A formal approach to specify and synthesize at the system level by Blumenroehr, Christian
A Formal Approach to Specify and Synthesize at the
System Level

Christian Blumenrohr
Institute for Circuit Design and Fault Tolerance (Prof. Dr.-Ing. D. Schmid),
University of Karlsruhe, Germany e{mail: blumen@ira.uka.de
Abstract
In this paper, a new and formal methodology for specifying and synthesizing
systems is presented. Systems are modeled as structures of concurrent processes. The
way the processes communicate realizes a hand-shake protocol. The specication at
the system level is part of our hardware description language Gropius, which ranges
from the gate to the system level. Gropius was designed for a formal synthesis
scenario, where synthesis is performed by applying basic mathematical rules within
a theorem prover, thus guaranteeing correctness of designs implicitly.
1 Introduction
The synthesis of hardware systems is heading towards more and more abstract design levels.
At the algorithmic level, the specication for a single process is given as a piece of software
program. For modeling complex systems, it is often not sucient to start from a single
process specication. At the system level, therefore, systems are modeled as a structure of
concurrent processes, each of them represented by a piece of software program. Starting
from this abstraction level, the system need not necessarily be realized in hardware. The
descriptions at the system level can as well be a starting point for a pure software or a
mixed hardware/software implementation (HW/SW-codesign, embedded systems). How-
ever, depending on whether the processes are to be implemented as software or hardware,
dierent cost functions have to be considered during the synthesis and optimization process
[1]. In this paper, we restrict ourselves on the synthesis of hardware components.
Due to the fact that the complexity of today's systems is increasing as well as the
synthesis process for deriving them, the correctness of hardware and software components
has become an important matter | especially in safety critical domains. Since simulation
is normally (i.e. for large designs) not exhaustive in reasonable time and an automated

This work has been partly nanced by the Deutsche Forschungsgemeinschaft, Project SCHM 623/6-1.
1
post-synthesis verication is extremely costly, it is our objective to perform synthesis via
logical transformations thus guaranteeing \correctness by construction".
There are mainly two concepts to fulll this paradigm: transformational design and
formal synthesis. In both approaches, synthesis is based on correctness-preserving trans-
formations. To guarantee this, the correctness of the transformations is proven. However,
the transformations are implemented within a complex synthesis program. In this step,
many failures may occur. Therefore, it would be necessary to prove the correctness of
the implementations of the transformations. However, such proofs are not provided in
transformational design [2, 3, 4].
In formal synthesis, the synthesis process is performed within a theorem prover. The cir-
cuit descriptions are formalized in a mathematical manner and the transformations, which
are derived from elementary mathematical rules, are directly performed in this representa-
tion style within the theorem prover. Thus, not only the correctness of the transformations
is proven, but also the correctness of their implementations is guaranteed. In our approach
we use the theorem prover HOL [5]. Due to the fact, that deriving theorems in HOL is
restricted to a small core of rules and axioms, our approach is extremely safe as to cor-
rectness. Other approaches in the formal synthesis domain are restricted to lower levels of
abstraction [6, 7, 8] or to pure data ow graphs at the algorithmic level [9]. See [10] for a
survey on formal synthesis.
In this paper, we address formal synthesis at the system level. It extends our recent
work, which was dedicated to synthesis of pure data ow graphs [11, 12] and mixed con-
trol/data ow graphs [13, 14] at the algorithmic level. In the next section, we introduce,
how systems can be specied in our approach and in section 3 it is shown, how systems
can be mapped on implementations at the RT-level.
2 Specifying systems
Our work is based on a formal hardware description language called Gropius
1
ranging from
the gate level to the system level.
Gropius is functional, strongly-typed, polymorphic, higher-order and has a precise se-
mantics, since every construct has been dened in the theorem prover HOL [5].
Unlike most standard hardware description languages such as VHDL and Verilog,
Gropius is strictly divided into sublanguages each corresponding to a specic abstrac-
tion level. However, due to the common core of the sublanguages, Gropius is not just a
set of hardware description languages. The elementary constructs and the user dened
functions are a common starting point for all circuit descriptions. Figure 1 shows the
structure of Gropius. In the following, only the part of gure 1 that corresponds to the
system level (Gropius-3) is introduced. For the description of Gropius-0 (gate-level) and
Gropius-1 (RT-level) see [15], for Gropius-2 (algorithmic level) see [13, 14].
At the algorithmic level, only single processes can be modeled. To describe more
1
Walter Gropius (1883-1969), founder of the Bauhaus (form follows function).
