An Operational Semantics for Handel-C1
		1Handel-C is the registered trademark of Celoxica Ltd (www.celoxica.com)  by Butterfield, Andrew & Woodcock, Jim
Electronic Notes in Theoretical Computer Science 80 (2003)
URL: http://www.elsevier.nl/locate/entcs/volume80.html 16 pages
An Operational Semantics for Handel-C
Andrew Butterﬁeld 1,2
Department of Computer Science
Trinity College, University of Dublin
Ireland
Jim Woodcock 3
Computer Laboratory
University of Kent at Canterbury,
United Kingdom
Abstract
We describe an operational semantics for the hardware compilation language Handel-
C [10], which is a C-like language with channel communication and parallel con-
structs which compile down to mainly synchronously clocked hardware. The work
in this paper builds on previous work describing the semantics of priority within
Handel-C [9] and a denotational semantics for part of the language [8]. We de-
scribe a key subset of the language and show how a design decision for the real
language, namely that default guards in prialt-statement executed in “zero-time”,
has consequences for the complexity of the operational semantics. We present the
operational semantics, indicating clearly how it interfaces with the priority seman-
tics of [9]. We then describe a notion of observational equivalence, and present an
example illustrating how we handle the complexity of nested prialts in default
guards.
1 Introduction
Handel-C 4 [10] is a language originally developed by the Hardware Compila-
tion Group at Oxford University Computing Laboratory, and now marketed
by Celoxica Ltd. It is a hybrid of CSP [16] and C, designed to target hard-
ware implementations, speciﬁcally ﬁeld-programmable gate arrays (FPGAs)
[23]. The language has sequential and parallel constructs and global variable
1 Thanks to Dean of Research Fund, TCD
2 Email: Andrew.Butterfield@cs.tcd.ie
3 Email: J.C.P.Woodcock@ukc.ac.uk
4 Handel-C is the registered trademark of Celoxica Ltd (www.celoxica.com)
c©2003 Published by Elsevier Science B. V.
235
CC BY-NC-ND license.  Open access under 
Butterfield and Woodcock
assignment and channel communication. The language targets synchronous
hardware with multiple clock domains. All assignments and channel communi-
cation events take one clock cycle. All expression and conditional evaluations,
as well as priority resolutions are deemed to be instantaneous, eﬀectively being
completed before the current clock-cycle ends.
As the Handel-C language targets hardware, it is ideal for implementing
embedded systems, often in situations where high levels of assurance would
be desirable [22]. There is a clear need for both a formal semantics of Handel-
C (or a reasonable subset) as well as an appropriate methodology and tool
support. The research described here is part of a program to provide just
such an industrial-strength formal framework.
This papers describes the current state of work being done to provide
Handel-C with a formal operational semantics. We also discuss language fea-
tures which prove to be problematical from an operational semantics perspec-
tive.
2 Previous and Related Work
Early work on the formal semantics of Handel-C concentrated on a sub-
set of the language that did not contain the prialt construct. This ini-
tial exploratory work focussed on modelling the ﬂow of control in Handel-C
constructs by tracking how “execution pointers” were created, modiﬁed and
merged as parallel threads were forked, executed and terminated. This led to
a formal model of a Handel-C ﬂow-of-control “interpreter” [7].
Work then started on exploring a denotational semantics for the same
language subset, which was non-trivial as we had to deal with concurrency,
message-passing, shared variables and the synchronous clock. Eventually, re-
sults based on branching sequences of functions mapping environments to
environments were obtained [6].
At this point it became clear that prialt would have to be included. It
cannot be simulated using ordinary communication and switch statements,
and it has a number of eﬀects on the overall semantics. Priority in CSP-like
concurrent processes is very diﬃcult to treat formally [15,19,20,21]. When
occam [3] was developed, the only aspects of the language for which no formal
semantics was provided were the constructs (PRI PAR and PRI ALT) which
involved priority. One of the issues is that the asynchronous nature of CSP-
like formalism makes it very diﬃcult to establish when prialts are “coming
together”, in order for their communication requests to be resolved. How-
ever, in Handel-C, the presence of a synchronising clock makes it very easy
to establish which prialts are participating at any given moment, so prior-
ity handling amounts to a static problem of resolving priorities of a known
collection of prialts.
In the broader arena of process algebras in general, there has been con-
siderable work done on priorities [11,13,12]. In [12] there is an overview of
236
Butterfield and Woodcock
this area, but there is no close match between any of the priority schemes
described therein, and that which features in the semantics of Handel-C.
