . IV . 1.  I V a r . I V . 2 ) )
),({},{})
P B ()  =(VHDLProc. ( { I V . 3 }  ,
Cond. (CompOp.Eq. I V a r . IV . 3 . C o n s t . 0 ,
S q . ( l a s s i g n  . ( I V a r . I V . 2 , C o n s t . 1) , 
l a s s i g n  . ( I V a r . I V . 4 , C o n s t .  1) ) ,
S q . ( l a s s i g n  . ( IV a r .  I V . 2 , C o n s t . 0) , 
l a s s i g n  . ( I V a r . I V . 2 , C o n s t . 0)  ) ) )
) , ( { } , { } )
Figure 5.16: A fragment example of a VHDL system written in SVA
A lph a=  {\iveval.0 , ivwrite.O,
iv eva l . l . IV .3 ,  i v w r i t e . l . I V .3, 
verror .IV .3 ,  error.0 |}
L I  =  (| iveval .O.IV.3, ivwrite .O .IV.3, 
iveval .O .IV .l  |}
IR  =  { I V .1, 7V.2}
I W  =  { /V .3 }
R O I  =  { I V . l }
L I V  =  { /V .3}
R O B  =  {}
LIB  =  {}
Figure 5.17: O utput of Analyse w.r.t. process PAQ in Figure 5.16
composition of compiled process and shared variables perform. Therefore, it is these two 
sets tha t must be changed in the VHDLAnalyse function.
Clearly to support our new signal definitions, our additional events step, arb-false, 
sigchanged.j.x.true, tock, and calculate must be added to both our new definitions for 
Alpha and LI. This allows correct synchronisation of events between signals and compiled 
processes.
The original Alpha defined all allowable events of a compiled process and its associated 
variables th a t could be performed. SVA’s original definition for Alpha is too loose, 
enabling synchronisation of write events (ivwrite) from other processes th a t should not 
be available within our compiler. Thus, we restrict the allowable behaviour of compiled 
processes with their associated signals to remove such behaviour. Similarly, we also add 
the external signal events: xch, outp and iwrite to the Alpha definition. These alterations 
to our Alpha definition are defined in Figure 5.18.
82 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
{ v erro r .v  | v <— L I V ( j ) }  U {| error . j  |}U
{| iveval .k .v  \ v  4- L I V ( j ) , k  ^  pnum sV , m e m b e r (y ,I R (k ) )  |}U  
{| iveva l . j , ivw r i te . j  |}U
{sigchanged.p .v . true  | v  4 -  L I V ( j ) , p  4 -  sensit iveTo(v)}\J
{arb - fa lse .p  \ p  4 -  se n s i t iveT o (L IV ( j ) ) }U
{step ,  calculate, tock}U
{| iwrite.k , outp.k \ k 4— L I V ( j )  |}U
{| xch.k | k 4— ROI(J)  |}
Figure 5.18: The set Alpha as defined within VHDLAnalyse
L I ( j )  = { |  iveva l . j .v ,  i vw r i te . j .v  | v 4 -  L I V ( j )  |}U  
{| iveva l . j .v  \ v  4— R O I ( j )  |}U  
{s igchanged.j .v . true  | v  4— L I V ( j )  U R O I ( j ) }U  
{s tep ,  tock, calculate, arb- fa lse . j }
Figure 5.19: The set L I  as defined within VHDLAnalyse
Similarly, the definition for L I  must also be restricted since it defines the synchronisation 
events between signals and their associated process. Thus we augment the definition of 
L I  as depicted in Figure 5.19.
Furthermore, as we are no longer dealing with boolean shared variables, any events 
pertaining to their inclusion, bveval and bvwrite, are removed from the sets generated 
in VHDLAnalyse. Thus, applying the augmented VHDLAnalyse function to the process 
PAQ, from Figure 5.16, results in the sets given in Figure 5.20.
V H D L C om pileL ist
The CompileList function in the original SVA compiler was responsible for generating 
process shared variable pairs tha t could then be composed together by one of the many 
compile functions. Since the changes we have made include redefining the shared vari­
able definition in Chapter 4 and the introduction of a VHDL stabilisation model, an 
augmented version of CompileList is required, VHDLCompileList.
We restrict the behaviour of each composed signal such that:
• it cannot perform ivwrite events with any process except the current process, z;
• it ensures th a t the events iveval and ivwrite are correctly constrained to only those 
within the the range of the signal;
5.4. Augmenting the SVA Compiler to Analyse VHDL Processes 83
A lp h a =  {\iveval.O, ivwrite.O,
iv eva l . l . IV .3 ,  step,  calculate, 
tock, arb-false.O, arb—false . l ,  
sigchanged.O, s igchanged.l .IV.S .true,  
iw r i t e . IV .3, x c h .I V . l ,  verror .IV .3 ,  
error.0 |}
L I  =  {| iveval.O.IV .3, ivwrite.O. I  V.3,  
step, tock, calculate, arb—false.0, 
sigchanged.O.IV .3. true, sig chang ed.O. I V  .1. true,  
iveval.O.IV .1 |}
IR  =  { I V . l ,  I V . 2}
I W  =  { I V . 3}
R O I  =  { I V . l }
L I V  =  { I V . 3}
Figure 5.20: O utput of VHDLAnalyse w.r.t. process PAQ in Figure 5.16
• any processes tha t are not sensitive to the signal, sigchanged, are removed from the
process.
Recall in Section 4.3.2, prior to composition with a process, shared variables must first be 
composed with Stop to remove any unwanted behaviour. The process IV R {x, z), within 
CompileList, describes this composition and it is within this process we swap IV A R (x, v) 
with IntSIGQd, range, v, ch). The sets Internals, Inputs, and Outputs, from page 71, are 
used here to provide the required parameters for each signal. The definition for IntSIG  
is therefore further restricted by placing unused events in parallel with Stop.
As would be expected, the VHDLCompileList must call VHDLAnalyse instead of Analyse, 
providing the sets required for the correct composition of the system.
Shared variables associated with a single process were interleaved together in the original 
SVA compiler since they did not synchronise on any events. However, in exchanging 
shared variables for the signals definition, Section 5.2, the signals must be placed in an 
interface parallel composition, synchronising on the stabilisation events calculate, step, 
and stable, and the sensitivity list event arb-false.
5 .4 .3  C o m p ilin g  S V A 4 V H D L
The final amendment to the SVA compiler at this point requires a replacement of the 
compiler strategy Compile, by VHDLCompile. Clearly this new definition replaces 
CompileList with VHDLCompileList. As with the Compile compile strategy, discussed
84 Chapter 5. Augmenting SVA to Dehne a Single VHDL Component
VHDLCompile
A n a ly s e l
VHDLCompileList
M ainProc
VHDLAnalyse
Figure 5.21: SVA4VHDL compilation flow
in Section 4.4, VHDLCompile is passed a sequence of CSP process and alphabet tuples, 
(P, A), returned by VHDLCompileList.
The same compilation strategy is used, composing all returned processes in an alpha­
betised parallel. Figure 5.21 illustrates the compilation approach taken using the newly 
defined functions. We apply the adapted functions and a new definition for signals but 
utilise the original approach, illustrated in Figure 4.6 on page 53.
To compile the example processes, PAQ and PBQ  from Figure 5.16, a process PSys' that 
uses the new compile method, VHDLCompile, is written:
P % ;' =  P A () ,P B ( )  > )
However, as we have previously noted, further information is required to generate a 
CSP model from the SVA code: four additional sets and a list are required. These sets 
identify the internal, input and output signals: Inputs, Outputs, and Internals] and the 
process identifiers within the system, ProcsWithSensitivityLists. The sensitivity list for 
the processes within the system are captured within the SensLists list.
Thus, for the definition of PSys', the following information is required:
Inputs — { ( IV .l ,  0, {0..1})}
Internal = {(/V .2,0, {0..1}), ( I V .3 ,0, {0..1})}
Outputs — { ( IV  A, 0, {0..1})}
ProcsWithSensitivityLists = {0,1}
SensLists =  ((0, IV .l) ,  (1, I V .3))
5.5. Translating VHDL to SVA4VHDL 85
P Sys'
(MPV(O) .A lp h a (0) ) (MPV(1 h a ( l ) )
M ainProc(VHDLProc. ( * ) , 0 ) ) M ainProc(V H D L Proc.( * ) , ! )  )
V (IV .3 )  V ( I V .l) V (IV .2 )  V d V .4 )
Figure 5.22: CSP model structure for SVA4VHDL system PSys'
Note, process PAQ becomes process identifier 0 , and process PBQ  becomes process 
identifier 1 .
A CSP model from the definition of PSys' would generate the structure illustrated in 
Figure 5.22. A CSP model of PSys' can now be analysed by FDR.
This chapter has defined the principal changes to the SVA compiler for modelling a VHDL 
component. However, it is clear that we need to identify repeatable translation patterns 
to convert VHDL syntax to SVA4VHDL. SVA4VHDL provides a direct representation 
for VHDL process and signal names, mapping functions must also be provided to support 
these translation patterns. W ithin this section we identify these repeatable patterns and 
suitable mapping functions to support a translation. These translations are used within 
our Java tool described in Section 7.6.
5 .5 .1  S ign a ls
The SVA4VHDL compiler does not use enumerated values for each signal. Instead, a 
global index is stored for tracking all ports and internal signals within an SVA4VHDL 
model. Thus, when translating VHDL to SVA4VHDL a mapping must be made in order 
to ensure consistency between a signal name and its corresponding index value.
We define three partial injection functions th a t are pairwise disjoint, which together 
associate every VHDL signal name with a unique corresponding indexed SVA4VHDL 
value:
5.5 Translating V H D L to  SVA4VH DL
signalMappingin : Ei x SN  h-> IV N  
signalMapping0Ut : Ei x SN  h-> IV N  
signalMappinginternal ' Ei x SN  h-> IV N
86 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
where Ei is the entity instance, SN  is the finite set of VHDL signal names and IV N  is 
the finite set of SVA4VHDL indexed values for an entire VHDL system, such that: 
ian.(signalMappingin) A  ran(signalMapping0Ut) A  Tan(signalMappinginternai) =  0 A  
dom(signalMappingin) U dom(signalMappingout ) U dom(signalMappingintemal ) =  SN  A  
ran(signalMappingin) U ran.(signalMapping0Ut )U 
ran(signalMappingintemal ) =  IV N
For example, for signal Si from Table 5.1, signalMappingin (Ei, Si) = I V . l  and (I?i, Si) 
dom (SignalMapping out). The mapping of VHDL signals of type in o u t uses both signalMap­
pingin and signalMappingout to associate two indexed values with an in o u t signal.
All the patterns for a single entity architecture pair have been given in this section. Note 
that the definition given for the signalMapping functions is over specified. The reasons 
for the definition will become clear in Chapter 7.
5 .5 .2  T y p es
Recall tha t the SVA compiler, Chapter 4, does not permit enumerated types, only integer 
and boolean. Thus, our augmented SVA Compiler does not handle enumerated types 
explicitly. A simple indexing function is used to map from VHDL enumerated types to 
corresponding SVA4VHDL integer values:
TypeMapping : TN  x E N  — y Z
where TN  is the finite set of all VHDL type definitions and E N  is the finite set of 
all VHDL enumerated values within a VHDL system. E.g., TypeMapping(Ti, Ei) =  0, 
TypeMapping(Tii E2 ) — 1 and TypeMapping(T2 , A3 ) =  0.
5 .5 .3  E n tity
As identified in Section 2.1.3, each VHDL component description contains an entity 
definition th a t describes port information. This port information is externally visible for 
th a t VHDL component. We provide a translation pattern for a VHDL entity in Table 5.1.
Table 5.1 illustrates how each of the different signal types are translated. Each signal, its 
type and initial value, are defined on separate lines within the port signature. Note tha t 
the port of type inout is added to both maps, signalMappingin and signalMappingout , in 
a translation.
5.5. Translating VHDL to SVA4VHDL 87
__________________________________________________V H D L _________________________________________________
e n t i t y  i d e n t i f i e r  i s  
p o r t ( Si : i n  s u b t y p e - i n d i c a t i o n i  :=  s t a t i c _ e x p r e s s i o n i ;
Sg : i n o u t  s u b t y p e - i n d i c a t i o n s  := s t a t i c - e x p r e s s i o n s ;
S3  : o u t  s u b t y p e - i n d i e  a t  i o n s  := s t a t i c _ e x p r e s s i o n s  ) ; 
end  e n t i t y  e n t i t y _ n a m e  ;
SV A 4 V H D L
I n p u t s - e n t i t y - n a m e  =  { ( S i g n a lM a p p in g ^  ( S i )  , s t a t i c - e x p r e s s i o n i  , s u b t y p e - i n d i c a t i o n i )  , 
( S ign alM appingin  (S 3 ) , s t a t i c - e x p r e s s i o n s ,  s u b t y p e - i n d i e  a t  i o n s ) }
O u tp u ts_ e n t i ty _ n a m e  =  { (  S ign a lM a p p in g  out (S 3  ) , s t a t i c _ e x p r e s s i o n s ,  s u b t y p e - i n d i e  a t  i o n s  
) ,
(S ig n a lM a p p in g  0nt (S 3 ) , s t a t i c - e x p r e s s i o n s ,  s u b t y p e - i n d i e  at i o n s ) }
Table 5.1: T P i: VHDL entity translation pattern
____________________________________________ V H D L _________________________________
a r c h i t e c t u r e  i d e n t i f i e r  o f  e n t i t y _ n a m e  i s  
t y p e  Ti i s  (Ei ,Es ,Es) ;
t y p e  Ts i s  (E4 ,Es ,E6  .Ey) ;
5 4  : Ti := Ei ;
5 5  : T3  :=  E5  ;
b e g in
a r c h i t e c t u r e - s t a t e m e n t - p a r t  
end  a r c h i t e c t u r e  i d e n t i f i e r  ;
S V A 4 V H D L
I n t e r n a l s  =  { (S ig n a lM a p p in g  internal ( S4  ) , TypeMapping (Ti ,E i)  , { 0 . . # T i } )  , 
( S ign a lM app in g  internal ( S5  ) , TypeMapping (Ts ,E5 ) , { 0 . . # T 2 ) } ) } ____________
Table 5.2: TH^: VHDL architecture, declarative part, translation pattern
5 .5 .4  A r c h ite c tu r e
Recall that, for each VHDL entity, there is at least one architecture. The architecture 
captures the behaviour of the VHDL component and is captured within two aspects, a 
declarative part and a statement part, as identified in Section 2.1.2. Table 5.2 identifies 
the capture of information from the declarative part of a VHDL architecture and Table 5.3 
provides the translation pattern  for the statement part of the architecture.
From Table 5.2, it is not only VHDL signals th a t are mapped to an indexed value, but 
so also are user defined enumerated types. To ensure consistency in the translation the 
TypeMapping function is used, returning the relevant value for the enumerated type, with 
respect to the type. As the translation replaces VHDL enumerated types for an integer 
value, the internal signals are then translated to be stored in a th ird  set, Internals.
88 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
________  V H D L _________________________ ____
a r c h i t e c t u r e  i d e n t i f i e r  o f  e n t i ty _ n a m e  i s
a r c h i t e c t u r e - d e c l a r a t i v e . p a r t
b e g in
Pi : p r o c e s s  ( S L i ) i s  . . .  ;
? 2  : p r o c e s s  (SLg) i s  . . .  ;
P 3  : p r o c e s s  (SL3 ) i s  . . .  ;
end  a r c h i t e c t u r e  i d e n t i f i e r  ;______________
S V A 4 V H D L  ~~
‘Comp’ _ e n t i t y - n a m e  =
V H D L C om pileL is t (<P i( )  ,P 2 () ,Ps ( ) > ) ( { } )
S e n s L i s t  =  < ( 0 ,SLi)  , ( 1 ,SL 2 ) , ( 2 ,SL3 )> ______________ _____
Table 5.3: TPg: VHDL architecture, statement part, translation pattern
Each process within a VHDL architecture_body is translated to a corresponding SVA 
process. Nevertheless it is necessary to capture further information from the architec- 
ture-body. As with the VHDL types and signals, the translation must also index the 
translated VHDL processes. VHDL processes are not explicitly assigned an integer value 
in their translation (as illustrated in Table 5.4). Instead, the order in which they are 
added to the compilation process, identified as the concatenation of the entity_name 
with “Comp” , is used to specify their ordering. This is tied to the order in which the 
processes are compiled by SVA4VHDL.
W ithin Table 5.3, translation of the further information necessary for compilation is 
identified. The first item given is the SVA4VHDL compilation process, containing the 
VHD LCompileList command. It is from this list th a t the process ordering must be 
matched. For simplification, the order is identified linearly, i.e., the order in which the 
VHDL processes are listed within the architecture.body.
The second, identifies each process as an index value, and associates this identifier with 
a copy of the translated sensitivity list associated with that process. These are stored 
within a sequence as tuples for use by the compiler.
5 .5 .5  P r o c e ss
The translation of a VHDL process is given in Table 5.4. Each SVA4VHDL process 
is identified by using the VHDL processJabel, appended with empty brackets. The 
SVA4VHDL process is defined as a V H D L P r o c .  This is made up of the translation of 
the process’ sensitivity list, and the translation of the process sequential statements,
5.5. Translating VHDL to SVA4VHDL 89
_____________________________________________V H D L _________________________________
Pi : p r o c e s s  ( s e  ns  i t i v i t  y _ 1 i s t ) i s  
b e g in
s e q u e n t i a l - s t a t e m e n t i ;  
s e q u e n t i a l - s t a t e m e n t  2 ; 
s e q u e n t i a l - s t a t e m e n t s ;  
e n d  p r o c e s s  P i  ;
S V A 4 V H D L
Pi () =  VHDLProc. (TP5  ( s e n s i t i v i t y _ l i s t )  ,Sq. <  s e q u e n t  i a l - S t a t e m e n t  s 1 , 
s e q u e n t i a l _ s t a t e m e n t s g  , s e q u e n t ! a l _ s t a t e m e n t s s > )  { }
Table 5.4: T P 4 : VHDL process translation pattern
V H D L  
S i , 8 2 , 8 3
_______________________________S V A 4 V H D L ________________________
{ s i g n a lM a p p in g inU s ig n a lM a p p in g interriaZ( S i )  , 
s ig n a lM a p p in g  jnU s ig n a lM a p p in g jniernaz ( S2  ) , 
s ig n a lM a p p in g  jnUsignalMappingjrcterna; (S3 ) }________________
Table 5.5: T P 5 : VHDL sensitivity list translation pattern  
captured within the SVA4VHDL Sq operator.
S en s itiv ity  L ist A sensitivity list is translated by applying signalMappinginU signal­
Mappingintemal to each signal listed in the sensitivity list. The sensitivity list is then 
returned as a set. We identify the translation pattern  within Table 5.5.
The SVA language enabled a set of signals to be associated with a particular SVA process, 
identified within a set following the process behaviour. Because of this, an empty set 
must be appended to a SVA4VHDL process definition since we do not, at present, utilise 
the additional features within the SVA compiler th a t this information provides.
5 .5 .6  S eq u en tia l S ta te m e n ts
There are different VHDL operators classified as sequential statements, identified in 
Section 2.1.2. These operators are used to define the behaviour of a VHDL process. 
Tables 5.6, 5.7 and 5.8 identify the patterns of translation for these sequential statements.
S ignal A ssig n m en t A signal assignment comprises two aspects, a target and an 
expression. As illustrated in Table 5.6, a VHDL signal assignment is translated to
90 Chapter 5. Augmenting SVA to Dehne a Single VHDL Component
______________________ V H D L ______________________________________________
Si < =  e x p r e s s i o n
S V A 4 V H D L
l a s s i g n  . ( I V a r . s i g n a l M a p p i n g j n i e m n ; U  s ig n a l  M a p p in g  out ( S i )  , e x p r e s s i o n ) ______________
Table 5.6: TPe: VHDL assignment translation pattern
V H D L
i f  e x p r e s s i o n i  t h e n
s e q u e n t i a l - s t a t e m e n t s i  
e l s i f  e x p r e s s i o n s  t h e n  
s e q u e n t  i a l  . s t a t e m e n t s  2  
e l s e
s e q u e n t  i a l - s t a t e m e n t s ^
_______________ end  i f  ;______
S V A 4 V H D L
Cond. ( e x p r e s s i o n i  ,S q .<  s e q u e n t  i a l  _st a t  e m e n t s  i > ,
Cond. ( e x p r e s s i o n s  ,S q .<  s e q u e n t i a l - S t a t e m e n t s s ^
S q .<  s e q u e n t  i a l - s t a t e m e n t  S3>))___________________
Table 5.7: TP?: VHDL If statement translation pattern
the SVA4VHDL la ss ig n  datatype. The target (Si) is given as the first argument, and 
the expression is given as the second argument of the la ss ig n  operator. Clearly, the 
SignalMapping function is applied to Si to correctly map to the corresponding IV N  
element.
The first argument of an lAssign  is an lExpr th a t is always resolved to an IVar datatype. 
The second argument is given as an expression. This enables the assignment value to be 
a constant, another signal, or the result of a calculation.
IF  S ta te m e n t Table 5.7 identifies the pattern  for translating a VHDL IF statement to 
the SVA4VHDL C o n d  operator. The C ond operator takes the boolean expression as its 
first parameter, the true branch as its second operator, and the false branch as its third 
(with nesting as appropriate).
The expression is a boolean expression, and is restricted to a comparative operator 
within the SVA4VHDL language. Thus, each VHDL expression must be converted to an 
SVA4VHDL C o m p O p  expression.
The translation of sequentiaLstatements follow the same pattern  as identified above.
5.5. Translating VHDL to SVA4VHDL 91
_______________________________________ V H D L _____________________________________
c a s e  e x p r e s s i o n  i s  
w hen c h o i c e s  i =>  
s e q u e n t  i a l - s t a t e m e n t s
1
w hen c h o i c e s 2  =>
s e q u e n t i a l - s t a t e m e n t s
2
end  c a s e  ;
____________________________________ S V A 4 V H D L __________________________________
Cond. (CompOp.Eq. e x p r e s s i o n  . c h o i c e s  i ,S q .<  s e q u e n t  i a l - s t a t e m e n t  s i > ,  
Cond. (CompOp.Eq. e x p r e s s i o n  . c h o i c e s 2  ,S q .<  s e q u e n t  i a l - s t a t e m e n t s  2  
>,
S k ip )  ) ___________________________________________________________________
Table 5.8: TPg: VHDL case statement translation pattern
C ase S ta te m e n t A Case statement in VHDL uses the expression as the basis of a 
boolean equality guard. Each branch is made up of a series of sequential statements. 
Because of the way in which the SVA4VHDL compiler parses the syntax, it is not possible 
to carry the expression between branches. It is therefore necessary to translate a VHDL 
case statement to the SVA4VHDL C ond operator. Table 5.8 identifies the translation 
pattern  for this.
It is necessary to nest the C o n d  operator for each choice listed within the case statement. 
A default case is not given, thus the final false branch is given as the SVA4VHDL Skip 
operator to complete the translation.
A VHDL case statement is comparing the result of expression to the value listed as 
choice, hence it is necessary to perform a comparative equality validation between these 
two aspects. As a result, the conditional param eter of the SVA4VHDL C o n d  is defined 
as CompOp.Eq.expression.choicej, where choice^ relates to each branch of the case statement.
5 .5 .7  E x p re ss io n s
The VHDL language is an infix language, placing operators in between values. However, 
as we can see above, SVA4VHDL is a prefix language, placing operators first, followed by 
the values. Translating between these two forms is straightforward. For instance, take: 
(4 x 5) +  (3 x 5). To write this as prefix, rather than infix, it becomes +  x 45 x 3 5. 
The same technique is applied when translating VHDL to SVA4VHDL, as illustrated in 
Table 5.9.
92 Chapter 5. Augmenting SVA to Dehne a Single VHDL Component
__________________________________V H D L ________________________
s i m p l e - e x p r e s s i o n  i o p e r a t o r  s i m p l e - e x p r e s s  i o n  2
n o t  pr i mary | pr i mary +  pr i mary  | pr imary — primary
S V A 4 V H D L
o p e r a t o r  . s i m p  l e - e x p r e s s i o n i . s i m p l e - e x p r e s s  i on  2
U I Op . N ot .  pr i mary | B i n l O p .  P l u s  . pr i mary . pr imary  
I B i n l O p . M i n u s . pr i mary  . pr imary
Table 5.9: T P g :  VHDL expression translation pattern
____________________________________________ V H D L _______________________________________
and | or  [ nand | nor  | x o r  | xn or
___________________= 1 /= I < 1 <= 1 > I >=__________________________
__________________________________________S V A 4 V H D L ____________________________________
BBOp.And | BBOp.Or | UI Op.Not .BBOp. And | UI Op .Not .BBOp.Or  
| BBOp. Xor  | UI Op. N o t  .BBOp. Xor
CompOp. Eq | CompOp. Ne q | CompOp. Lt | CompOp. Le | CompOp. Gt  | CompOp. Ge
Table 5.10: T P iq: VHDL operator translation pattern
We traverse the VHDL syntax as defined in Section 2.1.2. Thus, the relevant function is 
applied, either SignalMapping or TypeMapping, upon reaching a name declaration for a 
VHDL primary construct.
5 .5 .8  O p era to rs
The patterns for mapping VHDL operators to SVA4VHDL operators are given in Ta­
ble 5.10. The translation of operators requires additional definition of the type of op­
erator: binary, unary, comparative. However, as illustrated in Table 5.10, these remain 
constant and can therefore be associated as part of the translation. W ithin SVA4VHDL 
it is necessary to combine a unary negation with the complementary VHDL operator. 
For example, a nand gate is defined as a not gate and an and gate.
5.6. Running Example: Candy Puzzle: SVA4VHDL Approach 93
5.6 R unning Exam ple: C andy Puzzle: SVA4VH DL  
Approach
The previous sections of this chapter have described several complex changes to the 
SVA compiler, and identified translation patterns from VHDL to our newly defined 
SVA4VHDL compiler. At present, this compiler only contains the ability to generate a 
CSP model of a single VHDL component. We illustrate the use of our SVA4VHDL com­
piler and the translation patterns from Section 5.5 to our running example, the Uniform 
Candy Distribution Puzzle first introduced in Section 2.1.3 on page 15. In particular, we 
apply these patterns to the VHDL Child component from Figure 2.3 on page 17.
Applying the translation patterns from T P i and T P 2  to the entity and architecture of 
the VHDL Child component produces:
—  e lk  , r e s e t ,  t e a c h e r A d d , s w e e t s l n
I n p u t s  =  { ( I V . l  ,0 , { 0 . . 1 } )  , ( I V . 2 , 0 , { 0 . . 1 } )  ,
( IV .3 ,0 , { 0 . .  1 }  ) , ( I V . 4 , 0 , { 0 . . 8 } ) }
— s w e e t s  O u t  , r e p o r t N o
O u t p u t s  =  { ( I V . 5 ,0 , { 0 . .  8  } ) , ( I V . 6  ,0 , { 0 . .  8  } ) }
—  c u r  r e n t - s w e e t s
I n t e r n a l s  =  { ( I V . 7 , 0  , { 0 - 8 } ) }
The CSP comments identify the mapping between VHDL signal names and the 
SVA4VHDL signal identifiers.
Notice that we have chosen to represent the VHDL bit_vectors for the Child component 
as integer values instead. The VHDL representation of the Uniform Candy Distribution 
Puzzle required the application of several VHDL functions to perform the necessary divi­
sions for bit-vector signals. As these functions have not been defined within SVA4VHDL, 
we represent the signals as integer values of the same length. Should we wish to provide 
a direct translation of these VHDL signals, binary division and binary addition functions 
would be required.
The SVA4VHDL syntax is not necessarily easy to interpret; recall th a t we used the 
intermediate SVL language in Section 4.1.6 to illuminate SVA behaviour. However, using 
the translation patterns we can produce a representation of the Child VHDL component 
behaviour. Thus, applying the translation patterns T P g ,  T P 4 ,  T P g ,  T P g ,  T P 7 ,  T P g ,  and 
T P  1 0 , we can then translate the behaviour of the VHDL Child component process share 
to give:
94 Chapter 5. Augmenting SVA to Deûne a Single VHDL Component
Psha re  ()=VHDLProc.  ( { I V .  1 , I V . 2  , I V . 3 }  ,
Cond.  (CcmpOp.Eq.  I V a r . IV . 1.  C o n s t .  1 ,
Cond.  (CompOp.Eq. I V a r . IV . 2 . C o n s t . 1 , 
l a s s i g n .  ( I V a r .  IV.  7 , C o n s t .  0)  ,
S Q . < Co n d. (CompOp.Eq. I V a r . IV . 7.  C o n s t . 0 ,
S Q . < l a s s i g n  . ( I V a r . I V . 5 , BIOp. D i v . I V a r . IV . 7.  C o n s t . 2) , 
l a s s i g n  . ( I V a r . I V . 7 ,BIOp.  P l u s  .
BI Op . D i v . I V a r . IV . 7.  C o n s t . 2 . I V a r . I V . 4 ) > ,
S Q . < l a s s i g n  . ( I V a r . I V . 7 , I V a r . I V . 4)  , 
l a s s i g n  . ( I V a r  . I V . 5 , C o n s t . 0)  > ) ,  
l a s s i g n  . ( I V a r . I V . 6  , I V a r , IVar  . IV . 7)  > ) ,
Cond.  (CompOp.Eq. I V a r . IV . 3 . C o n s t . 1 ,
l a s s i g n  . ( I V a r . I V . 7 ,BIOp.  P l u s  . I V a r . IV . 7.  I V a r . IV . 4)  ,
Sk ip)
) ) ,  ({},{})
Finally, employing the translation pattern  in Table 5.3, the VHDL description of the 
Child component would be fully transformed. This final pattern  produces the compilation 
process and the additional information required for modelling VHDL sensitivity lists:
Comp_Child =  VHDLCompi le(<Pshare  () > ,  ( { } ) )
S e n s L i s t s  =  < ( 0 , {F V. 1  , I V . 2  , I V . 3 } ) >
Using FDR, a deadlock check can then be performed on this definition. As expected, 
since each child VHDL component should always be able to accept and pass sweets, the 
definition passes.
SV A 4V H D L C h ild  C o m p o n e n t O u tp u t  T race  In order to visualise the output 
of our SVA4VHDL compiler with respect to this small translation, a trace for the 
Comp_Child process is given in Figure 5.234. Furthermore, we clearly identify the sta­
bilisation cycles within the trace. Similarly, we can distinguish the signal updates for 
the internal signal IV.7 and the output ports IV.5 and IV.6 , iwrite and outp events 
respectively.
Clearly, the SVA4VHDL compiler must be further adapted to enable the representation of 
VHDL systems made up of multiple components, such as the Uniform Candy Distribution 
Puzzle. We address this problem, and the subsequent issues that arise in the next three 
chapters.
4 T h e  t r a c e  i n  F i g u r e  5 . 2 3  w a s  p r o d u c e d  b y  e x p l o r i n g  t h e  C h i l d r e n  S w e e t s  S V A 4 V H D L  m o d e l  u s i n g  
P r o B E  [3 7 ]
5.6. Running Example: Candy Puzzle: SVA4VHDL Approach 95
S t a ble
sigchanged.O.IV .S.true 
calculate 
iveval.O.IV.1.0 
iveval.O.IV .3.0 
step 
arb-false.O 
calculate
stable 
xch .IV  A.3 
xch .IV .3.1
sig chang ed.O. I V  .3.true 
calculate 
iveval.O.IV .1.0 
iveval.O.IV .3.1 
iveval.O.IV .7.0 
iveval.O.IV A.3 
ivwrite.O. I V .7.3 
step
U n s t a b l e
U n s t a b l e
Figure 5.23: Uniform Candy Distribution Puzzle: SVA4VHDL Child trace
Chapter 5. Augmenting SVA to Define a Single VHDL Component
Chapter 6
VHDL Com ponents in 
SVA4VHDL
Previously, Chapter 4 identified a compiler for formally analysing threaded processes, 
which could be augmented to model hardware systems, and documented the changes 
required. Chapter 5 set about implementing the first of these changes, enabling the 
translation of a single VHDL component. However, since VHDL systems usually com­
prise multiple-component instantiations, further changes are required to model larger 
VHDL systems.
Firstly, in this chapter, Section 6.1 gives a small example to clarify the ideas to be 
conveyed. Secondly, Section 6 . 2  defines a hierarchical stabilisation model suitable for 
modelling multi component VHDL systems. Lastly, possible approaches for modelling 
hierarchical VHDL systems are then discussed in Section 6.3, which serve to justify our 
chosen approach.
6.1 A n Illustrative Exam ple
From Chapter 2, VHDL systems are normally constructed from small components. These 
components are instantiated and composed using VHDL port mappings, which connect 
the output port of one instantiated VHDL component to the input port of another.
Figure 6.1 illustrates a simple VHDL architecture comprising two instantiated compo­
nents, comp A and compB, connected using a VHDL port mapping. The VHDL descrip­
tions are defined in Figures 6.2 and 6.3 respectively. The behaviour of this VHDL system
97
98 Chapter 6. VHDL Components in SVA4VHDL
compBcomp A
Figure 6.1: VHDL component port mapping
e n t i t y  compA i s  
p o r t  ( i n i  , in2 : i n  BIT;  
o u t l , o u t 2 : o u t  BIT) ;  
e nd  e n t i t y
a r c h i t e c t u r e  r t l  o f  compA i s  
s i g n a l  i n t e r n a i l  : BIT ; 
p r o c e s s  P A ( i n i , i n 2 )
i n t e r  n a i l  < =  n o t  ( i n i  and i n 2  ) ; 
e nd  p r o c e s s  PA; 
p r o c e s s  P B ( i n i , i n 2 , i n t e r n a i l )  
o u t l  < =  n o t  ( i n t e r n a i l  and  
i n t e r n a i l ) ;
o u t 2  < =  n o t  ( i n t e r n a i l  and  
i n t e r n a l l ) ;  
e nd  p r o c e s s  PB 
end;
e n t i t y  compB i s  
p o r t  ( i n i ,  in2 : i n  BIT ; 
o u t l , o u t 2 : o u t  B I T ) ; 
e nd  e n t i t y
a r c h i t e c t u r e  r t l  o f  compB i s  
s i g n a l  i n t e r n a l l  : BIT ; 
p r o c e s s  PC( i n i  , in2  )
i n t e r n a l l  < =  n o t  ( i n i  and i n 2 ) ;  
e nd  p r o c e s s  PC; 
p r o c e s s  P D ( i n l  , in2 , i n t e r n a l l )
o u t l  < =  n o t  ( i n i  and i n t e r n a l 1 );  
o u t 2  < =  n o t  ( i n 2  and i n t e r n a l l ) ;  
e nd  p r o c e s s  PD 
end;
Figure 6.2: VHDL description of components compA and compB
defines a hardware XNOR gate constructed of five NAND gates (we duplicate the last 
gate to provide an additional output), three of these are contained within compA and 
three within compB. The tru th  tables for compA and compB are given in Table 6.1 and 
Table 6.2 respectively.
We have seen in, Chapter 5, how to augment SVA to generate a formal model for a single 
VHDL component. Further changes must be made to distinguish between different VHDL 
components within the same system to correctly model multi-component VHDL systems.
in i in 2 o u t l o u t 2
F F T T
F T T F
T F F T
T T T T
in l in 2 o u t l / o u t 2
F F T
F T F
T F F
T T T
Table 6.1: Truth table for compA Table 6.2: T ruth table for compB
6.2. A  VHDL Hierarchical Stabilisation Model 99
e n t i t y  compC i s  
p o r t  ( i n l  , in2  : i n  BIT ; 
o u t l , out2  : o u t  BI T) ;  
e n d  e n t i t y
a r c h i t e c t u r e  h s t r u c t  o f  compC i s  
s i g n a l  i n t e r n a l  1 : BIT;
s i g n a l  i n t e r  n a l 2  
c ompone nt  compA 
p o r t  ( i n l  , i n 2  
o u t l , o u t 2  : 
e nd  c ompone nt  ; 
c ompone nt  ~ compB 
p o r t  ( i n l  , i n 2  : 
o u t l , o u t 2  : 
e n d  c ompone nt  ;
: BIT;
i n  BIT;  
o u t  BIT ) ;
i n  BIT;  
o u t  BIT) ;
b e g i n
cA : compA p o r t  map(  
i n l  = >  i n l  , 
i n 2  =>  i n 2 , 
i n t e r n a l  1  = >  o u t l ,  
i n t e r n a l 2  = >  o u t 2 ) ;  
cB : compB p o r t  map(  
i n t e r n a l l  =>  i n l , 
i n t e r n a l 2  =>  i n 2 , 
o u t l  =>  o u t l , 
o u t 2  =>  o u t 2 ) ;
end;
Figure 6.3: VHDL port mapping of compA and compB description
, ~ stable -t- ~.stable
inl 'outl in3 out 3
in2
compA
out 2 in4
compB
out4
■ step .step
Figure 6.4: Stabilisation models for compA and compB
6.2 A  V H D L Hierarchical Stabilisation M odel
Recall, a VHDL component can either be in a stable or an unstable state. Further, a 
component may only be considered to be in a stable state when all internal behaviour 
has finished executing, and the component is awaiting external stimuli. This behaviour 
has previously been described in Figure 5.1 on page 64.
W ithin our work, we have decided to work with a more complex idea of stabilisation with 
respect to hierarchical VHDL components, taking a simulation view of a VHDL system 
to provide more detailed feedback. The stabilisation of a component, identified in the 
SVA4VHDL compiler as a stable event, must now be considered.
From Figure 6.1, we consider compA and compB to be inner components, and compC to 
be an outer component. For each incremental progression towards stabilisation, a VHDL 
outer component must first wait for its inner components to stabilise before it can then 
itself stabilise.
100 Chapter 6. VHDL Components in SVA4VHDL
'  " stable/ \ C
inl 3Utl
3Ut2in2
compBcompA
, - steP(
ôûti internall in3
compC
□ut2 intfirnal2 i”4
step
- ‘B te p g
Figure 6.5: Stabilisation model for compC
The step and stable events are particular to a component, thus these are unique to both 
compA and compB. In Figure 6.4, we append our earlier system architecture illustration, 
Figure 6.1, to distinguish between stable and step events by introducing dotted circles 
for internal step events, and dashed circles for external stable events for clarity.
Considering the two components depicted in Figure 6.4, when these are captured in 
a VHDL hierarchical structure, such as that shown in Figure 6.5, it is necessary to 
introduce synchronisations between the hierarchical stabilisation events. Notice tha t in 
order to synchronise these stabilisation events we rename the stable events of the original 
contained components (compA and compB) to the unstable (stepc) event of the containing 
component, compC). This is visually shown in Figure 6.4, where the stable event (on the 
corner top right of compA) becomes stepc  in Figure 6.5; similarly for compB.
Figure 6 . 6  provides a state machine of the stabilisation model for our small example; 
this state machine is generic for any two components. In Figure 6 . 6  we identify unstable 
states as U and stable states as S. For example, state Uc Sb  Ua  identifies that the outer 
component compC is unstable whilst the inner components compB and compA are stable 
and unstable respectively.
Consider the four unstable states UqSb Sa , Uc Ub Sa , Uc Sb Ua and Uc Ub Ua within 
Figure 6 .6 . For these four states components compA and compB can perform internal s t e p  a  
and s t e p s  events when they themselves are unstable respectively. The transition s tepA B  
identifies both  compA and compB entering into an unstable state during the same compC 
unstable cycle. When component compA and compB are both stable, only then can the 
s ta b le  event be performed so tha t all three components stabilise to the state S q Sb Sa -
Consider another example shown in Figure 6.7. Our component stabilisation state ma­
chine, Figure 6 .6 , is also applicable for this example; the architecture in which compA 
and compB are composed allows both components to transition from both being unstable
6.3. Scaling SVA4VHDL 101
"-.UNSTABLE
STABLE
stepc
stepc
U=Unstable
S=Stable
Figure 6 .6 : State machine of VHDL component stabilisation model
compB
compC
Figure 6.7: Simple VHDL component configurations
to stabilised concurrently, i.e., from state Uq Ub Ua to Uc Sb Sa since the two contained 
components are not reliant on each other (interleaved).
Whilst the stabilisation model, Figure 6 .6 , has been illustrated here for two inner com­
ponents, it is clear th a t this must be expanded for each additional component added to 
the outer component. Thus, increasing the number of contained components increases 
the complexity of the associated stabilisation model.
6.3 Scaling SVA4VH DL
In Chapter 5 it was not important to identify which processes were associated with 
a particular VHDL component because we were only concerned with one component. 
However, to enable the modelling of complex VHDL systems, we must be able to translate 
VHDL instantiated components. We discuss four approaches that could be adopted, and
102 Chapter 6. VHDL Components in SVA4VHDL
i n l o u t l
compC
in 2 o u t  2
a r c h i t e c t u r e  r t l  o f  compC i s  
s i g n a l  i n t e r n a l l  , i n t e r n a l ^  ,
p r o c e s s  P C ( i n t e r n a l 2  , i n t e r n a l s )  
i n t e r n a l ^  < =  n o t  ( i n t e r n a l 2  ,
i n t e r n a l s  , i n t e r n a l ^  : BIT;  
p r o c e s s  PA( i n l  , i n 2 )
i n t e r n a l s ) 
e n d  p r o c e s s  PC 
p r o c e s s  PD( i n t e r n a H  )
i n t e r n a l l  < =  n o t  ( i n l  and i n 2 ) ;  
e nd  p r o c e s s  PA
p r o c e s s  P B ( i n l ,  in2 , i n t e r n a l l )
o u t l  < =  no t  i n t e r n a H
i n t e r n a l 2  < =  n o t  ( i n l  and  
i n t e r n a l l ) ;
i n t e n r a l S  < =  n o t  ( i n 2  and
out2 < =  n o t  i n t e r n a H  
e n d  p r o c e s s  PD 
e nd;
i n t e r n a l l ) ; 
e n d p r o c e s s  PB
Figure 6 .8 : Flattened VHDL component compC
the last is the one tha t we adopt. In the next chapter (Chapter 7) we identify a clear 
perspective on the stabilisation model within our adopted approach tha t adheres to the 
stabilisation given in Figure 6 .6 .
6 .3 .1  F la tte n in g  a  V H D L  C o m p o n en t B efo re  T ra n sla tio n
Our first suggested approach would require tha t a VHDL system be manipulated prior to 
compilation in SVA4VHDL, producing a single VHDL component tha t the SVA4VHDL 
compiler could assemble. It would therefore be necessary to flatten the VHDL hierarchy 
transferring all VHDL processes into a single component. In flattening the VHDL system, 
the behaviour of the inner components (the VHDL processes) must be lifted into a single 
outer component, and the changes to the signal names used by each process altered 
accordingly.
Figure 6 . 8  illustrates this by defining an alternative architecture for compC. This flat­
tening approach, whilst resulting in perfectly valid VHDL1, does not provide the same 
stabilisation behaviour th a t would be found in the original hierarchical architecture, given 
in Figure 6.3. Recall tha t flattening of VHDL is automatically performed by the tools 
when pushing-to-chip, and is thus no longer considered a VHDL design model. Further­
more, flattening the VHDL system by hand could lead to errors in the translation and
1 T h e  r e a d e r  i s  r e f e r r e d  t o  S e c t i o n  2 . 1 . 5  w i t h  r e g a r d s  t o  f l a t t e n i n g  V H D L
6.3. Scaling SVA4VHDL 103
introduction of unwanted behaviour and/or removal of required functionality.
This approach mirrors the compilation method identified within the VHDL LRM [70]. 
However, this technique is applied for ‘push-to-chip’ not simulation, and thus may remove 
potential information pertinent to analysis of the design.
6 .3 .2  In d iv id u a l C o m p ila tio n
Alternatively, using our SVA4VHDL compiler, it would be possible to compile the 
SVA4VHDL translation of each behavioural VHDL component2  individually into CSP 
processes. The components would require separation as depicted in Figure 6.9, stage 1 
[VHDL Component Extraction).
Once these individual CSP processes have been created by iteratively running the SVA4- 
VHDL compiler, illustrated by stage 2 in Figure 6.9, the CSP compiled processes (comp- 
A csp etc.) may be composed. Additionally, CSP renaming would be utilised to connect 
the VHDL signals, as defined within each VHDL port mapping. These CSP renamings 
are not defined within our illustration since they cannot easily be defined as repeatable 
patterns as they are unique to a particular VHDL system.
Then these individual CSP processes could subsequently synchronise on the CSP chan­
nel equivalent of the VHDL external signals identified in the port mapping. This is 
highlighted as stage 3 in Figure 6.9.
Compiling the translated VHDL components and subsequently composing the CSP pro­
cesses in this way, is a valid approach, but requires tha t the composition of the CSP 
processes be carefully constructed for each VHDL system. As the VHDL components 
would have been translated and compiled prior to composition, the dynamically generated 
alphabets of the CSP processes would no longer be available for use in the composition 
stage to produce compCesp', recall the CompileList function from Section 4.3.2.
Thus, changes to the SVA compiler would be required to store the alphabets of each 
CSP process representing a VHDL component, and subsequent additional functions ap­
plied. Once these alphabets were known, CSP renaming would need to be introduced 
to connect the signals of different VHDL component instantiations together. The CSP 
renaming would also require careful application to replicate the hierarchical structures 
of an individual VHDL system. Furthermore, in order to generate a translation of the
2 A  V H D L  c o m p o n e n t  t h a t  d o e s  n o t  c o n t a i n  a n o t h e r  V H D L  c o m p o n e n t
104 Chapter 6. VHDL Components in SVA4VHDL
inl DUtl
DUt2jjl2_
step
ExtractionVHDL Component
stable i t a b l ^
inl "outl in3 out 3
in2
step
SVA4VHDL Compilation
sigsCcompBcompA
compB
compBcompA
compA
inl
in2
"outl
out 2
step
step
in4
in3
step
CSP Composition
compC
Figure 6.9: Individual compilation of VHDL components
VHDL system, the stabilisation model detailed in the previous section would also need 
to be added alongside the component composition, identified in Figure 6.9 as sigsCcsp-
Clearly, this approach does not scale easily and the problems would become obvious when 
dealing with larger VHDL systems. These problems would include correctly identifying 
events when reporting feedback since there would be overloading on process identifiers, 
and so would need to be carefully mapped back to the correct components.
6 .3 .3  B e h a v io u ra l C o m p o n e n t C o m p ila tio n
Rather than compile each behavioural VHDL component separately, another approach 
would be to compile all VHDL behavioural components within a VHDL system together 
in stage 2 of the previously suggested approach. Issues relating to uniqueness of process 
identifiers that were an issue in the individual compilation approach would therefore be 
removed. We visualise this approach for generating a CSP model from a VHDL system 
in Figure 6.10.
The first step would be to extract the VHDL behavioural components from a hierarchical
6.3. Scaling SVA4VHDL 105
VHDL systems structure, identified as stage 1 in Figure 6.10; this is the same as individual 
compilation. Next all the processes of the behavioural components would need to be 
translated to SVA processes, and subsequently compiled in the SVA4VHDL compiler, 
identified as stage 2 in Figure 6.10.
At the end of stage 2, the compiled VHDL processes would be returned as a CSP model, 
compABcsp- However, the VHDL process behaviour captured in this model would be 
incomplete. It would be necessary to introduce an additional CSP process describing 
the VHDL port mapping for this system, sigsCcsP, Figure 6.10. In order to combine 
compABcsp with sigsCcsp a renaming of xch to ivevdl events and outp to ivwrite events 
to compABcsp is necessary; this is stage 4 in our visualisation.
W ithin this approach the stabilisation model in Figure 6 . 6  is not applicable since syn­
chronisations occur on all stable and step events, across all VHDL components. Thus, 
the approach would utilise the simple stabilisation model of a single component, Figure 
5.1 on page 64. Even though the timing model is simple, the complexity during the 
réintroduction of the hierarchy means this is not a sensible approach. Aside from this, 
it is obvious tha t generating the renaming required to reapply the original VHDL hier­
archical structure would quickly become very complex as larger systems were translated 
using this approach. Indeed, it would require deconstruction of the VHDL structures 
(step 1), iterative compilation within FDR of each hierarchical component level (step 2), 
application of the correct synchronisation events and complex renamings for each level 
(step 3) to ensure the correct hierarchical structure is reapplied.
6 .3 .4  D e fin in g  a  H ierarch ica l S tr u c tu r e  w ith in  S V A 4 V H D L
Rather than  re-introduce the hierarchy of a VHDL multiple component system after 
SVA4VHDL compilation, the information pertaining to the composition of the compo­
nents within the system may be collated and introduced using a suitable syntax prior to 
compilation. This information can then by processed during the translation of a VHDL 
system to create the correct structure required.
In Figure 6.11 we note th a t only one stage is required to translate and compile an 
SVA4VHDL model to correctly represent a VHDL system comprising multiple compo­
nents. We discuss this approach in detail in the following chapters, discussing not only the 
further changes and additions made to the SVA4VHDL compiler, but also the application 
of CSP renaming to correctly identify channels for synchronisation. This approach pro­
vides an elegant, scalable method for capturing a VHDL system hierarchy dynamically,
106 Chapter 6. VHDL Components in SVA4VHDL
„ j3 table
3Utlini
122.
step
ExtractionVHDL Component
ini "outl in3
in2
step step
SVA4VHDL Compilation
sigsCcompAB
compB
compBcomp A
comp A
ini
in2
~ontl
step
step
in4
in3
step
CSP Composition
compC
Figure 6.10: Combined compilation of VHDL components
without the need for additional hierarchical information and post compilation manipula­
tion. Furthermore, by adopting the component stabilisation model, illustrated in Figure 
6 .6 , the provision of more detailed feedback is obtainable, identifying not only the VHDL 
processes but also the VHDL components involved in a counter example.
3Utli nl
in2
step
SVA4VHDL Compilation
compC
compBcomp A
ini
in2
"outl
step
step
compC
in4
in3
"'xsteP(
Figure 6.11: Hierarchical compilation of VHDL components
Chapter 7
Defining a Hierarchical Structure 
for SVA4VHDL
In this chapter we introduce a hierarchical structure able to represent VHDL systems 
composed of instantiated components, which we identified in Chapter 4, as a key aspect 
of our new SVA4VHDL compiler.
In order to correctly model such structures, the current CSP events generated by 
SVA4VHDL must be augmented to provide additional information pertinent to identify­
ing interactions between components. In the previous chapter we identified th a t such a 
structure should be integrated into the compiler, removing the need for multiple steps to 
the translation. This chapter is therefore structured as follows: in Section 7.1 we augment 
the current SVA4VHDL compiler by adding an additional parameter to the generated 
CSP events, relating a component with each event. Using these new events, we describe 
our new hierarchical structure for representing hardware descriptions in Section 7.2. To 
provide clarity, the compilation workflow for this new hierarchical structure is conveyed 
in Section 7.3. A translation method for converting hierarchical VHDL components to 
this new structure is given in Section 7.4. Finally, Section 7.5 illustrates the use of the 
new structure and translation method.
107
108 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
7.1 A dding a C om ponent Param eter to  SVA4VH DL  
G enerated CSP Channels
To identify components in SVA4VHDL we introduce a new parameter, c, to the channels 
step, calculate, arb-false, sigchanged, iwrite, xch, outp, iveval and ivwrite, included as 
the first param eter for each channel. The datatype, compnames associated with our new 
parameter, c, is an enumeration of all VHDL components names.
Recalling the small example from Chapter 6 , comprising two components comp A and 
compB within an outer component compC. The datatype for compnames would be de­
fined as:
datatype compnames = comp A  | compB \ compC
Carrying this additional parameter throughout the SVA4VHDL compiler functions would 
be tedious and require numerous changes to functions throughout the SVA4VHDL com­
piler. Instead we define an extraction function, getComponent(id) as follows:
getComponent(id) =  {x  | (x, k) <— Components, m em ber(id,k)}
where Components is a set of tuples, and each tuple relates a component identifier with 
a set of process identifiers. For the example in Figure 6.3 on page 99, Components would 
be defined as:
Components = {(compA, {1,2}), (compB, {3,4}), (compC, {5})}
Then getComponent{id) returns a singleton set containing the component name from a 
process identifier, from which we use the element.
The process identifiers assigned for the behavioural processes of compA and compB are 
1, 2 and 3, 4 respectively. The compC component from Figure 6.3 never contained 
a process and only contained component instantiations. To correctly return an outer 
component, we add a new process identifier specifically for the component. In the case 
of compC, we introduce a new process identifier, 5. This enables us to define a tuple for 
each component.
Process identifiers are assigned during compilation. Thus, we must be vigilant when 
defining the Components set as errors in its definition will result in invalid model gener­
ation.
7.2. Capturing Multi-Component VHDL Systems in SVA4VHDL 109
M ainProc(Iassign.(el ,  e ) , j )  =  let
c =  getElem (getCom ponent( j ))
Q{lv)  =  let 
P (r v )
'if m em ber(rv ,  ctype(lv))  then  
i v w r i te lc . j . lv .rv  —> 
i f  member(Iv, D irtyVars)  
then ivw r i te lc . j . Iv .rv  —> S K I P  
else S K I P  
else error, c . j  —> S T O P  
within IExpEval(e, P , j )  
within ILvEval(el, Q , j )
Figure 7.1: Adding a component parameter to the MainProc process
Clearly, the inclusion of the component name for stabilisation events is key when analysing 
trace information about a system, distinguishing stabilisations of different components. 
Note th a t we do not append the stable event since it provides a synchronisation channel 
across contained components which, as identified in Chapter 6 , must synchronise and 
may be renamed throughout a hierarchical structure.
A process identifier is already carried by almost all compiler functions, an assignment 
within each compiler function to c, using getComponent(id) and the process identifier, can 
be added. Thus, the additional parameter, c is populated during compilation. Figure 7.1 
illustrates the style of the change made to the compiler functions. It shows the MainProc 
process tha t generates the required ivwrite events for all lassign pattern  matches, and 
tha t these events now include the component parameter.
The getComponent(id) is also added to the IntSIG  process, previously defined in Sec­
tion 5.2.1. A benefit of introducing the component parameter in this fashion is tha t 
the signal definition, IntSIG , restricts the internal events iveval, ivwrite to only those 
processes within the component. This is a stronger restriction than  previously applied to 
the IntSIG  definition and thus further reduces the state space of the generated process 
earlier in the compilation process.
7.2 Capturing M ulti-C om ponent V H D L System s in 
SVA4VH DL
In Section 4.4 we identified a hierarchical compilation strategy akin to VHDL multi- 
component systems, which exists within the original SVA compiler, CmdStruct. This
110 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
strategy allows us to create tree like structures, where VHDL processes may be thought 
of as leaves and VHDL components nodes, since VHDL components may contain both 
processes and components. In the original SVA form, CmdStruct is not suitable for 
defining VHDL multi-component systems. Clearly, we ought to adapt this compilation 
strategy to handle hierarchical VHDL systems.
