Mapping statecharts to Verilog for hardware/software co-specification. by Qin, S. & Chin, W. N.
Durham Research Online
Deposited in DRO:
10 December 2009
Version of attached file:
Accepted Version
Peer-review status of attached file:
Peer-reviewed
Citation for published item:
Qin, S. and Chin, W. N. (2003) ’Mapping statecharts to Verilog for hardware/software co-specification.’, in
FME 2003 : formal methods : International Symposium of Formal Methods Europe, 8-14 September 2003,
Pisa, Italy: proceedings. Berlin: Springer , pp. 282-299. Lecture notes in computer science. (2805).
Further information on publisher’s website:
http://dx.doi.org/10.1007/b13229
Publisher’s copyright statement:
The original publication is available at www.springerlink.com
Additional information:
Use policy
The full-text may be used and/or reproduced, and given to third parties in any format or medium, without prior permission or charge, for
personal research or study, educational, or not-for-profit purposes provided that:
• a full bibliographic reference is made to the original source
• a link is made to the metadata record in DRO
• the full-text is not changed in any way
The full-text must not be sold in any format or medium without the formal permission of the copyright holders.
Please consult the full DRO policy for further details.
Durham University Library, Stockton Road, Durham DH1 3LY, United Kingdom
Tel : +44 (0)191 334 3042 — Fax : +44 (0)191 334 2971
http://dro.dur.ac.uk
  
Durham Research Online 
 
Deposited in DRO: 
10 December 2009 
 
Peer-review status: 
Peer-reviewed 
 
Publication status: 
Accepted for publication version 
 
Citation for published item: 
Qin, S. and Chin, W. N. (2003) 'Mapping statecharts to Verilog for hardware/software co-
specification.', in FME 2003 : formal methods : International Symposium of Formal Methods 
Europe, Pisa, Italy, September 8-14, 2003 : proceedings. Berlin: Springer , pp. 282-299. 
Lecture notes in computer science. (2805). 
 
Further information on publishers website: 
http://dx.doi.org/10.1007/b13229 
 
Publishers copyright statement: 
The original publication is available at www.springerlink.com 
 
 
 
 
 
 
 
 
 
 
 
Use policy 
 
The full-text may be used and/or reproduced, and given to third parties in any format or medium, without prior 
permission or charge, for personal research or study, educational, or not-for-profit purposes provided that : 
 
 a full bibliographic reference is made to the original source 
 a link is made to the metadata record in DRO 
 the full-text is not changed in any way 
 
The full-text must not be sold in any format or medium without the formal permission of the copyright holders. 
 
Please consult the full DRO policy for further details. 
 
