A Typing Discipline for Hardware Interfaces by de Muijnck-Hughes, Jan & Vanderbauwhede, Wim
A Typing Discipline for Hardware Interfaces
Jan de Muijnck-Hughes
University of Glasgow, UK
Jan.deMuijnck-Hughes@glasgow.ac.uk
Wim Vanderbauwhede
University of Glasgow, UK
Wim.Vanderbauwhede@glasgow.ac.uk
Abstract
Modern Systems-on-a-Chip (SoC) are constructed by composition of IP (Intellectual Property)
Cores with the communication between these IP Cores being governed by well described interaction
protocols. However, there is a disconnect between the machine readable specification of these
protocols and the verification of their implementation in known hardware description languages.
Although tools can be written to address such separation of concerns, the tooling is often hand written
and used to check hardware designs a posteriori. We have developed a dependent type-system and
proof-of-concept modelling language to reason about the physical structure of hardware interfaces
using user provided descriptions. Our type-system provides correct-by-construction guarantees that
the interfaces on an IP Core will be well-typed if they adhere to a specified standard.
2012 ACM Subject Classification Theory of computation → Type theory; Hardware → System on
a chip; Software and its engineering → System description languages
Keywords and phrases System-on-a-Chip, AXI, Dependent Types, Substructural Typing
Digital Object Identifier 10.4230/LIPIcs.ECOOP.2019.6
Supplement Material ECOOP 2019 Artifact Evaluation approved artifact available at
https://dx.doi.org/10.4230/DARTS.5.2.14
Funding This work is part of Border Patrol: Improving Smart Device Security through Type-Aware
Systems Design (EP/N028201/1) and has been sponsored by an EPSRC funding call on Trust,
Identity, Privacy and Security in the Digital Economy.
Acknowledgements The authors would like to thank the anonymous reviewers for commenting on
the paper, and also various members of Scottish Programming Language Community (SPLS) for
their helpful comments on early versions of the work.
1 Introduction
Hardware Description Languages (HDLs) such as Verilog, SystemVerilog and VHDL are
designed to realise both the structure and behaviour of hardware systems. Hardware is
modelled as interconnected components (modules) that are connected through ports; ports
being individual wires or a collection of wires. Ports carry data, and the flow of data on
a port is directional. HDLs abstract over groupings of ports (port groups) as an interface,
and present values at higher levels of abstraction such as integers and strings. A component
can have multiple interfaces that each send multiple values, and can each be characterised
differently. An initiating interface (initiator) initiates communication, and the targeted
interface (target) is the recipient of the communication.
Modern hardware design is not just about digital circuits, it is also about describing
systems of systems. For instance, System-on-a-Chip (SoC) views hardware modules (IP
Cores) as boxes connected using well-known and bespoke interfaces. The structure, and
behaviour, of these interfaces are described in natural language documents [3, 41, 4]. Such
standards documents will present an abstract interface description which is a global view of
Co
ns
iste
nt *
Complete * W
ell Documented*Easyto
Re
us
e*
*Evaluated*
EC
OO
P *
Artifact * AEC
© Jan de Muijnck-Hughes and Wim Vanderbauwhede;
licensed under Creative Commons License CC-BY
33rd European Conference on Object-Oriented Programming (ECOOP 2019).
Editor: Alastair F. Donaldson; Article No. 6; pp. 6:1–6:27
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
6:2 A Typing Discipline for Hardware Interfaces
an interface agnostic to its endpoint usage, and will provide salient structural information
(using natural language) about each port in the interface required for realisation in a HDL.
Details provided include a port’s size, sensitivity, necessity, flow, and dependencies between
the details specified. Further, these documents describe behavioural characteristics of the
interfaces as a whole. For example, how ports are grouped to describe different channels.
While circuit-level designs are required to implement behaviour at a low-level, the designer
must also ensure that the components in a SoC design are correctly connected according
to the provided specification. Standardised machine readable formats such as IP-XACT
capture many of the structural information found within the standards document’s natural
language descriptions [23]. However, interface specifications written using IP-XACT cannot
be parameterised, nor can structural dependencies be specified between ports and over
interfaces. Further, not all the information contained within a natural language document
can be specified using IP-XACT. For instance, IP-XACT does not support the definition of
strobe, a signal carried on a separate port that is linked to an individual bit in multi-wire
data bus. The number of strobe is dependent on the size of the bus. Conversely, the machine
readable specification can present information more clearly than the specification document
itself. For example, port necessity for the APB specification is more clearly described in the
IP-XACT specification than in the standards document.
Generally speaking, there is a disconnect between the description of an interface’s structure
in a standards document, its representation in a standardised machine readable format,
and its enforcement in a HDL. When instantiating these interfaces in a HDL there are no
mechanisms to ensure that the characterised interfaces respect the specifications. As a result,
mismatches between the specifications and their implementations are common.
1.1 Contributions
The aim of our work is to improve the security and safety of SoC design by utilising state-of-the-
art concepts from programming language theory to provide greater correct-by-construction
guarantees over the structural and behavioural aspects of SoC designs.
Dependent type-systems present a rich and expressive setting that allows for precise
program properties to be stated and verified directly in the language’s type-system [28].
Such type-systems also support modelling of resource usage in the style of substructural
typing [40, 6]. By building upon existing work from hardware design we can use these
concepts to construct a type-based formal description of abstract interfaces, and formally
validate that concrete component interfaces adhere to these descriptions at design-time using
type checking.
Specifically, we make the following contributions:
1. We present a type-driven modelling framework (Cordial) for reasoning about interfaces
on components within a SoC design.
2. We show the use of Cordial for describing an exemplar protocol Mungo, and discuss
how Cordial can be used to model real-world protocol specifications: APB, LocalLink
and AXI [4, 3, 41].
3. We describe the formalisation of our framework in the dependently typed programming
language Idris [9] that also constitutes a proof-of-concept implementation.
Figure 1 summarises the core constructs that comprise Cordial and their relations.
Modelling information is taken from the IP-XACT standard [23] and existing work [30] to
construct a model (θAID) to represent abstract interface descriptions. Our model construction
language (λAID) is a simple extension to the Simply Typed Lambda Calculus (STLC) and
J. de Muijnck-Hughes and W. Vanderbauwhede 6:3
λAID λ
redux
AID λ
cont
AID θAID θ
proj
AID θCOMP
model construction type checking
Figure 1 Relationships between various languages, models, and intermediate representations.
models parameterised specifications as computable functions, and allows dependencies to
be made between signals. The type-system of λAID follows a substructural design [40, 5]
allowing correctness guarantees towards labelling of signals to be lifted into the type-system.
Model construction is from reduction of λAID instances to a reduced form (λreduxAID ) which is
then evaluated to construct θAID instances using continuation passing. Concrete interfaces
are modelled using θCOMP to present components in a SoC with multiple interfaces.
Inspired by notions of global and local types from Session Types [22] abstract interface
specifications are treated as a global description that is characterised to a local description –
θ
proj
AID. By embedding the projected model (θ
proj
AID) into the type of the interface description
(θCOMP) the model’s type-system ensures that a local type is satisfied by its global type.
Further, the concept of thinnings [1, § 3] captures a specification’s optional ports, and allows
optional ports to be knowingly skipped.
Application of Cordial would see it embedded within existing SoC tooling and to enrich
existing HDLs with static design-time mechanisms that would make mismatches between
interface specification and implementation impossible and thus reduce errors, increase design
productivity and enhance safety and security of the SoC designs. The transformations of
specification instances, and model projections would be automatic and hidden from users.
Protocol designers would have a tool (based on λAID) to design interface specifications. During
the SoC design phase SoC designers use these specifications to annotate their components
(θCOMP) and ensure their port selections are correct.
1.2 Outline
Section 2 presents a running example that further motivates our work. Section 3 introduces
our model for abstract interface descriptions (θAID) and the specification language (λAID)
used to construct θAID model instances. Section 4 details our model (θCOMP) for describing
concrete components and how projected θAID instances are used to type-check interfaces.
Section 5 briefly describes the formalisation of Cordial in Idris, and Section 6 considers use
of the framework to model real-world interaction protocol specifications. Section 7 discusses
the efficacy of the framework, and considers related work. The paper concludes with a
discussion over future work in Section 8.
Notation. For simplicity the syntax for standard algebraic types are abstracted over. Similar
abstractions are used for dependent types. Single-field variant types are presented with a
constructor name as the label and the body being a n-ary tuple. Where possible simple
typing rules are embedded within the presentation of abstract syntax and types. Model types
are denoted using blackboard style letters. Types from construction languages are denoted
using uppercase Greek letters. Constructs subscripted with: d are from θAID; and p are
from θprojAID.
ECOOP 2019
6:4 A Typing Discipline for Hardware Interfaces
2 The Mungo Protocol
Presentation of Cordial will be aided through consideration of an exemplar protocol
(Mungo) that captures salient physical properties common to many interaction protocols.
Table 1 Signal descriptions for Mungo.
Name Width Direction Necessity Source Sensitivity
SYS_CLK 1 Always System Optional System High
CTRL_R 1 To Initiator Required IP High
CTRL_W 1 To Initiator Required IP High
DATA 32/16 Bi-Directional Required IP High
ADDR 8/4 To Target Required IP High
ERR_MODE 2 To Initiator Target Optional IP High
ERR_INFO user defined To Initiator Target Optional IP High
Table 1 presents the signal descriptions (abstract interface description) for Mungo.
