Formal specification of a high speed CMOS correlator by Windley, P. J.
3rd NASA Symposium on VLSI Design 1991 10.1.1
Formal Specification of a
High Speed CMOS Correlator
P. J. Windley
Department of Computer Science
University of Idaho
Moscow, ID 83843
208.885.6501
Abstract: The formal specification of a high speed CMOS correlator is presented.
The specification gives the high-level behavior of the correlator and provides
a clear, unambiguous description of the high-level architecture of the device.
1 Introduction.
The use of formal specification in designing VLSI circuits has many benefits. Perhaps
the most important result is a clear description of the design's behavior that can be used
for communication among design engineers, production engineers, test engineers, technical
writers, and, perhaps most importantly, customers. Formal specifications also provide a
firm foundation upon which analysis of the circuit design can take place. This analysis
has the potential to significantly reduce design errors as well as providing a basis for
demonstrating that the design has desired properties.
This paper presents the formal specification of a high-speed CMOS correlator [2]. The
correlator, which is designed to be used in a space-born spectrometer, contains 32 channels
and is capable of sampling at 25MHz.
2 Formal Specification and Verification.
VLSI devices can be specified at many levels of abstraction [8]. Generally, we need at least
a behavioral and a structural specification [4]. The behavioral specification is written in
logic and unambiguously describes the expected behavior of the device. The behavioral
specification is declarative rather than imperative, giving a clear relationship between the
inputs, current state, and outputs.
The structural specification describes, again using logic, how the circuit is put to-
gether. Ideally, the structural specification can be derived from design information cap-
tured by conventional CAD tools or translated from a hardware description language such
as VHDL [6].
Verification is nothing more than a mathematical analysis of the behavioral and struc-
tural models. Ideally, we would like to show that the intended behavior follows from the
structure. This analysis, which is a type of symbolic simulation, can be done by hand or
with the aid of mechanical verification tools [5]. These mathematical models can also be
used to analytically demonstrate selected behavioral properties for a computer system.
https://ntrs.nasa.gov/search.jsp?R=19940013898 2020-06-16T18:06:31+00:00Z
10-.1.2
3 A Brief introduction to HOL.
To formally modei hardware and to ensure the accuracy of our proofs, we felt that it
wag necessary to develop the proofs and properties using a mechanical verification system.
T_his prevents proofs from containing - logical mistakes, and assures that the foundations
on which the work is b_sed are sound. Due to the nature of the proofs, which include
q_anfiflcation over sets of objects, we felt that a system which supports higher-order logic
and a typed lambda calculus would facilitate our efforts. The HOL system was selected for
this project due to its support for higher-order logic, generic specifications and polymorphic
_ype c0nstructs. ]_¢Urthermore its-ava_ab_ty, ruggec[ness, ioca[ support, and a growing
world-wide user base made it a very attractive selection. In this section we will provide a
brief description of HOL.
HOL is a general theore m pr0ving "system developed at the Um_'versity Of Cambridge
[5:t] that is based on Church's theory of simple types, or higher-order logic [3]. Although
Church developed higher-order logic as a foundation for mathematics, it can be used for
reasoning about computational-systems o1¢all kinds. Similar to predicate logic in allowing
quantification over variables, higher-order logic also allows quantification over predicates
and functions thus permitting more general systems to be described.
HOL is not a fully automated theorem prover but is more than simply a proof checker,
falling somewhere between these two extremes. HOL has several features that contribute
to its use _s _ verification environment:
.
.
.
Several built-in theories, including booleans, individuals, numbers, products, sums,
lists, and trees. These theories build on the five axioms that form the basis of higher-
order logic to derive a large number of theorems that follow from them.
Rules of inference for higher-order logic. These rules contain not only the eight basic
rules of inference from higher-order logic, but also a large body of derived inference
rules that allow proofs to proceed using larger steps. The HOL system has rules that
implement the standard introduction and elimination rules for Predicate Calculus as
well as specialized rules for rewriting terms.