Durham University Library, Stockton Road, Durham DH1 3LY, United Kingdom 
Tel : +44 (0)191 334 2975 | Fax : +44 (0)191 334 2971 
http://dro.dur.ac.uk 
Mapping Statecharts to Verilog for Hardware/Software
Co-Specification
Shengchao Qin and Wei-Ngan Chin
Singapore-MIT Alliance, National University of Singapore
School of Computing, National University of Singapore
qinsc,chinwn @comp.nus.edu.sg
Abstract. Hardware-Software co-specification is a critical phase in co-design.
Our co-specification process starts with a high level graphical description in Stat-
echarts and ends with an equivalent parallel composition of hardware and soft-
ware descriptions in Verilog. In this paper, we investigate the Statecharts formal-
ism by providing it a formal syntax and a compositional operational semantics.
After that, we design a semantics-preserving mapping function to transform a
Statecharts description into Verilog specification. We can combine this mapping
with our previous formal partitioning process so as to form a more complete and
automated co-specification process.
Keywords: Statecharts, Verilog, operational semantics, homomorphism
1 Introduction
The design of a complex control system is ideally decomposed into a progression of
related phases. It starts with an investigation of properties and behaviours of the pro-
cess evolving within its environment, and an analysis of the requirement for its safety
performance. From these is derived a specification of the electronic or program-centred
components of the system. The process then may go through a series of design phases,
ending in a program expressed in a high level language. After translation into a machine
code of a chosen computer, it can be executed at a high speed by electronic circuity. In
order to achieve time performance required by the customer, additional application-
specific hardware devices may be needed to embed the computer into the system which
it controls.
Classical circuit design methods resemble the low level machine language program-
ming methods. These methods may be adequate for small circuit design, but not ade-
quate for circuits that perform complicated algorithms. Industry interests in the for-
mal verification of embedded systems are gaining ground since an error in a widely
used hardware device can have adverse effect on profits of the enterprise concerned. A
method with great potential is to develop a useful collection of proven equations and
other theorems, to calculate, manipulate and transform a specification formulae to the
product.
Hardware/software co-design is a design technique which delivers computer sys-
tems comprising hardware and software components. A critical phase of the co-design
process is the hardware/software co-specification, which starts from a high level sys-
tem specification and ends with a pair of sub-specifications representing resp. hardware
and software. Our previous work ([17]) proposes a formal partitioning algorithm which
splits a Verilog source program into hardware and software specifications. The parti-
tioning correctness is verified using algebraic laws developed for the Verilog hardware
description language. This algebraic approach has also been demonstrated in our earlier
work [15, 16]. One of advantages of this approach is that it ensures the correctness of
the partitioning process. Moreover, it optimises the underlying target architecture, and
facilitates the reuse of hardware devices.
In this paper, we bridge the gap between the high level specification in Statecharts
and the Verilog source program by defining a mapping function between the two for-
malisms. Through this work, the overall co-specification process can be automated, as
illustrated in Fig.1. Two key contributions of the present paper are:
– we propose a formal operational semantics for a subset of Statecharts with data
states, which adopts an asynchronous model and supports true concurrency;
– we define a formal mapping function which transforms a Statechart specification
into a Verilog program. We show that the target program after mapping preserves
the semantics of the source specification.
S t a t e c h a r t s   S p e c i f i c a t i o n 
M a p p i n g 
V E R I L O G  R a w  S p e c i f i c a t i o n 
A l g e b r a i c  T r a n s f o r m a t i o n 
R e f i n e d  V E R I L O G  S p e c i f i c a t i o n 
H a r d w a r e - S o f t w a r e  P a r t i t i o n i n g 
S o f t w a r e  S p e c i f i c a t i o n H a r d w a r e  S p e c i f i c a t i o n 
H a r d w a r e - S o f t w a r e  C o - S y n t h e s i s 
P e r f o r m a n c e   E s t i m a t i o n  &    S i m u l a t i o n 
F o r m a l 
P a r t i t i o n i n g 
R u l e s 
Fig. 1. HW-SW Co-Specification
The mapping process can be integrated with our previous formal partitioning al-
gorithm so as to form an automated hardware-software co-specification process for
hardware-software co-design, as summarised in Fig.1. The remainder of this paper is or-
ganised as follows. Section 2 first gives a formal (text-based) syntax for Statecharts with
data states and proposes a compositional operational semantics for it afterwards. Sec-
tion 3 introduces a subset of Verilog for behaviourial specification. We build a mapping
function from Statecharts into Verilog and prove that it is a homomorphism between
the two formalisms in Section 4. Related works together with a simple discussion and
conclusion follow afterwards.
2 Operational Semantics for Statecharts
The graphical language of Statecharts as proposed by David Harel ([4]) is suitable for
the specification and modeling of reactive systems. While the (graphical) syntax of the