A formal description of prialt resolution without consideration of default
clauses was presented in [9]. At this stage, it had become clear that prialt
resolution could be treated orthogonally to most other semantic issues, and so
the denotational semantics was reworked slightly to make use of the prialt
semantics [8].
Other work involving formal techniques and Handel-C has been reported,
and includes the use of the Ponder policy speciﬁcation language [14] as a
basis for implementing ﬁrewalls [22], as well as techniques for performing be-
havioural transformations from Haskell programs into Handel-C implementa-
tions [1]. Beyond the scope of Handel-C, there is considerable work on using
formal techniques to develop safety-critical embedded systems, of which the
languages Esterel [5,4,24] and Lustre [18,2] are two key examples.
3 Scope of Handel-C Semantics
Given that our ﬁnal aim is a formal semantics of a real language which was
itself not formally designed, we are developing our semantic framework in a
manner that allows us to separate concerns as much as possible. In partic-
ular, we see the ﬁnal semantics of Handel-C as having four loosely coupled
components:
types Handel-C has a range of datatypes, all of which ultimately reduce down
to speciﬁcations of bit strings of ﬁxed length. The underlying type theory
is fairly straightforward.
synchronous “cores” These are regions of hardware under the control of a
single clock, and constitute the primary area of concern of this paper. Here
we present an operational semantics for the behaviour of these cores.
priority The communication constructs are provided in the form of prialt-
statements, which requires all choices between communication events to be
prioritised.
asynchronous “environment” The synchronous cores communicate with
each other and the external environment via asynchronous interfaces.
These four areas can be treated separately to a large degree, as the interfaces
between them are simple in character 5 . For example, the asynchronous in-
terfaces in Handel-C involve “bus interface” constructs, rather than channels.
This means that priority information and decision-making does not cross the
boundaries between synchronously clocked regions.
We shall present a shorthand form, in a mathematical style, of the syntax
of the Handel-C subset with which we are currently concerned. A Handel-
5 Indeed it could be argued that it is the simplicity of these interfaces that has contributed
to the success of Handel-C.
237
Butterfield and Woodcock
C program (p), as written, contains the following statements: a unit delay
(1); assignment (v := e); selection (s  [pi]); iteration (b ∗ p); sequential
composition (p1; p2); parallel composition (p1 ‖ p2); and prialt (〈gi : pi〉).
Here v denotes a variable, while e, s and b denote expressions, and g denotes
a guard, which we describe in more detail later on. We use shorthands of
the form xi to denote a sequence x1, . . . , xn of comma separated xs, where x
itself may have internal structure. So 〈gi : pi〉, for example, is shorthand for
〈g1 : p1, . . . , gn : pn〉.
We allow the use of 0 in prialts to indicate an empty continuation pro-
cess. The language is extended with the following statements not available to
programmers, namely a zero delay (0) now as a fully ﬂedged process; an or-
dered guard request statement (+〈gi〉); and a guard action statement (act(g)).
We also extend the language expression syntax to include two functions on
guard-lists: waiting (w〈gi〉) and active (a〈gi〉), as well as a function on chan-
nel identiﬁers (d(c)) returning the current value being communicated on that
channel.
e, s, b ∈ E=normal expression | w〈gi〉 | a〈gi〉 | d(c)
p ∈ P ::=1 | v := e | s  [pi] | b ∗ p | p1; p2 | p1 ‖ p2 | 〈gi : pi〉
| 0 | +〈gi〉 | act(g)
We have a mix of parallel processes and global shared variables, so Handel-
C has a restriction which states that no variable should ever be assigned to
by two diﬀerent processes during one clock cycle. It is allowable to have
diﬀerent processes write to the same variable on diﬀerent clock cycles. A
prialt-statement can be viewed as a sequence of guard-process pairs, where
the guards are either communication actions like input (c?v) or output (c!e)
or a default guard to be activated if no communication guard is active. The
default guard if present must be the last element of the sequence, and we shall
denote it by the shorthand !?.
g ∈ G ::= c?v | c!e | !?
The sequence of guards in a prialt denotes that prialt’s priority preference,
considered as relative priority — it i.e. it prefer its ﬁrst guard to its second, its
second to its third, and so on. A key restriction imposed by Handel-C is that
during any clock-cycle, all the relative priorities of all prialtsexecuting during
that cycle must be consistent with one another in that no priority cycles are
introduced when all their preferences are merged. We will eventually replace
all prialts of the form: 〈gi : pi〉 by the following equivalent program:
+〈gi〉 ; w〈gi〉 ∗ (1 ; +〈gi〉) ; a〈gi〉  [act(gi) ; pi]
This captures the notion that a prialt acts in three stages: (i) it submits a
request (+〈gi〉); (ii) it waits until it become active, re-submitting the request
on every clock cycle (w〈gi〉 ∗ (1 ; +〈gi〉)); and (iii) once waiting is over, selects
238
Butterfield and Woodcock
and executes the active guard and process (a〈gi〉  [act(gi) ; pi]). The only
uses of the request and action statements, as well as the wait, active and
channel expressions are as a result of translating prialts as just described.
