Abstract. This paper provides an overview of the vspec behavioral interface speci cation language for vhdl. Although operational speci cation language such as vhdl provide exceptional speci cation capabilities, at the systems requirements level the operational style is a hindrance. vspec provides vhdl users with a declarative mechanism for de ning functional requirements and performance constraints. In the tradition of behavioral interface speci cation languages, vspec adds clauses to the vhdl entity construct allowing axiomatic speci cation of functional requirements. Because system constraints play an ever increasing role in systems design, vspec also provides performance constraint speci cation capability. This paper presents the basics of vspec, its semantics, semantic analysis, and brie y describes current and future applications.
Introduction
Requirements analysis is a critical activity in any systems design process. However, it is poorly supported by tools and languages. Although operational, simulation centered, hardware description languages such as vhdl 1] provide excellent support for design, they are less appropriate for requirements analysis. The operational style tends to introduce implementation bias into requirements. Furthermore, simulation-based analysis is not always appropriate for evaluating highly declarative, frequently incomplete requirements. To address such problems, vspec 2{5] augments vhdl to provide a declarative requirements specication capability that support rigorous, formal analysis. lsl is a formal algebraic language that de nes the underlying sorts and operators used in interface language de nitions. As the name implies, lsl is common among all Larch Interface Languages. Speci ers use lsl to de ne reusable domain theories for speci cation activities and to de ne semantics for interface languages.
vspec describes the requirements of a digital system using the canonical Larch approach. Each vhdl entity is annotated with a pre-and post-condition to indicate the component's functional requirements. The operators used in a vspec description are de ned with lsl. vspec also allows a designer to describe non-functional requirements and the internal state of a device. vspec semantics is de ned by providing a translation of vspec language constructs and vhdl types into lsl enabling formal veri cation using Larch tools.
vspec-annotated components can be connected together to form an abstract
architecture. An abstract architecture is an inter-connected collection of components where the requirements of each component are speci ed without de ning their implementation. This describes a class of solutions with a common structure. A standard vhdl structural architecture referencing vspec annotated entities de nes an abstract architecture. The vhdl architecture indicates interconnection in the traditional manner, but the requirements of each component are de ned instead of their implementations.
Abstract architectures speci ed with vspec present a problem that other Larch interface languages do not have to address: when is a component in an abstract architecture active? In traditional sequential programming languages, a language construct executes after the construct immediately preceding it terminates. For correct execution, a construct's pre-condition must be satis ed when the preceding construct terminates. In a vspec abstract architecture, each of the components behave as independent processes. There is no prede ned execution order so there is no means of determining when a component's pre-condition should hold. vspec solves this problem by allowing a user to de ne an activation condition for a component. The activation condition de nes what causes the component to begin processing its inputs. When the component state changes to one that satis es the activation condition, the pre-condition must hold and the component performs its speci ed transformation.
This paper describes the semantics of vspec, concentrating on the language's facilities for describing abstract architectures. The opening section provides a brief summary of the vspec language. Section 3 describes vspec abstract architectures, including a de nition of the vspec state model and a description of how a process algebra (csp) 12] is used to provide a semantics for the vspec activation condition. Section 5 discusses how these semantics can be used verify that an abstract architecture satis es the speci cation of the entity. Finally, the paper concludes with a discussion of vspec applications and some related work.
2 The vspec Language vspec's declarative speci cation style complements the traditional vhdl operational style by providing a requirements speci cation capability. As a requirements speci cation language, vspec is used very early in the design process to describe \what" a system should do. The operational style of vhdl makes vhdl alone ill-suited for requirements speci cation. It forces a designer to describe a system by de ning a speci c design artifact that describes \how" the system behaves. When attempting to use vhdl as a requirements speci cation language, this forces a designer to deal with unnecessary detail at a very early point in the design process. In contrast to vhdl's operational style, vspec allows a designer to declaratively describe a component. Together, vspec and vhdl support modeling from requirements acquisition through veri cation and synthesis.
As a working example, a vspec description of a sorting component is shown in Figure 1 . Three basic clauses de ne functional requirements for an entity: (i) the requires clause de nes the component precondition; (ii) the ensures clause denes the component postcondition; and (iii) the sensitive to clause de nes the component activation condition. E ectively, the requires and ensures clauses de ne component function while the sensitive to clause de nes component control.