Behaviourally the protocol represents the reading and writing of data from the initiating
IP Core to the target1. Mungo provides unicast style communication, it does not support
broadcast communication through a shared bus. A system clock (SYS_CLK) can send signals
to both the target and initiator. The clock is optional as the clock source for the specified
component might not go through this interface. Reading and writing are dictated by the
initiator using control wires CTRL_R and CTRL_W. A data bus is bidirectional and data can
have a width of 32 or 16 bits. The address bus is eight or four bits in width. Error reporting
is optional where: ERR_MODE indicates the type of error; and ERR_INFO is the message itself.
The width of error messages are left to the implementer. All wires have high sensitivity.
interface Mungo #(AWIDTH = 8, DWIDTH = 32, EWIDTH) (input bit clk);
logic [AWIDTH-1:0] addr;
logic [DWIDTH-1:0] data;
logic [2:0] errType;
logic [EWIDTH-1:0] errInfo;
logic ctrlr, ctrlw;
modport initiator(input clk,
input errType, errInfo,
output addr, ctrlw, ctrlr,
inout data);
modport target(input clk,
output errType, errInfo,
input addr, ctrlw, ctrlr,
inout data);
endinterface
Figure 2 Realising Mungo using SystemVerilog.
1 Only the physical structure of the interface is considered. How the framework can be extended to
capture behaviour properties is discussed later.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:5
Figure 2 shows how Mungo can be realised in SystemVerilog. The interface is paramet-
erised, however, SystemVerilog only allows such interfaces to have a single default parameter.
Mungo has multiple default parameters. Two characterised interfaces for both an initiator
and target are presented as modports. Error related signals and clock information are
optional. Interfaces can take many other valid structural forms. SystemVerilog supports
unrestricted use of dangling ports, in which a receiving port is unconnected. In these cases
the value received is taken as the default value as dictated by the port’s type. A designer
can also deviate from the specification and make required ports optional. When connecting
two modules together that support Mungo the wrong interface might be left out. Further,
not all HDLs support the concept of dangling ports.
module System (output wire clock);
System
module Initiator (
input wire clock,
output wire write,
output wire read,
input [1:0] errorType,
input [7:0] errorInfo,
output [7:0] address,
inout [31:0] data
);
Initiator
module Target(
input wire clock,
input wire write,
input wire read,
input [7:0] address,
inout [31:0] data
);
Target
module Top ();
wire clock, write, read;
wire [7:0] address;
wire [31:0] data;
System s (.clock(clock));
Initiator i (.clock(clock), .write(write), .read(read), .errorType(), .errorInfo(),
.address(address), .data(data));
Target t (.clock(clock), .write(write), .read(read), .address(address), .data(data));
endmodule
Top
Figure 3 SystemVerilog module definitions adhering to Mungo, and signal flow indicators.
Figure 3 presents a second use of SystemVerilog to declare two components that support
Mungo, and connect them together. Within Figure 3 we present a visualisation of the
module interconnections. Within this example, the initiating component has two dangling
ports for optional error reporting, and we have deviated from the specification in using
different labels. SystemVerilog provides name and positional oriented connection of modules.
Ultimately, the programmer is responsible for ensuring that the ports are connected correctly,
and can wire or name ports freely. We need to ensure that the interfaces on a module are
valid against their respective specifications.
3 Abstract Interface Descriptions
This section presents a model (θAID) for reasoning about abstract interface descriptions,
together with a language (λAID) for model construction. How λAID instances are transformed
into θAID instances is also described.
Taking inspiration from IP-XACT [23], abstract interfaces are modelled as a named-tuple
of port descriptions and other metadata. This is a common approach as seen by existing
work [30, 19]. For each port a variety of emergent properties are also tracked. Dependent
ECOOP 2019
6:6 A Typing Discipline for Hardware Interfaces
types control invariants over model structure and property values. θAID model instances are
not parameterised, the construction language (λAID) facilitates creation of parameterised
specifications and ensures models created use unique labels using substructural typing.
3.1 Properties
Ghica et al. [19] modelled ports according to their size and signal direction. However, there
are other important properties as shown by McKechnie [30]. Ports are uniquely identified
using labels. Similar types of ports share similar behaviour. A port can: communicate
data; provide addressing information; provide clock ticks; trigger a reset; signal an interrupt;
indicate control; provide port-level behavioural information; or is used in a general sense.
Differentiating between these behaviours is important when connecting two (or multiple)
ports together. Not all ports in an interface are required, and how a port responds to changes
in signal (sensitivity) should also be captured.
For interfaces, salient properties concern the style of communication. Does the inter-
face expect to interact with a set number of other interfaces, or interact directly with
another interface?
3.2 Model Components
Metadata
i,n :N∗ F Natural numbers greater than zero.
r : L F User provided labels
s :SF High | Low | Rising | Falling | Insensitive Wire Sensitivity
h :HF System | IP Port Origin
ccstyle :Cstyle F Broadcast | Unicast Comm. Style
Ports
kp :KP F WIRE | ARRAY Kind
A : KP → Type Type
t :A (ARRAY)F Data | Address Values
t :A (WIRE)F Clock | Reset | Interrupt | Control
t :A (kp)F General | Info
Labels
kl :KL F NMD | IDX Kind
L : KL → Type→ Type Type
l :L(NMD, L)F Named(r) Values
l :L(IDX, L)F Indexed(r, i)
ec F n | r | s | h | cstyle | kp | t | l
Tc :TypeF L | N∗ | S | H | Cstyle | KL | L(kl, L) | KP | A (kp)
Figure 4 Common terms and their types.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:7
Figure 4 presents the shared terms and types used throughout the models and languages
presented. Numbers originate from the set of natural numbers greater than zero. Port
labels are specification dependent and assumed to be typed enumerations. Signals are either
sensitive or insensitive. Sensitive wires are level sensitive (high, or low) or edge sensitive –
rising or falling. Signals either originate from a system interface, or from another component
– IP Core. An interface’s communication style is either broadcast or unicast.
Of interest is how a port’s type and label are modelled. A “kind” provides type-level
disambiguation between different kinds of labels and ports. θAID & λAID support several
types of port, and different port types have different shapes. Data and address ports will
always be an array of ports. Clocking information, resets, interrupts, and control ports
will always use a single wire. General and information ports can have either shape. When
describing widths, the shape of the port will dictate possible values.
Ports must be labelled, however, they can also share a common name with a fixed set of
other ports – cf. strobes in APB and AXI. A label is either named and is used once, or indexed
and used i times. To prevent ambiguities between different label families, the type for labels
is indexed with the type associated with the underlying name used.
3.3 A Model for Abstract Interfaces
Figure 5 presents the core modelling constructs, and typing rules, for θAID model instances.
Within θAID, signal flow is directional. Signals flow from: initiator to target ( ); target to
initiator (f); bidirectional (!); always received (f); or always produced – ( ). Ports
can be completely optional ( ? ), target optional ( ?t ), initiator optional ( ?i ), or are required
– ( ! ). Wire ports have width (1d), and array ports have width (wd (n)) where n is greater
than one. Ports can be specified with an arbitrary width – (∞d). The type for port widths
is paramterised by a port kind. This enforces the relation that ports will have the correct
width for their kind i.e. a wire can only have length one.
A port description is a named tuple comprising of the port’s label (l), kind (kp), type (t),
flow ( f ), necessity (o), width (w), sensitivity (s), and origin – (h). The type for ports is a
type synonym for the following dependent function:
portp :L(L, kl) → (kp :KP) → A (kp) → F→ Od →Wd (kp) → S→ H→ Pd (L)
Dependently typed terms allow for an invariant to hold during term construction. The port
kind associated with a port type and width, must respect the specified port kind. Thus, if
the port has kind WIRE then its width and type must be suitable for a wire. Further, the
port type itself (Pd (L)) is indexed by the type associated with label.
Ports are grouped in a cons-style collection (ps :PGd (L)) whose type is also parameterised
by the type associated with labels. All ports in a group must have the same type of label.
An abstract interface is a named tuple containing the interface’s communication style, max
number of initiators and targets, and a collection of ports.
3.3.1 Example
Figure 6 presents a θAID instance for Mungo – Table 1. An enumerated type provides
labelling information. θAID instances are, however, not parameterised. Mungo is an interface
that can be instantiated with several address and data bus widths. The example instance for
Mungo in Figure 6 provides holes () in place of precise widths. Exact values for widths
must be presented. Further, there are no restrictions on label use, one can easily duplicate the
use of a name. The next section presents a language to present parameterised specifications
and ensure label uniqueness.
ECOOP 2019
6:8 A Typing Discipline for Hardware Interfaces
f :FF |f |!| f | Signal Flow
od :Od F ? | ?i | ?t | ! Necessity
w :Wd (kp)F 1d | wd (n) | ∞d Widths
pd :Pd (L)F portd(l, kp, t, f ,od,wd, s, h) Port
psd :PGd (L)F ∅d | pd ::d psd Portgroup
id : Id (L)F ifaced(cstyle,n,n, psd) Interface
eaidl F ec | f | od | wd | pd | psd | id Expressions
Taidl F T ∈ Tc | F | Od | Wd (kp) | Pd (L) | PGd (L) | Id (L) Types
(a) Terms and types.