The CmdStruct structure was illustrated in Figure 4.9. We alter this design to distin­
guish between VHDL processes, VHDL behavioural components and VHDL hierarchical 
components. In this section we describe the changes made to the CmdStruct to correctly 
capture these three different VHDL structures.
The CmdStruct had two enumerated types, CSLeaf and CSNode. The CSLeaf is suffixed 
with Cmd, allowing any of the SVA sequential syntax datatypes to follow. The CSNode 
is defined as containing a sequence of CmdStruct elements, providing the ability to de­
fine tree structures within the hierarchy. Our specialised datatype, VStruct, based on 
CmdStruct, is made up of several constructs VProc, VRTL, VP Map] we describe each in 
turn.
V P ro c  Recall tha t Cmd within our SVA4VHDL compiler contains specific datatypes 
for defining VHDL processes. The smallest SVA4VHDL construct must therefore capture 
a translated VHDL process. This is identical to the definition of a CSLeaf and it is 
therefore obvious tha t VHDL processes, identified using the new datatype VProc, may 
be defined within our structure as:
VProc. Cmd
Unlike the original CmdStruct, our VStruct must differentiate between different hierar­
chical elements. It is not realistic to consider only a leaf and node structure for VHDL. 
Indeed, a VHDL component may be of two types: one tha t contains only VHDL processes 
(VProc)] and one tha t contains instantiated VHDL components and possibly further 
VHDL processes.
V R T L  The first of our two node style datatypes, VRTL, captures only behavioural 
VHDL processes, in tha t it does not have the capacity to describe VHDL port mapping 
information. The VRTL  construct is defined:
VRTL.compnames.Seq( VStruct).Set((ivnames, ivnames))
7.2. Capturing Multi-Component VHDL Systems in SVA4VHDL 111
The VRTL  construct contains three elements, defined using CSP datatypes:
• compnames: the name of the VHDL component it represents;
• Seq{VStruct): a sequence of its own datatype, allowing VRTL to specify contained 
VProc structures;
•  Set((ivanmes, ivnames)): a set of tuples comprising two signal identifiers, for the 
purpose of defining inout ports.
The final element of VRTL provides information necessary for renaming signals within 
a single component. Recall from Chapter 2, VHDL components may have inout ports. 
Until now, it has not been possible to represent ports of type inout within SVA4VHDL 
since defining the behaviour was not straightforward. Using renaming permits the repre­
sentation by reporting the value of an output port as the stimulus of an input port. At 
present, we only identify th a t the relevant signal names be provided in the definition; we 
will discuss this functionality in more detail in the next chapter.
V P M a p  The final construct, VP Map, permits capture of VHDL components that 
comprise component instantiations, both of type VRTL and VPMap. Furthermore, the 
construct may also contain VProc constructs. In essence, the VPMap definition builds on 
the previous node definition for VRTL, adding a suitable datatype to capture VHDL port 
mappings, and component signals for those signals not used within any VHDL process. 
The VPMap construct takes the form:
VPMap.compnames.Seq( VStruct)
.Set(((compnames, ivnames), (compnames, ivnames)))
.(pnums, Set(ivnames))
The VPMap construct contains four elements, again defined using CSP datatypes:
• compnames: the name of the VHDL component it represents;
• Seq( VStruct): a sequence of its own datatype, allowing VPMap to specify contained 
VStruct structures;
• Set ((compnames, ivnames), (compnames, ivnames)): a set of tuples representing 
VHDL port mappings, comprising two identical tuples, both specifying a compo­
nent name and a signal identifier;
112 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
• (pnums, Set{ivnames)): information to generate the component’s signals, associ­
ated with a process identifier.
The VRTL  construct provided information pertinent to the introduction of the VHDL in­
out port. Our VPMap removes this original renaming element of the VRTL  construct, re­
placing the tuple within the definition with a tuple of tuples: Set ((compnames, ivnames), 
(compnames, ivnames)).
Each tuple identifies a component name, and a signal identifier; clearly, two of these 
tuples relate to a VHDL port mapping element. Once more, CSP renaming can be 
employed to implement the required behaviour. The final tuple within the definition 
captures the signal identifiers within a hierarchical component and associates them with 
a process identifier; recall our previous discussion on this concept in Section 7.1.
We discuss the implementation functions tha t utilise the information captured by these 
constructs to model in o u t ports, port mappings and component signal generation m the 
next chapter.
C a p tu r in g  a  V H D L  sy s te m  w ith  VStruct
Using the small example from Figure 6.3 on page 99, we illustrate the use of the VStruct 
datatype to correctly capture a VHDL hierarchical component system.
From the system defined in Figure 6.3, we assume that four SVA4VHDL processes are 
defined: PAQ, PB(), PCQ, and PD(). To use VStruct, VProc. must be prepended to 
each process.
Since neither compA, nor compB, contain inout ports, the mapping of these two compo­
nents to the VStruct datatype take the form: VRTL. comp A. (VProc. PAQ, VProc.PB ()).{}, 
and VRTL.compB.(VProc.PCQ, VProc.PD()).{}.
Translating compC is more involved. Clearly, the first three elements of the VPMap 
datatype can be easily captured. To map the port mappings, the signal mapping function 
from Section 5.5, must be employed. Recall in Section 5.5 it was mentioned that the 
definitions for these signal mapping functions were over specified. It is now clear that 
this over specification was necessary to correctly capture the more complicated VHDL 
systems we are currently discussing. Assuming the basis of these sets, based on our small 
example, are:
7.2. Capturing Multi-Component VHDL Systems in SVA4VHDL 113
signalMappingin = { ( ( c o m p A ,  i n i ) ,  I V . 1), ((compA,  m2),  I V . 2),
{{compB,  m l ) ,  I V . 6), { {compB,  m2),  I V . 7),
( (com pC ,  ml ) ,  I V . 11), ((compc,  m2),  IV . 12)} 
signalMappingout =  {{{com pA , o u t l ) ,  I V . 3), ( (compA, out2), I V A ) ,
((compB, o u t l ) ,  I V . 8), {{compB, out2), I V . 9),
{ {compC, o u t l ) ,  I V . 13), ((com pC , out2),  / V 1 4 ) }  
signolMappingintemal — {{{com pA , in t e m a l l ) ,  I V . 5), ( (compB, in t e m a l l ) ,  I V . 19),
( (com pC , in t e m a l l ) ,  I V . 15), ((com pC , in tem al2 ) ,  / V 1 6 ) }
We can produce the following set of port mapping information for our definition using 
the s i g n a l M a p p i n g  functions:
{ ((com pA ,  / V I ) ,  (com pC,  / V i l ) ) ,  ((compA, I V . 2), (compC, IV .12)) ,
((compA, I V A ) ,  ( compC, I V . 13)), ( (compA, I V . 5), (compC,  JV14)) ,
{{compB, I V . 6), (compC, I V . 13)), {{compB, I V . 7), ( compC,  / V1 4 ) ) ,
((compB, I V . 9), (compC, I V .15)), ( (com pB ,  /VIO) ,  (com pC, I V . 16))}
Similarly, the tuple for defining compC’s signals must also be populated. Since process 
identifiers 1 . . .  4 already exist (recall Section 7.1) we use process identifier 5 for identifying 
compC events. The associated set of signal identifiers can then be generated using:
{ x  \ x  e  s i g n a l M a p p i n g i n  U  s i g n a l M a p p i n g out U s i g n a l M a p p i n g i n ternai ,  E i  =  c o m p C }
Thus, we can define the entire compC system, including both inner components, compA 
and compB, using our new SVA4VHDL hierarchical structure as:
VPMap. compC.
<VRTL.compA.< V P r o c . P A () ,V P r o c . P B ( )  > . { } ,
VEHL. compB. < VPr oc  . PCQ , V P r o c .P D ( ) > . { } >
. { ( ( compA, I V . 1 ) , ( compC , I V . 11 ) ) , ( ( compA, IV . 2 ) , ( compC , I V . 12 ) ) ,
( (compA, I V . 4)  , (compC , I V . 13)  ) , ( (compA, IV . 5 )  , (compC , I V . 14)  ) ,
( (compB, I V . 6 ) , ( c o m p C , I V . 13)  ) , ( ( compB, I V . 7 )  , ( compC , I V . 14)  ) ,
( (compB, I V . 9 )  , ( c o m p C , I V . 15)  ) , ( (compB, I V . 10)  , (compC , I V . 16)  ) }
. ( 5  , { I V . 11 , I V . 1 2  , I V . 1 3  , I V . 1 4  , I V . 1 5  , I V . 1 6 } )
Note that, this small translation does not clearly identify the order in which process 
identifiers are assigned. We refer the reader back to Section 4.4, on page 56, where 
we identified tha t the C S t r u c t  compilation strategy applied a depth first, left to right 
assignment for process identifiers. Understanding this indexing strategy for SVA4VHDL 
processes is crucial to the composition of a system. It will be necessary for the translation 
from VHDL to SVA4VHDL to correctly comprehend this ordering. As will become clear 
in Chapter 8 , the compilation approach applied to the C S t r u c t  structure is also relevant 
to our compilation strategy.
The hierarchical structure we have identified within this section is only that, a structure. 
In the following chapter we detail how this structure may be compiled to produce a 
suitable representation of a VHDL system.
114 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
VHDL multi-component system
Reapply hiearchical structure 
to compiled SVA4VHDL processes
Compile SVA4VHDL 
sequential processes
Translate VHDL multi-component 
iystem to hierarchical SVA4VHDL
Remove hierarchical structure foi 
SVA4VHDL processs compilation
Compose compiled SVA4VHDL processe: 
using hierarchical structure
CSP Model
Figure 7.2: Translation and compilation workflow of VHDL multi-component systems
7.3 Com pilation Framework for Hierarchical Structures
The hierarchical structure we have defined, and the methods tha t will be employed in its 
compilation are not necessarily easy to visualise. We provide a domain level view of the 
stages, illustrating the workflow needed within our approach to compile hierarchical sys­
tems in Figure 7.2. Indeed, Figure 7.2 identifies the five stages necessary for compilation 
of hierarchical SVA4VHDL systems:
s ta g e  1 Section 7.4 discusses a suitable translation method for VHDL hierarchical sys­
tems to our newly defined VStruct datatype.
s ta g e  2  Section 8.1 defines new functions to extract SVA4VHDL processes from VStruct 
structures for compilation.
s ta g e  3 Section 8 . 2  identifies the compilation of SVA4VHDL processes.
s ta g e  4 Section 8.4 discusses the reapplication of the hierarchical structure to compiled 
SVA4VHDL processes.
s ta g e  5 Section 8.5 details the composition strategy applied to the compiled SVA4VHDL 
processes, using the hierarchical structure and additional information tha t it pro­
vides.
7.4. Translation Technique for a Hierarchical Structure 115
□
1 — 1
% % % %
PiO
l(D
((-Pi, Ai) ,  (P2 , A 2 ), (P3 , A3 ), (P4, A 4 ))
©
CSP Model
Figure 7.3: Visual representation of the workflow shown in Figure 7.2
Further illustration is given by identifying a structural ‘shape’ of a system through each 
stage of the compilation framework in Figure 7.3. The stages identified (1, 2, 3, 4, and 5) 
here tie with those identified in Figure 7.2.
7.4 Translation Technique for a H ierarchical Structure
Q
10I hoi hoi hoi \ ©
©
(fiO, #().%(), W; 
1©
©
Since introducing a hierarchical structure for capturing VHDL within SVA4VHDL, the 
translation patterns from Section 5.5 are no longer valid. In particular, the architec- 
ture_statem ent_part can no longer be correctly captured by the translation pattern  given 
in T P 3  on page 8 8 .
Indeed it is no longer possible to identify a simple pattern  for the translation. Instead 
we provide a suitable algorithm in the form of pseudo code th a t defines a procedure for 
capturing VHDL as SVA4VHDL defined across three figures, Figure 7.4, 7.5, and 7.6. 
The procedure tmnslateSystemQ  in Figure 7.4 takes in a VHDL system and generates a 
SVA4VHDL representation.
116 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
p r o c e s s ^  : =  0;
i n s t a n c e ^  : =  0; 2
t r a n s l a t e S y s t e m  ( s y s  ) =  {
t r a n s i a t e - p r o c e s s e s ( s y s , i n s t a n c e ^ )  ; 
i n s t a n c e ^  : =  0;
t r a n s l a t e - c o m p o n e n t s  ( s y s  , i n s t a n c e ^ )  ; } 7
Figure 7.4: VHDL architecture, statement part, translation pattern v2
As identified within Chapter 5, a process identifier is introduced in place of each VHDL 
process name. Since the chosen approach for generating SVA4VHDL models of hierar­
chical VHDL systems (Section 6.3.4) first compiles all processes in the order presented, 
it is necessary to replicate the same order when performing the translation; hence, we 
introduce a global counter processif- VHDL systems must be traversed twice in order to 
capture the system correctly, ensuring the process identifier ordering is maintained.
The first traversal of a VHDL system is performed by translate-processes, Figure 7.5, 
that accepts a VHDL component, and an instance value for the component. For the top 
level component this is set to 0 .
As the translation is no longer capturing a single component, sets and lists must be 
defined tha t contain additional information regarding each component, which will be 
required during the compilation of the translated system. The use of these sets and 
lists are discussed in Chapter 8 . These sets and lists are first initialised in lines 9-11 in 
Figure 7.4. The naming convention for these sets requires not only the component name 
(design_entity), but also a unique identifier for each instantiation of the component in 
order to ensure global uniqueness.
The translate-processes procedure, lines 13-28 in Figure 7.5, iterates through each con­
tained instantiated component, recursively calling itself to perform a depth first left to 
right traversal of the system. This exploration populates the sets SensLists, Components 
and ContainedComponents, for a particular d e s ig n _ e n ti ty _ I^ , such that the list of 
each contained component is concatenated together and the sets unioned.
Lines 29-41 then identify the translation approach for all processes within each architec­
ture. We use the translation patterns from T P 4  and T P 5 , pages 89 and 89, to translate 
the VHDL process and generate the sensitivity lists respectively for the current archi­
tecture. It is within this iteration of an architecture that process identifiers are assigned 
and thus our counter processid incremented (line 34).
7.4. Translation Technique for a Hierarchical Structure  117
t r a n s l a t e _ p r o c e s s e s (  d e s i g n  . e n t i t y  , 1 ^ )  =  
d e s i g n - e n t i t y - l i d - S e n s L i s t  =  () 
d es  i g n  _e n t  i t  y  _I ^ - Compone nt s  =  {}  
d es  i g n _ e n  t i t  y_I  i d- Co n ta in ed C omp o ne nt s  =  {}
i f  a r c h i t e c t u r e  c o n t a i n s  i n s t a n t i a t e d - c o m p o n e n t s  { 
comps =  { } ;
f or  each ent  in a r c h i t e c t u r e { 
f or  each i n s t a n c e  o f  e n t { 
t r a n s l a t e - p r o c e s s e s ( e n t , i n s t a n c e ) ;
d e s i g n _ e n t i t y _ I i d - S e n s L i s t  =  d e s i g n - e n t i t y - I i d - 2 e n s h i s t  ^  
e n t _ i n s t a n c e _ S e n s L i s t  
d e s i g n _ e n t  i t y _ I i d -C om p on e nt s  =  d e s i g n - e n t i t y - I  id - Compone nts  U 
e n t - i n s t a n c e - C o m p o n e n t s  
comps— comps U { e n t _ i n s t a n c e }
}
}
d e s i g n _ e n t i t y _ I i d - C o n t a i n e d C o m p o n e n t s  =
d e s i g n . e n t i t y _ I i d - C o n t a i n e d C o m p o n e n t s  U  
{ ( d e s i g n  . e n t i t y  _I id , comps ) }
}
i f  a r c h i t e c t u r e  c o n t a i n s  p r o c e s s e s  { 
pr o cs  =  { } ;
f or  each p r o c e s s  in a r c h i t e c t u r e  {
TP4 ( p r o c e s s ) ;
pr o cs  =  pr oc s  U  { p r o c e s s i d }; 
pr o ce s Si d+ +;
d e s i g n _ e n t i t y - I i d - S e n s L i s t  =  d e s i g n - e n t i t y - I i d - S e n s L i s t  ^  
( ( p r o c e s s i d  .{TPs ( s e n s i t i v i t y _ l i s t ) } ) )
}
d e s i g n - e n t i t y  _I id - Components  =
d e s i g n _ e n t i t y _ I i d - C o m p o n e n t s  U
{ ( d e s i g n - e n t i t y - I  id,  pr o cs  ) }
}
Figure 7.5: VHDL architecture, statement part, translation pattern  v2 (continued)
118 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
t r a n s l a t e _ c o m p o n e n t s  ( d e s i g n . e n t i t y  , 1 ^ )  =  
po rt Ma ppi ngs  =  { }
d e s i g n  . e n t i t y  _I ^  -CComponents  =  { }
procnames  =  () 45
componentnames =  ()
i f  a r c h i t e c t u r e  w i t h i n  d e s i g n . e n t i t y  c o n t a i n s  o n ly  p r o c e s s e s  { 
for  each p r o c e s s  in a r c h i t e c t u r e { 
procnames  =  procnames  A  ( ‘VPr oc .  ’ pr o c e s s  1 ( ) ’) ; }  
i nOut Renami ngs  =  g e ne r a t e l O R e n a m i n g s  ( d e s i g n . e n t i t y  ) ; so
C o m p - d e s i g n . e n t i t y _ / i d =  ‘VRŒL. ’ d e s i g n _ e n t i t y _ I i d -  
p r o c n a m e s . i n o u t  r e n a m i n g s
}
i f  a r c h i t e c t u r e  w i t h i n  d e s i g n . e n t i t y  c o n t a i n s  c o m p on e nt s  { 
f or  each ent  in a r c h i t e c t u r e { 55
f or  each i n s t a n c e  of  e n t { 
t r a n s l a t e - c o m p o n e n t s  ( i n s t a n c e  , i n s t a n c e j d )  ; 
c omponentnames— componentnames A  ( Co mp _e nt _ i ns tanc e id  ) ; 
d e s i g n . e n t i t y  _I id -CComponents  =  d e s i g n _ e n t i t y _ I i d - C C o m p o n e n t s  U
{ e n t  _ ins  t a n c e  id-CComponents } ; go
po rt Mappi ngs  =  po rt Ma ppi ng s  U
t r a n s l a t e  P o r t  M a p p i n g  ( d e s i g n  . e n t i t y . I  id,
e n t . i n s t a n c e i d  , p o r t - m a p p i n g )  ;
i n s t a n c e i d + + ;
} 65
}
d e s i g n . e n t i t y  _I id-CComponents =  d e s i g n . e n t i t y  _I id -CComponents  U 
{ ( e n t i t y . d e s i g n  _I id,  p r o c e s s i d ) }  
for  each p r o c e s s  in a r c h i t e c t u r e { 
procnames  =  pr oc name s A  ( ’VPr oc .  ’ p r oc es s  ’ ( )  ’ ) ; }  70
c o m p o n e n t  P r o c es s  =  gener  at e C o m p o n e n t  P ro c es s  ( d e s i g n . e n t i t y )  ;
‘Comp’ . d e s i g n . e n t i t y _ I i d  =  ‘VPMap. ’ d e s i g n . e n t i t y _ I i d  . 
componentnames A  p r o c es s n am e s  .
p or t ma pp in gs  . c o m p o n e n t  P roc es s  
d e s i g n  . e n t i t y  _I id - Compone nts  =  d e s i g n  . e n t i t y  . I  id -Components  U 7 5
{ (  e n t i t y - I i d  , pr oc s  ) } 
p r o c e s s i d + + ;
}
Figure 7.6: VHDL architecture, statement part, translation pattern  v2 (continued)
7.4. Translation Technique for a Hierarchical Structure 119
The second pass of the VHDL system is performed by translate-components, Figure 7.6. 
In this function, lines 42-78, generate a hierarchical structure representation of a VHDL 
system, using the structure identified earlier in this chapter, Section 7.2. Thus, the 
procedure must gather information about port mappings, inout ports and component 
ports needed within the generated structure definition, where relevant. Two lists are 
initialised for capturing the contained processes and components of a component in the 
order traversed: procnames and componentnames.
To support the gathering of information during this traversal we introduce additional 
functions: generateComponentProcess, generatelORenamings, and translatePortMappings 
in Figures 7.7, 7.8, and 7.9 respectively.
Our procedure determines the VStruct type to be used for each VHDL component. 
Lines 47-53 correctly construct VRTL type components. For each process found within 
an architecture (that only contains processes), the name of the process is appended with 
the VProc structure identifier, and added to the procnames list. This ensures tha t the 
VRTL  component captures the correct order for the contained processes. In addition, 
the ports of the component are assessed by generatelORenamings and a set is returned 
to represent any inout ports, of the form described in Section 7.2. The VRTL  structure 
generated is then added to a set so tha t it may be added to its parent component where 
required.
Lines 48-78 describe the correct construction of VPMap structures. Clearly, this func­
tion must recursively call itself, line 57, to perform a depth first, left to right traversal of 
the VHDL system. The generated contained components from the iteration of the cur­
rent architecture, lines 55-66, are added to the componentnames list. The port mapping 
information for each instantiated component is analysed by translatePortMapping, Fig­
ure 7.9, returning a set containing elements of the form previously identified. The port 
mapping sets for each component are then unioned together to provide the information 
needed during compilation. Any processes within a VPMap component are then added 
to populate the procnames list in lines 69-70.
Our third supporting function, generateComponentProcess, Figure 7.7, is then called in 
line 71, assigning the value of processid to the current component. The VPMap structure 
can finally be generated, lines 72-74. Finally, the processid counter is incremented, and 
the newly defined VPMap structure is added to a set so tha t it can be composed within 
a parent component where appropriate.
The behaviour defined within generateComponentProcess and generatelORenamings, 
Figures 7.7 and 7.8, is straightforward. These functions examine the signals of the current
120 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
g e n e r a t e C o m p o n e n t P r o c e s s  ( d e s i g n . e n t i t y  ) =
s i g n a l s  =  { }  80
f or  each s i g n a l  . d e c l a r a t i o n  in d e s i g n . e n t i t y  { 
s i g n a l s  =  s i g n a l s  U { S ig n a lM a p p i n g  ( s i g n a l - d é c l a r a t i o n ) }
}
c o m p o n e n t  P ro c es s  =  ( p r o c e s s i d  , s i g n a l s  ) ;
r e t u r n  c o m p o n e n t  P r o c es s  ; 85
Figure 7.7: generateComponentProcess function
g e ne ra t e l O Re n a m i n g s  ( d e s i g n . e n t i t y )  =  
r en ami ng s  =  {}
f or  each por t  o f  t y p e  i no u t  in d e s i g n . e n t i t y  { 
r en am in gs  =  r e n ami ng s  U
{ ( S i g n a l M a p p i n g in , S i g n a l M a p p i n g out) }
}
r e t u r n  r en a mi ng s ;
Figure 7.8: generatelORenamings function
component, and generate sets of tuples of the correct return type.
The behaviour of translatePortMapping, Figure 7.9, is slightly more involved. The func­
tion takes in three parameters, the parent component name, the child component name 
(both with relevant instance information), and the port mapping between the two. The 
function then examines each port in turn, and based on both signal types, determines 
the relevant SignalMapping function, from Section 5.5 on page 85, to use to return the 
correct signal identifier. We visualise this combination matching on signal types more 
clearly in Table 7.1.
7.5. Running Example: Candy Puzzle: SVA4VHDL Components Approach 121
fo rm a l_ p a rt a c tu a l_ p a r t
in port in port, internal signal
out port out port, internal signal
inout port in port, out port 
internal signal, inout port
Table 7.1: Possible combinations for port mappings
A detailed understanding of this pseudo code translation is not required since SVA4VHDL 
descriptions are always automatically generated. The pseudo code is simply a design aid 
to the implementation discussed in Section 7.6.
7.5 R unning Exam ple: C andy Puzzle: SVA4VH DL  
C om ponents Approach
The Uniform Candy Distribution Puzzle, as a VHDL solution, from Section 2.1.3 on 
page 16, may be used to illustrate the application of both our new hierarchical SVA4VHDL 
structure, and the translation procedure described in the previous section. We previously 
identified the result of applying the translation patterns: TP% to TPio on pages 87 to 92 
from Chapter 5, to a VHDL Child component in Section 2.1.3.
Our new procedure tmnslateSystemQ  translates VHDL processes and their subsequent 
behaviour using the translation patterns identified in Chapter 5, and supersedes the 
patterns T P i, TP^, and TPg, with tmnslateSystemQ. Thus, this section focuses on the 
translation of the hierarchical structure of a VHDL multiple component system, using 
translateSystem  ().
Applying the first function, translate—procès ses {design-entity^Iid), passing in the de- 
sign_entity childrenSweets, from Figure 2.7 on page 23, and assigning the value 0 to the 
lid parameter; will translate all the VHDL processes contained within it. Running to 
completion, the following SVA4VHDL process names are hand generated for use in the 
second function:
P s h a r e . c h i l d l  () , P s h a r e _ c h i l d 2  () , P s h a r e _ c h i l d 3  ()
P c a l c S w e e t s . t e a c h e r  1 () , P g i v e S w e e t s . t e a c h e r  1 () ,
P s t a b i l i s e . m o n i t o r  1  ()
122 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
t r a n s l a t e P o r t M a p p i n g  ( P a r e n t ^  , C h i l d ^  , p o r t - m a p p i n g )  
p or tMappi ngs  =  { }
for  each a s s o c i â t  i o n - e l e m e n t  in por t  mapping { 
i f  a c t u a l - p a r t  i s  o f  t y p e  in t he n { 
p a r e n t S i g  =  S i g n a l M a p p i n g ^  ( a c t u a l - p a r t  ) ; }  
i f  a c t u a l - p a r t  i s  o f  t y p e  out  then { 
p a r e n t S i g  =  S i gn a l Ma pp in g 0Ui ( a c t u a l - p a r t  ) ;} 
i f  a c t u a l  - p a r t  i s  o f  t y p e  ’ un de f in ed  ’ t hen { 
p a r e n t S i g  =  S i gn a l Ma pp in g jn<ernaj ( a c t u a l _ p a r t  ) ; }  
i f  f o r m a l _ p a r t  i s  o f  t y p e  in t h e n {  
c h i l d S i g  =  S i g n a l M a p p i n g ^  ( f o r m a l  _p a r t ) ; }  
i f  f o r m a l _ p a r t  i s  of  t y p e  out  t hen { 
c h i l d S i g  =  S i g n a l M a p p i n g OU( ( f o r m a l - p a r t  ) ;} 
i f  f o r m a l _ p a r t  i s  o f  t y p e  i n o u t  t h e n {  
i f  a c t u a l _ p a r t  i s  o f  t y p e  in t h e n {  
c h i l d S i g  =  S i gnalMappingin  ( f o r m a l - p a r t  ) ; }  
i f  a c t u a l - p a r t  i s  o f  t y p e  out  t h e n {  
c h i l d S i g  =  S ign al Ma pp in g out ( f o r m a l _ p a r t  ) ;} 
i f  a c t u a l - p a r t  i s  of  t y p e  ’ un de f in ed  ’ t h e n {  
c h i l d S i g  =  Si gnalMappingout  ( f o r m a l _ p a r t  ) ;}
}
p or tMappi ngs  =  p or t Ma ppi ng s  U
{ ( (  Chi ld  ^  , c h i l d S i g )  , ( Par ent  ^  , p a r e n t S i g )  ) }
}
r e t u r n  por tMappi ngs  ;
Figure 7.9: translatePortM appings function
N o t i c e  t h a t  t h e  p r o c e s s  n a m e s  a r e  p r e f ix e d  w i t h  a  ‘P ’ a n d  s u f f ix e d  w i t h
e n s u r i n g  t h a t  p r o c e s s e s  f r o m  m u l t i p l e  i n s t a n c e s  o f  a  c o m p o n e n t  a r e  u n i q u e l y  id e n t i f ia b le .
F u r t h e r m o r e ,  t h e  fo l lo w in g  s e t s  a n d  s e q u e n c e s  w il l  a lso  b e  g e n e r a t e d :
c h i l d l _ S e n s L i s t = { ( 0 , { I V . l , I V . 2 , I V . 3 } ) } ,  child  l_ C o m p o n e n ts= { (  ch i ld  1 ,{0 } )  } , 
ch ild  1-C o n ta in e d C o m p o n e n ts  = { ( c h i l d l  ,{} )  }
c h i l d 2 _ S e n s L i s t = { ( l , { I V . 8 , I V . 9 , I V . 1 0 } ) } ,  c h i ld 2 _ C o m p o n e n ts= { (c h i ld 2  , { ! } ) } ,  
c h i ld 2-C o n ta in e d C o m p o n e n ts  —f f c h i l d 2 ,{} )  }
c h i l d 3 - S e n s L i s t = { ( 2 , { I V . 1 4 , I V . 1 5 , I V . 1 6 } ) } ,  c h i ld 3 _ C o m p o n e n ts= { (c h i ld 3  ,{2} )  } , 
ch i ld 3 _ C o n ta in ed C o m p o n en ts  = { (c h i ld 3  ,{ } )}
t e a c h e r l _ S e n s L i s t = { ( 3 , { I V . 2 2 } )  , ( 4 , { I V .27}) } , t e a c h e r l - C o m p o n e n t s —{ ( te a c h e r  ,{ 3 ,4 } )
}>
t e a c h e r l - C o n t a in e d C o m p o n e n t s —{ ( t e a c h e r l  ,{} )  }
m o n i t o r l - S e n s L i s t  =  { (5 ,{ IV .28 , I V .2 9})  } , m o n i to r l -C o m p o n e n ts—{ (m o n i to r l  ,{ 5 } )  } , 
m o n i to r l_ C o n ta in e d C o m p o n en ts  = { ( m o n i to r l  , { } ) }
The second function will then be fired, again taking in the same parameters. This time
7.5. Running Example: Candy Puzzle: SVA4VHDL Components Approach 123
the resultant output is an SVA4VHDL system, defined using VStruct constructs, taking 
the form:
Co mp_chi l d- l=VKIL.  c h i l d l  . < V P r o c .  P s h a r e . c h i l d l  () > . { }
Comp-chi ld-2=VRŒL. c h i l d 2 . C V P r o c .  P s h a r e _ c h i l d 2  () > . { }
Co mp _ch i l d_3^ EÏIL.  c h i l d 3 . < V P r o c .  P s h a r e _ c h i l d 3  () > . { }
Co mp_t eac he r_ l=^KI L.  t e a c h e r l . < V P r o c . P c a l c S w e e t s _ t e a c h e r  1 () ,
VP ro c .  P g i v e  S w e e t s - t e a c h e r l  () > . { }
Comp_monitor_l=VKIL.  m o n t ior 1 . < V p r o c . P s t a b i l i s e . m o n i t o r  1 () > . { }
C omp  . c h i l d r e n S w e e t s  _0 =  VPMap. c h i l d r e n S w e e t s O  .
< C o m p _ c h i l d l  , Comp_chi ld2 , Comp_chi ld3 , C o m p . t e a c h e r l  , Comp. moni tor l  >.
{ ( c h i l d l  , I V . 1 ) ,( c h i l d r e n S w e e t s O  , I V . 3 4 ) , ( c h i l d l  , I V . 2 ) , (  c h i l d r e n S w e e t s O  , I V . 3 5 ) , 
( c h i l d l  , I V . 3 ) ,( c h i l d r e n S w e e t s O  , I V . 4 2 ) , ( c h i l d l  , IV . 4 ) , ( c h i l d r e n S w e e t s O  , I V . 4 3 ) , 
( c h i l d l  , I V . 5 ) , ( c h i l d r e n S w e e t s O  , I V . 3 8  ) , ( c h i l d l  , IV . 6  ) , ( c h i l d r e n S w e e t s O  , I V . 3 7 ) , 
( c h i l d 2  , I V . 8  ) , ( c h i l d r e n S w e e t s O  , I V . 3 4 ) , ( c h i l d 2  , IV . 9 ) , ( c h i l d r e n S w e e t s O ,  I V . 3 5 )  , 
( c h i  Id 2 , I V . 10 ) , ( c h i l d r e n S w e e t s O ,  I V . 38 )  , ( c h i l d  2 , I V . 11 ) , (  c h i l d r e n S w e e t s O  , I V . 4 3 )  , 
( c h i l d 2  , I V . 12 ) ,( c h i l d r e n S w e e t s O  , I V . 4 0 ) , ( c h i l d 2  , I V . 13 ) , (  c h i l d r e n S w e e t s O  , I V . 3 9 ) , 
( c h i l d 3  , I V . 15 ) , (  c h i l d r e n S w e e t s O  , I V . 3 4 ) , ( c h i l d 3  , I V . 16 ) , (  c h i l d r e n S w e e t s O  , I V . 3 5 ) , 
( c h i l d 3  , I V . 17 ) , (  c h i l d r e n S w e e t s O  , I V . 4 0 ) , ( c h i l d 3  , I V . 18 ) , (  c h i l d r e n S w e e t s O  , I V . 4 3 )  , 
( c h i l d 3  , I V . 19)  , ( c h i l d r e n S w e e t s O , I V . 4 2 )  , ( c h i l d 3  , I V . 2 0 )  , ( c h i l d r e n S w e e t s O , I V . 4 1 )  , 
( t e a c h e r l  , I V . 2 2 ) , (  c h i l d r e n S w e e t s O  , I V . 3 4 ) , ( t e a c h e r l  , I V . 2 3 ) , (  c h i l d r e n S w e e t s O  , IV 
. 37)  ,
( t e a c h e r l  , IV . 2  4 ) , (  c h i l d r e n S w e e t s O  , I V . 4 0 )  , ( t e a c h e r l  , I V . 2 5 ) , (  c h i l d r e n S w e e t s O  , IV 
. 42)  ,
( t e a c h e r l  , I V . 2 6 )  , (  c h i l d r e n S w e e t s O  , I V . 4 3 )  ,
( m o n i t o r l  , IV . 2 8 )  , (  c h i l d r e n S w e e t s O  , I V . 3 4)  , (  m o n i t o r l  , I V . 29)  , (  c h i l d r e n S w e e t s O  , IV 
. 35)  ,
( m o n i t o r l  , IV . 3 0 )  , (  c h i l d r e n S w e e t s O  , I V . 3 7 )  , (  m o n i t o r l  , I V . 31 ) , (  c h i l d r e n S w e e t s O  , IV 
. 39)  ,
( m o n i t o r l  , I V . 3 2)  , (  c h i l d r e n S w e e t s O  , I V . 41 )  , (  m o n i t o r l  , I V . 3 3 )  , (  c h i l d r e n S w e e t s O  , IV 
. 3 6 ) } .
( 6 , { I V . 3 4 , I V . 35 , I V . 36  , I V . 3 7 , I V . 38 , I V . 3 9  , I V . 4 0  , I V . 4 1  , I V . 4 2  , I V . 4 3 } )
Notice tha t the process^ continues to be used to aid in the definition of the chil­
drenSweetsO component. Likewise the mapping functions, initially defined on page 85, 
are used in the generation of the port mapping sets and component signal process. None 
of the VRTL  constructs for the five contained components contain renaming information 
since none of the VHDL components contained inout ports.
The function also generates the further following sets:
c h i l d r e n S w e e t s O  _ S e n s L i s t =
{ ( 6 , { I V . 34 , I V . 35 , I V . 36 , I V . 3 7 , I V . 38 , I V . 39 , I V . 40 , I V . 41 , I V . 42 , I V . 4 3 } )  } , 
c h i l d r e n S w e e t s O - C o m p o n e n t s  = { ( c h i l d S w e e t s O  , { 6 } ) } , 
c hi ldrenSweet sO - C o n t a i n e d C o m p o n e n t s  =
{ (  c h i ld S we et sO  , { c h i l d l  , c h i l d 2  , c h i l d 3  , t e a c h e r l  , m o n i t o r l } ) }  
componentnames =  { c h i l d l  , c h i l d 2  , c h i l d 3  , t e a c h e r l  , m o n i t o r l  , c h i l d r e n S w e e t s O  }
124 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
7.6 A utom ated  Translation from V H D L to  SVA4VH DL
The previous section, Section 7.4, defined the translation technique for a hierarchical 
VHDL system to be mapped correctly to our intermediary SVA4VHDL notation. In 
this section we describe the automation of this technique in order to produce a proof of 
concept translation tool. The purpose of the tool is to validate the manual translation 
approach and show that an automation step is feasible for the framework illustrated in 
Figure 1.1 on page 4.
The translation tool comprises two aspects: a VHDL parser and a Java implementation of 
the translation technique from Section 7.4 and translation patterns of Section 5.5. Rather 
than develop our own bespoke VHDL parser, a freely available Java library provided by 
EDAUtils [54],has been used.
In the following subsections we describe the VHDL parser and provide an overview of 
our Java implementation.
7 .6 .1  V H D L  P arser
EDAUtils [54], developed by Kanai Lai Ghosh, provides a set of miscellaneous free EDA 
utilities; one of which is a Java library tha t parses VHDL to provide a traversable model. 
The version used within our tool, is the Beta release from April 2013. The release is 
undocumented and closed source. Nonetheless, it contains suitable API calls that have 
enabled us to translate the majority of the VHDL RTL syntax within our examples and 
case studies.
EDAUtils has been used by Kulanov [60] to retrieve statistics about the number of 
statements of some type (e.g., simple signal assignment) that are used in a VHDL system. 
The systems of interest were primarily single entity architecture pairs focusing on CPU 
core behaviours. The work in our thesis focuses on hierarchical entity architecture pairs. 
The author also refers to using the EDAUtils tool in a framework which supports a 
fault injection technique [81]. The framework aims to perform fault profiling for selected 
VHDL descriptions and fault injection in accordance with the obtained fault profile. The 
framework is software based and does not make use of formal analysis.
EDAUtils has also been used by Zdaraveski [103] in order to perform a semantic annota­
tion of the VHDL code of a system. The parser has been used to extract the m eta-data 
for IP cores [104,105]. The VHDL designs that have been considered vary in size from
7.6. Autom ated Translation from VHDL to SVA4VHDL 125
■m iscedautils.Com monUi:ils|
g  Java, t e x t  |
g ja v a .u t il
translator!
S  com .eu .m iscedautils.vhdlp arserj
g  java.lang
Figure 7.10: External API dependencies graph for the SVA4VHDL Java translation
simple gates up to whole projects for controllers, memories, etc., but the author notes 
tha t there were errors with the EDAUtils API. For example, it was difficult to distinguish 
whether the errors were due to a parser problem or a size constraint of the systems under 
consideration.
The EDAUtils parser accepts a top VHDL description as a reference point to  begin 
traversal of the VHDL. Each VHDL description consists of an entity/architecture pair 
which is converted into individual models. The structure specified within the VHDL 
files is referenced across the models, providing a navigable model of the original VHDL 
system. Once the model is created it provides the basis for a translation from a source 
VHDL description to a different target language. Identifying the setup structure for the 
parser was non trivial.
W ithin the EDAUtils parser we utilise 69 of the VHDL syntax classes available, of which 
there are over 100. The dependency of our tool on these 69 classes is shown in Figure 
7.10. From these 69 dependencies, many methods are used not only for traversing the 
model, but also for identifying referenced objects and extracting values.
Note tha t identifying the appropriate method calls and required objects was not always 
easy due to the lack of documentation as previously mentioned. The lack of documen­
tation was compounded by the fact tha t the EDAUtils parser does not completely align 
with the VHDL LRM which meant tha t an intuitive understanding of its behaviour could 
not be derived from an alternative source.
126 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
7 .6 .2  V H D L  to  S V A 4 V H D L  Java  T ran sla tor
The structure of our Java translator tool is provided in Figure 7.11 in the form of a 
dependency graph for ease of reference. However, the full class diagram for our Java 
translator can be found in Appendix E.
There are a total of nine classes within our tool, six of these are required to model the 
hierarchical VHDL structure: VHDLComponent, P ortS ignals, Port, S ignal, Proc and 
DataType.
The six classes used to model the hierarchical structure are necessary to provide the 
mapping between VHDL names for ports, signals and processes and the indexed values 
required in SVA4VHDL. Objects of these classes are generated at runtime, whilst travers­
ing the model. Particular care when indexing these objects is taken to ensure that their 
indexing is unique.
The Gener at eSVA4VHDL class is responsible for loading in the VHDL files and running 
the EDAUtils VHDL parser over the provided files, before then passing the generated 
traversable models to an instance of FVhPGenSVA4VHDL.
The translation between VHDL and SVA4VHDL is defined in the FVhPGenSVA4VHDL class. 
This class is responsible for traversing over the VHDL design and translating it into a 
SVA4VHDL model. The pseudo code in Section 7.4 is described as two translation steps 
to convey the capture of the hierarchical structure. Our Java translation implements these 
steps within FVhPGenSVA4VHDL efficiently as one step by performing dynamic indexing. 
The translation patterns identified in Section 5.5 are implemented as methods within the 
FVhPGenSVA4VHDL class. The code metrics for the classes are provided in Table 7.2.
Recall in Section 7.5 a hand coded SVA4VHDL model was produced for the Candy Puzzle 
example, we similarly produced a model using our Java translation tool and demonstrated 
equivalence using the Failures Divergences model in FDR.
This chapter demonstrates tha t we can now generate a suitable SVA4VHDL representa­
tion of a VHDL hierarchical system using the SVA4VHDL syntax and datatypes. This 
is step one of the workflow (Figure 7.3 on page 115) completed.
7 .6 .3  T o o l r e s tr ic t io n s
This section reflects on whether the EDAUtils supported the translation of all the aspects 
of VHDL syntax referred to in Section 2.1.2, in our small examples, and the case studies
7.6. Autom ated Translation from VHDL to SVA4VHDL 127
|Q FVhPGenSVAWHDl
>1® Port|
I® DataTypëslI® Prog
I® Signall
Figure 7.11: SVA4VHDL Java translation tool dependency graph
Class No. Methods LoC
DataTypes 5 61
FVhPGenSVA4VHDL 46 1871
GenerateSVA4VHDL 8 257
Port 6 74
PortSignal 7 34
Proc 4 25
Signal 6 73
VHDLComponent 19 292
Total 1 0 1 2687
Table 7.2: Code metrics for our VHDL to SVA4VHDL Java translator
in Chapter 9 and 10. We note th a t two main restrictions had to be overcome through the 
additional pre-processing of either the VHDL descriptions themselves or the file names 
of the VHDL descriptions. Note that the restriction of the SVA4VHDL compiler and its 
ability to handle VHDL syntax is discussed in Section 10.4 in Chapter 10.
Signal A ssignm ent R eferencing
Recall, in Section 2.1.2, the definition of a signal assignment, i.e., ta rg e t <= ex p ress io n , 
where a target identifies a reference to a port of signal. Thus, when pairing a target to 
a reference we naturally expect to be able to identify the type of the target, since it will 
have been introduced as a port or signal earlier in the VHDL script. The EDAUtils parser
128 Chapter 7. Defining a Hierarchical Structure for SVA4VHDL
seems to have omitted to make this association explicit for ’t a r g e t 5. Ports and signals 
referred to in an ’e x p re s s io n 5 do type correctly. This limitation means that when a 
target is a vector the VHDL description has to be re-written as an explicit assignment 
to a vector element in order for safe translation to occur. For example, the valid VHDL 
assignment, out_vec <= o th e rs  => 'O ’ ; cannot be safely mapped to assign the value 
‘O’ to each element of the vector out_vec. As a result of this restriction, any VHDL that 
is to be translated must first be modified to explicitly state the vector elements; e.g., 
ou t_vec(0 ) <= 'O’ ; . . .  ou t_vec(n) <= 'O’ ;.
Order o f C om ponent Parsing
Our VHDL descriptions are made up of several files tha t need to be read in a particular 
order to generate a traceable model of the syntax which correctly represents the hierarchy. 
This means that when parsing a particular entity, all of the referenced components must 
have already been parsed. In order to ensure this, some pre-processing of the VHDL 
files names is required, i.e., the file names were modified, and an alphabetical sort was 
applied to resolve this issue with the EDAUtils Java Parser. Then the parser can be 
invoked in the order required to traverse the hierarchical model correctly. This issue 
does not manifest itself in the case of simple models tha t do not contain multiple depth 
hierarchical structures and is only a concern when dealing with larger scale examples.
This constraint of the tool has been acknowledged by the designer in personal correspon­
dence [41], with a suggestion of avoiding the use of multiple VHDL files, or to explicitly 
identify how they are parsed, using the file names, one name at a time.
Chapter 8
Defining Hierarchical Com pilation
In previous chapters we have developed and extended the SVA4VHDL compiler. W hilst a 
hierarchical structure has been identified within the previous chapter to represent VHDL 
systems containing multiple components, no method has been identified to use this hier­
archical structure to generate a CSP model for formal analysis. W ithin this chapter we 
describe the addition of new functions to perform stages 2 to 5 identified in Figure 7.2 
on page 114.
We deal with altering the structural ‘shape’ of a SVA4VHDL representation of a hardware 
system to enable compilation of the behavioural processes, and then composing them  
using the defined structure within this chapter. These transitions of the SVA4VHDL 
model are given in Figure 8.1 and illustrate the flow of this chapter.
The chapter is structured as follows:
• Section 8.1 defines new functions to extract SVA4VHDL processes from VStruct 
structures for compilation (stage 2 );
• Section 8 . 2  identifies the compilation of SVA4VHDL processes (stage 3);
• Section 8.3 introduces a second hierarchical structure, VCStruct capable of rep­
resenting the same VStruct structures, but containing compiled SVA4VHDL pro­
cesses;
• Section 8.4 elucidates to the reapplication of the VStruct hierarchical structure 
using VCStruct, to represent compiled SVA4VHDL processes (stage 4);
129
130 Chapter 8. Defining Hierarchical Compilation
□
I" .... — 1
(P i, (P2, (P 3 , (P i,
A i) M ) A3) A4 )
Pi()
< ( f i ,  A i ) ,  ( f g ,  ^ 2 ) ,  ( f g ,  A 3 ) ,  ( f 4 , A 4 ) )
C S P  Model
Figure 8.1: Transition stages during compilation of SVA4VHDL component systems
• Section 8.5 illuminates on the composition strategy for the compiled SVA4VHDL 
processes using the hierarchical structure (stage 5);
• Section 8 . 6  goes on to discuss the optimisation of generated models through the 
use of compression techniques;
• Section 8.7 illustrates the resultant output traces from the compilation of the Uni­
form Candy Distribution Puzzle;
8.1 E xtracting SVA4VH DL P rocesses From a 
Hierarchical Structure
f t  ) f t ( )  f t ( )
Q .
©
n
I©
©
In Section 4.4, a function, CSFlatten, was applied to a system captured with CmdStruct 
to extract all contained SVA processes, identified by CSLeaf elements, for use within 
compileList. Once more these SVA functions are tailored to suit our needs.
The original CSFlatten function is duplicated and altered to define a new function, 
VFlatten, given in Figure 8.2. VFlatten pattern matches on the VStruct constructs:
8.1. Extracting SVA4VHDL Processes From a Hierarchical Structure 131
V F la t ten(  V Proc .C)  =  ((C),  {})
V F la t ten(V R T L .com p.ts .m am ings)  =  
let ps  =  { VFlatten(t)  | i  is)
Reduce(Cs, Ms, n, ()) =  (Cs,  Ms)
Reduce(Cs, Ms, n, ( (Csx, Msx))  A ps) =
Reduce(Cs  A Csx, Ms  U {r  +  n | r M sx} ,  n  +  # C s x , p s )  
within  
Reduce({), { } , 0 , p s )
V F la t ten(V P M ap.com p.ts .m am ings .s igs )  =  
l e tp s  =  (V F la t ten ( t)  | t ■<— is)
Reduce(Cs, Ms, to, ()) =  (Cs,  Ms)
Reduce(Cs, Ms, to, ( (Csx, Msx))  A ps)  =
Reduce(Cs ^  Csx,  Ms  U {r  +  to | r M sx} ,  n  +  4 tC s x ,p s )  
within  
Reduce({) , {},  0 ,ps)
Figure 8.2: VFlatten pattern  matching functions
VProc, VRTL  and VPMap, introduced in the previous chapter. The VFlatten functions 
traverse a VStruct defined SVA4VHDL system, generating a sequence of all contained 
SVA4VHDL processes ready for compilation.
We have repeatedly stressed the importance of process ordering, and ensuring the correct 
matching of process identifiers. The application of the VFlatten function emphasises this 
requirement, removing the structure from the processes to match the original assignment. 
Thus, the three pattern  matching functions of VFlatten must m aintain this ordering.
VProc is the simplest of the three pattern  matches, returning its associated SVA4VHDL 
process, identified as C.
CSFlatten only dealt with a single node type structure, CSNode. We expand our VFlatten 
to deal with both VRTL  and VPMap. These two patterns are similar in their defini­
tion, and differ only on actual pattern match, handling the parameters of each VStruct 
datatype correctly. Both pattern matches use the Reduce function, one of Roscoe’s 
original SVA functions originally defined for use with SVA’s CSFlatten function, which 
recursively applies VFlatten to all contained structures.
132 Chapter 8. Deûning Hierarchical Compilation
8.2 C om piling SVA4VH DL P rocesses
<P1(),P2(),P3(),P4()>
Once the hierarchical structure has been removed, the sequence of processes provided by 
VFlatten may be processed by VHDLCompileList, previously defined in Section 5.4.2 on 
page 82. VHDLCompileList accepts a sequence of SVA4VHDL processes and returns a 
sequence of tuples in its place. These tuples contain a compiled SVA4VHDL process, in 
the form of a CSP process, and the CSP process’ alphabet.
This compilation is identified as stage 3 of Figure 7.2, page 115. Note, this application 
of VHDLCompileList compares to the compilation of a single component from Section 
5.4.3.
8.3 A  Second H ierarchical Structure
The compiled sequence of processes from VHDLCompileList are not of type Cmd, but 
rather (P , A) (CSP process, CSP alphabet). Thus, the VStruct datatype can no longer 
be used. Instead, a new hierarchical structure must be defined tha t can represent a 
VHDL system, but with compiled SVA4VHDL process tuples. We therefore introduce a 
new structure datatype, VCStruct.
Note th a t this concept of a post-process compilation compiler is visible in the original 
SVA compiler, with CmdStruct and PStruct. A similar approach is taken to transforming 
SVA4VHDL’s VStruct datatype to VCStruct datatypes as the original SVA’s CmdStruct 
datatype to PStruct datatype; this translation is discussed in detail in Section 8.4.
As with VStruct we identify three constructs for VCStruct: VCProc, VCRTL, and 
VCPMap.
V C P ro c  The VCProc construct contains a CSP process/alphabet pair. This is identi­
cal to the PSLeaf definition from the original SVA; and is defined as:
8.3. A  Second Hierarchical Structure 133
VCProc.(Proc, Se t(E ven t))
We do not simply reapply the same structure from VStruct for VRTL  and VPMap 
constructs. Instead we move the renaming information ‘down a level’ for VCPMap and 
VCRTL. Section 8.4 discusses this movement of renaming, but the VCRTL  and VCPMap 
constructs reflect this movement in their definition.
V C R T L  As the renaming information from a VCPMap will be moved down to the 
level of a VCRTL, we define a VCRTL as:
V C R TL.Seq(V C Struct) .Set{( (com pnam es ,  i vnames),  (compnames, ivnames)))
The VCRTL definition contains a sequence of VCStruct constructs, but these must be 
restricted to only VCProc constructs. The second element contains renaming information 
for the component’s instantiation in its parent component; i.e. the renaming tuples are 
now port mapping elements from the parent VPMap construct. The renaming for inout 
ports is no longer visible in this definition, as previously mentioned this will be applied 
to a VProc at the time of un-flattening (Section 8.4).
V C P M a p  When re-applying the hierarchical structure we intend, not only to move the 
renaming information to the appropriate level for CSP composition, bu t also to generate 
a CSP process/alphabet pair derived from the composition of signal processes for a non- 
behavioural component. Thus a VPMap’s (pnums, Set(ivnames)) tuple is replaced with a 
process/ alphabet pair which can be easily introduced into the system during composition. 
Hence, the VCPMap construct takes the form:
V C PM ap.Seq(V CStruct) .(Proc ,  Set (Events)) . Se t  (((compnames, ivnames),  (compnames, ivnames)))
Note, the set of renaming tuples given in this definition will be those from a parent 
component, and not those from the associated VPMap.
The original SVA Unflatten function only reapplied the structure defined within CmdStruct 
to the compiled processes. An SVA4VHDL UnFlatten function must not only re-apply 
the hierarchical structure, but alter the positioning of event renamings, and generate 
a process/alphabet pair from (pnums, {ivnam es}), to ensure correct composition of the 
resultant CSP model.
134 Chapter 8. Defining Hierarchical Compilation
VProc.Cmd „ ^ "  » VCProc. ( P r o c ,S e t (E v e n ts ) )
VRTL. compnames. S eq (V S tr u c t)  -S e t  ( (iv n a m es, ivnam es) ) VCRTL.Seq (V C Struct) .S e t  ( ( (compnames, ivnam es) , (compnames, iv n a m es) ) )
VP M ap.com pnam es.Seq(V Struct) '  . VCPMap. S e q (V C S tr u c t ) . (P r o c , S e t (E v e n ts )  )
. S e t ( ( ( compnames, iv n a m e s ) , (com pn am es,ivnam es)))  . S e t ( ( (com pnam es,ivnam es) , (com p nam es,ivn am es)))
. (pnums. S e t  (ivn am es) ) ,  •'
VPMap. compnames. Seq (V S tru ct)
. S e t ( ( (com pnam es,ivnam es) , (com p nam es,ivn am es)))
. (p n u m s ,S e t(iv n a m e s))
Figure 8.3: Visualisation of ‘pushing down’ renaming information
8.4 R e-A pplying an SVA4VH DL Hierarchical Structure
©
i r a  mm
(PiO.WaO.rV))
1©
((Pi.Ai), (P2, A2), (Ps, A3), (P4,A4))
As previously indicated, a new function based on SVA’s Unflatten is required to reapply 
the structure initially captured for a system using VStruct. We define such a function 
VUnflatten. The function must not only reapply the structure, but also move the re­
namings, and generate the process/ alphabet pair defining a non-behavioural component’s 
signals.
‘P u sh in g  D ow n’ R e n a m in g  To clarify this concept of ‘pushing down’ the renaming 
in the transition between VStruct and VCStruct constructs, we provide a visual aid, in 
the form of Figure 8.3. We can see from this visual representation of the two construct 
datatypes th a t the renaming is pushed to the contained construct.
In the case of VCPMap, then any renamings tha t it acquires are from a parent component 
of type VPMap. Similarly, for VCRTL  constructs, the renaming information is provided 
by a parent component of type VPMap construct. The renaming information from a 
VRTL  is applied during the application of VUnFlatten to the process element within 
VCProc. This movement of renaming information is depicted by the dashed arrows in
8.4. Re-Applying an SVA4VHDL Hierarchical Structure 135
Figure 8.3. We elaborate on the ‘pushing down’ of the renaming information in the rest 
of this section.