The requires and ensures clauses are used to de ne an axiomatic relationship between current and the next state. Speci cally, they specify the pre-and post-conditions of the component. Any component that makes the postcondition true in the next state given that the precondition is true in the current state is a valid implementation of these requirements. More precisely, given a component with requires clause I(St) and ensures clause O(St; St 0 post) 1 , f(St) is a correct implementation of the requirements if the following condition holds:
The sensitive to clause plays the same role in a vspec de nition that sensitivity lists and wait statements play in a vhdl description. It de nes when a component is active. The sensitive to clause for sort in Figure 1 states that the entity activates (and sorts its input) whenever the input changes. The sensitive to clause contains a predicate indicating when an entity should begin 1 The St 0 post notation references the value of St in the state after the transformation described by the entity is performed. This is analogous to the variable 0 notation of lcl 8, 9] executing and the next section contains a more precise de nition of the meaning of the sensitive to predicate.
In the example speci cation from Figure 1 , the sort component is de ned to operate correctly in any initial state whenever its input changes and produce an output that is ordered and a permutation of the input. The requires clause de nes a precondition of true. As true holds in any state, the component must execute starting in any state. The ensures clause de nes a postcondition of permutation(input,output'post) and ordered(output'post) requiring that after execution the output should be an ordered permutation of the input. Note that ordered and permutation are de ned in the included trait sort. The sensitive to clause de nes an activation condition of input'event.
Event is a prede ned vspec predicate that is true whenever its associated signal changed values in the previous state change.
In addition to allowing a designer to describe functional requirements, vspec also allows speci cation of performance constraints. The vspec constrained by clause is used for this purpose. As shown in Figure 1 , this clause de nes relations over constraint variables. Currently, the de ned constraint variables include power consumption, layout area (expressed as a bounding box), heat dissipation, clock speed and pin to pin timing. Constraint theories written in lsl de ne each constraint type. Users may de ne their own constraints and theories if desired. 2 The the k input. This requirement is represented by find's ensures clause predicate. One possible way to meet this requirement is to connect the output of a sorting component to a binary search component as shown in Figure 3 . The speci cation for sort is the same as the one in in Section 2, while the bin search speci cation is shown in Figure 2b . The only di erence between this structural description of find and a vhdl structural description of find is that the con guration speci es that the vspec descriptions of sort and bin search should be used instead of a speci c architecture for these two entities. This con guration describes an abstract architecture for the find component. Any implementation satisfying the vspec requirements of sort and bin search may be associated with the entity de nitions. This abstract architecture for find actually de nes a class of solutions with a common structure.
Although a vhdl architecture referencing vspec de nitions de nes components and interconnections, additional information must be added to specify when the vspec components activate. In traditional sequential programming, a language construct \executes" following termination of the construct preceding it. For correct execution, a construct's pre-condition must be satis ed when the preceding construct terminates. In hardware systems, components exist simultaneously and behave as independent processes. No prede ned execution order exists so there is no means of implicitly determining when a component's pre-condition should hold. Consider the find example. The pre-condition of bin search must hold only when sort has completed its transformation. At all other times, bin search need only maintain its state.
vhdl provides sensitivity lists and wait statements to synchronize entity execution and de ne when a component in a structural architecture is active.
vspec achieves the same end using the sensitive to clause. The sensitive to clause contains a predicate called the activation condition that indicates when an entity should begin executing. E ectively, this activation condition de nes when a vspec annotated entity's precondition must hold. When the sensitive to predicate is true, the pre-condition must hold and the implementation must satisfy the post-condition. When the sensitive to predicate is false, the entity makes no contribution to the state of the system. In the find example, both components activate when any of their input signals change.
Formally, the contribution of the sensitive to clause to the transformation speci ed by vspec is easily represented using a traditional process algebra such Separating the environment and the store is common among formal models of programming language semantics. In a language such as lcl, one of the motivating factors for this is to allow multiple names for the same element of memory. For example, two C pointers can obviously reference the same memory location. The program state model above represents this situation by mapping each of these pointers to the same object in the Env map.