DWU
kp :KP
∞d :Wd (kp)
DWO
1d :Wd (WIRE)
DWM
i :N∗, [i ≥ 2]
wd (i) :Wd (ARRAY)
PD
kp :KP
l :L(L, kl) ty :A (kp) f :F wd :Wd (kp) s :S od :Od h :H
portd(l, kp, ty, f ,od,wd, s, h) :Pd (L)
PGD-E ∅d :PGd (L)
PGD-C
p :Pd (L) ps :PGd (L)
p ::d ps :PGd (L)
ID
c :Cstyle maxI :N∗ maxT :N∗ ps :PGd (L)
ifaced(c,maxI,maxT, ps) : Id (L)
(b) Typing Rules.
Figure 5 Definition of θAID.
L F C | R | W | D | A | E | I
ifaced(Unicast,1,1,portd(Named(C),WIRE,Clock,f, ? ,1d,High,System)
::dportd(Named(R),WIRE,Control, , ! ,1d,High, IP)
::dportd(Named(W),WIRE,Control, , ! ,1d,High, IP)
::dportd(Named(D),ARRAY,Data,!, ! ,wd (),High, IP)
::dportd(Named(A),ARRAY,Address, , ! ,wd (),High, IP)
::dportd(Named(E),ARRAY, Info,f, ?t ,wd (2),High, IP)
::dportd(Named(I),ARRAY, Info,f, ?t ,∞d,High, IP)
::d∅d)
Figure 6 Mungo as a partial θAID instance.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:9
3.4 Specifying Interface Descriptions
Figure 5 presents a model instance that is dependently typed, however, the model design
itself has several limitations. First, labels are not required to be unique. Second, model
instances cannot be parameterised. We address these issues through creation of a description
language λAID. An extension of the STLC, λAID describes the construction of model instances.
Specifications are a sequencing of port descriptions, and other metadata. Function, and
application, in λAID provide parameterisation of specifications, and descriptions of structural
dependencies. Evaluation of λAID, using continuation passing, constructs instances of a θAID
model. A substructural type-system provides further correct-by-construction guarantees
that labels are unique. Construction semantics detail model instance construction from
λAID programs.
3.4.1 Counting Label Usage
Substructural type-system’s extend existing type-systems with extra information [40]. Labels
in θAID instances are required to be unique. The type-system for λAID is designed to ensure
that label usage is linear: A label can only be used once.
Inspired by the work of McBride [29] we utilise a “rig” to capture label usage. For our
bespoke use case a rig of the same style is not required. McBride’s rig is for computation
(addition and multiplication), and our rig is for usage accounting only. We define our rig as:
I Definition 1 (Rig o’ 2). Let R = {used, free} be a set, with an operation use(u) to change a
u ∈ R as follows:
use(u)F
{
free 7→ used
used 7→ used
3.4.2 Terms
e F i | n | r | f | kp | s | h | c Constants
| (add e e) | (sub e e) | (mul e e) | (div e e) Maths
| ?1 | ω Unit Values & Variables
| e; e | bec | let ω be e in e Statements
| (λ(i) · e) | e $ n | (λ(i; [i ∈ ps]) · e) | e $[i∈ps]i Function & Application
| label(n) Label Creation
| portDesc(ω, kp, ty, f ,o,w, s, h) | replicate(i, e) Port Specification
| stop Stopping
| setCommunication(c) | setMaxInitiators(n) Metadata
| setMaxTargets(n)
Figure 7 Terms for λAID.
Figure 7 presents the terms for λAID. Common structures from Figure 4 are included
except for the terms for labels. Terms can be sequenced, and bound to variables using
let-bindings. Pure values are indicated with bec. Combined the terms “Let”, “Seq”, “Unit”
ECOOP 2019
6:10 A Typing Discipline for Hardware Interfaces
and “Pure” form a monadic computation context in which the labels and their usage are the
computation in context. Although, sequencing is presented separately from “Let”-bindings,
sequencing can also be described as a “Let”-binding where ω is bound to ?1.
The term stop denotes the end of a specification such that all labels are used. Terms are
presented to represent functions, and function application. Predicated versions of functions
and application exist to restrict parameters of type N∗ to predefined sets of whole numbers.
Whole labels are created using a single term. Port declarations are similar to port construction
in Figure 5a, except that rather than a direct label, port descriptions must take a label
variable. There are terms for setting communication style, and max number of initiators and
targets. Within λAID, labels are not indexed. Ports with an indexable label are indicated
using replicate.
A simple arithmetic language with binary operators to operate on whole numbers is
embedded within λAID. Supported operations are addition, subtraction, multiplication, and
division. With this, user provided widths can be used to construct arithmetic dependencies
on the number of ports in a specification. This is described using replicate. Allowing for data
dependent port specifications (i.e. strobes) to be supported.
3.4.3 Type-System
T ∈ T F L | Tc ∈ Tc \ (L(kl, L)) | F | Od | Wd (kp) Types for Constants
| 1 | Λ (L,u) | Ψ (L) Types for Unit/Labels/Port
| T → T | (i :N∗) [i∈ps]−→ T Types for Functions
Γ F  | Γ + (e :T) | Γ ± (e :T) Context
Figure 8 Types & typing context for λAID.
Figure 8 presents the types for λAID. Here L is a placeholder to represent a user defined
set of labels. Several types are taken from existing constructs (Figures 4 and 5a) without the
type for labels, ports, port groups and interfaces. Three new types are introduced. First
is the unit type (1) to represent terms that do not represent computations. Second is the
type for label variables (Λ (L,u)), indexed by the type of the underlying label value and
parameterised with usage information from the “Rig o’ 2”. Function types follow the standard
definition, and predicated functions are restricted to acting on whole numbers.
Within λAIDwell-typed contexts (Γ) comprise of name type pairings. Contexts can be
extended using (+), and named terms updated using (±).
Section 3.4.3 presents the typing rules for λAID. For brevity the typing rules for maths
expressions are not provided. Like the syntax definition for λAID itself, the typing rules follow
that of the STLC, but with extensions for describing abstract interfaces. Rules Var,Lam,
App, Let, Pure, and Seq follow standard conventions with one noticeable difference that
follows from the work of Atkey [5]: Usage information associated with labels presents stateful
information. The monad form by “Let”, “Seq”, “Unit”, and “Pure” is a Hoare Monad that
allows state information for label usage to be threaded through the entire computation [8].
The notation Γold ` e a Γnew represents updating the context from Γold to Γnew . The context
will change only if the rules are well-typed. Where the notation is not used implies the
context does not change.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:11
Var
ω :T ∈ Γ
Γ ` ω :T Let
Γ1 ` a :T1 a Γ2 Γ2 + (ω :T1) ` b :T2 a Γ3
Γ1 ` let ω be a in b :T2 a Γ3
Pure
x :T ∈ Γ
Γ ` bxc :T
Lam
Γ1 + (i :T1) ` e :T2 a Γ2
Γ1 ` (λ(i) · e) :T1 → T2 a Γ2
App
Γ1 ` f :T1 → T2 a Γ2 Γ1 ` i :T1
Γ1 ` f $ i :T2 a Γ2
PLam
Γ1 + (i :N∗) ` e :T2 a Γ2 ps = {i1, . . . , in} [i ∈ ps]
Γ1 ` (λ(i; [i ∈ ps]) · e) :N∗ [i∈ps]−→ T2 a Γ2
PApp
Γ1 ` f : (i :N∗) [i∈ps]−→ T a Γ2 Γ1 ` i′ :N∗ ps = {i1, . . . , in} [i′ ∈ ps]
Γ1 ` f $[i∈ps]i′ :T a Γ2
Seq
Γ1 ` e1 :T1 a Γ2 Γ2 ` e2 :T2 a Γ3
Γ1 ` e1; e2 :T2 a Γ3
Unit
Γ ` ?1 : 1
LBL
Γ ` L :Type Γ ` n : L
Γ ` label(n) :Λ (L, free)
Stop
∀ω :Λ (L,u) ∈ Γ [u ≡ used]
Γ ` stop : 1 a 
Port
Γ ` l :Λ (L, free) Γ ` kp :KP
Γ ` ty :A (kp) Γ ` f :F Γ ` o :Od Γ ` w :Wd (kp) Γ ` s :S Γ ` h :H
Γ ` portDesc(l, kp, ty, f ,o,w, s, h) :Ψ (L) a Γ ± (l :Λ (L,used))
REP
Γ1 ` i :N∗ [i > 2] Γ1 ` e :Ψ (L) a Γ2
Γ1 ` replicate(i, e) : 1 a Γ2
Max-I
Γ ` n :N∗
Γ ` setMaxInitiators(n) : 1
Max-T
Γ ` n :N∗
Γ ` setMaxTargets(n) : 1 COM
Γ ` c :Cstyle
Γ ` setCommunication(c) : 1
Figure 9 Typing rules for λAID.
Predicated functions, and their application, mirror their plain counterparts but have a
side-condition that requires the predicate to hold true for type-checking to be successful.
The typing rules for labels and ports use the “Rig o’ 2” to instantiate and augment the
usage count for types for labels – Λ (L,u). These are the type-level computations that enforce
correct label usage. Rule LBL presents the typing rule for label creation, initialising the type
with usage free. Rule Stop describes the end conditions for λAID programs, and results in
erasure of the context. λAID programs will successfully type-check only if all label variables
have been used. Rule Port specifies a new port, and consumes labels. A label ω with type
Λ (L,u), and usage u can only be used if the usage is free. If the label is available to use the
type for ω in resulting computations will be Λ (L,used), and thus be unavailable.