For instance, the XNOR definition from Chapter 6 , Figure 6.3, in the VStruct hierarchical 
structure would be defined as:
VP M ap.com pC  .(V R TL.com pA .{  VProc.PA, V P ro c .P B ) . { }
V R T L .com pB .( V Proc .PC, V P ro c .P D ) .{ } )
{ ((com pA , I V . 1), (com pC,  iV . l l ) ) ,  ((compA, I V . 2), (compC,  7V.12)), 
((compA, I V A ) ,  (compC, I V . 13)), ((compA, I V . h), (com pC ,  /V.14)), 
( (compB, I V . 6), (com pC, I V . 13)), ((compB, I V . 7), (compC,  /V.14)), 
( (compB, I V . 8), (com pC,  7V.15)), ((compB, I V . 9), (compC,  7V.16))}. 
{(9, {7V.11, 7V.12, 7V.13, 7V.14, 7V.15,7V.16})}
After compilation of the individual processes has occurred, the structure would be reap­
plied using the VCStruct structure instead, such tha t it takes the form:
V C P M a p .co m p C .(V C R T L .( VCProc.(PA, a p A ) ,  VC Proc.(PB , o . p b ) ) .
{((com pA , I V . 1), (com pC,  7V.11)), ((compA, I V . 2), (com pC,  7V.12)),
((compA, I V . 4), (com pC, I V . 13)), ((compA, I V . 5), (compC,  7V.14)),
((compB, I V . 6), (compC, I V . 13)), ( (compB, I V . 7), (com pC,  7V.14)),
((compB, I V . 8), (compC, I V . 13)), ( (compB, I V .9), (com pC,  7V.16))} 
V R T L .(V C P ro c .(P C  , a p C ), VC Proc.(PD, a PD)).
{ ((com pA , I V . 1), (com pC,  7V.11)), ((compA, I V .2), (com pC,  7V.12)),
((compA, I V . 41), (compC,  7V.13)), ((compA, I V . 5), (com pC,  7V.14)),
((compB, I V . 6), (com pC, I V . 13)), ( (compB, I V . 7), (com pC,  7V.14)),
((compB, I V . 8), (com pC,  7V.15)), ( (compB, I V .9), (com pC,  7V.16))}).
{(9, {7V.11, 7V.12, 7V.13, 7V.14, 7V.15, 7V.16})}
As with the previous hierarchical structure function, VFlatten, we rely on recursively 
calling VUnflatten pattern  matches to traverse the hierarchy and m arry up the pro­
cesses correctly. Since we are ‘pushing down’ the renaming information, we discuss the 
VUnflatten functions from the top down, starting with VCPMap.
8.4.1 M apping V PM ap to  V C PM ap
To reapply a structure, using recursion, a general case and a base case pattern  matching 
function for VUnFlatten are defined. The base case, defined in Figure 8.4, works on a 
singleton sequence of contained components.
136 Chapter 8. Defining Hierarchical Compilation
V  UnFlatten(  VPM ap.comp.(t) .renamings.s igs,  ps ,  pmappings)  =  
let
( P , A )  — MakeComponent Signals {sigs)
{p t ,p s ' )  =  VUnFlatten(t, ps,  renamings)
D  — ComponentOverlord(comp)
DA  =  OverlordAlpha(comp)
DivBlock  =  VCProc.(D, DA)  
within
(V C PM ap. (DivBlock) A (p t ) . (P ,  A) .pmappings, ps')
Figure 8.4: Base case VUnFlatten function for VPMap constructs 
B ase  C ase Figure 8.4 identifies a base case with three parameters:
•  the first signifies the pattern  matching on a VPMap construct with a singleton 
sequence ((£)), which is the second element of the VPMap construct. The other 
elements are: comp representing the component identifier; renamings as the current 
level component port mapping renaming information; and sigs representing the 
process identifier and set of signal identifiers tuple.
• the second the sequence, ps, of associated compiled SVA4VHDL processes for the 
system.
• and the third, the port mapping renaming information, pmappings, from a possible 
parent component.
W ithin the function, we generate several CSP processes, the first of these is the tuple 
(P, A), which is the generated process/ alphabet pair from applying MakeComponentSignals 
to sigs; this function is discussed in more detail in Section 8.4.4. A recursive call is applied 
to the singleton element, t, passing the compiled processes ps, and the renaming infor­
mation renamings. This returns ps1, the sequence of compiled processes not used within 
the recursive call, and pt, the result of recursively applying the VCStruct constructs.
The remaining definitions of D, DA, and DivBlock are explained in Section 8.6.1 and 
they are included in order to remove divergence introduced through hiding.
G e n e ra l C ase  Figure 8.5 defines the generalised form of VUnFlatten that pattern  
matches on the VPMap constructs; this is far simpler than  the base case definition. The 
definition of the generalised case parameters differs only on its pattern match, splitting 
off the head element, t, from the rest of the contained sequence, ts, of VStruct constructs.
8.4. Re-Applying an SVA4VHDL Hierarchical Structure 137
V  U nF la t ten{V P M ap .  comp.{(t)  A ts) .renamings, sigs, ps ,  pmappings)  =  
let
(P ,  A) — MakeComponentSignals(s igs)
(p t ,p s ' )  =  VUnFlatten(t ,  ps, renamings)
(V C P M a p . t s ' . (P ; , A ' ).pm app ings' ,p s")  =
VUnFlatten( VPMap.comp.ts .renamings.s igs,  p s ' , pmappings)
within
(V C P M ap.( {p t)  A  t s ' ) . (P ,  A).pmappings, ps")
Figure 8.5: General case VUnFlatten function for VPMap constructs
V U n F la t ten (V P roc—, ( ( P , A ) )  A p s , renamings)  =
(V C P roc .(R enam ingProc(P , renamings),  A ) ,p s )
Figure 8 .6 : VUnFlatten function for VProc constructs
As we have seen in the base case a process/ alphabet pair (P , A) is required, and thus 
it needs to be carried through the recursive case in order to form part of the finished 
VCPMap definition.
W hilst the same application is made to t as in the base case, we note that ts is also passed 
as a recursive call to VUnFlatten. This ensures that the sequence of contained compo­
nents is iteratively traversed. Thus, the returned ps’ from the first call to VUnFlatten is 
then given in place of ps, and subsequently, ps" is returned. Note the extraction of ts' 
from a VCPMap construct, since the VUnFlatten function will return  such a construct 
in this case. The return  of the general case is therefore, a VCPMap construct comprising 
a sequence made up from ps concatenated with ts1, and the unused compiled processes 
ps", in the form of a tuple.
8 .4 .2  M a p p in g  V R T L  to  V C R T L
The VUnFlatten pattern  matching functions for VRTL  follow a pattern  similar to VPMap. 
The only difference between the two definitions are the constructs used, and th a t the 
VCRTL matching functions do not require the use of the MakeComponentFunction.
8 .4 .3  M a p p in g  V P r o c  to  V C P r o c
Since no sequences are involved within the single leaf construct, VCProc, only a single 
definition is required. Figure 8 . 6  provides the pattern  matching function.
138 Chapter 8. Deûning Hierarchical Compilation
The definition of VProc only contains a single element, the old SVA4VHDL process, 
represented using the CSP wildcard The purpose of this function is to take the 
head element (P , A) from the sequence of compiled processes, passed as a parameter, 
and return a VCProc construct with a process/ alphabet tuple along with the tail of the 
sequence, ps.
Renaming information is also passed to the VUnFlatten function as the parameter 
renaming; recall tha t this relates to correctly representing inout ports. Thus, the pro­
cess within the (P, A) tuple has this renaming applied with the use of a simple function 
Renaming Proc.
8 .4 .4  G en er a tin g  a  C o m p o n en t S ta b ilisa tio n  an d  S ign a ls  P r o c e ss
To represent a hierarchical VHDL system, signals must be defined for each compo­
nent, enabling full traceability of system behaviour within a formal model. Previ­
ously the signal processes of a component are generated during the compilation of the 
SVA4VHDL behavioural processes, Section 5.4. However, non-behaviour al components 
do not necessarily contain behavioural processes, so the generation of signal processes 
must be dealt with differently. In Section 7.2 we defined a parameter within the VPMap 
construct tha t contains a signal identifier and a suitable process identifier; defined as 
(pnums, Set (ivnames)).
We define a function MakeComponentSignals, given in Figure 8.7, that uses this in­
formation to generate a CSP process alphabet pair suitable for alphabetised parallel 
composition later. MakeComponentSignals uses several contained functions to return a 
tuple, (Sigs, Alpha): Sigs represents an interface parallel of all component signals as a 
CSP process; Alpha represents the combined alphabet of all signals.
In defining MakeComponentSignals, we conducted a review of the functions defined in 
Chapter 5, and identified tha t it was possible to reuse IntSIGPre, from Section 5.2.1 on 
page 72. The context in which it is being used differs here since we will not be composing 
a CSP signal process with an existing compiled SVA4VHDL behavioural process.
For our small example, page 113, the process identifier of component compC is given 
as 5, hence IntSIGPre(b, {0..1},0, IV .13, true) returns a CSP process for an internal 
signal IV .IS  with read and write events, iveval, ivwrite etc., associated with process 
identifier 5 only.
Figure 8.7 identifies a CSP process th a t creates a component’s signals. Each signal is also 
coupled with its stabilisation model (Figure 5.1 on page 64). This tight coupling means
8.4. Re-Applying an SVA4VHDL Hierarchical Structure 139
Make C om ponent Signals (sigs) =  
let
Alpha =  {| iveva l .c . j .v ,  iv w r i t e .c . j .v , iw r i t e .c .v ,x c h .c .v ,  outp .c .v ,  stable, step.c ,
calculate.c, s igError.v, arb—fa lse .c . j  \ ( v , j )  <— Generate(s igs),  c <— ge tC om ponen t( j )  |}
BlockAlpha(id, c , j )  — {| iveval .c ' .k . id ,  ivw r i te .c ' .k . id ,xch .c ' . id ,  outp.c' . id ,  s tep .c1, 
calculate.c', iveva l .c . l . id ,  ivw r i te .c . l . id ,  sigchanged.c'.k, sigchanged.c.l,  
sigchanged.c.k .true  | c' <— diff(c ,  comps), I -f- d i f f ( { j } ,  pnums),  k <— pnums  |}
ComponentSignal(id, range, v ,  ch, k, c) =  let
IS P (id ,  range, v ,  ch, k, c) =  In tSIG Pre(id ,  range, v, ch, k)
W{\ stable, o u tp .c .id ,xch .c .id ,s tep . c\} ST A B I L IS A T I O N  ( i d ,  k )
\\BlockAlpha(id,c,k) S T O P
ISPArb(id ,  range, v,  ch, k, c) — IS P (id ,  range, v,  ch, k, c ) ^wchcmged.c.k.id.faise / arb_false_c_fc] 
within ISPArb(id, range, v, ch, k, c)
S ignal(( id , k))  =  let
c =  getElem (getCom ponent(k))  
range =  sigRange(id)  
v =  sig ln i t ( id )  
within ComponentSignal(id, range, v, true,  k, c)
Generate((x,  xs)) =  { ( id ,  k) \ id  <— xs, k <— {%}}
Sync =  {stable, calculate.c, s tep .c  | (k ,—) <— {siys},  c getC om ponen t(k)}
Signals =  || Signal (sig)
S y n c s ig e  G enerate (sigs)
within(Signals, Alpha)
Figure 8.7: MakeComponentSignals process
th a t the stabilisation models are localised to each signal and we do not have to consider 
constructing a global stabilisation model for all signals within a component together.
Using these recursive VUnFlatten functions, we are able to re-apply a structure defined 
using VStrcut constructs, to compiled SVA4VHDL processes, whilst ensuring the pro­
cess ordering is maintained, and ‘pushing down’ the renaming information, ready for 
composition.
Applying this function to the small example we have used for illustrating components, 
the VPMap definition on page 113, we can generate the following VCPMap definition 
instead:
140 Chapter 8. Deûning Hierarchical Compilation
VCPMap. CVGRTL. <  V P r o c . ( P A , a PA) , VProc  . ( PB ,  a p B )>
. {  ( ( c o m p A , I V . 1) , (compC, IV.  11)  ) , ( (compA , IV . 2 ) , (compC , I V . 12 ) ) , 
( ( c o m p A , I V . 4)  , (compC, I V . 13)  ) , ( (compA, I V . 5)  , (compC , I V . 14)  ) ,
( ( compB, IV . 6 ) , (  compC, I V . 13 ) ) , ( ( compB , IV . 7 ) , ( compC , I V . 14 ) ) , 
( ( c o m p B , I V . 9) , ( compC,IV.  15)  ) , ( (compB, I V . 10)  , (compC , I V . 16)  ) } , 
VCRTL.< V P r o c . ( P C . a p c )  ,V P r o c . ( P D , a P D )>
. { ( ( c o m p A , I V . 1) , (compC, IV.  11)  ) , (  ( compA,IV . 2 )  , (compC , I V . 12)  ) ,
( ( compA, I V . 4 )  , ( compC, I V . 13)  ) , ( ( compA, IV . 5)  , ( compC , I V . 14)  ) , 
( ( c o m p B , I V . 6) , ( c o m p C , I V . 13)  ) , ( ( compB, IV . 7)  , (compC , I V . 14)  ) , 
( ( c o m p B , I V . 9)  , (compC, IV.  15)  ) , ( ( compB, I V . 10)  , (compC , I V . 16)  ) } >  
. ( PcompC, apco m p c ) • { }
8.5 C om posing VCStruct D efined System s
CSP Model
Thus far, we have provided a suitable hierarchical structure for representing and captur­
ing VHDL systems comprising multiple components. All contained behavioural processes 
have then been compiled and the hierarchical design reapplied using a secondary hierar­
chical structure. These are stages 2, 3, and 4 identified in Figure 7.3 on page 115.
The final stage within this compilation workflow is the composition of a hardware system 
represented using the VCStruct datatype, stage 5 in Figure 7.3.
The philosophy taken throughout the development of our SVA4VHDL compiler is to 
reuse, and adapt functions from the Roscoe SVA compiler. Here we adapt the SPA 
function to define VS PA, for composing compiled SVA4VHDL processes captured with 
VCStruct constructs. The composition function VS PA, defined in Figure 8 .8 , recurses 
through the hierarchical VCStruct constructs, and produces a final CSP process/alphabet 
pair representing the full VHDL system. This output is the final CSP model capturing 
the overall behaviour of the VHDL system.
The original SPA functions recursed through the hierarchical system provided: composing 
processes together from the bottom  up; unioning the alphabets of the processes for further 
use accordingly; with each function always returning a CSP process alphabet tuple of
8.5. Composing VCStruct Deûned Systems 141
V S P A (V C P M a p . ts . (S ig n a ls ,  Alpha).renaming)  =  let
V S P A ( V C P r o c . ( P ,A ) )  =  ( P , A ) ps  =  (V S P A (t )  | t fs)
VSPA(VC RTL.ts .renam ing)  =  let 
ps  =  ( VSPA(t)  [ (<- &, )
Ü =  PortRenamings(renaming)  
old =  {o | (o, n) E}  
neu; =  {n | (o, n) <- R }
Alpha' — (Alpha \  old) U new  
A' =  Alpha'  U Alpha
A  ~  U(_, a):p s
R  =  PortRenamings(renaming)  
within
(PortMappingRenamer(  
L is tPar(ps) ,  R ) ,  A)
within
((P ortM appingRenamer(
L is tPar(ps) ,  R ) A lpha' |[A Signals),  A')
Figure 8 .8 : VSPA function for composing a hierarchically compiled SVA4VHDL system
the CSP processes composed thus far. In VSPA, we pattern  match on the VCStruct 
datatype, composing them  as required, based on the construct.
We utilise the ListPar function defined for composing processes using alphabetised paral­
lel (originally used in SPA) for composing our processes together. Similarly the alphabets 
of these composed processes are unioned together in the same manner. As previously 
mentioned, the VCStruct constructs VCRTL  and VCPMap are complex owing to the 
renaming information. Our VSPA function needs to apply this renaming; this was not a 
concern in the original SVA.
In order to perform the renaming we have identified two simple functions, PortRenamings 
and PortMappingRenamer. PortRenamings is used to generate a set of tuples that 
define the renaming of external read and write events from contained components, to 
internal read and write events of the parent component, for every signal identified within 
the renaming set. PortMappingRenamer is used to apply the renamings generated by 
PortRenamings to the composed CSP process, generated by ListPar (ps), where ps is the 
sequence of CSP process/ alphabet pairs from the current constructs.
The VSPA function for VCPMap additionally composes the CSP signal process generated 
in Section 8.4.4, (Signals, Alpha), to the returned tuple. Thus, any renamings must be 
applied after this composition.
Upon full traversal of a VCStruct structure, a single CSP process is returned by 
SVA4VHDL, which represents the entire system. This is returned by extracting the first 
element of the returned (P , A) tuple, P , in the VStructPar function:
V Struc tPar(t)  — let (P,_)  =  VSPA(t)  within P
142 Chapter 8. Deûning Hierarchical Compilation
8.6 A pplying a Suitable Com pression Technique
The result of the previous section has provided us with a CSP hierarchical model of a 
VHDL system within FDR. All of the events within the model are externally visible. 
These include the internal details of step, iveval, ivwrite and stable events. Hiding step 
events within the model will introduce divergence. This divergence has nothing to do 
with any behaviour of a VHDL system, but is a residual artefact generated within our 
modelling approach. In this section we will introduce an additional process tha t utilises 
chase compression to remove such divergences.
The original SVA compression techniques, discussed in Chapter 4 on page 59, relied on 
high levels of interleaving throughout the model to be effective. Such interleaving is not 
so prominent within SVA4VHDL models, and thus, the application of FD R’s diamond 
compression, followed by strong bisimulation compression, Figure 4.11 on page 59, is not 
so effective.
FDR contains several other compression techniques, including chase compression. Recall 
from Chapter 2 on page 33, chase compression follows an arbitrary trace of tau (hidden) 
events, reducing the state to the events found after the tau events. This means tha t chase 
is not semantics preserving, but as long as the model is deterministic and divergence free, 
chase compression may be applied safely.
In Section 6.2, we discussed the relationship between step and stable events, i.e., whenever 
stable is offered, step is still available for the same component. Thus, when we hide these 
step events, we introduce a divergence. To resolve this divergence problem, we introduce 
an additional CSP process to our generated SVA4VHDL model for each component 
construct. This process, generated by the ComponentOverlord function is used in the 
VUnFlatten functions discussed Section 8.4.1. Note that Barton [12] identified the need to 
distinguish between internal and external cycles (delta cycles (d) and femto seconds (fs)) 
when ‘sketching’ a proposed CSP representation for VHDL descriptions.
8 .6 .1  R e m o v in g  D iv e rg e n c e
The function ComponentOverlord, defined in Figure 8.9, monitors the events used to 
determine the stabilisation state of a signal, for all signals, with respect to a single 
component. Should the function determine tha t none of the signal values have changed 
since the previous step event, a stable event is offered over a step event.
8.6. Applying a Suitable Compression Technique 143
C  om ponentOverlord(comp)  =  
let
compProcs =  getElem({procs  | (c, procs)  -f— Components, c =  comp})
P R E P A R E (x )  =  arb—falselcomplx  —» P O S T - A R B ( x )
□ steplcomp  —> P R E - A R B ( x )
P O S T —A R B ( x )  =  no—action  —> stable —>• P R E —A R B ( x )
□ stepl comp —> P R E —A R B ( x )
O V E R L O R D -JB A D STE P{xs)  =  || P R E P A R E  (x)
{\step  .com p,stable,no—action \} x ç xs
O V E R L O R D (x s)  =  c h a se (O V E R L O R D —B A D S T E P (x s )  \  {n o —action})  
within
O VERL O R D  ( compProcs)
Figure 8.9: ComponentOverlord process
In order to ensure th a t a stable event is elevated over a step event when available, we 
use CSP hiding and c/mse compression to follow the tau path  and thus ensure th a t only 
stable is offered.
Consider the component compA from our small example, Figure 6.2 on page 98. When 
m l, m 2 , in tem all, intemal2, outl and out2 do not change between calculate and step 
events, stable is offered. This is only because arb-false events have been detected for 
process identifiers 1 and 2. For any one of these processes arb-false may occur, bu t if 
both perform arb-false then stable is possible.
We introduce a new event no-action. The only purpose of this event is tha t it can be 
safely hidden. Upon hiding no-action, we can see that after an arb-false.compA.l event, 
the possible traces for a process P R E -A R B  (I) from Figure 8.9, are:
{{stable) ,  {step,  comp A ) }
In itself, there is no elevation of the stable event. However, if we place two of these 
processes together, i.e., P R E -A R B (1) and P R E -A R B {2), synchronising on stable and 
step.comp A, and apply chase compression, the possible traces are not the same. The 
way chase compression works here will be dependent on the branching available.
If either process performs a step.comp A  event, stable is blocked as before. However if 
both return  the trace set given above, applying chase will result in only the stable event 
being offered. This is due to the behaviours of chase compression, chasing down a chain 
of r  events, and we can see that this enables us to elevate the stable event over a step 
event.
144 Chapter 8. Deûning Hierarchical Compilation
8.7 R unning Example: Candy Puzzle: G enerated CSP  
M odel
Recall the translation to SVA4VHDL of the Uniform Candy Distribution Puzzle from 
Section 7.4 on page 115. At that point, it was only possible to translate VHDL hier­
archical systems to SVA4VHDL. However, within this chapter we have introduced new 
SVA4VHDL functions that enable a CSP model to be generated.
Using the translation from Section 7.4, a CSP trace can be generated identifying a possible 
behaviour of the system. We provide such a trace in Figure 8.10. For clarity we highlight 
the stabilisation points of the different components involved within the system. Also, 
the trace identified in Figure 5.23 is visible within Figure 8.10, given by the events 
parameterised with childl.
8.7. Running Example: Candy Puzzle: Generated CSP Model 145
Z
CHILDS <
S t e p s
C h ild2
calculate. childrenSweets 
sigchanged.teacherA.IV .31. true 
calculate. teacher 
iveval.teacherA.IV .29.0 
iveval.teacher.3.I V  .22.0 
ivwrite.teacherA.IV .26.0 
iveval.teacherA.IV .30.0 
iveval.teacherA.IV .23.0 
sig chang ed.child3.2. I V  .16. true 
ivwrite.teacherA.IV .27.0 
iveval.teacherA.IV .31.0 
calculate. child3 
iveval. child3.2.I V  .15.0 
ivwrite.teacherA.IV .29.0 
iveval.child3.2.IV .17.0 
ivwrite.teacherA.IV .28.0 
sig changed, childl.0. I V  .2. true 
calculate, childl 
iveval. childl.0.I V  .1.0 
iveval. child 1 .0 .TV.3.0 
step, childl 
iveval.teacherA.IV .24.0 
ivwrite.teacherA.IV .30.0 
iveval.teacherA.IV .25.0 
step.child3 
ivwrite.teacherA.IV .31.0 
step.teacher 
iwrite. teacher. I V  .31.0 
arb-false. child 1 . 0  
iwrite.teacher. I V .30.0 
sig chang ed. child 2.1. I V  .9. true 
iwrite.teacher. I V  .29.0 
calculate. child2
\
>  T e a c h er
C hild  1
>  T e a c h er
Figure 8.10: A CSP trace from our running example as defined in Figure 7.4
146 Chapter 8. Deûning Hierarchical Compilation
Chapter 9
Case Study: Traffic Lights
We present the first of two case studies in this chapter to aid in the evaluation of our 
SVA4VHDL compiler. A hardware system, in the form of a set of traffic lights controllers, 
with associated state machines, is identified and then verified using CSP high-level specifi­
cations. Similar reasoning regarding the system is also applied using the Mentor Graphics 
Questa Advanced Simulator EDA tool in order to allow us to draw comparisons. Fur­
thermore we also provide a comparable CSP model using Evans’ [35] methodology, since 
this was the initial starting point of our research and provides further evaluation of our 
compiler.
The chapter is therefore structured as follows. In Section 9.1 we describe the system 
specification and requirements, and provide a VHDL implementation. High-level CSP 
specifications are then identified in Section 9.2. Using the translation patterns and proce­
dure identified in previous chapters within our Java translator, Section 9.3 identifies the 
translation of SVA4VHDL from the VHDL design appropriate for the traffic lights system. 
Section 9.4 details the translation to an alternative CSP approach by Evans [35], and the 
verification of similar properties within an EDA environment is then discussed in Section 
9.5. Finally, a discussion is given in Section 9.6, drawing out the key points revealed 
from evaluating this case study; providing a short comparison of the three approaches 
identified within this chapter; and identifying a flaw within the compiler, revealed by this 
case study, and its subsequent resolution.
147
148 Chapter 9. Case Study: Traffic Lights
triggerG lotriggerG2i
triggerGlitriggerG 2i
triggerG  1q triggerG2a
triggerG li triggerG20
triggerGlo triggerG2o
triggerG li triggerG2o
(m R M R )
/  /  triggerG lo  triggerG2i
 j  /
triggerG  lo  triggerG20n
Figure 9.1: A single traffic light controller FSM
9.1 O verview
A controller of a single traffic light governing the crossing between two unidirectional 
roads is driven by a finite state machine. The crossing is biased, allowing traffic from a 
major road to flow without regard to waiting cars on a minor road. To ensure tha t the 
major road remains clear of traffic, a countdown is initiated once the traffic flows over 
the major road, and at the end of the countdown, the current flow of traffic is assessed. 
Clearly, cars on the minor road may only proceed if there are no cars on the major road, 
and only after the countdown has expired.
The controller requires: two inputs tha t sense the presence of cars at the lights of the 
major road, and cars at the lights of the minor road; and two outputs to control the 
two traffic lights. For simplicity, we identify a traffic light to be either Red or Green 
(ignoring Amber). We express this behaviour as the finite state machine given in Figure 
9.1, where: triggerGl and triggerG2 represent the triggers on the first and second road, 
suffixed with the signal value 0 or 1; and three states: mRM R, mGMR, and mRMG, 
where the major road (M) and minor road (m) are suffixed with their current light colour 
red (J?) or green ((?).
Our traffic light system contains three traffic light controllers, whereby the output of 
one controller may become the input of another. This ensures that the connected major 
road guarantees a constant flow of traffic whilst cars are present on tha t road. Figure
9.2 visualises this system.
9.1. Overview 149
© © ©
a :
1 0 1 0 1 0
f Ag g 1
Figure 9.2: The traffic light system
9 .1 .1  S y s te m  R e q u ir e m e n ts
Each traffic light controller must adhere to certain system properties:
R e q u ire m e n t 1 Never allow both lights to be green at once (Safety Property).
R e q u ire m e n t 2  Allow traffic at the junction of a major road to take precedence.
R e q u ire m e n t 3 Ensure tha t the minor road traffic may flow if the associated major 
road has no traffic.
If each controller meets these properties the emergent property: traffic will flow across 
the major road is revealed. A resultant implementation, adhering to these requirements, 
would therefore be considered valid.
9 .1 .2  A  S in g le  Traffic L ight C o n tro ller
Using the finite state machine from Figure 9.1, we define a VHDL traffic light controller 
component with two input ports and two output ports; both  of type std-logic. If a car 
is present at a set of lights, the associated input port will report a value ‘1’, else ‘O’. 
Similarly, to set the traffic lights, we associate the value ‘1’ with green and ‘0’ with red.
The traffic light controller identifies a countdown prior to reassessing the current state 
of the lights; we introduce an internal signal, timer, for this purpose. Since the system 
is driven by a finite state machine, we define two internal signals p resen ts ta te  and 
n e x ts ta te  of type state-type to identify the different states of the controller. We define 
the states within the VHDL user defined type statetype: mRMR, mRMG, and mGMR.
150 Chapter 9. Case Study: Traffic Lights
As this is a VHDL system, we also include a clock input port to drive the controller, 
and change the state accordingly. Our VHDL representation of a single traffic light 
controller is given in Figure 9.3, where the implemented behaviour for traversing the 
state machine, from Figure 9.1, is given in the VHDL process fsm . Each transition from 
a state is represented by a VHDL if  s ta te m e n t (Section 2.1.2 on page 14).
9 .1 .3  C o n n e c t in g  Traffic L igh ts C o n tro llers
The VHDL component definition of a traffic lights controller,cross-road in Figure 9.3, 
can be instantiated three times to provide the system we require, as illustrated in Figure 
9.4. Figure 9.5 defines these instantiations within a new VHDL component, long-road.
From Figure 9.5 it is clear tha t connecting the output port from the first and second 
instantiations to both the traffic light, and the input of the proceeding instantiation, is 
not straightforward. VHDL does not allow a contained component s output port to be 
assigned to both an internal signal and an output port within a port mapping defini­
tion. Thus, additional signals are introduced for two of our component instantiations so 
tha t their output ports may be used for both internal port mapping and output port 
assignments.
In addition to the three component instantiations, the architecture of our system, Fig­
ure 9.5, also includes an additional VHDL processes. The process assigns the output 
ports of the first and second cross-road components, which are ‘wired’ to GSTrigger 
and G5Trigger respectively, and assigns their values to the output ports of the parent 
component, Glgreen and G 2 green. This additional process enables the values of one 
component to be used both as an input to another component, and be visible as an 
output of the parent component. Since the port values need only be updated during a 
rising clock event, we specify the sensitivity list of the process to be the clock port only. 
This resolves the VHDL restriction with dual assignment of port mapping values.
Notice tha t the inputs of the VHDL long-road component, Figure 9.5, are triggerGl, 
triggerG2, triggerGA, and triggerGQ. The trigger triggerGl relates to the presence of a 
car at the major road, whilst triggerG2, triggerG A, and triggerGQ represent the presence 
of a car at the first, second, and th ird  minor roads. The triggers triggerGl and triggerGb 
(relating to the second and third instance of the cross-roads component) are moved to 
internal signals. The stimuli for triggerG?, and triggerGb are provided by the output 
signals Glgreen and G?green respectively, clearly illustrated in Figure 9.4.
9.1. Overview 151
e n t i t y  c r o s s - r o a d  i s  
p o r t  ( c lo c k  , t r i g g e r G l  ,
t r ig g e r G 2  : i n  s t d - l o g i c  ;
G lg r e e n ,  G2green : o u t  s t d _ l o g i c  ) ; 
en d  e n t i t y  c r o s s - r o a d  ;
a r c h i t e c t u r e  asm o f  c r o s s - r o a d  i s  
t y p e  s t a t e - t y p e  i s  (mGMR, mRMG,mRMR.) ; 
s i g n a l  p r e s e n t - s t a t e  ,
n e x t - s t a t e  : s t a t e  - t y p e  := mRMR; 
s i g n a l  t im e r  : i n t e g e r  :=  0; 
b e g in
fsm : p r o c e s s  ( t i m e r ,  t r i g g e r G l ,  t r ig g e r G 2  , 
p r e s e n t - s t a t e )  i s
b e g in
c a s e  p r e s e n t - s t a t e  i s  
when mRMR =>
i f  ( t r i g g e r G l  =  ’l ’and t r ig g e r G 2  = ’0 ’) t h e n  
n e x t - s t a t e  < =  niRMG; 
e l s i f  ( t r i g g e r G l  =  ’l ’ and t r ig g e r  G2 =  ’1 ’) 
t h e n
n e x t - s t a t e  < =  mRMG; 
e l s i f ( t r i g g e r G l  = ’0 ’ and t r ig g e r G 2  =  ’1 ’) 
t h e n
n e x t - s t a t e  < =  mGMR; 
end  i f  ; 
when mGMR =>
i f  ( t r i g g e r G l  —’1 ’ and t r ig g e r G 2  =  ’O’) or  
( t r ig g e r G 1  = ’0 ’ and t r ig g e r G 2  =  ’0 ’) t h e n  
n e x t - s t a t e  < =  mRMR; 
en d  i f  ; 
when mRMG =>
i f  ( t i m e r = 8 )  t h e n
n e x t - s t a t e  <— mRMR; 
en d  i f  ; 
end  c a s e  ; 
end  p r o c e s s  fsm ;
e l k :  p r o c e s s  ( c l o c k )  i s  
b e g in
i f  ( c lo c k  ’ e v e n t  and c lo c k  =  ’ 1 ’) 
t h e n
p r e s e n t - s t a t e  < =  n e x t - s t a t e
i f  ( p r e s e n t - s t a t e  =  mRMG) 
t h e n
t im e r  < = t im e r  +  1; 
e l s e
t im e r  < =  0; 
end  i f  ; 
end  i f  ; 
e n d  p r o c e s s  e lk  ;
s e t G l  : p r o c e s s  ( p r e s e n t - s t a t e  ) 
i s
b e g in
i f  ( p r e s e n t - s t a t e  =  rriRMG) t h e n  
G lg reen  < =  ’ 1 ’ ; 
e l s e
G lg reen  < =  ’O ’ ; 
end  i f  ; 
end  p r o c e s s  s e t G l  ;
se tG 2  : p r o c e s s  ( p r e s e n t - s t a t e  ) 
i s
b e g in
i f  ( p r e s e n t - s t a t e  =  mGMR) t h e n  
G2green < =  ’ 1 ’ ; 
e l s e
G2green < =  ’O ’ ; 
en d  i f  ; 
end  p r o c e s s  se tG 2  ; 
end  a r c h i t e c t u r e  asm;
Figure 9.3: Case Study 1: A VHDL traffic lights controller
152 Chapter 9. Case Study: Traffic Lights
t r ig g e r G l - 
t r ig g e r G 2 -
tr ig g e r G 3 -
tr ig g e r G 4 -
Cross_Roads^
Cross_Road^
CrossJRoad^
-G lg r ee n  
-G 2green  
-G lg r ee n  
-G 4green  
-G Sgreen
-G Sgreen
A: tr ig g e r G 3 B : tr ig g e r G S
Figure 9.4: Traffic light controller hierarchy
e n t i t y  lo n g _ r o a d  i s  
p o r t  ( c lo c k  , t r ig g e r G l  , t r ig g e r G 2  , 
t r ig g e r G 4  , tr iggerG G  : in  
s t d _ l o g i c  ;
G lg reen  , G2green , GSgreen,
G4green ,
G S g r ee n , GSgreen : o u t  s t d - l o g i c  )
e n d  e n t i t y  l o n g - r o a d  ;
a r c h i t e c t u r e  o u ter  o f  l o n g - r o a d  i s  
com ponent c r o s s - r o a d  
p o r t  ( t r i g g e r G l  , t r ig g e r G 2  , 
c lo c k  : in  s t d - l o g i c  ;
G lg reen  , G2green : o u t  s t d - l o g i c  
) ;
en d  com ponent ; 
s i g n a l  G Str ig g e r  , G S tr ig g e r  : s t d - l o g i c
b e g in
c r o s s r o a d s  1 : c r o s s - r o a d  
p o r t  map(
c lo c k  =>  c lo c k  , 
t r i g g e r G l  =>  t r ig g e r G l  , 
t r ig g e r G 2  =>  tr ig g e r G 2  ,
G lg r e en  =>  G S tr ig g e r  ,
G2green =>  G2green
) ;
c r o s s r o a d s 2  : c r o s s - r o a d  
p o r t  map(
c lo c k  =>  c lo ck  , 
t r i g g e r G l  =>  G S tr ig g er  , 
t r ig g e r G 2  =>  t r ig g e r G 4  ,
G lg reen  =>  G Str ig g e r  ,
G2green =>  G4green
) ;
c r o s s r o a d s S  : c r o s s - r o a d  
p o r t  map(
c lo c k  =>  c lo ck  , 
t r i g g e r G l  =>  G Str ig g e r  , 
t r ig g e r G 2  =>  tr iggerG G  ,
G lgreen  =>  GSgreen ,
G2green =>  GGgreen
) ;
l i n k :  p r o c e s s  ( c l o c k )  i s  
b e g in
i f  ( c lo c k  =  ’1 ’ and c lo ck  ’ e v e n t )  t h e n  
G lgreen  < =  G S tr ig g e r ;
GSgreen < =  G S tr ig g e r  ; 
end  i f  ; 
end  p r o c e s s  l in k  ; 
end  a r c h i t e c t u r e  o u ter  ;
Figure 9.5: VHDL traffic lights system
9.2. CSP Specifications 153
channel G lgreen , G2green  : {1..1}
SafetySpec =  
let
C O N T R O L (0 ,0) =  G lg re e n .l ->■ C O N T R O L (1 ,0 )
□ G 2green .l C O N T R O L (0 ,1)
□ stable C O N T R O L ^ , 0)
CON TRO LAI, 0) =  G lg re e n .l - 4 -  C 0 N T R 0 L { 1 ,0)
□ stable -4- C O N T R O L ^ , 0)
C O N T R O L ^ , 1) =  G 2green.1 -4 C O N T R O L (0 ,1)
□ stable —> C O N T R O L (0 ,0) 
w ithin
C O N T R O L ^ , 0)
Figure 9.6: Traffic lights requirement 1 (safety property)
9.2 C SP Specifications
In order to verify a CSP representation of the VHDL long-road description, the require­
ments from Section 9.1.1 must be defined as CSP specifications. Since our modelling style 
within SVA4VHDL identifies each signal value change as an event, all our specifications 
must reflect this style. The specifications we give relate to a system in terms of a major 
road and a minor road. This allows the specification to be applied to a single cross road, 
or across the entire system, for instance the major road and the third minor road (Figure 
9.2).
9.2.1 Requirem ent 1
The safety property, “never allow both lights to be green at once”, is effectively described 
by the finite state machine (FSM) in Figure 9.1. However, since our SVA4VHDL identi­
fies signal value changes individually in its compiled models, a finer granularity of CSP 
specification is required than  the behaviour exhibited in Figure 9.1. As we are defining 
a specification, we need only focus on those signals th a t are relevant to ensuring the 
property; the traffic light values themselves.
The CSP specification SafetySpec in Figure 9.6, describes a FSM of three channels, 
Glgreen, G2green, and stable. The behaviour given allows any combination of the 
events Glgreen.l, G2green.1 and stable, except for the occurrence of both G lgreen.l 
and G2green.1 at the same time. The specification does not permit both lights being 
green, the state which we wish to avoid, the safety property.
Using CSP trace refinement [83] and event renaming, we can apply our safety specification
154 Chapter 9. Case Study: Traffic Lights
P r io r ity  Spec — let 
IG N O R E  =  stable  -> IG N O R E  
G 2green.1 —> IG N O R E
□ G2green.O —> IG N O R E
□ Triggerl.O  T rigger2 .l TIM E (0)
□ Trigger2.1  -4- Triggerl.O  -4 TIM E{0)
□ T rig g e r l.l  -4 IG N O R E
T IM E (8) =  G 2green.1 -4 IG N O R E
□ THgyerl.O —> T IM E (8)
□ Trigger2.1  -4 T IM E {8)
T IM E (n ) =  G 2green.0 -4 T IM E {n)
T IM E (0) =  G 2green.0 -4 TIM E (0) 
□ stable  -4 T IM E (1)
□ TMggerl.O -4 TIM E (0)
□ TWggerl.l -4 IG N O R E
□ G2green.l -4  IG N O R E
□ Trigger2.0  —> IG N O R E
□ Trigger2.1 -4 TIM E (0)
□ G2green.l -4 IG N O R E
□ T rig g e r l.l -4 IG N O R E
□ THggerl.O -4 T IM E (n )
□ stable -4 T IM E (n  +  1)
□ Trigger2.0  -4 IG N O R E
□ Trigger2.1 -4 T IM E (n )
w ithin  IG N O R E
Figure 9.7: Traffic lights requirement 2 (priority property)
to a representation of the traffic lights system compiled using SVA4VHDL. The specifica­
tion given in Figure 9.6 can then be used to verify tha t a state where both lights are set to 
green never occurs, a behaviour outside of the specification. Note th a t the specification 
has been written using new channel names rather than use the SVA4VHDL channel outp. 
This is to make the specification more readable, and removes the requirement to know 
the signal identifiers whilst defining the specification. To use the specification we can 
rename the necessary outp events from the SVA4VHDL compiler generated CSP model 
as required.
9.2.2 Requirem ent 2
Our second requirement, “allow traffic at the junction of a major road to take precedence”, 
can be defined by modelling only those signals needed to get to the point where the major 
light is set; it is driven by the two input signals, Triggerl and Trigger2. Thus we define 
a PrioritySpec, Figure 9.7, to provide such behaviour.
W ithin the PrioritySpec we wish only to observe the major lights go green with the 
existence of cars at the major junction. To ensure the property always holds we must 
also include the behaviour where the lights for the major junction are not green; when a 
car is only at the minor road. This property can be applied to an individual cross roads 
or to the entire system, depending on which signal identifiers (xch and outp events) are 
renamed.
9.2. CSP Speciûcations 155
channel tr ig g erG l, triggerG 2 : {0..1} 
coun t-va lue  =  N  
L ivenessSpec =  let
S ta rt =Dxe{o..i} G 2green\x  —>• S ta rt
□ stable —> S tart
□ tr ig g e rG l.l  S ta rt
□ triggerG 2.0  —>■ S ta rt
□ triggerG l.O  —» S ta r t l
□ triggerG 2.1  —> S tart2  
S ta r t l  = n xe{o..i} G 2green\x  —>
□ stable —>■ S ta r t l
□ inggerG l.l  —> S'iart
□ triggerG 2.0  —> Siarti
□ triggerG 2.1  —> L ive Check ( count—value)
□ inggerGl.O —> Start 1
S ta rt2  =da:G{o..i} G 2green\x  —> S tart2
□ stable  —> S tart2
□ tr ig g e r G l.l  —> S tart2
□ triggerG 2.0  —> Start
□ triggerG 2.1 S tart2
□ triggerG l.O  —> L ive Check (count—value) 
L iveCheck(0) =  tr ig g e r G l.l  S ta r t l
□ trtggerG 1.0 —> LiveC heck(0)
□ triggerG2.1 —> LiveG heck(0)
□ G 2green.1 —> Start
L iveC heck(n) =  stable  —> L iveC heck(n  — 1)
□ tr ig g e r G l.l  —> S ta r tl
□ triggerG l.O  —> LiveC heck(n)
□ triggerG 2.1  —> LiveC heck(n)
□ G 2green.0 —> L iveC heck(n)
□ G 2green.1 —> Start 
within  S tart
Figure 9.8: Traffic lights requirement 3 (liveness property)
9.2.3 Requirem ent 3
The final requirement, “ensure that the minor road traffic may flow i f  the associated major 
road has no traffic”, for the traffic light controller, the liveness property, must ensure that 
eventually the traffic on the minor road of a crossing can progress. This example is not as 
simple to verify using the failures semantic model [8 8 ]. We must identify the maximum 
number of stabilisations a generated model can perform before the system must enforce 
the liveness property within our specification. Thus the variable count-value is given in 
our specification to specify this maximal size.
The specification LivenessSpec, given in Figure 9.8, tracks the occurrence of stable events 
to allow ‘up to ’ the maximal path  for the minor lights to go green (G2green.l). Obvi­
ously the behaviour of a crossing is determined by the triggers involved, triggerGl and 
triggerG2. Thus, we specify all the possible combinations for these and the effect these 
state changes has on the enforcement of the liveness property, i.e., when to restart the 
count etc.
Clearly these three CSP specifications are written in such a way as to interact with an 
output of our compiler. Note however, CSP renaming (Section 2.3.1 on page 28) will 
need to be applied to the compiled SVA4VHDL model in order for these specifications to 
be applicable; renaming xch and outp events, triggerGl and Glgreen etc., as necessary.
156 Chapter 9. Case Study: Traffic Lights
To reiterate, we have defined these specifications such tha t they are applied to a pair of 
roads, a major road and a minor road. It is clear that identifying different renamings 
will allow them to be applied to each crossing within the system, and indeed across the 
entire system, e.g., to prove the emergent property.
Note, these specifications will not be applicable for use with the alternative approach 
given in Section 9.4 since it does not represent a hardware design in the same way.
9.3 A n SVA4VH DL R epresentation
The translation procedure from Chapter 7, page 115, is applied to the VHDL description 
of our traffic lights system in Figures 9.3 and 9.5. As before this procedure invokes 
our translation patterns to generate a SVA4VHDL representation of the VHDL process 
behaviour. For this case study the translation patterns T P 4 ,  T P 5 ,  T P g ,  T P ? ,  T P  g 
and T P g ,  pages 89-92 are applied. Our Java tool was used to perform the automatic 
translation of these patterns.
The procedure on page 115, produces multiple instances of the cross—road component. 
However, since the behaviour defined is identical in each instance, and only the signal 
identifiers, process names and process identifiers change, we only provide the definition 
for the first instance, given in Figure 9.9.
The long-road component, Figure 9.5, as the top level VHDL component, is translated 
by our procedure, Figures 7.4, 7.5, and 7.6, to produce the SVA4VHDL model in Figure 
9.10. Note the definition of the additional sets and sequences also generated at the bottom 
of Figure 9.10 that are necessary to fully define the VHDL structure within SVA4VHDL. 
Furthermore, Figure 9.11 gives additional information, such as the signal identifier and 
process identifier ranges, which are not requirements for CSP model generation, but are 
a requirement from the original SVA compiler.
Again the behavioural FSM, from Figure 9.1, within the cross—road SVA4VHDL model 
can be seen. This time however, it is derived from the VHDL FSM process in Figure 
9.3. Clearly, the SVA4VHDL representation contains more lines of code than the original 
VHDL as a result of individual definitions for each instantiated component.
9 .3 .1  M o d e l V er ifica tio n
Using the CSP specifications from the previous section, the SVA4VHDL representation 
of the traffic lights controllers can be verified against the original system requirements.
9.3. A n  SVA4VHDL Representation 157
—  I n p u t s  =  c lo c k  , t r i g g e r G  1 , t r i g g e r G S
—  I n t e r n a l s  =  p r e s e n t - s t a t e  , n e x t - s t a t e  , t i m e r
—  O u tp u ts  =  G lg r e e n ,  G S g re e n
cr os sR o  ads  1 I n p u ts  =  { (IV .1 ,0 , { 0 . . 1 } )  , ( I V . 2  ,0 , { 0 . . 1 } )  , ( I V . 3  ,0 , { 0 . . 1 } ) }  
c r o s s R o a d s l I n t e r n a l s  =  { (IV .4 ,0 , { 0 . .  3 } )  , ( I V . 5 ,0 , { 0 . .  3 }  ) , ( I V . 6 ,0 , { 0  ..  8 }  ) } 
cro ssR o  ads 1 O u tp u ts  =  { ( I V . 7 , 0  , { 0 . . 1 } )  , ( I V . 8 ,0 , { 0 . .  1}  ) }
P _ c l k ( )  =  (VHDLProc. ( { I V . 1}  ,
Cond. (O o n p Q p .E q .IV a r . IV . 1. C o n s t .  1 ,
S q .  ( l a s s i g n  . ( IV a r  . I V . 4 , I V a r . I V .5 )  ,
Cond. (C om pO p.E q .IV ar . IV . 5 . C o n s t . 0 ,
C on d . (ConçiOp. N e q . I V a r . IV . 4 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r . I V . 6 , C o n s t . 0)  ,
l a s s i g n  . ( I V a r . I V . 6 ,BIOp. P l u s  . I V a r . IV . 6 .  C o n s t .  1) ) ,
S k ip )  ) ,
S k i p ) ) ,  ( { } , { } )
P_fsm () =  (VHDLProc. ( { I V . 6 , IV . 2 , I V . 3 , I V . 4 }  ,
Cond. (C om pO p.E q .IV ar . IV . 4 .  C o n s t . 2 ,
Cond. (BBOp.And.CompOp.Eq. I V a r . IV . 2 .  C o n s t . 1 .CompOp.Eq. I V a r . IV . 3 . C o n st  
. 0 ,
l a s s i g n  . ( I V a r . I V . 5 , C o n st  .0 )  ,
Cond. (BBOp.And.CompOp.Eq. I V a r . IV . 2 . C o n s t . 1 .CompOp.Eq. I V a r . IV . 3 . 
C o n s t . 1 ,
l a s s i g n  . ( IV a r  . I V . 5 , C o n s t .  1) ,
Cond. (BBOp.And.CompOp.Eq. I V a r . IV . 2 . C o n s t . 0 .CompOp.Eq. I V a r . IV . 3 . 
C o n s t .  1 ,
l a s s i g n  . ( I V a r . I V . 5 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V . 5 , C o n s t . 1) ) ) ) ,
C on d . (CompOp. E q . I V a r . IV . 4 .  C o n s t . 1 ,
Cond. (BBOp. And.CorrpOp.Eq. I V a r . IV . 2 . C o n s t . 0 .CompOp.Eq. I V a r . IV . 3 . 
C o n s t . 1 ,
l a s s i g n  . ( I V a r . I V . 5 , C o n st  .2 )  , S k i p ) ,
Cond. (CompOp.Eq. I V a r . IV . 4 .  C o n s t . 3 ,
Cond. (BBOp.And.CompOp.Eq. I V a r . IV . 2 . C o n s t . 1 .CompOp.Eq. I V a r . IV . 3 . 
C o n s t . 0 ,
l a s s i g n  . ( I V a r . I V . 5 , C o n s t . 3)  ,
Cond. (BBOp.And.CompOp.Eq. I V a r . IV . 2 . C o n s t . 1 .CompOp.Eq. I V a r . IV . 3 . 
C o n s t . 1 ,
l a s s i g n .  ( I V a r .  IV. 5 ,  C o n s t .  3)  ,
Cond. (BBOp.And.CompOp.Eq. I V a r . IV . 2 . C o n s t . 0 .CompOp.Eq. I V a r . IV 
. 3 . C o n s t . 1 ,
l a s s i g n  . ( I V a r . I V . 5 , C o n s t  .2 )  , l a s s i g n  . ( I V a r . I V . 5 , C o n s t . 3) ) ) ) , 
Cond. (CompOp.Eq. I V a r . IV . 4 .  C o n s t . 0 ,
C on d . (CompOp. E q . I V a r . IV . 6 . C o n s t . 8 , 
l a s s i g n  . ( I V a r .  IV. 5 , C o n s t .  3)  , S k ip )  ,
S k ip )  )
) ) ) ,  ({},{})
P _ se tG l  () =  (VHDLProc. ( { I V . 4 }  ,
Cond. (C om pO p.E q .IV ar . IV . 4 . C o n s t . 1 ,
l a s s i g n  . ( I V a r . IV. 7 , C o n s t . 1) , l a s s i g n  . ( I V a r . IV .7  , C o n st  .0 )
) ) ,  ( U n i o n ( { { } > )  , Union ( { { } } ) )  )
P _setG2 () =  (VHDLProc. ( { I V . 4}  ,
Cond. (C om pO p.E q .IV ar . IV . 4 .  C o n s t . 0 ,
l a s s i g n  . ( I V a r . I V . 8 , C o n s t .  1 ) , l a s s i g n  . ( I V a r . IV . 8 , C o n st  .0 )
) ) ,  ({},{})
c r o s s R o a d s l S e n s L i s t s  =  <  (0 , { I V . 1}  ) , (1 , { I V . 2 , IV . 3 , I V . 4 , I V . 6 }  ) , ( 2 , { I V . 4 } )  
, ( 3 , { I V . 4 } ) >
c ro ssR o a d slR T L  =  VKIL. c r o s s R o a d s l .< V P r o c .  P _ c lk  () ,V Proc .  P_fsm () ,
V P ro c .  P _ se tG l  () ,V Proc .  P _setG2 () > . { }
Figure 9.9: SVA4VHDL translation of the first instance of Figure 9.3
158 Chapter 9. Case Study: Traffic Lights
r o a d S e n s L i s t s  =  < ( 1 2 , { I V . 3 0 } )  ,
(13  , { I V . 2 5 ,1V. 26 , I V . 2 7 , I V . 28 , I V . 2 9 , I V . 3 0 , I V . 3 1 , I V . 33 , I V . 3 5 } ) >
— I n p u t s  =  c l o c k ,  c a r G l , c a r G 2 , c a r G 4 , ca rG 6
r o a d l n p u t s  =  { (IV .2 5  ,0 , { 0 . .  1}  ) , ( I V . 26  ,0 , { 0 . .  1}  ) , ( I V . 2 7  ,0 , { 0  ..  1 }  ) ,
( I V . 28 ,0 , { 0 . .  1}  ) , ( I V . 2 9  ,0  , { 0 . .  1 }  ) }
—  O u tp u ts  =  G lg r e e n ,  G S g r e e n , G S g r e e n , G 4 g r e e n , G S g r e e n , G G green  
r o a d O u tp u ts  =  { ( I V . 32 ,0 , { 0 . . 1 } )  , ( I V . 3 3  ,0 , { 0 . . 1 > )  , ( I V . 34  ,0 , { 0 . . 1 } )  ,
( I V . 35 ,0 , { 0 . .  1 }  ) , ( I V .3 6  ,0  , { 0 . . 1 } )  , ( I V . 37  ,0  , { 0 . .  1 }  ) }
—  I n t e r n a l s  =  G S t r ig g e r  , G S t r i g g e r
r o a d l n t e r n a l s  =  { (IV .3 0  ,0 , {  0 . .  1}  ) , ( I V .3 1  ,0 , {  0 . .  1}  ) }
P _ l in k  () =(VHDLProc. ( { I V . 2 5 }  ,
Sq .  ( l a s s i g n  . ( I V a r . I V . 32 , I V a r . I V . 3 0 )  ,
l a s s i g n .  ( I V a r .  IV. 3 4 ,  IV a r .  IV. 3 1 )  ) , ( { } , { } )
RoadVPMap =  VPMap. r o a d .< c ro s sR o a d s lR T L  , crossRoads2RTL ,
V P ro c .  P _ l in k  () ,V P roc .  Q _link  () > . {
( ( c r o s s R o a d s l  , I V . 1 ) , ( road ,IV  .2 5 )  ) , ( ( c r o s s R o a d s l  , IV .2 )  , (road , I V .2 6 )  ) ,
( ( c r o s s R o a d s l  , I V .3 )  , ( road , IV .2 7 )  ) , ( ( c r o s s R o a d s l  , IV . 6) , (road , I V .3 0 )  ) ,
( (  c r o s s R o a d s l  , I V . 7)  , ( road , I V .3 3 )  ) ,
( ( c ro ssR o a d s2  , I V . 9)  , ( road , IV .2 5 )  ) , ( ( c ro s sR o a d s2  , I V . 10) , (road , I V .3 0 )  ) ,
( ( c ro ssR o a d s2  , I V . 11)  , (road ,IV  .2 8 )  ) , ( ( cro ssR o a d s2  , I V . 15)  , ( road , I V .31  ) ) , 
( ( cro ssR o a d s2  , I V . 16)  , ( road , IV .3 5 )  ) ,
( ( c ro ssR o a d s3  , I V . 17)  , (road ,IV .2 5 )  ) , ( ( cro ssR o a d sS  , I V . 18)  , ( road ,IV .3 1 )  ) , 
( ( c ro s sR o a d s3  , I V . 19)  , ( road , IV .2 9 )  ) , ( ( cro ssR o a d s3  ,IV .2 3 )  , ( road , I V .3 6 )  ) , 
( ( c r o s s R o a d s S , I V .2 4 )  , ( r o a d , I V . 3 7 ) ) } .