This partitioning of the state of a component is used in the vspec semantics to model component communication. For a single vspec-speci ed component, Env contains a map from each port and state variable in the vspec description to an object. Store maps each of these objects to their current value. We call this the abstract state of the vspec component. When vspec components are connected together to form an abstract architecture, the elements of Env and Store are slightly di erent. The Store contains objects for each port in the architecture's entity, for each signal in the architecture and for the state variables of each component in the architecture. The Env maps each of these three types of elements to the proper object, but it also maps the ports of each architecture component to the object that represents the architecture signal the port is connected to. We call the state model of an abstract architecture the concrete state of the component.
In the simple two component example of Figure 4 , the abstract state of system, A and B are:
Env system = fsys in Notice that x, y, w and z now map to the objects that contain the values of the signals that these component ports are connected to in the architecture.
Using a component's state, its semantics are de ned using a csp process and its requires and ensures clauses. Let f(St) be a function between two states of entity C that implements the requirements speci ed in C's requires and ensures clauses (i.e. f(St) satis es Equation 1). The process de ning entity C with a sensitive to predicate S(St) in any state r is: C r = r : ! C f(r) (2) where is the set of states that satisfy C's activation condition: = ft : T C j S(t)g.
The traces of the process de ned by a vspec entity is a sequence of abstract states the entity enters. When the abstract state changes to an abstract state that satis es the entity's activation condition (r in Equation 2), the transformation de ned by the requires and ensures predicates (f(St)) is applied to r. This generates a new abstract state and the entity behaves like the process de ned by C f(r) . The abstract states that satisfy C's activation condition form the alphabet of C. Thus, every trace of C contains only elements from .
csp's concurrency operator (k) combines component processes to de ne the behavior of a vspec architecture. Let C 1 ; C 2 ; :::; C n be the processes represented by Equation 2 for the set of vspec component instances in architecture A. The process representing architecture A is:
When a state change occurs that satis es some component's activation condition, the component performs its speci ed transformation to its abstract state. This change is propagated to the concrete state of the architecture where the activation condition of another component may be satis ed. This causes the process to repeat until the system changes to a concrete state where no component's activation condition is satis ed. The system then waits until some external device changes the concrete state to one that activates some component in the architecture to start the process again.
In the csp model of a vspec process, this notion can be understood by examining the possible traces of A from Equation 3. Hoare 12] de nes traces over parallel composition, traces(C 1 k C 2 ), as: ft j (t " C 1 ) 2 traces(C 1 )^(t " C 2 ) 2 traces(C 2 )^t 2 ( C 1 C 2 ) g (4) Recall that in csp 12], t " P restricts the trace t to contain only events that appear in the alphabet of P. Thus, the traces of a parallel composition of components are all traces that when restricted to the alphabet of each component yield a trace of that component. Furthermore, traces of C 1 k C 2 only contain events from the alphabet of the two components. This means that every trace of A contains only elements that satisfy the activation condition of at least one component in A. The only challenging task associated with translating Camilleri's csp axiomatization involved moving from a higher order logic representation to a rst order representation. Speci cally, the csp choice operation plays a major role in the vspec de nition. In the HOL axiomatization, choice is parameterized over a choice operation. In lsl, this is achieved using a parameterized trait with the choice function as a parameter. The instantiation of the trait parameter is achieved at parse time requiring a new version of the choice trait to be instantiated for each instance of choice. The higher order representation allows instantiation of the choice function at proof time making for dramatically simpler proof activities.
Each vspec component is translated into an associated lsl trait. Brevity prevents the expansion of a component in this paper, however these traits share a common structure centering on: (i) the pre-and post-conditions; and (ii) the csp choice operator. Speci cally, the choice operator is specialized by specifying a choice function and an alphabet. The alphabet speci es what states can occur next and was de ned as earlier. The choice function generates the next state and is de ned using the pre-and post-condition of the component. Figure 5 shows the template used to generate lsl traits for each system component. The trait is instantiated using the 
Veri cation
Correctness checks in vspec take three fundamental forms: (i) component verication; (ii) interconnection veri cation; and (iii) bisimulation. Component and interconnection veri cation represent partial correctness checks used to quickly assess the quality of a speci cation. Bisimulation precisely de nes the relationship between a vspec architecture and an associated system speci cation. Although component and interconnection veri cation only verify speci c system properties, they are frequently simpler to prove than bisimulation relationships.