Replication of a port description (Rule REP) details that a port will be replicated if the
number of replications is greater than two. The remaining rules detail the simple typing
rules for the remaining terms.
ECOOP 2019
6:12 A Typing Discipline for Hardware Interfaces
3.4.4 Example
 `Mungo : (x :N∗) [x∈{32,16}]−→ (y :N∗) [y∈{8,4}]−→ 1 a 
Mungo B (λ(x; [x ∈ {32,16}]) · (λ(y; [y ∈ {8,4}]) ·
setCommunication(Unicast); setMaxInitiators(1); setMaxTargets(1)
; let c be label(C) in
let r be label(R) in
let w be label(W) in
let d be label(D) in
let a be label(A) in
let e be label(E) in
let i be label(I) in
portDesc(c,WIRE,Clock,f, ? ,1d,High,System)
; portDesc(r,WIRE,Control, , ! ,1d,High, IP)
; portDesc(w,WIRE,Control, , ! ,1d,High, IP)
; portDesc(d,ARRAY,Data,!, ! ,wd (x),High, IP)
; portDesc(a,ARRAY,Address, , ! ,wd (y),High, IP)
; portDesc(e,ARRAY, Info,f, ?t ,wd (2),High, IP)
; portDesc(e,ARRAY, Info,f, ?t ,∞d,High, IP)
; stop))
Figure 10 Mungo specified using λAID.
Figure 10 demonstrates how Mungo is specified using λAID. The concrete set of labels
from Figure 6 are reused. The specification for Mungo is parameterised through function
specification. This is reflected in the specification’s type signature. The use of the specification
to create θAID instances is also restricted to values of x ∈ {32,16} and y ∈ {8,4}. A type
error will occur if values for x and y were chosen that were not in the provided sets. The
type signature also shows the initial and end contexts for the function; start with nothing,
end with nothing. Different specification instances are generated through application of the
function to different values.
3.5 Building Models from Specifications
In this section the set of transformations to construct θAID instances from λAID programs are
described. We first reduce λAID programs to core terms, and use continuations to represent
model construction as evaluation of a reduced λAID program.
Figure 11 presents the reduction rules for reducing λAID programs to core terms following
standard conventions. Reduction of N∗ values mirrors reduction of natural numbers but with
smallest value being one not zero. The reduced version of a λAID program is called λreduxAID ,
and the reduction of a λAID program l to its reduced form (l ′) by the operation l ⇓redux l ′.
Much like the STLC reduction of λAID programs will also be strongly normalising.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:13
Let
e1 ⇓redux be′1c
let ω be e1 in e2 ⇓redux e2[ω/e′1]
Lam
f ⇓redux (λ(x) · b) a ⇓redux ba′c
f $ a ⇓redux b[x/a′]
PLam
f ⇓redux (λ(x; [x ∈ ps]) · b) a ⇓redux a′ [a ∈ ps]
f $[x∈ps]a ⇓redux b[x/a′]
Add
e1 ⇓redux i1 e2 ⇓redux i2
(add e1 e2) ⇓redux i1 + i2
Sub
e1 ⇓redux i1 e2 ⇓redux i2
(sub e1 e2) ⇓redux i1 − i2
Mul
e1 ⇓redux i1 e2 ⇓redux i2
(mul e1 e2) ⇓redux i1 × i2
Div
e1 ⇓redux i1 e2 ⇓redux i2
(div e1 e2) ⇓redux i1 ÷ i2
Figure 11 Reduction rules for λAID.
To construct θAID model instances, the reduced form, λreduxAID , is first transformed into a
continuation (λcontAID) in the style of Hatcliff and Danvy [21]. This transformation is denoted
using n l ocont, where l is an instance of λreduxAID . Using this approach we can make model
construction more easily checkable for termination, and model construction comes from
evaluation of λcontAID instances. For brevity we do not provide the definitions of λ
cont
AID and
n l ocont, and remark that they follow standard contructions [21].
Evaluation of λcontAID instances, which we denote using ⇓cont, transforms: label variables
into labels; port declarations into port descriptions; and repeated port declarations into port
groups. Each evaluation of the accessor functions for setting description values replaces the
previously see value, and a default set of values are supplied initially. When evaluated, the
continuation returns a tuple containing the final interface metadata and collated port groups.
The complete steps to construct a θAID from λAID are defined as:
I Definition 2 (Construction of θAID from λAID). Let m be a θAID model instance, and l be
a λAID program. The construction of m is defined as the reduction of l to an instance l ′ of
λreduxAID . This instance l
′, is then evaluated to an instance of λcontAID that is then reduced using
⇓cont to produce m:
n l oAIDλ7→θ = n l ⇓redux l ′ ocont ⇓cont m
4 Specifying IP Core Interfaces
Section 3 described the specification and construction of θAID instances, these are abstract
interface descriptions. This section looks at the specification of components in a SoC design
and how guarantees are made that the physical interfaces satisfy given θAID instances.
A model for reasoning about components (θCOMP) is introduced. Each component
comprises of a set of physical interface models whose interfaces are satisfied by a θAID
instance. Interface satisfaction is a two-step process: first a θAID instance is projected ()
using the specified endpoint e, creating the projected model θprojAID. Second, the projected
model is used in the type of an interface to provide a type-level invariant that the presented
interface satisfies the projected model. Dependently typed model terms ensures that if an
interface is well-typed then the interface satisfies the provided specification.
ECOOP 2019
6:14 A Typing Discipline for Hardware Interfaces
t :EF Initiator | Target Endpoint
dp :D (t, f )F + | − | ± Direction
op :O (t,od)F ? | ! Necessity
pp :Pp (L, t, pd)F portp(l, kp, t, dp,op,wd, s, h) Port
psp :PGp (L, t, psd)F ∅p | pp ::p psp Portgroup
ip : Ip (L, t, id)F ifacep(cstyle,n,n, psp) Interface
ep F ed | t | dp | op | pp | psp | ip Expressions
Tp F T ∈ Td | E | D (t, f ) | O (t,od) Types
| Pp (L, t, pd) | PGp (L, t, pd) | Ip (L, t, id)
Figure 12 Terms and types for θprojAID.
4.1 Projecting Abstract Interfaces
Figure 12 presents the terms, and salient types for a projected interface model instance.
A projected interface represents the local view of an abstract interface. The structure of
a projected interface mirrors that of an abstract interface, and values only differ w.r.t. a
port’s signal flow (direction), and necessity. The type’s for ports, port groups, and interfaces
are parameterised by the type of labels associated with ports, the endpoint that the term
was projected to, and the originating abstract interface. The types are indexed with the
originating term to allow for structural invariants, for example a port’s shape, to be specified.
– cf. Section 3.3.
A projected port is either unidirectional in receiving (+) or sending signals (−); or is
bidirectional – (±). A port is required ( ! ) or optional ( ? ). The types for directions and
necessity are both dependent, each containing the endpoint being projected and the original
projected value. These values are not free to choose.
(d) ? ?i ?t !
Target ? ! ? !
Initiator ? ? ! !
(a) Necessity.
(n)  f ! f  
Target − + ± + −
Initiator + − ± + −
(b) Direction.
Figure 13 Typing rules for flow and necessity projection.
Figure 13 presents the typing rules that constrain the values in the projected model to
predetermined pairings. Dependent types ensure the correctness of projection transformation.
The projection for port flow and necessity are defined as functions ((d) and (n)) that, given
a flow or optional description will compute the required direction – or necessity. Their type
signatures are:
(d) : (do :Od) → (e :E) → O (e,od)
(n) : ( f :F) → (e :E) → D (e, f )
These projection functions will only type check if the given inputs match the allowed pairing
of values for the returned type.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:15
PP
l :L(L, kl)
kp :KP ty :A (kp) d :D (e, f ) o :O (e,od) wd :Wd (kp) s :S h :H
portp(l, kp, ty, d,o,wd, s, h) :Pp (L, e,portd(l, kp, ty, f ,od,wd, s, h))
PGP-E ∅p :PGp (L, e,∅d)
PGP-C
pp :Pp (L, e, pd) psp :PGp (L, e, psd)
pp ::p psp :PGp (L, e, pd ::d psd)
IP
c :Cstyle maxI :N∗ maxT :N∗ psp :PGp (L, e, psd)
ifacep(c,maxI,maxT, psp) : Ip (L, e, ifaced(c,maxI,maxT, psd))
Figure 14 Typing rules for θprojAID.
Figure 14 presents the remaining typing rules for projected interfaces, ports, and port
groups. Like the structural definition, the typing rules mirror those for their abstract
counterparts, and are indexed by the type associated with labels. However, the types
are further indexed by their abstract counterparts, and also by the endpoint the term is
being projected under. The θAID instance provides as a type-level meta-model from which
information is sourced. This approach allows for several invariants on the structure of the
projected interface to be established.
1. Non-projected values must match.
2. Values parameterising the type of projected values are sourced from the abstract descrip-
tion and must match.
3. The endpoint that terms are being projected under must match.
4. The structure of the projected interface must match the structure of the abstract interface.
θAID 7→ θprojAID
portd(l, kp, t, dp,op,wd, s, h) p e F portp(l, kp, t, (dp d e), (op n e),wd, s, h)
∅d g e F ∅p
pd ::d psd g e F (pd p e) ::p (psd g e)
ifaced(cstyle,a, b, psp) i e F ifacep(cstyle,a, b, (psp g e))
Figure 15 Projection semantics for θprojAID.