language has been formulated quite early, the definition of its formal semantics proved
to be more difficult than originally expected. As discussed in [14], these difficulties
may be explained as resulting from several requirements that seem to be desirable in a
specification language for reactive systems, but yet conflict with one another in some
interpretations. This may be why there exist more than twenty variants of Statecharts
([21]), each of which can be regarded as a subset of the originally expected language.
The version discussed in [6] for STATEMATE is rather large and powerful; however,
their operational semantics is neither formal nor compositional. The work presented
in [11] provides a compositional semantics for Statecharts, but does not contain data
states. Hooman et.al ([9]) proposes a denotational semantics based on histories of com-
putation. Following this line, [20] attempts to link the denotational semantics of State-
charts with temporal logic, so as to support formal verification. All these works adopt
a synchronous model of time, which is simpler to understand and formalise, but less
powerful than the asynchronous model.
Our version of Statecharts involves data items. The model we adopt is the asyn-
chronous model, which is more powerful for specifying and modeling complex systems.
Our formal operational semantics comprises the following features.
– It is compositional, which implies that inter-level transitions and state references
have been dropped. The history mechanism has also been ignored.
– It adopts an asynchronous time model, in which a macro-step (comprising a se-
quence of micro-steps) occurs instantaneously. This model supports perfect syn-
chrony hypothesis and also supports state refinement in top-down design.
– It reflects the causality of events.
– To be more intuitive, our semantics obeys local consistency, rather than global
consistency. That is, the absence of an event may lead to itself directly or indirectly
in the same macro-step.
– Instantaneous states are allowed, but each state cannot be entered twice or more at
the same instant of time. 1
1 For simplicity, this checking is omitted in our semantics. We can include it by keeping records
of the states that are passed so far in the current macro-step and prevent a former state from
being re-entered in each macro-step.
– It covers the data-state issues of Statecharts, allowing assignments in state transi-
tions.
– It supports true concurrency.
In this paper, timeout events are not included and this aspect is left as future work.
In what follows we give a formal syntax for Statecharts, and afterwards investigate
its operational semantics thoroughly.
2.1 A Formal Syntax of Statecharts
Quoting from [5], state charts = finite-state diagrams + depth + orthogonality + broad-
cast communication. This equation indicates the typical features of the Statecharts for-
malism:
– It is an extension of conventional finite state machines (Mealy machine).
– It provides natural notion of depth. A state can either be a basic one, or of a hierar-
chical structure, inside which some other states are treated as its substates.
– It supports the modeling of concurrency. A state may contain several states as its
concurrent components. This feature also helps to avoid state explosion.
– It provides the broadcast communication mechanism. Unlike CSP or CCS, its out-
put events are asynchronous, and can be broadcast to any receiver without waiting.
However, its input events are synchronous, and are blocked until the arrival of the
corresponding output events. Such a communication mechanism is similar to Ver-
ilog.
In order to formalise the syntax of Statecharts, we introduce the following notations.
: a set of names used to denote Statecharts which is large enough to prevent name
conflicts.
: the set of all abstract events (signals). We also introduce another set to
denote the set of negated counterparts of events in , i.e. ,
where denotes the negated counterpart of event , and we assume .
: the set of all assignment actions of the form exp.
Var Val is the valuation function for variables, where Var is the set of all
variables, Val is the set of all possible values for variables. A snapshot for variables is
.
: the set of transitions, which is a subset of ,
where is the set of boolean expressions.
Similar to [12, 11], we give a term-based syntax for Statecharts. The set SC of
Statecharts terms is constructed by the following inductively defined functions.
Basic SC
Basic
Or SC SC SC
Or
And SC SC
And
Some informal explanations follow:
– Basic denotes a basic statechart named .
– Or represents an Or-statechart with a set of substates
, where is the default substate, is the active substate, is com-
posed of all possible transitions among immediate substates of .
– And is an And-statechart named , which contains a set of orthog-
onal (concurrent) substates .
2.2 Operational Transition Rules
The configuration of computation is defined by a triple , where
– is the syntax of the statechart of interest.
– gives the snapshot of data items.
– denotes the current environment of active events.
The behaviour of a statechart is composed of a sequence of macro-steps, each of
which comprises a sequence of micro-steps. A statechart may react to any stimulus
from the environment at the beginning of each macro-step by performing some enabled
transitions and generating some events. This may fire other state transitions and lead
to a chain of micro-steps without advancing time. During this chain of micro-steps, the
statechart does not respond to any potential external stimulus. When no more internal