2
RT-level circuits
gate-level circuits
Gropius-2
Gropius-1
abstract
operators
boolean
operators
functions
user defined
elementary
constructs
k-processes
dfg-terms
Gropius-3
circuit descriptions
algorithmic dfg-
s-structures
circuit descriptions
algorithmic p-
p-terms
automaton
boolean
dfg-terms
dfg-interface patterns p-interface patterns
Gropius-0
Figure 1: The language Gropius
complex systems, this is not sucient. Therefore, at the system level, a circuit is described
by a set of processes.
2.1 Algorithmic circuit descriptions
The description of algorithmic circuits at the system level as well at the algorithmic level
consists of two components. An algorithmic description only denes, how some input value
is mapped to some output value. Time is not yet considered. In [13, 14] the algorithmic
description of processes is introduced. To bridge the gap between an algorithmic description
and a hardware implementation one has to additionally dene an interface behavior. The
interface behavior describes, how the circuit communicates with the environment via its
interface.
In most approaches of the high-level and system level synthesis domain, algorithmic and
interface descriptions are mingled in an arbitrary manner. In our approach, algorithmic
description and interface behavior are strictly separated.
At the algorithmic level a xed set of interface patterns is provided. The circuit designer
can rst write some ordinary, time independent algorithm and can then select one of the
interface patterns, thus dening the way the circuit communicates with the environment.
The designer can easily switch from one interface behavior to another without changing
the program.
This is what we call \true abstraction". The design starts with some general purpose
program just as in software design. At this point, the design is not at all hardware specic:
no signals, no timing, no clock, no registers. The designer may then switch from software
3
to hardware by selecting an interface pattern, but he may as well remain in the software
domain and have his piece of code being executed on a computer.
The syntax for algorithmic circuit descriptions (see gure 1) is as follows:
algorithmic dfg-circuit description ::=
dfg-interface pattern "(" dfg-term "," number of cycles ")"
algorithmic p-circuit description ::=
p-interface pattern "(" program ")"
The algorithm given as a dfg-term or a p-term is handled to the interface pattern as a
parameter. There is one major dierence between the hardware implementation of dfg-
terms and p-terms. Dfg-terms correspond to acyclic data ow graphs and can be executed
in a xed number of clock ticks. P-terms on the other hand correspond to arbitrary
computable programs and therefore one cannot guarantee that they are executed in a xed
number of clock ticks and it may even be, that execution does not terminate at all. Dfg-
based algorithmic circuit descriptions have therefore an extra parameter specifying the
number of clock cycles for executing the dfg-term. This parameter may be given by the
designer or the designer may use a variable which is then instantiated during synthesis.
2.2 Communication scheme at the system level
At the system level processes interact via a xed communication scheme. There are only
two interface patterns at the system level: one for dfg-terms and others for p-terms. The
communication scheme is label based and closely related to higher order petri nets [16].
Every process corresponds to a transition with some places at its output. In Gropius-3,
ring means removing the input labels, performing some calculation and delivering the
produced result in terms of new labels to the output.
reset
channel_1
Process
ready_2
data_valid_2
data_2
channel_2
data_valid_1
ready_1
data_1
Figure 2: Interface of a single process
Circuits communicate via channels (see gure 2). A process may have several input and
output channels. Furthermore, every process has a global reset-input. Channels are used
to transport some label with some specic data package from some circuit A to some circuit
B. Each channel consists of two boolean control signals ready and data valid and a data
signal data of arbitrary type. Channels are always one-to-one connections and they always
have a xed direction, which is dened by the direction of the data-signal. The data valid-
signal goes to the same direction whereas the ready-signal goes to the opposite direction.
4
At the system level the designer will always describe structures of circuits communicating
via channels, but due to the communication scheme it is not possible to explicitly address
the basic signals belonging to some channel.
In channels communication is performed via handshake. Given some processes A and
B and a channel from A to B. Process A signalizes via data valid that there is a label
with some data being on data. Process B signalizes via ready that it is ready to read
the next label and that it will read the next label as soon as process A will provide it.
Whenever both data valid and ready become true, the communication happens, i.e. the
label is moved from A to B.
Figure 3 gives the formal denition of the p-term based interface pattern that is dened
for the system level. Figure 4 illustrates it in a schematic manner.