Figure 15 presents the projection semantics for projecting θAID instances to θprojAID instances.
The type signatures for each projection function are omitted for brevity, but they follow those
for (d) and (n). By design, projections and their invariants are well-typed. Malformed
projections will fail to type-check, for example if the widths or calculated directions are wrong.
4.1.1 Example
Figure 16 presents example projections for the θAID instance for Mungo, applied to para-
meters 32 and 8 using predicated function application. Figure 16a shows a projection for
an initiator interface, and Figure 16b shows a projection for a target interface. The set of
ECOOP 2019
6:16 A Typing Discipline for Hardware Interfaces
n (Mungo ${32,16}32 ${8,4}8) oAIDλ 7→θ i Initiator
ifacep(Unicast,1,1,portp(Named(C),WIRE,Clock,+, ? ,1d,High,System)
::pportp(Named(R),WIRE,Control,−, ! ,1d,High, IP)
::pportp(Named(W),WIRE,Control,−, ! ,1d,High, IP)
::pportp(Named(D),ARRAY,Data,±, ! ,wd (32),High, IP)
::pportp(Named(A),ARRAY,Address,−, ! ,wd (8),High, IP)
::pportp(Named(E),ARRAY, Info,+, ! ,wd (2),High, IP)
::pportp(Named(I),ARRAY, Info,+, ! ,∞d,High, IP)
::p∅p)
(a) Mungo projected as an initiator interface.
n (Mungo ${32,16}32 ${8,4}8) oAIDλ 7→θ i Target
ifacep(Unicast,1,1,portp(Named(C),WIRE,Clock,+, ? ,1d,High,System)
::pportp(Named(R),WIRE,Control,+, ! ,1d,High, IP)
::pportp(Named(W),WIRE,Control,+, ! ,1d,High, IP)
::pportp(Named(D),ARRAY,Data,+, ! ,wd (32),High, IP)
::pportp(Named(A),ARRAY,Address,+, ! ,wd (8),High, IP)
::pportp(Named(E),ARRAY, Info,−, ? ,wd (2),High, IP)
::pportp(Named(I),ARRAY, Info,−, ? ,∞d,High, IP)
::p∅p)
(b) Mungo projected as a target interface.
Figure 16 Mungo projected as θprojAID instances.
directions for each port are mirror images of each other, aside from the constant direction for
the system clock and the bi-directional data port. Further, the definition of a port’s necessity
have been calculated to respect if the port is optional or not. The ports for returning error
information are optional if the interface’s endpoint is a target interface and required if the
endpoint is an initiator.
4.2 Specifying Physical Interfaces
Abstract interfaces, and their projections, represent descriptions of a component’s interface,
we must also model the component itself. Figure 17 presents the terms and types for θCOMP
model instances. Figure 18 presents the typing rules.
The structure of concrete interfaces mirrors that of the abstract interface and projection.
However, a concrete interface does not have optional ports, within our model dangling ports
are not allowed. To model skippable ports the concept of thinnings is used [1]. A thinning
allows for structures to be weakened using some decision procedure [13, 2]. We can use this
concept to weaken the specified ports in an interface’s portgroup w.r.t. a given specification.
Our decision procedure is simple: a port can be skipped if the projected port is optional. The
J. de Muijnck-Hughes and W. Vanderbauwhede 6:17
w :W (kp,wd)F u (i) | 1 | w (i) Widths
p :P (L, e, pp)F (l, kp, t, d,w, s, h) Ports
ps :PG (L, e, psp)F ∅ | p :: ps | unionsqps | p ::≈ ps Port Groups
i : I (L, e, ip)F (ps) Interfaces
is : IG (isd, es)F ∅i | i ::i is Interface Group
c :C (xs)F comp(is) Components
eCSL F eaidl | w | p | ps | i | is | c Expressions
Tcsl F Taidl | W (kp,wd) | P (L, e, pp) Types
| PG (L, e, psp) | I (L, e, ip) | IG (isd, es) | C (xs)
Figure 17 Terms for concrete interfaces.
W-Z
i :N∗ shape :KP
u (i) :W (shape,∞d)
W-O
1 :W (WIRE,1d)
W-A
i :N∗
w (i) :W (ARRAY,wd (i))
Port
l :L(L, kl)
kp :KP ty :A (kp) w :W (kp,wd) s :S h :H d :D (e, f )
(l, kp, t, d,w, s, h) :P (L, e,portp(l, kp, ty, d,o,wd, s, h))
PGP-E ∅ :PGp (L, e,∅d)
PG-C
p :P (L, e, pp) ps :PG (L, e, psp)
p :: ps :PG (L, e, pp :: psp)
PG-S
ps :PG (L, e, psp)
unionsqps :PG (L, e,portp(l, kp, t, dp, ? ,wd, s, h) :: psp)
PG-SC
p :P (L, e, pp) ps :PG (L, e, psp)
p ::≈ ps :PG (L, e, pp ::p portp(l, kp, t, dp, ? ,wd, s, h) ::p psp)
Interface
ps :PG (L, e, psp)
(ps) : I (L, e, ifacep(c,maxI,maxT, psp))
IG-E ∅i : IG (∅d,∅e)
IG-C
i : I (L, e, id i e) is : IG (isd, es)
i ::i is : IG (id ::i isd, e ::e es)
Component
xs = {(id,0, e0), . . . , (id, j, ej)} is : IG (∪jk=0id,k,∪jk=0ek)
comp(is) :C (xs)
Figure 18 Typing rules for concrete interfaces.
ECOOP 2019
6:18 A Typing Discipline for Hardware Interfaces
thinning decision procedure does not occur at the value level. Thus a concrete port group is
either: empty – ∅; extended by a port (::); skipped by an optional port (unionsq); or an optional
port is skipped when extending the group with a port – (::≈). The operator (::≈) can be
defined as the combination of the (::) and (unionsq) operators. That is p :: (unionsqps) ≡ p ::≈ ps. The
typing rules (Figure 18) show how thinning works for interface specifications. The θprojAID is a
type-level invariant, the specification of the necessity of the projected ports is what allows
the thinning to occur, or not.
A component is modelled as a collection of interfaces. The type for a component is indexed
by a collection (xs) of θAID-endpoint pairings. The type for a collection of interfaces is indexed
by the separated elements of each pair in xs. As a collection of interfaces is constructed, the
θAID instances are projected (at the type-level) by the endpoint type to construct the θprojAID
instance indexing the collected interface. Use of projection at the type-level ensures that the
type for a concrete interface is sourced from the specified projection.
In θAID model instances, wires have width one, arrays have fixed width greater than
one, or are unrestricted. When projecting an abstract port, the width does not need to be
projected into a local value. However, the port width in a θCOMP instance needs to respect
the width in the θAID. Widths are modelled using a dependent data type that captures, and
reasons with, the width of an abstract port.
An instantiated port with an abstract port and an unrestricted width has no restrictions
on kind or width. A port with an abstract port of width one must also have a width of one.
Similarly, a port with an abstract port of fixed width must also have the same fixed width.
4.2.1 Example
Figure 19 presents two example interfaces that modelMungo. Figure 19b shows the interface
with a port to receive the clock, and Figure 19c without a clock port. Within Figure 19c
the skip term (unionsq) allows for the clock to the be skipped. If other required ports were to be
skipped this will result in a type error. For both interfaces we have chosen the user defined
error message width to be of width 32 and 16. This will not cause a type error as the Mungo
allows the signal to have a user-defined width. Further, should other value level information
(e.g. port width and label) be incorrectly specified the example will also fail to type-check.
4.3 Type-Checking Interfaces
The type of interfaces in θCOMP are parameterised by projected interfaces from θprojAID. A
satisfaction relation is defined to link programs written in λAID to interfaces from θCOMP.
I Definition 3 (Interface Satisfaction). Given a λAID specification ( ` ν : 1 a ), and
an interface ϑ : I (L, e, ϑp) then the interface ϑ satisfies ν, which is defined as ϑ |= ν, if
n ν o i e 7→ ϑp.
Proof. By construction. The evaluation of ν (n ν o) produces a model (ϑd : Id (L ′)), for some
(L ′ :TypeL). The type of ϑ is I (L, e, ϑp). The projected interface ϑp has type Ip (L, e, ϑ′d). If
ϑd ≡ ϑ′ and L ≡ L ′ then ϑd i e ≡ ϑ′d i e. If ϑd 6≡ ϑ′d or L 6≡ L ′ then ϑ would fail to type
check. J
5 Implementation
We have realised Cordial using Idris, a general purpose dependently typed programming
language [9]. This provides both a practical proof-of-concept implementation, and mechanised
formalisation that the framework’s type-system holds. The models representing interfaces,
port groups, and ports translate directly to standard dependently (and non-dependently)
J. de Muijnck-Hughes and W. Vanderbauwhede 6:19
I (L, Initiator,n (Mungo ${32,16}32 ${8,4}8) oAIDλ7→θ i Initiator)
(a) Type for both Interfaces.