transitions are enabled, the clock tick transition will occur by emptying the set of active
events and advancing time by one unit.
We explore a set of transition rules comprising state transitions and time advance
transitions.
At any circumstance, what a basic statechart can do is to advance time by a clock
tick.
1.
If a transition between two immediate substates of an Or-statechart is enabled and the
transition condition is true in current circumstance, it can be performed.
2. En
tgt trig a
where
src and tgt denote, respectively, the source and target state of transition .
a represents all events generated by transition , whereas a denotes
a single assignment action generated by . No loss of general results since a
sequence of instantaneous assignment statements can be transformed into a single one.
This changes the data state from to .
En comprises all transitions among substates of being enabled by events in
. It can be generated by the following definition.
En iff
src trig trig
where trig and trig represent respectively the positive events and the negated
events from .
The function changes the active substate of into its default substate, and
the same change is applied to its new active substate.
The substitution for an Or-statechart is defined
by
Discussion: in rule 2, those events that are used to trigger are consumed by and
will no longer exist. This mechanism looks intuitive and reasonable and can help to
prevent incorrect looping. Consider an example given in Fig. 2 (a). When the first event
from the environment comes, the transition is performed and the active substate
is migrated from to . This will not move back to until next event occurs,
as under normal expectation. Earlier work ([14]) suggests a different treatment, where
active events are kept active during all micro-steps in a macro-step, where they may be
reused many times.
1p 2p/{}e
/{}e
p
eba /},{3o fcb /},{4o
ge /
5o3p
4p
5p
6p
7p
)(a )(b
1q 2q
1o
2o
q
Fig. 2. Example Statecharts (a) and (b)
The transitions in Statecharts are considered hierarchically. If no transitions among
immediate substates of an Or-statechart are enabled, an enabled (inner) transition for the
active substate may be performed instead. This consideration is carried out inductively
as highlighted in rule 3.
3.
En
trig a
If no transition is enabled for an OR-statechart, time advances, as shown below.
4. En
The premise indicates that no transitions in can be triggered by . The set of transi-
tions that are enabled at multiple levels is defined as follows.
En for any basic state
En En En
En En
For a parallel statechart, variables are shared by all orthogonal components. How-
ever, each variable can only be modified by one component. We use WVar to denote
the set of variables that can be modified by a statechart .
It is natural and intuitive to accept that several transitions allocated in orthogonal
components may be fired simultaneously. This implies that they can be performed in a
truly concurrent way. However, we have to write the transition rule for parallel state-
charts carefully. Let us look at the statechart in Fig. 2 (b). Suppose the external stimulus
is , which will fire both and at the same moment. Under rule 2, per-
forming either of them will prevent another from happening since the common event is
consumed by the performed transition. This contradicts the above intuitive explanation.
We propose a more reasonable way in which simultaneously enabled transitions are
allowed to occur concurrently within And-charts. In the following rule, we suppose
is a permutation of .
5.
all are constructed byBasic orOr
for all
En for all
WVar WVar for all where
trig a
In this rule, the overall transition that the And-chart performs involves several simul-
taneously enabled transitions which are performed respectively by
components . Other components ( ) are not involved in
this transition.
A time advance transition will take place if all orthogonal components agree to do
so.
6. En
3 Verilog and Its Operational Semantics
Hardware description languages (HDLs) are widely used to express designs at various
levels of abstraction in modern hardware design. A HDL typically contains a high level
subset for behaviour description, with the usual programming constructs such as assign-
ments, conditionals, guarded choices and iterations. It also has appropriate extensions
for real-time, concurrency and data structures for modeling hardware. VHDL and Ver-
ilog ([10]) are two contemporary HDLs that have been widely used for years. Although
the formal semantics of VHDL has been studied quite thoroughly, that of Verilog has
been ignored until recently ([3, 7, 8, 22, 23]). However, it is reported that Verilog has
been more widely used in industry (especially in US)([3]).
What we shall use is a simple version of Verilog with some notational extension (as
discussed in [7]) which contains the following categories of syntactic elements.
1. A Verilog program can be a sequential process or a parallel program made up of a set
of sequential processes.
2. A sequential process in Verilog can be any of the following forms.
(primitive command) (sequential composition)
(conditional) (iteration)
(guarded choice) (recursion)
where is a boolean condition, and
skip sink (output event) (assignment)
(assignment guard)
(time delay) (event control)
(value rising) (value falling) (a set of abstract events)
Although Verilog has been standardised ([10]) and widely used in industry, its pre-
cise semantics is still lacking. Some recent work ([7, 8, 22, 23]) attempted to address
its formal semantics issues from different points of views. The most recent work ([7])