Component veri cation allows users to specify properties of a single component using lsl. Interconnection veri cation examines speci c relationships between components. As the name implies, interconnection veri cation centers primarily on properties of interconnected ports. In most cases, users select from pre-de ned conditions. Proof obligations are generated and veri ed automatically in most cases. Speci c examples of interconnection veri cations include proving: (i) all outputs from a component are legal inputs to another; (ii) some output from a component will activate another; and (iii) all inputs activating a component are legal component inputs. Many similar, additional obligations can be generated and discharged automatically.
Bisimulation allows a user to verify that an abstract architecture correctly implements its requirements. This veri cation obligation is generated automatically by the vspec parser and is based on weak bisimulation 18]. A weak bisimulation (or simply bisimulation) condition holds when a sequence of states in the architecture (or concrete) model produces the desired single state change speci ed by the system level (or abstract) model (see Figure 6 ). Only the rst and last state of the concrete state sequence are signi cant. The speci c state sequence leading from the initial concrete state to the nal concrete state is ignored. In addition to functional veri cation, the current vspec tool suite supports constraint veri cation using The Performance Description Language (pdl) 19].
The semantics of constraints is de ned using lsl in a fashion similar to the other vspec clauses. However, constraint evaluation requires signi cant manipulation of intervals. This activity proved to be exceptionally di cult in the Larch toolset.
pdl is a language designed explicitly for representing and evaluating constraint information. Speci cally, pdl provides a mechanism for representing and evaluating interval mathematics representations. In pdl, designers de ne models for various constraint types. These models are then used to instantiate architectures of components. Each interconnected component is assigned one model for each constraint to be evaluated. vspec constraint evaluation allows the user compare a systems level constraint description to an architectural description. For each vspec constraint, a pdl model has been de ned. Each model minimally de nes the data type associated with the constraint, and a function to combine two constraint values.
An architecture is derived from the vhdl architecture and populated with the various constraint models. Using the pdl evaluator and the combine operators associated with each constraint, a system level constraint value is calculated. This value is then compared with the system level speci cation to determine if the architecture meets its associated systems level performance requirements. 
The Move Machine
The rst signi cant speci cation developed using vspec was done by Baraona 4] .
The Move Machine is a simple CPU speci cation where operations are mapped to memory locations. The only operations performed by the Move Machine move data from one memory location to another. The Move Machine was speci ed as an instruction interpreter and at the register transfer level. Speci cations were written, however no analysis was performed. The Move Machine exercise served to shake out initial problems in the vspec semantics. Although no veri cation was performed, the exercise represented the rst actual vspec usage example.
Furthermore, the example represents a common class of systems and provided an excellent usage example for early users.
Find
The Find system and architecture speci cations presented in Figure 2 represent the rst complete bisimulation veri cation activity performed using vspec. Like the Move Machine, Find was developed as a synthesis benchmark and exhibits some interesting modeling capabilities. Speci cally, the use of activation conditions to model data caching. The Find architecture decomposes the problem into two components: (i) a sorting component; and (ii) a binary search component. The architecture is speci ed to cache the results of sorting so that if the input array does not change, it is not resorted. The result is a more e cient search.
Speci cations similar to those presented in Figure 2 were written and parsed by the original vspec parser. Formal models were generated by the parser and the Larch Prover was used to perform the veri cation. For this example, the proof obligations necessary to show the bisimulation relationship were written by hand. Although the veri cation was completed successfully, this activity demonstrated limitations in using lsl and the Larch Prover for veri cations of this size. The fundamental problem was the rst order nature of lsl and the mechanisms used to specify the basic CSP theories.
Pulse Interval Processor
In an initial technology transfer e ort, vspec was used jointly by TRW and The
University of Cincinnati to model the Pulse Interval Processing (PIP) section of an Interrogate Friend or Foe (IFF) transponder. The IFF transponder redesign represents a real Digital Signal Processing (DSP) product being designed and elded by TRW. Although vspec was not used in the actual design ow, we were given access to speci cations and worked with engineers designing the system. Unfortunately the PIP architecture is proprietary to TRW and details of the speci cation cannot be presented here. However, several important results are presented.