P INTERFACE SYSTEM (A) (reset,(data 1; data valid 1; ready 1); (data 2; data valid 2; ready 2)) =
ready 1 0 ^
8t: reset t ) (ready 1 (t+ 1) ^ :(data valid 2 t)) ^
(ready 1 t ^ :(data valid 1 t)) )
ready 1 (t+ 1) ^ :(data valid 2 t) ^
(ready 1 (t+ 1) ^ :(data valid 1 (t+ 1))) )
(data 2 (t+ 1) = data 2 t) ^
(ready 1 t ^ data valid 1 t) )
CASE (A (data 1 t)) OF
Dened y 9m: (8n: n < m )
(8p: p  n ) :(reset (t+ p))) )
:(ready 1 (t+ n+ 1)) ^
:(data valid 2 (t+ n)) ) ^
((9s: ready 2 (t+m+ s)) )
(9s: (8n: n < s )
(8p: p  m+ n ) :(reset (t+ p))) )
:(ready 1 (t+m+ n+ 1)) ^
:(data valid 2 (t+m+ n)) ^
(data 2 (t+m+ n) = y) ) ^
((8p: p  m+ s ) :(reset (t+ p))) )
:(ready 1 (t+m+ s+ 1)) ^
:(data valid 2 (t+m+ s)) ^
(data 2 (t+m+ s) = y) ) )) ^
((8s: :(ready 2 (t+m+ s))) )
(8n: (8p: p  m+ n ) :(reset (t+ p))) )
:(ready 1 (t+m+ n+ 1)) ^
:(data valid 2 (t+m+ n)) ^
(data 2 (t+m+ n) = y) ))
Undened 8m:(8n: n  m ) :(reset (t+ n))) )
:(ready 1 (t+m+ 1)) ^
:(data valid 2 (t+m))
Figure 3: Formal denition of the p-interface pattern for the system level
The interface pattern P INTERFACE SYSTEM describes a relation between the interface
signals data 1, data valid 1 and ready 1, which are the basic signals of channel 1, the
5
...o o’o
i’
data_valid_1
ready_2
data_1
data_2
data_valid_2
o’
i’’
A
o’o’
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 time
reset
AA
i
o
ready_1
Figure 4: Schematic illustration of the p-interface pattern dened in gure 3
interface signals data 2, data valid 2 and ready 2 , which build channel 2, and the signal
reset. To distinguish the input and output channel, we added the suxes 1 and 2 to the
basic signals. The relation is with respect to some program A.
The semantics of the basic signals is as follows: the process gets the data packages
from its predecessor via data 1 and delivers data packages to its successor via data 2.
data valid 1 and data valid 2 signal, whether the predecessor delivers new data to the
process and whether the process delivers new data to its successor, respectively. With
ready 1 and ready 2 the process and its successor notify their predecessors, whether they
are able to accept new data. The global signal reset is used to interrupt calculations and
to bring all processes into their initial state.
The interface pattern states that the circuit has an internal state, indicated by the signal
ready 1, which is initially T. If no calculation is performed, the data 2-signal holds the
result of the last program execution. If a calculation is started, i.e. the signals data valid 1
and ready 1 are set at the time, ready 1 will be set to F in the next clock tick, indicating
that the process is busy now and cannot accept new data from its predecessor. If ready 2
is set when the calculation terminates, the result is immediately passed to the successor
by setting the data valid 2-signal. A clock tick later, ready 1 is set again and the process
is waiting for new data. If ready 2 is not set when the calculation terminates { i.e. the
successor process is busy, the result is stored in data 2, until ready 2 is set. If the calculation
does not terminate and/or the successor process never signals that it is able to accept new
data, ready 1 is set to F until reset is set thus stopping the calculation. If reset is set,
ready 1 is set a clock tick later indicating that the process is ready for new input.
The dfg-interface pattern, that is dened for the system level is similar to the p-interface
pattern. The dierence is, that calculations always terminate and that they always termi-
nate within the same number of clock ticks. Due to lack of space the dfg-interface pattern
is not shown here .
2.3 S-structures
In Gropius-3, structures of processes are named s-structures. There are three kinds of
processes: dfg-term based processes, p-term based processes and k-processes. Dfg-term
6
based processes and p-term based processes are nothing but algorithmic circuit descriptions
in Gropius-2 with the specic channel-based interface pattern, which was explained in the
last section.
Both dfg-term based processes and p-term based processes have a single input channel
and a single output channel. K-processes are sort of a glue logic for building arbitrary
s-structures. They are used for spreading, combining, buering and delaying signals.