(Named(C),WIRE,Clock,+,1,High,System)
::i(Named(R),WIRE,Control,−,1,High, IP)
::i(Named(W),WIRE,Control,−,1,High, IP)
::i(Named(D),ARRAY,Data,±,w (32),High, IP)
::i(Named(A),ARRAY,Address,−,w (4),High, IP)
::i(Named(E),ARRAY, Info,+,w (2),High, IP)
::i(Named(I),ARRAY, Info,+,u (32),High, IP)
::i∅i
(b) With a clock port.
unionsq(Named(R),WIRE,Control,−,1,High, IP)
::i(Named(W),WIRE,Control,−,1,High, IP)
::i(Named(D),ARRAY,Data,±,w (32),High, IP)
::i(Named(A),ARRAY,Address,−,w (4),High, IP)
::i(Named(E),ARRAY, Info,+,w (2),High, IP)
::i(Named(I),ARRAY, Info,+,u (16),High, IP)
::i ∅i
(c) Without a clock port.
Figure 19 Sample θCOMP instances that show port skipping.
typed algebraic data structures. λAID, and its substructural type-system, has been imple-
mented as an Embedded Domain Specific Language (EDSL) using standard techniques [12,
Chp. 14]. Predicated functions were realised using Idris’ support for auto implicits that
attempt to search for constructors that can satisfy the type of the implicit variable. The
“model construction” process (i.e. n l oAIDλ7→θ), again uses standard techniques for working with
EDSLs in dependently typed languages [10, 11, 7].
6 Case Studies
Using our implementation we have constructed models for several interaction protocols of
varying sizes. We describe the structural properties of the protocols and report on their
modeling in Cordial as λAID programs.
6.1 ARMs Advanced Peripheral Bus
The first protocol considered was ARMs Advanced Peripheral Bus (APB) [3]. The protocol
is a legacy protocol comprising of at least eleven signals, and can be connected to many
target IP Cores using an intermediary IP Core called an interconnect. This requires that we
construct two specifications one for target connections to the interconnect, and the other for
ECOOP 2019
6:20 A Typing Discipline for Hardware Interfaces
initiating connections. At least seven signals are required, and two were target optional. At
least seven signals have a known width. The data and address width can be up to 32 bits
in width. There are three interesting features of APB worth noting. First, the specification
is parameterised depending on the number of IP Cores that an initiator is connecting too.
When connecting to x targets, the signal PSelx will be replicated x times in an initiating
interface, which will only be seen once in a target interface. Second, the protocol has optional
signals for the clock and a signal to enable the clock. The dependency between the two clock
signals is not clear from the specification: Can one be skipped when the other is required?
Third, the specification requires a set of strobes that connects to every 8th bit on the data
bus. This restricts data widths to multiples of eight.
(λ(nrSlaves) · (λ(dwidth; {8,16,32}) · (λ(awidth; {8,16,32}) ·
let x be (div dwidth 8) in
let α be label(T) in let ω be label(S) in
. . .
; replicate(nrSlaves,portDesc(α,WIRE, Info, , ! ,1d,High, IP))
; portDesc(ω,ARRAY, Info,f, ? ,wd (x),High, IP)
; . . .)))
Figure 20 Partial presentation of the “Master Interface” for the APB specification.
We chose to implement the specifications using two predicated functions, and one normal
function. The two predicated functions was used to ensure that all bus widths are multiples
of eight and less than 32 i.e. 8, 16, and 32. The normal function was used to represent the
number of targets. Specification of labels and ports followed the known information taken
from the specification. The term replicate was used to ensure that the correct number of
PSelx signals were generated. For strobes, the maths operations were used to calculate the
number of strobes required, based of the size of the data bus. Figure 20 shows part of the
APB specification detailing the predicated functions, use of replicate, and strobe specifcation.
6.2 Xilinx’s LocalLink
The second protocol chosen was a legacy protocol from Xilinx called LocalLink [41]. The
LocalLink protocol requires seven signals and thirteen optional signals. As with the APB
protocol many of the signals were encoded without complications. However, and unlike APB,
LocalLink does not specify a set of bus widths and requires that the presented bus width is
a multiple of eight. Predicated functions require that the list of possible values are known a
priori. Thus, we modelled the specification as a predicated function on bus widths of 8, 16,
and 32, together with a normal function that takes the number of channels.
The LocalLink specification contains various size dependencies based on the data bus.
The size of the remainder bus is dependent on how they are implemented within the IP Core.
Specifically, if the remainder is encoded then the bus size will be dlog2 d8 −1e. If the remainder
is masked then the size is d8 − 1. Our framework is not expressive enough to encode these
differences mathematically, we support simple arithmetic operations and these operations are
not simple. Moreover, our framework does not support related specifications that overlap to
be collapsed into a single definition. The LocalLink specification is too value dependent.
Another interesting aspect of the LocalLink specification is that of channels. These
are a set of optional signals whose flow is dependent on the application context. The size
of channel related signals are too calculated using a floating point operation. These three
J. de Muijnck-Hughes and W. Vanderbauwhede 6:21
signals are directional, and whether they send data from target to initiator is dependent
on the application, and how the other two signals are specified. Although we can represent
these channels as being bidirectional our language is not expressive enough to capture these
application specific, and inter signal, dependencies.
6.3 ARMs Advanced eXtensible Interface
ARMs Advanced eXtensible Interface (AXI) is a widely used family of interaction protocols [4]
for transferring addressable data between IP Cores. There are several previous versions
of AXI each building upon previous versions. Each version differs by number of signals
and changes to specific signal properties. The AXI specification defines three protocols that
offer three different interaction styles: Full, Lite, and Stream. The protocol can be directly
connected to another interface, or it can be used to connect to multiple other IP Cores using
an interconnect. Version four of the protocol requires 47 signals comprising of: two global
signals for the clock and a reset; thirteen signals each for specifying writing and reading of
an address; seven signals for reading and writing data; and five signals for writing responses
from the target to the initiator. Of the 47 signals, 36 are required and eleven are either
optional, target optional, or initiator optional. Several signals have user defined widths. The
AXI protocol is parameterised such that the address and data busses can be: 8, 16, 32, 64,
128, 256, 512, or 1024 bits wide. Further, the protocol specification supports custom sets of
signals that are completely user definable. In fact the AXI standard explicitly warns against
their use due to potential interoperability issues if different modules present user-defined
signals that behave differently.
We report on describing version four of the AXI protocol for direct interfaces only.
For versions of the protocol that connect to an interconnect, the techniques presented in
Section 6.1, can be leveraged. The specification was modelled in λAID using two predicated
functions to control the width of the address and data busses. Each of the signals were
translated into the required port descriptions. Like the APB protocol, AXI has the concept of
strobes. The same technique as used in Section 6.1 was used.
We chose not to include user-defined signals in this study. Cordial requires that signal
details are known a priori. Ideally, designers would create parameterised specifications
(functions) that take as parameters the user-defined signals. However, functions in λAID
take pure values as parameters, port declarations modify the typing environment to update
label usage information and are thus not pure. This is a restriction from the substructural
type-system for λAID – see Section 7.3.
The protocol specification divides the signals among several channels. Such a grouping
is only required for the specification. At the module level these groupings do not exist.
Although, Cordial does not support this grouping incorporating this into the framework
would be a potential benefit for reasoning about subgroupings of an interface’s portgroup.
7 Discussion & Related Work
This section discusses the efficacy of the framework, and related work.
7.1 Discussion
Section 6 described three case studies that modelled three interaction protocols using λAID.
For each of the protocols we were able to encode most of the ports correctly Cordial is
suitable for capturing each port’s values. However, both LocalLink and APB illustrated the
limitations of λAID in capturing all of the specification’s dependencies.
ECOOP 2019
6:22 A Typing Discipline for Hardware Interfaces
While Cordial can capture limited value dependencies, for example strobes and number
of targets within APB, the framework prohibits the construction of concise descriptions based
on other value dependencies. Specifically, for ports whose direction is dependent on a mode
of operation (LocalLink), and how to version protocols – AXI versions 1–4. Although we
can write multiple different versions, a dependently typed construction should be able to
capture these properties concisely, and without resorting to copying and pasting protocol
specifications. We need to explore what other dependencies there are within a protocol
specification, how prevalent these dependencies are, and how we can capture and reason
about the relevant dependent properties.
The construction of λAID exposes the resource tracking of the type systems directly as
resources are associated with variables. This does leads to a more verbose language such
that for n signals there will be n variables, and n additional ports declared. This is not
optimal. An alternative approach would be to embedd the resource tracking directly in our
monad’s type to remove the need for variables–cf. Swiestra’s Hoare & Atkey’s parameterised
monads [37, 5]. However, our current formulation is more extensible allowing arbitrary new
states to be added by indexing the type of new variables.
The type-level resource tracking in λAID also prohibits the creation of higher-order
descriptions. The typing rule Lam requires a pure value, and sequencing using Let and Seq
require that the knowledge contained in the environment is passed from the previous construct
to the next. This is a limitation of the Hoare Monad used to sequencing expressions.
7.2 Modelling Hardware Interfaces
Many attempts at reasoning about hardware have centred on formalising hardware systems
as a collection of digital circuts and capturing the behaviour of signals through the specified
circuits. Ghica et al. exploited category theory to investigate connection of components [18,
17, 19]. EDSLs have been developed for Haskell such as Lava [20] and Cλash [35] that take
other mathematical approaches to reasoning about hardware behaviour. ΠWare utilises
dependent types to reason about hardware [15, 16]. Vijayaraghavan et al. [38] presents a
complete formalisation of the behaviour of SoC designs, however, their approach does not
look at the validation of interfaces against a specification, and concentrates on modelling
the behaviour of components as a distributed system. Our framework complements existing
work by providing guarantees about the physical structure of a component’s ports.