discussed these distinct views, especially the algebraic and operational semantics for
Verilog, and explored the underlying links between them.
The subset of Verilog we adopt is quite similar to that proposed by He ([7]). How-
ever, there are some different treatments between our version and He’s version. We
include explicitly the possible context environment of active events in our configura-
tion, and change the operational rules for the parallel constructs. This facilitates our
semantic mapping from Statecharts into Verilog, and does not change the observable
behaviour of a program.
In our operational semantics of Verilog, transitions are of the form . The
configuration describes the state of an executing mechanism of Verilog programs
together with the environment of active events before an action , whereas describes
that immediately after. They are identified as triples , where
– is a program text, representing the rest of the program that remains to be exe-
cuted.
– Var Val records the data state.
– is the current set of active events.
A label denotes a transition from state to . It can be a clock tick event ,
or a compositional event possibly with three conjunctive parts: representing
the enabling condition, the set of events consumed, and the set of events generated,
respectively.
Now we present a critical subset of transition rules which are relevant to our trans-
formation from Statecharts into Verilog.
The primitive sink can do nothing but advance time by a clock tick.
sink sink
The guarded choice construct
can take a guarded transition if that guard is enabled.
for some
where indicates that the input guard is enabled by . This is defined as:
Also, extracts all “positive” events from the input guard (to be consumed when
enabling the guard), i.e.,
and records the set of events generated by the output guard . Given an output
guard , the generated events are
if
if
otherwise
If no guard is enabled, the clock tick can be performed.
where is the same as if no time delay guards ( ) appear in . Otherwise, it is
the guarded choice obtained from by eliminating all time delay guards.
A parallel construct of guarded choices is of the form where
This can be transformed into a guarded choice construct by algebraic laws ([7]). Here,
we give the transition rules for the parallel construct directly. It can perform a (composi-
tional) guarded transition if some threads agree, where denotes a permutation
of .
where , and
If no threads can take a guarded transition, then the clock tick event can take place,
as follows:
Note that is the same as if no time delay guards ( ) appear in . Otherwise, it
is the guarded choice obtained from by eliminating all time delay guards.
A sink thread does not block the behaviour of its partners.
sink sink
4 Mapping Statecharts into Verilog
In this section, we build a link between Statecharts and Verilog, by which a Statecharts
description can be mapped to its corresponding Verilog program. We show such a map-
ping preserves the semantics and can be conducted in a compositional manner.
4.1 Mapping Function
Before constructing the mapping function called , we address some subtle issues and
introduce some notations. There exist two features which complicate the definition of
on an Or-chart, one is the hierarchical feature of Statecharts and the priority of tran-
sitions, whereas the other lies in that an And-chart can be a sub-chart of an Or-chart.
This feature differentiates Statecharts from conventional programming languages. The
former indicates that transitions in an outer level (rule 2) has higher priority than those
in an inner level (rule 3). The possible transitions are considered hierarchically, starting
from the current active state, and progressing into inner active substates where appli-
cable. By enumerating these transitions in accordance with the hierarchy, we can cope
with the different priorities for transitions occurring in distinct levels.
To deal with the above features, we prepare the following formal notations. We first
give a function or-depth SC to calculate the “or-depth” of a statechart, which is
defined as follows:
– for a statechart constructed by Basic, or-depth ;
– for a statechart constructed by Or,
or-depth or-depth ;
– for a statechart constructed by And, or-depth .
The or-depth of an Or-chart just records the deepness of the path transitively along
its active Or-substates. We stop going further once an And-state is encountered. The
or-depth of an And-chart is simply 1.
Secondly, we extend some notations from Or-charts to And-charts. As already
known, for an Or-chart , active denotes its current
active substate; for any transition , src and tgt respectively represent its
source and target state. Given a parallel statechart , where all
are Or-charts, we define its current active state as a vector of the active states of these
constituents, i.e., active active active . We use to denote
all possible (perhaps compositional) transitions of the And-chart . Given a transition
, where , for , and is
a permutation of , we define its source state and target state respectively as
follows:2
src , where src , for , and
active , for ;
tgt , where tgt , for , and
active , for .
Thirdly, we need to know the resulting statechart after a transition is taken. When
a transition occurs, any involved statechart can have changes in its (transitive) active
substates. We use a function
resc SC SC
to return the modified statechart after performing a transition in a statechart. It is defined
inductively with regard to the type of the statechart.
– for a Basic-chart , and any transition , resc ;