4 Overview of prialt Semantics
We present here a brief overview of the prialt semantics presented in [9],
with an explanation of how it can be extended to cover default clauses, and
interfaced with the operational semantics described later on in this paper. If
a prialt-statement is starting execution during the current clock cycle, then
its guards are viewed as a prioritised sequence of requests, and if a guard (gi
for instance) is deemed to be enabled or active, then it carries out its commu-
nication action during the current clock cycle. Its continuation process (pi)
then starts execution at the beginning of the next clock cycle. If no communi-
cation guard is deemed active, and the prialt has a default guard (!?), then
the corresponding continuation process (pn) starts execution immediately, i.e.
during the current clock cycle. This immediate execution of a default guard’s
continuation process is a major reason for the complexity of the operational
semantics to be presented.
In any given clock cycle, there will be zero or more prialts commencing
execution. A guard is deemed to be potentially active if elsewhere there is
a complementary guard in some other prialt active during the same clock
cycle. The process of determining which potentially active guards, if any, are
actually active, is called Resolution. If a prialt has no active guards after
resolution, and no default guard, then it is blocked, and lies idle for the rest
of the current clock cycle. It then proceeds to resubmit its request in the next
clock cycle. This either continues until some other request elsewhere leads to
it becoming active, or runs forever if no such other request ever materialises.
Let us consider two examples, the ﬁrst straightforward, the second involv-
ing default clauses in that manner that causes most semantic diﬃculty. The
ﬁrst example has three prialts executing in parallel:
〈a!1 : 0, b!2 : 0〉 ‖ 〈c!3 : 0, d?x : 0〉 ‖ 〈e!5 : 0, b?y : 0, c?z : 0〉
The overall priorities being expressed here can be summarized as: { a, e } <
b < c < d where lesser values denote higher priorities. Only channels b and c
are potentially active, and b has higher priority, and so will be actually active.
The result is the ﬁrst and third prialts execute, transferring value 2 across
channel b to variable y. The second prialt remains blocked, waiting on either
c or d (preferring c).
The second example has two prialts in parallel, with the second having
a default clause which itself is a prialt:
〈c!7 : 0〉 ‖ 〈d!0 : 0, !? : 〈c?v : 0〉〉
239
Butterfield and Woodcock
Initially we have a situation where there are no potentially active guards, so the
ﬁrst prialt blocks, while the second immediately activates its default clause.
This introduces another prialt to the mix, and now channel c becomes active,
transferring value 7 across channel c to variable v. It is worth pointing out
that the above process is in fact equivalent to 〈c!7 : 0〉 ‖ 〈d!0 : 0, c?v : 0〉, but
that this simplifying law does not extend to arbitrary continuation processes.
This example is used later to illustrate the operational semantics at work.
In [9] resolution is viewed formally as a process (Resolve) which takes a
set of Prialt Requests, and returns a pair called a Resolution, consisting of a
Channel Map and the set of requests that have remained blocked (no active
communication guards).
Resolve : PPrialt→ (Ch m→ PPrialt)× PPrialt
The Channel Map maps active channels to the set of requests invoking that
channel which have been deemed active. A Prialt Request is simply modelled
as a sequence of guards, i.e simply as the corresponding prialt-statement
with the continuation processes stripped out. A channel is deemed poten-
tially active if it occurs in a number of prialts, in both input and output
forms. It becomes active if no other potentially active channels in its own
prialts are of higher priority. The formal semantics in [9] does not deal
with default clauses, nor elaborate on how the resolution structure interfaces
to the formal semantics of the rest of the language. Brieﬂy put, the default
clauses are simply handled by scanning the set of blocked requests for any that
have default clauses, and simply moving them into the channel map, under a
pseudo-channel called “default”. No information is lost in resolution, as given
(γ,B) = Resolve(P ) we always have that B and dom γ partition P .