Tooling such as Vivado IP Integrator [39] and Kactus2 [24] can automatically construct,
and connect, components in a SoC architecture correctly. Such tooling is based on IP-XACT
and vendor extensions. Examination of the Vivado toolchain reveals handwritten TCL scripts
bespoke for the AXI family of protocols. Our work presents a specification agnostic framework
for type-checking hardware interfaces against a richer specification than seen with IP-XACT
solutions. We position our work as possible foundation for machine derivable code to develop
richer integration and construction checks to that seen with IP Integrator and Kactus2.
Click is an untyped SoC design language for describing the routing of data [25]. McK-
echnie [30] developed a type-system for typing the interconnections found within Click
specifications. Our work provides a natural extension to McKechnie’s work and provides a
means to type components in a Click design against external specifications.
7.3 Substructural Typing
The substructural type-system for λAID is based upon Hoare logic [5, 8]. Unfortunately,
Hoare logics do not support the frame rule, a means to divide and share invariants in a
composable manner. This results in λAID not being able to support higher-order descriptions.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:23
Separation Logic is an advancement that does support the frame rule [34], and has been
used to construct substructural type-systems for EDSLs [26], However, it is not clear how
straightforward it would be to realise such a type-system for an EDSL within a dependently
typed language.
There are other formal models upon which one can realise substructural type-systems for
EDSLs, namely TypeStates [31], and Refinement Types from Hoare Types [8, 32]. All allow
for reasoning about type-level resource usage protocols, however, how straightforward these
models can be realised within a dependently typed language is not clear.
λAID was realised as an EDSL, perhaps realising it as a standalone Domain Specific
Language (DSL) written in Idris might allow for Idris’ rich type-system to better realise
the substructural typing for λAID. Future work will be to investigate how to realise, and
implement, the substructural typing for λAID.
7.4 Implementing Cordial
Cordial has been implemented within Idris. Any other dependently typed language
that supports full-spectrum dependent types, such as Agda [33], would also be suitable
host language.
Although Cordial uses dependent type theory and substructural typing, non-dependently
type languages can also realise the framework. The ideas are transferable, but the implement-
ation would not be as clean nor concise. Racket is a general purpose language that supports
EDSL creation through fine-grained control over the language’s type-system [14]. F? is a gen-
eral purpose language with value-dependent types [36]. Whereas Idris provides full-spectrum
dependent types, F? provides value-dependencies using refinement types. This provides a
novel, alternate, environment in which to construct “value-dependently-typed” programs.
How the approach behind Cordial is transferable to these languages is worth investigating.
8 Conclusion
We presented a framework (Cordial) to provide correct-by-construction guarantees over
interface specifications in SoC designs. We have demonstrated use of the framework to model
real world protocols, and noted limitations in the models expressiveness and future work to
enrich said expressiveness. There are other areas for future work:
Checking Existing Systems
Our approach lends itself well to the generation of designs from model instances. We can
easily extend our Idris implementation to generate stubbs for various HDLs. However, how do
we evaluate existing interfaces? To do so, not only do we need to be able to extract interface
model descriptions from existing HDL code, but also associate these model descriptions with
abstract interface model descriptions. That is, we need to be able to infer from a component
specification the concrete interfaces, and for those interfaces their abstract descriptions and
which characterisation corresponds to the found interface. The problem of model inference is
difficult as component interfaces are not always cleanly defined. Multiple interfaces for a
component can be presented as a flat port group, sending ports can send to multiple recipients,
and the ordering of ports does not necessarily reflect the ordering in the specification. Further,
the names given to ports may not match the labels described in the specification. Developers,
and code generation tools, have complete freedom in structuring their components interfaces.
Further work will be to explore how to infer models from such “messy” SoC descriptions.
ECOOP 2019
6:24 A Typing Discipline for Hardware Interfaces
Enriching existing HDL
We have formalised Cordial in an existing general purpose language. A more interesting
area for future work, and to increase adoption of the ideas mentioned, would be to develop
extensions for various HDL such as SystemVerilog with the presented framework. A similar
approach would be to extend existing design environments such as Vivado from Xilinx to
incorporate our tooling and ideas.
Checking Behaviour
Our solution reasons about the structural correctness of SoC architectures. These provided
guarantees are a design time check. Standards documents also describe a protocol’s behavioural
correctness. Our models do not capture a component’s behaviour, a correctly connected
component may show incorrect behaviour (as described in the specification) at run time. We
saw this when modelling the AXI family of protocols. Cordial borrows notions of global
and local projections from Session Types. We could also look to use Session Types to reason
about hardware behaviour. While there have been attempts at extending Session Types to
fit communication models similar to those found in hardware [27], none have been directly
applied to checking hardware. Future work will be to explore how we can extend our model
descriptions to capture the behaviour of a component’s interface.
Modelling complete SoC architectures
SoC designs are about connecting components. A natural extension to our work would
be to provide an orchestration language that uses θCOMP to model components and their
connections. Existing work has investigated verifying IP Core connections using static typing
to ensure substructural properties of a SoC design hold – Section 7.2. Integrating the work
of McKechnie [30] into the expressive type-system of our framework can serve as the basis
for a more complete solution to SoC design. We leave this aspect of future work as an
open problem.
References
1 Guillaume Allais, Robert Atkey, James Chapman, Conor McBride, and James McKinna. A
type and scope safe universe of syntaxes with binding: their semantics and proofs. PACMPL,
2(ICFP):90:1–90:30, 2018. doi:10.1145/3236785.
2 Thorsten Altenkirch, Martin Hofmann, and Thomas Streicher. Categorical Reconstruction of
a Reduction Free Normalization Proof. In David H. Pitt, David E. Rydeheard, and Peter T.
Johnstone, editors, Category Theory and Computer Science, 6th International Conference,
CTCS ’95, Cambridge, UK, August 7-11, 1995, Proceedings, volume 953 of Lecture Notes in
Computer Science, pages 182–199. Springer, 1995. doi:10.1007/3-540-60164-3_27.
3 ARM Limited. AMBA APB Protocol, ARM IHI 0024C edition, 2010.
4 ARM Limited. AXI and ACE Protocol Specification, ARM IHI 0022F.b edition, 2017.
5 Robert Atkey. Parameterised notions of computation. J. Funct. Program., 19(3-4):335–376,
2009. doi:10.1017/S095679680900728X.
6 Robert Atkey. Syntax and Semantics of Quantitative Type Theory. In Anuj Dawar and
Erich Grädel, editors, Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in
Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018, pages 56–65. ACM, 2018.
doi:10.1145/3209108.3209189.
7 Lennart Augustsson and Magnus Carlsson. An Exercise in Dependent Types: A Well-Typed
Interpreter. In In Workshop on Dependent Types in Programming, Gothenburg, 1999.
J. de Muijnck-Hughes and W. Vanderbauwhede 6:25
8 Johannes Borgström, Juan Chen, and Nikhil Swamy. Verifying stateful programs with substruc-
tural state and hoare types. In Ranjit Jhala and Wouter Swierstra, editors, Proceedings of the
5th ACM Workshop Programming Languages meets Program Verification, PLPV 2011, Austin,
TX, USA, January 29, 2011, pages 15–26. ACM, 2011. doi:10.1145/1929529.1929532.
9 Edwin Brady. Idris, a general-purpose dependently typed programming language: Design and
implementation. J. Funct. Program., 23(5):552–593, 2013. doi:10.1017/S095679681300018X.
10 Edwin Brady. Programming and reasoning with algebraic effects and dependent types. In
Greg Morrisett and Tarmo Uustalu, editors, ACM SIGPLAN International Conference on
Functional Programming, ICFP’13, Boston, MA, USA - September 25 - 27, 2013, pages
133–144. ACM, 2013. doi:10.1145/2500365.2500581.
11 Edwin Brady. Resource-Dependent Algebraic Effects. In Jurriaan Hage and Jay McCarthy,
editors, Trends in Functional Programming - 15th International Symposium, TFP 2014,
Soesterberg, The Netherlands, May 26-28, 2014. Revised Selected Papers, volume 8843 of Lecture
Notes in Computer Science, pages 18–33. Springer, 2014. doi:10.1007/978-3-319-14675-1_2.
12 Edwin Brady. Type-Driven Development with Idris. Manning, 1st edition, 2016.
13 James Maitland Chapman. Type checking and normalisation. PhD thesis, School of Computer
Science, University of Nottingham, July 2009. URL: http://eprints.nottingham.ac.uk/
10824/.
14 Matthias Felleisen, Robert Bruce Findler, Matthew Flatt, Shriram Krishnamurthi, Eli Barzilay,
Jay A. McCarthy, and Sam Tobin-Hochstadt. A programmable programming language.
Commun. ACM, 61(3):62–71, 2018. doi:10.1145/3127323.
15 J Pizani Flor. pi-Ware: An Embedded Hardware Description Language using Dependent
Types. Masters, Department of Information and Computing Sciences, 2014. URL: https:
//dspace.library.uu.nl/bitstream/handle/1874/298576/.
