Abstract. We define a Plotkin-style structural operational semantics for a subset of vhdl that includes delta time, zero-delay scheduling and waits, arbitrary wait statements, and (commutative) resolution functions. While most of these features have been dealt with in separation, their combination is intricate. We follow closely the "careful prose" definition of vhdl as given in [9]. We prove a (conditional) monogenicity result for the operational semantics showing that the parallelism present in vhdl is benign. A classification of program behaviours is also given. While the semantics is of interest, of greater importance is the interpretation of the mature process algebra theory to our particular setting. An adaptation of bisimulation may be constructed but the concept of an observer, a process which inspects or acts as a test harness, turns out to be more useful. It leads naturally to a notion of observational equality that is a congruence with respect to parallel composition. This important result enables substitution of behaviourally equivalent subprograms without affecting the overall program behaviour. The capability to pass (incapability to fail) a test gives rise to the may (must) preorder on processes. These preorders are shown to coincide.
Introduction
vhdl is one of the most widely used hardware description languages. The language definition [9, 10] is given in English prose, opening the way to a multitude of formal semantics (see, for example, the recent collection of papers [6] and [1, 2, 7, 14, 15, 16, 17, 18]). As vhdl is a large language, most of this research limits itself to subsets of vhdl, often ignoring essential features of the vhdl model of hardware, such as delta time, signal resolution, and the structural hierarchy. In this work also we deal with a fraction of the language, but our intention is to deal with all fundamental behavioural constructs present within one entity. The vhdl subset therefore contains local variables, (possibly resolved) signals, signal assignments (including zero delay signal scheduling), all versions of wait statements, if and while statements, and parallel composition of sequential programs. In Section 3 we present a Plotkin-style structural operational semantics [13] that closely follows the informal vhdl definition. We believe that an operational framework is most natural for vhdl because it is generally understood in the context of a simulation kernel processing a hardware description.
We prove several results of the operational semantics, including a classification of program behaviours (Theorem 5). Also in Section 4 we show a (limited) monogenicity result for the operational semantics: despite the presence of parallelism, executions are essentially deterministic (Theorem 2). At this point we must point out that the semantics for our vhdl subset is based on vhdl87 [9] instead of vhdl93 [10]. The latter includes shared variables that fundamentally change the semantic model of vhdl. In fact, one of the important properties of vhdl87, monogenicity, no longer holds, making system verification more complex, both in theory and practice. (Consult Section 3.1 for further details.)
Building on our formalisation of vhdl we define in Section 6 an observational semantics using the testing theory of [4]. In this framework two programs are considered equal if they pass the same set of tests. An observer is nothing more than the formalisation of a test harness, analysing the output generated in response to particular inputs. The theory thus blends comfortably with the tradition of hardware testing. Alternatively, vhdl models reactive systems that respond to an active environment that can be interpreted as a program or circuit because, essentially, it is defined by the changes it generates on input signals. Both views support the identification of observer and observee, leading to a pleasing symmetry and simplicity. The use of an established theory such as testing allows us to import its concepts such as may and must preorders and the observation semantics. We prove that, due to the limited nondeterminism in vhdl, the may and must preorders coincide. Also, observational equivalence is a congruence with respect to parallel composition (Theorem 10). This theorem is important because it allows us to substitute observationally equivalent system components without affecting the overall system behaviour.
Definition of the VHDL Subset
Our vhdl subset contains local variables, variable assignment, signals (possibly resolved), signal assignments (including zero delay signal scheduling), full-blown wait statements, if and while statements, and parallel composition of sequential programs. The abstract syntax is defined as follows:
$$\begin{array}{lcl}
pgm & ::= & \|_{i \in I}\; ss \\
ss & ::= & x := e \;\mid\; x \Leftarrow e \textrm{ after } e \;\mid\; \textrm{wait on } S \textrm{ for } e \textrm{ until } e \;\mid\; \textrm{null} \;\mid\; ss;\, ss \;\mid\; \textrm{while } e \textrm{ do } ss \;\mid\; \textrm{if } e \textrm{ then } ss \textrm{ else } ss \\
e & ::= & v \;\mid\; x \;\mid\; e \textrm{ binop } e \;\mid\; \textrm{unop } e \;\mid\; s\textrm{'delayed}(e) \;\mid\; \textrm{null}
\end{array}$$
Binary operators binop include $\wedge$, $\vee$, $-$, and $+$; unary operators include $\neg$ and $-$. $I$ is an arbitrary, finite index set for processes and $S$ a finite, possibly empty set of signal names. $x$ is a variable or signal name ($x \in Var \cup Sig$) and $v$ is a value from a given value domain ($v \in Val$); see below for $Var$, $Val$, and $Sig$.
Abbreviations
In the following we expect vhdl processes of the form process [(S)] begin ss end process to have been transformed to while true do (ss; [wait on S]) prior to evaluation in our semantics. Processes are then a special case of sequential programs and we use the terms process and sequential program interchangeably.
In the context of the wait statement, when on S, for e, or until e is omitted, on T (where T is the set of all signals appearing in the until clause), for $\infty$, or until true is to be inserted respectively [9, Section 8.1]. Similarly, $s \Leftarrow e$ is shorthand for $s \Leftarrow e$ after 0. We adopt a single time scale and thus omit suffixes such as ns.
A Structural Operational Semantics
Regarding the static semantics of our vhdl subset we expect expressions and programs to be well-typed, following the usual vhdl rules.
Before introducing our semantic entities it is helpful to show the relations and semantic functions that constitute our structural operational semantics:
$$\begin{array}{lcl}
\mathcal{E} & : & e \to Store \to Val_\bot \\
\to_{ss} & : & (Store \times ss) \times (Store \times ss) \\
\to_{pgm} & : & (\mathcal{P}(Store) \times pgm) \times (\mathcal{P}(Store) \times pgm)
\end{array}$$
$\mathcal{E}$ is a semantics for evaluating expressions in a store, $\to_{ss}$ defines how statements evolve together with a store, and $\to_{pgm}$ relates programs and their state (a set of stores) to new programs and state. The latter are relations instead of functions because computations can be nondeterministic. A program and a set of stores is equivalent to a set of sequential programs each with their own store; to emphasise this fact we often regard $\to_{pgm}$ as having type $\mathcal{P}(Store \times ss) \times \mathcal{P}(Store \times ss)$ and write a configuration either as the parallel composition $\|_I$ of the pairs (store of process $i$; $ss_i$) or as a pair consisting of an $I$-indexed set of stores (one per process) and the set of processes $\|_I ss_i$.
Semantic Entities
We take as given a value domain $Val$, which must include natural numbers and booleans, together with appropriate operators $+$, $-$, $\wedge$, $\vee$, and $\neg$. Assuming also a domain $Var$ of variables and a domain $Sig$ of signals we define:
$$Store = (Var \rightharpoonup Val) \times (Sig \rightharpoonup \mathcal{P}(\mathbb{Z} \times Val_\bot))$$
Signals are mapped onto sets $f$, which we will frequently interpret as partial functions $f : \mathbb{Z} \rightharpoonup Val_\bot$ with the following intuition: for $n < 0$, $f(n)$ is the value of the signal $n$ time steps ago; $f(0)$ is the current value of signal $s$; for $n \geq 0$, $f(n+1)$ is the projected value for $s$ for $n$ time steps into the future. Thus $s \Leftarrow e$ after $n$ affects $f(n+1)$, and $f(1)$ contains the value scheduled for the next delta cycle. The set for $s$ contains at least $\langle -1, i\rangle$ and $\langle 0, v\rangle$ for initial value $i$ and current value $v$ of signal $s$. Note that only for $n > 0$ is $\langle n, \bot\rangle$ a valid pair in the set for $s$; it then encodes a null transaction for time $n$.
The types which are used, together with their (possibly subscripted and primed) canonical elements, are: $v \in Val$; $s \in Sig$; a store in $Store$; a set of stores in $\mathcal{P}(Store)$; a program $\|_I ss_i \in \mathcal{P}(ss) \cong pgm$; a sequential program configuration $c$, a pair of a store and a statement, in $Store \times ss$; and a program configuration $C$, written either as a pair of an $I$-indexed set of stores and a program or as $\|_I$ of the pairs (store of process $i$; $ss_i$), in $\mathcal{P}(Store \times ss)$.
As discussed previously, there is an obvious correspondence between $\mathcal{P}(ss)$ and $pgm$. Whether we write a configuration as a pair (set of stores, program) or as a parallel composition of (store, process) pairs depends on the emphasis we wish to place on the interpretation of the element. We call $c$ a sequential program configuration and $C$ a (program) configuration. We omit the index set $I$ of configurations where it is not relevant.
$x$ is either a variable or a signal. (4) where $f$ is the set currently associated with $x$ in the store with every pair $\langle n, \cdot\rangle$ for $n > t$ removed and the pair $\langle t+1, v\rangle$ added.
There is no rule for null alone: it is handled in conjunction with the sequencing operator:
$$\langle \textit{store}; \mathrm{null}; ss\rangle \to_{ss} \langle \textit{store}; ss\rangle \qquad (5)$$
This poses no problems as there is always a next statement, because every sequential program is wrapped in a non-terminating while loop. Similarly, wait statements are treated together with the parallel composition operator (rules 7 and 8 of Section 3.4). The remaining five rules, for the assignment, while, and if statements, are standard.
Programs
So far the semantics has been straightforward. Its complexity lies with the advancement of time. vhdl's timing model is unusual, and process synchronisation and communication is rather convoluted. A vhdl program consists of a set of communicating sequential processes which execute independently of one another (this aspect is handled by rule 6). Global synchronisation occurs when all processes have encountered a wait statement, and at this point communication via shared signals is effected. If no signal has changed (the circuit described by the program has settled into a steady state) time is advanced (rule 7). If, on the other hand, some signal remains active, the relevant processes are reactivated without any change to time (rule 8); this zero-time increment is also known as delta time. Process resumption involves removing the leading wait statement due to either (i) a change on a signal on which the process is waiting while the boolean condition holds, or (ii) a time-out specified in the until clause. If neither condition is satisfied the process remains suspended.
The following rule allows the processes that make up a program to evolve independently. Strictly speaking, waiting programs in rules 7 and 8 must be defined as follows:
Definition 1. A sequential program is waiting if it is of the form:
$$(\cdots((\textrm{wait on } S \textrm{ for } e \textrm{ while } te;\; ss_1);\; \cdots);\; ss_n)$$
for some $S$, $e$, $te$, and $ss_1$ to $ss_n$. A program is waiting if all its constituent sequential programs are waiting.
In the definition of $ss'_i$ in both rules 7 and 8, we evaluate the time-out clause every time. Although this seems contrary to the language definition [9, Section 8.1], it functions correctly in our setting for the following reason: the first evaluation of $te_i$ corresponds to the only evaluation in the definition. Subsequent evaluations of the same wait statement are vacuous in the sense that $te_i$ has been replaced by its denotation $\mathcal{E}[\![te_i]\!]$ in the store of process $i$. After the wait statement is deleted (activation of the process, marked † above) the next encounter of the same wait statement will contain the expression $te_i$ afresh as a consequence of the while loop surrounding every process body (cf. Section 2).
The boolean expression $be_i$ in wait statements has the opposite characteristics of the time-out clause: it must be evaluated anew every time the wait statement is encountered. Also, the time-out clause is evaluated at the time of suspension (i.e. with the stores of the suspending configuration) whereas $be_i$ is used at the time of reactivation (with the updated stores $U(\cdot)$) [9,
In the following we will use the labels $A$, $T$, and $\delta$ with the $\to_{pgm}$ relation to indicate that rule 6, 7, or 8 has been used respectively. We will frequently omit the $pgm$ subscript from $\to_{pgm}$. Let $Act$ be $\{\delta, T, A\}$, and let action labels range over elements of $Act$.
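As an added illustration (not part of the paper), the following Python model executes the semantic entities and rules 4, 6, 7 and 8 described above for single-driver signals: a signal's waveform is the paper's $f$ kept as a dictionary, processes are generators that yield their wait statements, a delta cycle consumes index 1 of every waveform, and a time step shifts every index. Two points are simplifying assumptions of this example rather than the paper's rules: a time-out is counted down at $T$ steps and resumes the process in the following delta cycle, and at a $T$ step the current value is copied into the history before shifting.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional, Set

@dataclass
class Wait:                                   # a suspended 'wait on S for t until be'
    on: Set[str]
    timeout: Optional[int] = None             # time steps left; None models 'for ever'
    until: Callable[["Store"], bool] = lambda st: True   # re-evaluated on resumption

@dataclass
class Store:
    # sig[s] is the paper's f : Z -> Val as a dict: n<0 history, 0 current, n>0 projected;
    # the value None stands for the bottom element (a null transaction)
    sig: Dict[str, Dict[int, object]] = field(default_factory=dict)

    def schedule(self, s: str, v, t: int) -> None:
        """s <= v after t (rule 4): drop projected transactions with n > t, add <t+1, v>.
        A single driver per signal is assumed, so no resolution function is needed."""
        f = {n: x for n, x in self.sig[s].items() if n <= t}
        f[t + 1] = v
        self.sig[s] = f
    def active(self, s: str) -> bool:         # a transaction is due in the next delta
        return 1 in self.sig[s]
    def event(self, s: str) -> bool:          # active and the current value changes
        return self.active(s) and self.sig[s][1] not in (None, self.sig[s][0])
    def delta_update(self) -> Set[str]:       # rule 8: consume index 1, report events
        events = {s for s in self.sig if self.event(s)}
        for f in self.sig.values():
            if 1 in f:
                v = f.pop(1)
                if v is not None:             # a null transaction leaves the value alone
                    f[0] = v
        return events
    def time_advance(self) -> None:           # rule 7: every index shifts down by one
        for s, f in self.sig.items():
            g = {n - 1: v for n, v in f.items() if n != 0}
            g[-1] = g[0] = f[0]               # a quiescent signal keeps its value
            self.sig[s] = g

@dataclass
class Proc:
    body: Callable[[Store], Iterator[Wait]]   # a 'while true do (ss; wait ...)' body
    gen: Optional[Iterator[Wait]] = None
    wait: Optional[Wait] = None

def step(store: Store, procs: List[Proc]) -> str:
    """One rule-6 phase followed by rule 7 or 8; returns the action label T or delta."""
    for p in procs:                           # rule 6: resumed processes run to a wait;
        if p.wait is None:                    # the time-out clause is fixed at suspension
            p.gen = p.gen or p.body(store)
            p.wait = next(p.gen)
    due = any(p.wait.timeout == 0 for p in procs)
    if not due and not any(store.active(s) for s in store.sig):
        store.time_advance()                  # rule 7: steady state, so time moves on
        for p in procs:
            if p.wait.timeout is not None:
                p.wait.timeout -= 1
        return "T"
    events = store.delta_update()             # rule 8: a delta cycle, time unchanged
    for p in procs:
        w = p.wait
        if w.timeout == 0 or (events & w.on and w.until(store)):
            p.wait = None                     # resumption removes the wait statement
    return "delta"

def inverter(inp: str, out: str) -> Callable[[Store], Iterator[Wait]]:
    def body(st: Store) -> Iterator[Wait]:
        while True:                           # process (inp) begin out <= not inp end
            st.schedule(out, not st.sig[inp][0], 0)
            yield Wait(on={inp})
    return body

def stimulus(st: Store) -> Iterator[Wait]:
    st.schedule("a", True, 1)                 # a <= true after 1; then wait for ever
    while True:
        yield Wait(on=set())

def demo(reverse: bool = False, steps: int = 6):
    """Constructed run: a stimulus driving two chained inverters a -> b -> c;
    returns the T/delta trace and the final current value of c."""
    st = Store({s: {-1: v, 0: v} for s, v in (("a", False), ("b", True), ("c", False))})
    procs = [Proc(stimulus), Proc(inverter("a", "b")), Proc(inverter("b", "c"))]
    procs = procs[::-1] if reverse else procs  # the rule-6 interleaving order is irrelevant
    return [step(st, procs) for _ in range(steps)], st.sig["c"][0]
```

Running `demo()` yields the trace delta, T, delta, delta, delta, T: the change on a propagates through both gates in three delta cycles without time advancing, and reversing the order in which rule 6 runs the processes gives the same trace and final state.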
Properties of the Operational Semantics
In this section we first show that vhdl is essentially deterministic. Then we give a classification of program behaviours that is more refined than usual.
Parallelism and Nondeterminism
Languages that contain parallelism are normally nondeterministic, complicating both the design and verification of programs. Even though vhdl includes the parallel execution of processes, its somewhat peculiar simulation model, in particular the use of delayed signal updates, ensures that the resulting nondeterminism is benign. In vhdl nondeterminism only arises through $A$ actions, i.e. arbitrary interleaving of processes. But at every $\delta$ or $T$ action all execution paths converge, so that the visible behaviour is perfectly deterministic. By the visible behaviour we intend all current and past signal values, as opposed to the whole system configuration, which also includes projected signal values and variables. This analysis leads naturally to the following theorem:
Theorem 2 (Monogenicity of $\to_{pgm}$). For all $C$, if $C \to C'$ by some action label then $C'$ is unique, with the proviso that if the label is $A$ then $C'$ must be a waiting configuration.
The proof is straightforward and relies on the monogenicity of the semantics for expressions and sequential statements. (Proofs of all theorems have been omitted from this paper; they may be found in [8].) The relevance of this theorem is elucidated by the following result.
This result reflects to some extent the stratified nature of vhdl's simulation model. In order of increasing granularity we encounter: evaluation of expressions ($\mathcal{E}$); evaluation of statements ($\to_{ss}$) or equivalently asynchronous process execution ($A$ actions); computation of a fixed point within every time step ($\delta$ actions); and finally time steps modelled by $T$ actions. (We refer to [7] for a similar hierarchy.) Delta delays model internal computation steps and should be invisible to the user. Program divergence may take place at the sequential program level (within one process) or may be due to the failure to reach a fixed point when several processes are involved. In both cases progress of the system as a whole is inhibited, even though the causes are very different.
Program Transformations
Operational semantics are always rather cumbersome to work with. We prefer therefore to work with derived properties. At the level of statements ($\to_{ss}$) these include program transformations. Behavioural notions to be introduced in Section 6 are more useful when discussing processes. $=_{Common}$ encodes equality of the stores on the common domain, and by $C \not\to_{ss}$ we mean that $C$ cannot do another $\to_{ss}$ transition. Using these rules most "real computation" can be moved to immediately follow the wait statements, and signal assignments can be made to immediately precede wait statements.
Towards a More Abstract Semantics
The operational semantics presented in the preceding sections is useful because it allows formal reasoning about vhdl programs. It is, however, not abstract enough because it distinguishes programs that intuitively behave in the same way. Consider, for example, the two nand gates $p_1$
In summary, the notion of bisimulation is well adapted to abstract process algebras but turns out to be intricate to state and cumbersome to work with in our more concrete operational semantics. This is unfortunate because the proof method of finding bisimulations to prove program equivalence is efficient and elegant.
Testing
The testing framework of [4] is a method for comparing programs; two processes are considered equal if they pass the same set of tests. An observer is a process or program that emulates the environment of a circuit; in other words, it supplies the observee with inputs and analyses the results. A test is successful if the observer indicates success, for example by raising a distinguished flag. If two circuits pass the same set of tests they are indistinguishable by all environments and may hence be considered equal. This is the basis of observational equality.
Testing, like bisimulation, has traditionally been applied to process algebras but, unlike bisimulation, works well for operational semantics (see also [5]).
Recall that bisimulation is maladapted to the presence of an explicit state that must be partly ignored. An observer is a normal program (a collection of processes) and as such can access only its local variables and the current and past values of signals. Thus there is no need to explicitly restrict the scope of visibility. By definition an observer can only access the visible environment as defined by $=_{Visible}$.
The primary data observed during bisimulation are the labels of the semantic relation, but in our testing framework signals take first place. Value passing considerably complicates bisimulation (requiring quantification over all possible input values) but it comes naturally to observers, which are, after all, just programs. Moreover, vhdl may be said to be asynchronous. That is, a program can continue to evolve internally (modify its state, diverge) or externally (produce results) without or despite the intervention of the observer. Also, inputs are non-blocking: if an input signal is active the incoming value will be consumed at the first opportunity (rule 8), but the lack of input data (more precisely, a quiet signal) does not inhibit execution of the program (cf. Theorem 4). This is fundamentally different from synchronous languages such as ccs on which bisimulation and testing are based. There only signal activity counts, whereas vhdl also includes events, null transactions, and values. While asynchrony combines uneasily with bisimulation, an observer naturally emits or omits input data at specific points in time.
All in all, observers cope well with programs exactly because they themselves are programs. Apart from a single distinguished flag success, no new machinery needs to be introduced.
Conclusion
The two notions of bisimulation and observation are pivotal to the theory of process algebras. From the previous sections we may conclude that the observational framework can be more easily adapted to our structural operational semantics. Both methods are explored in [8], but in the following we restrict ourselves to the testing theory. On a more philosophical level, the use of bisimulations is a positive method in the sense that it allows us to show that processes are equal, in contrast to testing, which is negative, making it easy to prove that two processes are different. To prove equality we need to find only one bisimulation but need to run an infinite number of tests (because the number of observers is infinite). Conversely, to show inequality we need find only one observer. Thus, even though bisimulation is not further elaborated upon, it remains an alternative worth investigating.
An Observational Semantics
To interpret our semantics within the testing theory of [4] we need to define the following entities: a set of processes $Q$, a set of observers $O$, a set of states $States$ and a set of successful states $Success$, and a method of assigning to every observer $C_O$ and process $C_P$ a non-empty set of computations $Comp(C_O, C_P)$.
$Q$ and $O$ are both equal to the set of all program configurations, except that observers may use the distinguished signal success, because a program is not only defined by its program text but also by the values its variables and signals have. In addition to the stores of a program, a state comprises the program text $\|_I ss_i$ because it must be known how far each process has advanced in its execution. The program text is manipulated and is therefore part of the state, so that $States$ is equal to the set of all program configurations (store and program text). A computation is the set of all states an observer-observee pair passes through. Finally, a program passes a test if the observer has assigned true to the reserved signal success. Let us recapitulate what we have defined so far. Given a program configuration we add to the system a number of processes that test the program. They simulate the environment by providing all input stimuli and analysing outputs. When the observer (or test harness) decides that the program behaves as it should it signals success on the reserved signal success. The framework is quite simple: observers are program configurations like the programs they test, with the exception that they can access the reserved signal success. No special start or stop signals are necessary (see below for a more detailed discussion on this point) and constructing a test entails simply putting the program and observer in parallel.
(In Definition 6, "no input" corresponds to a quiet signal, $v_s$ equal to the current value of $s$ to an active signal without an event, and $v_s$ different from the current value of $s$ to an active signal with an event. In the case of $v_s = \mathrm{null}$, $s$ is active but may or may not have an event, depending on resolution. See Section 3.4 for active and event.)
Having moulded the testing framework to our needs, we immediately obtain the following concepts: The may and must preorders indicate a fitness for purpose: $\sqsubseteq_{may}$ can be read as the capacity to pass a test, so that $C \sqsubseteq_{may} C'$ means that $C'$ can pass at least all the tests $C$ can pass. The preorder $\sqsubseteq_{must}$ indicates the incapacity to fail a test, and $C \sqsubseteq_{must} C'$ states that all tests that $C$ always passes are also always successful for $C'$. This then induces a notion of implementation: $C_P$ implements a specification $C_S$ ($C_P \sqsubseteq_{impl} C_S$) iff $C_P \sqsubseteq_{may} C_S \wedge C_S \sqsubseteq_{must} C_P$.
An implementation must satisfy all tests that the specification always satisfies; moreover, the implementation may not pass tests that the specification does not pass. The former clause defines the minimum behaviour an implementation must exhibit, the latter indicates the limit of possible behaviours of an implementation.
Results of the Observational Semantics
Due to the limited nondeterminism of vhdl (Theorem 2) the may and must preorders coincide, as is shown by the next theorem.
Theorem 9. $\sqsubseteq_{may} \;=\; \sqsubseteq_{must} \;=\; \sqsubseteq_{test}$
The result can easily be shown: observers can only inspect the visible system state, which by Corollary 3 has a unique computation path. This result allows us to omit the may, must, and test subscripts without ambiguity. We write $\simeq$ for the equivalence relation induced by $\sqsubseteq$ ($\simeq \;=\; \sqsubseteq \cap (\sqsubseteq)^{-1}$). It is equal to the previously defined implementation preorder $\sqsubseteq_{impl}$.
Suppose two programs have the same input-output behaviour but possibly a different structure ($p_1$ and $p_2$ of the previous section, for example). Within a larger system, could some or all occurrences of $p_1$ be replaced by $p_2$ without changing the behaviour of the system as a whole? The answer is yes, if we use observational equivalence:
Theorem 10. $\simeq$ is a congruence with respect to parallel composition. That is, $C_{J_1} \simeq C_{J_2} \;\Leftrightarrow\; \forall C_I.\; C_I \| C_{J_1} \simeq C_I \| C_{J_2}$. (Taking care that variables occurring in only one of $C_{J_1}$ and $C_{J_2}$ are not captured by $C_I$.)
The proof relies on there being no restriction on observers $C_O$, so that any context $C_I$ can be interpreted as an observer. This theorem is important because it allows us to substitute observationally equivalent system components without affecting the overall system behaviour. A refinement-based design methodology can therefore be safely adopted to construct circuits.
The Power of Observation
Our notion of behavioural equivalence is very strong because observers can inspect and modify signals at every delta step. Behaviourally equivalent processes must exhibit the same behaviour at every delta step. Consider the following processes: $o_1$ distinguishes $p_3$ and $p_4$ so that $p_3 \not\simeq p_4$. Perhaps unexpectedly, $p_3 \not\simeq p_5$ although wait for 0 seems not to delay any statements that modify the state. It does, however, affect the rate at which it is able to consume its inputs.
These observations might lure us into the mistaken belief that delta actions have a temporal significance. This is not so; delta actions represent internal computation steps of the simulation in the convergence to a fixed point or steady state. Inputs to a circuit remain constant during one time step (from one $T$ action to the next) and outputs should only be read when they have stabilised (i.e. at $T$ actions). Observers may be thought of as emulating the environment, and this suggests limiting the expressiveness of observers in this way. But there is no simple solution: if we circumscribe the power of observers we must make a corresponding restriction to programs, assuming we wish observational equivalence to be a congruence (see Theorem 10). Any effort to excise delta delays reduces the vhdl subset to a trivial language. More work is needed to find a coarser and more useful notion of observation.
Although we have not yet proved this formally, it is clear that the bisimulation outlined in Definition 6 is more discerning than our testing framework because observers cannot always reconstruct when (delta) time advances. (Consider a $\delta$ action caused only by a wait for 0 statement; the state does not change and the application of the delta rule passes unnoticed. Conversely, all the information that is available to an observer can also be used by bisimulation, so that bisimulation is strictly more powerful.)
Observing Processes Or Sequential Programs
Parallelism in vhdl is uncomplicated because only complete sequential programs can be executed in parallel. Thus our notion of observation lies at the process level (whole sequential programs, i.e. $\to_{pgm}$). This contrasts with the approach of De Nicola and Pugliese, who give an observational semantics for the asynchronous concurrent language Linda in [5]. In Linda concurrency can be introduced at the level of individual statements through explicit process creation (eval), so that a more refined notion of observation is necessary and programs are tested at the level of sequential program statements. As a result the composition of observer and observee is more involved: in addition to the distinguished signal success, special start and stop signals are needed. It is not clear if a similarly detailed notion of observation can easily be introduced for our semantics. We cannot simply regard our observers as (partial) sequential programs because wait statements cause an interaction of statement and program semantics. As defined at present, $\simeq$ is not a congruence at the $\to_{ss}$ level because an observer cannot modify the past behaviour of programs. In particular, the problem is caused by the histories of signals: $ss_1 \simeq ss_2 \;\not\Rightarrow\; \textrm{wait for } n;\, ss_1 \simeq \textrm{wait for } n;\, ss_2$.
Conclusions
Of research into vhdl, the operational semantics by van Tassel [6, Chapter 3] is closest to ours; but it omits arbitrary wait statements, simplifying the semantic model considerably. [16] do not suffer from this defect but are less intuitive than an operational approach. However, because they are more abstract than our semantics, reasoning with them may well be easier.
We have presented a semantics for a vhdl subset that contains the principal features of one-entity vhdl programs, to be precise: delta delays, arbitrary wait statements, zero delay scheduling, parallel processes, and local variables. Resolution functions are also included, but they must be commutative. Of the various methods that have been used to define vhdl formally we believe ours to be one of the simplest and most intuitive. That the semantics correctly reflects the informal understanding of vhdl is supported by the fact that the properties that we proved are "common knowledge". Monogenicity of the semantics is important in theory and practice. Using the testing theory to give an observational semantics for a language such as vhdl has been fruitful. Our notion of equivalence on programs that is a congruence is an essential ingredient of any compositional method, be it a formal theory of correctness or an informal design tool.
Future work includes a cleaner characterisation of bisimulation and its relation to observational equivalence. The operational semantics could be extended by including (function) declarations to bring resolution functions into the language, and by allowing multiple entities. Some small examples are presented in the technical report version of this paper; they demonstrate that practical use of our semantics is difficult.
We thank Rosario Pugliese for many useful discussions about the application of process algebraic methods to our vhdl semantics, Flavio Corradini for proof reading this paper, and the referees for valuable suggestions.