The PIP is an interesting challenge problem because of its means of encoding information. The PIP's function is to: (i) receive pulses from a digital signal processing system; (ii) transform pulse trains into commands; and (ii) produce appropriate output in response to those commands. Commands are used by other aircraft and air tra c control systems to gather information about an aircraft's altitude, position, mission and origin. The PIP is a particularly interesting model because information is encoded in the time di erence between received pulses.
This presented an interesting speci cation challenge as vspec does not use a temporal logic.
The speci cation was written using lsl to represent pulse times and their associated receive times. Pulse streams are processed by examining each pulse with respect to the PIP state and receive time of the last pulse. When a pulse is received its receive time is stored in the PIP state. When a second pulse is received, the di erence between its receive time and the stored receive time determines the command issued. The vspec state clause is used to maintain the last pulse received and a nested IF-THEN-ELSE statement is used to represent various processing cases.
The PIP speci cation was partially veri ed by automatically generating interconnect and component proof obligations. We were able to verify several interconnect conditions and TRW found one type error that had not been caught in the actual design ow. This error was not signi cant and would likely have been caught during design inspection or testing. No bisimulation relationships were speci ed or veri ed as the PIP architecture was established before beginning this speci cation task. As an extensive design activity for PIP preceded our e orts and this represented a redesign of a well understood system, the use of vspec did not seriously impact the actual design ow. However, design engineers commented that writing vspec made speci cation of test vectors much simpler.
This represents an interesting and somewhat unexpected result.
Real Time Monitor
The Real Time Monitor (RTM) is a proprietary special purpose signal processor used in military aircraft avionics subsystems. It is similar to the PIP except it contains programmability features allowing it to process multiple pulse streams and recognize multiple protocols. The RTM processor was speci ed by TRW exclusively with only vspec language assistance from the developers. Little veri cation was performed due to time restraints on the overall project.
Although details of the activity are considered proprietary, TRW acknowledges that using vspec played a key role in reducing estimated product costs by 25%. They observed that although vspec increased cost and development time during requirements analysis and representation, early mitigation of errors, precise requirements capture and ease of test vector generation compensated for initial costs. Speci cally, they reported that the result of the vspec speci cation activity resulted in much more precise and complete speci cations. Even without extensive veri cation, they reported discovering and mitigating ambiguities in the speci cations. Although only one legitimate error was discovered, using vspec forced them to be more precise in their speci cation activities. However, it should be noted that the primary motivation for writing vspec was a promise for automated veri cation, not more precise speci cations. TRW commented further that mature tools integrated into vhdl design environments would contribute to potential cost savings. Although this represents a development task, it does indicate the importance of integrating formal methods into traditional design ows.
Evaluation Summary
The vspec language and tools were evaluated with respect to two internal and two industrial examples. Internal examples were evaluated by students at The University of Cincinnati. The rst industrial example was evaluated jointly with TRW and the second evaluated solely by TRW. 
Conclusions and Current Status
Several problems and complexities of the Larch-based semantics were discovered in our prototyping activities. In an e ort to eliminate di culties, the vspec semantics have been transformed into PVS 28] form. The use of higher order logic substantially simpli es the speci cation and veri cation of CSP properties.
The vspec parser has been re-implemented in Java and generates PVS models in place of Larch. The higher order nature of PVS and maturity of its associate toolset will dramatically improve veri cation e ciency.
vspec is currently involved in several commercialization e orts. First, under Air Force and TRW sponsorship, the vspec toolset is being integrated with Mentor Graphics' Renoir development environment. This integration will allow vspec to be evaluated by engineers in their traditional design cycle. Second, under DARPA and EDAptive Computing sponsorship, vspec is being used to facilitate component retrieval by comparing component requirements with available components described by vspec. Comparing requirements with components formally supports high assurance in the quality of the match. Finally, under TRW sponsorship we have begun an e ort to generate test vectors from vspec speci cations. This paper brie y presented the vspec language and its associated semantics.
The semantics of single components were de ned using a canonical axiomatic approach. Activation conditions were described and a csp-base semantics provided. The use of vhdl architectures to describe abstract architectures was then discussed. The paper concluded with a presentation of examples used to evaluate the system and results of those activities.