16 João Paulo Pizani Flor, Wouter Swierstra, and Yorick Sijsling. Pi-Ware: Hardware Description
and Verification in Agda. In Tarmo Uustalu, editor, 21st International Conference on Types
for Proofs and Programs, TYPES 2015, May 18-21, 2015, Tallinn, Estonia, volume 69 of
LIPIcs, pages 9:1–9:27. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2015. doi:
10.4230/LIPIcs.TYPES.2015.9.
17 Dan R. Ghica. The Geometry of Synthesis - How to Make Hardware Out of Software.
In Jeremy Gibbons and Pablo Nogueira, editors, Mathematics of Program Construction -
11th International Conference, MPC 2012, Madrid, Spain, June 25-27, 2012. Proceedings,
volume 7342 of Lecture Notes in Computer Science, pages 23–24. Springer, 2012. doi:
10.1007/978-3-642-31113-0_3.
18 Dan R. Ghica, Achim Jung, and Aliaume Lopez. Diagrammatic Semantics for Digital
Circuits. In Valentin Goranko and Mads Dam, editors, 26th EACSL Annual Conference on
Computer Science Logic, CSL 2017, August 20-24, 2017, Stockholm, Sweden, volume 82 of
LIPIcs, pages 24:1–24:16. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2017. doi:
10.4230/LIPIcs.CSL.2017.24.
19 Dan R. Ghica, Alex I. Smith, and Satnam Singh. Geometry of synthesis iv: compiling affine
recursion into static hardware. In Manuel M. T. Chakravarty, Zhenjiang Hu, and Olivier
Danvy, editors, Proceeding of the 16th ACM SIGPLAN international conference on Functional
Programming, ICFP 2011, Tokyo, Japan, September 19-21, 2011, pages 221–233. ACM, 2011.
doi:10.1145/2034773.2034805.
20 Andy Gill, Tristan Bull, Garrin Kimmell, Erik Perrins, Ed Komp, and Brett Werling. Introdu-
cing Kansas Lava. In Marco T. Morazán and Sven-Bodo Scholz, editors, Implementation and
Application of Functional Languages - 21st International Symposium, IFL 2009, South Orange,
NJ, USA, September 23-25, 2009, Revised Selected Papers, volume 6041 of Lecture Notes in
Computer Science, pages 18–35. Springer, 2009. doi:10.1007/978-3-642-16478-1_2.
21 John Hatcliff and Olivier Danvy. A Generic Account of Continuation-Passing Styles. In Hans-
Juergen Boehm, Bernard Lang, and Daniel M. Yellin, editors, Conference Record of POPL’94:
21st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Portland,
ECOOP 2019
6:26 A Typing Discipline for Hardware Interfaces
Oregon, USA, January 17-21, 1994, pages 458–471. ACM Press, 1994. doi:10.1145/174675.
178053.
22 Kohei Honda, Nobuko Yoshida, and Marco Carbone. Multiparty asynchronous session types. In
George C. Necula and Philip Wadler, editors, Proceedings of the 35th ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, POPL 2008, San Francisco, California,
USA, January 7-12, 2008, pages 273–284. ACM, 2008. doi:10.1145/1328438.1328472.
23 IEEE. IEEE Standard for IP-XACT, Standard Structure for Packaging, Integrating, and
Reusing IP within Tool Flows, ieee std 1685-2014 edition, September 2014. doi:10.1109/
IEEESTD.2014.6898803.
24 Antti Kamppi, Lauri Matilainen, Joni-Matti Määttä, Erno Salminen, Timo D. Hämäläinen,
and Marko Hännikäinen. Kactus2: Environment for Embedded Product Development Using
IP-XACT and MCAPI. In 14th Euromicro Conference on Digital System Design, Architectures,
Methods and Tools, DSD 2011, August 31 - September 2, 2011, Oulu, Finland, pages 262–265.
IEEE Computer Society, 2011. doi:10.1109/DSD.2011.36.
25 Eddie Kohler, Robert Tappan Morris, Benjie Chen, John Jannotti, and M. Frans Kaashoek.
The click modular router. ACM Trans. Comput. Syst., 18(3):263–297, 2000. doi:10.1145/
354871.354874.
26 Neelakantan R. Krishnaswami, Aaron Turon, Derek Dreyer, and Deepak Garg. Superfi-
cially substructural types. In Peter Thiemann and Robby Bruce Findler, editors, ACM
SIGPLAN International Conference on Functional Programming, ICFP’12, Copenhagen,
Denmark, September 9-15, 2012, pages 41–54. ACM, 2012. doi:10.1145/2364527.2364536.
27 Julien Lange, Nicholas Ng, Bernardo Toninho, and Nobuko Yoshida. A static verification
framework for message passing in Go using behavioural types. In Michel Chaudron, Ivica
Crnkovic, Marsha Chechik, and Mark Harman, editors, Proceedings of the 40th International
Conference on Software Engineering, ICSE 2018, Gothenburg, Sweden, May 27 - June 03,
2018, pages 1137–1148. ACM, 2018. doi:10.1145/3180155.3180157.
28 Per Martin-Löf and Giovanni Sambin. Intuitionistic Type Theory. Bibliopolis, 1984.
29 Conor McBride. I Got Plenty o’ Nuttin’. In Sam Lindley, Conor McBride, Philip W. Trinder,
and Donald Sannella, editors, A List of Successes That Can Change the World - Essays
Dedicated to Philip Wadler on the Occasion of His 60th Birthday, volume 9600 of Lecture Notes
in Computer Science, pages 207–233. Springer, 2016. doi:10.1007/978-3-319-30936-1_12.
30 Paul Edward McKechnie. Validation and verification of the interconnection of hardware
intellectual property blocks for FPGA-based packet processing systems. PhD thesis, University
of Glasgow, 2010. URL: http://theses.gla.ac.uk/1879/.
31 Filipe Militão, Jonathan Aldrich, and Luís Caires. Substructural typestates. In Nils Anders
Danielsson and Bart Jacobs, editors, Proceedings of the 2014 ACM SIGPLAN Workshop
on Programming Languages meets Program Verification, PLPV 2014, January 21, 2014,
San Diego, California, USA, Co-located with POPL ’14, pages 15–26. ACM, 2014. doi:
10.1145/2541568.2541574.
32 Aleksandar Nanevski, J. Gregory Morrisett, and Lars Birkedal. Hoare type theory, poly-
morphism and separation. J. Funct. Program., 18(5-6):865–911, 2008. doi:10.1017/
S0956796808006953.
33 Ulf Norell. Dependently typed programming in Agda. In Andrew Kennedy and Amal Ahmed,
editors, Proceedings of TLDI’09: 2009 ACM SIGPLAN International Workshop on Types in
Languages Design and Implementation, Savannah, GA, USA, January 24, 2009, pages 1–2.
ACM, 2009. doi:10.1145/1481861.1481862.
34 John C. Reynolds. Separation Logic: A Logic for Shared Mutable Data Structures. In 17th
IEEE Symposium on Logic in Computer Science (LICS 2002), 22-25 July 2002, Copenhagen,
Denmark, Proceedings, pages 55–74. IEEE Computer Society, 2002. doi:10.1109/LICS.2002.
1029817.
35 Gerard J. M. Smit, Jan Kuper, and Christiaan P. R. Baaij. A mathematical approach
towards hardware design. In Peter M. Athanas, Jürgen Becker, Jürgen Teich, and Ingrid
J. de Muijnck-Hughes and W. Vanderbauwhede 6:27
Verbauwhede, editors, Dynamically Reconfigurable Architectures, 11.07. - 16.07.2010, volume
10281 of Dagstuhl Seminar Proceedings. Schloss Dagstuhl - Leibniz-Zentrum für Informatik,
Germany, 2010. URL: http://drops.dagstuhl.de/opus/volltexte/2010/2840/.
36 Nikhil Swamy, Juan Chen, Cédric Fournet, Pierre-Yves Strub, Karthikeyan Bhargavan, and
Jean Yang. Secure distributed programming with value-dependent types. J. Funct. Program.,
23(4):402–451, 2013. doi:10.1017/S0956796813000142.
37 Wouter Swierstra. A Hoare Logic for the State Monad. In Stefan Berghofer, Tobias Nipkow,
Christian Urban, and Makarius Wenzel, editors, Theorem Proving in Higher Order Logics, 22nd
International Conference, TPHOLs 2009, Munich, Germany, August 17-20, 2009. Proceedings,
volume 5674 of Lecture Notes in Computer Science, pages 440–451. Springer, 2009. doi:
10.1007/978-3-642-03359-9_30.
38 Muralidaran Vijayaraghavan, Adam Chlipala, Arvind, and Nirav Dave. Modular Deductive
Verification of Multiprocessor Hardware Designs. In Daniel Kroening and Corina S. Pasareanu,
editors, Computer Aided Verification - 27th International Conference, CAV 2015, San Fran-
cisco, CA, USA, July 18-24, 2015, Proceedings, Part II, volume 9207 of Lecture Notes in
Computer Science, pages 109–127. Springer, 2015. doi:10.1007/978-3-319-21668-3_7.
39 Product page for Vivado IP Integrator by Xilinx. Online, 2019. URL: https://www.xilinx.
com/products/design-tools/vivado/integration.html.
40 David Walker. Advanced Topic in Types and Programming Languages, chapter Substructural
Type Systems, pages 3–43. The MIT Press, 2004.
41 Xilinx. LocalLink Interface Specification, SP006 (v2.0) edition, 2005.
ECOOP 2019