A large collection of tactics to support goal directed proof. Examples of tactics
include Rv.WRITE_'rAc which rewrites a goal according to some previously proven the-
orem or deflnition, 0V.ILTAC which removes unnecessary univerS_y quanti-fled vari-
ables from the front of a goal, and IgQ_TAC which says that to show two things are
equivalent, we should show that they imply each other.
A proof management system that keeps track of the state of an interactive proof
s_sslon.
o A metaianguage, ML, for programming and extending the theorem prover. Using
the metalanguage, tactics can be put together to form more powerful tactics, new
tactics can be written, and theorems can be aggregated to form new theories for later
use. The metalanguage makes the verification system extremely flexible.
3rd NASA Symposium on VLSI Design 1991 10.1.3
Operator
P
A
V
=:_
AppIication
tl = t2
tl,t2
tl A t2
tl V t2
tl _ t2
Meaning
tl equals t2
the pair tl and t2
tl and t2
tl or t2
t 1 implies t 2
Table 1: HOL Infix Operators
Binder
V
3
g
Application
Vx. t
3x. t
¢ x. t
Meaning
for all x,t
there exists an x such that t
choose an x such that t is true
Table 2: HOL Binders
In the HOL system there are several predefined constants which can belong to two
special syntactic classes. Constants of arity 2 can be declared to be infix. Infix operators
are written "randl op rand2" instead of in the usual prefix form: "op rand1 rand2".
Table 1 shows several of HOL's built-in infix operators.
Constants can also belong another special class called binders. A familiar example of
a binder is V. If c is a binder, then the term "c x.t" (where x is a variable) is written as
shorthand for the term "c(_ x. t)". Table 2 shows several of HOL's built-in binders.
In addition to the infix constants and binders, HOL has a conditional statement that
is written a -* b [ c, meaning "if a, then b, else c."
4 The Correlator Design.
The correlator is designed for a space borne spectrometer. The design accepts two 2-
bit data streams clocked at a maximum of 25MHz. Delayed versions of one stream are
multiplied (using a biased multiplication) with the undelayed signal on the other stream.
The products are accumulated. The process continues for the duration of the integration
cycle which is defined by the int control line. When the end of an integration period
is signaled, the results are latched into a register, the accumulators are cleared, and the
datardy line goes high to signal that data is ready to be read from the chip. A new
integration cycle can begin immediately. Concurrent with the new integration period, the
data from the previous integration period can be read on the output lines. Data is read in
either a word serial or byte serial mode depending on the value of a control line.
Readers interested in additional detail are referred to [2].
5 The Correlator Specification.
This section presents the behavioral specification of the correlator.
I0.I.4
A B rn int
Interpreter
rn byte
IO
Figure 1: Architecture of the correlator shows the producer--
consumer relationship between the INT interpreter and the
tO interpreter.
The overall architecture of the behavioral description is shown in Figure 1. The archi-
tecture is based on two separate state machines which, along with the datapath, function
as single instruction interpreters [7]. The interpreters are arranged in a producer-consumer
architecture with a register serving as the shared link between the two interpreters.
The producer portion of the design is the INT interpreter. INT performs the integra-
tion of the incoming signals in 32 channels. The interpreter controls the following state
variables:
• acc--A bank of 32, 4-bit accumulators.
• dolay--A bank of 32, 2-bit delay elements.
• sr--A bank of 32, 24-bit shift registers.
• count--A bank of 32, 24-bit counters.
Each of these state variablesisparamcterized for time and channel number and has type
:time--4num---_w,where w varieswith registerwidth.
The specificationfor INT relatesthe state variablesat time g + 1 to the their value at
time t and the value of the inputs at time t.