The resolution of our ﬁrst example would have got the following input:
{ 〈a!1, b!2〉, 〈c!3, d?x〉, 〈e!5, b?y, c?z〉 }
The resulting output would have been:
( {b → { 〈a!1, b!2〉, 〈e!5, b?y, c?z〉 }}, { 〈c!3, d?x〉 } )
The rest of the interfacing is handled by three observer functions: W , A
and D. These are represented in the (extended) syntax of Handel-C by the
expressions w〈gi〉, a〈gi〉 and d(c), respectively.
Wait The function W [[w〈gi〉]] takes a Resolution as argument and returns a
boolean result which is True if the corresponding request (〈gi〉) is blocked.
Active The function A[[a〈gi〉]] takes a Resolution as argument and returns a
integer result which indicates the index of the guard in 〈gi〉 which is active.
It is only deﬁned if W [[w〈gi〉]] returns False.
Data The function D[[d(c)]] takes a Resolution as argument and returns the
expression being outputted onto channel c. It is only deﬁned if channel c is
240
Butterfield and Woodcock
in the domain of the channel map part of the Resolution, i.e. is active.
5 Operational Semantics
The operational semantics for Handel-C requires us to have an understand-
ing of the processing that takes place during a clock-cycle. First, the atomic
actions (assignment or communication) for the current clock cycle need to be
determined. This involves following the ﬂow of control from the statements
which executed on the previous clock cycle, requiring the evaluation of condi-
tional and while-loop guard expressions. We shall refer to this as the “select”
(sel) phase. At this point we have identiﬁed almost all of the assignments and
prialts which are about to execute. The next phase, the “request” phase
(req) involves all the selected prialts lodging their corresponding requests
with the environment. At the end of this phase, the system has global knowl-
edge of almost all the communication requests associated with this clock cycle.
The third, or “resolve” phase (res) , is were the system resolves all these re-
quests, as described in section 4 previously. The outcome of this is that we
now know which communication actions are going to be executed. The ﬁnal
or “action” phase (act) is were all the atomic assignment and active commu-
nication actions take place, all globally synchronised to the clock. It is at this
stage that permanent changes are made to the system state — i.e. ones that
persist across clock boundaries. The ﬁrst three phases are all implemented
as combinatorial logic, and are deemed to execute in “zero-time”. In other
words, this logic makes these decisions well within the time allocated to the
clock cycle. The last phase is eﬀectively synchronised to the end of the cycle,
and so is deemed to have taken one clock cycle to execute.
The sequencing of the phases is very important, as the outcome of resolu-
tion is not well-deﬁned until the selection and request phases are complete. As
resolution determines the ﬁnal communication actions and their consequent
permanent state changes, is important to get this sequencing right. In the
hardware implementation, this is achieved by letting the resulting combinato-
rial logic have enough time to settle into a consistent state, and aided by the
fact that the logic contains no “combinatorial” cycles. In our formal semantics
we ensure the appropriate ordering of decisions by modelling these conceptual
phases explicitly.
We now explain the frequent use in the previous few paragraphs of the
phrase “almost all”. The problem here is the existence of default clauses in
prialts, which execute in “zero-time”. As a consequence of this, the cor-
responding continuation process starts execution in the current clock cycle.
This continuation process can be any legal Handel-C process so may contain
conditionals, parallel branches, while-loops and more prialts. This means
that we have to redo the select, request and resolve phases. The prialts can
be nested to an arbitrary but ﬁnite depth in this fashion (via default guards).
Given a prialt nesting depth of d, in general we need to iterate the ﬁrst three
241
Butterfield and Woodcock
phases d + 1 times. This complication is a consequence of the decision that
default guards take zero-time. The presence of arbitrary Handel-C processes
as continuations after communication guards is not a problem, as they don’t
start execution until the subsequent clock cycle.
So, our operational semantics needs to model these four phases by
(i) classifying statements according to the phase in which they participate
(ii) providing transitions of diﬀerent types for each phase
(iii) providing special transitions to manage the switch between phases.
5.1 Transition Types
A Transition type (TType) is one of state-selection (sel), comms-request (req),
comms-resolution (res) or state update action (act), ordered as just listed.
TType =̂ { sel , req , res , act } sel < req < res < act
We classify statements by associating a transition type set (tts(p)) with them,
and use ttype(p) to denote min(tts(p)):
Statements tts
0, s  [pi], b ∗ p, act(!?) { sel }
〈gi : pi〉, +〈gi〉 { req }
a〈gi〉  [pi], w〈gi〉 ∗ p { res } (w is false)
1, v := e, act(c!e), act(c?v), w〈gi〉 ∗ p { act } (w is true)
p1; p2 tts(p1)
p1 ‖ p2 tts(p1) ∪ tts(p2)
The anomalous situation regarding the classiﬁcation of w〈gi〉 ∗ p is explained
when the transition rules are described. In addition to the four transition types
mentioned above, we have special transitions between those types: sel2req ,
req2res , res2sel , res2act , and act2sel .