(13 , { I V . 2 5 , I V . 2 6 , I V . 2 7 , I V . 2 8 , I V . 2 9 , I V . 3 0 , I V . 31 , I V . 3 3 , I V . 3 5 } )
I n p u t s  =  Union ({ c r o s s R o a d s l I n p u t s  , c r o s s R o a d s 2 I n p u t s  , 
c r o s sR o a d sS  I n p u ts  , r o a d l n p u t s  } )
I n t e r n a l s  =  Union ( { c r o s s R o  ads l i n t  e r n a ls  , c r o s s R o a d s 2 I n t e r n a l s  , 
c r o s s R o a d s 3 I n t e r n a l  , r o a d l n t e r n a l })
O u tp u ts  =  Union ({ c r o s s R o a d s lO u t p u t s  , c r o s s R o a d s 2 0 u t p u t s  , 
c ro ssR o a d sS  O u tp u ts  , r o a d O u tp u ts  } )
S e n s L i s t s  =  c o n c a t ( < c r o s s R o a d s l S e n s L i s t s  , c r o s s R o a d s 2 S e n s L i s t s  , 
c r o s s R o a d s S S e n s L i s t s  , r o a d S e n s L i s t s  >)
Com ponents =  { (  c r o s s R o a d s l  , { 0 , 1 , 2  , 3 } )  , ( c ro ssR o a d s2  , { 4  ,5 ,6  , 7 } )  , 
( c r o s s R o a d s S , { 8  , 9 , 1 0 , 1 1 } )  , ( road , { 1 2  , 1 3 } ) }
C o n ta in ed C o m p o n en ts  =  { ( r o a d  , {  c r o s s R o a d s l  , c ro s sR o a d s2  , c r o s s R o a d s S } )  }
T r a f f i c  =  V StructuredC om pile(RoadVPM ap) ( {  | c | c - e - S i g n a l s U l S i g n a l s U E r r o r s  | } )
Figure 9.10: SVA4VHDL translation of Figure 9.5
9.3. A n  SVA4VHDL Representation 159
— SVA v a l u e s  n o t  to  be c h a n g e d  
c h a n n e l  a s s e r t i o n f a i l e d  
S i g n a l s  =  { | a s s e r t i o n f a i l e d  | } 
bvnums =  { 1 . .  1}  
ianums =  { 1 . .  0}  
banums =  { 1 . .  0 }
D ir ty V a r s  =  Union ( { } )  
c t y p e s  =  O  
c a t y p e s  =  O  
i t y p e s  =  O  
i n i t  =  ( < > ,< > )
ParR eads =  Union ( { } )
P a rW rite s  =  Union ( { } )
SeqReads =  Union ( { } )
S e q W r ite s  =  Union ( { } )
In i tB  =  f a l s e  
e x t _ a t o m i c = f a l s e  
I n i t I  =  0 
d i t y p e  =  { 0 . . N} 
d c ty p e  =  { M i n i . .  Maxi}
— SVA4VHDL r e q u i r e d  v a l u e s  
N =  8
ivnums =  { 1 . . 3 7 }  
m o stp ro c s  =  14 
M ini =  0 
Maxi =  N
Figure 9.11: SVA additional defined values for Figure 9.5
To analyse the model we define the following FDR assertions that utilise the CSP speci­
fications already discussed. Both the specifications and assertions are added to the script 
tha t contains the automatically generated SVA4VHDL model by hand.
{ outp. road ./V .3 2 .0 , outp. road ./V .3 2 .1 ,
TrafficR enam edSafetyl =  Trafficl °utp.road.iv.33.0,outp.road.iv.33.1} j  ^Glgreen 0]Glgreen.1] ]
G 2 g re e n .0 ,G 2 g re e n .l}
T rafficR Sl =  T rafficR enam edSafetyl \  (E ven ts \  {| G lgreen , G2green, stable  |}) 
assert SafetySpecV -T  T rafficR S l
{ outp. road . /V .3 4 .0 ,o u tp . road . I V  .3 4 .1 ,
T rafficR enam edSafe ty2 =  T ra ffic l °utP.road.iv.35.0,outp.road.iv.35.1} j  {Glgreen.0]Glgreen l i  J
G 2 g re e n .O , G 2 g r e e n . l }
TrafficRS2 =  TrafficRenam edSafety2 \  (E ven ts \  {| G lgreen , G2green, stable  |}) 
assert Safe ty  Spec TrafficRS2
{outp. road . I V . 3 6 .0 ,  outp. road . I V  .3 6 .1 ,
T ra fficR en a m ed S a fe ty l =  T ra ffic l outp.road.iv.37.0,outp.road.iv.37.1} j  {Glg7.een.0>Glgreen l) ]
G 2 g re e n .O , G 2 g r e e n . l }
T rafficR S l — TrafficR enam edSafetyl \  (E ven ts \  {| G lgreen , G2green, stable  |}) 
assert SafetySpec Q t  T rafficR S l
These assertions apply the safety specification, SafetySpec against each crossing in turn, 
as can be seen by the application of renaming to different signal identifiers. The following 
refinement assertions are applied to verify the emergent property of both the PrioritySpec 
and LivenessSpec:
160 Chapter 9. Case Study: Traffic Lights
C o m p ila tio n ^ ^ RgR.I (secs) Req.2(secs) Req.3(secs)
Traffic 40 34 35 34 36 36
Table 9.1: SVA4VHDL verification time 1
{xch .road .IV .2 6 .0 ,xch .road.IV .26.1 ,xch.road. I V .29.0
TrafficR enam edPriority  =  Trafficl x c h -TOad-I V -2 9 -1 ’outP-road-I V -3 6 -0 ’outP-road-I V -3 6 -1 ï  /  { tr ig g e rG 1 .0 ,tr ig g e rG l.l ,tr ig g e rG 2 .o }
trigger G2 . 1 ,  G 1 green. 0 ,  G 1 green. 1}
TrafficR P — TrafficR enam edPriority \  (E ven ts \  {| tr ig g erG l, triggrG 2, G lgreen , stable |}) 
assert P rioritySpec Q f  TrafficRP
{xch.road. I V .2 6 .0 ,xch.road. I V .2 6 .1 ,xch.road. I V .29.0  
T r a f f i c R e n a m e d L i v e n e S S  —  T r a f f i c l  xch-road-I V -29 -1’outP-raad-I V -37 -Q<outP-road-I V -37 -1l  /  { tHggerGI . O, triggerG l.l,triggerG 2 .o l
tr ig g e rG 2 .1 ,G 2 g re e n .0 ,G 2 g re e n .l}
TrafficRL =  TrafficRenam edLiveness \  (E vents \  {| tr ig g erG l, triggerG 2, G2green, stable |}) 
assert L ivenessSpec Çp TrafficRL
These two assertions verify that the properties hold between the major road, Gltrigger 
and Gbgreen, and the minor road, GStrigger and GSgreen from Figure 9.4. Further 
assertions of this form could be applied to ensure that the property holds over the first 
and second cross roads as well. However, it is clear that both the Priority and Liveness 
Properties must hold for the first and second minor roads in order for them  to hold for 
the third minor road.
Table 9.1 identifies the SVA4VHDL representation of traffic lights system.
Note tha t the compilation size in memory (given by FD R’s state2 process) is 630MB, 
encompassing 326 states and 203,700 transitions. Also, while the hardware description 
was a mere 125 lines of VHDL code, we have had to individually define each component 
rather than  use an instantiation m ethod due to the constraints of SVA4VHDL, thus the 
SVA4VHDL model is represented by 254 lines.
9.4 A n A lternative M odel: U sing the dd Approach
As we have mentioned before, the starting point of our research was the evaluation 
of the work by Evans [35], which identified a formal representation in CSP for VHDL 
descriptions. Evans’ methodology for hardware verification, from now on referred to as 
the dd approach.
Recall in Chapter 3, we identified within the literature tha t different levels of abstraction 
have been applied to different approaches, in an effort to formally model VHDL. The
1 F o r  t h e  F D R  a n a l y s i s  w e  a r e  u s i n g  a  1 . 8 7 G h z  I n t e l  X e o n  D e l l  S e r v e r  w i t h  3 2 G B  o f  D D R 2  R A M .
9.4. A n  Alternative Model: Using the dd Approach 161
machine
CSP controller 
Process
machine
CSP controller 
Process
CSP controller 
Process
B machine
B machine B machine
B machine
Top-level 
B Machine
CSP controller 
Process
‘current’ state 
B machine
Figure 9.12: Evans [35] CSP||B architecture for VHDL2
dd approach abstracts the VHDL description to the level of delta delay units (hence the 
name dd), providing a ‘snapshot’ of the system state after each delta delay. As a result, 
notions of time are abstracted away, and the system clock is represented as any normal 
signal.
9 .4 .1  T h e  dd A p p ro a ch
Evans presented a CSP||B architecture tha t captures the behaviour of a ‘flattened’ VHDL 
description (Section 2.1.5 on page 24), including a representation of the historical state of 
VHDL signals. Evans’ CSP||B structure is given in Figure 9.12. As per the premise of the 
CSP||B methodology, CSP is used to drive the B machines in the dd approach. However, 
as identified in [35], to formally verify the models in FDR, the B-Method machines are 
‘lifted’ [89] to CSP, resulting in a CSP model representation of the system. A single CSP 
channel, dd, is given in this ‘uplifting’, and the values of all the signals, both  internal 
signals and ports, are presented as parameters of the dd channel. Thus, the resulting 
CSP model produces traces containing only dd events.
In only viewing the system behaviour as a series of dd events, it is clear there is no 
immediately identifiable notion of system stabilisation, as identified during our early 
work. Consequently we defined a test harness, in the form of an additional CSP process, 
that compares all parameters (signal values) over adjacent dd events.
2 F i g u r e  c o u r t e s y  o f  N e i l  E v a n s ,  A W E  p i c .
162 Chapter 9. Case Study: Traffic Lights
B (a , b) =  i f  (a  = =  b)then true else false
T e s tH a m e ss (v -a , %_6) =  d d ln v —a ln v —b —> 
i f ( v —a =  nv—a and V—b  =  n v-b )th en
stable—report\B {n v—a, nv—b) —» T estH a m ess(n v -a , nv—b) 
else
unstable—repartiB (n v —a, n v -b )  —> T estH am ess(n v—a, nv—b)
Figure 9.13: Stabilisation notification process for the dd approach
If none of the values changed between events, the system is considered to be in a stabilised 
state. Our process, TestHamess, defines two additional channels, stable-report and 
unstable-report, th a t both contain a boolean parameter. We provide an example of the 
TestHamess for an arbitrary system with two signals, a and 6 , over the dd channel in 
Figure 9.13. Using the TestHamess it is possible to identify stable and unstable states 
from a dd system model.
A u to m a tin g  th e  G e n e ra tio n  o f dd C S P  M ode ls  from  V H D L  D esc rip tio n s
During an industrial placement at AWE an automatic transformation framework for gen­
erating dd style CSP models from a VHDL description was developed. The framework, 
depicted in Figure 9.14, used metamodelling technologies to perform this transformation.
Our transformation framework utilised the Concrete Syntax Mapping (CSM) language 
EMFText [50] to perform text-to-model and model-to-text transformations for both CSP 
and VHDL; identified as step 1 and 2 in Figure 9.14. The associated meta-models used 
in the framework are given in Appendix A as Figures A.5 and A.6 .
To convert VHDL to a dd style CSP model, the transformation framework employed the 
model transformation language Epsilon Transformation Language (ETL) [58,59]. The 
ETL transformation is discussed further in Appendix A.
9 .4 .2  A  dd R e p r e se n ta t io n
Before our traffic light controller example can be transformed into a dd style CSP model, 
the VHDL description must first be ‘flattened’. Clearly, this is the case of replacing each 
VHDL component in the long-road component with the VHDL processes defined in the 
cross-road component. Likewise, substituting the cross-road ports with the long-road 
signals and including the cross-road signal within the long-road architecture is also 
necessary.
9.4. A n  Alternative Model: Using the dd Approach 163
Figure 9.14: A VHDL to dd style CSP model transformation framework
From a flattened VHDL description of the traffic lights controllers, a dd style CSP model 
can be generated. We give the resulting CSP model in Appendix B due to its size. We 
provide the translation for a single crossing in Figures 9.15 and 9.16. Our transformation 
from VHDL to CSP differs from Evans’ original approach in th a t we provide unique 
channels for all output ports. The reasoning is twofold: first this aids in identifying 
output ports for CSP model analysis; and second, the compilation strategy within FDR 
means tha t this representation is marginally smaller and thus, more scalable. Note tha t 
the dd channel still contains many parameters, and th a t identifying which param eter 
relates to a signal is non-trivial, a mapping is required (as illustrated in Figure 9.15).
The dd channel for a single cross-road VHDL component is given as: 
dd ? nv-dock  ! nv-jpres ent s t a t e !  n v s ie x ts ta te  ? nv-triggerG l! nv-triggerG2 ! nv—timer 
Clearly this increases by an additional five parameters (internal and input signals, minus 
the clock) per additional cross-road component.
The behaviour exhibited by the dd CSP model in Appendix B differs to a compiled 
SVA4VHDL CSP model in tha t there is: a) no hierarchical structure modelled; and b) 
the possible interleaving of internal signal and port value assignments is abstracted to 
provide only a ‘snapshot’ of all signal state for each dd occurrence.
9 .4 .3  V er ify in g  th e  C ase  S tu d y  P r o p e r t ie s
We previously noted th a t dd abstracts the VHDL description to the delta delay unit level, 
thus the CSP specifications provided in Section 9.2 cannot be used for this CSP model. 
Instead, we define new CSP specifications, in terms of signal snapshots that represent 
the signal states in which we are interested.
164 Chapter 9. Case Study: Traffic Lights
d a ta typ e  S T A T E  =  m R M R  | m G M R  | m R M G
nam etype B IT  — {0..1}
 clock, p r e s e n ts ta te ,  n e x t s ta te ,  tig g erG l, triggerG 2, tim er
channel dd : B I T .S T A T E .S T A T E .B IT .B IT . T E N
P -c lk (c lo ck , p resen t—sta te , n e x t-s ta te , tim er)  =  let 
n v-p resen t—sta te  — i f  (clock = =  1) then next—sta te  
else p re se n t-s ta te  
nv—tim e r —
if  ((p re se n t-s ta te  = =  m R M G )an d(clock  = =  l) ) th e n  tim e r  +  1 
else tim er
w ithin  P —elk '(nv—presen t—sta te , n v—tim e r , clock)
P -d k ' ( n v p resen ts ta te , n v tim er, clock) =
d d ln v —clock ! nv—presen t—sta te?n v—next—state?—?—\ nv—tim e r  —» 
i f  (nv—clock\ =  clock)then
P -c lk (n v -c lo c k , n v -p re se n t-s ta te , n v -n e x t-s ta te , n v - tim e r )  
else P —elk '(nv—presen t—sta te , nv—tim er, clock)
P -fsm (tr ig g e rG l, triggerG 2, tim er, m R M R ) =  let 
nv—next—sta te  =
i f  ( (tr ig g erG l —=  T)and(triggerG 2  = =  0))then  m R M G  
else i f  ((tr ig g erG l  = =  l)a n d (tr ig g erG 2  = =  l) ) th e n  m R M G  
else i f  ((tr ig g e rG l = =  0)and(triggerG 2 - l) ) th e n  m G M R  
else m R M R
w ithin  P -fsm '( tr ig g e rG l, triggerG 2, tim er , m R M R , n v -n e x t-s ta te )
P -fsm (tr ig g e r G l, triggerG 2, tim er, m G M R ) — let 
nv—n e x t-s ta te  =
i f  ((tr ig g erG l  = =  l)a n d (tr ig g erG 2  = =  0))then  m R M R  
else i f  ( (tr ig g erG l  = =  0)and(triggerG 2  = =  0))then  m R M G  
else m G M R
w ithin  P -fsm ' (tr ig g erG l, triggerG 2, tim er, m G M R , n v - n e x ts ta te )
P -fsm (tr ig g e rG l, triggerG 2, tim er, m R M G ) =  let 
n v—next—sta te  =
i f  ( tim e r  = =  8) then m R M R  
else m R M G
within  P —fsm '( tr ig g e rG l, triggerG 2, tim er, m R M G , n v - n e x ts ta te )
P -fsm ' (tr ig g erG l, triggerG 2, tim er, p re se n t-s ta te , nv—n e x ts ta te )  =  
d d ? -? n v -p r e s e n ts ta te \n v —n e x ts ta te ?
nv—trig g erG l? n v—trig g erG 2 ? n v-tim er  —> 
i f (( tr ig g e rG l\ — n v - tr ig g e rG l)  or (trigger G21 =  n v-tr ig g erG 2 )  
o r(( tim e r\  =  n v—tim er)
o r (p r e s e n ts ta te \  =  n v -p r e s e n ts ta te ) ) )  then  
P —fsm (n v - tr ig g e rG l, n v-tr ig g erG 2 , n v - tim e r , nv—p re sen t-s ta te )  
else
P -fsm ' (tr ig g erG l, triggerG 2, n v - t im e r , p re se n t-s ta te , nvn ext—sta te)
Figure 9.15: A dd CSP model of a single traffic lights controller
9.4. A n  Alternative Model: Using the dd Approach 165
 ou tpu t channels
nam etype T E N  =  {0..10} 
channel G lgreen  : B IT  
channel G2green : B IT
P —s e tG l(p r e s e n ts ta te )  — let 
n v -G lg re e n  —
i f  ( p r e s e n ts ta te  = =  m R M G )th en  1 
else 0
with in  G 1 green ! nu g  1 green —> P s e t G l '  (p r e s e n ts ta te )
P s e t G l '  (p r e s e n ts ta te )  =
dd?—?nv ^ present s t a t e ?  Ni—I—I— —> 
i f  ( p re s e n ts ta te l  =  nv—p r e s e n ts ta te )  then  
P s e t G l ( n v —p r e s e n ts ta te )  
else P s e t G l ’ (p r e s e n ts ta te )
P s e tG 2 ( p r e s e n ts ta te )  =  let 
n v-G 2green  =
i f  ( p r e s e n ts ta te  - m G M R )th en  1 
else 0
-within G2 green ! nv—G2 green  —> P s e t G 2 '  (p r e s e n ts ta te )
P s e t G 2 '  (p r e s e n ts ta te )  =
dd?—?nv—p r e s e n ts ta te ? —?—?—?— —>■ 
i f  (presen t—sta te l =  nv—presen t—sta te)th en  
P s  et G 2 (n v-p res ent—sta te)  
else P s e t G T  (p r e s e n ts ta te )
P S Y S T E M  =  let
P —S Y S T E M  (clock, p r e s e n ts ta te ,  n e x ts ta te ,  car, tim ed, v—sta r t—tim er) =
P - d k ’(p r e s e n ts ta te ,  tim er, clock) ||
{\dd\}
P -fsm '( tr ig g e rG l, triggerG 2, tim er, p r e s e n ts ta te ,  n e x ts ta te )  ||
{\dd\}
P s e t G l 1 (p r e s e n ts ta te )  || P s e t G T  (present—sta te)
{\dd\}
w ith in  P S Y S T E M ((0, m R M R , m G M R , 0,0 ,0)
Figure 9.16: A dd CSP model of a single traffic lights controller (cont.)
166 Chapter 9. Case Study: Traffic Lights
S a feS P E C  =  let
S T A R T  — G lg re en .1 M A J
□ G 2green .l —> M IN
□ dd?_?_?_?_?_?_ -4- S T A R T  
M A J  =  G^sreen.l —> S T O P
□ dd?-?-?-?-?-?- -4 S T A R T  
M IN  : Glgreen. 1 -4 S T O P
□ cM?_?_?_?_?_?_ -> S T A R T  
within
S T A R T
S y ste m R l =  S afeSP E C  || P S Y S T E M
{\ G 2green.1, G lg reen .l ,d d \}
assert S y s te m R l : [deadlockfree{F]\
Figure 9.17: Traffic lights cM requirement 1 (safety property)
R equirem ent 1 (v2) To determine the existence of both lights being green at the 
same time, a simple CSP process can be defined. We need only disprove the existence of 
the occurrence of a trace tha t would indicate such behaviour. The CSP process defined 
in Figure 9.17 exhibits this behaviour.
The process SafetySPEC  identifies the case where both G1 green.1 and G2green.1 occur, 
i.e., before a dd occurrence or in between dd occurrences. Observing both these events 
gives rise to the unwanted behaviour. By composing SafetySPEC  with our system, 
a deadlock check can be used to ensure the behaviour does not exist. This is again 
illustrated in Figure 9.17.
R equirem ent 2 (v2) The next property must again identify tha t given traffic at 
both  junctions, only the major lights may be green. Initially one might think a single 
‘snapshot’ of the state (single dd event) would suffice to show such a property. However, 
the propagation of signal changes must also be taken into account. Thus, the definition is 
not as straightforward. Instead we must utilise our TestHamess and confirm the property 
only after the input stimuli have been acknowledged, and the stable-report.true event 
occurs. The CSP priority specification, inclusion of the TestHamess, and the failures 
refinement assertion is provided in Figure 9.18.
R equirem ent 3 (v2) The final property is defined in a similar way to our previous 
version, Figure 9.8. A maximal trace must be provided. Thus, we must acknowledge the 
states where the major road has traffic, the state where only the minor road has traffic, 
and the point where the minor lights go green. The stable-report.true event must be used
9.4. A n  Alternative Model: Using the dd Approach 167
channel m ajor—p rio r ity  
P riS P E C  =  let
S T A R T  =  m ajor—p rio r ity  —¥ s ta b le -rep o rt.tru e  —>■ STA B ILISE  
STA B ILISE  =  stable—report, true  —> S T A R T  □ G l green.1 —> S T A R T  
with in  S T A R T
H am essedS ystem  =  P S Y S T E M  || T estH am ess
{\dd\}
R enam edA ndH iddenR 2  =
H a m essed S ystem ldd 1-----/ major-priorityl
\ { |  dd, Glgreen.O, G2green, s ta r t - t im e r  |} 
assert P riS P E C  Cp R enam edA ndH iddenR 2
Figure 9.18: Traffic lights dd requirement 2 (priority property)
Compilation (mins) Req.l (mins) Req.2 (mins) Req.3 (mins)
UnCompressed 1203 168 93 97
Table 9.2: dd compilation and requirement verification time
to acknowledge the number of stabilisations, and thus the maximal trace is identified 
by the occurrences of the stable-report.true event. Once more, the CSP specification, 
composition with our TestHamess process, and the failures refinement assertion is given 
in Figure 9.19.
R e su lts  It was found tha t a system containing three traffic light controllers could not 
be modelled in FDR using the machines at our disposal. In trying to generate the model, 
we encountered the proverbial state space explosion despite having 32GB of memory. As 
a result of this we rescaled the model to just two traffic light components. Our results 
are based on this reduced system.
By applying the refinement assertions, Figures 9.17, 9.18, and 9.19, in FDR, we can verify 
the reduced our case study using the dd approach. The time taken to verify each of these 
requirements is given in Table 9.2.
FDR compilation time of the two CSP based approaches SVA4VHDL and dd, was 40 sec­
onds and 1203 minutes respectively. We can see tha t the dd approach is not efficient in 
its compilation strategy, suffering early on from state space explosion. In not restricting 
the parameters of the dd channel, the compilation time of some of the CSP processes 
can be very high, generating large state spaces for the process due to the unrestricted 
parameters.
168 Chapter 9. Case Study: Traffic Lights
channel m inor—w aitin g , m ajor—override  
L iv eS P E C  =  let
S T A R T  =  m inor—waiting  —> C 0 U N T (8 )
□ stable—report.true  —> C 0 U N T (8 )
□ m ajor—override  —> S T A R T  
C O U N T (0) =  m in or—w aiting  —> C O U N T (0)
□ G 2green.1 —> S T A R T
□ m ajor—override  —> S T A R T
C O U N T {n ) — stab le-rep o rt.tru e  —> C O U N T (n  — 1)
□ G 2green.1 —> S T A R T
□ m in or—waiting C O U N T {n )
□ m ajor—override  —> S T A R T  
w ithin
S T A R T
Renam edAndH iddenRS =
H am essedSystem ^  ’ /  minor—waiting, major—override 1
\ { |  dd, G lgreen , G lg re e n .l, s ta r t- t im e r  |} 
assert L iveS P E C  Ç f  Renam edA ndH iddenR S
Figure 9.19: Traffic lights dd requirement 3 (liveness property)
Those CSP processes where only one parameter of the dd channel is assigned are those 
most greatly affected. Only once the CSP processes are composed does the state space 
of the dd approach reduce, due to the restriction of possible permutations of the dd 
channel parameters brought about by the synchronisation of dd events. It is clear from 
this tha t our SVA4VHDL compiler provides an optimised model for VHDL descriptions 
by comparison.
9.5 ED A  A nalysis
Recall from Chapter 2, we identified that the common approach to providing assurance 
on a VHDL description, known as a Unit Under Test (UUT), performing the expected 
behaviour, was through testing assertions using scenarios tha t defined the stimuli for the 
description. In this section stimuli are applied to the case study and PSL assertions are 
used to verify the properties previously identified in Section 9.1.1.
It is commonly accepted th a t determining the stimuli for a digital hardware system is 
often more time consuming than  the design and development of the VHDL system itself. 
W ithin the simulation tools tha t enable verification of hardware designs, e.g. Mentor 
Graphics Questa [45], not only are suitable stimuli required to drive the entire system, 
but the time at which stimuli must be applied must also be considered. The stimuli
9.5. EDA Analysis 169
required are often extensive since they must not only ’drive’ the design for the required 
property test, but often ’drive’ the design to the point at which the property can be 
considered applicable; for instance the main road lights are green, and the minor roads 
lights are red.
The required stimuli are often not apparent directly from the specification, and yet must 
be carefully constructed to ensure that the property under test is stimulated at the correct 
time, with the correct values. If the test stimuli and assertions are incorrect, the model 
cannot be validated with confidence.
As previously mentioned in Chapter 2, EDA tools provide a measure of coverage of the 
VHDL code written. In this case study, it is possible to uncover full path  coverage, as 
the system has a limited set of stimuli. However, this full coverage is achieved through a 
‘naive’ brute force approach; such a methodology is not applicable to larger systems.
9 .5 .1  C a s e  S tu d y  T e s t  B e n c h
We present a ‘naïve’ test bench for the UUT by using random stimuli for the four input 
ports of the hardware system, from Figure 9.4, triggerGl, triggerG2, trigger G A, and 
triggerGS. These inputs identify the arrival of cars at the major road, and at the first 
second and third minor roads respectively.
Since the design is small, the random stimuli are applied over a large time period for the 
internal behaviour. We do this as it provides a high probability of generating suitable 
combinations, at the relevant times, which will enable us to explore all the states of the 
system. The stimuli applied to the case study are shown in Figure 9.20, encapsulated in 
a VHDL testbench, similar to tha t shown in Figure 2.9, page 25.
9 .5 .2  P S L  A s s e r t io n s
The requirements, from Section 9.1.1, are defined using PSL in Figure 9.21; notice they 
are presented as boolean invariants. In order to evaluate the PSL assertions, with respect 
to the testbench in Figure 9.20, the clock and reactive edge (in this case the rising edge) 
must first be identified. The assertions given in Figure 9.21 are added to the testbench 
in Figure 9.20, directly within the a rc h i te c tu re  statement, outside of any processes, 
ensuring tha t the properties always hold.
170 Chapter 9. Case Study: Traffic Lights
e n t i t y  s i m u l a t i o n  i s  
end  e n t i t y  s i m u l a t i o n  ; 
a r c h i t e c t u r e  sim o f  s i m u l a t i o n  i s  
com ponent lo n g _ r o a d  
p o r t  ( c lo c k  , t r ig g e r G l  , t r ig g e r G 2  , 
t r ig g e r G 4  ,
tr iggerG G  : i n  s t d . l o g i c  ;
G lgreen  , G2green , G Sgreen ,  G4green
G S g r ee n , GGgreen : o u t  s t d _ l o g i c )
end  com ponent ;
s i g n a l  c lo c k  , t r ig g e r G l  , t r ig g e r G 2  , 
t r ig g e r G 4  , tr ig g erG G  : s t d - l o g i c  
:= ’O ’ ;
s i g n a l  G lgreen  , G2green , GSgreen , 
G 4 g r e e n , GSgreen , GGgreen : 
s t d . l o g i c  ; 
c o n s t a n t  c lk _ p e r  io d  : t im e  := 2 ns ; 
s i g n a l  e x i t S i g  : s t d - l o g i c  : =  ’0 
b e g in  
uut : lo n g _ r o a d  
p o r t  map( 
c lo c k  =>  c lo c k  , t r i g g e r G l  =>  
t r ig g e r G l  ,
t r ig g e r G 2  => tr ig g e r G 2  , t r ig g e r G 4  
=> tr ig g e r G 4  ,
t r iggerG G  —>  tr iggerG G  , G lg reen  =>  
G lgreen  ,
G2green =>  G2green , GSgreen =>  
GSgreen ,
G4green =>  G4green , GSgreen =>  
GSgreen ,
GGgreen =>  GGgreen) ; 
c l k - p r o c e s s  : p r o c e s s  
v a r i a b l e  i : i n t e g e r  r a n g e  0 t o
8000;  
b e g in  
i :=  8000;  
w h i l e  ( i  >  1) l o o p  
c lo c k  < =  ’O ’ ; 
w a i t  f o r  c l k _ p e r i o d / 2 ;
c lo c k  < =  ’ 1 ’ ; 
w a i t  f o r  c l k . p e r i o d / 2 ;  
i :=  i — 1; 
end  l o o p  ; 
e x i t S i g  < =  ’ 1 ’ ; 
e n d  p r o c e s s  ; 
s t i m . p r o c  : p r o c e s s  
v a r i a b l e  r a n d l  , r a n d 2 : r e a l  ; 
v a r i a b l e  s e e d l  , se e d 2  : p o s i t i v e  ; 
b e g in
w h i l e  e x i t S i g  / =  ’ 1 ’ lo o p
un iform  ( s e e d l  , seed2  , r a n d l ) ;  
uniform  ( s e e d l  , seed2  , r a n d 2 ) ; 
i f  r a n d l  >  0 .7  t h e n  t r i g g e r G l  
< =  ’ 1 ’ ;
e l s e  t r i g g e r G l  < =  ’O ’ ; 
end  i f  ;
i f  rand2 >  0 .3  t h e n  tr ig g e r G 2  
< =  ’ 1 ’ ;
e l s e  t r ig g e r G 2  < =  ’O ’ ; 
end  i f  ;
i f  rand2 >  r a n d l  t h e n  t r ig g e r G 4  
< =  ’ 1 ’ ;
e l s e  t r ig g e r G 4  < =  ’O ’; 
end  i f  ;
i f  rand2 <  r a n d l  t h e n  tr iggerG G  
< =  ’ 1 ’ ;
e l s e  tr iggerG G  < =  ’O’ ; 
end  i f  ;
w a i t  f o r  8 ns ; 
end  lo o p  ; 
w a i t  ; 
end p r o c e s s  ; 
end  a r c h i t e c t u r e  sim ;
Figure 9.20: Testbench with stimuli
9.5. EDA Analysis 171
p s l  d e f a u l t  c lo c k  i s  r i s i n g _ e d g e  ( c lo c k  ) ;
—  S a f e t y  P r o p e r t y
p s l  assert a lw a y s  G lg r e e n =  ’1 ’ —>  not ( G2green = ’! ’);  
p s l  assert a lw a y s  G2green =  ’1 ’ —>  not ( G lg r e en  =  ’ 1 ’) ;
p s l  assert a lw a y s  G3green =  ’1 ’ —>  not ( G4green =  ’ 1 ’) ;
p s l  assert a lw a y s  G4green =  ’1 ’ —>  not ( GSgreen =  ’ 1 ’) ;
p s l  assert a lw a y s  GSgreen — ' l  ' —> not ( GSgreen =  ’1 ’) ;
p s l  assert a lw a y s  GBgreen— ' l  ' —>  not ( GSgreen =  ’ 1 ’) ;
—  P r i o r i t y  P r o p e r t y
p s l  assert a lw a y s  t r i g g e r G l  =  ’l ’ —>  next [8] ( G lg reen  =  ’1 ’) ; 
p s l  assert a lw a y s  t r i g g e r G l  =  ’l ’ —> next [8] (G 3green  =  ’1 ’) ;
p s l  assert a lw a y s  t r i g g e r G l  =  ’l ’ —> next [8] (G 5green  =  ’1 ’) ;
—  L iv e n e s s  P r o p e r t y
p s l  assert a lw a y s  t r i g g e r G l  =  ’0 ’ & t r ig g e r G 2  = ’1 ’ —>  next [8] (G 2green  =  ’1 ’) ;
p s l  assert a lw a y s  t r ig g e r  G 1 = ’0 ’ & t r ig g e r G 4  = ’1 ’ —>  next [16] (G 4green =  ’1 ’) ;
p s l  assert a lw a y s  t r ig g e r  G 1 = ’0 ’ &: t r ig g e r  G6 = ’1 ’ —>  next [24] (G 6green =  ’1 ’) ;
Figure 9.21: PSL assertions
R equirem ent 1 (Safety  P roperty) Since the property requires th a t both major and 
minor roads may not progress at the same time, major and minor lights both  being green 
(‘1 ’), an assertion is defined to ensure tha t if one set of lights is green, then the other set 
cannot also be green. However, a single PSL Boolean assertion is not enough to define 
this safety property. The PSL defines Boolean invariants, thus the assertion must be 
given for each light, ensuring the consequence is met for each antecedent, ( /  5).
The safety property for all three lights requires six assertions. By contrast, in the CSP 
specification, Figure 9.6, only requires a single refinement per set of traffic lights.
R equirem ent 2 (Priority P roperty) The priority assertion can be easily defined 
using PSL, employing the next[x] argument, where x specifies the number of clock cycles 
until the property must hold. Since it may take time for the property to be exhibited, 
and we are not concerned tha t this property need hold immediately, we specify x to be 
8  for each cross-road component, allowing for propagation through the components.
Since the behaviour is the same for each set of lights, it follows tha t there is only a need to 
verify the assertion against the major road stimuli, triggerGl, and the third set of major 
road lights, G5green. However, for completeness, we define an assertion for each of the 
crossings, all using the same major road indicator for the presence of a car, triggerGl.
Notice tha t our CSP specification for the same priority property, Section 9.2, identified a 
single specification that provided an allowed ‘notional period of tim e’ until the property 
must hold within the specification behaviour. This specification was applied, with the
172 Chapter 9. Case Study: Traffic Lights
use of CSP renaming, to verify the property between triggerGl and the final set of lights, 
Gh green.
R e q u ire m en t 3 (L iveness P ro p e r ty )  The final property utilises the PSL next[x] 
argument since the requirement specifies tha t eventually the property must hold. Since 
all three cross_road components use the triggerGl (even indirectly), as the identifier for 
traffic waiting on the major road, to allow flow over any of the three minor roads, the 
triggerGl must be used in the PSL assertions. As a consequence, the value for the PSL 
n e x t [x] argument will differ, increasing for both the second and third crossings. From the 
VHDL implementation, a maximum of eight clock cycles are required before the state of 
the lights at a crossing may change, thus this value must be increased for each assertion 
to allow for the propogation of the triggerGl signal.
The CSP specification, Figure 9.8, identifies a stabilisation cycle limit before the property 
must hold. Once more, the property is treated as emergent in the CSP and thus ensured 
between the major road and the third minor road. This is clearly a viable assumption to 
make, since if the property holds for the third minor road, it must also hold for the first 
and second minor roads, since the major road traffic passes their junctions first. Thus, 
the third assertion given for the liveness property in Figure 9.21 is all th a t is required to 
provide assurance of this property over the entire system.
9 .5 .3  E D A  A n a ly s is
W ithin our chosen EDA tool, Questa Advanced Simulator [45], visualisations and cover­
age metrics can be produced in addition to the standard waveform output, Figure 9.22. 
(Note th a t within the given waveform, the safety property is shown as violated, this 
is expected as an error was introduced to the hardware design to illustrate the visual 
indication of violated assertions against a waveform).
The first output of interest from Questa is the exploration of the FSM, Figure 9.23, 
for the first instance of the cross_road component. The state machine mirrors th a t of 
Figure 9.1; our initial design. On this state machine, values are given to both states and 
transitions, identifying how many times they have been traversed for the stimuli provided 
during the allotted time frame.
For instance the far left transition given in Figure 9.23 identifies the transition between 
both major and minor lights being red, to the major lights being green, and the minor
9.5. EDA Analysis 173
Figure 9.22: Waveform to  700ns
174 Chapter 9. Case Study: Traffic Lights
mRMG
Figure 9.23: State coverage metrics
lights being red (for the first instance of cross_road component). Furthermore, it identifies 
that this transition has been taken 288 times during the simulation time.
This information cannot be so easily drawn from the SVA4VHDL specification since we 
model the system as transitions through individual signal assignments. Likewise, the dd 
approach provides snapshots at dd intervals, not stable intervals, and thus retrieving this 
information is not as apparent.
W hilst Figure 9.23 shows tha t all states within the component were visited, further infor­
mation with regards to the testbench can be obtained using Questa Advanced Simulator 
coverage metrics. Figure 9.24 identifies the transition coverage for the component - 100% 
state and transition coverage.
Figure 9.25 gives the Questa Instance Coverage results for the case study, providing a 
summary of the coverage metrics, individually identifying both statement and branch 
coverage for each component within the UUT. Clearly from Figure 9.25, 100% coverage 
for both statement and branch has been found for each component. For most VHDL 
designs obtaining these coverage metrics, and thus a high level of assurance is not so 
easily accessible.
9.6 D iscussion
Clearly from the coverage metrics identified in Section 9.5, our naive scenario is effective 
in providing full coverage for statement, condition (branch), and path (transition); recall
9.6. Discussion 175
F i n i t e  S t a te  M achine: present_state 
I n s ta n c e  : sim:/simulation/uut
S t a te  C overage:
mRMR: 495425 
mGMR: 2888 
mRMG: 2187
T r a n s it io n  C overage:
mRMR ->  mRMG: 243 
mRMR ->  mGMR: 377 
mGMR -> mRMR: 378 
mRMG -> mRMR: 243
S t a te  c o v era g e  : 100.00% (3 /3 )  
T r a n s it io n  co v e ra g e : 100.00% (4 /4 )
A
Figure 9.24: Transition coverage metrics
jPesign unit type j Total coverage j Stmt count ) Stmts hit j Stmts missed jstmt % jstmtg-aph i count i Branches hit [Branches missed ) Branch % j Branch graph
s_road(asm) Architecture
Figure 9.25: Branch and to ta l coverage metrics
Section 3.1, page 36. However, as previously stated , the behaviour and stim ulus variation 
for this case study  is small by hardw are design standards. In  the next case study  we 
present a larger hardware system  where random  stimuli would not be sufficient to  provide 
the same level of coverage assurance.
The style of CSP refinement in the dd approach is far more ‘in -tune’ w ith the PSL as­
sertions, identifying snapshot states as opposed to SVA4VHDL’s finer grained individual 
signal assignment style. Since the processes in VHDL are interleaved, the ordering of 
these signal assignments is not determ inistic between stable and step events. Thus, a 
drawback of the  SVA4VHDL approach is the need to define all possible perm utations of 
the stimuli involved, w ith the system  property  undergoing model checking, to define the 
same specification as a PSL assertion.
Notice th a t the inclusion of the stabilisation model at the heart of SVA4VHDL model 
enables us to distinguish clearly between stable and unstable states, instead of introducing 
additional CSP processes to add this functionality, as was necessary in the dd approach.
It is evident from this case study th a t the SVA4VHDL compiler we have developed
176 Chapter 9. Case Study: Traffic Lights
provides a more scalable approach to model checking VHDL using CSP than our initial 
starting point for this research, Evans’ dd methodology. Indeed, the case study could 
not be verified using the dd approach since it could not be generated in FDR, and thus 
had to be scaled down to two traffic light systems prior to analysis.
During this case study a subtle design error was discovered within the SVA4VHDL com­
piler. For a signal, our original premise was to simply enable the occurrence of xch and 
outp events during a stable state. Whilst our initial definition of the stabilisation model 
was valid for a single component, it did not scale to provide the behaviour necessary to 
correctly represent multiple VHDL components.
In order to ensure altered values propagated through different contained components, the 
stabilisation model was altered such that, should an output port (outp) value change, 
it is reported at least once, thus making certain tha t connected components reacted to 
changes as required.
An additional benefit of this alteration was the reduction in the size of the model gen­
erated (smaller state space), since the model no longer contained behaviour relating to 
non-reactive components, despite new stimuli. This alteration to the stabilisation model 
is reflected in both the single and component stabilisation models, given in this thesis as 
Figures 5.1 and 6 .6 , pages 64 and 101 respectively; and depicted by the smaller states 
and their associated transitions.
Chapter 10
Case Study: Built-In Self Test
W ithin this chapter we discuss our second case study, a Built-In Self Test (BIST) for 
a VIRTEX5 Field Programmable Gate Array (FPGA), kindly provided by the PhD 
sponsors, AWE pic. The case study describes a hardware test for the internal logic of 
an FPGA and its Inpu t/O u tpu t (I/O ). The BIST is significantly larger, with a more 
complex hierarchy, than  our previous case study. We use it to not only evaluate the 
scalability of our approach, but also to demonstrate how a fault injection technique can 
be used to model the fault tolerance of a VHDL system through formal analysis. In 
this chapter we will use a simulation based fault injection [42] technique where faults are 
introduced into the formal model of the VHDL system.
We explain the BIST, its requirements and identify the implemented VHDL in Sec­
tion 10.1, (the full VHDL definition for the BIST case study is provided in Appendix 
C). Section 10.2 describes testing the BIST system using the Questa [45] to  perform 
hardware simulation. This section describes one of the standard industrial approaches 
for testing a hardware design, including the use of simulation based fault injection. Sec­
tion 10.3 presents the CSP models for the BIST case study. It comprises three parts: 
the SVA4VHDL translation of the BIST system, CSP specifications of the BIST require­
ments, and a SVA4VHDL representation of the fault injection from the previous section. 
The section also contains the verification results of the formal analyses of these models. 
Appendix D details the complete SVA4VHDL model refered to in Section 10.3. The 
chapter concludes with a summary.
177
178 Chapter 10. Case Study: Built-In Self Test
LFSR
Figure 10.1: Built In Self Test hierarchical design structure
10.1 Overview
The Built-In Self Test (BIST), as the name suggests, is a program that tests the internal 
logic and the I/O  of an FPGA prior to its primary use. The program is loaded onto 
a Xilinx Virtex-5 FPGA [102], and executes, passing information first over the internal 
logic of the FPGA (implemented as Random Access Memory (RAM)); and then cycling 
odd and even bits through the hardware I/O , ensuring correct receipt of values. Upon 
detecting errors in either RAM or I/O , the failed hardware is reported and the testing of 
that aspect (of either RAM or I/O ) terminates. A Virtex-5 is in effect programmed as a 
large RAM block, enabling as much testing of the internal logic of the FPGA as possible, 
as well as its I/O .
Figure 10.1 shows the hierarchical structure of the BIST. W ithin the BIST there are three 
key components, BIST—FSM, BIST—RAM and BIST-I0. The BIST—FSM defines the triggering 
of two tests, one for I/O  and one for RAM; it also processes the results from these tests 
and outputs the results. The BIST-I0 evaluates the pins of the FPGA by cycling values 
over them. The BIST—RAM composes two components: the FSM—LFSR which is responsible 
for evaluating the RAM, and the TL-LFSR th a t composes multiple LFSR blocks together. 
These LFSR blocks are used to populate the remaining space of the Virtex-5 FPGA, 
and are ‘chained’ together to pass a single message throughout the FPGA to ensure the 
healthiness of the FPGA.
The original system comprised 1080 RAM components, and an I/O  width of 64. Clearly 
this is a large system and will not model check due to its size.
Thus, in this chapter we explore reducing the system to a smaller number of RAM 
components, and an I/O  of reduced length. This reduction does not affect the behaviour
10.1. Overview 179
Idle
C o rrec t)
Figure 10.2: BIST internal logic test behaviour
of the system. The reduction in I/O  means the number of pins evaluated is reduced, 
but the method of evaluation remains the same. Similarly, reducing the number of RAM 
elements also does not affect the behaviour of the system; the same message is passed 
but through fewer components. Section 10.3 discusses the systematic scaling of our BIST 
system to allow model checking.
As discussed above, the FSM_LFSR tests the behaviour for the internal logic of the FPGA 
and is represented by the FSM in Figure 10.2. The names for the states in this figure are 
drawn from the VHDL provided by AWE pic. Information is passed sequentially through 
every Linear Feedback Shift Register (LFSR) block, denoted by the cyclic transition 
CH ECKNEXT  over the state SendData. After every block has passed the test sequence, 
it is compared against a checksum, and from this the FPG A ’s internal logic is determined 
to be sound or faulty.
The test behaviour, captured within the BIST_I0 component is more complex. The I/O  
is split into bi-directional tristate  pairs. Several traversals of these bidirectional pairs 
are executed by the test behaviour. The I/O  is tested by comparing a pre-set message 
passed to the even port of each bi-directional tristate  to tha t received by the odd port of 
the same pair; the same is then done from odd port to even port.
Figure 10.3 gives the FSM of the test behaviour, identifying the different test patterns. 
These patterns are cycled through such tha t the FSM performs three even tests sequen­
tially, EventTestOa, EvenTestl, and EventTestOb] and then three odd tests sequentially, 
OddTestOa, OddTestl, and OddTestOb, to each bi-directional I /O  tristate  pair. We use 
the term  odd and even to indicate the direction in which the I/O  pair is tested, e.g., 
even-to-odd and odd-to-even.
Should a pair of I/O  ports not return the correct message, not only does that particular 
test fail, transitioning to SendFailEven or SendFailOdd state in Figure 10.3, bu t the 
identity of the I/O  pair is reported back along with an error flag. The error codes are 
used such tha t first the specific I/O  pair error code is issued, followed by the general I/O
180 Chapter 10. Case Study: Built-In Self Test
failed
failed
R E SE T
R E SE T
R E SE T
RES1
finished
Idle
R E SE T
RE SE T
failed^
Figure 10.3: BIST Input Output test behaviour 
error code OxFE, from Table 10.1.
In order to report back on the FPG A ’s healthiness, an output signal is specified in the 
design, B IST -R E G . From this, information about the FPGA can be determined through 
the use of reporting codes, as we have already mentioned, these codes are given in Table 
10 . 1 .
As previously identified, both these BIST tests are contained within a top level com­
ponent, as indicated in Figure 10.1, and controlled using the BIST_FSM. This FSM is 
used to trigger the two tests, using the S T A R T ^R A M  and STA R T-.10 signals defined 
in the T L -B IS T  component, and provides feedback about the test over the output port, 
B IST -R E G .
10.1. Overview 181
BIST_REG Description
0 x0 0
0x01 to 0x7D (1 to 125)
OxFC
OxFD
OxFE
OxFF
Initial value
1 0  pair which has failed 
RAM test has passed 
RAM test has failed 
1 0  test has failed 
1 0  test has passed
Table 10.1: BIST report codes
1 0 .1 .1  S y s te m  R e q u ir e m e n ts
Defining requirements for a test unit may seem aberrant, however the purpose of the 
BIST is to ensure the healthiness of the FPGA and thus it is imperative tha t the test 
perform as expected. As described, the BIST performs a healthiness check on both the 
internal logic of the FPGA and its I/O . Thus we identify two properties tha t the BIST 
must exhibit:
R e q u ire m e n t 1 The RAM test must correctly identify if the internal logic of the FPGA 
is faulty.
R e q u ire m e n t 2  The I/O  test must correctly identify faulty I/O  bi-directional tristate  
pairs.
Clearly there is a possibility th a t the small area of the FPGA on which the BIST be­
haviour is loaded is faulty, at which point the BIST cannot be guaranteed to operate 
as designed and thus ‘all bets are o ff’. This is a circumstance which we are not able to 
control from a formal model checking perspective and thus do not take into consideration.
1 0 .1 .2  V H D L  R e p r e se n ta t io n
The implementation of the BIST, provided by AWE pic., is given in Appendix C due to its 
significant size. The hierarchical implementation, as described in Figure 10.1, comprises 
multiple components; these are summarised in Table 10.2.
Note that we list a signal vector as a single signal here, within our translation to 
SVA4VHDL these vectors will be split into individual signals.
182 Chapter 10. Case Study: Built-In Self Test
Component Components Processes Signals
TLJ3IST 4 1 19
BIST_FSM 0 6 15
BIST_JO 0 7 2 2
BIST_RAM 1 0 9
LFSR_FSM 0 8 16
TLJLFSR 3 0 5
LFSR 0 2 5
Table 10.2: VHDL process, instantiated components, and signal distribution
10.2 Testing the D esign  U sing Q uest a A dvanced  
Sim ulât on
Verification of the BIST requires a different approach to be taken than in the previous 
case study. It is trivially possible to evaluate th a t a healthy BIST returns the expected 
result. However, to ensure tha t the BIST returns valid responses for test failures (faulty 
hardware), two different fault injection approaches [42] are taken to enable verification 
of the other possible paths within this VHDL system.
10 .2 .1  V er ifica tio n  M e th o d o lo g y
The verification of the BIST requires fault injection through both component substitution 
and signal manipulation during simulation.
1. In order to verify the B IS T -R A M  component, an intentionally faulty component 
must be substituted in place of a good component within the VHDL design. Such 
a component must be defined so that it injects a failure in an expected way. The 
behaviour of the rest of the system can then be verified in the context of this fault.
2. The B IST —10  evaluates tri-state signals that represent hardware I/O . The use of 
tri-state signals allow for values to be injected onto these signals, representing a 
faulty ‘read’ from a valid ‘write’ on a particular tri-state. This fault injection over 
a tri-state signal can be made introduced through suitable testbench stimuli.
Both these verification approaches require suitable testbench stimuli. W hilst it is clear 
th a t by substituting in a faulty component, a testbench will not be able to verify both
10.2. Testing the Design Using Questa Advanced Simulaton 183
‘healthy’ and ‘faulty’ tests in a single simulation, the same testbench stimuli can be used 
each time.
To evaluate the output of the BIST within a testbench, PSL assertions are incorporated 
into the testbench to determine if the correct output is being produced during simulation. 
These PSL assertions are written to evaluate the expected outputs.
Below we detail the approach taken to construct suitable PSL assertions for each of the 
fault injection tests identified above.
V erifica tion  fo r th e  B IS T —R A M
The first assertion we define ensures the internal logic is healthy, Requirement 1. Since 
we wish to validate tha t following a RAM test the B IS T -R E G  reports its passing or 
failure, we define the following PSL assertion:
p s l  d e f a u l t  c lo c k  =  r i s i n g _ e d g e  (CLK) ;
p s l  a s s e r t  STARTJtAM- >  n e x t  [10] BISTJR£G=” 1 1 1 1 1 1 0 0 ” ;
(Notice tha t once more a clock signal must be identified for the PSL assertions.) The 
PSL assert statement states the binary equivalent value of passing the RAM test from 
Table 10.1.
As detailed above, the behaviour of at least one LFSR block must be changed to produce 
detectable faulty behaviour (simulating a bad area on an FPGA). Thus, we define a 
second LFSR component tha t performs a X N O R  operation instead of the previously 
specified X O R  (see Appendix C.8 ). In altering the component we break the assertion 
and thus expect to see an assertion violation within a simulation, and a transition into 
the Wrong state, identified in Figure 10.2. The RAM error code, 0 x FD from Table 10.1 
should also be passed over the B IS T —REG  port.
V erifica tion  for th e  B IS T _ IO
The second assertion, Requirement 2, must ensure th a t the I/O  test returns a suitable 
error code. Once more, it is clear tha t generating the I/O  passed code, 0 x FF  is to be 
expected from the BIST system. However simulating an error to obtaining a fault error 
code, and identifying the I/O  pair is non-trivial.
To generate such an error, we must first identify the time within a scenario when the 
I/O  will be under test, and at that point replace the I /O  pair input value (in the correct
184 Chapter 10. Case Study: Built-In Self Test
direction) with a different value to be read back. Determining which test is being per­
formed for the bi-directional tristate  I/O  pair, EvenTestOb, OddTestl, etc., is not clear 
since the FSM test behaviour given in Figure 10.3 is applied to all I/O  pairs, first as even 
tests and then as odd.
The easiest assertion to confirm for the I/O  test is the healthiness of the FPG A ’s I/O , 
the following assertion can be used to perform such a check:
p s l  a s s e r t  S T A R T J O = ‘l ’ - >  n e x t  [10] BIST_REG=” 1 1 1 1 1 1 1 0 ” ;
To violate this assertion, a scenario must be defined tha t will alter the I/O  at the required 
time, with the ‘correct’ value to invalidate the test, and thus ensure the assertion reports 
an error code for tha t I/O  pair; this value can also then be compared against those 
given in Table 10.1. The above PSL assertion can be used to identify these codes, since 
the assertion will be violated and the error code given in its place will be either the 
general I/O  error code, 0 x FF  or the I/O  pair specific error code. The first violation 
will naturally be the I/O  pair specific error code.
Clearly identifying how to validate the BIST is not straightforward using a traditional 
EDA approach. W hilst defining the assertions appears straightforward to ensure correct 
behaviour, determining the scenario to break these assertions is not. It is simply not 
enough to provide random stimuli and ‘hope’. In this case we understand the VHDL 
well enough to know roughly when to introduce falsifications (altered behavioural code). 
However, in other systems this may not be the case, especially if the tester has not 
designed and implemented the system herself.
C reating a Suitable Scenario
Since the design of the BIST is well encapsulated, the only stimuli to test expected be­
haviour must trigger the two tests, S T A R T ^R A M  and STAR T_IO  (from the TL_BIST  
component), and provide a cyclic signal, clock, to drive the UUT (BIST). These stimuli 
are identified as:
10.2. Testing the Design Using Questa Advanced Simulaton 185
RST < =  ’O ’ ; w a i t  f o r  100 ns ;
RST < =  ’ 1 ’ ; w a i t  f o r  100 ns ;
STARTJRAM < = ’! ’; w a i t  f o r  100 ns ;
STARTJRAM < =  ’O’ ; w a i t  f o r  400 ns ;
RST < =  ’ 1 ’ ; w a i t  f o r  100 ns ;
RST < =  ’O ’ ; w a i t  f o r  100 ns ;
STARTJO < =  ’ 1 ’ ; w a i t  f o r  100 ns ;
STARTJO < =  ’O’ ; w a i t  f o r  10 ns ;
This provides an initial reset to the system, ensuring the system has correctly stabilised. 