Fdt] _tegrate_int (acc, delay, st, count, datardy)
(a, b, int, rn) =
Vt.
let nextstato = ((int t) -_ integrate I dump) : (
(acc (t+l), delay (t+i), Jr (t+l), count (t+l), datardy (t+l)) =
nextstate (ace t, delay t, sr t, count t, datardy t)
Ca t, b t, int t, x'n t))
3rd NASA Symposium on VLS[ Design 1991 10.1.5
The function nextstate evaluates to either integrate or dump depending on the value of
the int line.
The individual instructions produce new values for the state variables. In the case
of the integrate instruction new values are calculated for the ace, delay, and count
Variables. The shift register (sr) is unchanged.
b-d,! integrate (ace. delay, st, count, datardy)
(a, b, int, rn) =
let lignal_product n = mapper (delay n) b in (
let new_ace n -----
rn --_ (bt4 ival O) [
(add4 (signal_product n. accn)) in
let nee_delay n = (n=O) -_ a ] (delay (n--l)) in
let nee_count n =
_ (wordn o) I
(c_ry4 (si_al_product n, acc n)) _ inc (count n) [
(count n) in
(new_acc, new_delay, st, new_count, datardy)
The new values are precisely described. For example, the new value of the n th accumulator
is calculated by adding a biased multipfication of the n-delayed signal and the undelayed
signal to the current value in the same accumulator.
The consumer portion of the circuit is the I0 interpreter. The interpreter controls the
following state variables:
• sr--A bank of 32, 24-bit shift registers. This is the same register as the sr register
in the INT interpreter.
t
• ¢ounter--A 7-bit counter for counting the output.
• out--A 16-bit register that latches the values on the output lines.
• borw--A state variable that indicates whether output is byte or work serial.
The specification for the I0 interpreter is similar to the specification of the INT inter-
preter. The I0 interpreter has six instructions. The interpreter can be reset, it can start
the read cycle, it can end the read cycle, it can dump data from the output registers a
byte at a time, it can dump data a word at a time, or it can do nothing.
!0.1.6
O-dr! io_:J_t (s_, countor, out, bore, datardy, bog£n)
(byte, rn, outck) =
Vt .
let nextstate :
((rn t)
((datardy t) ^
((datardy t) ^
((datardy t) A
((datacrdy t) A
Tosot I
bogin -_ start_road [
((val (counter t)) = 0)) --* ond_road j
(borv t) A (outck t) --_ dump_byte [
_(bore t) A (outck t) -_ dump_word J
noop ) in (
(st (t+l), counter (t+l), out (t+l), bore (t+l), datardy (t+l)) =
nextstate (st t, counter t, out t, bore t, datardy t, begin t)
(byte t, rn t, outck t))
The operation of 10 is more complicated that the operation of INT. Whenever the reset
llne is raised, the state is reset as described in the specificationof the reset operation.
When the datardy line goes high, the interpreterbegins a read cycle. When the outck
lineisraised and the datardy lineishigh, wc dump eitherbytes or words depending on the
value of the borw line. There is a counter so that the correct number of bytes and words
are dumped. When the counter reaches 0 we end the read cycle (by pulling the datardy
linelow). Otherwise, wc do nothing. I
As an example of the instructionsin I0, consider the dump_word instruction.
_dd dump_eord (st, counter, out, borv, datardy, begin)
(byte, rn, outck) :
lot nee_counter : (dec counter) in
let i = (val counter) in
lot now_out : short (mr i) in
(st, nee_counter, nov_out, bore, datardy, begin)
The instruction updates the counter by decrementing the old value. The value on the
output is determined by 16 most significantbits from the ith shiftregister,where i is the
value of the counter.
The most interestingfeature of the specificationof INT and 10 isthat they share state.
For example, both specify changes to sr, the variable representing the shiftregister.INT
produces a value that is placed in sr by its dump instruction. I0 uses that value when
asked to present the resultsof the integration on the output lines.
Both interpreters also specify changes to datardy, the variable representing whether
or not data is ready to bc output. INT sets datardy when ithas dumped the contents of
the the counter into the shiftregister.10 resets datardy when it is done outputting the
data.