– for an Or-chart , and a transition ,
resc
tgt if src
resc if
otherwise
– for an And-chart , and a transition ,
resc ifotherwise
where is the statechart obtained from via replacing
by , for , resc , for , and , for
.
2 For an Or-chart , contains all possible transitions inside
along its transitive active substate chain, i.e., src .
With the help of , we define the aforementioned possible transition set for an
And-chart formally as
, where . The transition set for
the general And-chart with components can be defined similarly.
The definition of is split into three cases in accordance with the type of the source
statechart.
Definition 1 (Mapping function ). The function
SC Verilog
maps any statechart description into a corresponding Verilog process. It keeps un-
changed the set of variables employed by the source description, i.e.,
SC vars vars
and it is inductively defined as follows.
– For a statechart constructed by Basic, maps it into an idle program sink
which can do nothing but let time advance, i.e.,
sink
– For a statechart constructed by And, maps it into a
parallel construct in Verilog.
– For a statechart constructed by Or, we define by
exhaustively figuring out the first possible transitions of if any, otherwise it sinks.
sink if
otherwise
where
or-depth resc
active src active
active src active
and
active active active
active active active
The input guard comprises the overall trigger events of , which has the
form , where are events from trig , whereas are events out of
trig .
Due to the priority mechanism of Statecharts, an enabled transition in an inner
level can occur only when no transitions from any outer level - are
enabled. The part is used to denote this condition.
The output guard is the overall action performed by , which has the form
, where comprises all abstract events out of a , and the
assignment action is from a .
For each statechart, we always assume each of its variables has bounded range,
and the set of possible events is finite, which implies that the set of its configurations
is finite. Therefore, the set of configurations (under transition relation) forms a well-
founded quasi order, which indicates the mapping function is terminating.
The following example deals with the transformation of statecharts in Fig. 2.
Example 1. The statechart (a) in Fig. 2 can be described as :
where
After applying the mapping function onto it, the statechart (a) becomes the fol-
lowing process
which does nothing but just waits to be fired by an event from the environment.
The statechart (b) can be described as :
where
It is mapped into the following parallel construct
sink sink sink
where the two parallel processes are mapped from and , respectively.
p 
1 p 
10 p 
11 p 
12 p 
1 / += y y f 10 <y 
0 / =y e 
3 p 
2 p 
4 p 
6 p 
5 p 7 p 
8 p 
9 p 
1 / - x x d =0 >x 
c b / /{} a 
2 t 3 t 
1 t 
4 t 5 t 
6 t 7 t 
Fig. 3. A More Complicated Statechart
Example 2. The statechart in Fig. 3 is more complicated than those in Fig. 2. It is de-
scribed by:
where
After applying onto it, we obtain the following recursive process.
where
Let us illustrate a more practical example: a simple remote controller for an air-conditioner.
o n 
F a n T e m p e r a t u r e T i m e r T e m p D i s p l a y 
T i m e r D i s p l a y 
a u t o 
h i g h 
l o w 
b f a n 
b f a n 
b f a n t e m p 
e I n c r  &   v < 2 8   /  v = v + 1 
e D e c r  &   v > 1 6   /  v = v - 1 
t c o n t 
t o f f 
t o n 
b t i m e r  /  t i m e r o n 
b t i m e r 
b t i m e r  / 
t i m e r o f f 
h I n c r  &   t < 8   /  t = t + 1 
h D e c r  &   t > 1   /  t = t - 1 
t e m p D 
v > d v    /  d v = v 
v < d v    /  d v = v 
t i D i s O f f 
t i D i s O n 
t i m e r o n t i m e r o f f 
t < d t   /  d t = t 
t > d t   / 
d t = t 
h I n c r  &   t < 8   / 
t = t + 1 
h D e c r  &   t > 1   /  t = t - 1 
Fig. 4. An Air-Conditioner Remote Controller: the on state
Example 3. Part of the specification for an air-conditioner remote controller is pre-
sented in Fig. 4. It is composed of five orthogonal components namely Fan, Temper-
ature, Timer, TempDisplay, and TimerDisplay. They will be respectively mapped to
Verilog programs pFan, pTemperature, pTimer, pTempDisplay, and pTimerDisplay.
After applying the mapping function to the statechart in Fig.4, we obtain the
following target program pon:
pon pFan pTemperature pTimer pTempDisplay pTimerDisplay
The five component programs are respectively
pFan bfan bfan bfan
pTemperature eIncreDecr
pTimer btimer timeron
where
hIncr
hDecr
btimer
hIncr
hDecr
btimer timeroff
pTempDisplay
pTimerDisplay timeron
timeroff
4.2 Correctness
The following theorem shows that the mapping function from Statecharts into Verilog
is a homomorphism between the two formalisms.
Theorem 1 (Homomorphism). Given any statechart and any of its possible transi-
tions which leads to statechart , there exists a Verilog transition for which
arrives at , such that ; on the other hand, for any Verilog transition
of leading to , there exists a Statecharts transition from to , such that
, as illustrated in Fig. 5.
C ' C 
P ' P 
t 
L L 
l 
Fig. 5. Mapping function
Proof By case analysis on the type of .
1. is constructed by Basic.
What can do is to perform the clock tick and remains as after the transition.
On the other hand, from Definition 1 we know sink, which does nothing
but performs the clock tick and remains as sink after that.
2. is constructed by Or.
In case that , it can be proved similar to the first case. Now suppose
, can (1) perform a transition active for some
in case that all transitions of outer levels (if any) are not available, which changes
the active substate of active from its source state to its target state and results