S T A R T -R A M  is set to high to trigger the RAM check, and this is followed by another 
reset before then setting S T A R T E D  to high to trigger the I/O  check. As we have 
already identified, the scenario must change the I/O  value at the correct point in order 
to evaluate the second requirement. In order to violate the second assertion we also 
provide the following stimulus:
1 0 ( 6 3 ) < =  ’1 ’;
The above stimulus identifies the 64th signal of the I/O , the first evaluated. Note tha t we 
have not determined the period to wait before applying this stimulus. Determining this 
time period can be performed in one of two ways: the first, run the scenario and examine 
the waveform produced to determine when the values for the I/O  pair in question are 
changing; the other, fully understand the implemented VHDL, and from this determine 
how many clock cycles occur prior to the validation of the I /O  pair in question. Note 
th a t with both of these methods, there may be a need to further ‘fine tune’ the wait 
period to ensure the UUT performs the expected result.
1 0 .2 .2  C overage
Performing the scenario for a total of 1200ns in Questa Advanced Simulator generates 
different metrics about the scenario. State machines can be generated depicting the 
transitions between the states, and the number of times the transitions were taken, 
and the states entered. Figure 10.4 identifies the transitions and states entered for the 
B IS T -R A M  component.
From Figure 10.4 we can see tha t the test is initialised and then proceeds to perform the 
test, indicated by the transition from IDLE  to SEN D -D ATA  (recall Figure 10.2). The 
LFSR definitions are then verified sequentially, indicated by the looped transition (recall
186 Chapter 10. Case Study: Built-In Self Test
1075
Figure 10.4: RAM sta te  coverage visualisation
I s m T g h jB g n * j* a n c h » :H  j ^ g t^ L - t e s g i j E a O
Figure 10.5: B ranch coverage m etrics for the B IST—FSM, BISTM O, and FSM JLFSR  
components
C H E C K N E X T ).  After checking the expected behaviour of each LFSR the Wrong sta te  
is entered since the scenario has been applied over our ‘broken’ BIST design.
Notice however th a t for this FSM, we cannot enter all the states since the only way to 
exhibit faulty behaviour for this FPG A  is to  alter the LFSR component, as previously 
identified. Clearly, from this it is impossible to  get full s ta te  space coverage reported. 
In  this case, the scenario can only provide 89.3% statem ent coverage, and 92.6% branch 
coverage, Figure 10.5. Note th a t we use the instance coverage functionality of Q uesta 
Advanced Sim ulator in this case to ensure th a t behaviour in all LFSR com ponents is 
explored.
Providing assurance th a t the combined coverage for bo th  ‘broken’ and ‘unbroken’ UUTs 
is non-trivial. Thus we m ust assume, through reasoning about the system, th a t this 
scenario, for bo th  healthy and faulty BIST im plem entations, together provide enough
10.2. Testing the Design Using Questa Advanced Simulaton 187
Figure 10.6: 10 state coverage visualisation 
assurance to be confident about the BIST’s correct behaviour.
A state machine, illustrating the explored states for our second FSM (the 1 /O test from 
Figure 10.3) can also be generated by Questa Advanced Simulator, given in Figure 10.6. 
Note tha t the state machine depicted identifies a failed assertion early on in the scenario 
simulation.
The generated state machine identifies the same states and transitions from our design 
FSM in Figure 10.3. We note tha t the state machine does not identify a great deal of 
state coverage, indeed the state machine has only entered four states, as indicated by the 
bold black transition lines in Figure 10.3. The I/O  test has only managed to test the 
behaviour of the first I/O  pair to the second even test, EvenTestl.
A wait period of 2 ns was applied in the scenario, and this has, along with the fault injec­
tion, caused the FSM to enter into the SendFailEven state (Figure 10.3) early on during 
the I/O  test; this does not allow enough of the system state to be covered. Determining 
which I/O  pair and the delay between starting the test (setting IO -T E S T  to ‘1’) and 
injecting a new value over a I/O  signal is clearly onerous.
In this case, it is clear that the state coverage provided by our scenario will be low. 
Indeed, Figure 10.7 identifies the statement coverage to only be 45.2% with a branch 
coverage of 40% (Figure 10.5). To improve the coverage metric, the scenario must be 
expanded to reset the system and then apply the same stimuli from before to different 
I/O  pairs, such tha t we can cause the I /O  test to fail during each of the six different I/O  
test phases, ideally for every I/O  pair. Identifying the timing for such stimuli is difficult,
188 Chapter 10. Case Study: Built-In Self Test
i l 8 * 6 * 0  - * i f e s s a i  - * t | |  »  - * e | |  < î - « 8 - C ‘e :_ y j  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
j Design mut loesumnt tv c  l«atfcy" ico.g Odloni iTMalcovtfW__________________lamtccmt janmHl |5tmBn«ied Isa itu  jswtyiyli |»anchc«« [Branchiate |l?and>_]
-j-jg uut uut(behavior) Architecture
B  uut d_bist(d) ArcKecture
± M  en_dock_di... dock_dvide... ArcNtecture
* 3f en_bsfc_fsm b$t_fsm(be... Architecture
~ M en bst jam  BIST_RAM(TL) Architecture
i.i ■  en_F5M... fsmjfsr(f$m) Architecture
: h  ■  en_TL_L...Tl_LF5R(TL) Architecture 
Sne_61 tl_bist(ti) Process
j- -t# CLKjxocess uut(behavior) Process 
stim_proc ujt(behavior) Process
H  standard standard Package
H  texbo text» Package
H  stdjogicj 164 std_logic_l... Package
g  math_real math_reai Package
g  numerc_std numeric_std Package
----------------------------J______________________________________
Figure 10.7: S tatem ent coverage m etrics
and providing stimuli random ly may not provide b e tte r results unless an extremely large 
sim ulation time is specified.
Note th a t Figures 10.5 and 10.7 identify a th ird  com ponent w ith a poor coverage metric, 
T L -B IS T .  Since this component merely defines how the two behavioural tests should be 
triggered, and the analysis of their results, we do not concern ourselves w ith its FSM. The 
system  requirem ents identified relate only to the  evaluation of an F P G A ’s healthiness 
prior to use, thus this additional coverage inform ation is not pertinent to  our assessment 
of the BIST design.
10.3 A SV A 4V H D L M odel
This section identifies the  approach taken to  autom atically generating an SVA4VHDL 
m odel for the BIST example, and its subsequent verification in FDR.
In Section 7.6, we noted two restrictions on the parser th a t is used to translate  VHDL 
descriptions into the SVA4VDHL input language. All the examples until the BIST could 
be autom atically translated , however two restrictions emerged as a result of a constraint 
w ithin the SVA4VHDL compiler, i.e., no support for param etrisation.
The first restriction perta ined  to the dynamic assignment of signal values, using an 
iterative loop. T he original VHDL description of the BISTM O utilised a param etrised 
value to evaluate the value of each I /O  pair, e.g., s i g ( i )  <= x. C apturing this is not 
possible using the SVA4VHDL compiler. The fundam ental reason for this is due to the 
fact th a t the compiler is w ritten  in term s of sequential composition and therefore does 
not support the passing of inform ation over such an operator.
10.3. A  SVA4VHDL Model 189
# 1 / 0 Memory Required 
(GB)
Compilation Time 
(secs)
2 13 364
4 14 371
8 18 534
16 25 682
Table 10.3: Required memory and compilation time for the BIST with the increase of 
I/O
The second restriction was also associated with dynamic assignment. However, this 
time it was at the component instantiation level. VHDL generate syntax (described 
in Section 2.1.2 on page 15) was originally used within the hierarchical structure of the 
BIST to compose multiple LFSR components. This technique could not be translated, 
again because of the use of dynamic parametrisation.
These restrictions meant tha t the VHDL had to be rewritten to explicitly identify both 
assignment to the I /O  tri-states and the instantiation of LFSR components. This resulted 
in a ‘flattening’ of the BIST_I0 and TL-LFSR VHDL descriptions respectively.
Thus, automatically generating various VHDL descriptions for a different number of 
components is not currently possible. In order to achieve this we have had to replicate the 
definitions of the number of components explicitly in the VHDL and then the SVA4VHDL 
succeeds in generating an appropriate SVA4VHDL input script.
Hence, in order to make our tests practicable scaling was employed, with regards to: 
the number of I/O signals identified within the BIST_I0 component, and the number 
of LFSR components introduced tha t ‘fill’ the Spartan Virtex-5. For testing, an explict 
combination of I/O and LFSR components was necessary.
We decided to fix the I/O  width to eight bits; this provided a reasonable number of bits 
to evaluate the I/O  test within the BIST, which cycled values over the I/O  bits as pairs. 
Our full model checking was carried out on a 1.87Ghz Intel Xeon Dell Server machine 
with 32GB of DDR2 RAM. We conducted tests tha t demonstrated the memory required 
to model check varying I/O  widths with one LFSR component. The results of the tests in 
Table 10.3 demonstrate tha t a choice of an eight bit width I/O  allows the flexibility to 
vary the number of LFSR components tha t can be considered within the scope of possible 
model checking. Moreover, using eight bits rather than  four for the width of the I /O  
enables validation of more of the possible values output over the BIST—REG.
190 Chapter 10. Case Study: Built-In Self Test
#  LFSR Memory Required 
(GB)
Compilation Time 
(secs)
1 18 537
2 25 729
3 30 837
4 44 1411
5 71 2014
6 93 2798
Table 10.4: Required memory and compilation time for the BIST with the increase of 
LFSR blocks
W ith the I/O  width fixed at eight bits, the number of LFSR components was varied to 
identify the limitations of the SVA4VHDL compiler. LFSR components were incrementally 
added from 1 to 6  to see how large the state space of the model grew. The state of the 
system was determined by monitoring the size of the FDR process state2l that contains 
the FDR representation of the SVA4VHDL model. Table 10.4 illustrates the growth 
of the SVA4VHDL BIST model size against the number of LFSR components included 
within the BIST model. The machine used to carry out these tests was provided by the 
sponsor and contained 128GB of RAM. (Note this machine was only available for a day 
during the end of the research period). We can see from the results that the memory 
required grows exponentially with respect to the number of LFSR components.
Recall from Table 10.2 tha t the VHDL description for a model with three LFSR compo­
nents and a I/O  width of eight bits, was defined in terms of 26 processes and 91 signals 
(which does not consider signal vector widths). This equated to 889 lines of VHDL code 
compared to 1466 lines of automatically generated SVA4VHDL from the Java translator. 
The SVA4VHDL model is summarised in Table 10.5, comprising a total of 29 processes 
and 195 signals (this significant change was due to the representation style of signal 
vectors as individual signals as discussed in Section 7.6).
1 0 .3 .1  C S P  R e q u i r e m e n ts
As identified in Section 10.2, behaviour of the BIST cannot be evaluated without injecting 
faults into the digital design to emulate faulty hardware. This fault injection can be
1 F D R  i s  l i m i t e d  b y  t h e  s i z e  o f  t h e  m o d e l  b e i n g  a n a l y s e d ;  t h e  w h o l e  m o d e l  m u s t  r e s i d e  w i t h i n  M a c h i n e  
m e m o r y .  H a r d  d i s k  s p a c e  m a y  t h e n  b e  u s e d  a s  a  b u f f e r  d u r i n g  m o d e l  a n a l y s i s .
10.3. A  SVA4VHDL Model 191
Component VStruct Type Processes Signals
TLJBIST VPMap 2 48
BIST—FSM VRTL 6 39
BISTJIO VRTL 7 44
BIST-RAM VPMap 1 7
FSM JLFSR VRTL 8 27
TLJLFSR VPMap 1 6
LFSR1 VRTL 2 8
LFSR2 VRTL 2 8
LFSR3 VRTL 2 8
Table 10.5: SVA4VHDL process and signal distribution 
introduced for SVA4VHDL and verified in FDR.
R e q u ire m e n t 1  as a  C S P  S pec ifica tion
The first requirement, relating to testing the internal logic of the Virtex-5 on which the 
BIST is loaded, must be approached in the same way as in Section 10.2, using falsification. 
We therefore redefine one of the LFSR SVA4VHDL components, given in Figure 10.8, to 
perform an X N O R  is place of the original X O R  between two signals. This alteration to 
the SVA4VHDL definition in Figure 10.8 is the equivalent of altering the original LFSR 
component (Appendix C) VHDL assignment:
GEN_reg < =  GEN_reg (7 dow nto  0) &: (G EN_reg(8) x o r  GEN_reg(3) ) ;
to read:
GEN_reg < =  GEN_reg (7 dow nto  0) & (GEN_reg(8) x n o r  GEN_reg(3) ) ;
By swapping out this SVA4VHDL definition for an LFSR component, a specification can 
be defined tha t will evaluate both healthy and faulty systems. The RAMSpec, defined 
in Figure 10.9, determines whether a particular sequence of events occur. These events 
relate to a possible output of the B IS T -R E G  signal. To verify the RAM test, the 
RAMSpec is defined using either the pass or fail sets, and uses the ram-pass or ram-fail 
event respectively. These events can then be associated with the signal events within the 
SVA4VHDL model. The sets pass and fail are the binary representation of the RAM 
Passed and RAM Failed codes in Table 10.1. Notice tha t we simply want to prove that 
the error code is within the trace, not the amount of time it takes for the code to be 
generated.
192 Chapter 10. Case Study: Built-In Self Test
L F SR 4 S en sL ists  =  < ( 6 , { I V . 26 , I V . 2 0 6 } )  , (7  , { I V . 3 2 } ) >
LFSR4Component =  { (  LFSR4 , { 6 , 7 } ) }
LFSR4Inputs =  { (IV . 26 ,0 , { 0 . .  1 } )  , ( I V . 2 0 6  ,0 , { 0 . .  1}  ) , ( I V .2 7  ,0 , { 0 . .  1}  )
}
L F SR 4Intern a l  =  { ( I V . 29 ,1 , { 0 . . 1 } )  , (IV .3 0  ,1 , { 0 . .  1 }  ) ,
( I V . 31 ,1 , { 0 . .  1}  ) , ( I V . 32 ,1 , { 0 . . 1 } ) }
LFSR 40utputs  =  { ( I V . 28 ,0 , { 0 . . 1 } )  }
LFSRreg4()  =  (VHDLProc. ( { I V . 26 , I V . 2 0 6 }  ,
Cond. (CompOp.Eq. I V a r . I V . 2 0 6  . C o n s t . 1 ,
S Q . d a s s i g n  . ( IV a r .  IV .29  , C o n s t . 1) , l a s s i g n  . ( I V a r .  IV. 30 , C o n s t .  1) , 
I a s s î g n  . ( I V a r .  IV. 31 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 3 2 , C o n s t . 1 ) > ,
Cond. (CompOp.Eq. I V a r . I V . 2 6 .  C o n s t .  1 ,
SQ.<Cond. (CompOp.Eq. I V a r . IV . 32 . I V a r . I V .2 7  ,
l a s s i g n  . ( I V a r . IV .29  , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V .29  , C o n s t . 0)  ) , 
Cond. (C om pO p.E q .IV ar . IV . 2 9 .  I V a r . I V .2 7  , 
l a s s i g n  . ( I V a r . I V . 30 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV .3 0  , C o n st  .0 )  ) , 
Cond. (CompOp.Eq. IV ar . IV . 3 0 .  I V a r . I V .2 7  , 
l a s s i g n  . ( I V a r . IV .31 , C o n s t .  1 ) , l a s s i g n  . ( I V a r . IV .3 1  , C o n s t .0 )  ) , 
Cond. (CompOp.Eq. I V a r . IV . 3 1 .  I V a r . I V .2 7  , 
l a s s i g n  . ( I V a r . IV .32  , C o n s t . 1 ) , l a s s i g n  . ( IV a r  . IV .  32 , C o n s t .  0 )  )
>,
S k i p ) ) ) ,  ( { } , { } )
LFSRout4 () =  (VHDLProc. ( { I V . 3 2 }  , l a s s i g n  . ( IV a r  . I V . 28 , I V a r . I V . 32)  ) , 
( { } ,{ } )
LFSR4RTL =  VRTL. LFSR4. < V P r o c . LFSRreg4 ( ) , V P r o c . LFSRout4 ( ) > . { }
Figure 10.8: Invalid LFSR SVA4VHDL definition for falsification verification
Since SVA4VHDL models signal vectors as individual signal identifiers, the B IS T -R E G  
values can be read in any order, thus the specification must allow for such behaviour. 
This is a drawback of the SVA4VHDL signal representation, but is easily represented 
using indexed choice within our specification.
Requirement 2 as a CSP Specification
The second requirement, reporting faulty bi-directional I/O  tristate  pairs, was identi­
fied as non-trivial using a testbench approach. We define an additional CSP process, 
lOFaultlnjection, Figure 10.10, which can alter the value of a signal identifier after it has 
a value assigned. Since ideas of time have been abstracted from a SVA4VHDL model, 
there is no need to factor in time when injecting a fault. Instead, the fault is injected 
irrespective of time, whenever a value is written to the output under inspection. Note 
th a t the process is extremely simple, the intricacies are introduced when renaming the 
system signals.
10.3. A  SVA4VHDL Model 193
channel reg : {0..7}.{0..1}
channel ram —pass, ra m -fa il, ram —sta rt
RAM Spec(alpha, result) =
let
all =  {| result, reg |}
E R R O R -R P T  =nxealpha x E R R O R -R P T
□ stable —ï W A ITIN G
□ ram —sta r t —> E R R O R -R P T  
W A IT IN G  =  stable  -> W A IT IN G
□ result —> E R R O R -R P T
□ ram —sta rt —> W A IT IN G  
S T A R T  =  ram —sta r t  —> W A IT IN G
n a:6oZZ\{resuZt} x W A IT IN G  
w ithin  
W A ITIN G
 EAM PASS =  11111100
-  -  PAM  PA/L =  11111101 
pass =  {reg.0.1, reg.1.1, reg.2.1, reg.3.1, 
reg.4.1, reg.5.1, reg.6.0, reg.7.0} 
fa il =  {reg.0.1, reg.1.1, reg.2.1, reg.3.1, 
reg.4.1, reg.5.1, reg.6.0, reg.7.1}
R A M SpecP ass =  R A M Spec(pass, ram —pass) 
RA M SpecF ail — RAM Spec(Jail, ram -fa il)
Figure 10.9: RAMSpec: RAM test specification
channel read, in ject
lO F aultln jection  — read —>■ in ject —> lO F aultln jection  
□ stable —» lO F aultln jection
Figure 10.10: CSP I/O  fault injection process
A specification is required to verify the output values of B IS T -R E G  signals. A similar 
specification to Figure 10.9 is given, 10Spec in Figure 10.11, which defines whether an 
error code can be found subsequent to executing the I/O  test. We identify two versions 
lOSpecPass and lOSpecFail th a t take the error codes from Table 10.1. To determine if 
the I/O  pair with the fault is correctly identified, additional sets can be defined, specifying 
the specific error code.
V erifica tion  R e su lts  Using the specifications, the additional process, and interchange­
able SVA4VHDL LFSR component definition, we verify the SVA4VHDL BIST model. 
As always CSP assertion definitions, which specify the type of refinement between the 
specification and the system (with appropriate renaming) are included. Suitable refine­
ment assertions for FDR are depicted in Figure 10.12. The compilation and verification 
time for the two requirements are given in Table 10.6.
The generation of the model within FDR required 30 GB of system memory (RAM) 
to model the system, as well as additional system resource (through the utilisation of 
the FDR Page Directories option) to perform the two refinement checks. This is a
194 Chapter 10. Case Study: Built-In Self Test
channel reg : {0. .7}.{0..1} 
channel io—pass, io—fa il, io—start  
IO Spec(alpha, result) =  
let
all =  {| result, reg |}
E R R O R -R P T  = n xealpha x  -»■ E R R O R -R P T
□ stable  -*• W A ITIN G
□ io—sta r t  —> E R R O R -R P T  
W A ITIN G  =  stable -»• W A ITIN G
□ result —» E R R O R —R P T
□ io—sta r t  —> W A ITIN G  
S T A R T  =  i o s t a r t  -> W A ITIN G
n a:6aZZ\{resuZt} ^ W A ITIN G  
w ithin  
W A ITIN G
 70  P A S S  =  11111110
-  -  70  FAIL =  11111111 
pass =  {reg .0.1, reg.1.1, reg.2.1, reg.3.1, 
reg.4.1, reg.5.1, reg.6.1, reg.7.0} 
fa i l l  =  {reg.0.1, reg.1.1, reg.2.1, reg.3.1, 
reg.4.1, reg.5.1, reg.6.1, reg.7.1}
lO SpecP ass =  IO Spec(pass, io -p a ss)  
lO SpecFail =  IO Spec(fail, io—fail)
Figure 10.11: 10Spec: I/O  test specification
Compilation (sec) Req.l (sec) Req.2 (sec)
UnCompressed 2285 18772 20809
Table 10.6: BIST verification time
considerably large CSP model from our experience. We believe, considering the size of 
the model generated, tha t the verification times, given in Table 10.6, are good, although 
experimentation with the style of specification may yield better results.
10.4 D iscussion
This chapter has demonstrated tha t a VHDL description that contains a faulty compo­
nent can be repeatedly translated to a CSP model tha t was subsequently analysed. We 
demonstrated how PSL assertions were translated to CSP specifications, thus removing 
the need to identify specific stimuli, since all state is being explored.
Providing a CSP specification to validate the I/O  enabled us to simply wait for a partic­
ular I/O  bit to change, and to then overwrite the change; simulating a faulty pin on the 
Virtex-5. In order to simulate a faulty pin, as a test scenario in VHDL, we showed in 
Section 10.2 tha t it was necessary to understand the timing and propagation inside the 
VHDL design to determine when the value of a particular I/O  pin needed to be altered. 
Clearly, the ability to perform this fault injection in CSP is far simpler than in VHDL 
because we abstracted time.
10.4. Discussion 195
B I STR enam edR A M P ass =
o u tp .T L B IS T . I V . 1 6 6 .1 ,o u tp .T L B IS T .I V . 1 6 7 .1 ,o u tp .T L B IS T . I V . 1 6 8 .1 , 
A W E J B I 3 T [ » ^ > - T L B I S T . I V . 1 6 9 . 1 , ma p . T i B I S T . I V . n 0 . 1 ,  / r e g .0 .1 , r e g . l . l , r e g .2 .1 ,}
reg .3 .1 , reg .4 .1 ,
B IST R enam edR A M P assC on t =
o u tp .T L B IS T .IV  .1 7 1 .1 ,o u tp .T L B I S T .I V .1 7 2 .0 ,o u tp .T L B I S T .I V .1 7 3 .0 ,
B IS T R en am edR A M P assliwrite-TLBIST-IV ■196-1’iwrite-TLBIST-IV-19i-1 / r e g .5 . 1 ,r e g .6 .o ,r e g .7 .o ,}
ra m ^ p a ss , r a m s t a r t
B ISTR enam edH iddenR A M Pass =  B IST R enam edR A M P assC ont \  pass U {stab le , ram —pass, ram—sta r t}
assert R A M SpecPass Ç t  B ISTR enam edH iddenR A M Pass
A W E B ISTR enam ed =  A W E -B IS T lx c h .T L B I S T .IV .187, o u tp .T L B IS T .1 7 6 /in ject, read} 
B IS T In ject =  A W E B ISTR enam ed  || lO F aultln jection
{{stable,read,in jec t\}
B I STR enam edIO F ail =
o u tp .T L B IS T  . I V  .1 6 6 .1 ,o u tp .T L B IS T  . I V  .1 6 7 .1 ,o u tp .T L B IS T  . I V  .1 6 8 .1 , 
A W E - B I S T I n j e c t [ ° ^ P . T L B I S T . I V . 1 6 9 . 1 , o u t p . T L B I S T . I V . 1 7 0 . 1 ,  / r e g .0 .1 , reg .1 .1 , reg .2 .1 ,}
reg .3 .1 , reg .4 .1 ,
BISTR enam edIO F ailC ont =
o u tp . T L B I S T .I V  .1 7 1 .1 ,outp. T L B I S T . I V .1 7 2 .1 ,ou tp . T L B I S T . I V .1 7 3 .1 , 
B I S T R e n a m e d I O F a i l \ / ^ - T L B i S T . i v . l o i . i , i w H t e . T L B i s T . i v . 1 0 3 .1  W 7 . i , ]
io—.fa ilii o s t a r t
BISTR enam edH iddenlO F ail =  B ISTR enam edlO F ailsC on t \  pass U {stab le , io—fa il, i o s t a r t }  
assert lO SpecFail BISTR enam edH iddenlO F ail
Figure 10.12: BIST verification refinement assertions
We demonstrated that FDR was capable of model checking an abstraction of the BIST 
model with three LFSR components and an eight bit width I/O  on a machine with 32GB 
of RAM. This size of model was the limit of what FDR could model check due to the 
memory restrictions of the machine. We also evaluated the scalability of the compiler 
on a larger 128GB machine and we were able to build the state space for a six LFSR 
component system with an I/O  width of eight bits. Clearly, the original BIST system 
of 1080 LFSR components and an I/O  w itdth of 64 bits was not verifiable due to the 
restrictions of state space. We note that recently 2  a later version of FDR has been 
released (FDR3 Beta 7) tha t supports the use of multiple processors. However, this new 
release is in a beta state and was not readily available during the time of the research.
The case study has identified the following two limitations within the current SVA4VHDL 
compiler:
• The SVA4VHDL compiler makes significant use of CSP sequential composition 
and is therefore unable to support parametrised VHDL processes at this time. 
Component parametrisation in VHDL is common practice (using the g e n e ra te  
syntax as described in Chapter 2, page 15), enabling large numbers of replicated 
components to be sequentially composed together in a design. As a result of this
^ N o v e m b e r  2 0 1 3
196 Chapter 10. Case Study: Built-In Self Test
restriction the dynamic chaining of LFSR blocks was not possible without first 
preprocessing the VHDL by hand to produce an explicit VHDL component where 
each of the LFSR blocks is uniquely introduced.
• The second restriction of the SVA4VHDL compiler also pertained to dynamic as­
signment within VHDL sequential process behaviour. The assignment of values 
to the I/O  tri-state signals used within the BIST example were not immediately 
translatable. Instead, the parametrised loop statements had to first be removed, 
and replaced with explicit if statements instead.
To mitigate these limitations in the case study, we simply re-factored the VHDL descrip­
tions prior to translation using our Java tool and the compiler.
Whilst all the case studies show th a t the core syntax of VHDL is supported, the syntax 
tha t enables generic VHDL systems to be described easily is not immediately supported 
by the compiler.
Chapter 11
Discussion
In this thesis we have presented a novel approach to model checking VHDL descriptions 
by developing a custom made compiler. Our work has shown th a t Roscoe’s SVA com­
piler [83] has provided a viable basis on which we have: defined a new modelling style, 
and implemented the extended capability to correctly capture a VHDL design comprising 
multiple components.
In Chapter 4 we reviewed Roscoe’s compiler and this formed the basis for our contribution 
of a new compiler in Chapters 5, 6, 7, and 8. Chapter 5 began by replacing the definition 
of a shared variable with our own definition of a VHDL signal. This definition provided 
a means of representing the three different signal types (input and output ports and 
internal signals). We also introduced a stabilisation model for VHDL, identifying stable 
and unstable states, which was crucial in correctly capturing the behaviour of both  VHDL 
signals and processes. In addition, Chapter 5 introduced new syntax to correctly express 
the nature of individual VHDL processes and their associated sensitivity list.
Chapter 6, 7, and 8 extended our compiler from Chapter 5. Chapter 6 identified possible 
scaling strategies, and from these an appropriate one was chosen th a t enabled us to 
translate multiple components in Chapter 7. The focus of the chosen strategy realised 
the restrictions of FDR, since the size of a model is restricted by the capability of a 
single processor, and the capacity of its associated memory, on which verification is to 
be performed. Thus, the selected strategy was chosen to ensure an optimal model was 
generated for use within FDR. Additionally, the stabilisation model from Chapter 5 was 
also reviewed in Chapter 6, and suitably modified to enable the correct modelling of 
multiple components.
197
198 Chapter 11. Discussion
A suitable set of constructs, defined as a CSP datatype, for capturing the different 
VHDL components was explained in Chapter 7. An appropriate translation method for 
defining VHDL using these constructs was also conveyed and an automatic translation 
tool introduced. The automatic translation worked well on the case studies, but there 
were limitations. These limitations were identified in Section 7.6 and Section 10.3.
The compilation of these constructs, and their associated information, into a CSP model, 
was then described to fully explain our SVA4VHDL compiler in Chapter 8. W ithin 
this expansion of the compiler to support multiple VHDL components, additional CSP 
processes were required to support the new structure, enabling correct capture of the 
VHDL behaviour. Identifying the need for these additional processes was not always 
apparent, as can be attested by the refinement of the stabilisation model as a result of 
evaluation of the first case study.
The structure of the thesis does not reflect the research journey taken, instead the focus 
is on our contribution, the SVA4VHDL compiler. Initial investigation aimed to extend 
another CSP methodology for representing VHDL, based on Evans’ approach [35]. This 
evaluation is contained within Chapter 9 so tha t it does not detract from our explanation 
of our compiler. It is nonetheless included, since it shows th a t the proposed approach 
in the literature does not scale. Our approach using a new compiler is shown to scale 
considerably by comparison to Evans’ original approach, as demonstrated in Chapter 9. 
The scalability of our compiler was subsequently further explored in Chapter 10.
The first case study, Chapter 9, began the evaluation of our contribution, comparing 
its abilities to analyse a small hardware description with both a current EDA tool, and 
more importantly, the methodology for analysing VHDL descriptions th a t formed our 
initial work. The necessity to define a CSP model with such care is made apparent 
in [84], which indicates tha t the implicit model checking capabilities of FDR are sensitive 
in their application, and must be skilfully employed in order tha t optimal models are 
obtained. From the work presented in Chapter 9, it is visible tha t we have identified an 
optimised approach for analysing VHDL using CSP specifications in FDR, providing a 
more scalable methodology than previously available. This was the driving focus of the 
research; identified by the PhD sponsor, AWE pic. The improvement in the scalabil­
ity provided by SVA4VHDL is impressive by comparison. The traffic lights case study 
used 630MB of RAM using SVA4VHDL to model check the system whereas the same 
case study could not be model checked using 32GB of RAM using Evans’ methodology. 
Chapter 9 illustrated the optimised compilation of our compiler, enabling verification to 
be performed on a moderate machine, within an acceptable time limit.
199
Chapter 10 discussed the analysis of a much larger, real world hardware system. The 
case study identified the versatility of using CSP specifications to provide verification of a 
hardware design, through the introduction of falsification into the model. Therefore, the 
two case studies in the thesis demonstrate two distinct styles of using CSP successfully 
to analyse hardware descriptions in VHDL.
We determined th a t the abstraction of time from the model could be accommodated. 
Whilst the case studies have illustrated tha t this was a valid assumption, as SVA4VHDL 
has modelled sufficiently each of the properties we have identified, there are certain 
limitations th a t have been introduced as a result. We have mentioned coverage evaluation 
throughout this thesis. There are, however, scenarios where knowing the timing within an 
invalid model may prove beneficial, such as providing feedback for reducing the coverage 
gap of a scenario; e.g., requirement two of our second case study from Chapter 10.
Languages such as PSL have been developed to perform assertions over time, within EDA 
simulators. There are a range of properties associated with hardware development tha t 
must be assessed to ensure tha t the clock speeds to be used, and the resultant chip layout, 
be it on an FPGA or ASIC, mean that the design can perform the defined behaviour 
within the timing requirements of a system.
Research introducing time into a CSP representation of hardware has been undertaken 
in [55]. In doing so, Kharmeh et al. have found it prudent to decompose their system 
model into distinguishable blocks, thus allowing for the verification of different system 
properties, including time; captured using abstracted CSP—took models. By comparison, 
our work has focused on ensuring the behavioural properties of a system can be analysed 
for hardware designs, and tha t the properties can be validated at a fine level of granularity.
Our research generates explicit formal models from hardware descriptions, in the form 
of optimised CSP for FDR. The compiler produces a fine granularity representation of a 
hardware system, tha t can be reasoned about using the versatile CSP language, allowing 
complex behavioural properties to be analysed. This fine level of granularity can be used 
to aid identification of erroneous code, and design faults.
From our research, the application of the SVA4VHDL compiler, for analysing system 
critical hardware behavioural designs, provides a more beneficial methodology than  pre­
viously available. However, this analysis is still unable to evaluate real world problems 
without the need to perform careful abstraction of the system under analysis.
The SVA4VHDL compiler brings a different perspective to the analysis of hardware sys­
tems. By using explicit formal models, focus can be placed on providing assurance on
200 Chapter 11. Discussion
the behavioural descriptions within a hardware design. Conversely, the formal verifica­
tion within EDA tools focuses on ensuring equivalence between different levels of VHDL 
design, and that for a particular scenario, a hardware description has been covered and 
meets certain criteria, expressed as assertions. Others such as Blackmore [13], Chen [26], 
and Grofie [47] aim to guide scenario development within EDA tools, closing the cov­
erage gap. Thus, our approach may offer an insight into a hardware description, and 
perhaps feed into a development framework to support analysis using EDA tools using 
this alternative perspective.
11.1 Future W ork
From this thesis several paths of research could be followed to extend our work. In 
Section 10.4 we noted th a t the grammar of SVA4VHDL could perhaps be extended to 
include additional functionality; in particular, a loop operator. By introducing such 
a loop operator, enabling dynamic assignment and component instantiation, the BIST 
example would have been fully automated, without the need for preprocessing of the 
VHDL description.
A possible approach to resolving this restriction would be to review the compiler and 
determine whether the I  Arc shared variable could be adapted to represent a signal vector. 
If such a change were to be implemented it is not immediately clear if the same sensitivity 
list definition, and thus the VHDLProc operator, would also require augmentation to 
support such a feature.
Addressing the issue of loops and vectors above would mean that more examples can 
be automatically generated without the need for preprocessing of the VHDL. These 
alterations would not have an impact on the CSP traces provided in terms of the number 
of events. Nonetheless, it would be easier to distinguish vectors as events in the traces 
due to the fact tha t they would be of a different type.
Recall tha t we introduced our analysis framework in Chapter 1, in Figure 1.1. In the 
framework we identified tha t a translation from a CSP trace into a digital design format 
would complete the round trip engineering process. The automatic translation tool con­
tains the required mapping information back to the VHDL ports and signals and provides 
the required basis for a translation back to VHDL. A study into the representation style 
should be undertaken to ensure tha t the resultant output is in a style understandable to 
VHDL designers.
11.1. Future Work 201
Another thought for further development of the SVA4VHDL compiler would be to de­
termine if any benefit can be drawn from using symbolic model checking, using the 
methodology identified by Nguyen et al. [67]. Such work would involve the mapping of 
the compiled SVA4VHDL model, tha t is the resultant CSP representation, to a suitable 
Binary Decision Diagram (BDD). However, before such enquiry were to be undertaken, 
the limits of the current SVA4VHDL tool would need further exploration. Additionally, 
recent work in the development of FDR such as the inclusion of BMC technologies [5] may 
provide an interesting avenue of research to determine whether symbolic model check­
ing need be required for extremely large systems, or if such functionality may now be a 
feasible option within FDR.
Chapter 11. Discussion
Appendices
203
A ppendix A
A Transformation Framework for 
the dd  Approach
As part of our initial research a transformation tool utilising meta-modelling techniques 
was developed to generate CSP models of hardware descriptions. This required the 
creation of two meta-models; one for VHDL and one for a version of CSP th a t could 
support the dd style. We give these meta-models in Figures A.5 and A . 6  respectively.
Upon these meta-models, the ETL [59] transformation language was employed to generate 
dd style CSP models from VHDL descriptions. The development of this transformation 
script resulted in 18 transformation rules, supported by 39 operations. Since the syntax 
style of the two languages was so disjoint, operations were frequently required to reshuffle 
rule generated model elements, often duplicating as well as restructuring aspect of the 
generated model.
Figure A .l identifies the ETL transformation rule used to generate the two CSP processes 
needed for each VHDL process, provided by the arguments of lines 4 and 5 in Figure A.I. 
Clearly from this rule definition many operations are called to support the transformation.
The first of these operations is the SensitivityList2ProcessParammeterList, called for 
both generated CSP processes in lines 9 to 1 2  of Figure A.I. Subsequently, from lines 14 
to 17, the GenerateParametersFromProcessExpression is also called in the generation of 
both  processes. Additional functions are also called to ‘tidy up ’ the generated param eter 
lists, lines 19 and 20. Notice the generation of the processes contained behaviour, lines 
2 1  to 23 of Figure A .l, is also specified using operations due to the disparate relation 
between VHDL and the style of CSP used in the dd translation [35].
205
206 Appendix A. A  Transformation Framework for the dd Approach
© la zy
r u l e  P r o c e s s 2 P r o c e s s  
t r a n s f o r m  vProc  : v h d l  ! C o m p lexP rocess  
t o  cProc  : csp  ! P ro c es s  ,
c P ro cP r im e  : csp ! P r o c e s s  {
/ / C r e a t e  t h e  tw o  CSP p r o c e s s e s  an d  s e t  t h e i r  nam e v a u l e s  
c P r o c .n a m e  :=  ” P_” +  v P ro c .n a m e;  
c P r o c P r im e .n a m e  := ” P_” +  vProc  . name +  ” ;
cProc  . d e f i n e s P a r a m e t e r s  : =
S e n s i t i v i t y  L i s t  2 P r o c e s s P a r a m e t e r  L i s t  (v P ro c  . r e a c t s T o )  ; 
c P r o c P r im e . d e f i n e s P a r a m e t e r s  :=
S e n s i t i v i t y  L i s t  2 P r o c e s s P a r a m e t e r  L i s t  (v P ro c  . r e a c t s T o )  ; 
f o r  ( e x p r e s s i o n  in  vProc  . p r o c e s s S t a t e m e n t s )  {
cProc  . d e f i n e s P a r a m e t e r s  . c o n t a i n s T y p e l t e m  . a d d A l l
( G e n e r a t e P a r a m e t e r s F r o m P r o c e s s E x p r e s s io n  ( e x p r e s s i o n )  ) ; 
cP ro cP r im e  . d e f i n e s P a r a m e t e r s  . c o n t a in s T y p e l t e m  . a d d A l l
( G e n e r a t e P a r a m e t e r s F r o m P r o c e s s E x p r e s s io n  ( e x p r e s s i o n )  ) ;
}
R e m o v e D u p lic a te sF r o m P a r a m ete rL is t  ( c P r o c  . d e f in e s P a r a m e t e r s  , f a l s e  ) ; 
R e m o v e D u p lic a te sF r o m P a r a m ete rL is t  ( c P r o c P r im e .  d e f in e s P a r a m e t e r s  , t r u e )  ; 
cProc  . p r o c e s s S t a t e m e n t  :=  C o n s t r u c t P r o c e s s  (v P r o c )  ;
G en e r a te P r im e R e fs  (vP roc  . r e a c t sT o  , cProc  . p r o c e s s S t a t e m e n t  , cP r o cP r im e )  ; 
cP r o cP r im e  . p r o c e s s S t a t e m e n t  :=  C o n s tr u c tP r im e  ( cProc , cProcPrim e , vProc  . r e a c t s T o  )
}
Figure A .l: ETL VHDL2CSP transformation of a VHDL process to 2 CSP processes
o p e r a t i o n  C o n s t r u c t P r o c e s s  (v P ro c  : v h d l  ! C om p lex P ro cess  ) : csp ! P r o c e s s E x p r e s s i o n  { 
v a r  e x p r e s s i o n s  =  new O rd ered S et  ;
/ / c o n s t r u c t  e x p r e s s i o n s  f r o m  VHDL p r o c e s s  s t a t e m e n t s ,  d i s t i n g u i s h i n g  b e t w e e n  
/ / a s s i g n m e n t s  a n d  i f / c a s e  s t a t e m e n t s  
f o r  ( s t a t e m e n t  i n  vP roc  . p r o c e s s S t a t e m e n t s )  
s w i t c h  ( s t a t e m e n t  . t y p e  () .name) {
c a s e  ” E x p r e s s i o n S t a t e m e n t ” : e x p r e s s i o n s  . a d d ( s t a t e m e n t  . e q u i v a l e n t  ()  ) ; 
c a s e  ” A s s ig n m e n t” : e x p r e s s i o n s  . a d d ( G e n e r a t e L e t W i t h i n ( s t a t e m e n t  ) )  ;
}
v a r  c E x p r e s s io n  :=  n u l l ;
c E x p r e s s io n  := C o n s t r u c t P r o c e s s E x p r e s s i o n (  e x p r e s s i o n s )  ; 
r e t u r n  c E x p r e s s io n  ;
}
Figure A.2: ETL VHDL2CSP ConstructProcess operation
We provide the supporting operations ConstructProcess and ConstructPrime in Figures 
A.2 and A.3 respectively. From both these operations we can see distinct behaviour, 
calling rules and subsequently manipulating the generated model structures to a form 
that meets the target model style. The calling of other rules, such as the transformation 
of ExprèssionStatements, Line 7 of Figure A.2, use the ETL equivalent () operator.
The ConstructPrime operation, Figure A.3, is used to generate the dd event for each 
process, focusing ensuring the correct ordering of parameters over the channel, both  as 
variable values and wild cards. Line 6  generates the reference to the dd channel, enabling 
an event, whilst lines 7 and 8  go on to define the parameters for the event. The generated 
dd event is then integrated into the prime process (P') body along with an IF statement 
in line 1 0 .
Interestingly, the definition of the dd channel meant that a scan on the entire VHDL was 
required prior to any transformation was undertaken. This ensured a defined ordering of 
parameters over the dd channel tha t could then be referenced by any rules and operations 
th a t generated events, such as the ConstructPrime operation already discussed. Figure 
A.4 gives the pre block tha t initiated the dd channel, and constructed the necessary 
OrderedSet to ensure the ordering of parameters was maintained.
The implemented automated tool provided sufficient functionality to define the traffic 
lights case study from Chapter 9. However, from Chapter 9, it was show that further 
development of the tool was inconsequential since the approach to modelling VHDL taken 
did not scale. Thus efforts were turned to develop a scalable methodology for analysing 
VHDL using explicit model checking technologies.
208 Appendix A. A  Transformation Framework for the dd Approach
o p e r a t i o n  C o n s tr u c tP r im e  ( cProc  : csp ! P ro c es s  , cPro cP r im e  : csp  ! P ro c es s  ,
v p S e n s i t i v i t y L i s t  : v h d l  ! S e n s i t i v i t y L i s t  ) : csp ! P r o c e s s E x p r e s s i o n  {
v a r  e x p r e s s i o n  := new csp ! P r e f i x  ; 
v a r  dd := new csp ! Event ;
/ / c r e a t e  dd  e v e n t
dd . i n s t a n c e O f  := G etC hannelR ef  ( ” dd” ) ;
dd . d e f i n e s P a r a m e t e r s  := C o n s t r u c t E v e n t P a r a m e t e r L i s t ( cP rocP r im e  .
d e f in e s P a r a m e t e r s  , cProc  . d e f i n e s P a r a m e t e r s )  ;
/ / d e f i n e  Ihs  a n d  r h s  o f  p r e f i x  e x p r e s s i o n  
e x p r e s s i o n  . n e s t e d E x p r e s s i o n  .a d d ( d d )  ;
/ / d e f i n e  r h s  o f  p r e f i x  e x p r e s s i o n
e x p r e s s i o n  . n e s t e d E x p r e s s i o n  . a d d (  C r e a t e S e n s i t i v i t y S t a t e m e n t s (  
cProc , cProcPrim e , v p S e n s i t i v i t y L i s t  ) ) ;
/ / r e t u r n  e x p r e s s i o n  
r e t u r n  e x p r e s s i o n  ;
}
Figure A.3: ETL VHDL2CSP ConstructPrime operation
/ / P r e  b l o c k  u s e d  t o  s t o r e  d d C h a n n e l V a l u e s  f o r  u s e  t h r o u g h o u t  t r a n s f o r m a t i o n . 
p r e  {
v a r  d d C h a nne lV a lues  := new O rd ered S et  ;
/ / C r e a t e  C h a n n e l  d e f i n t i o n s  i n  CSP
/ / e x p l i c i t l y  c r e a t e  t h e  dd  c h a n n e l  f o r  a l l  i n p u t  v a l u e s  
v a r  ddChannel =  new csp ! Channel ; 
d d C h a n n e l . name := ” dd” ;
v a r  d d P a r a m e te r L is t  =  new csp ! C h a n n e lP a r a m e te r L is t  ; 
d d C h a n n e l . d e f i n e s P a r a m e t e r s  :=  d d P a r a m e te r L is t  ;
}
Figure A.4: ETL VHDL2CSP Transformation Pre block
209
Figure A.5: VHDL Meta-Model
210 Appendix A. A  Transformation Framework for the dd Approach
[Hr
Figure A.6: CSP Meta-Model
A ppendix B
Case Study 1: 
A dd Representation
The translation of the VHDL traffic lights system {long-road component) to a dd model is 
represented by many CSP processes. From Section 9.4, it was identified th a t a long-road 
VHDL description comprising three cross-road components generated a dd style system 
that could not be analysed, despite the 32GB RAM afforded by our modelling machine. 
As a result, we identify the model used instead, containing only two cross-road compo­
nents here.
Since the VHDL description must first be flattened, the generated dd channel contains: 
a single global clock parameter; two present-state and n e x ts ta te  parameters, one for 
each component; a timer param eter for each, bounded from one to ten; and the triggers 
triggerGl, triggerG2, triggerGS, and triggerGA. The ordering of these parameters are 
given in the code below, but it is visible that it is not easy to track what each param ­
eter represents. Glgreen and G2green are for one cross roads. Similarly, G3green and 
GAgreen represent the other cross-roads.
d a ta type  S T A T E  =  m R M R \ m G M R  | m R M G  
nametype B I T  =  {0..1}
 clock, p r e s e n t - . s t a t e i ,n e x t s ta t e i , t i g g e r G l ,  triggerG2, t im er i ,
 p r e s e n t s ta t e z ,  n e x t s t a t 62 , tiggerGS, triggerGA, timer?,
channel dd  : B I T .S T A T E .S T A T E .B I T .B I T .T E N  . S T A T E .S T A T E .B I T .B I T .T E N
 output channels
nametype T E N  =  {0..10}
channel Glgreen, G2green, GSgreen, GAgreen : B I T
The generation of VHDL processes to CSP processes is not a one-to-one relationship.
211
212 Appendix B. Case S tudy 1: A  dd Representation
For each dd defined VHDL processes, a CSP process, suffixed prime, e.g., P', is defined 
to represent the sensitivity list behaviour of a VHDL process, and the updating of signal 
values. It is within this prime process that the dd event occurs.
For simple VHDL processes, another process is required to describe the actual behaviour 
of the VHDL process. These are denoted without a suffix, e.g. P. The translation of the 
VHDL elk process from 9.3 is given by the following two dd style CSP processes:
P —clk(clock, present—state , n e x t s t a t e ,  t im er)  =  let 
nv—present—state  =  i f  (clock = =  1) then n e x t s t a t e  
else p resen t-s ta te  
nv—tim er  =
i f  ((present—state  = =  m R M G ) and(clock  = =  l ) ) th en  t im er  +  1 
else t im er
within P —elk'(nv—present—state, nv—tim er,  clock)
P —clk'(nvp resentstate , n v t im er,  clock) =
dd?nv—clock ! nv—present—state?nv—next—state?—?—\ n v - t im e r ? -? —?-?-?— —> 
i f  (nv—clock! =  clock)then  
P —clk(nv—clock, nv—present—state, n v - n e x t s t a t e ,  nv—tim er)  
else P - d k '  ( n v - p r e s e n t s t a t e ,  n v - t im e r ,  clock)
More complex behaviours within a VHDL process require tha t the behaviour be split up, 
utilising CSP pattern  matching for processes. For instance, the traffic light case study’s 
FSM for each cross-roads used three states: mRM R, mGMR, and mRMG, it is on these 
values tha t we pattern  match and thus three behavioural CSP processes are defined to 
correctly capture the behaviour within the VHDL fsm  process. The full representation 
of the VHDL fsm  process is given below:
P —f s m ( t r ig g e r G l ,  triggerG2, tim er,  m R M R )  =  let 
nv—next—state  =  
i f  ( ( tr iggerG l - l )and( tr iggerG 2  = =  0))then m R M G  
else i f  ( ( tr iggerG l  = =  l )and(tr iggerG 2  = =  l ) ) th en  m R M G  
else i f  ( ( tr iggerG l  = =  0)and(triggerG2  = =  l ) ) th e n  m G M R  
else m R M R
within P —fsm ' ( tr iggerG l ,  triggerG2, t im er,  m R M R , nv—next—state)
P - f s m ( t r ig g e r G l ,  triggerG2, timer,  m G M R ) — let 
nv—n e x t s t a t e  =  
i f  ( ( tr iggerG l  = =  l )and( tr iggerG 2  = =  0))then m R M R  
else i f  ( ( tr iggerG l  —=  0)and(triggerG2  = =  0 ) ) th e n m R M G  
else m G M R
within P —fsm' ( tr iggerG l,  triggerG2, t im er,  mG M R , nv—next—state)
213
P - f s m ( t r i g g e r G l ,  triggerG2, t im er ,  m R M G ) — let 
nv—next—state  =  
i f  ( t im er  = =  8) then m R M R  
else m R M G
within P - f s m ' ( t r ig g e r G l ,  triggerG2, t im er ,  m R M G , nv—n e x t s t a t e )
P —fsm '( tr ig g erG l,  triggerG2, t im er ,  p re sen t -s ta te ,  n v - n e x t s t a t e )  =  
dd?—? nv—p re sen t- s ta te  ! nv—n e x t s t a t e ?
nv—tr iggerG l?n v—triggerG2?nv—tim er?—?—?—?—?— —> 
i f  ((triggerGV.  =  n v - t r ig g e r G l )  or  (trig g erG2\  =  nv-tr iggerG 2)  
or( ( t im erl  — nv—tim er)
o r ( p r e s e n t s ta t e \  =  nv—present—sta te))) then  
P - f s m ( n v - t r ig g e r G l ,  nv- tr iggerG 2 ,  nv—tim er,  nv—pre sen t-s ta te )  
else
P —fsm '( tr ig g erG l ,  triggerG2, nv—tim er,  p re sen t-s ta te ,  nvn e x t s t a t e )
Notice tha t in flattening the model we have not only had to generate an event with the 
value of the output port Glgreen of the first cross-roads component, but its value is also 
provided it as the ninth parameter over the dd channel, written by the P s e tG V  process 
(see below). This value is then used as the nv-triggerG3 value in the second cross-roads 
component, providing the stimulus for the major road trigger within this component. 
The P s e tG 2  and P-setG 2' processes describe the setting of the minor road light colour, 
reacting to the first cross-roads component. From this we can see how the interlinking 
of VHDL components is represented in the dd approach.
P s e t G l ( p r e s e n t —state)  =  let 
nv—G lgreen  =
i f  (present—state  = =  m R M G )th en  1 
elseO
within G lgre en \nv g lgreen  —» P s e t G l ' ( p r e s e n t - s t a t e ,  n v -G lg r e e n )
P s e t G l ' ( p r e s e n t - s t a t e ,  nv—triggerG3)  =
dd?—?nv—present—state?—?—?—?—?—?—\nv—triggerG3?—?— —> 
i f  (present—state! — nv—present—state) then  
P s e t G l ( n v - p r e s e n t s t a t e )  
else P s e t G l ' ( p r e s e n t - s t a t e ,  nv- tr iggerG 3)
P s e t G 2 ( p r e s e n t —state)  =  let 
n v - G 2  green =
i f  (present—state —=  m G M R )th en  1 
else 0
within G2green\n v - G 2 green —>• P s e t G 2 ' ( p r e s e n t - s t a t e )
P —setG2' (present—state)  =
dd?—?nv—present—state?—?—?—?—?—?—?—?—?— —> 
i f  (present—state! =  n v - p r e s e n t s ta t e ) th e n  
P s e t G 2 ( n v —presen t-s ta te )  
else P s e t G 2 ' ( p r e s e n t - s t a t e )
214 Appendix B. Case S tudy 1: A  dd Representation
In order to synchronise the CSP processes, a composition of the P' process, with the 
initial stimuli, is given for each component, such as P S Y S T E M i  and P S Y S T E M 2 
below. These processes composed together to perform a multi-way synchronisation over 
the dd channel. It is at this point tha t the state space of the system is reduced through 
the synchronisation.
P S Y  S T  E M i =  le t
P S Y S T E M ( c l o c k ,  p re sen t-s ta te ,  n e x t s t a t e ,  tr iggerG l,  t r iggerG l ,  t im er)  =
P - c l k [ ( p r e s e n t s t a t e ,  t im e r , clock) ||
{\dd\}
P - f s m l  ( tr iggerG l,  tr iggerG l,  t im er ,  p r e s e n t s t a t e ,  n e x t s t a t e )  ||
{\dd\}
P s e t G l ^ ( p r e s e n t s t a t e ,  tr iggerG l)  || P s e t G l [ ( p r e s e n t s t a t e )
{\dd\}
within P —S Y S T E M ((0, m R M R , m G M R ,  0,0,0)
P - S Y S T E M 2 =  let
P S Y S T E M ( c l o c k ,  p r e s e n t s t a t e ,  n e x t s t a t e ,  , tr iggerG3, triggerGA, t im er)  =
P - d k U p r e s e n t s t a t e ,  t im er ,  clock) ||
{|dd|}
P-fsm M triggerG S, triggerGA, t im er ,  p r e s e n t s t a t e ,  n e x t s t a t e )  ||
{\dd\y
P s e t G l ' 2 ( p r e s e n t s ta t e )  || P s e t G l ' 2 ( p r e s e n t s ta t e )
{|dd|}
within P S Y S T E M ( ( 0 ,  m R M R , m G M R ,  0,0,0)
To fully define the traffic lights example, the above component compositions are com­
posed together, again synchronising over the dd channel:
road =  P - S Y S T E M i  || P S Y S T E M ^
{\dd\y
We have deliberately left out the definition of the second component CSP processes since 
they will be exact reflections of the behaviour exhibited in the first component, except 
tha t the location of the parameters from the dd channel will change to reflect the positions 
identified initially, and there is no need to provide the output of GSgreen as the stimuli 
for another component. The original VHDL traffic lights system was encapsulated within 
125 lines of code, and represented in SVA4VHDL using 254 lines of code. By comparison 
the translation to a dd style CSP model has resulted in nearly double the lines of code 
of the original VHDL model, 240. Note that this is for only two contained components, 
not the three specified in the original VHDL, or the SVA4VHDL representation.
A ppendix C
Case Study 2: AWE Built-In Self 
Test VHDL Code
Below we present the VHDL components tha t make up the AWE pic. BIST case study 
presented in Chapter 10, Section 10.1. The VHDL composition of these different VHDL 
components is given in Figure 10.1.
Section C .l identifies the LFSR component tha t is used to fill the internal logic of a 
VIRTEX 5 FPGA during the BIST testing. Section C.2 presents the VHDL compositional 
component used to link the LFSR blocks from Section C .l.
The VHDL test for the LFSR blocks is given in Section C.3, the behaviour of which 
is illustrated in Figure 10.2 on page 179. This component, along with the LFSR blocks 
defined in Section C.2 are composed together using the VHDL component in Section C.4.