The syntax of s-structures is as follows:
s-interface ::= "(" "reset"
n
"," channel
o
")"
s-process ::= algorithmic dfg-circuit description j
algorithmic p-circuit description j
k-process
s-structure ::= "9" channel
n
"," channel
o
"."
s-process s-interface
n
"^" s-process s-interface
o
2.4 K-processes
K-processes are channel based communication units. There are ten dierent k-processes,
six of them are displayed in gure 5.
b
a
b
aSy
Synchronize
De
Delay
a
a
Double
Do Si
Sink
b
a
Join
J ab
Split
Spaa a a (a,b) (a,b)
Figure 5: Some k-processes
The process Synchronize waits until both input channels hold a label and if both suc-
cessor processes are ready to read new data, it moves both labels to the output at the
same time. Delay delays some label by at least one clock tick. Double duplicates a label.
There are two output channels | one for each copy. Join combines two labels to a single
label with the new data being a pair holding the two data packages of the original labels.
Split is the inverse operation to Join. Since the channels are bidirectional, there must be
an extra Sink-process to represent sinks of signals.
K-processes are used for combining several algorithmic processes and to manage the
communication between them. They are dened once and for all and can thus be reused
in dierent systems.
The strict separation of functional and temporal aspects at the algorithmic level may
at rst glance mean a restriction in contrast to other approaches, where these descriptions
can be arbitrarily mingled. However, even those descriptions can be represented in Gropius
in the following way. A description containing functional as well as temporal parts is rst
partitioned into several purely algorithmic descriptions such that the temporal aspects
only describe the communication between these processes. Then the new processes are
7
combined at the system level in combination with k-processes to yield the original mixed
functional/temporal description. In gure 6 a small but typical example is illustrated.
An algorithmic circuit description contains two functional blocks A and B. After A is
performed, the calculation of B is delayed until some control signal is set. In VHDL this
is expressed using the "wait until"-expression. This description cannot be represented in
Gropius at the algorithmic level. However, it can be represented at the system level using
the k-processes Synchronize and Sink.
A B
Sy
Si
input
signal
output
Figure 6: Example for representation of mixed functional/temporal description
3 Synthesizing systems
Each process at the system level represents a hardware component with a well-dened
interface in terms of electronic input and output wires. A s-structure can be synthesized
by synthesizing each process separately and then implementing the channels as bundles of
wires.
Synthesis of dfg-terms and p-terms at the algorithmic level has already been introduced
in [11, 14], respectively. We here only will roughly repeat the synthesis scenario for p-terms.
In our approach, the synthesis of algorithmic p-circuit descriptions is divided into two
parts: rst the p-term is transformed into an equivalent p-term in the so-called single-
loop-form (slf) by applying pre-proven program transformation theorems. Afterwards a
pre-proven implementation theorem is applied to perform the interface synthesis thus gen-
erating a RT-level implementation. The only dierence between synthesis at the system
level compared to the algorithmic level is that another interface pattern is used and there-
fore during interface synthesis another implementation theorem is applied, which generates
the RT-level implementation.
3.1 Synthesizing k-processes
When synthesizing algorithmic dfg- or rather p-circuit descriptions, several tasks like
scheduling, allocation and binding have to be performed to achieve cost-minimal imple-
mentations. Since in k-processes no algorithmic calculation is performed, nothing can be
optimized and thus the synthesis is restricted to applying an implementation theorem.
Therefore, for every k-process an implementation at the RT-level has to be found and an
implementation theorem has to be proven stating that the implementation fullls the com-
munication scheme for the k-process. We have proven implementation theorems for all of
8
the ten k-processes. The following implementation theorem e.g. states that the implemen-
tation, which is sketched in gure 7(a), implies the behavior of the k-process Delay, which
is illustrated in gure 7(b).
` IMPLEMENTATION DELAY
(reset, (data 1, data valid 1, ready 1), (data 2, data valid 2, ready 2))
)
INTERFACE DELAY
(reset, (data 1, data valid 1, ready 1), (data 2, data valid 2, ready 2))
&
MUX
T
F
&
& &
>1
>1
>
DF
>1
>
DT
MUX
T
F
>
Dq
data_valid_1
ready_1
data_1 data_2
data_valid_2
ready_2
reset
(a)
data_2
data_valid_2
0 1 2 3 4 5 6 7 8 9 10 11 12 13
ready_1
d d’
time
d d d’ d’ d’ ...d"d"d"d"d"d"
data_valid_1
ready_2
data_1 d d’ d"
reset
(b)
Figure 7: Schematic illustration of implementation and specication for Delay
3.2 Further optimizations
One possibility to synthesize a s-structure is to just synthesize its components indepen-
dently from each other. However, the drawback is that every process, that has to be
implemented in hardware, requires its own hardware resources. Since optimizations can
only be performed within single processes, the resulting hardware for the complete system
is normally not cost-minimal. It would be better to rst combine several processes to
perform optimizations over their boundaries. A second advantage is the reduction of the
communication overhead. Therefore, we are on our way to develop a method to combine
several processes to a single process.