The system state (State) is larger than just p and t, comprising a tuple
(p, t, ρ, γ,, τ) where: p : P is the process state; t : TType is the current
transition type; ρ : Id
m→ Val is the variable environment; γ : Ch m→ G+ are
the active channels;  : P(G+) are the requested/blocked prialts; and τ : N is
the current clock value. Note that  holds the resolution input data during
the req phase, and (γ,) holds the resolution result obtained during the res
phase.
Given an initial program p0, the initial system state is (p0, sel , θ, θ, ∅, 0)
and a program terminates if p reduces to 0. To get the terminating clock
transition we shall strengthen this to say that a program terminates once p is
0 and t is sel .
242
Butterfield and Woodcock
5.2 Transition Events
We associate events with some transitions, denoting a transition of type t
engaging in event e by
t−→
e
, except for the special transitions were the event
is ﬁxed. All events describe some form of system state change, in addition to
that already described above, as detailed below:
transition event notation changes
req +〈gi〉  ∪ { 〈gi〉 }
act x := e ρ † {x → e}
req2res (γ,) := Resolve()
act2sel (γ,, τ) := (θ, ∅, τ + 1)
Here we use the notation e as shorthand for [[e]]ρ, i.e the evaluation of expres-
sion e w.r.t. the environment ρ. If any variable v in e is not in the domain
of ρ (i.e not yet assigned to), the the lookup ρ(v) returns zero, as this is how
Handel-C initialises all variables. Note also that the act action can be an
empty simultaneous assignment, denoted by leaving it blank.
We can view all events as functions on global state:
Evt =̂ State → State
[[·]] : P → Evt
[[x := e]]( , ρ, ) =̂ ( , ρ † {x → e}, )
[[+〈gi〉]]( ,, ) =̂ ( , ∪ { 〈gi〉 }, )
In some rules, we merge events, using the event merge operator ♦, which
is associative and commutative, with the null event as identity. In eﬀect
♦ merges disjoint assignments into a simultaneous assignment and multiple
prialt requests into one large request with a set of the prialts involved:
♦ : Evt × Evt → Evt
e1♦e2 =̂ e1 ◦ e2 or e2 ◦ e1
[[x := e]]♦[[y := f ]] = [[x, y := e, f ]]
( [[+〈gi〉]]♦[[+〈g′j〉]] )( ,, ) = ( , ∪ { 〈gi〉, 〈g′j〉 }, )
If assignments are not disjoint, then ♦ is not deﬁned, but this matches Handel-
C which outlaws this situation.
5.3 Transition Conditions
The conditional expressions (s,b) associated with the select and while con-
structs are evaluated w.r.t. the environment ρ. We use the same shorthand
s =̂ [[s]]ρ
as is used for assigment rhs expressions.
243
Butterfield and Woodcock
When we evaluate the wait predicate w〈gi〉 and the active guard selector
expression a〈gi〉, we do so with respect to the  and γ state components, using
two of the observer functions as follows:
w〈gi〉 =̂ W [[w〈gi〉]](γ,)
a〈gi〉 =̂ A[[a〈gi〉]](γ,)
Note that a consequence of these deﬁnitions and the properties of Resolve′
mentioned above is that a〈gi〉 is deﬁned only when w〈gi〉 is false.