The other two VHDL components for this hierarchical level (refer back to Figure 10.1) 
are given in Sections C.5 and C.6. Section C.5 details the second test performed by the 
BIST in VHDL, this is illustrated in Figure 10.3, on page 180, for clarity.
The top level component for the BIST VHDL design is identified in Section C.7, com­
posing the components from Sections C.4, C.5, and C.6, together.
An additional definition for the LFSR component, from Section C .l is given in Section 
C.8. This version supplies the broken behaviour used during the EDA analysis discussed 
in Section 10.2. The full VHDL description requires 889 lines for its definition (this 
includes comments).
215
216 Appendix C. Case S tudy 2: AW E  Built-In Self Test VHDL Code
C .l Case Study 2: LFSR  V H D L Com ponent
The LFSR component below identifies the behaviour of a 4 bit flip-flop (LFSR_reg) taking 
in a value (LFSR-IN), and using this value performs an xor against each of the contained 
flip flops. The last element of the 4 bit flip flop is then passed as an o u t p u t (LFSR_out), 
and using the input value as the head of the flip-flop.
e n t i t y  LFSR i s  
p o r t  ( CLK: in  s t d - l o g i c  ;
RST: i n  s t d _ l o g i c  ;
LFSR-IN : in  s t d - l o g i c  ;
LFSR_out : o u t  s t d _ l o g i c ) ;  
end  e n t i t y  ;
a r c h i t e c t u r e  RTL o f  LFSR i s  
s i g n a l  LFSR : s t d - l o g i c . v e c t o r  (3 dow nto  0) := ( o t h e r s  =>  ’1 ’) ;
b e g in
LFSR_reg : p r o c e s s  (CLK,RST) 
b e g in  
i f  (RST =  ’ I ’) t h e n
LFSR < =  ( o t h e r s  =>  ’ 1 ’) ;  
e l s i f  r i s i n g - e d g e  (CLK) t h e n
f o r  I i n  LFSR’HIGH dow nto  0 l o o p  
i f  I =  0 t h e n
LFSR(O) < =  LFSR (LFSR’HIGH) x o r  LFSR-IN ; 
e l s e
L FSR(I) < =  L F S R ( I - l )  x o r  LFSR-IN ; 
end  i f  ; 
end  l o o p  ; 
end  i f ; 
end  p r o c e s s  ;
LFSR-out < =  LFSR( LFSR’HIGH) ; 
end;
C.2 Case Study 2: TL_LFSR  V H D L Com ponent
The compositional component below composes four LFSR components together to build 
a larger block, linking the input and output port of each to create a larger sequential 
flip-flop.
e n t i t y  TL-LFSR i s  
g e n e r i c  (N : NATURAL :=  5 ) ;
p o r t  (CLK : in  s t d - l o g i c  ; RST : in  s t d - l o g i c  ;
LFSR-IN : in  s t d - l o g i c  ; LFSR.out : o u t  s t d - l o g i c  ) ; 
end  e n t i t y  ;
a r c h i t e c t u r e  TL o f  TL-LFSR i s  
s i g n a l  L F SR -int  : s t d - l o g i c - v e c t o r  (N -2  dow nto  0 ) ;
b e g in
C.3. Case S tudy 2: FSM ^LFSR VHDL Component 217
G l: f o r  I in  0 t o  N—2 g e n e r a t e  
It : i f  I =  0 g e n e r a t e
LO : e n t i t y  WORK. LFSR p o r t  map (
CLK =>  CLK, RST =>  RST, LFSRJN = >  L F S R J N , L FSR.out =>  L F SR -in t  (0 )  ) ; 
end  g e n e r a t e  ; 
r t : i f  i =  N—2 g e n e r a t e
L n : e n t i t y  WORK.LFSR p o r t  map (
CLK =>  CLK, RST = >  RST, LFSR-IN =>  L FSR -int  ( I - 1 )  , LFSR.out =>  L F SR .out)  ; 
en d  g e n e r a t e  ; 
b r : i f  i =  N—1 g e n e r a t e
Ln: e n t i t y  WORK. LFSR.broken p o r t  map (
CLK =>  CLK, RST = >  RST, LFSRJN =>  L FSR -int  ( I - 1 )  , LFSR.out =>  L F S R .o u t ) ;  
end  g e n e r a t e  ;
md: i f  i >  0 and  I <  N—2 g e n e r a t e
Ln : e n t i t y  WORK. LFSR p o r t  map (
CLK =>  CLK, RST =>  RST, LFSRJN = >  L F SR -int  ( I - 1 )  , LFSR.out =>  L F S R .in t  ( I ) )  ; 
end  g e n e r a t e  ; 
end  g e n e r a t e  ; 
end;
C.3 Case Study 2: F SM —LFSR V H D L C om ponent
A test for ensuring tha t the LFSR blocks produce the expected result is described in the 
component below. The behaviour, identified within the fsm-logic  process and visualised 
in Figure 10.2, is driven by the fsm -reg  process, which reacts to the clock input port, 
e n t i t y  FSMJFSR i s  
g e n e r i c  (
RAMNO : NATURAL := 10;
RAM_CHK_VALUE : s t d - l o g i c . v e c t o r  :=  X”FFFF” ;
RAM-CHKNO : NATURAL := 4 ) ; 
p o r t  (
CLK : in  s t d - l o g i c  ; RST : in  s t d - l o g i c  ;
START : in  s t d _ l o g i c  ; R S T .in t  : o u t  s t d _ l o g i c  ;
LFSRJN : o u t  s t d - l o g i c  ; L F SR .c lk  : o u t  s t d _ l o g i c  ;
LFSR.out : i n  s t d - l o g i c  ; FAIL : o u t  s t d - l o g i c ;
PASS : o u t  s t d _ l o g i c ) ;  
end  e n t i t y  ;
architecture FSM of FSM-LFSR is 
type s t a t e  is (IDLE, SENDJDATA,CORRECT,WRONG) ; 
signal p r e s e n t - s t a t e  , n e x t  . s t a t e  : s t a t e  :=  IDLE;
signal count  : i n t e g e r  range 0 to (RAMJ>!OfRAM_CHK_NO—1) :=  0;
signal CHK_reg : s t d - l o g i c . v e c t o r  (RAM-CHKNO-1 downto 0) := (others = >  ’O’) ;
signal GEN_reg : s t d - l o g i c . v e c t o r  (8 downto 0) :=  (others => ’1 ’) ;
signal G E N .r e g .r s t  : s t d _ l o g i c  ; 
signal g e n .e n  : s t d - l o g i c  ; 
begin
f s m .r e g  : p r o c e s s  (CLK,RST) i s
218 Appendix C. Case S tudy 2: AW E Built-In Self Test VHDL Code
b e g in
i f  r i s i n g _ e d g e  (CLK) t h e n
i f  (RST =  ’ ! ’) t h e n  p r e s e n t - s t a t e  < — i d l e ;  
e l s e  p r e s e n t - s t a t e  < =  n e x t - s t a t e  ; 
end  i f  ; 
e n d  i f  ; 
e n d  p r o c e s s  ;
f s m - l o g i c  : p r o c e s s  ( p r e s e n t - S t a t e  ,START, count , CHK_reg) i s  
b e g in
gen_en < =  ’O’ ; FAIL < =  ’O’ ; PASS < =  ’O’ ;
GEN_reg_rst < =  ’0 ’ ; n e x t - s t a t e  < =  p r e s e n t . s t a t e  ;
c a s e  p r e s e n t - s t a t e  i s  
when IDLE =>
i f  (START =  ’ 1 ’ ) t h e n  n e x t - s t a t e  < =  SEND-DATA; 
e l s e  GEN_reg_rst < =  ’ 1 ’ ; 
end  i f  ; 
when SEND-DATA =>
i f  c o u n t  =  RAMJ'JO+RAM-CHK-NO—1 t h e n
i f  CHK-reg =  RAMJSHK-VALUE t h e n  n e x t - s t a t e  < =  CORRECT; 
e l s e  n e x t - s t a t e  < =  WRONG; 
end  i f  ; 
e l s e  g e n .e n  < =  ’ 1 ’ ; 
end  i f  ; 
when CORRECT =>
PASS < =  ’ 1 ’ ; n e x t - s t a t e  < =  IDLE; 
w hen WRONG =>
FAIL < =  ’ 1 ’ ; n e x t - s t a t e  < =  IDLE; 
end  c a s e  ; 
en d  p r o c e s s  ;
c o u n te r  : p r o c e s s  ( e lk  ,RST) 
b e g in
i f  r i s i n g . e d g e  (CLK) t h e n
i f  (RST =  ’! ’) t h e n  c o u n t  < =  0; 
e l s i f  G E N .r e g .r s t  =  ’1 ’ t h e n  co u n t  < =  0; 
e l s i f  (gen_en  =  ’l  ’) t h e n  c o u n t  < = c o u n t  +  l; 
end  i f  ; 
en d  i f  ; 
end  p r o c e s s  ;
c h k . r e g i s t e r  : p r o c e s s  (CLK,RST) 
b e g i n
i f  r i s i n g . e d g e  (CLK) t h e n
i f  (RST =  ’ 1 ’ ) t h e n  CHK.reg < =  ( o t h e r s  = >  ’O’) ;  
e l s i f  g e n .e n  =  ’1 ’ t h e n
CHK_reg < =  CHK_reg(RAJVLCHK-NO-2 dow nto  0) & LFSR.out;  
en d  i f  ; 
end  i f ; 
end  p r o c e s s  ;
g e n . r e g i s t e r  : p r o c e s s  (CLK,RST) 
b e g i n
i f  r i s i n g . e d g e  (CLK) t h e n
i f  (RST =  ’ 1 ’) t h e n  GEN_reg < =  ( o t h e r s  = >  ’ ! ’) ;
C.4. Case S tudy 2: B IST _R A M  VHDL Component 219
elsif G E N .r e g .r s t  =  ’1 ’ then GEN_reg < =  (others => ’ 1 ’) ; 
elsif g e n .e n  =  ’1 ’ then
GEN_reg < =  GENjreg(7 downto 0) & (G E N j-eg (8 )  xor G E N jreg(3)  ) ; 
end if ; 
end if ; 
end process ;
LFSRJN < =  GEN_reg(7) ;
L F SR .c lk  < =  g e n . e n  and e lk  ;
R S T .in t  < =  RST or G E N .r e g .r s t  ; 
end;
C.4 Case Study 2: B IST _R A M  V H D L C om ponent
The composition of the TL-LFSR  and the F SM -L F SR  components is described in the 
VHDL component below.
e n t i t y  BISTJtAM i s  
g e n e r i c  (RAMNO : n a t u r a l  : =  64; RAMCHKNO : n a t u r a l  : =  32;
RAM.CHK-YALUE : s t d . l o g i c . v e c t o r  := X”FFFF” ) ; 
p o r t  (CLK : i n  s t d . l o g i c  ; RST : in  s t d . l o g i c  ;
STARTJLAM : i n  s t d . l o g i c  ; RAM J'AIE : o u t  s t d . l o g i c  ;
RAMPASS : o u t  s t d - l o g i c  ) ; 
e n d  e n t i t y  ;
a r c h i t e c t u r e  TL o f  BISTJtAM i s  
s i g n a l  LFSRJN : s t d . l o g i c  ; s i g n a l  L F SR .c lk  : s t d . l o g i c  ; 
s i g n a l  LFSR.out : s t d . l o g i c  ; s i g n a l  R S T .in t  : s t d . l o g i c  ; 
b e g in
enJ S M .L F S R : e n t i t y  "WORK.FSMJFSR 
g e n e r i c  map (RAMNO =>  RAMNO, RAMCHKNO =>  RAMCHKNO,
RAMCHK-VALUE =>  RAMCHKVALUE) 
p o r t  map (CLK = >  CLK, RST => RST, R S T .in t  =>  R S T J n t  ,
START =>  STARTJtAM, LFSR-IN => L F S R J N , L F S R .c lk  =>  L FSR .c lk  ,
LFSR.out =>  L F S R .o u t , FAIL =>  RAM JAIL , PASS >  RAM JA SS) ; 
en.TL.LFBR: e n t i t y  'WORK.TLJJSR 
g e n e r i c  map (N =>  RAMNO)
p o r t  map (CLK =>  LFSR.CLK, RST =>  R S T J n t  ,
LFSRJN =>  L F S R J N , LFSR.out =>  LFSR.out ) ; 
end  a r c h i t e c t u r e  ;
C.5 Case Study 2: BIST_JO V H D L C om ponent
The second BIST test is defined in the B IS T -IO  component below. This describes the 
verification of the I/O , using the FSM depicted in Figure 10.3, captured by the fsm-logic  
process.
e n t i t y  BIST.IO i s  
g e n e r i c  (IO N O  : n a t u r a l  := 3 2 )  ;
220 Appendix C. Case S tudy  2: AW E Built-In Self Test VHDL Code
p o r t  (CLK : in  s t d _ l o g i c  ; RST : i n  s t d _ l o g i c  ;
START : in  s t d . l o g i c ;  nOE_0 : o u t  s t d _ l o g i c  ; 
nOE_l : o u t  s t d - l o g i c  ; DIR : o u t  s t d - l o g i c  ;
IO-PASS : o u t  s t d _ l o g i c ;  10-FAIL : o u t  s t d - l o g i c  ;
IO-FAILJEND : o u t  s t d - l o g i c  ;
IO-FAILEDJPORT : o u t  s t d - l o g i c - v e c t o r  (7 dow nto  0) ;
IO : i n o u t  s t d - l o g i c - v e c t o r  (IO_NO—1 dow nto  0 ) ) ;  
end  e n t i t y  ;
a r c h i t e c t u r e  BEE o f  BIST-IO i s  
t y p e  s t a t e  i s  (IDLE, EVEN_TEST_0a, EVEN_TEST_1, EVEN_TEST_0b, 
ODD-TEST-Oa, ODD_TEST_l, ODD_TEST_Ob, SEND-FAIL-EVEN,
SEND-FAIL-ODD, END-TEST) ; 
signal p r e s e n t - s t a t e  , n e x t  - S t a t e  : s t a t e  := IDLE; 
signal in c _ c o u n t  : s t d - l o g i c  ; signal r s t . c o u n t  : s t d - l o g i c  ; 
signal IO -IP  : s t d - l o g i c  ; signal ERROR_reg : s t d - l o g i c  :=  ’O’ ; 
signal ERROR-CLR : s t d - l o g i c  ; signal ERROR : s t d - l o g i c  ; 
signal D IR -i  : s t d - l o g i c  ; signal nOE_i : s t d - l o g i c  ; 
signal c o u n t  : n a t u r a l  range 0 to IO-NO := 0; 
begin
fsm _ reg  : p r o c e s s  (CLK,RST) i s  
b e g in
i f  r i s i n g _ e d g e  (CLK) t h e n
i f  (RST =  ’! ’) t h e n  p r e s e n t - s t a t e  < =  i d l e ;  
e l s e  p r e s e n t - s t a t e  < =  n e x t - s t a t e  ; 
end  i f  ; 
end  i f  ; 
end  p r o c e s s  ;
f s m _ l o g i c  : p r o c e s s  ( p r e s e n t - s t a t e  ,START,10 , count  ,ERROR_reg) i s  
b e g in
in c _ c o u n t  < =  ’O’ ; r s t . c o u n t  < =  ’O’ ; ERROR-CLR < =  ’O’ ;
ERROR < =  ’O’ ; IO-IP  < =  ’O ’ ; nO E.i  < =  ’ ! ’ ; D IR -i  < =  ’O ’ ; 
IO-PASS < =  ’O ’ ; IO-FAIL < =  ’O’ ; IO-FAILJEND < =  ’O ’ ; 
IO_FAILEDJPORT < =  ( o t h e r s  =>  ’O’) ;  
c a s e  p r e s e n t - s t a t e  i s  
w hen IDLE =>
ERROR-CLR < =  ’ 1 ’ ; r s t . c o u n t  < =  ’ 1 ’ ; 
i f  (START =  ’ 1 ’ ) t h e n  n e x t - s t a t e  < =  EVEN-TESTuOa; 
e l s e  n e x t - s t  a te  < =  IDLE ; 
end  i f  ; 
w hen EVEN-TESTDa =>  
nOE_i < =  ’O’ ; D IR -i  < =  ’ ! ’ ; IO -IP  < =  ’O ’ ;
IF  ( I O ( c o u n t+ 1 )  =  ’O’) t h e n  n e x t - s t a t e  < =  EVEN_TEST_1 ; 
e l s e  n e x t - s t a t e  < =  SENDJFAILJEVEN; 
end  i f  ; 
when EVEN_TEST_1 =>  
n O E J  < =  ’O’ ; D IR -i  < =  ’ ! ’ ; IO_IP < -  ’ ! ’ ;
IF  (IO ( c o u n t + 1 )  =  ’ 1 ’) t h e n  n e x t - s t a t e  < — EVEN_TEST_0b; 
e l s e  n e x t - s t a t e  < =  SEND-FAIL-EVEN ; 
end  i f  ; 
w hen EVEN-TEST-0b =>  
nOE-i < =  ’O’ ; D IR -i  < =  ’1 ’ ; IO-IP < =  ’O ’ ;
C.5. Case S tudy  2: B IST -IO  VHDL Component 221
IF  ( 1 0 ( c o u n t + 1 )  =  ’O’) t h e n  
IF  ( c o u n t  =  IO_NO—2) t h e n
r s t . c o u n t  < — ’ 1 ’ ; n e x t - s t a t e  < =  ODD_TEST_Oa; 
e l s e
i n c . c o u n t  < =  ’ 1 ’ ; n e x t - s t a t e  < =  EVEN_TEST_Oa; 
en d  i f  ;
else n e x t - s t a t e  < =  SEND-FAILJEVEN; 
end i f ; 
when ODD_TEST-Oa =>  
nOE_i < =  ’O ’ ; D IR -i  < =  ’O ’ ; IO_IP < =  ’O ’ ; 
i f  ( I O ( c o u n t ) =  ’O’) then n e x t - s t a t e  < =  0DD_TEST_1 ; 
else n e x t - s t a t e  < =  SEND_FAIL_ODD; 
end i f ; 
when ODD-TEST-l =>  
nOE_i < =  ’O’ ; DIR_i < =  ’O ’ ; IO -IP  < =  ’1 ’ ;
IF  ( 1 0 ( c o u n t ) =  ’1 ’) t h e n  n e x t - s t a t e  < =  ODD_TEST_Ob; 
e l s e  n e x t  . s t a t e  < =  SEND-FAIL-ODD ; 
e n d  i f  ; 
w hen ODD_TEST-Ob =>  
nOE-i < =  ’O’ ; D IR -i  < =  ’O’ ; IO -IP  < =  ’O’ ;
IF  (10  ( c o u n t )  =  ’O’) t h e n
IF  (c o u n t  =  IO-NO—2) t h e n  n e x t - s t a t e  < =  END_TEST; 
e l s e
i n c . c o u n t  < =  ’ 1 ’ ; n e x t - s t a t e  < =  ODD_TEST_Oa; 
e n d  i f  ;
e l s e  n e x t - s t a t e  < =  SEND-FAIL-ODD ; 
e n d  i f  ; 
when SEND-F AIL-EVEN =>
ERROR < =  ’ 1 ’ ; D I R . i  < =  ’ 1 ’ ; IO-FAIL < =  ’ 1 ’ ;
IO-FAILED-PORT < =  STD_LOGIC_VECTOR(TO-UNSIGNED ((  c o u n t / 2 ) + 1 , 8 )  ) ; 
i f  START =  ’1 ’ t h e n  
i f  c o u n t—IO-NO—2 t h e n
r s t . c o u n t  < =  ’ 1 ’ ; n e x t - s t a t e  < =  ODD-TEST-Oa ; 
e l s e
i n c . c o u n t  <  =  ’! ’; n e x t - s t a t e  < =  EVEN_TEST_Oa; 
e n d  i f ;
e l s e  n e x t - s t a t e  < =  SEND-FAIL-EVEN ; 
end  i f  ; 
w hen SEND-FAIL-ODD =>
ERROR < =  ’ 1 ’ ; D IR -i  < =  ’O ’ ; IO-FAIL < =  ’ 1 ’ ;
IO-FAILED-PORT < =  STDJLOGIC_VECTOR(TO_UNSIGNED ( ( ( c o u n t  / 2 )  + 1 )  , 8 ) )  ; 
i f  START =  ’1 ’ t h e n
i f  c o u n t—IO-NO—2 t h e n  n e x t  . s t a t e  < =  END-TEST ; 
e l s e
i n c . c o u n t  <  =  ’! ’; n e x t - s t a t e  < =  ODD-TEST-Oa ; 
end  i f  ;
e l s e  n e x t  . s t a t e  < — SEND-FAIL-ODD ; 
end  i f  ; 
when END_TEST =>
IF ERROR-reg =  ’ 1 ’ t h e n  IO-FAILJEND < =  ’ 1 ’ ; 
e l s e  IO-PASS < =  ’ 1 ’ ;
222 Appendix C. Case S tudy  2: AW E Built-In Self Test VHDL Code
end  i f  ;
n e x t - s t a t e  < =  i d l e  ; 
end  c a s e  ; 
e n d  p r o c e s s  ;
DIR < =  D IR  J  ;
IO _ co u n ter  : p r o c e s s  ( e lk  ,RST) 
b e g in
i f  r i s i n g _ e d g e  (CLK) t h e n
i f  (RST =  ’ 1 ’ ) t h e n  co u n t  < =  0; 
e l s i f  ( r s t _ c o u n t  = ’1 ’) t h e n  c o u n t  <=0;  
e l s i f  ( in c _ c o u n t  = ’1 ’) t h e n  c o u n t  < = c o u n t + 2 ;  
end  i f  ; 
end  i f  ; 
end  p r o c e s s  ;
E RR OR Jlag: p r o c e s s  (CLK,RST) 
b e g in
i f  r i s i n g _ e d g e  (CLK) t h e n
i f  (RST =  ’ 1 ’) t h e n  ERROR_reg < =  ’ O ’ ; 
e l s i f  ERROR-CLR =  ’ 1 ’ t h e n  ERROR-reg < =  ’O ’ ; 
e l s i f  ERROR = ’1 ’ t h e n  ERROR_reg < =  ’ ! ’ ; 
end  i f  ; 
e n d  i f  ; 
end  p r o c e s s  ;
lO - w ir i n g  : p r o c e s s  (IO , DIR-i  , IO-IP , nOE_i)  
b e g in
IO < =  ( o t h e r s  =>  ’Z ’ ) ; 
i f  nOE-i =  ’0 ’ t h e n  
i f  (D I R - i  =  ’ 1 ’ ) t h e n
f o r  i in  0 t o  ( (IO -N O /2)  —1) l o o p  I O ( i * 2 )  < =  IO-IP ; 
e n d  l o o p  ; 
e l s e
f o r  i in  0 t o  ( ( I O - N O /2 ) —1) lo o p  I O ( ( i * 2 ) + l )  < =  IO -IP  ; 
end  lo o p  ; 
en d  i f  ;
e l s e  IO < =  ( o t h e r s  =>  ’Z ’ ) ; 
end  i f  ; 
end  p r o c e s s  ; 
nOE_0 < =  nOE_i ; 
nOEJL < =  nOE_i ; 
end;
C.6 Case Study 2: B IST _F SM  V H D L Com ponent
A further FSM is defined below to indicate how the BIST should trigger and respond to 
the other FSM components, B IS T -IO  and LF SR -F SM .
e n t i t y  BIST-ESM is  
p o r t  ( CLK,RST : in  s t d - l o g i c  ; START-RAM : in  s t d - l o g i c  ;
STARTJO : in  s t d - l o g i c  ; IO-RUN : o u t  s t d - l o g i c  ;
C. 7. Case S tudy 2: T L _B IST  VHDL Component 223
RAMJRUN : o u t  s t d _ l o g i c  ; RAM_FAIL : i n  s t d . l o g i c  ;
RAMJPASS : i n  s t d . l o g i c  ; IO.PASS : i n  s t d . l o g i c  ;
IO-FAIL : in  s t d . l o g i c ;  IO_FAIL_END : i n  s t d . l o g i c ;
IO_FAILEDJPORT : i n  s t d . l o g i c  . v e c t o r  (7 dow nto  0) ;
BISTJtEG : o u t  s t d . l o g i c  . v e c t o r  (7 dow nto  0 ) ) ;  
end  e n t i t y  ;
a r c h i t e c t u r e  behav o f  BIST.FSM is  
s i g n a l  IO.SR : s t d - l o g i c . v e c t o r  (1 dow nto  0) :=  ” 0 0 ” ; 
s i g n a l  RAMJ3R : s t d - l o g i c . v e c t o r  (1 dow nto  0) :=  ” 0 0 ” ; 
s i g n a l  BIST_REG_i : s t d . l o g i c  . v e c t o r  (7 dow nto  0) := X” 0 0 ” ; 
b e g in
BISTJtEGISTER : p r o c e s s  (CLK,RST) 
b e g in
i f  r i s i n g . e d g e  (CLK) t h e n
i f  (RST =  ’1 ’) t h e n  BIST_REG_i < =  X” 00 ” ;
e l s i f  RAMJPASS = ’1 ’ t h e n  BIST-REG-i < =  X”FC” ;
e l s i f  RAM-FAIL = ’1 ’ t h e n  BIST-REG-i < =  X”FD” ;
e l s i f  IO-FAIL = ’1 ’ t h e n  BIST-REG-i < =  IO-FAILED-PORT;
e l s i f  IO-FAIL.END = ' ! '  t h e n  BIST-REG-i < =  X”FE” ;
e l s i f  IO-PASS = ’1 ’ t h e n  B IS T .R E G J  < =  X”FF” ;
end  i f  ;
end  i f  ; 
end  p r o c e s s  ;
BISTJREG < =  BIBT.REG.i;
I O . r i s i n g . e d g e  : p r o c e s s  (CLK,RST) i s  
b e g in
i f  r i s i n g . e d g e  (CLK) t h e n
i f  (RST =  ’ 1 ’) t h e n  IO.SR < =  ( o t h e r s  =>  ’O’) ;  
e l s e  IO.SR < =  IO -S R (0 )  & STARTJO; 
e n d  i f  ;
end  i f  ; 
e n d  p r o c e s s  ;
IOJR.UN < =  ’1 ’ when IO -B R (l )  =  ’0 ’ and IO_SR(0) =  ’ 1 ’ e l s e  ’O ’ ; 
R A M .r i s in g .e d g e  : p r o c e s s  (CLK,RST) i s  
b e g in
i f  r i s i n g . e d g e  (CLK) t h e n
i f  (RST =  ’ 1 ’ ) t h e n  RAMJ3R < =  ( o t h e r s  =>  ’O’) ;  
e l s e  RAMJ3R < =  RAM^R(O) & START JtAM; 
end  i f  ;
end  i f  ; 
en d  p r o c e s s  ;
RAMRUN < =  ’1 ’ w hen R A M ^ R (l)  =  ’0 ’ and  RAM_SR(0) =  ’1 ’ e l s e  ’O ’ ; 
end  ;
C.7 Case Study 2: T L _B IST  V H D L C om ponent
The top level component encapsulating the other components within the BIST is defined 
below, describing the port mappings required to compose the components correctly.
224 Appendix C. Case S tudy 2: AW E  Built-In Self Test VHDL Code
e n t i t y  TLJBIST i s  
g e n e r i c  ( IO_NO : n a t u r a l  : =  128; RAMJNO : n a t u r a l  : =  10;
RAMjGHKJMO : n a t u r a l  := 4 ;  RAM-CHK-VALUE : s t d - l o g i c - v e c t o r  :=  X” 6 ” ) ; 
p o r t  ( CLK : i n  s t d _ l o g i c  ; RST : in  s t d - l o g i c  ^
START_EtAM : in  s t d - l o g i c ;  STARTJO : in  s t d - l o g i c  ;
nOE-O : o u t  s t d - l o g i c  ; nOE_l : o u t  s t d - l o g i c  ;
DIR : o u t  s t d _ l o g i c  ;
BIST-REG : o u t  s t d - l o g i c - v e c t o r  (7 dow nto  0 ) ;  
s l o w _ c l o c k  : o u t  s t d - l o g i c  ;
IO : i n o u t  s t d _ l o g i c - v e c t o r  (IO-NO—1 dow nto  0 ) ) ;  
end  e n t i t y  ;
a r c h i t e c t u r e  TL o f  TLJBIST i s  
s i g n a l  IO-PASS : s t d - l o g i c  ; s i g n a l  IO-FAIL : s t d - l o g i c  ; 
s i g n a l  IO_FAIL_END : s t d - l o g i c  ;
s i g n a l  IO_FAILED_PORT : s t d - l o g i c - v e c t o r  (7 dow nto  0) ; 
s i g n a l  IO-RUN : s t d  - l o g i c  ; s i g n a l  RAMRUN : s t d - l o g i c  ; 
s i g n a l  RAM-FAIL : s t d - l o g i c  ; s i g n a l  RAM-PASS : s t d - l o g i c  ;
s i g n a l  RST -i  : s t d - l o g i c  ; 
b e g in  
R S T J  < =  n o t  RST;
e n - d o c k - d i v i d e  : e n t i t y  W3RK. c l o c k _ d i v i d e
p o r t  map (C L K Jn —>  CLK, CLK_out =>  s l o w _ c l o c k  ) ; 
e n _ b s i t _ i o :  e n t i t y  WORK. B IS T J O  
g e n e r i c  map (IO-NO => IOJMO)
p o r t  map (CLK =>  CLK, RST =>  R S T J ,  START =>  IO-RUN, 
nOE_0 =>  nOE_0, nOE_l =>  n O E _ l , DIR =>  DIR,
IO-PASS =>  IO -PASS, IO-FAIL =>  IO -FAIL ,
IOJFAIL-END =>  IO-FAIL-END,
IO_FAILED_PORT = >  IO-FAILEDJPORT, IO =>  IO) ; 
e n _ b s i t _ f s m :  e n t i t y  WORK.BIST-FSM 
p o r t  map (CLK = >  CLK, RST =>  R S T J  ,
START-RAM =>  START-RAM, STARTJO =>  STARTJO,
IOJRUN => IO-RUN, RAMRUN =>  RAMRUN,
RAM_FAIL =>  RAM-FAIL, RAMJPASS =>  RAMJPASS,
IO-PASS => IO-PASS, IO-FAIL =>  IO-FAIL ,
IO-FAILJEND = >  IO-FAILJEND,
10JFAILEDJPORT =>  IO-FAILEDJPORT, BISTJREG =>  BIST-REG);  
e n _ b s i t _ r a m :  e n t i t y  WCRK.BIST-RAM 
g e n e r i c  map (RAMNO = >  RAMNO, RAM-CHKNO =>  RAMCHKNO, 
RAM-CHK_VALUE => RAM_CHK_VALUE) 
p o r t  map (CLK = >  CLK, RST => R S T J  ,
STARTRAM =>  RAMRUN, RAMJFAIL => RAM-FAIL,
RAM-PASS =>  RAMJPASS) ; 
e n d  a r c h i t e c t u r e ;
C.8. Case S tudy 2: Broken LFSR  VHDL Component 225
C.8 Case Study 2: Broken LFSR  V H D L C om ponent
A ‘broken’ version of the LFSR  component in Section C .l is given below for use in 
evaluating the hardware design, as discussed in Chapter 10.
e n t i t y  LFSR i s  
p o r t  ( CLK: i n  s t d _ l o g i c  ;
RST: in  s t d _ l o g i c  ;
LFSRJN : i n  s t d _ l o g i c  ;
LFSR-out : o u t  s t d _ l o g i c  ) ; 
e n d  e n t i t y  ;
a r c h i t e c t u r e  RTL o f  LFSR i s  
s i g n a l  LFSR : s t d _ l o g i c - v e c t o r  (3 dow nto  0) := ( o t h e r s  =>  ’ 1 ’) ; 
b e g in
LFSR-reg : p r o c e s s  (CLK,RST) 
b e g in  
i f  (RST =  ’1 ’) t h e n
LFSR < =  ( o t h e r s  =>  ’ 1 ’) ; 
e l s i f  r i s i n g _ e d g e  (CLK) t h e n
f o r  I i n  LFSR’HIGH dow nto  0 l o o p  
i f  I =  0 t h e n
LFSR(O) < =  LFSR (LFSR’HIGH) nand LFSRJN ; 
e l s e
LFSR(I) < =  L F S R ( I - l )  nand LFSRJN ; 
end  i f  ; 
end  l o o p  ; 
end  i f  ; 
end  p r o c e s s  ;
LFSR_out < =  LFSR(LFSR’HIGH) ; 
end;
Appendix C. Case S tudy 2: AW E Built-In Self Test VHDL Code
A ppendix D
Case Study 2: AWE Built In Self 
Test SVA4VHDL Code
We provide the SVA4VHDL generated by applying the translation rules T P i, T P 2 , T P 3 , 
T P 4 , T P 5 , TPg, T P 7 , TPg, T P 9 , and T P  1 0  (Tables 5.1 to 5.10) and translation procedures 
from Figures 7.4, 7.5, and 7.6, to the VHDL components from Appendix C. It follows 
tha t each section here provides the translation for a VHDL component. The translations 
are identified in Table D .l.
The decomposition of the number of lines of code required to describe each VHDL com­
ponent in SVA4VHDL is given in Table D.2 along with the VHDL equivalent. Clearly 
the lines of code needed to replicate the behaviour in SVA4VHDL far exceeds the original 
description in VHDL.
Component Name VHDL Representation SVA4VHDL Representation
TLJBIST Section C.7 Section D.7
BIST_FSM Section C . 6 Section D . 6
B IS T JO Section C.5 Section D.5
B IS T JtA M Section C.4 Section D.4
FSM JLFSR Section C.3 Section D.3
TLJLFSR Section C . 2 Section D.2
LFSR Section C .l Section D .l
Table D .l: Location identification for VHDL to SVA4HDL BIST components
227
228 Appendix D. Case S tudy  2: AW E Built In Self Test SVA4VHDL Code
__________________________   i____________
Component VHDL LoC SVA4VHDL LoC
TL_BIST 131 120
BISTJFSM 107 171
BIST-IO 282 777
BIST_RAM 74 36
FSM -LFSR 170 206
TLJLFSR 74 40
LFSR 51 49x4
T o ta l 889 1546
Table D.2: SVA4VHDL and VHDL component representation as lines of code
D .l  Case Study 2: LFSR  SVA4VHDL C om ponent
L F S R l  Sens L ists  =  < ( 0  , { I V . 1  , I V . 2 } ) , (1  , { I V . 8 } ) >
LFSRIComponent =  { ( L F SR l, { 0  , 1 } )  }
LFSRIInputs =  { ( I V . 1 ,0 , { 0 . . 1 > )  , (IV . 2 ,0 , { 0 • ■ 1} ) , (IV • 3 ,0  , { 0 • • 1 }  ) } 
L F S R IIn ter n a l  =  { ( I V . 5 ,1 , { 0  — ]_}) , ( I V . 6 , 1 , { 0 - - I } ) >
( I V . 7 , 1  , { 0 . . 1 > )  , ( I V . 8 , 1 , { 0 . . 1 > ) }
LFSRlO utputs =  { ( I V . 4 ,0  , { 0 . .  1 }  ) }
LFSRregl () =  (VHDLProc. ( { I V . 1 , IV . 2 }  ,
Cond. (CbmpOp.Eq. I V a r . IV . 2 . C o n s t .  1 ,
SQ .< l a s  s i g n  . ( I V a r . I V . 5 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V . 6 , C o n s t .  1) , 
l a s s i g n  . ( I V a r .  IV . 7 , C o n s t .  1) , l a s s i g n  . (  I V a r . I V . 8 , C o n s t .  1 ) > ,
Cond. (CompOp.Eq. IV ar  . IV . 1.  C o n s t . 1 ,
SQ .<C on d . (CompOp.Eq. I V a r . IV . 8 . I V a r . I V . 3 ,
l a s s i g n .  ( I V a r .  IV. 5 , C o n s t .  0) , l a s s i g n  . ( I V a r .  IV. 5 , C o n s t .  1) ) ,
Cond. (CompOp.Eq. I V a r . IV . 5 . I V a r . IV . 3 , 
l a s s i g n  . ( I V a r .  IV. 6 , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV. 6 , C o n s t .  1) ) ,
Cond. (CompOp.Eq. I V a r . IV . 6 . IV ar  . I V . 3 , 
l a s s i g n  . ( I V a r .  IV . 7 , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV . 7 , C o n s t .  1) ) ,
Cond. (CompOp.Eq. I V a r . IV . 7 .  I V a r . I V . 3 , 
l a s s i g n  . ( I V a r .  IV . 8 , C o n s t .  0)  , l a s s i g n  . ( I V a r . IV . 8 , C o n s t .  1) ) > ,
S k ip )  ) ) , ( { }  , { } )
LFSRoutl ()  =  (VHDLProc. ( { I V .  8 }  , l a s s i g n  . (  I V a r . I V . 4 , IV a r .  IV .8 )  ) , ( { } , { } )  
LFSR1RTL =  VKIL. LFSRl.< V P r o c . LFSRregl () ,V P r o c . LFSRoutl ()  > . { }
L F S R 2 S en sL is ts  =  < ( 2 , { I V . 9 , IV . 1 0 } )  , (3 , { I V . 1 6 } ) >
LFSR2Component =  { ( LFSR2, { 2  , 3 } )  }
D .l. Case S tudy 2: LFSR SVA4VHDL Component 229
LFSR2Inputs =  { ( I V . 9 ,0 , { 0 . . 1 } )  , ( I V . 10 ,0 , { 0 . .  1}  ) , ( I V . 11 ,0 , { 0 . . 1 } ) }  
L F S R 2 In tern a l  =  { ( I V . 13 ,1 , { 0 . . 1 } )  , ( I V . 14 ,1 , { 0 . . 1 > )  ,
( I V . 1 5 , 1  , { 0 . .  1}  ) , ( I V . 16 ,1 , { 0 . .  1}  ) }
L F SR 20utputs  =  { ( I V . 12 ,0 , { 0 . .  1 } )  }
L FSRreg2()  =  (VHDLProc. ( { I V . 9 , I V . 1 0 }  ,
Cond. (CompOp.Eq. I V a r . I V . 1 0 .  C o n s t . 1 ,
S Q . < l a s s i g n  . ( I V a r . I V . 13 , C o n s t . 1) , l a s s i g n  . ( I V a r . IV .1 4  , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . I V . 15 , C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 16 , C o n s t .  1) > ,
C o n d . (CompOp.Eq. I V a r . IV . 9 . C o n s t . 1 ,
SQ.CCond. (CompOp.Eq. I V a r . IV . 1 6 .  I V a r . IV. 11 ,
l a s s i g n  . ( I V a r . IV. 13 , C o n s t .0 )  , l a s s i g n  . ( I V a r . I V .  13 , C o n s t . 1 ) ) ,
Cond. (CompOp.Eq. I V a r . IV . 13 .  I V a r . I V . 11 , 
l a s s i g n  . ( I V a r . I V . 14 , C o n s t . 0 )  , l a s s i g n  . ( I V a r . I V . 14 , C o n s t . 1) ) ,
C o n d . (CompOp.Eq. I V a r . IV . 1 4 .  I V a r . I V . 11 , 
l a s s i g n  . ( I V a r . IV. 15 , C o n s t . 0)  , l a s s i g n  . ( I V a r . I V . 15 , C o n s t . 1) ) ,
Cond. (CompOp.Eq. I V a r . I V . 15 . I V a r . I V . 11 , 
l a s s i g n  . (  I V a r . I V . 16 ,C o n s t  .0 )  , l a s s i g n  . ( I V a r . I V . 16 , C o n s t . 1 ) )  > ,
S k i p ) ) ) ,  ( { } , { } )
LFSRout2 () =  (VHDLProc. ( { I V .  1 6 }  , l a s s i g n  . ( I V a r . I V . 12 , I V a r . I V . 16)  ) , ( { } , { } )  
LFSR2RTL =  VR3L.LFSR2.CVProc. LFSRreg2 () ,V P r o c . LFSRout2 () > . { }
L F SR S SensL is ts  =  < ( 4 , { I V .  17 , I V . 1 8 }  ) , (5 , { I V . 2 4 } ) >
LFSRSComponent =  { (  LFSR3 , { 4 , 5 } ) }
LFSR3Inputs =  { (IV . 17 ,0 , { 0 . .  1 }  ) , ( I V . 18 ,0 , { 0 . .  1 }  ) , ( I V . 19 ,0  , { 0 . .  1 }  ) } 
L F SR 3Intern a l  =  { ( I V . 21 ,1 , { 0 . . 1 } )  , ( I V . 22 ,1 , { 0 . . 1 } )  ,
( I V . 23  ,1 , { 0 . . 1 } )  , ( I V . 2 4 , 1  , { 0 . .  1}  ) }
LFSRSOutputs =  { ( I V . 20 ,0 , { 0 . .  1}  ) }
LFSRreg3 () =  (VHDLProc. ( { I V .  1 7 ,  IV. 1 8 } ,
C o n d . (CompOp. E q . I V a r . I V . 18 .  C o n s t . 1 ,
S Q . < l a s s i g n  . ( I V a r . I V . 21 , C o n s t . 1) , l a s s i g n  . ( I V a r . I V . 22 , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r .  IV . 23 , C o n s t .  1) , l a s s i g n  . ( I V a r .  IV. 24 , C o n s t .  1) > ,
Cond. (CompOp.Eq. I V a r . I V . 17 .  C o n s t . 1 ,
S Q .<C on d . (CompOp.Eq. I V a r . IV . 2 4 .  I V a r . I V . 19 ,
l a s s i g n  . ( I V a r . I V . 21 , C o n s t . 0) , l a s s i g n  . ( I V a r . IV .21  , C o n s t .  1) ) ,
Cond. (CompOp.Eq. I V a r . IV . 2 1. I V a r . I V . 19 , 
l a s s i g n .  ( I V a r .  IV. 2 2 ,  C o n s t .  0)  , l a s s i g n  . ( I V a r . I V . 22 , C o n s t . 1) ) ,
C on d . (CompOp.Eq. I V a r . IV . 2 2 .  I V a r . I V . 19 , 
l a s s i g n  . ( IV a r  . I V . 23 , C o n s t . 0) , l a s s i g n  . ( I V a r . I V . 23 , C o n s t .  1) ) ,
Cond. (CompOp.Eq. I V a r . IV . 2 4 . I V a r . I V . 19 , 
l a s s i g n  . ( I V a r .  IV. 23 , C o n s t .  0) , l a s s i g n  . ( IV a r  . IV .  23 , C o n s t .  1) ) > ,  
S k i p ) ) ) ,  ( { } , { } )
LFSRoutS () =  (VHDLProc. ( { I V . 2 4 }  , l a s s i g n .  ( I V a r . I V . 20 , I V a r . I V . 2 4 )  ) , ( { } , { } )  
LFSR3RTL =  VRTL.LFSR3.<VProc. LFSRreg3 () ,V P r o c . LFSRout3 ( ) > . { }
L F SR 4S en sL is ts  =  < ( 6 , { I V . 26 , I V . 2 0 6 } )  , (7  , { I V . 3 2 } ) >
LFSR4Component =  { (  LFSR4 , { 6 , 7 } ) }
LFSR4Inputs =  { (IV .2 6  ,0 , { 0 . .  1 }  ) , ( I V .2 0 6  ,0 , { 0 . .  1 }  ) , ( I V . 2 7  ,0  , { 0 . .  1 }  ) } 
L F SR 4Intern a l  =  { (IV . 29 ,1 , { 0  .. 1 } )  , (IV .3 0  ,1 , { 0 . .  1 }  ) ,
( I V . 31 ,1 , { 0 . .  1}  ) , ( I V . 32 ,1 , { 0 . .  1} ) }
L FSR 40utputs  =  { ( I V . 28 ,0 , { 0 . .  1} ) }
LFSRreg4 () =  (VHDLProc. ( { I V . 26 , I V . 2 0 6 }  ,
230 Appendix D. Case S tudy  2: AW E Built In Self Test SVA4VHDL Code
Cond. (C om pO p.E q .IV ar . I V . 2 0 6 . C o n s t . 1 ,
S Q . < I a s s i g n  . ( I V a r . I V . 29 , C o n s t .  1) , l a s s i g n  . ( I V a r .  IV. 30 , C o n s t .  1) , 
l a s s i g n  . ( I V a r . I V . 31 , C o n s t .  1) , l a s s i g n  . ( I V a r  . I V . 32 , C o n s t .  1) > ,
Cond. (CompOp.Eq.IVar . IV . 2 6. C o n s t .  1 ,
SQ. < C o n d . (CompOp. E q . I V a r . IV . 3 2 .  I V a r . I V . 2 7 ,
l a s s i g n  . ( I V a r . I V . 29 , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV .29  , C o n s t . 1) ) ,
Cond. (CompOp.Eq. I V a r . I V . 2 9.  I V a r . I V . 27  , 
l a s s i g n  . ( I V a r . IV .30  , C o n s t . 0) , l a s s i g n  . ( I V a r .  IV . 30 , C o n s t . 1 ) ) ,
Cond. (C om pO p.E q .IV ar. IV . 3 0 .  I V a r . I V .2 7  , 
l a s s i g n  . ( I V a r . I V . 31 , C o n st  .0 )  , l a s s i g n  . ( I V a r . IV .3 1  , C o n s t .  1) ) ,
Cond. (CompOp.Eq. I V a r . I V . 3 1 .  I V a r . I V . 27  , 
l a s s i g n  . ( I V a r . IV. 32 , C o n s t . 0)  , l a s s i g n  . ( I V a r .  IV. 32 , C o n s t .  1) ) > ,
S k i p ) ) ) ,  ( { } , { } )
LFSRout4()  =  (VHDLProc. ( { I V .  3 2 }  , l a s s i g n  . ( I V a r . I V . 2 8 , IV ar . I V . 32 ) ) , ( { } , { } )  
LFSR4RTL =  V R IL .L FSR4.<V Proc. LFSRreg4 () ,V P roc .  LFSRout4 () > . { }
D .2 Case S tudy 2: TL_LFSR  SVA4VH DL Com ponent
in c lu d e  ” I f s r  1 . c s p ” i n c lu d e  ” I f s r  2 . c s p ” 
i n c lu d e  ” I f s r 3 . c s p ” i n c lu d e  ” I f s r 4 . c s p ”
TLLFSRComponent =  { (T L L F SR ,{32})  }uLFSRlComponentU  
LFSR2Component ULFSR3Component ULFSR4Component 
TLLFSRContainedComponents =  { ( TLLFSR, { L F SR l, LFSR2, LFSR3, LFSR4} ) }
T L L FSR SensL ists  =  < ( 3 2 , { I V . 33 , I V .3 4  , I V .35  , I V .36  ,IV .3 7  , I V .3 8  , I V . 3 9 } ) >
TLLFSRInputs =  { ( I V . 33  ,0 , { 0 . . 1 > )  , ( I V . 3 4  ,0  , { 0 . . 1 } )  , ( I V . 3 5  ,0 , { 0 . . 1 } ) }
TLLFSR Internal =  { ( I V . 37  ,1 , { 0 . . 1 > )  , ( I V . 38  ,1 , { 0 . . 1 } )  , ( I V . 39 ,1 , { 0 . . 1 } ) }  
TLLFSROutputs =  { ( I V . 36 ,0 , { 0 . . 1 } ) }
TLLFSRMap =  VPMap. TLLFSR. <LFSR1RTL, LFSR2RTL, LFSR3RTL, LFSR4RTL>.
{ ( ( L F S R l , I V . 1) , (TLLFSR, IV. 3 3 ) )  , ( (L F SR l,  IV . 2)  , (TLLFSR, I V . 34 )  ) ,
( ( L F S R l , I V . 3 )  , (TLLFSR, IV. 3 5 )  ) , ( (L F S R l,  IV . 4 )  , (TLLFSR, I V . 3 7 )  ) ,
( ( LFSR2, I V .9 )  , (TLLFSR,IV.3 3 )  ) , ( (LFSR2 , I V . 10)  , (TLLFSR,IV.3 4 )  ) ,
( ( LFSR2, I V . 11 ) , (TLLFSR,IV.3 7 ) )  , ( (L F S R 2 ,IV .1 2 )  , (TLLFSR,IV.3 8 )  ) ,
( ( LFSR3, I V . 17 ) , (TLLFSR,IV.3 3 ) )  , ( (L F S R 3 ,IV .1 8 )  , (TLLFSR, IV. 34 )  ) ,
( ( LFSR3, I V . 19 ) , (TLLFSR,IV.3 8 ) )  , ( (L F S R 3 ,IV .2 0 )  , (TLLFSR, IV. 39 )  ) ,
( ( LFSR4, 1V. 2 6 ) , (TLLFSR,IV.3 3 )  ) , ( (LFSR4, I V . 2 7 )  , (TLLFSR, I V . 34 )  ) ,
( ( LFSR4, I V .2 8 )  , (TLLFSR,IV .3 9 )  ) , ( (L F S R 4 ,IV .2 9 )  , (TLLFSR,IV.3 6 )  ) } .
(32 , { I V . 3 3 , I V . 3 4 , I V . 3 5 , I V . 36 , IV. 3 7 ,  I V . 38 , I V . 3 9 } )
D .3 Case Study 2: FSM _L FSR  SVA4VH DL Com ponent
FSM LFSRSensLists =  < ( 9 , {IV .40  , I V . 4 1 } )  , (1 0  , { I V . 49 , I V . 42 , I V . 51 ,
I V . 52 , I V .5 3  , 1V .5 4  , I V . 5 5 } )  ,
( 1 1 , { I V . 4 0 , I V . 4 1 } )  , ( 1 2 , { I V . 4 0 , I V . 4 1 } )  , ( 1 3 , { I V . 4 0 , I V . 4 1 } )  , ( 1 4 , { I V . 6 3 } )  ,
( 1 5 , { I V . 4 0 , I V . 6 6 } )  , ( 1 6 , { I V . 41 , I V . 6 5 } ) >
FSMLFSRComponent =  {(FSMLFSR,{9 ,10  ,11 ,12  ,13  ,14  ,15  , 1 6 } ) }
FSMLFSRInputs =  { ( I V . 40 ,0 , { 0 . . 1 } )  , ( I V . 4 1  ,0 , { 0 . . 1 } )  , ( I V . 4 2  ,0 , { 0 . . 1 } )  , 
( I V . 4 3 , 0 , { 0 . . 1 } ) }
FSMLFSRInternal =  { ( I V . 49  ,0  , { 0 . . 3 } )  , ( I V . 50 ,0  , { 0 . .  3 } ) , ( I V . 5 1  ,0 , { 0 . . 1 3 } )  , 
( I V . 5 2 , 0 , { 0 . . 1 } )  , ( I V . 5 3 , 0 , { 0 . . 1 } )  , ( I V . 5 4 , 0 , { 0 . . 1 } )  , ( I V . 5 5 , 0 , { 0 . . 1 } ) ,
D.3. Case S tudy  2: FSM _LFSR SVA4VHDL Component 231
( I V . 56  ,0 , { 0 . .  1 }  ) , ( I V . 5 7 , 0 , { 0 . . 1 } )  , ( I V . 58 ,0  , { 0 . .  1 }  ) , (IV . 59 ,0  , { 0 . .  1 }  ) ,
( I V . 60  ,0  , { 0 . .  1 }  ) , ( I V . 6 1 , 0 , { 0 . . 1 } )  , ( I V . 6 2 , 1 , { 0 . . 1 } )  , ( I V . 6 3 , 1 , { 0 . . 1 } )  ,
( I V . 6 4 , 1  , { 0 . .  1}  ) , ( I V . 6 5  ,1 , { 0 . . 1 } )  , ( I V . 6 6  ,1 , { 0 . . 1 } ) }
FSMLFSROutputs =  { ( I V . 44  ,0  , { 0 . . 1 } )  , ( I V . 45  ,0  , { 0 . .  1 }  ) , (IV .4 6  ,0  , { 0 . .  1 }  ) ,
( I V . 4 7 , 0  , { 0 . .  1}  ) , ( I V . 4 8  ,0  , { 0 . .  1 }  ) }
FSMreg() =  (V H D IProc . ( { I V .4 0  , I V .4 1 >  ,
C o n d . (CompOp. E q . I V a r . I V . 4 0 . C o n s t . 1 ,
Cond. (CompOp.Eq. I V a r . IV . 4 1 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r .  IV . 4 9 , C o n s t .  0)  , l a s s i g n  . ( I V a r . IV .4 9  , I V a r . I V .5 0 )  ) ,
S k i p ) ) ,  ( { } , { } )
FSM LogicQ =  (V H D L P r o c .( { IV .4 9 , I V . 4 2 , I V . 5 1 , I V . 5 2 , I V . 5 3 , I V . 5 4 , I V . 5 5 } ,
SQ .< l a s s i g n  . ( I V a r . I V . 6 6 , C o n s t . 0 ) , l a s s i g n  . ( I V a r .  IV. 47  , C o n st  .0 )  , 
l a s s i g n  . ( I V a r .  IV. 48 , C o n s t .  0)  , l a s s i g n  . ( I V a r . IV . 65 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . I V . 50 , I V a r . I V . 4 9 )  ,
Cond. (CompOp.Eq. I V a r . IV . 4 9 .  C o n s t .0  ,
Cond. (CompOp. Eq. IV a r .  IV . 4 2 .  C o n s t .  1 , 
l a s s i g n  . ( I V a r .  IV. 50 , C o n s t . 2 ) , l a s s i g n  . ( I V a r . I V . 6 5 , C o n s t . 1 ) ) ,
Cond. ( CompOp. Eq. IV a r .  IV .  4 9.  C o n s t .  1 ,
C o n d . (CompOp.Eq. I V a r . IV . 5 1 .  C o n st  . 1 3 ,
Cond. (BBO p.And.BBO p.And.ConpO p.E q.IVar. IV . 5 2 .  C o n s t . 1.
CompOp. Eq. IV a r .  IV . 5 3.  C o n s t .  1 .BBOp. And.ConpOp.Eq. IV a r .  IV . 5 4 .