Readers of this specification who are familiar with the design may be surprised to find
that some details in the circuit are not found in the specification. For instance, after the
end of the integration period ends, there is an 8 cycle delay before data can be read from
tNote that count in INT and counter in I0 are two different state variables.
3rd NASA Symposium on VLSI Design 1991 10.1.7
the chip (i.e.datardy goes high). In the specificationshown above datardy goes high the
time period afterthe ±nt lineispulled high. This isan example of the temporal abstraction
going on between the circuitlevelsof the specificationand the behavioral specifications
given here.
6 The Top-Level Specification
The final specification combines the specifications of the two interpreters and operates
them in parallel.
_de] corr_top rep (acc, delay, st, count, datardy,
beg£n, counter, out, borw)
(byte_e, rn, outck, a, b, int) =
((integrate_in_ rep (ace, delay, sr, count, datardy)
(a, b, int, rn)) A
(io_int rep (st, counter, out, borw, da_ardy, begin)
(byte_e, rn, outck)))
The specification does not explicitly answer questions regarding the shared use of the
sr and datardy lines. For example, do INT and It] correctly coordinate the writing and
reading of sr correctly? This and other important questions regarding the operation of
the correlator can be answered by analysis of the specification.
7 Conclusion.
This paper has presented the behavioral specification for a VLSI correlator design. Previ-
ous to this specification being written, the design was described in design documents and
papers such as [2]. These descriptions were necessarily ambiguous since they were written
in English. Deriving the specification by reading the design documents and talking to the
design engineer provides an interesting perspective on the design process. The behavioral
specification of the correlator documents the design and is useful for enhancing communi-
cation between designers, customers, and users by unambiguously describing the function
of the device.
The specification presented in this paper is a snapshot of the design. A specification is
constantly subject to revisionto bring itup to date with current expectation and to correct
errors that are part of any written description. Future work willextend the specification
in two ways:
• We intend to show that the specification meets certain requirements for correct op-
eration. For example, the analysis will make explicit the synchronization conditions
that must exist between the two interpreters for the chip to function correctly and
show that they are met.
10.1.8
• We will specify the structural level by deriving it from the design information cap-
tured in the HDL description of the circuit. We intend to show that this structural
specification implies the architecture we have described above.
Acknowledgments
This work was sponsored by NASA under Space Engineering Research Center grant NAGW-
1406. i _ .... :_ :
References
[1]
[2]
Albert CamiUeri, Mike Gordon, and Tom Melham. Hardware verification using higher
order logic. In D. Borrione, editor, From HD£ Descriptions to Guaranteed Correct
Circuit Designs. Elsevier S.cientific Publishers, 1987.
J. Canaris and S. Whitaker. A high speed CMOS correlator. In NASA Space Engi.
neering Research Center Symposium on VLSI Design, pages 3.3.1-3.3.11, November
1990.
[3]
[4]
[5]
[6]
[7]
[s]
Alonzo Church.
Logic, 5, 1940.
A formulation of the simple theory of types. Journal of Symbolic
Michael S.C. Gordon. Why higher-order logic is a good formalism for specifying and
verifying hardware. In G. J. Mi!ne and P. A. Subrahmanyam, editors, Formal Aspects
of VLSI Design, pages 153-177. Elsevier Scientific Publishers, 1986.
Michael S.C. Gordon. HOL: A proof generating system for higher-order logic. In
G. Birtwhist!e and P.A Subrahmanyam, editors, VLSI Specification, Verification, and
Synthesis. Kluwer Academic Press, 1988.
IEEE Std 1076-1987. IEEE Standard VHDL Language Reference Manual, 1987.
PhiUip J. Windley. The Formal Verification of Generic Interpreters. PhD thesis,
University of California, Davis, Division of Computer Science, June 1990.
Phillip J. Windley. A hierarchical methodology for the verification of micropro-
grammed microprocessors. In Proceedings of the IEEE Symposium on Security and
Privacy, May 1990.