We evaluate the data associated with channel identiﬁer d(c) by using the
remaining observer function to get the channel expression e, and then evalu-
ating that in the variable environment in the usual way:
d(c) =̂ e where e = D[[d(c)]](γ,)
5.4 The Transition Relation
Given a state pair consisting of program (p) and transition type (t), we can
deﬁne conditions when transitions are enabled:
transition enable condition changes
sel t = sel ∧ ttype(p) = sel p sel−→ p′
sel2req t = sel ∧ ttype(p) > sel t := req
req t = req ∧ ttype(p) = req p req−→ p′
req2res t = req ∧ ttype(p) > req t := res
res t = res ∧ ttype(p) = res p res−→ p′
res2sel t = res ∧ ttype(p) = sel t := sel
res2act t = res ∧ ttype(p) = act t := act
act t = act ∧ act ∈ tts(p) p act−→ p′
act2sel t = act ∧ act /∈ tts(p) t := sel
The priorities introduced by the prialts are eﬀectively “collected” together
during the request phase, and then resolved all together, a process simpliﬁed
by the fact that no priority conﬂicts arise. None of the prialt priorities are
attached to transitions or states an any obvious way, and are, as asserted ear-
lier, treated orthogonally to the transition system being described here. Here
however, we have present a second notion of priority, notably that between
diﬀerent types of transitions in our transition system. These priorities are sim-
ilar in character to the static and global priorities of [12], except that while
initially sel transitions have highest priority, and act transitions have lowest,
we have a dynamic priority switch at the end of the clock cycles when act
244
Butterfield and Woodcock
Seq p
t−→
e
p′ ⇒ p ; q t−→
e
p′ ; q
Par-1 p
t−→
e
p′ ⇒ p ‖ q t−→
e
p′ ‖ q
Par-2 p
t−→
e
p′ ⇒ q ‖ p t−→
e
q ‖ p′
Merge-Par p
t−→
e
p′, q t−→
f
q′ ⇒ p ‖ q t−→
e♦f
p′ ‖ q′
Fig. 1. General Transition Rules
transitions become highest priority. Apart from this, the theory of [12] is not
applicable here as we have no silent actions and no synchronisation between
most transitions of any given type/priority.
Rules have the form:
Name [cond] antecedents⇒ consequent
where cond and antecedents⇒ are optional. The consequent transition is
enabled if and only if: (i) its transition type is enabled by the global state;
(ii) the condition, evaluated against the global state, is also true; and (iii) the
antecedent transitions, if any, are themselves enabled.
We ﬁrst present general transition rules dealing with sequential and parallel
composition, where the phase is irrelevant (Figure 1).
The basic phase-speciﬁc transition rules are shown in Figure 2, presented
largely in order of transition type. The ﬁrst set of rules dealing with sel
transitions are Par-End, Select, Whl-False, Whl-True, and Next.
The rules for the conditional and while constructs are straightforward. The
rules for the parallel and sequential constructs manage the fact that all parallel
threads must end before a subsequent process can start execution. The 0
construct (the process that does nothing in “zero-time”) pays a key role in
managing this synchronisation.
The next set of rules dealing with req transitions are PriAlt and Re-
quest. The prialt-statement simply lodges its request (+〈gi〉) and then
evolves into the sequential composition of a wait loop and a subsequent con-
ditional to select the active action. The wait loop resubmits the request in
following clock cycles, which is why the loop body starts with 1, i.e. to force
a wait until the next clock cycle. The request transition deals with the addi-
tional requests lodged by the wait loop.
The third set of transitions handle transitions which occur when evaluating
the resolution observer functions w〈gi〉 and a〈gi〉. Most of these are res tran-
sitions, except for Wait, which is an act transition. This is to ensure these
transitions, which initiate a one cycle wait, followed by resubmission of their
request, are held over until all default clauses have been handled. If this rule
was a res transition, we would have a race between its ﬁring, and the ﬁring
of a Continue rule, which may be as a result of a default guard elsewhere.
The result of that default guard’s execution might be a change in the status
245
Butterfield and Woodcock
Par-End 0 ‖ 0 sel−→ 0
Select [s = i] s  [pi] sel−→ pi
Whl-False [¬b] b ∗ p sel−→ 0
Whl-True [b] b ∗ p sel−→ p ; b ∗ p
Next [t ∈ { sel , res , req }] 0 ; p t−→ p
PriAlt 〈gi : pi〉 req−→
+〈gi〉
w〈gi〉 ∗ (1 ; +〈gi〉) ; a〈gi〉  [act(gi) ; pi]
Request +〈gi〉 req−→
+〈gi〉
0
Default act(!?)
sel−→ 0
Select-Active [a = i] a  [pi] res−→ pi
Continue [¬w] w ∗ p res−→ 0
Wait [w] w ∗ p act−→ p ; w ∗ p
Delay 1
act−→ 0
Assign v := e
act−→
v:=e
0
Output act(c!e)
act−→ 0
Input act(c?v)
act−→
v:=d(c)
0
Fig. 2. Phase-Specific Transition Rules
of a blocked prialt. It is very important that we ensure that all Continue
transitions occur before any Wait transitions are allowed to proceed.
The ﬁnal set of transitions are the act transitions, all of which change
the state. The delay statement state change is simply that it lets time pass.
The assignment statement has the expected eﬀect of updating the relevant
variable. The output statement acts like a delay, while the input statement
uses the resolution observable d(c) to update its variable value.