in resc ; (2) otherwise, it can take a clock tick and remain its state. From
Definition 1 of , we know that has the form . If (1) occurs, is
fired, from the semantics of Verilog, such a program can perform the corresponding
transition and become , otherwise it can perform the clock tick transition. From
the definition of , it is straightforward that resc .
The second part can be proved similarly from the definition of .
3. is constructed by And.
From Definition 1, we know
Given any possible transition , we assume , where
, without loss of generality. If can be performed at the current en-
vironment, from rule 5, we know that , for , are ready to take place
and orthogonal components other than do not have available transitions.
This implies all processes can take the transition corresponding
to respectively in the current environment, whereas others can not. From
the operational semantics of parallel construct of Verilog, a parallel transition cor-
responding to can take place and after the transition the program becomes
where
resc for
otherwise.
It exactly accords with resc . The case for a clock tick transition is trivial.
The second part is also straightforward, since any transition of the result parallel
construct in Verilog either involves several threads or a single thread. From
the definition of , we can conclude, in either case, there exists a corresponding
Statecharts transition for , which yields and holds.
The following theorem shows the soundness of the mapping function.
Theorem 2 (Soundness). The mapping function in Definition 1 transforms any Stat-
echarts specification into a Verilog program with the same observable behaviour as the
original chart.
Proof In addition to the results from Theorem 1, we need to show that, given a
statechart and its image in Verilog, any possible pair of their corresponding
steps (a statechart transition and a Verilog transition), starting from the same context
environment(the same and in the corresponding configurations), consume the same
set of events, generate the same set of events, and bring the updates of data state into
accord. These follow directly from the construction of the mapping function .
5 Discussion and Related Work
In our co-specification process, we conduct the partitioning task after a Verilog be-
haviour specification has been generated from the higher level system description in
Statecharts. We use this approach because the semantics of Verilog has been well inves-
tigated and a collection of algebraic laws ([7]) can be used as the fundamental support
of the partitioning algorithm. In contrast, most work on Statecharts’ semantics focuses
on its operational rules since it has proved to be quite difficult to present a simple de-
notational model from which algebraic laws of Statecharts can be derived. Due to this
difficulty, the partitioning problem is currently not addressed at the Statecharts level.
Although it may seem unnatural to obtain a software specification in Verilog after par-
titioning, it is still reasonable in the sense that the behaviour subset of Verilog is very
similar to C programming language and can be readily transformed into C code.
Due to the involvedness of formal semantics for Statecharts, there have been so
many related works that we can hardly discuss all here. Some of them are presented in
[6, 9, 11, 12, 14, 21]. Many of these works adopt the simpler synchronous model. The
work in [6] takes into account a very large subset of Statecharts, but the semantics
is neither compositional nor formal. In contrast, our operational semantics is formal,
compositional and supports asynchronous model.
Although it is reported that Verilog has been widely used in industry (especially
in United States) for years, its precise semantics has been ignored until recently. The
results [8, 22, 23, 7] are all based on Gordon’s interpretation on simulation cycles [3].
A simple operational semantics is given in [8]. Zhu, Bowen and He [22, 23] investigate
the consistency between Verilog’s operational and denotational semantics, while He [7]
explores a program algebra for Verilog and its connection with both operational and
denotational semantics.
Some of related works on connecting Statecharts with other formalisms are pre-
sented in [1, 2, 13, 19, 20, 18]. Beauvais et.al. [1] and Seshia et.al. [19] translate STATE-
MATE Statecharts to synchronous languages Signal and Esterel respectively, aiming to
use supporting tools provided in the target formalisms for formal verification purposes.
However, all these translations are based on the informal semantics [6] lacking correct-
ness proofs. The authors of [2, 13] transform variants of Statecharts into hierarchical
timed automata and use tools (UPPAAL, SPIN) to model check Statecharts properties.
Also, [20] based on the denotational semantics [9] aims to connect a subset of Stat-
echarts with temporal logic FNLOG for theoretically proving Statecharts’ properties.
More recently, a translation from Statecharts to B/AMN is reported in [18]. However,
no correctness issue has been addressed. In comparison, the translation from Statecharts
to Verilog in this paper aims at code generation for system design. Our mapping func-
tion is constructed based on formal semantics for both the source and target formalisms
and has been proven to be semantics-preserving.
6 Conclusion
This paper proposes a mapping function which transforms a high level specification in
visual formalism Statecharts into a behaviour description in Verilog HDL. We explore a
compositional operational semantics to Statecharts which contains many powerful fea-