C o n s t . 1 . CompOp.Eq. I V a r . I V . 55 . C o n s t . 1 , 
l a s s i g n  . ( IV a r  . I V .5 0  , C o n s t . 2)  , l a s s i g n  . ( I V a r  . I V .5 0  , C o n s t . 3)  ) , 
l a s s i g n  . ( I V a r . I V . 66 , C o n s t .  1) ) ,
C o n d . (CompOp. E q . I V a r . IV . 4 9 . C o n s t . 2 ,
Sq . ( l a s s i g n  . ( IV a r  . I V . 48 , C o n s t . 1) , l a s s i g n  . ( I V a r . IV .50  , C o n st  .0 )  ) ,
C o n d . (ConpOp.Eq. I V a r . IV . 4 9 .  C o n s t . 3 ,
Sq .  ( l a s s i g n  . ( I V a r . I V . 48 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV .4 7  , C o n s t . 0 )  ) , 
Skip ) ) ) ) > ) ,  ( { } , { } )  
c o u n te r  () =  (VHDLProc. ( { I V .40  , I V .4 1 }  ,
Cond. (ConpOp.Eq. I V a r . I V . 4 0 .  C o n s t .  1 ,
Cond. (ConpOp.Eq. IV a r .  IV . 4 1 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 51 , C o n s t . 0)  ,
Cond. (C o n p O p .E q .IV a r . IV . 6 5 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r .  IV. 51 , C o n s t .  0)  ,
C o n d . (ConpOp.Eq. I V a r . IV . 6 6 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . IV .5 1  ,BIOp. P lu s  . I V a r . IV . 5 1 .  C o n s t .  1) ,
S k i p ) ) )  ,
S k i p ) ) ,  ( { } , { } )  
c h k R e g i s t e r  () =  (VHDLProc. ( { I V . 40 , I V . 4 1 }  ,
C o n d . (CompOp. E q . I V a r . IV . 4 0 .  C o n s t . 1 ,
Cond. (ConpOp.Eq. I V a r . IV . 4 1 .  C o n s t . 1 ,
S Q . < l a s s i g n  . ( I V a r . IV .52  , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV .5 3  , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . IV .5 4  , C o n s t . 0 )  , l a s s i g n  . ( I V a r . I V .5 5  , C o n s t . 0)  > ,
Cond. (ConpOp.Eq. I V a r . I V . 6 6 .  C o n s t . 1 ,
SQ .< l a s s i g n  . ( IV a r  . IV .  52 , IV ar  . IV .  4 3 )  , l a s s i g n  . ( I V a r .  IV. 5 3 , IV a r .  IV. 5 2 )  , 
l a s s i g n  . ( IV a r  . I V .5 4  , I V a r . I V . 53 )  , l a s s i g n  . ( I V a r . IV. 55 , I V a r . IV .4 4 )  > ,  
S k i p ) )  ,
S k i p ) ) ,  ( { } , { } )  
g e n R e g i s t e r  ()  =  (VHDLProc. ( { I V . 40 , I V . 4 1 }  ,
Cond. (ConpOp.Eq. I V a r . I V . 4 0 .  C o n s t .  1 ,
232 Appendix D. Case S tudy  2: AW E Built In Self Test SVA4VHDL Code
Cond. (Cbm pO p.Eq.IVar. I V . 4 1 .  C o n s t .  1 ,
S Q . < l a s s i g n  . ( I V a r . IV .56  , C o n s t . 1) , l a s s i g n  . ( I V a r . IV .5 7  , C o n s t .  1) , 
l a s s i g n  . ( IV a r  . I V . 58 , C o n s t .  1) , l a s s i g n  . ( I V a r . I V . 59 , C o n s t .  1 ) , 
l a s s i g n  . ( IV a r  . I V . 60 , C o n s t .  1) , l a s s i g n  . ( IV a r  . I V . 61 , C o n s t .  1) , 
l a s s i g n  . ( I V a r . IV .6 2  , C o n s t . 1) , l a s s i g n  . ( I V a r . I V .6 3  , C o n s t .  1) , 
l a s s i g n  . ( IV a r  . I V . 64 , C o n s t .  1) > ,
Cond. (CompOp.Eq. I V a r . IV . 6 5 . C o n s t . 1 ,
S Q . < l a s s i g n  . ( I V a r . I V . 56 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V . 57  , C o n s t . 1) , 
l a s s i g n  . ( I V a r . IV. 58 , C o n s t . 1 ) , l a s s i g n  . ( I V a r .  IV. 5 9 , C o n s t .  1) , 
l a s s i g n  . ( I V a r . IV. 60 , C o n s t . 1 ) , l a s s i g n  . ( I V a r .  IV. 61 , C o n s t . 1) , 
l a s s i g n  . ( I V a r . I V .6 2  , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V . 63 , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . IV .6 4  , C o n st .  1 ) > ,
Cond. (CbmpOp.Eq. I V a r . I V . 6 6.  C o n s t . 1 ,
SQ.<Cond. (C om pO p.E q .IV ar. IV . 6 4 .  I V a r . I V . 59 ,
l a s s i g n  . ( I V a r . IV .56  , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV .56  , C o n s t . 0) ) , 
l a s s i g n  . ( I V a r . I V . 57  , IV ar  . I V . 5 6 )  , l a s s i g n  . ( IV a r  . I V . 58 , I V a r . I V . 5 7 )  , 
l a s s i g n .  ( I V a r .  IV. 5 9 , IV a r .  IV. 58 )  , l a s s i g n  . ( I V a r .  IV. 60 , IV a r .  IV. 59 )  , 
l a s s i g n  . ( IV a r .  IV. 61 , I V a r . I V . 60 )  , l a s s i g n  . ( I V a r . IV. 62 , IV a r .  IV .6 1 )  , 
l a s s i g n .  ( I V a r . I V . 63 , I V a r . I V . 62)  , l a s s i g n  . ( I V a r . I V . 64 , I V a r . I V . 63)  > ,
S k i p ) ) )  ,
S k i p ) ) ,  ( { } , { } )
LFSRIN() =  (VHDLProc. ( { I V . 6 3 } ,  l a s s i g n .  ( I V a r . I V . 45 , I V a r . I V . 63)  ) , ( { } , { } )
LFSRClkQ =  (VHDLProc. ( { I V . 40 , I V . 6 6 }  ,
Cond. (BBOp.And.CompOp.Eq. I V a r . I V . 4 0 .  C o n s t . 1 .CbmpOp.Eq. I V a r . IV . 6 6 .  C o n s t .  1 , 
l a s s i g n  . ( IV a r  . I V . 46 , C o n s t .  1) , l a s s i g n  . ( IV a r  . I V . 46 , C o n s t . 0)  ) ) , ( { } , { } )
RSTInt () =  (VHDLProc. ( { I V . 41 , I V . 6 5 }  ,
Cond. (BBOp.Or.CbmpOp.Eq. I V a r . IV .4 1 .  C o n s t . 1 . Com pO p.E q.IVar. IV . 6 5 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . IV .4 4  , C o n s t . 1 ) , l a s s i g n  . ( I V a r .  IV . 44 , C o n s t . 0)  ) ) ,  ( { } , { } )
FSMLFSRRTL =  VKIL.FSMLFSR< V P r o c . FSMreg () ,V P r o c . FSMLogic () ,V Proc .  c o u n te r  () , 
V P roc.  c h k R e g i s t e r  () ,V P roc .  g e n R e g i s t e r  ()  ,V P r o c . LFSRIN() ,
V P roc .  LFSRClk() ,V P roc .  RSTInt () > . { }
D .4 Case Study 2: B IST _R A M  SVA4VHDL Com ponent
i n c l u d e  ” 1 1 _1 f s r  . c s p ” i n c lu d e  ” f s m _ l f s r  . c s p ”
BISTRAMSensLists =  < ( 3 3 , { I V . 67 , I V . 68 , I V .69  , IV .70  , I V .71 ,
I V . 72 , I V .7 3  , I V . 7 4 , I V . 7 5 } ) >
BISTRAMComponent =  { (BISTRAM, { 3 3 } ) } $  \cup$FSMLFSRComponent$ \  cup $
TLLFSRComponent
BISTRAMContainedComponents =  { (BISTRAM, {TLLFSR,FSMLFSR}) } $ \ c u p $  
TLLFSRContainedComponents  
BISTRAMInputs =  { ( I V . 67  ,0 , { 0 . . 1 } )  , (IV . 6 8 ,0 , { 0 . .  1}  ) , (IV . 6 9 ,0  , { 0 . .  1 }  ) } 
BISTRAMInternal =  { (IV . 72 ,0  , { 0 . .  1}  ) , (IV . 73 ,0 , { 0 . .  1 }  ) ,
( I V . 7 4 , 0  , { 0 . .  1}  ) , ( I V . 7 5  ,0 , { 0 . .  1}  ) }
BISTRAMOutputs =  { ( I V . 70 ,0 , { 0 . .  1 }  ) , ( I V . 71 ,0  , { 0 . .  1}  ) }
BISTRAMMap =  VPMap. BISTRAM. <  TLLFSRMap, FSMLFSRRTL >.
{ ( (FSMLFSR,IV .4 0 )  , (BISTRAM,IV .6 7 )  ) , ( (FSMLFSR, IV .4 1 )  , (BISTRAM, I V . 68 )  ) ,
( (FSMLFSR,IV .4 4 )  , (BISTRAM,IV.7 5 )  ) , (  (FSMLFSR,IV .4 2 )  , (BISTRAM,IV.69)  ) ,
((FSMLFSR, IV. 4 5 )  , (BISTRAM,IV.7 2 )  ) , (  (FSMLFSR, IV .4 6 )  , (BISTRAM, IV. 73 )  ) ,
((FSMLFSR, IV. 4 3 )  , (BISTRAM, IV . 7 4 )  ) , (  (FSMLFSR, IV .4 7 )  , (BISTRAM, IV. 70)  ) ,
((FSMLFSR, IV. 4 8 )  , (BISTRAM, IV .7 1 )  ) , ( (TLLFSR, I V . 33 )  , (BISTRAM, IV. 6 7 )  ) ,
D.5. Case S tudy 2: B IS T R O  SVA4VHDL Component 233
((TLLFSR, IV . 3 4 )  , (BISTRAM, I V . 7 5 )  ) , (  (TLLFSR, I V . 3 5 )  , (BISTRAM, I V . 7 2 )  ) ,
((TLLFSR, IV. 3 6 )  , (BISTRAM, IV. 7 4 )  ))-.
( 3 3 , { I V . 6 7 , I V . 68 , I V .6 9  , I V .7 0  , I V . 71 , I V . 72 , I V . 73 , I V . 74 , I V .7 5 > )
D .5 Case Study 2: BIST _IO  SVA4VH DL C om ponent
B IS T IO  Sens L is t s  =  < ( 2 3 , { I V . 1 1 4 , I V . 1 1 5 } )  , (24  , { I V .  1 47  , IV. 116 , IV. 1 1 7  ,
IV. 1 1 8 , IV. 1 1 9 , IV . 1 2 0 , IV. 121 , IV. 122 , I V . 123 , I V . 1 2 4 , I V . 1 5 7 , I V . 1 5 2 } )  ,
( 2 5 , { I V . 1 5 5 } )  , ( 2 6 , { I V . 1 1 4 , I V . 1 1 5 } )  , ( 2 7 , { I V . 1 1 4 , I V . 1 1 5 } )  ,
(28 , { I V . 1 1 7 , I V . 1 1 8 , I V . 1 1 9 , I V . 1 2 0 , I V . 1 2 1 , I V . 1 2 2 , I V . 1 2 3 , I V . 1 2 4 ,
I V . 1 5 1 , I V . 1 5 5 , I V . 1 5 6 } )  , (2 9  , { I V . 1 5 6 } )  , (3 0  , { I V . 1 5 6 } ) >
BISTIO Component =  { (BISTFSM, { 2 3  ,24  ,25  ,26  ,2 7  ,28  ,29  , 3 0 } ) }
B IST IO Inputs =  { ( I V . 1 1 4 , 0 , { 0 . . 1 } ) , ( I V . 1 1 5 , 0 , { 0 . . 1 } ) , ( I V . 1 1 6 , 0 , { 0 . . 1 } ) ,
( I V . 1 1 7 , 0  , { 0 . .  1}  ) , ( IV . 118  ,0  , { 0 . .  1}  ) , ( I V . 1 1 9 , 0 , { 0 . . 1 } )  , ( I V . 1 2 0 , 0 , { 0 . . 1 } )  ,
( I V . 121 ,0 , { 0 . .  1}  ) , ( IV . 12 2 ,0  , { 0 . .  1}  ) , ( I V  .1 2 3  ,0  , { 0 . .  1 }  ) , ( I V . 124  ,0 , { 0 . .  1}  ) }
B IS T IO  In ter n a l  =  { ( I V . 14 7  ,0 , { 0 . .  9 }  ) , ( I V . 1 48  ,0  , { 0 . .  9 }  ) , ( I V . 14 9  ,0 , { 0 . .  1}  ) ,
( I V .1 5 0  ,0 , { 0 . . 1 } )  , ( I V . 1 5 1  ,0 , { 0 . . 1 } )  , ( I V . 1 5 2  ,0  , { 0 . . 1 } )  , ( I V . 1 5 3  ,0 , { 0 . . 1 } )  ,
( I V . 1 54  ,0 , { 0 . .  1}  ) , ( I V . 15 5  ,0 , { 0 . .  1}  ) , ( I V . 156  ,0  , { 0 . . 1 } )  , ( I V . 1 5 7  ,0 , { 0 . .  8 }  ) }
BISTIO Outputs =  { ( I V . 125  ,0 , { 0 . .  1}  ) , ( I V . 12 6  ,0 , { 0 . . 1 } )  , ( I V . 12 7  ,0 , { 0 . . 1 } )  , 
( I V .1 2 8  ,0 , { 0 . . 1 } )  . ( I V . 1 2 9  ,0 , { 0 . . 1 } )  , ( I V . 1 3 0  ,0  , { 0 . . 1 } )  , ( I V . 1 3 1  ,0 , { 0 . . 1 } )  , 
( I V . 1 3 2 , 0 , { 0 . . 1 } )  , ( I V . 1 3 3 , 0 , { 0 . . 1 } )  , ( I V . 1 3 4 , 0 , { 0 . . 1 } )  , ( I V . 1 3 5 , 0 , { 0 . . 1 } )  , 
( I V . 1 3 6 , 0 , { 0 . . 1 } )  , ( I V . 1 3 7 , 0 , { 0 . . 1 } )  , ( I V . 1 3 8 , 0 , { 0 . . 1 } )  , ( I V . 1 3 9 , 0 , { 0 . . 1 } )  , 
( I V .1 4 0  ,0 , { 0 . . 1 } )  , ( I V . 1 4 1  ,0 , { 0 . . 1 } )  , ( I V . 1 4 2  ,0 , { 0 . . 1 } )  . ( I V . 1 4 3  ,0  , { 0 . . 1 } )  ,
( I V . 14 4  ,0 , { 0 . .  1}  ) , ( I V . 145  ,0 , { 0 . .  1 }  ) , ( I V . 146  ,0 , { 0 . . 1 } ) }  
fsmReg () =  (VHDLProc. ( { I V . 1 1 4 , I V . 1 1 5 }  ,
C o n d . (ConçOp. E q . I V a r . I V . 1 1 4 .  C o n s t . 1 ,
C o n d . (CompOp. E q . I V a r . I V . 1 1 5 .  C o n s t . 1 , 
l a s s i g n  . ( IV a r .  IV. 1 47  , C o n s t . 0 )  , l a s s i g n  . ( I V a r . I V . 14 7  , I V a r . IV . 1 4 8 )  ) ,
Sk ip )  ) , ( { } , { } )
DIRQ =  (V H D L P r o c .( { IV .1 5 5 }  , l a s s i g n . ( I V a r . I V . 1 2 7 , I V a r . I V . 1 5 5 )  ) , ( { } , { } )  
lO c o u n te r  () =  (VHDLProc. ( { I V .  1 1 4 , IV. 1 1 5 }  ,
C o n d . (CompOp. E q . I V a r . I V . 1 1 4 .  C o n s t . 1 ,
Cond. (CompOp.Eq. I V a r . I V . 1 1 5 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 157  , C o n s t .0 )  ,
Cond. (CompOp.Eq. I V a r . I V . 1 5 0 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r .  IV. 157  , C o n s t .  0)  ,
C o n d . (CompOp. E q . I V a r . IV . 1 4 9 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 15 7  ,BIOp. P lu s  . I V a r . IV . 1 5 7 .  C o n s t .2 )  ,
S k i p ) ) )  ,
Sk ip )  ) , ( { } , { } )
ERRORFlagQ =  (VHDLProc. ( { I V .  1 1 4 ,  IV. 1 1 5 }  ,
Cond. (CompOp.Eq. I V a r . I V . 1 1 4 .  C o n s t . 1 ,
Cond. (CompOp.Eq. I V a r . I V . 1 1 5 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 152 , C o n s t . 0 )  ,
Cond. (CbmpOp.Eq. I V a r . IV . 1 5 3 .  C o n s t . 1 , 
l a s s i g n  . (  I V a r . I V . 152 , C o n st  .0 )  ,
Cond. (CbmpOp.Eq. I V a r . IV . 1 5 4 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 152 , C o n s t . 1) ,
S k ip )  ) ) ,
S k i p ) ) ,  ( { } , { } )
lO W ir ing  () =  (VHDLProc. ( {  I V . 11 7  , I V . 118  , I V . 119  , I V . 120 , IV . 121 ,
234 Appendix D. Case S tudy 2: AW E Built In Self Test SVA4VHDL Code
IV. 122  , IV. 123 ,IV .  1 2 4 ,1 V .  151 ,IV .  155 , I V . 1 5 6 }  ,
S q .  (SQ .< l a s s i g n .  ( I V a r .  IV. 1 1 7 ,  C o n s t .  0)  , l a s s i g n .  ( I V a r .  IV . 1 1 8 ,  C o n s t .  0)  , 
l a s s i g n . ( I V a r . I V . 119 , C o n s t . 0) , l a s s i g n . ( I V a r . I V . 120 , C o n s t . 0)  , 
l a s s i g n .  ( I V a r . I V . 121 , C o n s t . 0)  , l a s s i g n  . (  I V a r . I V . 122 , C o n s t . 0 ) , 
l a s s i g n  . ( IV ar . I V . 123 , C o n s t . 0 ) , l a s s i g n  . ( IV ar  . I V . 1 2 4 ,  C o n s t . 0 ) > ,
Cond. (CompOp.Eq. I V a r . IV . 1 5 6 .  C o n s t . 0 ,
Cond. (CompOp.Eq. I V a r . IV . 1 5 5 .  C o n s t . 1 ,
SQ .< l a s s i g n  . ( I V a r . I V . 11 7  , I V a r . I V . 1 5 1 )  , l a s s i g n .  ( I V a r .  IV. 119 , I V a r . I V . 1 5 1 )  , 
l a s s i g n  . ( I V a r .  IV. 121 , I V a r . I V . 1 5 1 )  , l a s s i g n .  ( I V a r .  IV. 123 , I V a r . I V . 1 5 1 )  > ,  
S Q . C l a s s i g n  . ( I V a r . I V . 118  , I V a r . I V . 1 5 1 )  , l a s s i g n  . (  I V a r . I V . 120 , I V a r . I V . 1 5 1 )  , 
l a s s i g n .  ( I V a r .  IV . 122 , I V a r . I V . 1 5 1 )  , l a s s i g n . ( I V a r . I V . 124  , I V a r . I V . 1 5 1 )  > ) ,  
SQ. <  l a s s i g n  . ( IV ar  . I V . 1 1 7 ,  C o n st  .0 )  , l a s s i g n . ( IV ar  . I V . 1 1 8 ,  C o n s t . 0 ) , 
l a s s i g n . ( I V a r . I V . 1 1 9 , C o n s t . 0 )  , l a s s i g n .  ( I V a r .  IV. 120  , C o n s t .  0)  , 
l a s s i g n .  ( I V a r .  IV . 121 , C o n s t . 0)  , l a s s i g n .  ( I V a r .  IV . 122 , C o n s t .  0)  , 
l a s s i g n .  ( I V a r .  IV. 123  , C o n s t .  0)  , l a s s i g n  . (  I V a r . I V . 124  , C o n s t . 0)  > ) )  ) , ( { } , { } )
nO E zero()  =  (VHDLProc. ( { I V . 1 5 6 }  , l a s s i g n  . (  I V a r . I V . 125 , I V a r . I V . 1 5 6 )  ) , ( { } , { } )
nOEone() =  (VHDLProc. ( { I V . 1 5 6 }  , l a s s i g n  . (  I V a r . I V . 126 , I V a r . I V . 156)  ) , ( { } , { } )
f sm L ogic  () =  (VHDLProc. ( { I V . 1 4 7 , I V . 1 1 6 , I V . 1 1 7 , I V . 1 1 8 , I V . 1 1 9 , I V . 1 2 0 ,
I V . 121 , I V . 122 , I V . 123  , I V . 1 2 4 , I V . 1 5 7 , I V . 1 5 2 }  ,
S Q . C l a s s i g n .  ( IV ar  . I V . 149  , C o n s t . 0 ) , l a s s i g n .  ( IV ar  . I V .1 5 0  , C o n s t . 0 ) , 
l a s s i g n .  ( I V a r . I V . 1 5 3 , C o n s t . 0)  , l a s s i g n  . (  I V a r . I V . 154  , C o n s t . 0) , 
l a s s i g n  . ( I V a r . I V . 151 , C o n s t . 0) , l a s s i g n .  ( I V a r . I V . 156 , C o n s t . 0)  , 
l a s s i g n .  ( I V a r . I V . 155 , C o n s t . 0) , l a s s i g n  . (  I V a r . I V . 128 , C o n s t . 0) , 
l a s s i g n .  ( I V a r .  IV. 12 9 ,  C o n s t .  0)  , l a s s i g n  . ( I V a r . I V . 130 , C o n s t . 0) , 
l a s s i g n .  ( I V a r .  IV. 1 3 1 ,  C o n s t .  0) , l a s s i g n . ( I V a r . I V . 132 , C o n s t . 0)  , 
l a s s i g n .  ( I V a r . I V . 1 3 3 , C o n s t . 0) , l a s s i g n  . (  I V a r . I V . 134  , C o n s t . 0)  , 
l a s s i g n .  ( I V a r . I V . 1 3 5 , C o n s t . 0) , l a s s i g n  . (  I V a r . I V . 136 , C o n s t . 0) , 
l a s s i g n .  ( I V a r . I V . 1 3 7 , C o n s t . 0)  , l a s s i g n  . (  I V a r . I V . 138 , C o n s t . 0) ,
Cond. (CompOp.Eq. I V a r . IV . 1 4 7 .  C o n s t . 0 ,
SQ. <  l a s s i g n .  ( I V a r .  IV. 153 , C o n s t .  1) , l a s s i g n  . ( I V a r .  IV. 150 , C o n s t .  1) ,
Cond. (ConpOp.Eq. I V a r . I V . 1 1 6 .  C o n s t . 1 , 
l a s s i g n .  ( I V a r .  IV. 148  , C o n s t .  1) , l a s s i g n .  ( I V a r .  IV. 148 , C o n s t .  8)  ) > ,
C on d . (CorrpOp. E q . IV ar  . IV . 14 7. C o n s t . 1 ,
S Q . C l a s s i g n .  ( I V a r .  IV. 155 , C o n s t .  0)  , l a s s i g n  . ( I V a r . I V . 156 , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . I V . 151 , C o n s t . 0) ,
Cond. (CompOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 1 ,
C o n d . (ConpOp.Eq. I V a r . IV . 1 1 8 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r . I V . 148 , C o n s t . 2 ) , l a s s i g n  . ( I V a r . I V . 148 , C o n s t . 7) ) ,
Cond. (C o n p O p .E q .IV a r . IV . 1 5 7 .  C o n s t . 2 ,
C o n d . (ConpOp.Eq. IV ar  . IV . 1 1 9 .  C o n s t . 0 , 
l a s s i g n  . ( IV ar  . I V . 148 , C o n s t . 2 ) , l a s s i g n  . ( I V a r . I V . 148 , C o n s t . 7)  ) ,
Cond. (ConpOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 3 ,
Cond. (ConpOp.Eq. I V a r . IV . 1 2 0 .  C o n s t . 0 , 
l a s s i g n .  ( I V a r .  IV. 148 , C o n s t .  2)  , l a s s i g n  . (  I V a r . I V . 148 , C o n s t . 7)  ) ,
Cond. (C onpO p.E q.IV ar  . IV . 1 5 7 .  C o n s t . 4 ,
Cond. (ConpOp.Eq. I V a r . IV . 1 2 1 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r . IV . 1 4 8 , C o n s t . 2)  , l a s s i g n  . ( I V a r . I V . 148 , C o n s t . 7) ) , 
Cond. (ConpOp.Eq. I V a r . IV .1 5  7. C o n s t . 5 ,
Cond. (ConpOp.Eq. I V a r . IV . 1 2 2 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r . IV . 1 4 8 ,  C o n st  .2 )  , l a s s i g n .  ( I V a r . IV . 1 4 8 ,  C o n s t . 7 ) ) , 
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 6 ,
D.5. Case S tudy 2: B IS T R O  SVA4VHDL Component 235
Cond. (C om pO p.E q .IV ar . I V . 1 2 3 . C o n s t . 0 , 
l a s s i g n  . ( I V a r . I V .  148 , C o n s t .2 )  , l a s s i g n  . ( I V a r . I V .  148  , C o n s t .7 )  ) , 
Cond. (ConpOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 7 ,
Cond. (C o n p O p .E q .IV a r . I V . 1 2 4 . C o n s t . 0 , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 2 ) , l a s s i g n  . ( I V a r .  IV. 148 , C o n s t . 7)  ) , 
S k i p ) ) ) ) ) ) ) > ,
C o n d . (ConpOp. E q . I V a r . IV . 14 7.  C o n s t . 2 ,
S Q . C l a s s i g n  . ( I V a r .  IV. 155 , C o n s t .  0)  , l a s s i g n  . ( I V a r . IV . 156 , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . IV .1 5 1  , C o n s t . 1 ) ,
C o n d . (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 1 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 1 8 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 148 , C o n s t . 3 )  , l a s s i g n  . ( I V a r . I V .1 4 8  , C o n s t .7 )  ) ,
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t .2 ,
C o n d . (ConpOp.Eq. I V a r . I V . 1 1 9 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . IV . 148  , C o n s t . 3 ) , l a s s i g n  . ( IV a r .  IV. 148 , C o n st  .7 )  ) ,
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 3 ,
C on d . (ConpOp. E q . I V a r . IV . 12 0. C o n s t . 1 , 
l a s s i g n  . ( I V a r . IV. 148  , C o n st  .3 )  , l a s s i g n  . ( IV ar  . IV .  148 , C o n s t . 7 )  ) ,
C on d . (ConpOp. E q . I V a r . I V . 15 7. C o n s t . 4 ,
C o n d . (ConpOp.Eq. I V a r . IV . 1 2 1 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 148  , C o n s t . 3)  , l a s s i g n  . ( I V a r . I V .1 4 8  , C o n s t . 7 )  ) , 
Cond. (C o n p O p .E q .IV a r . I V . 1 5 7 .  C o n s t . 5 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 2 2 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r .  IV . 148 , C o n s t . 3 ) , l a s s i g n  . ( IV a r .  IV. 148 , C o n s t . 7) ) , 
C o n d . (ConpO p.Eq. I V a r . I V . 15 7. C o n s t . 6 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 2 3 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r .  IV . 148  , C o n s t .  3) , l a s s i g n  . ( I V a r . I V . 148  , C o n s t . 7 )  ) , 
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t .7  ,
Cond. (ConpOp.Eq. I V a r . IV . 1 2 4 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . IV. 148 , C o n st  .3 )  , l a s s i g n  . ( I V a r . IV. 148 .C o n s t  .7 )  ) , 
S k i p ) ) ) ) ) ) ) > ,
Cond. (ConpOp.Eq. I V a r . I V . 1 4 7 .  C o n s t . 3 ,
SQ.< l a s s i g n  . ( IV a r .  IV .1 5 5  .C o n s t  . 0 )  , l a s s i g n  . ( I V a r . IV. 156  , C o n s t . 1) , 
l a s s i g n  . ( I V a r . IV. 151 . C o n s t . 1) ,
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 1 ,
C on d . (ConpOp.Eq. I V a r . I V . 1 1 8 .  C o n s t .0  ,
S q .  ( l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V . 149 , C o n s t .  1) ) , 
l a s s i g n  . ( I V a r . I V . 148 . C o n s t . 7)  ) ,
C o n d . (ConpOp. E q . I V a r . I V . 15 7. C o n s t . 2 ,
Cond. (ConpOp.Eq. I V a r . IV . 1 1 9 .  C o n s t . 0 ,
Sq .  ( l a s s i g n  . ( I V a r .  IV. 148 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V . 149  , C o n s t . 1) ) , 
l a s s i g n  . ( I V a r .  IV . 148 .C o n s t .  7)  ) ,
C o n d . (ConpOp.Eq. I V a r . IV . 1 5 7 .  C o n s t .3 ,
Cond. (ConpOp.Eq. I V a r . I V . 12 0. C o n s t . 0 ,
S q .  ( l a s s i g n  . ( I V a r . IV. 148 .C o n s t .  1) . ,  l a s s i g n  . ( I V a r . I V . 149  .C o n s t .  1 ) ) , 
l a s s i g n  . ( I V a r . IV. 148 .C o n s t .  7)  ) ,
Cond. (C o n p O p .E q .IV a r . I V . 1 5 7 .  C o n s t .4 ,
Cond. (ConpOp. Eq. IV a r .  IV. 1 2 1 .  C o n s t .  0 ,
S q .  ( l a s s i g n  . ( I V a r .  IV. 148 . C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 149 , C o n s t .  1) ) , 
l a s s i g n  . ( I V a r . I V .  148 , C o n s t .7 )  ) ,
Cond. (ConpOp.Eq. IV a r .  IV . 1 5 7 .  C o n s t . 5 ,
236 Appendix D. Case S tudy  2: AW E Built In Self Test SVA4VHDL Code
Cond. (Cbm pO p.Eq.IVar. IV . 1 2 2 .  C o n s t . 0 ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 149 , C o n s t . 1) ) , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 7) ) ,
Cond. (CompOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 6 ,
Cond. (CbmpOp.Eq. I V a r . I V . 12 3. C o n s t . 0 ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 148 , C o n s t .  1) , l a s s i g n  . ( I V a r . I V . 149 , C o n s t . 1 ) ) , 
l a s s i g n  . ( I V a r . I V .  148  , C o n s t . 7)  ) ,
Cond. (Cbm pO p.Eq.IVar. I V . 1 5 7 .  C o n s t . 7 ,
Cond. (CbmpOp.Eq. I V a r . I V . 1 2 4 .  C o n s t .  0 ,
Sq . ( l a s s i g n  . ( I V a r . IV. 148 , C o n st  .4 )  , l a s s i g n  . ( I V a r . I V . 149 , C o n s t . 1 ) ) , 
l a s s i g n  . ( I V a r . I V .  148  , C o n s t . 7) ) ,
S k i p ) ) ) ) ) ) ) > ,
Cond. (ConpOp.Eq. IV a r .  IV. 14 7.  C o n s t .  4 ,
S Q . < l a s s i g n  . ( I V a r . IV. 155 , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV .1 5 6  , C o n s t . 0) , 
l a s s i g n  . ( I V a r . I V .  151 , C o n s t . 0)  ,
Cond. (C bm pO p.E q.IVar. IV . 15 7. C o n s t . 0 ,
Cond. (C o n p O p .E q .IV a r . IV . 1 1 7 .  C o n s t . 0 , 
l a s s i g n .  ( I V a r .  IV . 148 , C o n s t .  5) , l a s s i g n  . ( I V a r .  IV. 148 , C o n s t .  8 )  ) ,
Cond. (ConpOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 1 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 1 8 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r .  IV. 148 , C o n s t .  5)  , l a s s i g n  . ( I V a r .  IV. 148 , C o n s t .  8)  ) ,
Cond. (ConpOp.Eq. IV a r .  IV . 15 7. C o n s t .  2 ,
Cond. (CbmpOp.Eq. I V a r . I V . 1 1 9 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 5)  , l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 8)  ) ,
Cond. (C b m p O p .E q .IV a r .IV .1 5 7 . C o n s t . 3 ,
Cond. (CbmpOp.Eq. I V a r . IV . 12 0. C o n s t . 0 , 
l a s s i g n  . ( I V a r . IV. 148 , C o n st  .5 )  , l a s s i g n  . ( I V a r . IV. 148 , C o n s t .8 )  ) ,
Cond. (CbmpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t .4 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 2 1 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r .  IV . 148 , C o n s t .  5)  , l a s s i g n  . ( I V a r .  IV. 148 , C o n s t .  8)  ) , 
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 5 ,
Cond. (ConpOp.Eq. I V a r . IV . 1 2 2 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r .  IV . 148  , C o n s t .  5)  , l a s s i g n  . ( I V a r .  IV. 148 , C o n s t .  8)  ) , 
Cond. ( C o n p O p .E q .I V a r .I V .1 5 7 . C o n s t . 6 ,
Cond. (C o n p O p .E q .IV a r . IV . 1 2 3 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t .  5)  , l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 8) ) , 
Cond. (C b n p O p .E q .IV a r . IV . 1 5 7 .  C o n s t . 7 ,
Cond. (CbmpOp.Eq. I V a r . I V . 1 2 4 .  C o n s t .0  , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 5) , l a s s i g n  . ( I V a r .  IV. 148 , C o n s t . 8) ) , 
S k i p ) ) ) ) ) ) ) ) > ,
Cond. (ConpOp.Eq. I V a r . IV . 1 4 7 .  C o n s t .  5 ,
SQ.< l a s s i g n  . ( I V a r .  IV. 155 , C o n s t .  0 )  , l a s s i g n  . ( I V a r . IV. 156 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . IV. 151 , C o n s t . 1 ) ,
Cond. (ConpOp.Eq. I V a r . I V . 15 7. C o n s t . 1 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 1 7 .  C o n s t . 1 , 
l a s s i g n  . ( IV a r  . I V . 148 , C o n s t  .6 )  , l a s s i g n  . ( I V a r . IV. 148 , C o n s t .8 )  ) ,
Cond. (ConpOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 2 ,
Cond. (C o n p O p .E q .IV a r . IV . 1 1 8 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r . I V . 148 , C o n s t . 6)  , l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 8)  ) ,
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 3 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 1 9 .  C o n s t . 1 ,
D.5. Case S tudy 2: B IST -IO  SVA4VHDL Component 237
l a s s i g n  . ( I V a r . I V .  148  , C o n s t . 6) , l a s s i g n  . ( I V a r . I V .  148 , C o n s t . 8)  ) ,
Cond. (CompOp.Eq. I V a r . IV . 1 5 7 .  C o n s t .4  ,
Cond. (C bm pO p.E q.IVar. I V . 1 2 0 . C o n s t . 1 , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t .6 )  , l a s s i g n  . ( I V a r . I V .1 4 8  , C o n st  .8 )  ) ,
Cond. (CbmpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 5 ,
Cond. (CbmpOp.Eq. I V a r . I V . 1 2 1 .  C o n s t .  1 , 
l a s s i g n  . ( I V a r .  IV. 148  , C o n s t . 6 ) , l a s s i g n  . ( IV ar  . IV .  148 , C o n s t . 8)  ) ,
Cond. (CbmpOp.Eq. IV a r .  IV . 15 7. C o n s t .  6 ,
Cond. (C bm pO p.E q.IVar. IV . 1 2 2 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r .  IV . 148 , C o n s t . 6 ) , l a s s i g n  . ( I V a r .  IV . 148  , C o n s t . 8)  ) ,
Cond. (C o n p O p .E q .IV a r . I V . 1 5 7 .  C o n s t .7  ,
Cond. (C b m p O p .E q .IV a r .IV . 1 2 3 . C o n s t . 1 , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 6 )  , l a s s i g n  . ( I V a r . IV. 148 , C o n s t  .8 )  ) ,
C o n d . (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 7 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 2 4 .  C o n s t . 1 , 
l a s s i g n  . ( I V a r .  IV. 148 , C o n st  .6 )  , l a s s i g n  . ( I V a r . IV. 148  , C o n s t . 8 ) ) , 
S k i p ) ) ) ) ) ) ) ) > ,
Cond. (CbmpOp.Eq. I V a r . IV . 1 4 7 .  C o n s t . 6 ,
SQ.< l a s s i g n  . ( I V a r . IV. 155 , C o n s t . 0 )  , l a s s i g n  . ( I V a r .  IV. 156  , C o n s t . 0)  , 
l a s s i g n  . ( I V a r .  IV. 151 , C o n s t .  0)  ,
C o n d . (C o n p O p .E q .IV a r . I V . 1 5 7 . C o n s t .0 ,
Cond. (C b m pO p.E q .IV a r .IV . 1 1 7 .  C o n s t .0 ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 148 , C o n s t .4 )  , l a s s i g n  . ( I V a r . IV. 149 , C o n s t .  1) ) , 
l a s s i g n  . ( I V a r . IV. 148 , C o n s t .  8 )  ) ,
Cond. (C b n p O p .E q .IV a r . I V . 15 7.  C o n s t . 1 ,
Cond. (CbmpOp.Eq. I V a r . IV . 1 1 8 .  C o n s t . 0 ,
Sq .  ( l a s s i g n  . ( I V a r .  IV. 148  , C o n s t  . 4 )  , l a s s i g n  . ( I V a r . IV .1 4 9  , C o n s t . 1 ) ) , 
l a s s i g n  . ( I V a r . I V .  148 , C o n s t .8 )  ) ,
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 2 ,
Cond. (CbmpOp.Eq. I V a r . IV . 11 9  . C o n s t . 0 ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 148 , C o n s t  .4 )  , l a s s i g n  . ( I V a r . IV. 149  , C o n s t .  1) ) , 
l a s s i g n  . ( IV a r  . IV .  148  , C o n s t . 8 )  ) ,
C o n d . (ConpOp.Eq. I V a r . I V . 15 7. C o n s t . 3 ,
Cond. (ConpOp.Eq. I V a r . I V . 12 0. C o n s t . 0 ,
S q .  ( l a s s i g n  . ( I V a r . IV. 148 , C o n s t . 4)  , l a s s i g n  . ( I V a r . IV . 149  , C o n s t . 1 ) ) , 
l a s s i g n  . ( I V a r . I V . 148 , C o n st  .8 )  ) ,
Cond. (ConpOp.Eq. I V a r . I V . 15 7. C o n s t . 4 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 2 1 .  C o n s t . 0 ,
S q .  ( l a s s i g n  . ( I V a r . I V . 148  , C o n s t .4 )  , l a s s i g n  . ( I V a r .  IV. 149  , C o n s t . 1 ) ) , 
l a s s i g n  . ( I V a r . I V .  148 , C o n s t . 8 )  ) ,
Cond. (ConpOp.Eq. IV ar  . IV . 1 5 7 .  C o n s t . 5 ,
Cond. (ConpOp.Eq. I V a r . I V . 1 2 2 .  C o n s t .0 ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 148  , C o n s t  .4 )  , l a s s i g n  . ( I V a r . I V . 149  , C o n s t . 1 ) ) , 
l a s s i g n  . ( I V a r .  IV. 148 , C o n s t .  8) ) ,
Cond. (ConpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t .6 ,
Cond. (C o n p O p .E q .IV a r . I V . 12 3  . C o n s t . 0 ,
Sq .  ( l a s s i g n  . ( IV ar  . IV . 148 , C o n s t . 9)  , l a s s i g n  . ( I V a r . IV . 150 , C o n s t . 1 ) ) , 
l a s s i g n  . ( I V a r . I V .  148 , C o n s t . 8) ) ,
Cond. (ConpOp.Eq. IV a r .  IV . 15 7.  C o n s t .  7 ,
Cond. (ConpOp.Eq. I V a r . IV . 1 2 4 .  C o n s t . 0 ,
S q .  ( l a s s i g n  . ( I V a r . I V . 148  , C o n st  .4 )  , l a s s i g n  . ( I V a r . IV. 149 , C o n s t . 1) ) ,
238 Appendix D. Case S tudy 2: AW E Built In Self Test SVA4VHDL Code
l a s s i g n  . ( I V a r . I V .  148 , C o n s t . 8)  ) ,
S k i p ) ) ) ) ) ) ) ) > ,
Cond. (CompOp.Eq. I V a r . IV . 1 4 7 .  C o n s t . 7 ,
S Q . C l a s s i g n  . ( I V a r .  IV. 154  , C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 155 , C o n s t . 1) , 
l a s s i g n  . ( I V a r . IV. 129 , C o n s t . 1 ) ,
Cond. (ConpOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 0 ,
S Q . C l a s s i g n  . ( I V a r . I V . 131 , C o n s t . 1) , l a s s i g n  . ( I V a r . I V . 132 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . IV. 133 , C o n s t . 0)  , l a s s i g n  . ( I V a r .  IV. 134 , C o n s t .  0)  , 
l a s s i g n  . ( I V a r . IV. 135 , C o n s t . 0)  , l a s s i g n  . ( IV a r .  IV. 136 , C o n st  .0 )  , 
l a s s i g n  . ( I V a r . IV. 13 7  , C o n st  .0 )  , l a s s i g n  . ( I V a r . IV. 138 , C o n s t .0 )  > ,
Cond. (C om pO p.E q .IV ar. IV . 15 7. C o n s t . 1 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V . 132 , C o n s t . 0) , 
l a s s i g n  . ( I V a r . I V . 133 , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 134  , C o n s t . 0) , 
l a s s i g n  . ( I V a r . I V . 135 , C o n s t . 0) , l a s s i g n  . ( I V a r .  IV. 136 , C o n s t .  0)  , 
l a s s i g n  . ( I V a r .  IV. 137  , C o n s t .  0) , l a s s i g n  . ( I V a r .  IV. 138 , C o n s t .  0) > ,
Cond. (CompOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 2 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 132 , C o n s t . 1) , 
l a s s i g n  . ( IV a r  . IV .  133 , C o n s t .  0)  , l a s s i g n  . ( I V a r . IV. 134 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . I V . 135 , C o n s t .0 )  , l a s s i g n  . ( I V a r . IV. 136 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . IV. 137  , C o n st  .0 )  , l a s s i g n  . ( I V a r .  IV. 138 , C o n s t . 0)  > ,
Cond. (ConpOp.Eq. IV ar . I V . 1 5 7 .  C o n s t . 3 ,
S Q . C l a s s i g n  . ( I V a r .  IV. 131 , C o n s t .  0 )  , l a s s i g n  . ( I V a r .  IV. 132 , C o n s t .  1) , 
l a s s i g n  . ( I V a r .  IV. 133 , C o n s t .  0) , l a s s i g n  . ( IV a r  . IV .  134  , C o n s t .  0)  , 
l a s s i g n  . ( I V a r . IV. 135 , C o n s t . 0)  , l a s s i g n  . ( I V a r .  IV. 136 , C o n s t .  0)  , 
l a s s i g n  . ( I V a r . I V .  137  , C o n s t . 0)  , l a s s i g n  . ( I V a r . I V .  138 , C o n s t . 0) > ,
C on d . (ConpO p.Eq. I V a r . I V . 15 7. C o n s t . 4 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 132 , C o n s t . 1) , 
l a s s i g n  . ( I V a r . IV. 133 , C o n s t . 0)  , l a s s i g n  . ( I V a r .  IV. 134  , C o n s t .  0)  , 
l a s s i g n  . ( I V a r . I V . 135 , C o n s t . 0)  , l a s s i g n  . (  I V a r . I V . 136 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . IV. 13 7  , C o n s t .0 )  , l a s s i g n  . ( I V a r . IV. 138 , C o n s t . 0) > ,
Cond. (ConpOp.Eq. IV a r .  IV. 15 7. C o n s t .  5 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 132 , C o n s t . 1 ) , 
l a s s i g n  . ( IV a r  . IV .  133 , C o n s t .  0)  , l a s s i g n  . ( I V a r . I V . 134 , C o n s t . 0)  , 
l a s s i g n  . ( IV a r  . IV .  135 , C o n s t . 0) , l a s s i g n  . ( I V a r . I V . 136 , C o n s t .0 )  , 
l a s s i g n  . ( I V a r .  IV. 137  , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV. 138 , C o n s t .  0 )  > ,
Cond. (ConpOp.Eq. I V a r . I V . 15 7. C o n s t . 6 ,
S Q . C l a s s i g n  . ( I V a r . I V . 131 , C o n s t . 0)  , l a s s i g n  . ( I V a r . I V .  132 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r .  IV. 133 , C o n s t .  1) , l a s s i g n  . ( I V a r .  IV . 134 , C o n s t .  0) , 
l a s s i g n  . ( I V a r . IV . 135 . C o n s t . 0)  , l a s s i g n  . ( I V a r .  IV. 136 , C o n s t .  0) , 
l a s s i g n  . ( I V a r . I V .  137  , C o n s t . 0)  , l a s s i g n  . ( I V a r . I V .  138 , C o n s t . 0)  > ,  
Cond. (ConpOp.Eq. I V a r . IV . 15 7. C o n s t . 7 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n st  .0 )  , l a s s i g n  . ( I V a r . IV. 132 , C o n s t .0 )  , 
l a s s i g n  . ( I V a r . I V . 133 , C o n s t . 1 ) , l a s s i g n  . ( I V a r .  IV. 134 , C o n s t .  0) , 
l a s s i g n  . ( I V a r . IV. 135 , C o n st  .0 )  , l a s s i g n  . ( I V a r . I V . 136 , C o n s t . 0) , 
l a s s i g n  . ( I V a r . IV. 137  , C o n s t . 0) , l a s s i g n  . ( I V a r . IV. 138 , C o n s t .0 )  > ,  
Cond. (ConpOp.Eq. IV a r .  IV . 15 7. C o n s t .  8 ,
S Q . C l a s s i g n  . ( I V a r . I V . 131 , C o n st  .0 )  , l a s s i g n  . ( I V a r . I V . 132 , C o n s t . 0 )  , 
l a s s i g n  . ( I V a r . I V . 133 , C o n s t . 0) , l a s s i g n  . ( I V a r . IV. 134  , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . I V . 135  , C o n s t . 0)  , l a s s i g n .  ( I V a r .  IV . 136 , C o n s t .  0)  , 
l a s s i g n  . ( I V a r . I V . 137  , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 138 , C o n s t . 0)  > ,  
S k i p ) ) ) ) ) ) ) ) ) ,
D.5. Case S tudy 2: B ISTJtO  SVA4VHDL Component 239
C on d . (CompOp. E q . I V a r . IV . 1 1 6 .  C o n s t . 1 ,
Cond. (CompOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 6 ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 148  , C o n st  .4 )  , l a s s i g n  . ( I V a r . IV. 150 , C o n s t . 1) ) ,
Sq .  ( l a s s i g n  . ( I V a r . I V . 148  , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 149 , C o n s t . 1) ) ) , 
l a s s i g n  . ( I V a r .  IV . 148 , C o n s t . 7 ) ) > ,
C on d . (CompOp. E q . I V a r . I V . 14 7.  C o n s t . 7 ,
S Q . < l a s s i g n  . ( I V a r . IV. 154  , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 155 , C o n st  .0 )  , 
l a s s i g n  . ( I V a r . IV. 129 , C o n s t . 1 ) ,
Cond. (CompOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 0 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t .  1 ) , l a s s i g n  . ( I V a r . IV. 132 , C o n s t .0 )  , 
l a s s i g n  . ( I V a r . IV. 133 , C o n s t . 0 )  , l a s s i g n  . ( I V a r . I V . 13 4  , C o n s t .0 )  , 
l a s s i g n  . (  I V a r . IV . 135 ,C o n s t .  0 )  , l a s s i g n  . ( I V a r .  IV. 136 , C o n s t .  0)  , 
l a s s i g n  . ( I V a r . IV. 13 7  , C o n s t .0 )  , l a s s i g n  . ( I V a r . IV. 138 , C o n st  .0 )  > ,
C o n d . (CompOp. Eq. I V a r . I V . 15 7.  C o n s t . 1 ,
S Q . C l a s s i g n  . ( I V a r . I V . 131 , C o n s t . 1) , l a s s i g n .  ( I V a r . I V . 132 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . I V . 133 , C o n s t . 0 )  , l a s s i g n  . ( I V a r . I V . 134 , C o n s t .0 )  , 
l a s s i g n  . ( I V a r .  IV. 135 , C o n s t .  0)  , l a s s i g n  . ( I V a r . IV . 136 . C o n s t . 0) , 
l a s s i g n  . ( I V a r .  IV. 137  , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV. 138 , C o n s t .  0) > ,
Cond. (C bm pO p.E q.IVar. I V . 1 5 7 .  C o n s t .2 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 132 , C o n s t . 1 ) , 
l a s s i g n  . ( IV a r  . IV .  133  , C o n s t . 0)  , l a s s i g n  . ( IV a r  . IV .  134  , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . IV. 135 , C o n s t .0 )  , l a s s i g n  . ( I V a r . I V . 136 , C o n s t . 0 )  , 
l a s s i g n  . ( I V a r . I V . 13 7  , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV. 138 , C o n s t . 0)  > ,
C on d . (CompOp. E q . I V a r . IV . 15 7. C o n s t . 3 ,
S Q . C l a s s i g n  . ( I V a r . I V . 131 , C o n s t . 0 )  , l a s s i g n  . ( I V a r . I V .  132 , C o n s t . 1)  , 
l a s s i g n  . ( I V a r . IV. 133 , C o n s t . 0)  , l a s s i g n  . ( I V a r .  IV. 134  , C o n s t .  0 )  , 
l a s s i g n  . ( I V a r . IV. 135 , C o n s t .0 )  , l a s s i g n  . ( I V a r . I V .  136 , C o n s t . 0 )  , 
l a s s i g n  . ( I V a r . IV . 137  , C o n s t . 0 ) , l a s s i g n  . ( I V a r .  I V . 138 , C o n s t . 0 ) > ,
Cond. (CbmpOp.Eq. I V a r . I V . 1 5 7 .  C o n s t . 4 ,
S Q . C l a s s i g n  . ( I V a r . I V .  131 , C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 132  , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r .  IV. 133 , C o n s t .  0 )  , l a s s i g n  . ( I V a r . IV. 134 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r .  IV . 135 , C o n s t .  0 )  , l a s s i g n  . (  I V a r . I V . 136 , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . IV. 13 7  , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 138 , C o n st  .0 )  > ,
C o n d . (CompOp.Eq. I V a r . I V . 15 7. C o n s t . 5 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t .  1) , l a s s i g n  . ( IV a r  . I V . 132 , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . IV. 133 , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 134  , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . I V . 135 , C o n s t . 0)  , l a s s i g n  . ( IV a r  . IV .  136 , C o n s t . 0 )  , 
l a s s i g n  . ( IV a r .  IV. 13 7  , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 138  , C o n s t . 0 ) > ,
Cond. (Cbm pO p.E q.IVar. I V . 1 5 7 .  C o n s t .  6 ,
S Q . C l a s s i g n  . ( I V a r . IV. 131 , C o n s t  .0 )  , l a s s i g n  . ( I V a r . IV. 132  , C o n s t .0 )  , 
l a s s i g n  . ( I V a r . IV. 133 , C o n s t . 1 ) , l a s s i g n  . ( I V a r .  IV . 134  , C o n s t .  0 )  , 
l a s s i g n  . ( I V a r .  IV. 135 , C o n s t .  0 )  , l a s s i g n  . ( I V a r .  IV. 136 , C o n s t .  0 )  , 
l a s s i g n  . ( I V a r . IV. 13 7  , C o n st  . 0 )  , l a s s i g n  . ( I V a r . IV. 138 , C o n s t .  0 )  > ,  
C o n d . (CbmpOp.Eq. I V a r . IV . 1 5 7 .  C o n s t . 7 ,
S Q . C l a s s i g n  . ( I V a r . I V . 131 , C o n s t  . 0 )  , l a s s i g n  . ( I V a r . IV. 132 , C o n s t . 0 )  , 
l a s s i g n  . ( I V a r . I V . 133 , C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 134  , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . I V . 135 , C o n s t . 0)  , l a s s i g n  . ( IV ar  . I V . 136  , C o n s t . 0)  , 
l a s s i g n  . ( I V a r . I V .  137  , C o n s t . 0)  , l a s s i g n  . ( I V a r . I V .  138 , C o n s t . 0) > ,  
Cond. (CbmpOp.Eq. I V a r . IV . 15 7. C o n s t . 8 ,
S Q . C l a s s i g n  . ( I V a r . I V . 131 , C o n s t  .0 )  , l a s  s i g n . ( I V a r . IV. 132 , C o n s t . 0 )  , 
l a s s i g n  . (  I V a r . IV. 133 , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 134  . C o n s t .  1 ) ,
240 Appendix D. Case S tudy  2: AW E  Built In Self Test SVA4VHDL Code
l a s s i g n  . ( I V a r .  IV. 135 , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV. 136 , C o n s t .  0)  , 
l a s s i g n  . ( I V a r . IV. 13 7  , C o n st  .0 )  , l a s s i g n  . ( I V a r . I V . 138 , C o n s t . 0 )  > ,  
S k i p ) ) ) ) ) ) ) ) ) ,
Cond. (CompOp.Eq. IV a r .  IV . 1 1 6 .  C o n s t .  1 ,
Cond. (C om pO p.E q .IV ar. I V . 1 5 7 .  C o n s t . 6 , 
l a s s i g n .  ( I V a r . I V . 148 , C o n s t . 9) ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 148 , C o n st  .4 )  , l a s s i g n  . ( I V a r . IV. 149 , C o n s t . 1 ) ) ) , 
l a s s i g n  . ( I V a r . I V . 148 . C o n s t . 8 )  ) > ,
Cond. (CbmpOp.Eq. IV a r .  IV . 14 7. C o n s t .  9 ,
Sq .  (Cond. (CompOp.Eq. I V a r . I V . 1 5 2 .  C o n st .  1 , l a s s i g n  . ( I V a r . IV. 130 , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . IV. 128 , C o n s t . 1 ) ) , l a s s i g n  . ( I V a r . IV. 148 , C o n s t .0 )  ) , 
S k i p ) ) ) ) ) ) ) ) ) ) » ,  ( { } , { } )
BISTIORTL =  VEOL. BISTIO.<  V P r o c . fsmReg () ,V P roc .  f sm L o g ic  ()  ,V P r o c .D IR () ,
V P roc .  lO c o u n te r  () ,V P r o c . ERRORFlag() ,V P r o c . lO W ir ing  () ,V P r o c . nOEzero () ,
V P r o c . nOEone() > . { }
D .6 Case Study 2: B IST _F SM  SVA4VHDL C om ponent
B IST F SM SensL ists  =  < ( 1 7 , { I V . 75 , I V . 7 6 } )  , (18  , { I V . 75 , I V . 7 6 } )  ,
( 1 9 , { I V . 1 0 1 , I V . 1 0 2 } )  , ( 2 0 , { I V . 7 5 , I V . 7 6 } )  , ( 2 1 , { I V . 1 0 3 , I V . 1 0 4 } )  ,
( 2 2 , { I V . 1 0 5 , I V . 1 0 6 , I V . 1 0 7 , I V . 108 , I V . 1 0 9 , I V . 1 1 0 , I V . 1 1 1 , I V . 1 1 2 } ) >
BISTFSMComponent =  {(BISTFSM,{ 1 7  ,18  ,19  ,20  ,21  , 2 2 } ) }
— CLK, R S T , STARTJRAM , S T A R T  J O ,  R A M J 'A IL , RAM J>ASS, I O .P A S S ,
— 1 0 . F  A I L ,  IO .F A IL .E N D
BISTFSMInputs =  { ( I V  . 75 ,0 , {  0 . .  1}  ) , (IV . 76 ,0 , {  0 . .  1} ) , ( I V . 113  ,0 , { 0 . .  1 } )  , 
( I V . 7 7 , 0 , { 0 . . 1 } )  , ( I V . 7 8 , 0 , { 0 . . 1 } )  , ( I V . 7 9 , 0 , { 0 . . 1 } )  , ( I V . 8 0 , 0 , { 0 . . 1 } ) ,
( I V .8 1  ,0 , { 0 . . 1 } )  , ( I V . 8 2  ,0  , { 0 . . 1 } )  , ( I V . 8 3  ,0 , { 0 . . 1 } )  , ( I V . 8 4  ,0 , { 0 . . 1 } )  , 
( I V . 8 5 , 0 , { 0 . . 1 } )  , ( I V . 8 6 , 0 , { 0 . . 1 } )  , ( I V . 8 7 , 0 , { 0 . . 1 } )  , ( I V . 8 8 , 0 , { 0 . . 1 } )  ,
( I V . 89  ,0 , { 0 . .  1 }  ) , ( I V . 9 0 ,0 , { 0 . .  1}  ) }
— I O S R  0 . . 1
BIST FSM Internal =  { ( I V . 101 ,0 , { 0 . . 1 } )  , (IV . 10 2  ,0 , { 0 . .  1 } )  , ( I V . 103  ,0 , { 0 . .  1 } )  ,
( I V . 10 4  ,0 , { 0 . .  1}  ) , ( I V . 10 5 ,0 , { 0 . .  1 }  ) , ( I V . 106  ,0 , { 0 . . 1 } )  , ( I V . 10 7  ,0 , { 0 . .  1}  ) ,
( I V .1 0 8  ,0 , { 0 . . 1 } )  , ( I V . 1 0 9  ,0 , { 0 . . 1 } )  , ( I V . 1 1 0  ,0 , { 0 . . 1 } )  , ( I V . l l l  ,0  , { 0 . . 1 } )  ,
( I V . 112  ,0 , { 0 . . 1 } ) }
— 1 0 . R U N , R A M R U N
BISTFSMOutputs =  { ( I V . 91 ,0 , { 0 . . 1 } )  , ( I V . 9 2  ,0 , { 0 . . 1 } )  , ( I V . 9 3  ,0 , { 0 . . 1 } )  ,
( I V . 9 4 , 0  , { 0 . .  1 }  ) , ( I V . 9 5  ,0 , { 0 . .  1}  ) , (IV . 96 ,0 , { 0 . .  1 }  ) , (IV . 97  ,0 , { 0 . .  1}  ) ,
( I V . 98 ,0  , { 0 . . 1 } )  , ( I V . 9 9  ,0  , { 0 . .  1}  ) , ( I V . 100  ,0 , { 0 . .  1 }  ) }
B I S T R e g is t e r  ()  =  (VHDLProc. ( { I V .75  , I V . 7 6 }  ,
Cond. (ConpOp.Eq. I V a r . IV . 75 . C o n s t . 1 ,
Cond. (ConpOp.Eq. IV ar  . IV . 75 . C o n s t . 1 ,
S Q . < l a s s i g n  . ( I V a r . I V . 105 , C o n st  .0 )  , l a s s i g n  . ( I V a r . I V . 106 , C o n s t .0 )  , 
l a s s i g n  . ( I V a r .  IV. 107  , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV. 108 , C o n s t .  0) , 
l a s s i g n  . ( I V a r . IV. 109 , C o n s t . 0)  , l a s s i g n  . ( I V a r . I V . 110 , C o n s t .0 )  , 
l a s s i g n  . ( IV a r  . I V . I l l  , C o n s t . 0)  , l a s s i g n  . ( I V a r . IV. 112 , C o n st  .0 )  > ,
Cond. (ConpOp.Eq. I V a r . IV . 7 9 .  C o n s t .  1 ,
SQ .< l a s  s i g n  . ( I V a r .  IV. 105 , C o n s t .  0)  , l a s s i g n  . ( I V a r .  IV. 106 , C o n s t .  0) , 
l a s s i g n  . ( I V a r . I V . 107  , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 108 , C o n st .  1 ) , 
l a s s i g n  . ( I V a r . I V . 109 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV. 110 , C o n s t . 1) , 
l a s s i g n  . ( IV ar  . IV . 111 , C o n s t . 1) , l a s s i g n  . ( IV ar  . IV . 1 1 2 ,  C o n s t .  1) > ,
Cond. (ConpOp.Eq. I V a r . IV . 7 8 .  C o n s t . 1 ,
D. 7. Case S tudy 2: T JB IS T  SVA4VHDL Component 241
S Q . C l a s s i g n  . ( I V a r . IV . 105 , C o n s t .  1) , l a s s i g n  . ( I V a r . IV .1 0 6  , C o n s t .0 )  , 
l a s s i g n  . ( I V a r . IV . 10 7  , C o n s t . 1) , l a s s i g n  . ( I V a r . IV . 108 , C o n s t . 1) , 
l a s s i g n  . ( I V a r . IV. 109 , C o n s t . 1) , l a s s i g n  . ( I V a r . I V . 110 , C o n s t . 1 ) , 
l a s s i g n  . ( IV a r  . IV .  111 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V .1 1 2  , C o n s t .1 )  > ,
C o n d . (CompOp. Eq. I V a r . IV . 8 1 .  C o n s t . 1 ,
S Q . C l a s s i g n  . ( I V a r .  IV . 105 , IV a r .  IV. 8 3 )  , l a s s i g n  . ( I V a r .  IV. 106 , IV a r .  IV. 8 4 )  , 
l a s s i g n  . ( I V a r .  IV . 1 07  , IV ar  . IV .  8 5 )  , l a s s i g n  . ( IV a r .  IV . 108 , IV a r .  IV. 8 6 )  , 
l a s s i g n  . ( I V a r . IV . 109 , I V a r . I V .8 7 )  , l a s s i g n  . ( I V a r . IV. 110  , IV a r  . I V . 88)  , 
l a s s i g n .  ( I V a r .  IV. 111 , I V a r . I V . 8 9 )  , l a s s i g n .  ( I V a r .  IV . 112 , I V a r . I V . 90 )  > ,
Cond. (C b m p O p .E q .IV a r .IV . 82 . C o n s t .  1 ,
S Q . C l a s s i g n  . ( I V a r . IV. 105 , C o n s t .0 )  , l a s s i g n  . ( I V a r . I V . 106 , C o n s t .  1 ) , 
l a s s i g n  . ( I V a r . IV. 10 7  , C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 108  , C o n s t .  1 ) , 
l a s s i g n  . ( I V a r . I V .1 0 9  , C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 110  , C o n s t .  1 ) , 
l a s s i g n  . ( I V a r . IV .1 1 1  , C o n s t . 1) , l a s s i g n  . ( I V a r . IV. 112 , C o n s t .  1) > ,
C on d . (CompOp. E q . I V a r . I V . 8 0.  C o n s t . 1 ,
S Q . C l a s s i g n  . ( I V a r . IV. 105 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV . 106 , C o n s t . 1 ) , 
l a s s i g n  . ( IV a r  . IV . 107  , C o n s t . 1) , l a s s i g n  . ( I V a r . IV .1 0 8  , C o n s t . 1 ) , 
l a s s i g n  . ( I V a r . IV. 109 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V .  110  , C o n s t .  1) , 
l a s s i g n  . ( IV ar  . IV .  1 1 1 ,  C o n s t . 1 ) , l a s s i g n  . ( I V a r . IV .1 1 2  , C o n s t . 1 ) > ,
S k i p ) ) ) ) ) )  , S k i p ) )  , ( { } , { } )  
lO R is in g E d g e  () =  (VHDLProc. ( {  I V . 75 , I V . 7 6 }  ,
C on d . (CompOp. E q . I V a r . I V . 7 5.  C o n s t . 1 ,
Cond. (CompOp.Eq. I V a r . IV . 75 . C o n s t . 1 ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 101 , C o n s t . 0 ) , l a s s i g n  . ( I V a r .  IV. 102 , C o n s t . 0 )  ) ,
S q . ( l a s s i g n  . ( IV ar  . I V . 101 , IV ar  . IV .  77 )  , l a s s i g n  . ( IV a r  . I V . 102 , IV a r  . I V . 1 0 1 ) ) )  , 
S k i p ) ) ,  ( { } , { } )
IORUN() =(VHDLProc. ( { I V . 1 0 1 , I V . 1 0 2 }  ,
Cond. ( BBOp. And. CompOp. Eq. I V a r . I V . 1 0 1 .  C o n s t . 1 . CompOp.Eq. IV a r .  IV . 1 0 2 .  C o n s t . 0 , 
l a s s i g n  . ( IV a r  . IV .  91 , C o n s t . 1) , l a s s i g n  . ( I V a r .  IV . 91 , C o n s t . 0 )  ) )  , ( { }  , { } )  
RAMRisingEdge () =  (VHDLProc. ( { I V .75  , I V . 7 6 }  ,
C o n d . (CompOp. E q . I V a r . IV . 7 5 .  C o n s t . 1 ,
Cond. (CompOp.Eq. I V a r . IV . 75 . C o n s t . 1 ,
Sq .  ( l a s s i g n  . ( IV a r .  IV. 103 , C o n s t .0 )  , l a s s i g n  . ( I V a r . I V . 104  , C o n s t .0 )  ) ,
Sq .  ( l a s s i g n  . ( I V a r . IV. 103 , I V a r . I V . 1 1 3 )  , l a s s i g n  . ( I V a r .  IV . 104  , I V a r . IV. 1 0 3 )  ) ) , 
S k i p ) )  , ( { } , { } )
RAMRUNO =  (VHDLProc. ( { I V .  10 3 ,  IV. 1 0 4 }  ,
Cond. (BBOp.And.Cbm pOp.Eq.IVar. I V . 103  . C o n s t . 1 .CbmpOp.Eq. I V a r . IV . 1 0 4 .  C o n s t . 0 , 
l a s s i g n  . ( I V a r . IV. 92 , C o n s t . 1 ) , l a s s i g n  . ( I V a r . I V .9 2  , C o n s t . 0 ) ) ) ,  ( { } , { } )
BISTREGO =  (VHDLProc. ( { I V .  105 , IV. 106 , I V . 1 0 7  , I V . 108  , I V . 109  , I V . 110  , I V . 111 , I V . 1 1 2 }  , 
SQ.< l a s s i g n  . ( I V a r .  IV. 9 3 , I V a r . IV. 1 05)  , l a s s i g n  . ( I V a r . I V . 94 , I V a r . IV .1 0 6 )  , 
l a s s i g n .  ( IV a r  . I V . 95 , IV ar  . I V . 1 07)  , l a s s i g n . ( IV a r  . I V . 96 , IV a r  . I V . 1 0 8 )  , 
l a s s i g n  . ( I V a r . I V .9 7  , I V a r . IV. 1 09)  , l a s s i g n  . ( I V a r . IV .9 8  , I V a r . IV. 1 1 0 )  , 
l a s s i g n .  ( I V a r .  IV. 99 , IV a r .  IV. I l l )  , l a s s i g n . ( I V a r . I V . 100 , I V a r . I V . 1 1 2 ) >
) ,  ({},{})
BISTFSMRTL =  VRTL.BISTFSM.<VProc. B IS T R e g is te r  () , V P r o c . lO R is in g E d g e  () ,
VProc.IORUN() ,VP roc .  RAMRisingEdge () ,VProc.RAMRJUN() ,V P r o c . BISTREG( ) > . { }
D .7  Case S tudy 2: T _B IST  SVA4VH DL C om ponent
i n c lu d e  ” b i s t _ i o  . c s p ” i n c lu d e  ” b i s t - f s m  . c s p ” i n c lu d e  ” b is t_ r a m  . c s p ”
242 Appendix D. Case S tudy  2: AW E  Built In Self Test SVA4VHDL Code
T L B IS T S en sL ists  =  < ( 3 4 , { I V . x  | x-t-{ 1 5 8 . . 2 0 5 } } )  , (31  , { I V . 1 5 9 } ) >  
TLBISTComponent =  { (TLBIST,{ 3 1  , 3 4 } )  }uBISTRAMComponentU 
BISTIOComponentUBISTFSMComponent}
TLBISTContainedCom ponents =  { (TLBIST,{  BISTIO , BISTFSM,BISTRAM}) }U 
BISTRAMContainedComponents  
— CLK, R ST , STARTJRAM, S T  A R T  J O ,
TLBISTInputs =  { ( I V . 15 8  ,0 , { 0 . .  1}  ) , ( I V . 15 9  ,0 , { 0 . .  1 } )  ,
( I V .1 6 0  ,0 , { 0 . . 1 } )  , ( I V . 1 6 1  ,0  , { 0 . . 1 } )  , ( I V . 1 8 2  ,0  , { 0 . . 1 } )  , ( I V . 1 8 3  ,0 , { 0 . . 1 } )  , 
( I V . 1 8 4 , 0 , { 0 . . 1 } )  , ( I V . 1 8 5 , 0 , { 0 . . 1 } )  , ( I V . 1 8 6 , 0 , { 0 . . 1 } )  , ( I V . 1 8 7 , 0 , { 0 . . 1 } )  , 
( I V . 188  ,0 , { 0 . .  1}  ) , ( I V . 189  ,0  , { 0 . .  1} ) }
T L B IST In terna l  =  { }
— IO .P A S S , IO -F A IL , IO -F A IL -E N D , 1 0 J O IN , RAM RUN, R A M J'A IL , RAMJPASS, R S T J  
TLBISTMapInternal =  { ( I V . 190  ,0 , { 0 . .  1 } )  , ( I V . 191 ,0 , { 0 . .  1}  ) , ( I V . 192  ,0 , { 0 . .  1 } )  , 
( I V . 193  ,0 , { 0 . .  1}  ) , ( I V . 19 4  ,0  , { 0 . .  1}  ) , ( I V . 195  ,0 , { 0 . .  1}  ) , (IV . 196  ,0 , { 0 . .  1}  ) , 
( I V . 1 9 7 , 0  , { 0 . . 1 } )  ,
— IO -F A IL E D -P O R T
( I V .1 9 8  ,0 , { 0 . . 1 } )  , ( I V . 1 9 9  ,0  , { 0 . . 1 } )  , ( I V . 2 0 0  ,0 , { 0 . . 1 } )  , ( I V . 2 0 1  ,0 , { 0 . . 1 } )  ,
( I V . 2 0 2  ,0 , { 0 . .  1}  ) , ( I V . 2 0 3  ,0  , { 0 . . 1 } )  , ( I V . 2 0 4 , 0  , { 0 . . 1 } )  , (IV . 2 0 5  ,0 , { 0 . .  1}  ) }
— n O E -0 , n O E -1 , D IR , s l o w - d o c k
TLBISTOutputs =  { ( I V . 1 6 2  ,0 , { 0 . . 1 } )  , ( I V . 163  ,0 , { 0 . .  1 }  ) , ( I V . 164  ,0 , { 0 . .  1} ) ,
( I V . 165  ,0 , { 0 . . 1 } )  ,
— B IST-R E G  0 . . 7
( I V . 1 6 6 , 0 , { 0 . . 1 } )  , ( I V . 1 6 7 , 0 , { 0 . . 1 } )  , ( I V . 1 6 8 , 0 , { 0 . . 1 } )  , ( I V . 1 6 9 , 0 , { 0 . . 1 } )  , 
( I V .1 7 0  ,0 , { 0 . . 1 } )  , ( I V . 1 7 1  ,0 , { 0 . . 1 } )  , ( I V . 1 7 2  ,0  , { 0 . . 1 } )  , ( I V . 1 7 3  ,0 , { 0 . . 1 } )  ,
—10
( I V .1 7 4  ,0 , { 0 . . 1 } )  , ( I V . 1 7 5  ,0 , { 0 . . 1 } )  , ( I V . 1 7 6  ,0 , { 0 . . 1 } )  . ( I V . 1 7 7  ,0 , { 0 . . 1 } )  ,
( I V . 178  ,0 , { 0 . .  1}  ) , ( I V . 179  ,0 , { 0 . .  1}  ) , ( I V . 180  ,0 , { 0 . . 1 } )  , ( I V . 181 ,0 , { 0 . . 1 } ) }
R ST i()  =  (VHDLProc. ( { I V .  1 5 9 }  , l a s s i g n  . ( I V a r . I V . 197  , I V a r . I V . 1 5 9 )  ) , ( { } , { } )  
TLBISTMap =  VPMap. TLBIST. <BISTRAMMap, BISTFSMRTL, BISTIORTL, V P r o c . RSTi ( ) > .