5.5 Observational Equivalence
An execution trace of a Handel-C program is a sequence of transitions occur-
ring with the following structure:
((sel∗; req∗; res∗)∗; act+)+
where ; denotes concatenation, and x∗ and x+ denote zero-or-more xs and
one-or-more xs, respectively. As the subsequences of act transitions can be
collapsed into one such transition, using the ♦ operator, the overall eﬀect is
246
Butterfield and Woodcock
that of a single act transitions, one per clock cycle, separated by some mix of
other transition types:
((sel∗; req∗; res∗)∗; act)+
As the key function of these other transition types is to determine what act
transitions occur, and as only the act transitions have persistent eﬀects on
the state, we shall choose to ignore the other transition types. Hence we
shall declare two execution traces to be Observationally Equivalent if they are
identical once non-act transitions are removed, and all act transitions in one
clock cycle have been merged.
5.6 An example
To show the importance of requiring Wait to be a act transition, consider
the following example:
〈c!7 : 0〉 ‖ 〈d!0 : 0, !? : 〈c?v : 0〉〉
For brevity we shall omit 0 when it occurs either before or after “;”. Initially
it engages in Prialt transitions to become:
w〈c!7〉 ∗ (1; +〈c!7〉); a〈c!7〉  [act(c!7)]
‖
w〈d!0, !?〉 ∗ (1; +〈d!0, !?〉); a〈d!0, !?〉  [act(d!0), 〈c?v : 0〉]
If Wait was a res transition then the top process could evolve at this point to
something which would start with 1; +〈c!7〉. This process would now wait until
the mode was act , to do a Delay transition. In particular, if events elsewhere
suddenly made channel c active in this clock cycle, this process would miss
the event because it is no longer “listening”. Instead, the Wait transition is
blocked, but the lower process can do a Continue transition to become:
a〈d!0, !?〉  [act(d!0), 〈c?v : 0〉]
A Select-Active transition will pick the default guard to give:
〈c?v : 0〉
This prialt will then trigger another iteration of the sel -req transistion to
leave us in the following situation:
w〈c!7〉 ∗ (1; +〈c!7〉); a〈c!7〉  [act(c!7)]
‖
w〈c?v〉 ∗ (1; +〈c?v〉); a〈c?v〉  [act(c?v)]
247
Butterfield and Woodcock
Now both side are enabled for Continue transitions, so we get
a〈c!7〉  [act(c!7)]
‖
a〈c?v〉  [act(c?v)]
Select-Active transitions reduce this to
act(c!7) ‖ act(c?v)
Finally the Input and Output transitions ﬁre, v is assigned 7, the clock is
advanced, and we get 0 ‖ 0 which reduces in the next clock cycle to 0.
It is interesting to note that a prialt with a default guard will never wait
so we can omit the wait-loop giving the law:
〈gi : pi, !? : pn〉 = +〈gi, !?〉; a〈gi, !?〉  [act(gi); pi, pn]
6 Conclusions and Future Work
We have presented an operational semantics for a key subset of the Handel-C
hardware compilation language. In particular our semantics handles prialts
properly, coping with the issues raised by the zero-time execution behaviour
of default clauses. Another key feature of the work presented here is that
it exploits a clean separation of concerns between various key aspects of the
language: types, priority, ﬂow of control and asynchronous interfacing.
The key goal of this work is to have a formal development methodology
from a suitable speciﬁcation notation down to Handel-C code, with appro-
priate tool support. We envisage a methodology based on reﬁnement, using
an appropriate reﬁnement calculus. To reach this goal we need to achieve a
number of key milestones: an appropriate formal model of the asynchronous
interfaces, and the type system; the integration of all aspects into a uniﬁed
whole; an appropriate generalisation of Handel-C to produce a speciﬁcation
language; and the development of reﬁnement laws that enable correct pro-
grams to be developed. Given the need to unify the four aspects, we propose
to formulate the semantics of both Handel-C and its speciﬁcation language
within the unifying theories framework [17]. This will facilitate reﬁnement, as
a reﬁnement calculus (Circus) for this paradigm has been developed [25].
6.1 Acknowledgments
We would like to thank the Dean of Research Fund, University of Dublin for
its support, and Erke Boiten and the anonymous referees for their comments
which helped to improve this paper.
248
Butterfield and Woodcock
References
[1] Abdallah, A. E. and J. Hawkins, Formal Behavioural Synthesis of Handel-
C Parallel Hardware Implementations from Functional Specifications, in: 36th
Annual Hawaii International Conference on System Sciences (HICSS’03),
IEEE, 2003.
[2] Andriessens, C. and T. Lindner, AL: Using FOCUS, LUSTRE, and probability
theory for the design of a reliable control program, Lecture Notes in Computer
Science 1165 (1996), pp. 35–51.