4 Conclusion
In this paper we have presented a new methodology for deriving RT-level structures from
circuit descriptions at the system level. There are two aspects, in which our approach diers
from conventional approaches in this domain. Firstly, this is (to our knowledge) the rst
formal methodology for synthesis at the system level. The result is a guaranteed correct
9
implementation at the RT-level, which is derived by a sequence of logical transformations.
Secondly, we have dened a xed communication scheme, where every connection between
two processes directly corresponds to electronic wires. Conventionally, processes at the
system level communicate by abstract channels, that have to be synthesized separately.
References
[1] D.D. Gajski, F. Vahid, S. Narayan and J. Gong. Specication and design of embedded system. Prentice Hall, Englewood
Clis, NJ, 1994.
[2] J.M. Mendias, R. Hermida and M. Fernandez. Correct high-level synthesis: a formal perspective. In Design, Automation
and Test in Europe, pages 977{978, Paris, France, 1998. IEEE Computer Society.
[3] P.F.A. Middelhoek. Transformational Design: An Architecture Independent Interactive Design Methodology for the
Synthesis of Correct and Ecient Digital Systems. PhD thesis, Universiteit Twente, NL, 1997.
[4] J. Hallberg and Z. Peng. Synthesis under local timing constraints in the CAMAD hig-level synthesis system. In IEEE
EUROMICRO, Como, Italy, 1995. IEEE-Press.
[5] M.J.C. Gordon and T.F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher Order Logic.
Cambridge University Press, 1993.
[6] S.D. Johnson and B. Bose. DDD: A system for mechanized digital design derivation. In International Workshop
on Formal Methods in VLSI Design, Miami, Florida, January 1991. ACM/SIGDA. Available as Indiana University
Computer Science Department Technical Report No. 323 (rev. 1997).
[7] E.M. Mayger and M.P. Fourman. Integration of formal methods with system design. In A. Halaas and P.B. Denyer,
editors, International Conference on Very Large Scale Integration, pages 59{70, Edinburgh, Scotland, August 1991.
IFIP Transactions, North-Holland.
[8] R. Sharp and O. Rasmussen. The T-Ruby design system. In IFIP Conference on Hardware Description Languages and
their Applications, pages 587{596, 1995.
[9] M. Larsson. An engineering approach to formal digital system design. The Computer Journal, 38(2):101{110, 1995.
[10] R. Kumar , C. Blumenrohr, D. Eisenbiegler, and D. Schmid . Formal synthesis in circuit design-A classication
and survey. In M. Srivas and A. Camilleri, editors, Formal Methods in Computer-Aided Design. First International
Conference,FMCAD'96, number 1166 in Lecture Notes in Computer Science, pages 294{309, Palo Alto, CA, USA,
November 1996. Springer-Verlag.
[11] D. Eisenbiegler, C. Blumenrohr, and R. Kumar. Implementation issues about the embedding of existing high level
synthesis algorithms in HOL. In Joakim von Wright, Jim Grundy, and John Harrison, editors, Theorem Proving in
Higher Order Logics:9th International Conference, TPHOLs'96, number 1125 in Lecture Notes in Computer Science,
pages 157{172, Turku,Finland, August 1996. Springer-Verlag.
[12] C. Blumenrohr and D. Eisenbiegler. An ecient representation for formal synthesis. In 10th International Symposium
on System Synthesis, pages 9{15, Antwerp,Belgium, September 1997. IMEC, IEEE Computer Society Press.
[13] C.Blumenrohr and D. Eisenbiegler. Deriving structural RT-implementations from algorithmic descriptions by means of
logical transformations. In F.J. Rammig and W. Muller, editor, GI/ITG/GME Workshop Methoden des Entwurfs und
der Verikation digitaler Systeme, pages 38{49, Paderborn, Germany, March 1998. HNI-Verlagsschriftenreihe.
[14] C.Blumenrohr and D. Eisenbiegler. Performing high-level synthesis via program transformations within a theorem prover.
In Digital System Design Workshop at the 24th EUROMICRO 98 Conference, pages 34{37, Vaesteraas, Sweden, 1998.
IEEE-Press.
[15] D. Eisenbiegler. Automata | A theory dedicated towards formal circuit synthesis. Technical Report 14/97, Universitat
Karlsruhe, 1997. http: //goethe. ira. uka.de/fsynth/publications/postscript/Eise97b.ps.gz.
[16] K. Jensen. Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical Use. Volume 1, Basic Concepts.
Springer, 1992.
10