tures that Statecharts owns, but proved to be difficult to be combined into a uniform for-
malism. Based on this semantics and an operational semantics for Verilog, we show our
mapping function provides as a semantic link between the two formalisms. Moreover,
we combine this transformation process with our previous formal partitioning approach
yielding a hardware/software co-specification process that can be automated. However,
the translation from Statecharts to Verilog can also be used in pure hardware design.
After translating into a behaviourial description in Verilog, existed Verilog synthesizer
can be used to obtain low level descriptions, like netlists, for direct implementation in
hardware (ASICs or FPGAs).
As an immediate future work, the obtained guarded choice specification should be
transformed into simplified behaviourial description in Verilog using algebraic laws
[7]. An implementation for this mapping from graphical descriptions in Statecharts to
Verilog specifications is also being considered.
Acknowledgement
We would like to thank Jifeng He for inspiration, thank Khoo Siau Cheng, P.S. Thiagarajan, Wang
Yi and Zhu Huibiao for useful discussions. We are also grateful to anonymous referees for many
helpful comments.
References
1. J.-R. Beauvais, et. al., “A Translation of Statecharts to Signal/DC+”, Technical Report, IRISA,
1997.
2. Alexandre David, M. Oliver Mo¨ller and Wang Yi, “Formal Verification of UML Statecharts
with Real-Time Extensions”, in the Proc. of Fundamental Approaches to Software Engineer-
ing (FASE 2002), LNCS 2306, pp. 218–232, Springer-Verlag, 2002.
3. M. Gordon, “The Semantic Challenge of Verilog HDL”, In the Proc. of Tenth Annual IEEE
Symposium on Logic in Computer Science, IEEE Computer Society Press, pp. 136–145, 1995.
4. D. Harel, “Statecharts: a Visual Formalism for Complex Systems”, Science of Computer Pro-
gramming, vol.8, no.3, pp. 231–274, 1987.
5. D. Harel, “On Visual Formalisms”, Communications of the ACM, Vol. 31, No. 5, pp. 541–530,
1988.
6. D. Harel and A. Naamad, “The STATEMATE Semantics of Statecharts”, ACM Transactions
on Software Engineering and Methodology, Vol. 5, No. 4, pp. 293–333, October, 1996.
7. J. He, “An Algebraic Approach to the VERILOG Programming”, in the Proc. of 10th An-
niversary Colloquium of the United Nations University / International Institute for Software
Technology (UNU/IIST), Springer-Verlag, 2002.
8. J. He and Q. Xu, “An Operational Semantics of a Simulator Algorithm”, in the Proc. of the
2000 International Conference on Parallel and Distributed Processing Techniques and Appli-
cations (PDPTA’2000), Las Vegas, Nevada, USA, June 26-29, 2000.
9. J.J.M. Hooman, S. Ramesh, and W.P. de Roever, “A Compositional Axiomatization of State-
charts”, Theoretical Computer Science 101, pp. 289–335, 1992.
10. IEEE Computer Society, IEEE Standard Hardware Description Language Based on the Ver-
ilog Hardware Description Language (IEEE std 1364-1995), 1995.
11. G. Luttgen, M. von der Beeck, and R. Cleaveland, “A Compositional Approach to Statecharts
Semantics”, NASA/CR-2000-210086, ICASE Report No.2000-12, March, 2000.
12. A. Maggiolo-Schettini, A. Peron, and S. Tini, “Equivalences of Statecharts”, in 7th Inter-
national Conference on Concurrency Theory (CONCUR’96), Pisa, Italy, Aug. 1996, LNCS
1119, pp.687–702, Springer-Verlag.
13. E. Mikk, Y. Lakhnech, M. Siegel and G. Holzmann, “Implementing Statecharts in
Promela/SPIN”, in the Proc. of the 2nd IEEE Workshop on Industrial-Strength Formal Speci-
fication Techniques, IEEE Computer Society, 1999.
14. A. Pnueli and M. Shalev, “What is in a Step: On the Semantics of Statecharts”, in the Proc.
of the Symposium on Theoretical Aspects of Computer Software, LNCS 526, pp. 244–264,
Springer-Verlag, Berlin.
15. S. Qin and J. He, “An Algebraic Approach to Hardware/software Partitioning”, in the Proc
of the 7th IEEE International Conference on Electronics, Circuits and Systems (ICECS’2k),
IEEE Computer Society Press, pp 273–276, Lebanon, Dec., 2000.
16. S. Qin and J. He, “Partitioning Program into Hardware and Software”, in the Proc of APSEC
2001, IEEE Computer Society Press, pp. 309–316, Macau, Dec., 2001.
17. S. Qin, J. He, Z. Qiu, and N. Zhang, “Hardware/Software Partitioning in Verilog”, in the 4th
International Conference for Formal Engineering Methods (ICFEM2002), LNCS 2495, pp.
168–179, Springer-Verlag.
18. E. Sekerinski and R. Zurob, “Translating Statecharts to B”, in B. Butler, L. Petre, and K.
Sere, eds.,Proc. of the 3rd International Conference on Integrated Formal Methods, Turku,
Finland, LNCS 2335, pp. 128–144, Springer-Verlag, 2002.
19. S. Seshia, R. Shyamasundar, A. Bhattacharjee and S. Dhodapkar, “A Translation of State-
charts to Esterel”, In J. Wing, J. Woodcock, and J. Davies, eds., FM99: World Congress on
Formal Methods, LNCS 1709, pp. 983–1007, 1999.
20. A. Sowmya and S. Ramesh, “Extending Statecharts with Temporal Logic”, IEEE Transac-
tions on Software Engineering, Vol. 24, No. 3, March, 1998.
21. M. von der Beeck, “A Comparison of Statecharts Variants”, in Formal Techniques in Real-
Time and Fault-Tolerant Systems, L. de Roever and J. Vytopil, Eds. LNCS 863, pp. 128–148,
Springer-Verlag, New York.
22. Zhu H., J. Bowen and He J., “From Operational Semantics to Denotational Semantics for
Verilog”, in the Proc. of CHARME 2001, LNCS 2144, pp. 449–464.
23. H. Zhu, J. Bowen and J. He, “Soundness, Completeness and Non-redundancy of Operational
Semantics for Verilog Based on Denotational Semantics”, in the 4th International Conference
for Formal Engineering Methods (ICFEM2002), LNCS 2495, pp. 600–612, Springer-Verlag.