[3] Barrett, G., M. Goldsmith, G. Jones and A. Kay, The meaning and
implementation of PRI ALT in occam, in: C. Askew, editor, occam and the
Transputer, research and applications (OUG-9), 88.
[4] Bouali, A., Xeve: An Esterel verification environment, Lecture Notes in
Computer Science 1427 (1998), pp. 500–??
[5] Boussinot, F. and R. D. Simone, The ESTEREL language, Technical Report
RR-1487, Inria, Institut National de Recherche en Informatique et en
Automatique.
[6] Butterfield, A., Denotational semantics for prialt-free Handel-C, Technical
Report TCD-CS-2001-53, Dept. of Computer Science, Trinity College, Dublin
University (2001).
[7] Butterfield, A., Interpretative semantics for prialt-free Handel-C, Technical
Report TCD-CS-2001-54, Dept. of Computer Science, Trinity College, Dublin
University (2001).
[8] Butterfield, A. and J. Woodcock, Semantic Domains for Handel-C, , 74 (2002),
http:// www.elsevier.nl/ locate/ entcs (to appear).
[9] Butterfield, A. and J. Woodcock, Semantics of prialt in Handel-C, in:
J. Pasco, P. Welch, R. Loader and V. Sunderam, editors, Communicating
Process Architectures – 2002, Concurrent Systems Engineering (2002), pp. 1–16.
[10] Celoxica Ltd., “Handel-C Language Reference Manual, v3.0,” (2002), URL:
www.celoxica.com.
[11] Cleaveland, R. and M. Hennessy, Priorities in process algebra, in: Proceedings
3th Annual Symposium on Logic in Computer Science, Edinburgh (1988), pp.
193–202.
[12] Cleaveland, R., G. Luettgen and V. Natarajan, Priority in process algebra, in:
J. A. Bergstra, A. Ponse and S. A. Smolka, editors, Handbook of Process Algebra
(2001), pp. pp711–765.
[13] Cleaveland, R., G. Luettgen, V. Natarajan and S. Sims, Modeling and Verifying
Distributed Systems Using Priorities: A Case Study, in: Second International
Workshop on Tools and Algorithms for the Construction and Analysis of
Systems (TACAS ’96), LNCS 1055 (1996), pp. pp287–297.
249
Butterfield and Woodcock
[14] Damianou, N., N. Dulay, E. Lupu and M. Sloman, The ponder policy
specification language, Lecture Notes in Computer Science 1995 (2001), pp. 18–
??
[15] Fidge, C. J., A formal definition of priority in CSP, ACM Transactions on
Programming Languages and Systems 15 (1993), pp. 681–705.
[16] Hoare, C. A. R., “Communicating Sequential Processes,” Intl. Series in
Computer Science, Prentice Hall, 1985.
[17] Hoare, C. A. R. and H. Jifeng, “Unifying Theories of Programming,” Series in
Computer Science, Prentice Hall, 1998.
[18] Holenderski, L., LUSTRE, in: C. Lewerentz and T. Lindner, editors, Formal
Development of Reactive Systems, Case Study Production Cell, Lecture Notes
in Computer Science, Springer-Verlag, 1995 pp. 101–112.
[19] Lawrence, A. E., Cspp and event priority, in: M. M. Alan Chalmers and
H. Muller, editors, Communicating Process Architectures 2001, Concurrent
Systems Engineering (2001).
[20] Lawrence, A. E., Acceptances, Behaviours and infinite activity in CSPP., in:
Communicating Process Architectures – 2002, Concurrent Systems Engineering
(2002).
[21] Lawrence, A. E., HCSP and true concurrency, in: Communicating Process
Architectures – 2002, Concurrent Systems Engineering (2002).
[22] Lee, T., S. Yusuf, W. Luk, M. Sloman, E. Lupu and N. Dulay, Development
framework for firewall processors, www.celoxica.com, in Academic Papers
section.
[23] Page, I. and W. Luk, Compiling Occam into field-programmable gate arrays,
in: W. Moore and W. Luk, editors, FPGAs, Oxford Workshop on Field
Programmable Logic and Applications, Abingdon EE&CS Books, 15 Harcourt
Way, Abingdon OX14 1NV, UK, 1991 pp. 271–283.
[24] Tini, An axiomatic semantics for esterel, TCS: Theoretical Computer Science
269 (2001).
[25] Woodcock, J. and A. Cavalcanti, The Semantics of Circus, LNCS 2272, 2nd
International Conference of B and Z Users, Grenoble, France (2002).
250