((BISTRAM, IV . 6 9 
((BISTRAM, IV . 71 
((BISTFSM, IV . 7 6 
((BISTFSM, IV . 7 7 
((BISTFSM, IV. 7 9 
((BISTFSM, IV . 81  
((BISTFSM, IV . 8 3 
((BISTFSM, IV . 8 5 
((BISTFSM, IV . 8 7 
((BISTFSM, IV . 8 9 
((BISTFSM, IV . 91 
((BISTFSM, IV . 9 3 
((BISTFSM, IV . 9 5 
((BISTFSM, IV . 9 7 
((BISTFSM, IV . 9 9 
( ( B I S T I O ,I V .114  
( ( B I S T I O ,I V .116  
( ( B I S T I O ,I V .118  
( ( B I S T I O ,I V .120  
( ( B I S T I O ,I V .122  
((B IST IO , IV. 124
7) , (TLBIST,IV. 1 5 8 ) )  ,(
) ,( TLBIST I V . 1 9 4 ) )  , ( (
) ,( TLBIST I V . 1 9 6 ) )  , ( (
) ,( TLBIST I V . 1 9 7 ) )  , ( (
) ,( TLBIST I V . 1 6 1 ) )  , ( (
) ,( TLBIST I V . 1 9 6 ) )  , ( (
) , (  TLBIST I V . 1 9 1 ) )  , ( (
) , (  TLBIST I V . 1 9 8 ) )  , ( (
) ,(  TLBIST IV . 2 0 0 ) )  , ( (
) ,(  TLBIST IV . 2 0 2 ) )  , ( (
) ,(  TLBIST IV . 2 0 4 ) )  , ( (
) ,(  TLBIST I V . 1 9 3 ) )  , ( (
) ,(  TLBIST I V . 1 6 6 ) )  , ( (
) ,(  TLBIST IV . 1 6 8 ) )  , ( (
) ,( TLBIST I V . 1 7 0 ) )  , ( (
) ,( TLBIST I V . 1 7 2 ) )  , ( (
) ,( TLBIST I V . 1 5 8 ) )  , ( (
) ,( TLBIST I V . 1 9 3 ) )  , ( (
) , (  TLBIST I V . 1 8 3 ) )  , ( (
) , (  TLBIST I V . 1 8 5 ) )  , ( (
) ,( TLBIST I V . 1 8 7 ) )  , ( (
) ,( TLBIST I V . 1 8 9 ) )  , ( (
(BISTRAM,IV.6 8)  , (T L B IS T ,IV .197  
BISTRAM,IV.70)  , (T L B IS T ,IV .195)
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
BISTFSM
I V . 75)  
I V . 1 13)  
I V . 78)  
I V . 80)  
I V . 82)  
I V . 84)  
I V . 86)  
IV .88)  
I V . 90)  
I V .9 2 )  
I V . 94)  
I V . 96)  
I V . 98)  
I V . 1 0 0 )  
B ISTIO ,IV . 1 15)  
BISTIO, IV . 1 17)  
B IS T IO ,IV .1 1 9 )  
B IS T IO ,IV .1 2 1 )  
B IS T IO ,I V .1 23)  
B IS T IO ,IV .1 3 9 )
(TLBIST, IV. 158)  
, (TLBIST,IV. 160  
(TLBIST, IV. 195)
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
(TLBIST
I V . 190)  
I V . 192)  
I V . 199)  
I V . 2 0 1 )  
I V . 2 0 3 )  
I V . 2 0 5 )  
I V . 1 94)  
I V . 1 67)  
I V . 1 69)  
I V . 1 71)
, (TLBIST,IV. 173
I V . 1 97)  
I V . 1 82)  
I V . 1 84)  
I V . 1 86)  
I V . 1 88)
(T L B IS T ,IV .1 74)
) .
D. 7. Case S tudy 2: T JB IS T  SVA4VHDL Component 243
BISTIO I V .1 4 0 ) ,(  TLBIST I V . 1 7 5 ) )  ,( (B IS T IO ,IV .  1 4 1 ) ,(  TLBIST I V . 1 7 6 ) ) ,
BISTIO I V . 1 4 2 ) ,(  TLBIST I V . 1 7 7 ) )  ,( (BISTIO, IV . 1 4 3 ) , (  TLBIST I V . 1 7 8 ) ) ,
BISTIO I V . 1 4 4 ) ,(  TLBIST I V . 1 7 9 ) )  ,( (BISTIO, IV . 1 4 5 ) ,(  TLBIST I V . 1 8 0 ) ) ,
BISTIO I V . 1 4 6 ) ,(  TLBIST I V . 1 8 1 ) )  ,( (B IS T IO ,IV . 1 2 5 ) ,(  TLBIST I V . 1 6 2 ) ) ,
BISTIO I V . 1 2 6 ) ,(  TLBIST I V . 1 6 3 ) )  ,( (BISTIO, IV . 12 7) ,(  TLBIST I V . 1 6 4 ) )  ,
BISTIO I V .1 2 8 ) ,(  TLBIST I V . 1 9 0 ) )  ,( (BISTIO, IV . 1 2 9 ) ,(  TLBIST I V . 1 9 1 ) )  ,
BISTIO I V . 1 3 0 ) ,(  TLBIST I V . 1 9 2 ) )  ,( (B I S T I O ,I V .1 3 1 ) ,(  TLBIST I V . 1 9 8 ) ) ,
BISTIO I V . 1 3 2 ) ,(  TLBIST I V . 1 9 9 ) )  ,( (B I S T I O ,I V .1 3 3 ) ,(  TLBIST I V . 2 0 0 ) ) ,
BISTIO I V . 1 3 4 ) ,(  TLBIST I V . 2 0 1 ) )  ,( (B IS T IO ,IV .  1 3 5 ) ,(  TLBIST I V . 2 0 2 ) )  ,
BISTIO I V . 1 3 6 ) ,(  TLBIST I V . 2 0 3 ) )  ,( (BISTIO, IV . 13 7) ,(  TLBIST I V . 2 0 4 ) ) ,
BISTIO I V . 1 3 8 ) ,(  TLBIST I V . 2 0 5 ) ) } .
1 4 , { I V . : < | x<—{ 1 5 8 . . 2 0 5 } } )
244 Appendix D. Case S tudy 2: AW E Built In Self Test SVA4VHDL Code
A ppendix E
VHDL to SVA4VHDL Java Tool 
Class Diagram
This appendix provides an illustration of the class diagram for the tool tha t was described 
in Section 7.6 of Chapter 7. The diagram has been produced using Green UML to extract 
the fields and methods. The public visibility of the fields and methods are indicated with 
the green circle and the private with the red squares. The class which contains the main 
m ethod to initiate the translation is GenerateSVA4VHDL.
GenerateSVA4VHDL generates the VHDL models for a VHDL description, and then cre­
ates a new instance of FVhPGenSVA4VHDL, passing the newly created VHDL models. 
FVhPGenSVA4VHDL then proceeds to traverse through the hierarchical VHDL structure 
contained within the models to generate an SVA4VHDL representation of the VHDL 
system.
245
246 Appendix E. VHDL to SVA4VHDL Java Tool Class Diagram
®  translator.DataTypes
HashMap< String,A rrayL ist<String» da ta ty p es__
© ^âtâïÿpëstF V hm rchitecture  a)
void createDataTypes(LinkedList<FVhPBase> types) 
a ArrayUst<String> indexEiemente(UnkedUst<FVhPEnumLiteral> linkedlist) 
AirayUst<String> getTypefString str)
9  intfindE!emlD(String val) 
int MaxElemO
6 A translator.PortSignal
FVhPBase base 
intportSignallndex 
int rangelndex 
int m axRange 
boolean inout
" PortSignaKFVhPBase base)
" PortSignaKFVhPBase base, int rangelndex)
: PortSignaKFVhPBase base, int rangelndex, boolean inout) 
'  String getNamet)
void createlndexes(Ust<PortSignal> completeUst) 
int getlndexO 
* String getDi recti ont)
'  String getlnitO 
'  String getTypeQ
'  Integer getnanget)___________________________________________
4—
©  translator.Port
String type
e  Port(FVhPPort port) 
e 0 PortfFVhPPort port, int rangelndex) 
o c Port(FVhPPort port, int rangelndex, boolean io) 
© String getNameO 
e  String getDirectionO 
© String toStringO 
o String getlnitl)
© String getTypeO 
o  Integer getRangeQ________
©  translator.Signaf
© SignaKFVhPSignai signal) 
o c SignaKFVhPSignai signal, int rangelndex)
©c SignaKFVhPSignai signal, int rangelndex, boolean io) 
© String getNameO 
s  String toStringO 
© String getDirectionO 
® String getlnitO 
© String getTypeO
o Integer getRangeQ___________________________
0..* « L o c a l  A ss ig n m e n t»
0  translator.Proc
FVhPProcessStmt proc 
int prodndex_________
0..* « L o c a l_ A ssig n m en t»
' ProdFVhPProcessStmt proc)
String getNameO 
void createlndexes(List<Proc> totalList) 
int getlndexO
String toStringO___________________
T
0..* <<Local A ssig ÿ ien t> >
Q  translator.VHDLComponent
String name
HashMap<String,PortSigna!> portsAndSignals 
HashMap<String,Proc> processes 
ArrayList<Proc> processlndex 
DataTypes types_________________________
o  VFIDLComponentfFVhPEntity e, FVhPArchitecture a)
©c VFIDLComponent(FVhPlnstantiation e, FVhPArchitecture a) 
© String getComponentNameDebugO 
a void indexPorts{Linkedüst<FVhPPort> prts) 
a void indexPorts(FVhPlnstantiation e) 
a void indexSignals(Linkedlist<FVhPSignal> sigs)
© void addCompProc(String procName, Proc proc) 
a void indexProcesses(UnkedUst<FVhPBase> procs)
© void createlndexes(List<PortSignal> totalList)
© void createProclndexes(List<Proc> totalList) 
e  PortSignal getPortSignaKString str)
© String getPortSignalsQ 
© String getPortSignaisDebugO 
© String getPortSignals(Arrayüst<String> restrictions) 
e  HashMap<String,PortSignal> retumAIIPortSignalsO 
© Proc getProc(String str)
© int getDataTypefString type, String val)
© String getRangelString sig)
© int getElementlD(String type. String val)
© int getElementlDtString val)
© int getMaxEiementSizeO 
A
247
0..* « L o c a l  A ss ig n m e n t»  j 0..* <<Local A ss ig n m e n t»
9  translator.FVhPGenSVAWHDL
o 5 Integer errorCount 
o s boolean isVerbose 
= List<FVhPEntity> duEntities 
° Ust<FVhPArchitecture> duArchitectures 
= BufferedWnter output 
= String tab 
c String entName 
= AnrayList<PortSignal> signals 
= ArTayUst<Proc> procs 
= String strN 
= String sMVNums 
= String strMostProcs 
o String strComponentProcs 
& AinrayUst<String> components 
= Boolean notFirstCompProc 
^ AnrayUst<String> restrict 
a String strBuff 
= VHDLComponent comp 
= String duname
° HashMap<String,A’rayU st<String>> componentHierarchies 
= HashMap<String,FVhPArchitecture> entityMapping
o HashMap<String.VHDLComponent> instanceMapping______________________________________________________
e c FVhPGenSVA4VHDL{Ust<FVhPEntity> entity. List<FVhPArchitecture> architecture. String cutFile, String duname) 
e  void printFormalModeK) 
a  void convertVHDL2SVA4VHDL{) 
a void addAdditionalCompProc(FVhPArchitecture arch)
a  String createHierarch;calStnjcture(FVhPEntity entity, FVhPArchitecture architecture) 
a  String inoutRenamingfFVhPEntity entity) 
a String inoutVPMapRenaming(FVhPEntity entity)
a  String createHierarchicaiStructure{String instanceName, FVhPEntity entity, FVhPArchitecture architecture)
a  String componentProc{FVhP£ntity entity, FVhPArchitecture architecture)
o String renamings(FVhPArchitecture architecture)
b  void generateSVA4VHDlValues()
a void convertArchitecture(FVhPArchitecture arch)
a void convertArchitecture(FVhPArchitecture arch. String instanceName)
a String generateSensüstO
a String generateSensUstiFVhPProcessStmt current)
a String convertProcess(FVhPProcessStmt proc. String procName)
a  String convertCaseStatement(FVhPSeqCaseStatement caseStmt)
a  String convertCaseltem(FVhPExprBase IhsCase, FVhPSeqCaseltem current)
a String convertiFStatement(FVhPSeqifStmt ifstmt)
a  String convertSequence(LinkedList<FVhPBase> ifStmtBlock)
a  S ring  convertSimpieAssignment(FVhPSignalAssignment assignm ent)
a String convertAssignmentTolF(String target, LinkedList<FVhPVVaveForm> waveforms)
h Stnng getSimpleName(FVhPExprBase expr)
a  boolean evalWaveForm(ljnkedUst<FVhPV/aveForm> waveforms)
a  String convertWaveForms(LinkedList<FVhPWaveForm> waveforms, FVhPTarget target)
b  String convertWaveForm(FVhPWaveFonri wf, FVhPTarget target)
a String convertE!ement(FVhPExprBase expr, FVhPTarget target)
a String convert8itSeiectExpression(FVhPExprBitSe!ect expr)
a String convertE!ement(FVhPExpr8ase expr)
a Stnng getSVA IDf String val, FVhPTarget target)
b  String getSVAJD{String val, FVhPTarget target, boolean isOut)
a String getSVAjD(String val)
b 5 boolean ismtegerf String s)
a String convertBinaryExpression(FVhPExprBinary exprBin) 
a  String conveitOperator(OpType op)
,■3 string getSimp!eName(FVhPSimpleName simple, FVhPTarget target)
a String getSimpleName(FVhPSimpleName simple, FVhPTarget target, boolean isOut)
a  String getSimpieName(FVhPBitSelect simple, FVhPTarget target, boolean isOut)
a  String convertConditionai(FVhPExprBase condExpr)
a  String convertFunctionCall(FVhPExprFunctionCall condExpr)
a  String retumSensitivityüst{UnkedList<FVhPBase> senslist)
a void convertEntity(FVhPEntity ent)
a void convertlnstance(FVhPlnstantiation inst)
b  String printHeaderO
a String tabPutO
a void tabAddO
u void tabFtemoveQ_______________________________________________________________________________________
248 Appendix E. VHDL to SVA4VHDL Java Tool Class Diagram
l :f(5> tran slaco r.G en era teS V A 4 V H D L
s v o id  m a in (S tr in g []  a rg s )  
b  s v o id  c o m p ile S u b fi le s tS tr in g  w o rk lib . File t a r g e t .  File d ir)
b  5 v o id  s ta r tC o m p ila t io n fS tr in g  w o rk lib , S tring  infile , b o o le a n  p rin tS rc , b o o le a n  isS T D Pack, S tring  to p , S trin g  o u tfile )  
&  s In te g e r  c o m p ileF ile (S trin g  w o rk lib . S trin g  fN a m e , b o o le a n  p rin tS rc , b o o le a n  isST D Pack) 
iLs>s In te g e r  generateS V A 4V H D L (S tring  w o rk lib , S trin g  d u n a m e . S trin g  o u tfile )  
e s v o id  p rin tH elp O  
o  s v o id  p r in tB a n n e ri)
o s v o id  p r in tC o m p le tio n (b o o le a n  s u c c e s s fu l)____________________________________________________________________________
Bibliography
[1] J.-R. Abrial. The B  Book: Assigning programs to meanings. Cambridge University 
Press, 1996.
[2] J.-R. Abrial. Modeling in Event-B: System and Software Engineering. Cambridge 
University Press, 2010.
[3] Jean-Raymond Abrial, Michael Butler, Stefan Hallerstede, Thai Son Hoang, Farhad 
Mehta, and Laurent Voisin. Rodin: an open toolset for modelling and reasoning in 
Event-B. Int. J. Softw. Tools Technol. Transf., 12(6):447-466, November 2010.
[4] Aldec. Assertions - Practical Introduction for HDL Designers. Online; accessed 19 
November 2012.
[5] Philip J. Armstrong, Michael Goldsmith, Gavin Lowe, Joël Ouaknine, Hristina 
Palikareva, A. W. Roscoe, and James Worrell. Recent Developments in FDR. In 
CAV, volume 7358 of LNCS, pages 699-704. Springer, 2 0 1 2 .
[6 ] L. M. Augustin. Timing models in VAL/VHDL. In IEEE  International Conference 
on Computer-Aided Design, ICCAD-89. Digest of Technical Papers., pages 1 2 2  -  
125, 1989.
[7] Aver ant. Solidify product page, http://w w w .averant.com /, 2012. Online; accessed 
19-November 2012.
[8 ] C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, 2008.
[9] S. Bailey. Comparison of VHDL, Verilog and SystemVerilog. Technical report, 
Model Technology, 2003. Online; accessed 19 November 2012.
[10] A. Bara, P. Bazargan-Sabet, R. Chevallier, D. Ledu, E. Encrenaz, and P. Renault. 
Formal verification of timed VHDL programs. In Proceedings of the 2010 Forum 
on specification & Design Languages (FDL), pages 80-85. ECSI, 2010.
249
250 Bibliography
[H] C. Barrett and C. Tinelli. CVC3. In Proceedings of the 19th International Con­
ference on Computer Aided Verification (CAV ’07), volume 4590 of LNCS, pages 
298-302. Springer, 2007.
[12] D. L. Barton. Examination of a CSP style formal definition of VHDL. In VHDL 
International Users Forum, 1995.
[13] T. Blackmore, D. Halliwell, P. Barker, K. Eder, and N. Ramaram. Analysing 
and closing simulation coverage by automatic generation and verification of formal 
properties from coverage reports. In IFM, volume 7321 of LNCS, pages 84-98. 
Springer, 2012.
[14] R. Bloem, R. Cavada, I. Pill, M. Roveri, and A. Tchaltsev. RAT: A tool for the 
formal analysis of requirements. In CAV, volume 4590 of LNCS, pages 263-267. 
Springer, 2007.
[15] R. Bloem, A. Cimatti, K. Greimel, G. Hofferek, R. Kônighofer, M. Roveri, 
V. Schuppan, and R. Seeber. RATSY - a new requirements analysis tool with 
synthesis. In CAV, volume 6174 of LNCS, pages 425-429. Springer, 2010.
[16] R. Bloem, S. Caller, B. Jobstmann, N. Piterman, A. Pnueli, and M. Weiglhofer. 
Interactive presentation: Automatic hardware synthesis from specifications: a case 
study. In DATE, pages 1188—1193. ACM, 2007.
[17] R. Bloem, H.-J. Gamauf, G. Hofferek, B. Kônighofer, and R. Kônighofer. Synthe­
sizing robust systems with RATSY. In SYN T, volume 84 of EPTCS, pages 47-53, 
2012.
[18] T. Bohman, O. Pikhurko, A. Frieze, and D. Sleator. Puzzle 6 : Uniform candy 
distribution, http://www.cs.cmu.edu/puzzle/puzzle6 .html. Online; accessed 19 
November 2012.
[19] N. Bombieri, F. Fummi, and G. Pravadelli. Hardware design and simulation for 
verification. In Formal Methods for Hardware Verification, 6th International School 
on EorrW  Methods /o r f&e Desert o/ C om pter, Comm%mco#on, and Sb/hmre 
Systems, volume 3965 of LNCS, pages 1-29. Springer, 2006.
[20] D. Borrione, L. Pierre, and A. Salem. Formal verification of VHDL descriptions in 
the Prevail environment. IEEE Des. Test, 9(2):42-56, 1992.
Bibliography 251
[21] D. D. Borrione and P. Georgelin. Electronic chips Sz systems design languages, 
chapter Formal verification of VHDL using VHDL-like ACL2 models, pages 273- 
284. Kluwer Academic Publishers, 2001.
[22] M. Bourahla and M. Benmohamed. Predicate abstraction and refinement for model 
checking VHDL state machines. Electr. Notes Theor. Comput. Sci., 66(2):1-16, 
2002 .
[23] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE  
Trans. Comput, 35(8):677-691, 1986.
[24] M. Butler, J. Colley, A. Edmunds, C. Snook, N. Evans, N. Grant, and H. Marshall. 
Modelling and Refinement in CODA. ArXiv e-prints, May 2013.
[25] G. Cabodi and M. Murciano. BDD-based hardware verification. In Formal Methods 
for Hardware Verification, 6th International School on Formal Methods for the De­
sign of Computer, Communication, and Software Systems, volume 3965 of LNCS, 
pages 78-107. Springer, 2006.
[26] M. Chen, X. Qin, and P. Mishra. Efficient decision ordering techniques for SAP- 
based test generation. In DATE, pages 490-495. IEEE, 2010.
[27] A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri. NUSMV: A new symbolic 
model checker. ST T T , 2(4)=410-425, 2000.
[28] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons 
using branching-time temporal logic. In Logic of Programs, volume 131 of LNCS, 
pages 52-71. Springer, 1981.
[29] Edmund M. Clarke, Orna Crumb erg, and Doron Peled. Model checking. MIT 
Press, 2001.
[30] B. Cohen, S. Venkataramanan, and A. Kumari. Using PSL/Sugar for Formal and 
Dynamic Verification: Guide to Property Specification Language for Assertion- 
based Verification. VhdlCohen Pub., 2004.
[31] D. Déharbe and D. Borrione. Semantics of a verification-oriented subset of VHDL. 
In CHARME, volume 987 of LNCS, pages 293-310. Springer, 1995.
[32] D. Déharbe, S. Shankar, and E. M. Clarke. Model checking VHDL with CV. In 
FMCAD, volume 1522 of LNCS, pages 508-514. Springer, 1998.
252 Bibliography
[33] Ashar Salem Dominique Borrione, Laurence Pierre. PREVAIL: A proof environ­
ment for vhdl descriptions. In P Prinetto and P Camurati, editors, Advanced 
Research Workshop on Correct Hardware Design Methodologies, pages 163-186, 
1992.
[34] B. Dongol, J. Derrick, and I. J. Hayes. Fractional permissions and non-deterministic 
evaluators in interval temporal logic. ECEASST, 2012 (to appear). Automated 
Verification of Critical Systems, 2 0 1 2 .
[35] N. Evans. Integrating formal methods with informal digital hardware development. 
ECEASST, 35, 2010. Automated Verification of Critical Systems, 2010.
[36] Limor Fix. Fifteen years of formal property verification in Intel. In 25 Years of 
Model Checking, volume 5000 of LNCS, pages 139-144. Springer, 2008.
[37] Formal Systems Eurpoe Ltd. Process Behaviour Explorer : ProBE User Manual, 
2003. Online; accessed 23 May 2013.
[38] Formal Systems University of Oxford. FDR 2.94 manual, 2012. Online; accessed 
19 November 2012.
[39] D. Gajski and R. H. Kuhn. New VLSI tools - guest editors’ introduction. IEEE  
Computer, 16(12):11-14, 1983.
[40] M. K. Ganai, A. Gupta, and P. Ashar. DiVer. SAP-based model checking platform 
for verifying large scale systems. In TAG AS, volume 3440 of LNCS, pages 575-580. 
Springer.
[41] Kanai L Ghosh. Personal Communication, December 2013.
[42] Daniel Gil, JuanCarlos Baraza, Joaqun Gracia, and PedroJoaqun Gil. Vhdl 
simulation-based fault injection techniques. In Alfredo Benso and Paolo Prinetto, 
editors, Fault Injection Techniques and Tools for Embedded Systems Reliability 
Evaluation, volume 23 of Frontiers in Electronic Testing, pages 159-176. Springer 
US, 2004.
[43] K. G. W. Goossens. Reasoning about VHDL using operational and observational 
semantics. In CHARME, volume 987 of LNCS, pages 311-327. Springer, 1995.
[44] Mentor Graphics. ModelSim Users Manual, 10.1 edition.
[45] Mentor Graphics. Questa SIM  Users Manual, lO.Od edition.
Bibliography 253
[46] Mentor Graphics. Formalpro equivalence checking.
http://w w w .m entor.com /products/fv/form alpro/, November 2012. Online; 
accessed 19 November 2012.
[47] D. Grofie, U. Kiihne, and R. Drechsler. Estimating functional coverage in bounded 
model checking. In DATE, pages 1176-1181. ACM, 2007.
[48] A. Gupta, M. K. Ganai, and C. Wang. SAT-based verification methods and appli­
cations in hardware verification. In SFM, volume 3965 of LNCS, pages 108-143. 
Springer, 2006.
[49] K. Hao, F. Xie, S. Ray, and J. Yang. Optimizing equivalence checking for behavioral 
synthesis. In DATE, pages 1500-1505. IEEE, 2010.
[50] F. Heidenreich, J. Johannes, M. Seifert, C. Wende, and M. Bohrne. Generating safe 
tem plate languages. In Generative Programming and Component Engineering, 8th 
International Conference (GCPE), pages 99-108. ACM, 2009.
[51] G. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.
[52] G. J. Holzmann. The SP IN  Model Checker - primer and reference manual Addison- 
Wesley, 2004.
[53] Y. Isobe and M. Roggenbach. Verifying the uniform candy distribution puzzle with 
CSP-Prover. In Stefan Gruner and Bruce Watson, editors, COLLOQUIUM and 
FESTSC H RIFT at Occasion of the 60th Birthday of Derrick Kourie. University 
Pretoria, 2008.
[54] Kanai Lai Ghosh. VHDL Parser in Java.
http://www.edautils.com /VHDLParser.htm l, 2013. Online; accessed 20- June 
2013.
[55] S. Abu Kharmeh, K. Eder, and D. May. Formal analysis of a programmable 
performance-critical processor communication interface. In Proceedings of the 
10th International Workshop on Automated Verication of Critical Systems (AV- 
oCS 2010), pages 115-117. University of Düsseldorf, October 2010.
[56] Z. Khasidashvili and Z. Hanna. SAT-based methods for sequential hardware equiv­
alence verification without synchronization. Electronic Notes in Theoretical Com­
puter Science, 89(4):593 -  607, 2003. BMC’2003, First International Workshop on 
Bounded Model Checking.
254 Bibliography
[57] C. D. Kloos and P.T. Brener. Formal semantics for VHDL. Kluwer international 
series in engineering and computer science: VLSI, computer architecture, and dig­
ital signal processing. Kluwer Academic Publishers, 1995.
[58] D. Kolovos, R. F. Paige, L. M. Rose, and F. A. C. Polack. Epsilon. Sourceforge, 
http://w w w .eclipse.org/epsilon/doc/book/, January 2009.
[59] D. S. Kolovos, R. F. Paige, and F. Polack. The Epsilon Transformation Language. 
In ICMT, volume 5063 of LNCS, pages 46-60. Springer, 2008.
[60] Vitaliy Kulanov. Personal Communication, October 2013.
[61] K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL Tool, http://w w w .uppaal.org/, 
2012. Online; accessed 19 November 2012.
[62] M. Leuschel and M. J. Butler. ProB: an automated analysis toolset for the B 
method. ST T T , 10(2):185-203, 2008.
[63] S. Maginot. Evaluation criteria of HDLs: VHDL compared to Verilog, UDL/I & 
M. In Proceedings of the conference on European design automation, EURO-DAC 
’92, pages 746-751. IEEE Computer Society Press, 1992.
[64] K. L. Man. Timed Chi: Modeling, simulation and verification of hardware systems. 
Computing and Informatics, 29(6):901-928, 2010.
[65] K. L. McMillan. Symbolic model checking. Kluwer, 1993.
[6 6 ] J. Strother Moore. Symbolic simulation: An ACL2 approach. In FMCAD, volume 
1522 of LNCS, pages 334-350. Springer, 1998.
[67] T. K. Nguyen, J. Sun, Y. Liu, and J. S. Dong. A model checking framework for 
hierarchical systems. In A SE, pages 633-636. IEEE, 2011.
[6 8 ] Institute of Electrical and Electronic Engineers. IEEE Standard for Waveform and 
Vector Exchange (WAVES). IEEE Std 1029.1-1991, 1992.
[69] Institute of Electrical and Electronic Engineers. IEEE Standard for Multivalue 
Logic System for VHDL Model Interoperability (Std_logic_1164). IEEE Std 1164- 
jggg, 1993.
[70] Institute of Electrical and Electronic Engineers. IEEE Standard VHDL Reference 
Manual. IEEE  Std 1076-1993, 1994.
Bibliography 255
[71] Institute of Electrical and Electronic Engineers. IEEE Standard for Property Spec­
ification Language (PSL). IEEE Std 1850-1995, 1995.
[72] Institute of Electrical and Electronic Engineers. IEEE Standard Verilog Hardware 
Description Language. IEEE Std 1364-2001, 2002.
[73] Institute of Electrical and Electronic Engineers. IEEE Standard for System Verilog 
- Unified Hardware Design, Specification, and Verification Language. IEEE Std
2005.
[74] Institute of Electrical and Electronic Engineers. IEEE Standard for SystemC Lan­
guage Reference Manual. IEEE Std 1666-2011, 2011.
[75] S. Ostroumov and L. Tsiopoulos. VHDL code generation from formal Event-B 
models. In DSD, pages 127-134. IEEE, 2011.
[76] L. Petre, K. Sere, and L. Tsiopoulos. Model-based analysis tools for component 
synthesis. In FMCO, volume 6957 of LNCS, pages 102-121. Springer, 2010.
[77] A. Pnueli. The temporal logic of programs. In FOCS, pages 46-57. IEEE Computer 
Society, 1977.
[78] J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems in 
CESAR. In Symposium on Programming, volume 137 of Lecture Notes in Computer 
Science, pages 337-351. Springer, 1982.
[79] R. Reetz and T. Kropf. Evaluating possibilities for formally sound simulation and 
verification of VHDL. In Proceedings of the 3rd Workshop on Designing Correct 
Circuits (DCC96), Electronic Workshops in Computing, 1996.
[80] R. Reetz, K. Schneider, and T. Kropf. Formal specification in VHDL for hardware 
verification. In DATE, pages 257-263. IEEE Computer Society, 1998.
[81] L. Reva, V. Kulanov, and V. Kharchenko. Design fault injection-based technique 
and tool for fpga projects verification. East-W est Design; Test Symposium, 0:191- 
195, 2011.
[82] A. W. Roscoe. Compiling Shared Variable Programs into CSP. In Proceedings of 
PROGRESS workshop 2001, 2001.
[83] A. W. Roscoe. Understanding Concurrent Systems (Texts in Computer Science). 
Springer, 1  edition, April 2010.
256 Bibliography
[84] A. W. Roscoe, P. H. B. Gardiner, M. Goldsmith, J. R. Hulance, D. M. Jackson, 
and J. B. Scattergood. Hierarchical compression for model-checking CSP or how 
to check 1 0 ^  dining philosophers for deadlock. In TACAS, volume 1019 of LNCS, 
pages 133-152. Springer, 1995.
[85] A. W. Roscoe, G. A. R. Hoare, and Richard Bird. The Theory and Practice of 
Concurrency. Prentice Hall PTR, Upper Saddle River, NJ, USA, 1997.
[8 6 ] A. W. Roscoe and David Hopkins. SVA, a tool for analysing shared-variable pro­
grams. In Proceedings of AVoCS 2007, pages 177-183, 2007.
[87] A. W. Roscoe and Z. Wu. Verifying stalem ate statecharts using CSP and FDR. In 
ICFEM, volume 4260 of LNCS, pages 324-341. Springer, 2006.
[8 8 ] S. Schneider. Concurrent and Real-Time Systems: the CSP Approach. Wiley, 1999.
[89] S. Schneider and H. Treharne. Communicating B Machines. In ZB, volume 2272 
of LNCS, pages 416-435. Springer, 2 0 0 2 .
[90] S. Schneider, H. Treharne, A. Cavalcanti, and J. Woodcock. A layered behavioural 
model of platelets. In ICECCS, pages 98-106. IEEE Computer Society, 2006.
[91] J. Sharp, H. Treharne, and S. Schneider. Assessing the applicability of SVA in 
analysing VHDL models. ECEASST, 36, 2011. Automated Verification of Critical 
Systems, 2011.
[92] D. J. Smith. VHDL & Verilog compared & contrasted plus modeled example writ­
ten in VHDL, Verilog and C. In Proceedings of the 33rd annual Design Automation 
Con/emnce, DAC '96, pages 771-776. ACM, 1996.
[93] S. Tahar, P. Curzon, and J. Lu. Three approaches to hardware verification: HOL, 
MDG and VIS compared. In FMCAD, volume 1522 of Lecture Notes in Computer 
Science, pages 433-450. Springer, 1998.
[94] Inc. The Staff of Berkeley Design Technology. An indepen­
dent evaluation of: The autoesl autopilot high-level synthesis tool.
http://w w w .bdti.com /M yBD TI/pubs/A utoPilot.pdf, 2010. Online; accessed 
19 November 2012.
[95] K. Thirunarayan, R. L., and Ewing. Structural operational semantics for a portable 
subset of behavioral VHDL-93. Form. Methods Syst. Des., 18(1):69—88, 2001.
Bibliography 257
[96] H. Treharne and S. Schneider. Using a process algebra to control B operations. In 
IFM, pages 437-456. Springer, 1999.
[97] H. Treharne and S. Schneider. How to drive a B machine. In ZB, volume 1878 of 
LNCS, pages 188-208. Springer, 2000.
[98] Moraes Rodrigues V, D. Borrione, and P. Georgelin. An ACL2 model of VHDL 
for symbolic simulation and formal verification. In Proceedings of the 13th sympo­
sium on Integrated circuits and systems design, SBCCI ’00, pages 269-274. IEEE 
Computer Society, 2000.
[99] F. Vahid and R. Lysecky. VHDL for Digital Design. John Wiley Sz Sons, 2007.
[100] D. A. van Beek, K. L. Man, M. A. Renier s, J. E. Rooda, and R. R. H. Schiffelers. 
Syntax and consistent equation semantics of hybrid Chi. J. Log. Algebr. Program., 
68(1-2):129-210, 2006.
[101] M. A. Walden and K. Sere. Reasoning about action systems using the B-Method. 
Formal Methods in System Design, 13(l):5-35, 1998.
[102] Xilinx. DS202: Virtex-5 FPGA D ata Sheet: DC and Switching Characteris­
tics. http://w w w .xilinx.com /support/docum entation/data_sheets/ds202.pdf, May
2010. Online; accessed 19 November 2012.
[103] Vladimir Zdraveski. Personal Communication, October 2013.
[104] Vladimir Zdraveski, Milos Jovanovik, Riste Stojanov, and Dimitar Trajanov. HDL 
IP Cores Search Engine Based on Semantic Web Technologies. In Mar j an Gusev 
and Pece Mitrevski, editors, IC T  Innovations 2010, volume 83 of Communications 
in Computer and Information Science, pages 306-315. Springer Berlin Heidelberg,
2011.
[105] Vladimir Zdraveski and Dimitar Trajanov. VHDL IP Cores Ontology. In 10th 
International Conference for Informatics and Information Technology (C U T 2013). 
University Ss. Cyril and Methodius, Macedonia, 2013.
[106] M. Zwolinski. Digital System Design With VHDL. Prentice Hall, 1st edition, 2000.
258 Bibliography
Glossary
architecture
B-Method
component
construct
CSP||B
The body of a VHDL de- 9, 8 6 , 87, 93 
scription capturing the be­
haviour of the component.
A development method us- 38, 39, 163 
ing the B language, based 
around abstract machine 
notation
An individual VHDL en- iii, 3, 5, 9-11, 14-16, 19-21, 23, 24, 26, 
tity  architecture pair de- 35, 37-39, 42, 43, 63, 65, 85, 87, 93-
scribing the behaviour or 95, 97, 99,100, 102-107, 109-115, 118,
the composition of other 121, 124, 125, 131, 134-144, 146, 151,
components 152, 158, 162, 165, 170, 171, 173, 174,
176, 178, 180, 181, 183-186, 189-191, 
193, 194, 197, 198, 200, 237, 239-243, 
245, 248-250, 253 
An identifier for captur- 112-114, 125, 133-143, 197, 198
ing a VHDL component or 
process, defined within a 
CSP datatype
A hybrid formal language 39, 163
combining CSP and the B- 
Method
260 Glossary
EMFText
entity
Event-B
NetList
NuSMV
port
port mapping
ProB
An eclipse plug-in allowing 
quick definition of Domain 
Specific Languages using 
Ecore metamodels 
VHDL entity, describing 
the externally visible in­
formation of a VHDL com­
ponent
An evolution of the B lan­
guage with a simpler nota­
tion, for formally describ­
ing event driven systems, 
with a strong focus on re­
finement
The synthesised transistor 
level design for a VHDL 
description
A model checker based on 
SMV that further extends 
the SMV language
A specialisation of VHDL 
signal, for external com­
munication. A direction 
of communication must be 
defined for a port.
Defines a linking between 
two VHDL components 
through their external sig­
nals
A model checker for the 
B-Method, Event-B and 
CSP based on LISP
164
10, 86, 87, 93
42, 43
37-39, 42
40
9-11, 13, 14, 16, 19-21, 23, 24, 26, 63- 
71, 74, 80, 86, 87, 93, 95, 97, 112-114, 
118, 121, 122, 125, 127, 140, 151, 152, 
163, 165, 171, 178, 181, 184, 190, 197, 
239, 242, 243
9, 97,104, 105, 112-114, 118, 121,122, 
125, 135, 138, 152, 249
38
Glossary 261
process
PROMELA
sensitivity list
signal
SystemC
testbench
A VHDL construct for 
defining some sequential 
behaviour within a VHDL 
architecture
A model checker based on 
SMV that further extends 
the SMV language
A list of VHDL signals and 
ports to which a VHDL 
process reacts.
A VHDL representation of 
a communication medium 
(a wire) between two logic 
gates.
A hardware design lan­
guage based on C + +  with 
additional hardware con­
cepts
A user defined test envi­
ronment for VHDL hard­
ware designs, identifying 
assertions over as design 
for a predetermined sce­
nario
2, 9, 10, 16, 21, 23, 38, 64, 67-69, 75, 
77-79, 85, 8 8 , 89, 94, 102, 105, 107, 
111-113, 117, 118, 124, 152, 158, 165, 
171, 197 
37
9, 61, 63, 64, 67, 69, 75-78, 85, 94,
152, 197
2, 5, 9-14, 16, 19-21, 23, 24, 43, 63- 
72, 74-78, 80, 82-88, 93-95, 102, 104, 
111-115, 121, 122, 125, 127, 135, 136,
138, 140, 141, 151, 152, 155, 156, 158,
161-163, 165, 168, 174, 178, 181, 183,
184, 188-190, 192, 194, 195, 197, 200,
238 
35,44
1, 24-26, 42, 45, 192
UPPAAL A rich modelling tool for 37 
timed autom ata
262 Glossary
Verilog Another Hardware De- 35
scription Language for 
modelling hardware
systems
